their own secrets as well as accessing information held by others, the last twenty years has seen the popularization of cryptography as industries and individuals alike have increased their use of electronic media and have sought to protect their electronic products and communications. NRC Report at vii. As part of this transformation, cryptography has also become a dynamic academic discipline within applied mathematics. Appel Decl. at 5; Blaze Decl. at 2.
As a graduate student, Bernstein developed an encryption algorithm he calls "Snuffle." He describes Snuffle as a zero-delay private-key encryption system. Complaint Exh. A. Bernstein has articulated his mathematical ideas in two ways: in an academic paper in English entitled "The Snuffle Encryption System," and in "source code" written in "C", a high-level computer programming language,
detailing both the encryption and decryption, which he calls "Snuffle.c" and "Unsnuffle.c", respectively. Once source code is converted into "object code," a binary system consisting of a series of 0s and 1s read by a computer, the computer is capable of encrypting and decrypting data.
II. Statutory and Regulatory Background
The Arms Export Control Act authorizes the President to control the import and export of defense articles and defense services by designating such items to the United States Munitions List ("USML"). 22 U.S.C. § 2778(a)(1). Once on the USML, and unless otherwise exempted, a defense article or service requires a license before it can be imported or exported. 22 U.S.C. § 2778(b)(2).
The International Traffic in Arms Regulations, 22 C.F.R. §§ 120-30, were promulgated by the Secretary of State, who was authorized by executive order to implement the AECA. The ITAR is administered primarily within the Department of State by the Director of the Office of Defense Trade Controls ("ODTC"), Bureau of Politico-Military Affairs. The ITAR allows for a "commodity jurisdiction procedure" by which the ODTC determines if an article or service is covered by the USML when doubt exists about an item. 22 C.F.R. § 120.4(a). Also contained in the ITAR are the licensing requirements for defense articles, 22 C.F.R. § 123, and technical data, 22 C.F.R. § 125.
Categories of items covered by the USML are enumerated at section 121.1. Category XIII, Auxiliary Military Equipment, includes "Cryptographic (including key management) systems, equipment, assemblies, modules, integrated circuits, components or software with the capability of maintaining secrecy or confidentiality of information or information systems . . . ." 22 C.F.R. § 121 XIII(b)(1). A number of applications of cryptography are excluded, such as those used in automated teller machines and certain mass market software products that use encryption. Id.
A "defense article" is defined by the ITAR as any item or technical data that has been designated in the USML. 22 C.F.R. § 120.6. A "defense service" is any assistance rendered to a foreign person in the United States or abroad in the development or use of a defense article, 22 C.F.R. § 120.9(a)(1), or the furnishing of technical data to a foreign person, 22 C.F.R. § 9(a)(2).
"Technical data" is perhaps the most confusing category of items regulated by the ITAR since it is defined separately and in relation to defense articles, 22 C.F.R. § 120.10, but is also defined as a defense article when it is covered by the USML. See 22 C.F.R. § 120.6. It generally covers information "which is required for the design development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of defense articles. 22 C.F.R. § 120.10. It also encompasses software directly related to defense articles. 22 C.F.R. § 120.10(a)(4). Software "includes but is not limited to the system functional design, logic flow, algorithms, application programs, operating systems and support software for design, implementation, test operation, diagnosis and repair." 22 C.F.R. § 121.8(f). A person who wants to export software that is not designated on the USML can apply for a technical data license. 22 C.F.R. § 121.8(f).
The definition of technical data includes some noteworthy exemptions. Technical data "does not include information concerning general scientific, mathematical or engineering principles commonly taught in schools, colleges and universities or information in the public domain . . . ." 22 C.F.R. § 120.10(a)(5). The public domain exemption excludes from technical data information which is "published and generally accessible" to the public through newsstands, bookstores, subscriptions, libraries, conferences and trade exhibitions. 22 C.F.R. § 120.11(a)(1)-(6). The public domain also includes information available to the public through fundamental research at accredited institutions of higher learning:
Fundamental research is defined to mean basic and applied research in science and engineering where the resulting information is ordinarily published and shared broadly within the scientific community, as distinguished from research the results of which are restricted for proprietary reasons or specific U.S. Government access and dissemination controls.
22 C.F.R. § 120.11(a)(8). It is apparent from the ITAR, and neither party appears to dispute it, that the public domain exceptions apply only to technical data and not to defense articles.
