Bernstein v. U.S. Dept. of State

• Decision Date: 09 December 1996
• Docket Number: No. C-95-0582 MHP.,C-95-0582 MHP.
• Citation: 945 F.Supp. 1279
• Court: U.S. District Court — Northern District of California
• Parties: Daniel J. BERNSTEIN, Plaintiff, v. UNITED STATES DEPARTMENT OF STATE et al., Defendants.

945 F.Supp. 1279

Daniel J. BERNSTEIN, Plaintiff, v. UNITED STATES DEPARTMENT OF STATE et al., Defendants.

No. C-95-0582 MHP.

United States District Court, N.D. California.

December 9, 1996.

COPYRIGHT MATERIAL OMITTED

COPYRIGHT MATERIAL OMITTED

Cindy A. Cohn, McGlashan & Sarrail, San Mateo, CA, Lee Tien, Berkeley, CA, James R. Wheaton, James Wheaton Law Offices, Oakland, CA, M. Edward Ross, Steefel Levitt & Weiss, San Francisco, CA, for Daniel J. Bernstein.

Frank W. Hunger, Asst. Atty. Gen., U.S. Dept. of Justice, Torts, Civil Division, San Francisco, CA, Michael J. Yamaguchi, U.S. Atty., Mary Beth Uitti, U.S. Attorney's Office, San Francisco, CA, Vincent M. Garvey, USDJ-Civil Division, Washington, DC, Anthony J. Coppolino, U.S. Department of Justice, Civil Division-Federal Programs Branch, Washington, DC, for United States Department of State, United States Arms Control & Disarmament Agency, United States Department of Defense, U.S. Dept. of Commerce, National Security Agency.

MEMORANDUM AND ORDER

PATEL, District Judge.

Plaintiff Daniel Bernstein brought this action against the Department of State and the individually named defendants seeking declaratory and injunctive relief from their enforcement of the Arms Export Control Act ("AECA"), 22 U.S.C. § 2778, and the International Traffic in Arms Regulations ("ITAR"), 22 C.F.R. §§ 120.1-130.7 (1994), on the grounds that they are unconstitutional on their face and as applied to plaintiff. Now before this court are cross-motions for summary judgment on the question of whether the licensing requirements for the export of cryptographic devices and software covered by Part 121, Category XIII(b) of the ITAR and the export control over related technical data constitute an impermissible infringement on speech in violation of the First Amendment.

Having considered the parties' arguments and submissions, and for the reason set forth below, the court enters the following memorandum and order.

BACKGROUND¹

At the time this action was filed, plaintiff was a PhD candidate in mathematics at University of California at Berkeley working in the field of cryptography, an area of applied mathematics that seeks to develop confidentiality in electronic communication. Plaintiff is currently a Research Assistant Professor in the Department of Mathematics, Statistics and Computer Science at the University of Illinois at Chicago.

I. Cryptography

Encryption basically involves running a readable message known as "plaintext" through a computer program that translates the message according to an equation or algorithm into unreadable "ciphertext." Decryption is the translation back to plaintext when the message is received by someone with an appropriate "key." The message is both encrypted and decrypted by compatible keys.² The uses of cryptography are far-ranging in an electronic age, from protecting personal messages over the Internet and transactions on bank ATMs to ensuring the secrecy of military intelligence. In a prepublication copy of a report done by the National Research Council ("NRC") at the request of the Defense Department on national cryptography policy, the NRC identified four major uses of cryptography: ensuring data integrity, authenticating users, facilitating nonrepudiation (the linking of a specific message with a specific sender) and maintaining confidentiality. Tien Decl., Exh. E, National Research Council, National Academy of Sciences, Cryptography's Role in Securing the Information Society C-2 (Prepublication Copy May 30, 1996) (hereinafter "NRC Report").

Once a field dominated almost exclusively by governments concerned with protecting their own secrets as well as accessing information held by others, the last twenty years has seen the popularization of cryptography as industries and individuals alike have increased their use of electronic media and have sought to protect their electronic products and communications. NRC Report at vii. As part of this transformation, cryptography has also become a dynamic academic discipline within applied mathematics. Appel Decl. at 5; Blaze Decl. at 2.

