The opinion of the court was delivered by: PATEL
Plaintiff Daniel Bernstein originally brought this action against the Department of State and the individually named defendants seeking declaratory and injunctive relief from their enforcement of the Arms Export Control Act ("AECA"), 22 U.S.C. § 2778 (1990), and the International Traffic in Arms Regulations ("ITAR"), 22 C.F.R. §§ 120-30 (1994), on the grounds that they are unconstitutional on their face and as applied to plaintiff. The court granted in part and denied in part the parties' cross motions for summary judgment on December 9, 1996. Just prior to the court's order, President Clinton by Executive Order 13026 transferred jurisdiction over the export of nonmilitary encryption products to the Department of Commerce pursuant to the Export Administration Act of 1979 ("EAA"), 50 U.S.C. App. §§ 2401 et seq. (1991), and the Export Administration Regulations ("EAR"), 15 C.F.R. Pt. 730 et seq. (1997). On December 30, 1996, the Commerce Department issued an interim rule regulating the export of certain encryption products. 61 Fed. Reg. 68572 (Dec. 30, 1996). Plaintiff subsequently amended his complaint to include the new regulations and new defendants. Now before this court are the parties' second cross-motions for summary judgment on the question of whether the licensing requirements for the export of cryptographic devices, software and related technology covered by the amendments to the EAR constitute an impermissible infringement on speech in violation of the First Amendment.
Having considered the parties' arguments and submissions, and for the reason set forth below, the court enters the following memorandum and order.
At the time this action was filed, plaintiff was a PhD candidate in mathematics at University of California at Berkeley working in the field of cryptography, an area of applied mathematics that seeks to develop confidentiality in electronic communication. Plaintiff is currently a Research Assistant Professor in the Department of Mathematics, Statistics and Computer Science at the University of Illinois at Chicago.
Encryption basically involves running a readable message known as "plaintext" through a computer program that translates the message according to an equation or algorithm into unreadable "ciphertext." Decryption is the translation back to plaintext when the message is received by someone with an appropriate "key." The message is both encrypted and decrypted by compatible keys.
The uses of cryptography are far-ranging in an electronic age, from protecting personal messages over the Internet and transactions on bank ATMs to ensuring the secrecy of military intelligence. In a prepublication copy of a report done by the National Research Council ("NRC") at the request of the Defense Department on national cryptography policy, the NRC identified four major uses of cryptography: ensuring data integrity, authenticating users, facilitating nonrepudiation (the linking of a specific message with a specific sender) and maintaining confidentiality. Tien Decl., Exh. E, National Research Council, National Academy of Sciences, Cryptography's Role in Securing the Information Society C-2 (Prepublication Copy May 30, 1996) (hereinafter "NRC Report").
Once a field dominated almost exclusively by governments concerned with protecting their own secrets as well as accessing information held by others, the last twenty years has seen the popularization of cryptography as industries and individuals alike have increased their use of electronic media and have sought to protect their electronic products and communications. NRC Report at vii. As part of this transformation, cryptography has also become a dynamic academic discipline within applied mathematics. Appel Decl. at 5; Blaze Decl. at 2.
II. Prior Regulatory Framework
As a graduate student, Bernstein developed an encryption algorithm he calls "Snuffle." He describes Snuffle as a zero-delay private-key encryption system. Complaint Exh. A. Bernstein has articulated his mathematical ideas in two ways: in an academic paper in English entitled "The Snuffle Encryption System," and in "source code" written in "C", a high-level computer programming language,
detailing both the encryption and decryption, which he calls "Snuffle.c" and "Unsnuffle.c", respectively. Once source code is converted into "object code," a binary system consisting of a series of 0s and 1s read by a computer, the computer is capable of encrypting and decrypting data.
In 1992 plaintiff submitted a commodity jurisdiction ("CJ") request to the State Department to determine whether Snuffle.c and Unsnuffle.c (together referred to as Snuffle 5.0), each submitted in C language source files, and his academic paper describing the Snuffle system, were controlled by ITAR.
The ODTC determined that the commodity Snuffle 5.0 was a defense article on the USML under Category XIII of the ITAR and subject to licensing by the Department of State prior to export. The ODTC identified the item as a "stand-alone cryptographic algorithm which is not incorporated into a finished software product." Complaint Exh. B.