Finally, "export" is defined as "sending or taking a defense article out of the United States in any manner", 22 C.F.R. § 120.17(a)(1), and as "disclosing (including oral or visual disclosure) or transferring technical data to a foreign person, whether in the United States or abroad". 22 C.F.R. § 120.17(a)(4).
III. Plaintiff's Commodity Jurisdiction Determinations
On June 30, 1992 Bernstein submitted a commodity jurisdiction ("CJ") request to the State Department to determine whether three items were controlled by ITAR. Those items were Snuffle.c and Unsnuffle.c (together referred to as Snuffle 5.0), each submitted in C language source files, and his academic paper describing the Snuffle system. Complaint Exh. A. On August 20, 1992 the ODTC informed Bernstein that after consultation with the Departments of Commerce and Defense it had determined that the commodity Snuffle 5.0 was a defense article on the USML under Category XIII of the ITAR to licensing by the Department of State prior to export. The OPTC identified the item as a stand alone cryptographic algorithm which is not incorporated into a finished software product." Complaint Exh. B. The ODTC further informed plaintiff that a commercial software product incorporating Snuffle 5.O may not be subject to State Department control and should be submitted as a new commodity jurisdiction request.
Plaintiff and ODTC exchanged copious and contentious correspondence regarding the licensing requirements during the spring of 1993. Still unsure if his academic paper had been included in the ODTC CJ determination of August 20, 1992, Bernstein submitted a second CJ request on July 15, 1993, asking for a separate determination for each of five items. Lowell Decl., Exh. 17. According to plaintiff these items were 1) the paper, "The Snuffle Encryption System," 2) Snuffle.c, 3) Unsnuffle.c, 4) a description in English of how to use Snuffle, and 5) instructions in English for programming a computer to use Snuffle.
On October 5, 1993 the ODTC notified Bernstein that all of the referenced items were defense articles under Category XIII(b)(1). Complaint Exh. E. By letter dated June 29, 1995, after plaintiff had initiated this action, the ODTC clarified that its CJ determinations pertained only to Snuffle.c and Unsnuffle.c, which it had determined to be a defense article on the USML. Lowell Decl., Exh. 21 at 1. The ODTC further noted that the two items of explanatory information fell within the definition of technical data but that the paper, "The Snuffle Encryption System," did "not appear to meet the definition of technical data." Lowell Decl., Exh. 21 at 2. The June 29 letter also explains the public domain exception to technical data without drawing a conclusion about the applicability of that exception to the explanatory information.
This court noted, in considering defendants' motion to dismiss, that Bernstein had every reason to believe his paper was determined to be on the USML until June 29, 1995, and that defendants should make a prompt and unequivocal determination as to the status of the paper. Bernstein, 922 F. Supp. at 1434 & n.12. Plaintiff's counsel wrote to defense counsel on May 3, 1996, seeking, among other things, such a determination. Lowell Decl., Exh. 22. In a response dated July 25, 1996, William Lowell, Director of the ODTC, stated that their letter of June 29, 1995 had made clear that the paper "is neither a defense article nor technical data under the ITAR and USML. Therefore, this item is not subject to the ITAR." Lowell Decl., Exh. 24 at 1. With respect to the two items determined to be technical data, Lowell clarified that their publication or teaching would not be regulated, but that a license would be required if the object or intent of their export was to furnish assistance to a foreign person in operating cryptographic software. Id. at 2.
Plaintiff seeks to publish and communicate his ideas on cryptography. Bernstein asserts that he is not free to teach the Snuffle algorithm, to disclose it at academic conferences, or to publish it in journals or online discussion groups without a license.
Under Federal Rule of Civil Procedure 56, summary judgment shall be granted "against a party who fails to make a showing sufficient to establish the existence of an element essential to that party's case, and on which that party will bear the burden of proof at trial . . . since a complete failure of proof concerning an essential element of the nonmoving party's case necessarily renders all other facts immaterial." Celotex Corp. v. Catrett, 477 U.S. 317, 322-23, 91 L. Ed. 2d 265, 106 S. Ct. 2548 (1986); see also T.W. Elec. Serv. v. Pacific Elec. Contractors Ass'n, 809 F.2d 626, 630 (9th Cir. 1987) (the nonmoving party may not rely on the pleadings but must present significant probative evidence supporting the claim); Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248, 91 L. Ed. 2d 202, 106 S. Ct. 2505 (1986) (a dispute about a material fact is genuine "if the evidence is such that a reasonable jury could return a verdict for the nonmoving party.")
