Bernstein v. U.S. Dept. of State, C-95-0582 MHP.

• Citation: 974 F.Supp. 1288
• Decision Date: 25 August 1997
• Docket Number: No. C-95-0582 MHP.,C-95-0582 MHP.
• Court: U.S. District Court — Northern District of California
• Parties: Daniel J. BERNSTEIN, Plaintiff, v. UNITED STATES DEPARTMENT OF STATE, et al., Defendants.

974 F.Supp. 1288

Daniel J. BERNSTEIN, Plaintiff, v. UNITED STATES DEPARTMENT OF STATE, et al., Defendants.

No. C-95-0582 MHP.

United States District Court, N.D. California.

August 25, 1997.

COPYRIGHT MATERIAL OMITTED

COPYRIGHT MATERIAL OMITTED

Cindy A. Cohn, McGlashan & Sarrail, San Mateo, CA, Lee Tien, Berkeley, CA, M. Edward Ross, Steefel, Levitt & Weiss, San Francisco, CA, James R. Wheaton, Environmental Law Foundation, Oakland, CA, for Plaintiff.

Frank W. Hunger, Asst. Atty. Gen., U.S. Dept. of Justice Torts, Civil Div., San Francisco, CA, Michael J. Yamaguchi, U.S. Atty., Mary Beth Uitti, U.S. Attorney's Office, San Francisco, CA, Vincent M. Garvey, U.S.D.J.-Civil Div., Washington, DC, Anthony J. Coppolino, U.S. Dept. of Justice, Civil Division-Federal Programs Branch, Washington, DC, for Defendants.

OPINION

PATEL, District Judge.

Plaintiff Daniel Bernstein originally brought this action against the Department of State and the individually named defendants seeking declaratory and injunctive relief from their enforcement of the Arms Export Control Act ("AECA"), 22 U.S.C. § 2778 (1990), and the International Traffic in Arms Regulations ("ITAR"), 22 C.F.R. Pts. 120-30 (1994), on the grounds that they are unconstitutional on their face and as applied to plaintiff. The court granted in part and denied in part the parties' cross motions for summary judgment on December 9, 1996. Just prior to the court's order, President Clinton by Executive Order 13026 transferred jurisdiction over the export of nonmilitary encryption products to the Department of Commerce pursuant to the Export Administration Act of 1979 ("EAA"), 50 U.S.C.App. §§ 2401 et seq. (1991), and the Export Administration Regulations ("EAR"), 15 C.F.R. Pt. 730 et seq. (1997). On December 30, 1996, the Commerce Department issued an interim rule regulating the export of certain encryption products. 61 Fed.Reg. 68572 (Dec. 30, 1996). Plaintiff subsequently amended his complaint to include the new regulations and new defendants. Now before this court are the parties' second cross-motions for summary judgment on the question of whether the licensing requirements for the export of cryptographic devices, software and related technology covered by the amendments to the EAR constitute an impermissible infringement on speech in violation of the First Amendment.

Having considered the parties' arguments and submissions, and for the reason set forth below, the court enters the following memorandum and order.

BACKGROUND¹

At the time this action was filed, plaintiff was a PhD candidate in mathematics at University of California at Berkeley working in the field of cryptography, an area of applied mathematics that seeks to develop confidentiality in electronic communication. Plaintiff is currently a Research Assistant Professor in the Department of Mathematics, Statistics and Computer Science at the Encryption basically involves running a readable message known as University of Illinois at Chicago.

I. Cryptography

Encryption basically involves running a readable message known as "plaintext" through a computer program that translates the message according to an equation or algorithm into unreadable "ciphertext." Decryption is the translation back to plaintext when the message is received by someone with an appropriate "key." The message is both encrypted and decrypted by compatible keys.² The uses of cryptography are far-ranging in an electronic age, from protecting personal messages over the Internet and transactions on bank ATMs to ensuring the secrecy of military intelligence. In a prepublication copy of a report done by the National Research Council ("NRC") at the request of the Defense Department on national cryptography policy, the NRC identified four major uses of cryptography: ensuring data integrity, authenticating users, facilitating nonrepudiation (the linking of a specific message with a specific sender) and maintaining confidentiality. Tien Decl., Exh. E, National Research Council, National Academy of Sciences, Cryptograph's Role in Securing the Information Society C-2 (Prepublication Copy May 30, 1996) (hereinafter "NRC Report").

