1 September 1997
Source: Hardcopy from Greg Broiles
(http://www.parrhesia.com)
See subsequent Bernstein Stay: http://jya.com/bernstein-stay.htm
See related case documents: http://www.eff.org/pub/Legal/Cases/Bernstein_v_DoS/Legal/
See related EAR documents: http://jya.com/eartoc.htm
FILED AUG 25 2 12 PM '97 RICHARD W. WIEKING CLERK U.S. DISTRICT COURT NO. DIST. OF CA. UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA DANIEL J. BERNSTEIN No. C-95-0582 MHP Plaintiff OPINION vs. UNITED STATES DEPARTMENT OF STATE, et al. Defendants _________________________________________/ Plaintiff Daniel Bernstein originally brought this action against the Department of State and the individually named defendants seeking declaratory and injunctive relief from their enforcement of the Arms Export Control Act ("AECA"), 22 U.S.C. § 2778 (1990), and the International Traffic in Arms Regulations ("ITAR"), 22 C.F.R. §§ 120-30 (1994), on the grounds that they are unconstitutional on their face and as applied to the plaintiff. The court granted in part and denied in part the parties' cross motions for summary judgment on December 9, 1996. Just prior to the court's order, President Clinton by Executive Order 13026 transferred jurisdiction over the export of nonmilitary encryption products to the Department of Commerce pursuant to the Export Administration Act of 1979 ("EAA"). 50 U.S.C. App. §§ 2401 et seq. (1991), and the Export Administration Regulations ("EAR"), 15 C.F.R. Pt. 730 et seq. (1997). On December 30, 1996, the Commerce Department issued an interim rule regulating certain encryption products. 61 Fed. Reg. 68572 (Dec. 30, 1996). Plaintiff subsequently amended his complaint to include the 1
new regulations and new defendants. Now before this court are the parties' second cross-motions for summary judgment on the question of whether licensing requirements for th export of cryptographic devices, software and related technology covered by the amendments to the EAR constitute an impermissable infringement on speech in violation of the First Amendment. Having considered the parties' arguments and submissions, and for the reason set forth below, the court enters the following memorandum and order. BACKGROUND1 At the time this action was filed, plaintiff was a PhD candidate in mathematics at University of California at Berkeley working in the field of cryptography, an area of applied mathematics that seeks to develop confidentiality in electronic communication. Plaintiff is currently a Research Assistant Professor in the Department of Mathematics, Statistics and Computer Science at the University of Illinois at Chicago. I. Cryptography Encryption basically involves running a readable message known as "plaintext" through a computer program that translates the message according to an equation or algorithm into unreadable "ciphertext." Decryption is the translation back to plaintext when the message is received by someone with an appropriate "key." The message is both encrypted and decrypted by compatible keys.2 The uses of cryptography are far-ranging in an electronic age, from protecting personal messages over the Internet and transactions on bank ATMs to ensuring the secrecy of military intelligence. In a prepublication copy of a report done by the National Research Council ("NRC") at the request of the Defense Department on national cryptography policy, the NRC identified four major uses of cryptography: ensuring data integrity, authenticating users, facilitating nonrepudiation (the linking of a specific message with a specific sender) and maintaining confidentiality. Tien Decl., Exh. E, National Research Council, National Academy of Sciences, Cryptography's Role in Securing the Information Society C-2 (prepublication Copy May 30, 1996) (hereinafter "NRC 2
Report"). Once a field dominated almost exclusively by governments concerned with protecting their own secrets as well as accessing information held by others, the last twenty years has seen the popularization of cryptography as industries and individuals alike have increased their use of electronic media and have sought to protect their electronic products and communications. NRC Report at vii. As part of this transformation, cryptography has also become a dynamic academic discipline within applied mathematics. Appel Decl. at 5; Blaze Decl. at 2. II. Prior Regulatory Framework Plaintiff's original complaint and both of the court's decisions in this action were directed at the regulations in force at the time, the ITAR, promulgated to implement the AECA. The ITAR, administered within the State Department by the Director of the Office of Defense Trade Controls ("ODTC"), Bureau of Politico- Military Affairs, regulates the import and export of defense articles and defense services by designating such items to the United States Munitions List ("USML"), 22 U.S.C. § 2778(a)(1).3 Items listed on the USML, which at the time included all cryptographic systems and software, require a license before they can be imported or exported. 22 U.S.C. § 2778(b)(2). The ITAR allows for a "commodity jurisdiction procedure" by which the ODTC determines if an article or service is covered by the USML when doubt exists about an item. 22. C.F.R. § 120.4(a). As a graduate student, Bernstein developed an encryption algorithm he call "Snuffle." He describes Snuffle as a zero-delay private-key encryption system. Complaint Exh. A. Bernstein has articulated his mathematical ideas in two ways: an academic paper in English entitled "The Snuffle Encryption system," and in "source code" written in "C", a high-level computer programming language,4 detailing both the encryption and decryption, which he calls "Snuffle.c" and "Unsnuffle.c", respectively. Once source code is converted to "object code," a binary system consisting of a series of 0s and 1s read by a computer, the computer is capable of encrypting and decrypting data. 3
In 1992 plaintiff submitted a commodity jurisdiction ("CJ") request to the State Department to determine whether Snuffle.c and Unsnuffle.c (together referred to as Snuffle 5.0), each submitted in C language source files, and his academic paper describing the Snuffle system, were controlled by ITAR.5 The ODTC determined that the commodity Snuffle 5.0 was a defense article on the USML under Category XIII of the ITAR and subject to licensing by the Department of State prior to export. The ODTC identified the item as a "stand- alone cryptographic algorithm which is not incorporated into a finished software product." Complaint Exh. B. Alleging that he was not free to teach, publish or discuss with other scientists his theories on cryptography embodied in his Snuffle program, plaintiff brought this action challenging the AECA and the ITAR on the grounds that they violated the First Amendment. In Bernstein I this court found that source code was speech for purposes of the First Amendment and therefore plaintiff's claims presented a colorable constitutional challenge and were accordingly justiciable. In Bernstein II the court concluded that the licensing requirements for encryption software under the ITAR constituted an unlawful prior restraint. The court also considered vagueness and overbreadth challenges to certain terms contained in the ITAR. The court issued its decision in Bernstein II on December 9, 1996. III. The Transfer of Jurisdiction and the Current Regulatory Framework On November 15, 1996, President Clinton issued Executive Order 13026, titled "Administration of Export Controls on Encryption Products," in which he ordered that jurisdiction over export controls on nonmilitary encryption products and related technology be transferred from the Department of State to the Department of commerce. The President's Executive Order specifies that encryption products that would be designated as defense articles under the USML and regulated under the AECA are now to be placed on the Commerce Control List ("CCL"), under the EAR. The White House Press Release accompanying the Executive Order clarified that encryption products designed for military applications would remain on the USML and continue to be regulated under the ITAR. Press Release Accompanying Exec. Order No. 13026, at 2 (hereinafter "Press Release") 4
The Executive Order also provides a caveat that is repeated in the Press Release and throughout the new regulations: "the export of encryption software, like the export of other encryption products described in this section, must be controlled because of the software's functional capacity, rather than because of any informational value of such software...." Exec. Order No. 13026, 61 Fed. Reg. 58768 (1996). The Press Release states that encryption products must be controlled for foreign policy and national security interests and concludes by noting that if the new regulations do not provide adequate controls on encryption products then such products will be redesignated as defense articles and placed again on the USML. Press Release, at 1, 4. The EAR were promulgated to implement the EAA, but the EAA is not permanent legislation. Lapses in the EAA have been declared national emergencies and the President has issued Executive orders authorizing continuation of the EAR export controls under the authority of the International Emergency Economic Powers Act ("IEEPA"), 50 U.S.C. §§ 1701-1706. See, e.g., Exec. Order No. 12924, 59 Fed. Reg. 43437 (1994). Executive Order 13026 states that the authority of the President to administer these changes in the export control system under the EAR derives in part from the IEEPA and that the new controls on encryption products are "additional steps with respect to the national emergency described and declared" in the previous Executive Orders continuing in effect the EAR. Exec. Order No. 13026, 61 Fed. Reg. 58767 (1996). On December 30, 1996, the Bureau of Export Administration ("BXA") under the Department of Commerce issued an interim rule amending the EAR "by exercising jurisdiction over, and imposing new combined national security and foreign policy controls on, certain encryption items that were on the [USML].: 61 Fed. Reg. 68572 (1996) (to be codified at 15 C.F.R. Pts. 730-774) ("encryption regulations" or "new regulations"). The EAR is structured around the CCL. 15 C.F.R. Pt. 774, 61 Fed. Reg. 12937 (1996), which categorizes items whose export is regulated according to various criteria, including the reason for their control. The new regulations add a category called "Encryption Items" or "EI" as a reason for control. 61 Fed. REg. 68579 (1996) (to be codified at 15 C.F.R. § 738.2(d)(2)(I)(A)). Encryption items are defined as "all encryption commodities, software, and technology that contain encryption features and are subject to EAR." 61 Fed. Reg. 68585 (to 5