The court's function, however, is not to make credibility determinations, Anderson, 477 U.S. at 249, and the inferences to be drawn from the facts must be viewed in a light most favorable to the party opposing the motion. T.W. Elec. Serv., 809 F.2d at 631.
Where as here, the question is purely a legal one involving no disputes of material fact, the matter is appropriately handled on a motion for summary judgment.
Plaintiff contends that the licensing scheme under the ITAR imposes an unconstitutional prior restraint on cryptographic speech, whether that speech is defined as a defense article or technical data. Plaintiff further maintains that a number of terms make the ITAR vague and overbroad in violation of the First Amendment.
Defendants argue that the ITAR, insofar as it regulates cryptographic software, is content neutral and easily survives intermediate scrutiny under the First Amendment. In addition, defendants aver that the technical data provisions do not regulate scientific or academic speech and therefore do not act as a prior restraint on speech. Finally, defendants contend that plaintiff's overbreadth claim, vagueness claim and his claims under the Administrative Procedure Act ("APA") are without merit.
Both parties sizable briefs in support of their motions for summary judgment are notable for the contrast of their approaches. Plaintiff, for his part, argues that the provisions of the ITAR at issue violate numerous conceivable--and a few inconceivable--First Amendment doctrines. Defendants' arguments, in contrast, while steering closer to traditional first amendment analysis, are notable for the conspicuous absence of discussion of the prior restraint doctrine.
Defendants state in their opposition that the real issue in this case is whether export licensing controls on cryptographic software violate the First Amendment. The court agrees that this is the central issue before it and therefore an appropriate place to begin. Moreover, as this court has already determined that source code is speech, Bernstein, 922 F. Supp. at 1436, and both parties agree that a licensing scheme controls the "export" of such speech, the court turns first to prior restraint analysis.
I. Prior Restraint
A. Analytical Framework
As the Supreme Court has stated, in determining the extent of the constitutional protection afforded by the guarantees of the First Amendment, "it has been generally, if not universally, considered that it is the chief purpose of the guaranty to prevent previous restraints upon publication." Near v. Minnesota, 283 U.S. 697, 713, 75 L. Ed. 1357, 51 S. Ct. 625 (1931). It is for this reason that the Court has held: "Any prior restraint on expression comes to this Court with a 'heavy presumption' against its constitutional validity." Organization for a Better Austin v. Keefe, 402 U.S. 415, 419, 29 L. Ed. 2d 1, 91 S. Ct. 1575 (1971) (citations omitted).
While prior restraints have often come in the form of judicial injunctions on publication, see e.g., C.B.S. v. Davis, 510 U.S. 1315, 127 L. Ed. 2d 358, 114 S. Ct. 912 (1994); New York Times Co. v. United States, 403 U.S. 713, 29 L. Ed. 2d 822, 91 S. Ct. 2140 (1971), they are also recognized in licensing schemes. See e.g., FW/PBS, Inc. v. Dallas, 493 U.S. 215, 107 L. Ed. 2d 603, 110 S. Ct. 596 (1990); Lakewood v. Plain Dealer Publishing Co., 486 U.S. 750, 100 L. Ed. 2d 771, 108 S. Ct. 2138 (1988). Governments may impose valid time, place and manner restrictions when they are content neutral, narrowly tailored to serve a substantial governmental interest, and leave open alternative channels for communication. See e.g., Clark v. Community for Creative Non-Violence, 468 U.S. 288, 293, 82 L. Ed. 2d 221, 104 S. Ct. 3065 (1984). However, "even if a government may constitutionally impose content-neutral prohibitions on a particular manner of speech, it may not condition that speech on obtaining a license or permit from a government official in that official's boundless discretion." Lakewood, 486 U.S. at 764.
It is axiomatic that the First Amendment is more tolerant of subsequent criminal punishment of speech than it is of prior restraints on the same speech.
The thread running through all these cases is that prior restraints on speech and publication are the most serious and the least tolerable infringement on First Amendment rights. A criminal penalty or a judgment in a defamation case is subject to the whole panoply of protections afforded by deferring the impact of the judgment until all avenues of appellate review have been exhausted. . . .
A prior restraint, by contrast and by definition, has an immediate and irreversible sanction. If it can be said that a threat of criminal or civil sanction after publication "chills" speech, prior restraint "freezes" it at least for the time.