12 April 1998
Source: Digital file from Peter Junger
See related files at Peter Junger's Web site: http://samsara.LAW.CWRU.Edu/comp_law/jvd/
Documents of the suit: http://jya.com/pdj.htm
UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF OHIO
|PETER D. JUNGER
WILLIAM M. DALEY, United States Secretary of
Commerce; UNITED STATES DEPARTMENT
OF COMMERCE; LT. GEN. KENNETH A.
MINIHAN, Director, National Security Agency.
Pursuant to the direction of the Court, the parties hereby submit the following stipulation of undisputed facts in connection with the parties' pending cross-motions for summary judgment. This stipulation contains solely facts that are undisputed for purposes of the pending motions only. The parties reserve the right to argue whether certain facts are material to the legal issues before the Court. The Court is also referred to the parties' respective pleadings, memoranda, declarations or affidavits, citations to authority, and other evidence that the parties have submitted for the record in connection with the pending motions.
The parties hereby stipulate and agree that the following
I. Cryptography and Encryption
1. "Cryptography" concerns the encryption and decryption of communications, records and other data. "Encryption" is the process by which the original, "human-readable" text of a message or document (also known as plaintext) is transformed into a text that the sender and recipient intend not to be understandable by third parties (known as "ciphertext"). "Decryption" is the reverse process of transforming the ciphertext message or document into the original plaintext.
2. Cryptography is used in an effort to prevent the unauthorized interception, viewing, reading, tampering, and forging of communications. In the absence of cryptography, information sent via a computer is unsecure and may be viewed by those other than the intended recipient.
3. Most modern cryptography uses a "key" -- specific information (analogous to entering a password) that is necessary to decrypt ciphertext. Whether an encrypted message is actually secure depends, inter alia, on the relative "strength" of the encryption as well as the security of the key.
4. "Cryptanalysis" refers to the science and activity of "breaking" a ciphertext message without the key (i.e., determining the content of encrypted communications). According to the National Security Agency, cryptanalysis is one of its principal "signals intelligence" activities.
5. A person can encrypt a message or document on
general-purpose computers, including "desktop" computers, of the sort in
common use here and abroad.
II. Regulatory Background
6. Interim regulations governing the export of encryption were published by the Department of Commerce on December 30, 1996, and the licensing requirements at issue are now set forth in the Export Administration Regulations ("EAR"), 15 C.F.R. Part 730 et seq.; see 61 Fed. Reg. 68572 et seq. (December 30, 1996).
7. The "Commerce Control List" ("CCL"), see 15 C.F.R. Part 774, is a list of items whose export is subject to licensing regulation. Encryption circuitry and hardware products are covered in CCL Category 5 as amended by ECCN 5A002, while encryption software is covered by amended ECCN 5D002, and encryption technology is covered by amended ECCN 5E002. See 15 C.F.R. Part 774, ECCN 5A002 and 5D002, 5E002.
III. Encryption Software Programs
8. Computer software is the set of instructions, written by programmers, that tell computer hardware to perform certain tasks. See Bateman v. Mnemonics, Inc., 79 F.3d 1532, 1537 n.11 (11th Cir. 1996). The EAR defines encryption software to mean computer programs that provide the "capability of encryption functions or confidentiality of information or information systems." See 15 C.F.R. Part 772 (definitions). Encryption software implements a cryptographic "algorithm," which is a set of instructions, usually made up of mathematical functions or equations, that can be applied to encrypt plaintext into ciphertext. Software programs take two general forms: object code and source code.
9. The EAR defines encryption source code to mean "[a] precise set of operating instructions to a computer that, when compiled, allows for the execution of an encryption function on a computer." See 15 C.F.R. Part 772.
10. The EAR defines encryption object code to mean "[c]omputer programs containing an encryption source code that has been compiled into a form of code that can be directly executed by a computer to perform an encryption function." See 15 C.F.R. Part 772. Object code may be conveniently thought of as a series of binary digits -- "ones" and "zeros" -- that may be directly executed by a computer microprocessor.
11. Source code may be converted into object code through a process called "compiling," whereby source code is converted into object code through the use of another program called a "compiler."
12. Source code in "interpreted" programming languages, like BASIC and PERL, may be converted into executable machine code by running a computer program called an "interpreter" at the same time the source code is executed by the computer, without creating a separate file of object code. Programs in interpreted languages cannot be executed on a computer without running the source code with the appropriate interpreter.
13. Software in source code form can be understood by computer scientists, mathematicians, programmers and others with knowledge of the particular language in which the program is written.
14. Source code, when compiled or interpreted, can be used to control the operation of a computer.
15. A person may modify software (including source code) to perform different or additional functions, or to incorporate it into another software program, like a Web Browser. Software in source code form may also be capable of being compiled or interpreted on computers with different operating systems.
16. Some programmers may review object code to "diagnose and repair systems" and to "facilitate debugging and maintenance" of software in order to fix or improve the actual execution of the software on a computer.
17. Encryption software in electronic form is subject to the EAR, while such software published in printed form is not subject to the EAR. See 15 C.F.R. 734.3(b)(2) (note). It is possible to type or "scan" printed source code into a computer as described in the Declaration of Philip R. Karn 5-15 (Plaintiff's Exh. "W") using Optical Character Recognition Technology ("OCR"). OCR technology may not produce error free reproductions of the scanned material. Any errors in the program, whether in the original print version or in the typed or scanned version, must be detected and corrected before information can be encrypted.
III. Publication and the Internet
18. Articles, papers, journals, and textbooks concerning cryptography, and containing and discussing cryptographic theories, algorithms, and computer code, are commonly published and distributed.