be codified at 15 C.F.R. § 772). This does not include those items still listed on the USML and controlled by the Department of State. With certain exception, one must obtain a license from the BXA prior to exporting any item listed on the CCL. See 15 C.F.R. Pts. 740-44. All items on the CCL are given an Export Control Classification Number ("ECCN") which can be used to determine the categories under which an item is controlled and the reasons for its control. The new regulations add three categories of items to the CCL which are controlled for EI reasons,6 all of them more generally classified in Category 5, which covers telecommunications and information security. See C.F.R. § 738.2(a). Those items are ECCN 5A002, covering encryption commodities; ECCN 5D002, covering encryption software; and ECCN 5E002, covering encryption technology. 61 Fed. Reg. 68586-87 (to be codified at 15 C.F.R. § 774 supp. 1). For export licensing purposes, encryption software is treated the same as an encryption commodity. See note following ECCN 5D002. A commodity is defined generally as "[a]ny article, material, or supply except technology and software." 61 Fed. Reg. 68586 (to be codified at 15 C.F.R. Pt. 772). Encryption software is regulated differently from other software controlled by the CCL and is defined as "[c]omputer programs that provide capability of encryption functions or confidentiality of information or information systems. Such software includes source code, object code, applications software, or system software." 61 Fed. Reg. 68585 (to be codified at 15 C.F.R. Pt. 772).7 Definitions of encryption source code and encryption object code have also been added.8 Technology has not been amended by the encryption regulations and is defined generally as teh technical data or technical assistance necessary for the development or use of a product. 15 C.F.R. Pt. 772. Controlled technology is that technology required for the development or use of items on the CCL. 15 C.F.R. Pt. 774 supp. 2 (General Technology Note). New restrictions on technical assistance have been added, however, to require a license to provide technical assistance (including training) to foreign persons with the intent to aid them in the foreign development of items that if they were domestic would be controlled under ECCNs 5A002 and 5D002.9 61 Fed. Reg. 68584 (to be codified at 15 C.F.R. § 744.9(a)); 61 Fed. Reg. 68579 (to be codified at 15 C.F.R. § 736.2(b)(7)(ii)). 6
The EAR defines export as "an actual shipment or transmission of items subject to the EAR out of the United States, or release of technology or software subject to the EAR to a foreign national in the United States ...." 15 C.F.R. § 734.2(b)(1). The encryption regulations add a specific definition of export for encryption source code and object code software controlled under ECCN 5D002 which includes downloading, or causing the downloading of, such software to locations (including electronic bulletin boards, Internet file transfer protocol, and World Wide Web sites) outside the United States, over wire, cable, radio, electromagnetic, photooptical, photoelectric or other comparable communication facilities accessible to persons outside the United States, including transfers from electronic bulletin boards, Internet file transfer protocol and World Wide Web sites, unless the person making the software available takes precautions adequate to prevent unauthorized transfer of such code outside the United States. 61 Fed. Reg. 68578 (to be codified at 15 C.F.R. § 734.2(b)(9)). A number of licensing exceptions are available under the EAR. See 15 C.F.R. Pt. 740. Under the encryption regulations, after a one-time review by BXA, licensing exceptions will be available for certain commercial encryption items, including mass-market encryption software, key-recovery software and commodities, and non-recovery encryption items up to 56-bit key length DES or equivalent strength software accompanied by a commitment to develop recoverable items. 61 Fed. Reg. 68581 (to be codified at 15 C.F.R. § 742.15). In general, items that are already publicly available or contain "de minimus" domestic content are not subject to the EAR. 15 C.F.R. §§ 734.3(b)(3) & 734.4. However, as directed by the President and implemented by the new regulations, these exceptions do not apply to encryption commodities or software. 61 Fed. Reg. 68577-78 (to be codified at 15 C.F.R. §§ 732.2(b) & (d), 734.3(b)(3), 734.4(b)); Exec. Order No. 13026, 61 Fed. Reg. 58768 (1996) ("I have determined that the export of encryption products described in this section could harm national security and foreign policy interests even where comparable products are or appear to be available from sources outside the United States ...."). This exception for encryption software to the general exclusion of publicly available Items appears to pertain to publicly available or published information and software within the United States as well. 61 Fed. Reg. 68578 (to be codified at 15 C.F.R. § 734.7(c)). In addition, the EAR allows for broadly defined exceptions from the regulations for information resulting from fundamental research 7
and educational information. 15 C.F.R. §§ 734.8, 734.9, & supp. 1. Neither of these exceptions applies to encryption software controlled under ECCN 5D002. 61 Fed. Reg. 68579 (to be codified at 15 C.F.R. §§ 734.8, 734.9). They do appear to apply to encryption technology. Finally, phonographic records and most printed matter are not subject to the EAR and encryption software is not exempted from this exclusion. 15 C.F.R. § 734.3(b)(2). Indeed, an intriguing if somewhat baffling note appears in the new regulations: "A printed book or other printed material setting forth encryption source code is not itself subject to the EAR (see § 734.3(b)(2)). However, notwithstanding § 734.3(b)(2), encryption source code in electronic form or media (e.g. computer diskette or CD ROM) remains subject to the EAR (see § 734.3(b)(3))."10 61 Fed. Reg. 68578 (to be codified at 15 C.F.R. § 734.3). Licenses are required for export of items controlled by ECCNs 5A002, 5D002 and 5E002 for all destinations except Canada. 61 Fed. Reg. 68580 (to be codified at 15 C.F.R. § 742.15(a)). Applications for licenses "will be reviewed on a case-by-case basis by BXA, in conjunction with other agencies, to determine whether the export or reexport is consistent with U.S. national security and foreign policy interests." 61 Fed. Reg. 68581 (to be codified at 15 C.F.R. § 742.15(b)). The EAR provides that license applications will be resolved or referred to the President within 90 days. 15 C.F.R. § 750.4(a). While an applicant who is denied a license is informed of appeal procedures, 15 C.F.R. § 750.6(a)(6), the EAR does not appear to allow for judicial review. 15 C.F.R. § 756.2(c)(2); 50 U.S.C. App. § 2412(e). LEGAL STANDARD Under Federal Rule of Civil Procedure 56, summary judgment shall be granted "against a party who fails to make a showing sufficient to establish the existence of an element essential to that party's case, and on which that party will bear the burden of proof at trial . . . since a complete failure of proof concerning an essential element of the nonmoving party's case necessarily renders all other facts immaterial." Celotex Corp. v. Catrett, 477 U.S. 317, 322-23 (1986); See also T.W. Elec. Serv. v. Pacific Elec. Contractors Ass'n, 809 F.2d 626, 630 (9th Cir. 1987) (the nonmoving party may not 8
rely on the pleadings but must present significant probative evidence supporting the claim); Anderson v. Liberty Lobby, Inc., 477 U.s. 242, 248 (1986) (a dispute about a material fact is genuine "if the evidence is such that a reasonable jury could return a verdict for the nonmoving party."). The court's function, however, is not to make credibility determinations, Anderson, 477 U.S. at 249, and the inferences to be drawn from the facts must be viewed in a light most favorable to the party opposing the motion. T W. Elec. Serv., 809 F.2d at 631. Where as here, the question is purely a legal one involving no disputes,of material fact, the matter is appropriately handled on a motion for summary judgment. DISCUSSION Plaintiff contends that the EAR, specifically the amendments regulating encryption items, both facially and as applied, constitutes a prior restraint on plaintiff's right to free speech, is unconstitutionally vague and overbroad, is content-based, and violates his freedom of association. Plaintiff also claims that the presidential transfer of jurisdiction to the Commerce Department and the encryption regulations themselves exceed their statutory authority and are ultra vires. Plaintiff requests declaratory and nationwide injunctive relief. In addition to opposing plaintiff's claims, defendants seek to dismiss certain defendants as extraneous and ask that the court vacate its decision in Bernstein II. I. Statuatory Authority of the President and the Agency to Regulate Encryption Items In his amended complaint plaintiff alleges that the presidential transfer of jurisdiction and the subsequent agency regulations are ultra vires because the President and the Department of Commerce lacked statutory authority under the IEEPA to regulate encryption products. Plaintiff contends that the IEEPA, by its own terms, restricts the regulation of information protected by the First Amendment. Plaintiff also argues that use of the IEEPA requires an international emergency, which is not identified in the President's Executive Order. Plaintiff also maintains that the 9
