The opinion of the court was delivered by: PATEL
Plaintiff Daniel Bernstein brought this action against the Department of State and the individually named defendants seeking declaratory and injunctive relief from their enforcement of the Arms Export Control Act ("AECA"), 22 U.S.C. § 2778, and the International Traffic in Arms Regulations ("ITAR"), 22 C.F.R. §§ 120-30 (1994), on the grounds that they are unconstitutional on their face and as applied to plaintiff. Now before this court are cross-motions for summary judgment on the question of whether the licensing requirements for the export of cryptographic devices and software covered by Part 121, Category XIII(b) of the ITAR and the export control over related technical data constitute an impermissible infringement on speech in violation of the First Amendment.
Having considered the parties' arguments and submissions, and for the reasons set forth below, the court enters the following memorandum and order.
At the time this action was filed, plaintiff was a PhD candidate in mathematics at the University of California at Berkeley working in the field of cryptography, an area of applied mathematics that seeks to develop confidentiality in electronic communication. Plaintiff is currently a Research Assistant Professor in the Department of Mathematics, Statistics and Computer Science at the University of Illinois at Chicago.
Encryption basically involves running a readable message known as "plaintext" through a computer program that translates the message according to an equation or algorithm into unreadable "ciphertext." Decryption is the translation back to plaintext when the message is received by someone with an appropriate "key." The message is both encrypted and decrypted by compatible keys.
The uses of cryptography are far-ranging in an electronic age, from protecting personal messages over the Internet and transactions on bank ATMs to ensuring the secrecy of military intelligence. In a prepublication copy of a report done by the National Research Council ("NRC") at the request of the Defense Department on national cryptography policy, the NRC identified four major uses of cryptography: ensuring data integrity, authenticating users, facilitating nonrepudiation (the linking of a specific message with a specific sender) and maintaining confidentiality. Tien Decl., Exh. E, National Research Council, National Academy of Sciences, Cryptography's Role in Securing the Information Society C-2 (Prepublication Copy May 30, 1996) (hereinafter "NRC Report").
As a graduate student, Bernstein developed an encryption algorithm he calls "Snuffle." He describes Snuffle as a zero-delay private-key encryption system. Complaint Exh. A. Bernstein has articulated his mathematical ideas in two ways: in an academic paper in English entitled "The Snuffle Encryption System," and in "source code" written in "C", a high-level computer programming language, detailing both the encryption and decryption, which he calls "Snuffle.c" and "Unsnuffle.c", respectively. Once source code is converted into "object code," a binary system consisting of a series of 0s and 1s read by a computer, the computer is capable of encrypting and decrypting data.
II. Statutory and Regulatory Background
The Arms Export Control Act authorizes the President to control the import and export of defense articles and defense services by designating such items to the United States Munitions List ("USML"). 22 U.S.C. § 2778(a)(1). Once on the USML, and unless otherwise exempted, a defense article or service requires a license before it can be imported or exported. 22 U.S.C. § 2778(b)(2).
The International Traffic in Arms Regulations, 22 C.F.R. §§ 120-30, were promulgated by the Secretary of State, who was authorized by executive order to implement the AECA. The ITAR is administered primarily within the Department of State by the Director of the Office of Defense Trade Controls ("ODTC"), Bureau of Politico-Military Affairs. The ITAR allows for a "commodity jurisdiction procedure" by which the ODTC determines if an article or service is covered by the USML when doubt exists about an item. 22 C.F.R. § 120.4(a). Also contained in the ITAR are the licensing requirements for defense articles, 22 C.F.R. § 123, and technical data, 22 C.F.R. § 125.
Categories of items covered by the USML are enumerated at section 121.1. Category XIII, Auxiliary Military Equipment, includes "Cryptographic (including key management) systems, equipment, assemblies, modules, integrated circuits, components or software with the capability of maintaining secrecy or confidentiality of information or information systems . . . ." 22 C.F.R. § 121 XIII(b)(1). A number of applications of cryptography are excluded, such as those used in automated teller machines and certain mass market software products that use encryption. Id.
"Technical data" is perhaps the most confusing category of items regulated by the ITAR since it is defined separately and in relation to defense articles, 22 C.F.R. § 120.10, but is also defined as a defense article when it is covered by the USML. See 22 C.F.R. § 120.6. It generally covers information "which is required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of defense articles." 22 C.F.R. § 120.10. It also encompasses software directly related to defense articles. 22 C.F.R. § 120.10(a)(4). Software "includes but is not limited to the system functional design, logic flow, algorithms, application programs, operating systems and support software for design, implementation, test operation, diagnosis and repair." 22 C.F.R. § 121.8(f). A person who wants to export software that is not designated on the USML can apply for a technical data license. 22 C.F.R. § 121.8(f).
The definition of technical data includes some noteworthy exemptions. Technical data "does not include information concerning general scientific, mathematical or engineering principles commonly taught in schools, colleges and universities or information in the public domain . . . ." 22 C.F.R. § 120.10(a)(5). The public domain exemption excludes from technical data information which is "published and generally accessible" to the public through newsstands, bookstores, subscriptions, libraries, conferences and trade exhibitions. 22 C.F.R. § 120.11(a)(1)-(6). The public domain also includes information available to the public through fundamental research at accredited institutions of higher learning:
Fundamental research is defined to mean basic and applied research in science and engineering where the resulting information is ordinarily published and shared broadly within the scientific community, as distinguished from research the results of which are restricted for proprietary reasons or specific U.S. Government access and dissemination controls.