Once a field dominated almost exclusively by governments concerned with protecting their own secrets as well as accessing information held by others, the last twenty years has seen the popularization of cryptography as industries and individuals alike have increased their use of electronic media and have sought to protect their electronic products and communications. NRC Report at vii. As part of this transformation, cryptography has also become a dynamic academic discipline within applied mathematics. Appel Dec. at 5; Blaze Dec. at 2.

II. Prior Regulatory Framework

Plaintiff's original complaint and both of the court's decisions in this action were directed at the regulations in force at the time, the ITAR, promulgated to implement the AECA. The ITAR, administered within the State Department by the Director of the Office of Defense Trade Controls ("ODTC"), Bureau of Politico-Military Affairs, regulates the import and export of defense articles and defense services by designating such items to the United States Munitions List ("USML"). 22 U.S.C. § 2778(a)(1).³ Items listed on the USML, which at the time included all cryptographic systems and software, require a license before they can be imported or exported. 22 U.S.C. § 2778(b)(2). The ITAR allows for a "commodity jurisdiction procedure" by which the ODTC determines if an article or service is covered by the USML when doubt exists about an item. 22 C.F.R. § 120.4(a).

As a graduate student, Bernstein developed an encryption algorithm he calls "Snuffle." He describes Snuffle as a zero-delay private-key encryption system. Complaint Exh. A. Bernstein has articulated his mathematical ideas in two ways: in an academic paper in English entitled "The Snuffle Encryption System," and in "source code" written in "C", a high-level computer programming language,⁴ detailing both the encryption and decryption, which he calls "Snuffle.c" and "Unsnuffle.c", respectively. Once source code is converted into "object code," a binary system consisting of a series of 0s and 1s read by a computer, the computer is capable of encrypting and decrypting data.

In 1992 plaintiff submitted a commodity jurisdiction ("CJ") request to the State Department to determine whether Snuffle.c and Unsnuffle.c (together referred to as Snuffle 5.0), each submitted in C language source files, and his academic paper describing the Snuffle system, were controlled by ITAR.⁵ The ODTC determined that the commodity Snuffle 5.0 was a defense article on the USML under Category XIII of the ITAR and subject to licensing by the Department of State prior to export. The ODTC identified the item as a "stand-alone cryptographic algorithm which is not incorporated into a finished software product." Complaint Exh. B.

Alleging that he was not free to teach, publish or discuss with other scientists his theories on cryptography embodied in his Snuffle program, plaintiff brought this action challenging the AECA and the ITAR on the grounds that they violated the First Amendment. In Bernstein I this court found that source code was speech for purposes of the First Amendment and therefore plaintiff's claims presented a colorable constitutional challenge and were accordingly justiciable. In Bernstein II the court concluded that the licensing requirements for encryption software under the ITAR constituted an unlawful prior restraint. The court also considered vagueness and overbreadth challenges to certain terms contained in the ITAR. The court issued its decision in Bernstein II on December 9, 1996.

III. The Transfer of Jurisdiction and the Current Regulatory Framework

On November 15, 1996, President Clinton issued Executive Order 13026, titled "Administration of Export Controls on Encryption Products," in which he ordered that jurisdiction over export controls on nonmilitary encryption products and related technology be transferred from the Department of State to the Department of Commerce. The President's Executive Order specifies that encryption products that would be designated as defense articles under the USML and regulated under the AECA are now to be placed on the Commerce Control List ("CCL") under the EAR. The White House Press Release accompanying the Executive Order clarified that encryption products designed for military applications would remain on the USML and continue to be regulated under the ITAR. Press Release Accompanying Exec. Order No. 13026, at 2 (hereinafter "Press Release"). The Executive Order also provides a caveat that is repeated in the Press Release and throughout the new regulations: "the export of encryption software, like the export of other encryption products described in this section, must be controlled because of such software's functional capacity rather than because of any possible informational value of such software...." Exec. Order No. 13026, 61 Fed.Reg. 58768 (1996). The Press Release states that encryption products must be controlled for foreign policy and national security interests and concludes by noting that if the new regulations do not provide adequate controls on encryption products then such products will be redesignated as defense articles and placed again on the USML. Press Release, at 1, 4.

The EAR were promulgated to implement the EAA, but the EAA is not permanent legislation. Lapses in the EAA have been declared national emergencies and the President has issued Executive Orders authorizing continuation of the EAR export controls under the authority of the International Emergency Economic Powers Act ("IEEPA"), 50 U.S.C. §§ 1701-1706. See e.g., Exec. Order No. 12924, 59 Fed.Reg. 43437 (1994). Executive Order 13026 states that the authority of the President to administer these changes in the export control system under the EAR derives in part from the IEEPA and that...