regulation of encryption products by the President and the Secretary violates the APA. Defendants contend that the court lacks jurisdiction to review presidential determinations under the IEEPA. To the extent a claim may still lie against the Secretary, defendants argue that the IEEPA does not preclude export controls on encryption items. Although the parties do not identify this claim as a threshold issue, plaintiff's argument is that the transfer of jurisdiction to Commerce and the Secretary's regulations were in excess of their statutory authority and are therefore invalid. To the extent this issue implicates the very validity of the current regulations, the court finds that it should be addressed before a review on the merits. In addition, courts must consider nonconstitutional questions before reaching constitutional considerations in order to avoid passing on constitutionality where possible. Jean v. Nelson, 472 U.S. 846, 854 (1985). A. The IEEPA The IEEPA authorizes the President "to deal with any unusual and extraordinary threat, which has its source in whole or substantial part outside the United States, to the national security, foreign policy, or economy of the United States, if the President declares a national emergency with respect to such threat." 50 U.S.C. § 1701(a). Under this authority the President may "investigate, regulate, or prohibit any transaction in foreign exchange," 50 U.S.C. § 1702(a)(1)(A)(I), and investigate, regulate, direct and compel, nullify, void, prevent or prohibit, any . . . exportation of . . . any property in which any foreign country or a foreign national thereof has any interest ...." 50 U.S.C. § 1702(a)(1)(B). However, the IEEPA explicitly excludes any authority to regulate or prohibit, directly or indirectly -- any postal, telegraphic, or other personal communication, which does not involve a transfer of anything of value; . . . or the importation from any country, or the exportation to any country, whether commercial or otherwise, regardless of format or medium of transmission, of any information or informational materials, including but not limited to, publications, films, posters, phonograph records, photographs, microfilms, microfiche, tapes, compact disks, CD ROMs, artworks, and news wire feeds. 50 U.S.C. § 1702(b)(1) & (3) (1991 & Supp. 1996). The statute goes on to limit the above exemption to those exports which are not otherwise controlled under sections 2404 and 2405 of the 10
EAA. 50 U.S.C. § 1702(b)(3). The IEEPA was passed in 1977 as a refinement of the Trading With the Enemy Act of 1917 ("TWEA"), which at the time provided a source of presidential emergency authority. S. Rep. No. 95-466, at 2 (1977), reprinted in 1977 U.S.C.C.A.N. 4540, 4541. In the Senate Report accompanying the passage of the IEEPA, the Committee suggests that what became section 1702(b) was intended to exclude donations and humanitarian contributions from emergency regulation so long as such transfers did not subvert the effective exercise of emergency authority. S. Rep. No. 95-466, at 5; Section 1702(b)(3) of the IEEPA was enacted in 1988 and amended in 1994 to broaden and strengthen the exemption for informational materials. According to the House Conference Report, language adopted in 1988 was intended to ensure "that no embargo may prohibit or restrict directly or indirectly the import or export of information that is protected under the First Amendment to the U.S. Constitution. The language was explicitly intended, by including the words 'directly or indirectly' to have a broad scope." H.R. Con. Rep. No. 103-482, at 239 (1994), reprinted in 1994 U.S.C.C.A.N. 302, 483. However, overly-narrow interpretations of section 1702(b)(3) by the Treasury Department prompted the 1994 amendment to "facilitate transactions and activities incident to the flow of information and informational materials without regard to the type of information, its format, or means of transmission, and electronically transmitted information ...." H.R. Con. Rep. No. 103-482, at 239. B. Statutory Authority of the President to Regulate Encryption Items Under the IEEPA Plaintiff argues that President Clinton exceeded his authority under the IEEPA because the encryption items regulated are properly exempt from regulation under section 1702(b) and because the transfer was not a temporary exercise of emergency authority.11 Defendants claim that the President's actions are not reviewable. It is clear that the President's order is not reviewable under the APA. Franklin v. Massachusetts, 505 U.S. 788, 796 (1992). In Franklin, an action seeking APA review of the decennial reapportionment of the House of Representatives, the Supreme Court concluded that "the 11
final action complained of is that of the President, and the President is not an agency within the meaning of the [APA]." Id. The Court went on to note that the President's actions were still reviewable for constitutionality. Id. at 801. Less clear is the extent to which a court may review a non-APA claim that the President exceeded his statutory authority where there is no allegation of a constitutional violation. Not long after Franklin the Supreme Court decided Dalton v. Specter, 511 U.S. 462 (1994), in which it reviewed a claim that the President exceeded his statutory authority under the Defense Base Closure and Realignment Act. The court below had attempted to follow Franklin by reasoning that when the President's actions exceed his statutory authority he also violates the constitutional separation of powers doctrine. Id. at 471. The Dalton Court rejected this conclusion, holding that "claims simply alleging that the President has exceeded his statutory authority are not 'constitutional' claims, subject to judicial review under the exception recognized in Franklin." Id. at 473-74 (footnote omitted). However, the Court did not rule out the possibility of judicial review of statutory claims entirely. We may assume for the sake of argument that some claims that the President has violated a statutory mandate are judicially reviewable outside the framework of the APA. But longstanding authority holds that such review is not available when the statute in question commits the decision to the discretion of the President. Id. at 474 (citing Dames & Moore v. Reagan, 453 U.S. 654, 667 (1981)). The Court went on to conclude that the statute in question did not limit the President's discretion and was therefore unreviewable. Notably, Dames & Moore, the case cited by the Court for the proposition that some non-APA statutory claims may still be subject to judicial review, involved review of various Executive Orders and regulations issued pursuant to the IEEPA which nullified attachments on Iranian assets in the United States and suspended claims against Iran following the hostage crisis. While the Court did not address the reviewability of the claims,12 it did indicate that when the President acts under authorization from Congress "the executive action 'would be supported by the strongest of presumptions and the widest latitude of judicial interpretation, and the burden of persuasion would 12
rest heavily upon any who might attack it.'" Dames & Moore, 453 U.S. at 668 (quoting Youngstown Sheet & Tube Co. v. Sawyer, 343 U.S. 579, 637 (1952)). The Court concluded that the IEEPA did authorize the nullification of attachments but did not directly authorize the suspension of claims. Id. at 675. However, despite this conclusion, the Court went on to find that due in part to the tenor and breadth of the IEEPA and congressional acquiescence in the practice of claim settlement by executive agreement, the President did not lack the power to settle claims against Iran. Although the Supreme Court suggested the possibility of judicial review of non-APA statutory claims, it did not indicate, beyond the very narrow and specific instance identified in Dames & Moore, under what circumstances that review might take place. One appellate court has concluded that Dalton does not preclude judicial review of executive action for conformity with an authorizing statute, or any other statute. Chamber of Commerce of U.S. v. Reich, 74 F.3d 1322, 1331 (D.C. Cir. 1996). Unlike the actions in Franklin and Dalton where the final action taken was by the President, and much like the present case, Chamber of Commerce involved an Executive Order which initiated agency regulations where the regulations carried direct and final consequences for the plaintiff. However, the court in Chamber of Commerce speaks boldly about the reviewability of executive action without readily distinguishing between whether such review lies equally for the President as for an executive official.13 In fact, in a footnote the court concedes that the "Dalton Court's hesitancy to review presidential action . . . suggests a reluctance to bring judicial power to bear directly on the President. Of course, here we are concerned with the long established non-statutory review of a claim directed at a subordinate executive official." Id. at 1331 n.4. Indeed, the court goes on to note that in all the cases cited by the Dalton court, "special reasons existed for concluding that judicial review was precluded." Id. at 1331 n.5. Those reasons involved matters of political discretion and national security. Id. Finally, in United States v. Spawr Optical Research, Inc., 685 F.2d 1076 (9th Cir. 1982), the Ninth Circuit, in a case predating Franklin and Dalton, reviewed an Executive Order by President Ford under the IEEPA's predecessor, the TWEA, continuing the EAA export regulations pending expiration of that Act. The Spawrs were convicted of the unlicensed exportation of laser mirrors 13