Alleging that he was not free to teach, publish or discuss with other scientists his theories on cryptography embodied in his Snuffle program, plaintiff brought this action challenging the AECA and the ITAR on the grounds that they violated the First Amendment. In Bernstein I this court found that source code was speech for purposes of the First Amendment and therefore plaintiff's claims presented a colorable constitutional challenge and were accordingly justiciable. In Bernstein II the court concluded that the licensing requirements for encryption software under the ITAR constituted an unlawful prior restraint. The court also considered vagueness and overbreadth challenges to certain terms contained in the ITAR. The court issued its decision in Bernstein II on December 9, 1996.
III. The Transfer of Jurisdiction and the Current Regulatory Framework
On November 15, 1996, President Clinton issued Executive Order 13026, titled "Administration of Export Controls on Encryption Products," in which he ordered that jurisdiction over export controls on nonmilitary encryption products and related technology be transferred from the Department of State to the Department of Commerce. The President's Executive Order specifies that encryption products that would be designated as defense articles under the USML and regulated under the AECA are now to be placed on the Commerce Control List ("CCL") under the EAR. The White House Press Release accompanying the Executive Order clarified that encryption products designed for military applications would remain on the USML and continue to be regulated under the ITAR. Press Release Accompanying Exec. Order No. 13026, at 2 (hereinafter "Press Release"). The Executive Order also provides a caveat that is repeated in the Press Release and throughout the new regulations: "the export of encryption software, like the export of other encryption products described in this section, must be controlled because of such software's functional capacity, rather than because of any possible informational value of such software . . . ." Exec. Order No. 13026, 61 Fed. Reg. 58768 (1996). The Press Release states that encryption products must be controlled for foreign policy and national security interests and concludes by noting that if the new regulations do not provide adequate controls on encryption products then such products will be redesignated as defense articles and placed again on the USML. Press Release, at 1, 4.
The EAR were promulgated to implement the EAA, but the EAA is not permanent legislation. Lapses in the EAA have been declared national emergencies and the President has issued Executive Orders authorizing continuation of the EAR export controls under the authority of the International Emergency Economic Powers Act ("IEEPA"), 50 U.S.C. §§ 1701-1706. See e.g., Exec. Order No. 12924, 59 Fed. Reg. 43437 (1994). Executive Order 13026 states that the authority of the President to administer these changes in the export control system under the EAR derives in part from the IEEPA and that the new controls on encryption products are "additional steps with respect to the national emergency described and declared" in the previous Executive Orders continuing in effect the EAR. Exec. Order No. 13026, 61 Fed. Reg. 58767 (1996).
On December 30, 1996, the Bureau of Export Administration ("BXA") under the Department of Commerce issued an interim rule amending the EAR "by exercising jurisdiction over, and imposing new combined national security and foreign policy controls on, certain encryption items that were on the [USML]." 61 Fed. Reg. 68572 (1996) (to be codified at 15 C.F.R. Pts. 730-774) ("encryption regulations" or "new regulations"). The EAR is structured around the CCL, 15 C.F.R. Pt. 774, 61 Fed. Reg. 12937 (1996), which categorizes items whose export is regulated according to various criteria, including the reason for their control. The new regulations add a category called "Encryption Items" or "EI" as a reason for control. 61 Fed. Reg. 68579 (1996) (to be codified at 15 C.F.R. § 738.2(d)(2)(I)(A)). Encryption items are defined as "all encryption commodities, software, and technology that contain encryption features and are subject to the EAR." 61 Fed. Reg. 68585 (to be codified at 15 C.F.R. § 772). This does not include those items still listed on the USML and controlled by the Department of State. With certain exceptions, one must obtain a license from the BXA prior to exporting any item listed on the CCL. See 15 C.F.R. Pts. 740-44. All items on the CCL are given an Export Control Classification Number ("ECCN") which can be used to determine the categories under which an item is controlled and the reasons for its control.
The new regulations add three categories of items to the CCL which are controlled for EI reasons,
all of them more generally classified in Category 5, which covers telecommunications and information security. See 15 C.F.R. § 738.2(a). Those items are ECCN 5A002, covering encryption commodities; ECCN 5D002, covering encryption software; and ECCN 5E002, covering encryption technology. 61 Fed. Reg. 68586-87 (to be codified at 15 C.F.R. § 774 supp. 1). For export licensing purposes, encryption software is treated the same as an encryption commodity. See note following ECCN 5D002. A commodity is defined generally as "any article, material, or supply except technology and software." 61 Fed. Reg. 68585 (to be codified at 15 C.F.R. Pt. 772). Encryption software is regulated differently from other software controlled by the CCL and is defined as "computer programs that provide capability of encryption functions or confidentiality of information or information systems. Such software includes source code, object code, applications software, or system software." 61 Fed. Reg. 68585 (to be codified at 15 C.F.R. Pt. 772).