22 C.F.R. § 120.11(a)(8). It is apparent from the ITAR, and neither party appears to dispute it, that the public domain exceptions apply only to technical data and not to defense articles.
Finally, "export" is defined as "sending or taking a defense article out of the United States in any manner", 22 C.F.R. § 120.17(a)(1), and as "disclosing (including oral or visual disclosure) or transferring technical data to a foreign person, whether in the United States or abroad". 22 C.F.R. § 120.17(a)(4).
III. Plaintiff's Commodity Jurisdiction Determinations
On June 30, 1992 Bernstein submitted a commodity jurisdiction ("CJ") request to the State Department to determine whether three items were controlled by ITAR. Those items were Snuffle.c and Unsnuffle.c (together referred to as Snuffle 5.0), each submitted in C language source files, and his academic paper describing the Snuffle system. Complaint Exh. A. On August 20, 1992 the ODTC informed Bernstein that after consultation with the Departments of Commerce and Defense it had determined that the commodity Snuffle 5.0 was a defense article on the USML under Category XIII of the ITAR and subject to licensing by the Department of State prior to export. The ODTC identified the item as a "stand alone cryptographic algorithm which is not incorporated into a finished software product." Complaint Exh. B. The ODTC further informed plaintiff that a commercial software product incorporating Snuffle 5.0 may not be subject to State Department control and should be submitted as a new commodity jurisdiction request.
Plaintiff and ODTC exchanged copious and contentious correspondence regarding the licensing requirements during the spring of 1993. Still unsure if his academic paper had been included in the ODTC CJ determination of August 20, 1992, Bernstein submitted a second CJ request on July 15, 1993, asking for a separate determination for each of five items. Lowell Decl., Exh. 17. According to plaintiff these items were 1) the paper, "The Snuffle Encryption System," 2) Snuffle.c, 3) Unsnuffle.c, 4) a description in English of how to use Snuffle, and 5) instructions in English for programming a computer to use Snuffle.
On October 5, 1993 the ODTC notified Bernstein that all of the referenced items were defense articles under Category XIII(b)(1). Complaint Exh. E. By letter dated June 29, 1995, after plaintiff had initiated this action, the ODTC clarified that its CJ determinations pertained only to Snuffle.c and Unsnuffle.c, which it had determined to be a defense article on the USML. Lowell Decl., Exh. 21 at 1. The ODTC further noted that the two items of explanatory information fell within the definition of technical data but that the paper, "The Snuffle Encryption System," did "not appear to meet the definition of technical data." Lowell Decl., Exh. 21 at 2. The June 29 letter also explains the public domain exception to technical data without drawing a conclusion about the applicability of that exception to the explanatory information.
This court noted, in considering defendants' motion to dismiss, that Bernstein had every reason to believe his paper was determined to be on the USML until June 29, 1995, and that defendants should make a prompt and unequivocal determination as to the status of the paper. Bernstein, 922 F. Supp. at 1434 & n.12. Plaintiff's counsel wrote to defense counsel on May 3, 1996, seeking, among other things, such a determination. Lowell Decl., Exh. 22. In a response dated July 25, 1996, William Lowell, Director of the ODTC, stated that their letter of June 29, 1995 had made clear that the paper "is neither a defense article nor technical data under the ITAR and USML. Therefore, this item is not subject to the ITAR." Lowell Decl., Exh. 24 at 1. With respect to the two items determined to be technical data, Lowell clarified that their publication or teaching would not be regulated, but that a license would be required if the object or intent of their export was to furnish assistance to a foreign person in operating cryptographic software. Id. at 2.
Plaintiff seeks to publish and communicate his ideas on cryptography. Bernstein asserts that he is not free to teach the Snuffle algorithm, to disclose it at academic conferences, or to publish it in journals or online discussion groups without a license.
Under Federal Rule of Civil Procedure 56, summary judgment shall be granted "against a party who fails to make a showing sufficient to establish the existence of an element essential to that party's case, and on which that party will bear the burden of proof at trial . . . since a complete failure of proof concerning an essential element of the nonmoving party's case necessarily renders all other facts immaterial." Celotex Corp. v. Catrett, 477 U.S. 317, 322-23, 91 L. Ed. 2d 265, 106 S. Ct. 2548 (1986); see also T.W. Elec. Serv. v. Pacific Elec. Contractors Ass'n, 809 F.2d 626, 630 (9th Cir. 1987) (the nonmoving party may not rely on the pleadings but must present significant probative evidence supporting the claim); Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248, 91 L. Ed. 2d 202, 106 S. Ct. 2505 (1986) (a dispute about a material fact is genuine "if the evidence is such that a reasonable jury could return a verdict for the nonmoving party.").
The court's function, however, is not to make credibility determinations, Anderson, 477 U.S. at 249, and the inferences to be drawn from the facts must be viewed in a light most favorable to the party opposing the motion. T.W. Elec. Serv., 809 F.2d at 631.
Where, as here, the question is purely a legal one involving no disputes of material fact, the matter is appropriately handled on a motion for summary judgment.
Plaintiff contends that the licensing scheme under the ITAR imposes an unconstitutional prior restraint on cryptographic speech, whether that speech is defined as a defense article or technical data. Plaintiff further maintains that a number of terms make the ITAR vague and overbroad in violation of the First Amendment.