after the EAA's expiration "when the sole basis for the regulations was the Executive Order." Id. at 1080. Much like plaintiff here, the Spawrs argued on appeal that the government lacked authority to prosecute them because there was no genuine emergency, the regulations were not related to any emergency then in effect, and Congress had intended to let the regulations lapse. Id. Reviewing language very similar to that of the IEEPA, the court found that the statute afforded broad and extensive powers. Id. Noting that in the face of such broad discretion, courts have been wary of reviewing the political considerations involved in declaring or continuing a national emergency, the Spawr court declined to do so as well. Id. However, the court then concluded that "[a]lthough we will not address these essentially-political questions, we are free to review whether the actions taken pursuant to a national emergency comport with the power delegated by Congress." Id. at 1081 (citing United States v. Yoshida International Inc., 526 F.2d 560, 579 (Cust. & Pat. App. 1975)). In swift analysis the court went on to find that the regulations were rationally related to the emergency claimed and that Congress did not intend to terminate the regulations. Id. In fact, the court noted that each time the EAA had lapsed previously the President had issued an Executive Order declaring a national emergency to continue the export regulations and "Congress not only tolerated this practice, it expressed approval of the President's reliance on the TWEA to maintain the export regulations." Id. Such has been the case under the IEEPA as well.14 See, e.g., Exec. Order No. 12444, 48 Fed. Reg. 48215 (1983); Exec. Order No. 12730, 55 Fed. Reg. 40373 (1990), reprinted in 50 U.S.C. App. § 1701 at 598 (1991); Exec. Order No. 12924, 59 Fed. Reg. 43437 (1994). Plaintiff notes that in recent years Congress has criticized use of the IEEPA to extend export regulations when the EAA lapses. Plf. Mem. in Opp. at 17 n.49 (citing statements made by various members of Congress). Be that as it may, it is within Congress' power to change this practice and it has chosen not to. While the analysis in Spawr is useful given that the facts are strikingly similar to the instant action, this court cannot ignore the skepticism with which the Supreme Court recently has approached judicial review of a presidential exercise of statutory authority absent a constitutional claim. As noted above, this case differs from Franklin and Dalton in that the final action is taken by 14
the agency rather than the President.15 But that does not significantly change the analysis of whether the actions the President took are reviewable. On this score Chamber of Commerce is not illuminating and the Supreme Court's allusion to Dames & Moore remains opaque. Indeed, given that the law is still unsettled on this question and that considerations precluding review do not apply to agencies -- thereby allowing plaintiff to seek the same relief from agency action on the basis of a claim that the agency acted in excess of statutory authority -- the court favors deference to the executive. In light of the recent Supreme Court decisions in this area, this court concludes that it cannot review whether the President exceeded his statutory authority under the IEEPA to transfer jurisdiction of encryption items to the Commerce Department. C. Statutory Authority of the Commerce Secretary to Regulate Encryption Items Under the IEEPA Of critical importance in both Franklin and Dalton was the fact that the President was responsible for the final action under the statutes at issue. "What is crucial is the fact that '[t]he President, not the [Commission], takes the final action that affects' the military installations." Dalton, 511 U.S. at 470 (quoting Franklin, 505 U.S. at 799). Here we have the situation at issue in Chamber of Commerce, where the President's Executive Order initiated the regulatory process and left it to the agency to finalize the rules. "That the Secretary's regulations are based on the President's Executive Order hardly seems to insulate them from judicial review ...." Chamber of Commerce, 74 F.3d at 1327; see also Milena Ship Management Co. Ltd. v. Newcomb, 804 F. Supp. 846, 850 (E.D.La. 1992) (reviewing agency action taken pursuant to an unchallenged executive order under the IEEPA). Accordingly, this court will examine whether the Commerce Department's regulation of encryption items is consistent with the IEEPA.16 To the extent that plaintiff argues that the regulations governing encryption are not a temporary exercise of emergency power, the question really belongs to the legitimacy of the Executive Order in the first instance and the court declines to address it. The declaration of a national emergency is an action that rests with the President and is based on his broad discretion 15
under section 1701 of the IEEPA. Moreover, the question of employing the IEEPA or the TWEA before it -- to maintain export regulations during lapses in the EAA was essentially laid to rest by the Ninth Circuit in Spawr and by the legislative history of the IEEPA. [I]t is unmistakable that Congress intended to permit the President to use the TWEA to employ the same regulatory tools during a national emergency as it had employed under the EAA. We, therefore, conclude that the President had the authority during the nine-month lapse in the EAA to maintain the export regulations. Spawr, 685 F.3d at 1082. The gravamen of plaintiff's ultra vires argument is that the IEEPA does not authorize the regulation of speech, particularly speech that does not involve a foreign interest in property, and that as speech, encryption software fits well within the exemption for personal communications and informational materials in sections 1702(b)(1) & (3). With respect to whether encryption software fits within the scope of "property in which any foreign country or a national thereof has any interest", the court finds that section 1702(a))1) is sufficiently broad to allow for many forms of property, both tangible and intangible, and many forms of interest, both direct and indirect. See 31 C.F.R. §§ 500.311, 500.312; see also Spawr, 685 F.2d at 1081 n.10 (finding that section 5(b) of the TWEA was broad enough to allow regulation "of any property to any foreign country"). Encryption software or other technology comes within this section. Plaintiff also alleges that the regulations are beyond the statutory authority of the IEEPA because they affect personal communications and informational materials. Section 1702(b)(1) prohibits direct or indirect regulation of "any postal, telegraphic, telephonic or other personal communication" which does not transfer anything of value. As defendants convincingly argue, to the extent this argument is directed at academic discussion of cryptographic ideas, the regulations attempt to exempt such communications -- although whether they do so according to the demands of the First Amendment is a separate question. To the extent this argument is directed at cryptographic software generally, it does not appear to fit within this seemingly narrow and simple provision. Nor can it be assured that software would have no value. Indeed, there are potentially billions of dollars 16
at stake in the export of commercial encryption software. See Jared Sandberg, "Judge Rules Encryption Software Is Speech in Case on Export Curbs," Wall St. J., Apr. 18,1996, at B7. Thus, the regulations do not exceed this statutory provision. Finally, plaintiff contends that the regulations go beyond the authority provided by section 1702(b)(3) which specifically limits regulation of information or informational materials regardless of format or medium of transmission. Plaintiff argues that the broad scope of this provision precludes regulation of encryption software. In addition, plaintiff contends that by specifically referencing sections 2404 and 2405 of the EAA, and exempting -- from the informational materials exemption -- items "otherwise controlled for export" under those sections, the court is bound by principles of statutory construction to consider only those items controlled when section 1702(b)(3) was last amended, or April 30, 1994. Plaintiff then concludes that because encryption software fits within the scope of this provision and was not otherwise controlled under the EAA as of April of 1994, it cannot be regulated under the IEEPA. Defendants contend that section 1702 (b)(3) does not expressly provide for software, and that to include software in those items exempted from regulation for their informational value would lead to absurd results. Moreover, defendants counter plaintiff's statutory construction argument and claim that the items exempted from this provision by virtue of being controlled under the EAA are not only those that were on the Commerce Control List as of April of 1994 but any others that have since been added -- including the encryption technology at issue here. Defendants also argue that to read section 1702(b)(3) as exempting encryption software on the basis that it is protected under the First Amendment would be to impose a novel theory of free speech not contemplated by Congress. As noted above, the IEEPA explicitly excludes any authority to regulate or prohibit, directly or indirectly -- . . . the importation from any country, or the exportation to any country, whether commercial or otherwise, regardless of format or medium of transmission, of any information or informational materials, including but not limited to, publications, films, posters, phonograph records, photographs, microfilms, microfiche, tapes, compact disks, CD ROMs, artworks, and news wire feeds. The exports exempted from regulation or prohibition by this paragraph do not include those which are otherwise controlled for export under section 2404 of the Appendix to this title, or under section 2405 of the Appendix to this title to the extent that such controls promote the nonproliferation or antiterrorism policies of the United States ...." 17