Definitions of encryption source code and encryption object code have also been added.
Technology has not been amended by the encryption regulations and is defined generally as the technical data or technical assistance necessary for the development or use of a product. 15 C.F.R. Pt. 772. Controlled technology is that technology required for the development or use of items on the CCL. 15 C.F.R. Pt. 774 supp. 2 (General Technology Note). New restrictions on technical assistance have been added, however, to require a license to provide technical assistance (including training) to foreign persons with the intent to aid them in the foreign development of items that if they were domestic would be controlled under ECCNs 5A002 and 5D002.
61 Fed. Reg. 68584 (to be codified at 15 C.F.R. § 744.9(a)); 61 Fed. Reg. 68579 (to be codified at 15 C.F.R. § 736.2(b)(7)(ii)).
The EAR defines export as "an actual shipment or transmission of items subject to the EAR out of the United States, or release of technology or software subject to the EAR to a foreign national in the United States . . . ." 15 C.F.R. § 734.2(b)(1). The encryption regulations add a specific definition of export for encryption source code and object code software controlled under ECCN 5D002 which includes
downloading, or causing the downloading of, such software to locations (including electronic bulletin boards, Internet file transfer protocol, and World Wide Web sites) outside the United States, over wire, cable, radio, electromagnetic, photooptical, photoelectric or other comparable communication facilities accessible to persons outside the United States, including transfers from electronic bulletin boards, Internet file transfer protocol and World Wide Web sites, unless the person making the software available takes precautions adequate to prevent unauthorized transfer of such code outside the United States.
61 Fed. Reg. 68578 (to be codified at 15 C.F.R. § 734.2(b)(9)).
A number of licensing exceptions are available under the EAR. See 15 C.F.R. Pt. 740. Under the encryption regulations, after a one-time review by BXA, licensing exceptions will be available for certain commercial encryption items, including mass-market encryption software, key-recovery software and commodities, and non-recovery encryption items up to 56-bit key length DES or equivalent strength software accompanied by a commitment to develop recoverable items. 61 Fed. Reg. 68581 (to be codified at 15 C.F.R. § 742.15). In general, items that are already publicly available or contain "de minimus" domestic content are not subject to the EAR. 15 C.F.R. §§ 734.3(b)(3) & 734.4. However, as directed by the President and implemented by the new regulations, these exceptions do not apply to encryption commodities or software. 61 Fed. Reg. 68577-78 (to be codified at 15 C.F.R. §§ 732.2(b) & (d), 734.3(b)(3), 734.4(b)); Exec. Order No. 13026, 61 Fed. Reg. 58768 (1996) ("I have determined that the export of encryption products described in this section could harm national security and foreign policy interests even where comparable products are or appear to be available from sources outside the United States . . . ."). This exception for encryption software to the general exclusion of publicly available items appears to pertain to publicly available or published information and software within the United States as well. 61 Fed. Reg. 68578 (to be codified at 15 C.F.R. § 734.7(c)). In addition, the EAR allows for broadly defined exceptions from the regulations for information resulting from findamental research and educational information. 15 C.F.R. §§ 734.8, 734.9, & supp. 1. Neither of these exceptions applies to encryption software controlled under ECCN 5D002. 61 Fed. Reg. 68579 (to be codified at 15 C.F.R. §§ 734.8, 734.9). They do appear to apply to encryption technology. Finally, phonographic records and most printed matter are not subject to the EAR and encryption software is not exempted from this exclusion. 15 C.F.R. § 734.3(b)(2). Indeed, an intriguing if somewhat baffling note appears in the new regulations: "A printed book or other printed material setting forth encryption source code is not itself subject to the EAR (see § 734.3(b)(2)). However, notwithstanding § 734.3(b)(2), encryption source code in electronic form or media (e.g. computer diskette or CD ROM) remains subject to the EAR (see § 734.3(b)(3))."