As a graduate student, Bernstein developed an encryption algorithm he calls "Snuffle." He describes Snuffle as a zero-delay private-key encryption system. Complaint Exh. A. Bernstein has articulated his mathematical ideas in two ways: in an academic paper in English entitled "The Snuffle Encryption System," and in "source code" written in "C", a high-level computer programming language,³ detailing both the encryption and decryption, which he calls "Snuffle.c" and "Unsnuffle.c", respectively. Once source code is converted into "object code," a binary system consisting of a series of 0s and 1s read by a computer, the computer is capable of encrypting and decrypting data.⁴

II. Statutory and Regulatory Background

The Arms Export Control Act authorizes the President to control the import and export of defense articles and defense services by designating such items to the United States Munitions List ("USML"). 22 U.S.C. § 2778(a)(1). Once on the USML, and unless otherwise exempted, a defense article or service requires a license before it can be imported or exported. 22 U.S.C. § 2778(b)(2).

The International Traffic in Arms Regulations, 22 C.F.R. §§ 120.1-130.17, were promulgated by the Secretary of State, who was authorized by executive order to implement the AECA. The ITAR is administered primarily within the Department of State by the Director of the Office of Defense Trade Controls ("ODTC"), Bureau of Politico-Military Affairs. The ITAR allows for a "commodity jurisdiction procedure" by which the ODTC determines if an article or service is covered by the USML when doubt exists about an item. 22 C.F.R. § 120.4(a). Also contained in the ITAR are the licensing requirements for defense articles, 22 C.F.R. § 123, and technical data, 22 C.F.R. § 125.

Categories of items covered by the USML are enumerated at section 121.1. Category XIII, Auxiliary Military Equipment, includes "Cryptographic (including key management) systems, equipment, assemblies, modules, integrated circuits, components or software with the capability of maintaining secrecy or confidentiality of information or information systems...." 22 C.F.R. § 121.1 XIII(b)(1). A number of applications of cryptography are excluded, such as those used in automated teller machines and certain mass market software products that use encryption. Id.

A "defense article" is defined by the ITAR as any item or technical data that has been designated in the USML. 22 C.F.R. § 120.6. A "defense service" is any assistance rendered to a foreign person in the United States or abroad in the development or use of a defense article, 22 C.F.R. § 120.9(a)(1), or the furnishing of technical data to a foreign person, 22 C.F.R. § 9(a)(2).

"Technical data" is perhaps the most confusing category of items regulated by the ITAR since it is defined separately and in relation to defense articles, 22 C.F.R. § 120.10, but is also defined as a defense article when it is covered by the USML. See 22 C.F.R. § 120.6. It generally covers information "which is required for the design development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of defense articles." 22 C.F.R. § 120.10. It also encompasses software directly related to defense articles. 22 C.F.R. § 120.10(a)(4). Software "includes but is not limited to the system functional design, logic flow, algorithms, application programs, operating systems and support software for design, implementation, test operation, diagnosis and repair." 22 C.F.R. § 121.8(f). A person who wants to export software that is not designated on the USML can apply for a technical data license. 22 C.F.R. § 121.8(f).

The definition of technical data includes some noteworthy exemptions. Technical data "does not include information concerning general scientific, mathematical or engineering principles commonly taught in schools, colleges and universities or information in the public domain...." 22 C.F.R. § 120.10(a)(5). The public domain exemption excludes from technical data information which is "published and generally accessible" to the public through newsstands, bookstores, subscriptions, libraries, conferences and trade exhibitions. 22 C.F.R. § 120.11(a)(1)-(6). The public domain also includes information available to the public through fundamental research at accredited institutions of higher learning:

Fundamental research is defined to mean basic and applied research in science and engineering where the resulting information is ordinarily published and shared broadly within the scientific community, as distinguished from research the results of which are restricted for proprietary reasons or specific U.S. Government access and dissemination controls.

22 C.F.R. § 120.11(a)(8). It is apparent from the ITAR, and neither party appears to dispute it, that the public domain exceptions apply only to technical data and not to defense articles.

Finally, "export" is defined as "[s]ending or taking a defense article out of the United States in any manner", 22 C.F.R. § 120.17(a)(1), and as "[d]isclosing (including oral or visual disclosure) or transferring technical data to a foreign person, whether in the United States or abroad". 22 C.F.R. § 120.17(a)(4).

III. Plaintiff's Commodity Jurisdiction Determinations

On June 30, 1992 Bernstein submitted a commodity jurisdiction ("CJ") request to the State Department to determine whether three items were controlled by ITAR. Those items were Snuffle.c and Unsnuffle.c (together referred to as Snuffle 5.0), each submitted in C language source files, and his academic paper describing the Snuffle system. Complaint Exh. A. On August 20, 1992 the ODTC informed Bernstein that after consultation with the Departments of Commerce and Defense it had determined that the commodity Snuffle 5.0 was a defense article on the USML under Category XIII of...