50 U.S.C. § 1702(b)(3) (Supp. 1996). First, the court must consider whether software -- in this case, encryption software -- comes within the exception to the exception; if so, then the instant regulations do not exceed their statutory authority. In other words, anything controlled by sections 2404 and 2405 of the EAA may be regulated regardless of its informational content. Under the referenced sections of the EAA the President may "prohibit or curtail the exportation of any goods, technology, or other information subject to the jurisdiction of the United States" for either national security or foreign policy reasons. 50 U.S.C. App. § 2405(a)(1) (foreign policy controls); 50 U.S.C. App. § 2404(a)(1) (national security controls). It is not disputed that Executive Order 13026, by transferring encryption products to the Commerce Control List ("CCL"), subjected them to regulation under sections 2404 and 2405 of the EAA. The question becomes whether reference to sections 2404 and 2405 of the EAA should be understood to include all items currently on the CCL -- in which case the present regulations effectively remove encryption products from the exemption -- or whether rules of statutory construction require the court to construe the reference to those sections as including only those items listed at the time section 1702(b) was last amended, or April 30, 1994. A secondary issue complicates this already complicated matter further: since sections 2404 and 2405 do not themselves designate specific items on the CCL, which is governed by regulation, does the construction of the IEEPA with respect to those sections also apply to their implementing regulations? Plaintiff relies on a canon of statutory construction discussed in Hassett v. Welch, 303 U.S. 303, 314 (1938) and Pearce v. Director, Office of Workers' Comp. Programs, 603 F.2d 763, 767 (9th Cir. 1979) which holds that without clear congressional indication to the contrary, where one statute adopts provisions of another by specific reference to the provisions adopted (known as a statute of specific reference) the effect is that such adoption takes the provision as it existed at the time of adoption and does not include subsequent amendments; conversely, where a statute adopts the general law in a given area (a statute of general reference), it is construed to adopt that law's subsequent amendments. See 2A Sutherland, Statutory Construction § 51.07 (4th ed. 1984). 18
Plaintiff claims that the IEEPA is a statute of specific reference and cannot be read as adopting subsequent changes to sections 2404 and 2405 of the EAA. Plaintiff further supports this position by pointing to the fact that at least one agency has interpreted the "informational materials" provision to exclude items that were, as of April 30, 1994, controlled for export under sections 5 and 6 of the EAA. 31 C.F.R. § 560.31 S(b) (Office of Foreign Assets Control regulation of Iranian transactions). Defendants contend that the IEEPA is more like the statute in United States v. Smith, 683 F.2d 1236 (9th Cir. 1982), in which the Ninth Circuit read the Youth Corrections Act ("YCA") as not incorporating specific provisions of the general probation statute. The court concluded that while there were persuasive arguments on both sides, the YCA did not really appear to adopt or incorporate the referenced provisions of the probation statute. "Rather, it merely provides that the YCA is not to 'be construed in any wise to amend, repeal, or affect the provisions of' the probation statute." Id. at 1239. According to the court this was not properly a statute of specific reference in which certain provisions of another statute are incorporated into it, but one that "actually emphasizes that these are distinct statutes". Id. Under defendants' reasoning, section 1702(b)(3) of the IEEPA does not incorporate sections 2404 and 2405 of the EAA but rather distinguishes them and as such those sections are to be read with their full and current force. This court believes that defendants have the better argument. The rules of statutory interpretation are not hard and fast. "A provision which, in terms, however, reads as a specific reference may, in context, be construed as a general reference." United States v. Rodriguez- Rodriguez, 863 F.2d 830, 831 (11th Cir. 1989). Such is the case here. Read in context, section 1702(b)(3) excludes rather than incorporates those items covered under the EAA. Moreover, the sections referenced are themselves fairly general and are clearly intended to be fleshed out by regulations suited to meet the changing needs of national security and foreign policy. Given the goals of the IEEPA and the powers it gives the President, it would seem odd indeed for Congress to exclude from the exemption those items the President deems sensitive to the national security under the EAA, but to freeze that list of items as of a certain date. As the court noted in Smith, this "is the 19
more appropriate interpretation in view of the policies that the [statute] is designed to advance. It is proper, and indeed essential, to interpret the words of a statute in the light of the purposes Congress was seeking to serve." 683 F.2d at 1240 (citations omitted). Therefore, because encryption products are currently regulated under sections 2404 and 2405 of the EAA they do not fall within the exemption for informational materials.17 Accordingly, this court finds that the regulation of encryption items is not prohibited by section 1702(b)(3) and therefore does not exceed the statutory authority provided by the IEEPA. It is worth noting at this juncture that this court's rather narrow determination that source code is speech protected by the First Amendment does not serve to remove encryption technology from all government regulation. Both parties exaggerate the debate needlessly. Plaintiff does so by aggrandizing the First Amendment, by assuming that once one is dealing with speech that it is immaterial what the consequences of that speech may be. Defendants do so by minimizing speech, by constantly referring to "mere speech" or "mere ideas" in their briefs and assuming that the functionality of speech can somehow be divorced from the speech itself. This controversy is before this court precisely because there is no clear line between communication and its consequences. While defendants may have the authority to regulate encryption source code, they must nonetheless do so within the bounds of the First Amendment. II. Prior Restraint18 A. Analytical Framework As the Supreme Court has stated, in determining the extent of the constitutional protection afforded by the guarantees of the First Amendment, "it has been generally, if not universally, considered that it is the chief purpose of the guaranty to prevent previous restraints upon publication." Near v. Minnesota, 283 U.S. 697, 713 (1931). It is for this reason that the Court has held: "Any prior restraint on expression comes to this Court with a 'heavy presumption' against its constitutional validity." Organization for a Better Austin v. Keefe, 402 U.S. 415, 419 (1971) (citations omitted). 20
While prior restraints have often come in the form of judicial injunctions on publication, see e.g., C.B.S. v. Davis,510 U.S. 1315 (1994); New York Times v. United States 403 U.S. 713 (1971), they are also recognized in licensing schemes. See e.g., FW/PBS, Inc. v. Dallas, 493 U.S. 215 (1990); Lakewood v. Plain Dealer Publishing Co., 486 U.S. 750 (1988). Governments may impose valid time, place and manner restrictions when they are content neutral, narrowly tailored to serve a substantial governmental interest, and leave open alternative channels for communication. See e.g., Clark v. Community for Creative Non-Violence, 468 U.S. 288, 293 (1984). However, "even if a government may constitutionally impose content-neutral prohibitions on a particular manner of speech, it may not condition that speech on obtaining a license or permit from a government official in that official's boundless discretion." Lakewood, 486 U.S. at 764. It is axiomatic that the First Amendment is more tolerant of subsequent criminal punishment of speech than it is of prior restraints on the same speech. The thread running through all these cases is that prior restraints on speech and publication are the most serious and the least tolerable infringement on First Amendment rights. A criminal penalty or a judgment in a defamation case is subject to the whole panoply of protections afforded by deferring the impact of the judgment until all avenues of appellate review have been exhausted.... A prior restraint, by contrast and by definition, has an immediate and irreversible sanction. If it can be said that a threat of criminal or civil sanction after publication "chills" speech, prior restraint "freezes" it at least for the time. Nebraska Press Ass'n v. Stuart, 427 U.S. 539, 559(1976). While the Supreme Court has consistently rejected the idea that a prior restraint can never be employed, id. at 570, it nonetheless begins with a presumption of invalidity. The danger inherent in prior restraints is largely procedural, in that they bypass the judicial process and locate in a government official the delicate responsibility of passing on the permissibility of speech. See Freedman v. Maryland, 380 U.S. 51, 58 (1965) (holding that "a noncriminal process which requires the prior submission of a film to a sensor avoids constitutional infirmity only if it takes place under procedural safeguards designed to obviate the dangers of a censorship system".) Freedman sets forth three procedural safeguards that have been used by the Supreme Court to examine licensing schemes: 1) any restraint prior to judicial review can only be imposed for a brief and specified period 21