61 Fed. Reg. 68578 (to be codified at 15 C.F.R. § 734.3).
Licenses are required for export of items controlled by ECCNs 5A002, 5D002 and 5E002 for all destinations except Canada. 61 Fed. Reg. 68580 (to be codified at 15 C.F.R. § 742.15(a)). Applications for licenses "will be reviewed on a case-by-case basis by BXA, in conjunction with other agencies, to determine whether the export or reexport is consistent with U.S. national security and foreign policy interests." 61 Fed. Reg. 68581 (to be codified at 15 C.F.R. § 742.15(b)). The EAR provides that license applications will be resolved or referred to the President within 90 days. 15 C.F.R. § 750.4(a). While an applicant who is denied a license is informed of appeal procedures, 15 C.F.R. § 750.6(a)(6), the EAR does not appear to allow for judicial review. 15 C.F.R. § 756.2(c)(2); 50 U.S.C. App. § 2412(e).
Under Federal Rule of Civil Procedure 56, summary judgment shall be granted "against a party who fails to make a showing sufficient to establish the existence of an element essential to that party's case, and on which that party will bear the burden of proof at trial . . . since a complete failure of proof concerning an essential element of the nonmoving party's case necessarily renders all other facts immaterial." Celotex Corp. v. Catrett, 477 U.S. 317, 322-23, 91 L. Ed. 2d 265, 106 S. Ct. 2548 (1986); see also T.W. Elec. Serv. v. Pacific Elec. Contractors Ass'n, 809 F.2d 626, 630 (9th Cir. 1987) (the nonmoving party may not rely on the pleadings but must present significant probative evidence supporting the claim); Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248, 91 L. Ed. 2d 202, 106 S. Ct. 2505 (1986) (a dispute about a material fact is genuine "if the evidence is such that a reasonable jury could return a verdict for the nonmoving party.").
The court's function, however, is not to make credibility determinations, Anderson, 477 U.S. at 249, and the inferences to be drawn from the facts must be viewed in a light most favorable to the party opposing the motion. T.W. Elec. Serv., 809 F.2d at 631.
Where as here, the question is purely a legal one involving no disputes of material fact, the matter is appropriately handled on a motion for summary judgment.
Plaintiff contends that the EAR, specifically the amendments regulating encryption items, both facially and as applied, constitutes a prior restraint on plaintiff's right to free speech, is unconstitutionally vague and overbroad, is content-based, and violates his freedom of association. Plaintiff also claims that the presidential transfer of jurisdiction to the Commerce Department and the encryption regulations themselves exceed their statutory authority and are ultra vires. Plaintiff requests declaratory and nationwide injunctive relief. In addition to opposing plaintiff's claims, defendants seek to dismiss certain defendants as extraneous and ask that the court vacate its decision in Bernstein II.
I. Statutory Authority of the President and the Agency to Regulate Encryption Items
Defendants contend that the court lacks jurisdiction to review presidential determinations under the IEEPA. To the extent a claim may still lie against the Secretary, defendants argue that the IEEPA does not preclude export controls on encryption items.
Although the parties do not identify this claim as a threshold issue, plaintiff's argument is that the transfer of jurisdiction to Commerce and the Secretary's regulations were in excess of their statutory authority and are therefore invalid. To the extent this issue implicates the very validity of the current regulations, the court finds that it should be addressed before a review on the merits. In addition, courts must consider nonconstitutional questions before reaching constitutional considerations in order to avoid passing on constitutionality where possible. Jean v. Nelson, 472 U.S. 846, 854, 86 L. Ed. 2d 664, 105 S. Ct. 2992 (1985).
The IEEPA authorizes the President "to deal with any unusual and extraordinary threat, which has its source in whole or substantial part outside the United States, to the national security, foreign policy, or economy of the United States, if the President declares a national emergency with respect to such threat." 50 U.S.C. § 1701(a). Under this authority the President may "investigate, regulate, or prohibit any transaction in foreign exchange," 50 U.S.C. § 1702(a)(1)(A)(I), and "investigate, regulate, direct and compel, nullify, void, prevent or prohibit, any . . . exportation of . . . any property in which any foreign country or a foreign national thereof has any interest . . . ." 50 U.S.C. § 1702(a)(1)(B). However, the IEEPA explicitly excludes any authority
to regulate or prohibit, directly or indirectly--any postal, telegraphic, or other personal communication, which does not involve a transfer of anything of value; . . . or the importation from any country, or the exportation to any country, whether commercial or otherwise, regardless of format or medium of transmission, of any information or informational materials, including but not limited to, publications, films, posters, ...