19. Academic courses on cryptography, including theories concerning cryptographic algorithms and software, are taught at many U.S. colleges and universities. Many U.S. colleges and universities have World Wide Web sites for particular classes in a broad range of disciplines, including cryptography, where class information, syllabuses, class notes and other information is available on-line.
20. Software programming is widely taught and researched. Textbooks and "do-it-yourself" books on developing and writing software programs have been published.
21. Public conferences and symposia are commonly held at which theories of cryptography, including algorithms and their implementation in source code, are publicly discussed.
22. For purposes of encryption software subject to ECCN 5D002, the EAR defines "export" to include an actual shipment, transfer, or transmission out of the United States (or to an embassy or affiliate of a foreign country in the United States), including by means of making the software available electronically for downloading outside the United States through the Internet. See 15 C.F.R. 734.2(b)(9).
23. The Internet is an international network of computers by which people all over the world communicate with each other and exchange materials, including academic information. Students and teachers use the Internet to "publish" their writings and research. Some universities require their students to post their master's theses and dissertations on the Internet. Law professors post draft articles on the World Wide Web. Law review articles and court opinions are available on the Internet. The World Wide Web extends beyond the scientific and academic community to include materials by individuals, non-profit organizations, and businesses.
24. Computer software can be distributed electronically over the Internet. Software distributed on the Internet can be downloaded to a computer hard drive.
25. Certain encryption software programs are available on the Internet and can be downloaded from foreign sites.
26. The EAR does not contain an exemption from licensing requirements for "non-commercial" or "academic" exports of encryption software. [Reinsch Dec. 21].
IV. Plaintiff's Administrative Requests
27. By letter dated June 12, 1997, plaintiff submitted three applications to the Commerce Department requesting "commodity classification" determinations for various encryption software programs and other items. See Exhibit C to Supplemental Complaint and Tabs 5, 6, 7 to the Declaration of William A. Reinsch. Under the EAR, an individual may request a determination from the Bureau of Export Administration as to whether a particular commodity is subject to the export licensing jurisdiction of the Commerce Department. See 15 C.F.R. 748.3.
28. By letter dated July 4, 1997, the Bureau of Export Administration ("BXA") responded to plaintiff's three commodity classification requests. See Exhibit D to the Supplemental Complaint and Tabs 8-11 to the Reinsch Declaration.
29. In response to plaintiff's first application, BXA determined that four of five software programs submitted by plaintiff were covered by ECCN 5D002 and, thus, are subject to the export licensing requirements of the EAR, while one software program was not covered by ECCN 5D002. See Tab 9 to the Reinsch Declaration.
30. Plaintiff seeks to "export" encryption software (in source code and object code forms) subject to ECCN 5D002 of the CCL by means of the unrestricted posting to the Internet and by other means also defined as an "export" under the EAR.
31. In response to plaintiff's second application, BXA determined that a set of instructions for creating the computer program that was not classified as ECCN 5D002 was not encryption software under ECCN 5D002, and there is no licensing restriction that precludes plaintiff from making this item publicly available or exporting it. See Tab 10 to the Reinsch Declaration. BXA also determined that the non-software portions of plaintiff's "Chapter One to Computers and the Law" are not subject to the EAR. Id.
32. Upon a separate request by plaintiff by letter dated July 18, 1997 (see Exhibit E to Supplemental Complaint and Tab 12 to Reinsch Declaration), the software programs contained in "Chapter One to Computers and the Law" were evaluated separately, and BXA determined by letter dated August 7, 1997, that none of the software programs contained in the Chapter were encryption software subject to ECCN 5D002. See Exhibit F to Supplemental Complaint and Tab 13 to Reinsch Declaration. BXA advised plaintiff that no export licensing restriction applied if he desired to export the entire chapter he submitted, in electronic form or otherwise. Id.
33. Also by letter dated July 18, 1997, plaintiff requested a separate determination on the status of the same Chapter if he later decided to modify the item to include software that was subject to ECCN 5D002. See Exhibit E to Supplemental Complaint and Tab 12 to Reinsch Declaration. By letter dated August 7, 1997, BXA responded to plaintiff's inquiry by indicating that encryption software subject to ECCN 5D002 is not exempt from licensing requirements simply because it is consolidated with other material not subject to the EAR. See Tab 13 to Reinsch Declaration.
34. Also in his second application by letter dated June 12, 1997, plaintiff requested a commodity classification for a page on his Web site containing "html" hyperlinks to encryption programs already located overseas. See Tab 6 to Reinsch Declaration. By letters dated July 4 and August 7, 1997, BXA advised plaintiff that this is not an export activity. See Tabs 9 and 13 to Reinsch Declaration.
35. In plaintiff's third application by letter dated June 12, 1997, he sought a classification for "any encryption program that can be used to maintain secrecy by implementing a certain algorithm, such as RC2 or RSA." See Tab 6 to Resinch Declaration. By letter dated July 4, 1997, BXA advised plaintiff that this request did not provide sufficient technical detail for a specific software item to enable a classification by BXA. See Tab 8 to Reinsch Declaration.
|FOR THE DEFENDANTS||FOR THE PLAINTIFF|
|FRANK W. HUNGER
Assistant Attorney General
EMILY M. SWEENEY
VINCENT M. GARVEY
ANTHONY J. COPPOLINO
GINO J. SCARSELLI (0062327)
RAYMOND VASVARI (0055538)
KEVIN FRANCIS O'NEILL (0010481)
|Attorneys for the Defendants||Attorneys for the Plaintiff|
HTML by JYA/Urban Deadline