during which the status quo prevails; 2) expeditious judicial review must be available; and 3) the censor must bear the burden of going to court to suppress speech and once there bears the burden of proof FW/PBS, 493 U.S. at 227 (citing Freedman, 380 U.S. at 58-60). When the risks associated with unbridled licensing schemes are present to a significant degree, "courts must entertain an immediate facial attack on the law." Lakewood, 486 U.S. at 759. B. Analysis In Bernstein II this court held that the ITAR effected an unconstitutional prior restraint on speech due to inadequate procedural safeguards. Plaintiff contends that the new encryption regulations suffer from identical deficiencies. Defendants do not argue that the effect of the new regulations is notably different from that of the ITAR.19 They do, however, present arguments against some of the reasoning in Bernstein II and to the extent that these arguments are applicable to the current analysis, the court will address them. 1. Controls on Encryption Commodities and Software First, defendants protest that a facial challenge is not applicable here because there is not a "close enough nexus to expression, or to conduct commonly associated with expression, to pose a real and substantial threat of identified censorship risks." Lakewood, 486 U.S. at 759. In Lakewood, a newspaper challenged a city ordinance which required annual permits for newsracks on public property and gave the mayor authority to grant or deny applications for those permits. The Court contrasted laws that are directed at expression, such as one governing the circulation of newspapers, with laws of general applicability not aimed at conduct commonly associated with expression, such as a law requiring building permits. Id. at 760-61. The former risks self-censorship on the part of those applying for permits and censorship on the part of the decisionmaker. The latter rarely do. See also Freedman, 380 U.S. 51 (licensing of films); FW/PBS, 493 U.S. 215 (licensing of sexually-oriented businesses). Defendants contend that while licensing schemes that vest unbridled discretion to regulate conduct commonly associated with expression are appropriate for facial attack 22
under prior restraint doctrine, such is not the case here where the activity at issue is the programming of a computer to encrypt information.20 Defendants also cite Roulette v. City of Seattle, 97 F.3d 300, 305 (9th Cir. 1996), to support their contention that only laws narrowly and specifically directed at expressive activities are subject to facial challenge. At issue in Roulette was an ordinance that prohibited people from sitting or lying on public sidewalks in certain areas and during certain times. The court, in a pithy opinion, held that "[t]he fact that sitting can possibly be expressive, however, isn't enough to sustain plaintiffs' facial challenge to the Seattle ordinance.... Consistent with this speech-protective purpose, the Supreme Court has entertained facial freedom-of-expression challenges only against statutes that, 'by their terms,' sought to regulate" words or expressive conduct. Id. at 303 (quoting Broadrick v. Oklahoma, 413 U.S. 601, 612-13 (1973)). The court does not disagree with defendants' statement of the law but with their application to the facts. The encryption regulations issued by the BXA are much more like the regulation of newspaper racks than lying or sitting. The new regulations are directed quite specifically and "by their terms" to an entire field of applied scientific research and discourse. Where one places a newspaper rack is not an activity associated with expression, but the availability of newspapers generally is. Similarly, while the export of a commercial cryptographic software program may not be undertaken for expressive reasons, that same activity -- undisputably regulated under the EAR -- is often undertaken by scientists for purely expressive reasons. By the very terms of the encryption regulations, the most common expressive activities of scholars -- teaching a class, publishing their ideas, speaking at conferences, or writing to colleagues over the Internet -- are subject to a prior restraint by the export controls when they involve cryptographic source code or computer programs. In the field of applied science ideas are not just expressed in abstract, theoretical terms, but in precise applications. Those applications are subject to licensing under the encryption regulations and are excluded from the exemptions for fundamental research and educational information. This is precisely the kind of law identified in Lakewood that risks self-censorship on the part of those that must apply for licenses and censorship on the part of the decisionmaker. As the American Association for the Advancement of Science ("AAAS") stated to the BXA in their comments 23
regarding the new regulations, the "basic thrust" of the Interim Rule threatens to undermine essential features of scientific freedom and the open exchange of information that are generally acknowledged as critical to innovation in science and technology and are responsible in large part for the preeminence of America's research and development enterprise. AAAS opposes attempts by the government to restrict the communication or publication of unclassified research and technical information, efforts which we believe are inconsistent with scientific advancement. Wimberly Decl., Exh. A, at 1. The regulations merit the application of the prior restraint doctrine because they present "a danger of unduly suppressing protected expression." Freedman, 380 U.S. at 54. The encryption regulations, like Category XIII of the USML, is specifically directed at speech protected by the First Amendment. The Department of Commerce requires a license to export items controlled under ECCNs 5A002 and 5D002. And as made explicit by the new regulations, export includes publication where publication is or could be made electronic and even where the information to be published is already publicly available. In fact, in spite of the disclaimers regarding functionality and the exception for printed materials, the encryption regulations issued by the BXA appear to be even less friendly to speech interests than the ITAR. Here encryption software is singled out and treated differently than other software regulated under the EAR. 61 Fed. Reg. 68580 (to be codified at 15 C.F.R. § 742.15); see FW/PBS, 493 U.S. at 225 ("Therefore, even assuming the correctness of the city's representation of its 'general' inspection scheme, the scheme involved here is more onerous with respect to sexually-oriented businesses than with respect to the vast majority of other businesses."). And the exception for printed materials, while at first glance a concession to the speech interests involved, is so irrational and administratively unreliable that it may well serve to only exacerbate the potential for self-censorship. 61 Fed. Reg. 68578 (to be codified at 15 C.F.R. § 734.3). First, the exception is unreliable because the BXA has indicated that it reserves the right to control scannable source code in printed form. 61 Fed. Reg. 68575. Second, the exception seeks to codify a distinction between paper and electronic publication that makes little or no sense and is untenable. See Bernstein II, 945 F. Supp. at 1291 n.10. As the AAAS commented, 24
[w]hile it is acceptable under this provision to publish such material in a book and distribute it internationally without an export license, putting the same information on a disk and sending it abroad is subject to EAR approval. This distinction has serious ramifications for scholarly communication as many professional journals are now moving onto the Internet as electronic publications. Wimberly Decl, Exh. A, at 1. As an example, the AAAS noted that their journal Science is available in both print and electronic form. At oral argument defendants admitted that encryption code in print form could be converted into a functioning encryption product, but defended the distinction on the basis that converting the print version to working software required a good deal of skill. The court is somewhat confounded by this explanation. Defendants claim that encryption poses unique and serious threats to national security, yet the printed matter exception belies this rationale by making encryption freely available to only those foreigners who are technologically sophisticated. Defendants conceded at oral argument that the effect of this dichotomy would be to make it more difficult only for the more inept. This seems to defeat the very purpose of the regulation since those who likely pose a greater threat to national security are likely more willing to expend the time and resources in that effort and will not be prevented by the regulation. In effect, the exception undermines the stated purpose of the regulations. Again, the government conceded that in only a slightly greater length of time and with some greater technological skill, the regulation could be defeated. Finally, the Supreme Court's recent decision in Reno v. American Civil Liberties Union, ___U.S.___, 117 S.Ct. 2239 (1997), suggests that not only is the distinction between print and electronic media increasingly untenable, but that the Internet is subject to the same exacting level of First Amendment scrutiny as print media This dynamic, multifaceted category of communication includes not only traditional print and news services, but also audio, video, and still images, as well as interactive, real-time dialogue. Through the use of chat rooms, any person with a phone line can become a town crier with a voice that resonates farther than it could from any soapbox. Through the use of Web pages, mail exploders, and newsgroups, the same individual can become a pamphleteer. As the District Court found, 'the content on the Internet is as diverse as human thought.' We agree with its conclusion that our cases provide no basis for qualifying the level of First Amendment scrutiny that should be applied to this medium. Id. at 2344. Thus, the dramatically different treatment of the same materials depending on the 25
medium by which they are conveyed is not only irrational, it may be impermissible under traditional First Amendment analysis. As this court noted in Bernstein II, that BXA regulates encryption in the interest of national security does not alone justify a prior restraint. In New York Times Co., 403 U.S. at 714, the Supreme Court invalidated a prior restraint on classified material that had been enjoined in the interests of national security. While that case inspired nine separate opinions on the propriety of enjoining publication of the Pentagon Papers in The New York Times and The Washington Post, a majority of Justices found national security, without more, too amorphous a rationale to abrogate the protections of the First Amendment. See id. at 719 (Black, J. and Douglas, J., concurring). Justice Brennan concluded that the First Amendment's ban on prior restraints could only be overridden in time of war, id. at 726 (Brennan, J. concurring) (citing Schenck v. United States, 249 U.S. 47 (1919)), and even then, according to Justice Stewart, only when disclosure would "surely result in direct, immediate, and irreparable damage to our Nation or its people." Id. at 730 (Stewart, J. and White, J. concurring). Even without a consensus from the Supreme Court on how exacting the standard should be, it is clear from New York Times that national security alone is insufficient without more. Yet that is exactly what both the President and the BXA have offered here as the justification for the regulation: national security and foreign policy interests. Exec. Order No. 13026, 61 Fed. Reg. 58767; 61 Fed. Reg. 68573. Particularly now, when none of the encryption items subject to export controls under the EAR have military applications, a less amorphous rationale is required.21 Nor is it necessary that an item be regulated for its content to make the regulations function as a prior restraint on speech. It is enough that they are directed at expressive activity. As the plurality opinion in FW/PBS suggests, even a licensing scheme with a content- neutral purpose must still contain adequate procedural safeguards in order to be constitutional.22 Thus, without deciding whether the regulations are content-based, the court turns to the procedural safeguards afforded under the encryption regulations. As noted above, the Court in FW/PBS read Freedman to hold that for a licensing scheme to be constitutional, 1) the licensor must make the licensing decision within a 26
specific and reasonable period of time; 2) there must be prompt judicial review; and 3) the censor must bear the burden of going to court to uphold a licensing denial and once there bears the burden of justifying the denial. FW/PBS, 493 U.S. at 227-28 (citing Freedman, 380 U.S. at 58-60). The new regulations, like the ITAR, are woefully inadequate. The EAR provides that license applications will be resolved or referred to the President within 90 days.23 15 C.F.R. § 750.4(a). However, there is no time limit on an application that has been referred to the President. If a license is denied, the agency provides an internal appeals process, 15 C.F.R. Pt. 756, but the only time-limit on the appeals decision is that the agency "shall decide an appeal within a reasonable time after receipt of the appeal." 15 C.F.R. § 756.2(c)(1). That decision is final and not subject to judicial review. 15 C.F.R. § 756.2(c)(2); 50 U.S.C. App. § 2412(e); see also United States v. Bozarov, 974 F.2d 1037, 1044-45 (9th Cir. 1992) (EAA's preclusion of judicial review does not violate nondelegation doctrine), cert. denied, 507 U.S. 917 (1993).24 And most important, and most lacking, are any standards for deciding an application. The EAR reviews applications for licenses "on a case-by-case basis" and appears to impose no limits on agency discretion. 61 Fed. Reg. 68581 (to be codified at 15 C.F.R. § 742.15(b)). Like the ordinance in Lakewood, where the mayor could deny a permit without any more justification than that it was not in the public interest, nothing in the regulations prevents the BXA from justifying a denial of an application by stating that it is contrary to national security and foreign policy interests.25 As the Court noted in Lakewood, these are illusory constraints. 486 U.S. at 769; see also Desert Outdoor Advertising, Inc. v. City of Moreno Valley, 103 F.3d 814, 818 (9th Cir. 1996) (finding billboard permit requirement unconstitutional because city officials had "discretion to deny a permit on the basis of ambiguous and subjective reasons"). This court has stated previously that while it is mindful of the problems inherent in judicial review of licensing decisions regarding cryptographic software, both with respect to the sophistication of the technology and the potentially classified nature of the licensing considerations, there must still be some review available if the export controls on cryptographic software are to survive the presumption against prior restraints on speech. In this case, for the reasons enumerated, the court concludes that the encryption regulations are an 27
unconstitutional prior restraint in violation of the First Amendment. 2. Controls on Encryption Technology Plaintiff does not distinguish the regulation of encryption technology -- as opposed to commodities and software -- for the purposes of prior restraint analysis. With respect to vagueness, the only provision he addresses as vague is "technical assistance." 15 C.F.R. § 744.9(a). Defendants allege that plaintiff lacks standing to challenge the controls on technology because they have not been applied to him and any injury is speculative. Even if plaintiff is found to have standing, defendants contend that a facial challenge is still inappropriate because United States v. Edler Indus., Inc., 579 F.2d 516, 520 (9th Cir. 1978), found that the technical data provisions of the predecessor to the AECA survived constitutional challenge with a narrowing construction. It does not appear necessary to address the vagueness argument advanced by plaintiff, or any of the other constitutional arguments, as the bulk of the encryption regulations have been adjudged to constitute a prior restraint on speech. The First Amendment does not "render inapplicable the rule that a federal court should not extend its invalidation of a statute further than is necessary to dispose of the case before it." Brockett v. Spokane Arcades, Inc., 472 U.S. 491, 502 (1984) (citation omitted). The restrictions on technical assistance under the new regulations prohibit a person from providing technical assistance without a license to foreign persons "with the intent to aid a foreign person in the development or manufacture outside the United States of encryption commodities and software that, if of United States origin, would be controlled for 'EI' reasons under ECCN 5A002 or 5D002." 61 Fed. Reg. 68584 (to be codified at 15 C.F.R. § 744.9). The technical assistance provision also states that the "mere teaching or discussion of information about cryptography" does not establish the requisite intent. 61 Fed. Reg. 68584 (to be codified at 15 C.F.R. § 744.9(a)). However cryptic this provision might be viewed in relation to the more expansive exemptions for educational information and fundamental research elsewhere in the regulations, because it is dependent on the definitions and regulation of encryption commodities and software, it is unenforceable under the court's holding above. 28
III. Proper Defendants Plaintiff named three additional defendants in his supplemental complaint -- the Departments of Energy ("DOE") and Justice ("DOJ") and the Central Intelligence Agency ("CIA") -- because officials from each are now involved in some way with licensing reviews. 61 Fed. Reg. 68585 (to be codified at 15 C.F.R. § 750.3(b)(2)(v)); 15 C.F.R. § 750.4(d)-(e); 15 C.F.R. § 772 (listing committees involved in interagency review and their members). Plaintiff also contends that these agencies are involved with overall jurisdictional decisions as well. Press Release, at 4 (stating that after legislative reauthorization of export controls the Secretaries of Defense and State together with the Attorney General "shall reexamine whether adequate controls on encryption products can be maintained under the provisions of the new statute and advise the Secretary of Commerce of their conclusions as well as any recommendations for action"). Defendants claim that there is no justification for joining every agency that participates in the review process and that the Secretary of Commerce is the only proper defendant. The court is inclined to agree with defendants. The roles played by the DOE, DOJ and the CIA are limited to consulting and advising the Secretary of Commerce who is responsible for final decisions. Even if those agencies are asked to review any new legislation that may be passed,26 their roles are advisory. Accordingly, any determination against the Secretary of Commerce is sufficient and the DOE, DOJ and the CIA are dismissed as defendants. Furthermore, because the applicable regulations are no longer implemented by the Department of State, the Secretary of State is also dismissed. IV. Scope of Relief Plaintiff requests that in addition to declaratory relief, the court issue a permanent injunction against defendants barring nationwide application of the encryption regulations on the grounds that loss of First Amendment freedoms constitutes irreparable injury, Elrod v. Burns, 427 U.S. 347, 373 (1976), and that he will not be afforded complete relief unless an injunction extends to students, colleagues and others not before the court. Bresgal v. Brock, 843 F.2d 1163 (9th Cir. 1987). 29
Defendants protest that a nationwide injunction is improper because relief should be no broader than necessary, Meinhold v. United States Dept. of Defense, 34 F.3d 1469, 1480 (9th Cir. 1994), and because the issues are novel and of public importance. Azurin v. Von Raab, 792 F.2d 914, 1915 (9th Cir. 1986). In Bresgal, the Ninth Circuit found in the absence of a certified nationwide class that a district court could still order nationwide relief in order to ensure the prevailing parties were given the relief to which they were entitled so long as the injunction was directed against a party to the action, in that case the Secretary of Labor. 843 F.2d at 1170-71. However, this holding must still be weighed against the rule that an injunction should be no more burdensome than necessary to afford complete relief. Meinhold, 34 F.3d at 1480 (quoting Califano v. Yamasaki, 442 U.S. 682, 702 (1979)). In this instance the court, particularly given its determination of facial invalidity of the regulations, could indeed order nationwide relief. However, as it did in Bernstein II, the court concludes that because the legal questions at issue are novel, complex and of public importance, the injunctive relief should be as narrow as possible pending appeal. See Azurin, 792 F.2d at 1915. While declaratory relief should be sufficient, plaintiff should not fear prosecution for teaching and writing about encryption. Nor should plaintiff have to conduct his scholarly activities under stipulation with the government. Accordingly, defendants are enjoined from enforcing the regulations against plaintiff or against anyone who seeks to use, discuss or publish plaintiff's encryption program. V. Effect of Previous Order Defendants ask the court to vacate its order in Bernstein II as the controversy has shifted to the new regulations and Category XIII of the USML no longer covers plaintiff's software. Plaintiff argues the court should reaffirm its previous order because the President left open the possibility that jurisdiction would be shifted back to the Department of State if export controls under the Commerce Department prove inadequate. The likelihood of the jurisdiction being transferred back to the State Department seems too remote to justify maintaining an order that no longer applies to the 30
controversy before the court. While the government cannot avoid the constitutional deficiencies of its regulations by rotating oversight of them from department to department, the court does not believe that such was the intent here. Moreover, should the President direct that export controls on encryption be regulated under the ITAR once more, plaintiff can come back before this court at that time. However, given the continuing validity of the rationale in Bernstein II to the present order, neither is it necessary to vacate that decision. Accordingly, the court's holding in Bernstein II, in so far as it relates to the ITAR, is hereby superseded by the present order. CONCLUSION For the aforementioned reasons, 1) plaintiff's motion for summary judgment is GRANTED in part and DENIED in part in accordance with the foregoing; 2) defendants' motion for summary judgment is DENIED in part and GRANTED in part in accordance with the foregoing; 3) the Departments of State, Energy, Justice and the Central Intelligence Agency are dismissed as defendants; 4) the court's holding in Bernstein v. United States Dept. of State, 945 F. Supp. 1279, is superseded by this order; 5) the court declares that the Export Administration Regulations, 15 C.F.R. Pt. 730 et seq.(l997) and all rules, policies and practices promulgated or pursued thereunder insofar as they apply to or require licensing for encryption and decryption software and related devices and technology are in violation of the First Amendment on the grounds of prior restraint and are, therefore, unconstitutional as discussed above, and shall not be applied to plaintiff's publishing of such items, including scientific papers, algorithms or computer programs; 6) defendants are permanently enjoined from doing or causing to be done the following acts: a) further and future enforcement, operation or execution of the statutes, regulations, rules, policies and practices declared unconsitutional under this order, including criminal or civil 31
prosecutions with respect to plaintiff or anyone who uses, discusses or publishes or seeks to use, discuss or publish plaintiff's encryption program and related materials described in paragraph 5) of this order; and b) threatening, detaining, prosecuting, discouraging or otherwise interfering with plaintiff or any other person described in paragraph 6) above in the exercise of their federal constitutional rights as declared in this order. IT IS SO ORDERED. [Signature] Date August 25, 1997 MARILYN HALL PATEL United States District Judge Northern District of California 32
ENDNOTES 1. Some of the information in this section is taken directly from the court's previous opinions in this action, Bernstein v. United States Dept. of State, 922 F. Supp. 1426 (N.D. Cal. 1996) (Bernstein I), and Bernstein v. United States Dept. of State, 945 F. Supp. 1279 (N.D. Cal. 1996) (Bernstein II); other background information is left out or condensed and reference is made to those opinions. Additional information comes from the parties' current submissions or other sources as indicated. 2. In symmetric cryptography the encryption key is the same as the decryption key. Asymmetric, or public-key, cryptography uses different keys for encryption and decryption and generally only the encryption key is disclosed. 3. For a full description of the ITAR, see Bernstein I, 922 F. Supp. at 1429-30 and Bernstein II, 945 F. Supp. at 1283-84. 4. Source code is the text of a source program and is generally written in a high-level language that is two or more steps removed from machine language which is a low-level language. High-level languages are closer to natural language than low-level languages which direct the functioning of the computer. Source code must be translated by way of a translating program into machine language before it can be read by a computer. The object code is the output of that translation. It is possible to write a source program in high-level language without knowing about the actual functions of the computer that carry out the program. Encyclopedia of Computer Science 962, 1263-64 (Anthony Ralston & Edwin D. Reilly eds., 3d ed. l995). 5. Again, a more detailed description of plaintiff's communications with the ODTC appears in Bernstein I, 922 F. Supp. at 1430, and Bernstein II, 945 F. Supp. at 1284-85. Those opinions also describe the confusion surrounding the determination of the academic paper. 6. These items are also controlled for national security and anti-terrorism reasons. 61 Fed. Reg. 68586-87 (to be codified at 15 C.F.R. § 774 supp. 1). 7. Under Part 772 of the new regulations which is dedicated to definitions of terms, the term "commodity" contains the following note: Note that the provisions of the EAR applicable to the control of software (e.g. publicly available provisions) are not applicable to encryption software. Encryption software is controlled because, like the items controlled under ECCN 5A002, it has a functional capacity to encrypt information on a computer system, and not because of any informational or theoretical value that such software may reflect, contain or represent, or that its export may convey to others abroad. 61 Fed. Reg. 68585 (to be codified at 15 C.F.R. Pt. 772). 8. Encryption source code is defined as "[a] precise set of operating instructions to a computer that, when compiled, allows for the execution of an encryption function on a computer." Encryption object code is defined as "[c]omputer programs containing an encryption source code that has been compiled into a form of code that can be directly executed by a computer to perform an encryption function." 61 Fed. Reg. 68585 (to be codified at 15 C.F.R. Pt. 772). 9. This provision notes "that the mere teaching or discussion of information about cryptography, including, for example, in an academic setting, by itself would not establish the intent described in this section, even where foreign persons are present." 61 Fed. Reg. 68584 (to be codified at 15 C.F.R. § 744.9(a)). 33
10. The introductory information about the new regulations includes the following with respect to the exception for printed materials: "The administration continues to review whether and to what extent scannable encryption source or object code in printed form should be subject to the EAR and reserves the option to impose export controls on such software for national security and foreign policy reasons." 61 Fed. Reg. 68575. 11. At oral argument plaintiff retreated from his position that the ultra vires claim was directed at the President. However, Count VI of plaintiff's supplemental complaint clearly alleges that the President's actions exceeded his authority under the IEEPA. 12. In fact, due to the significance of the issues involved, the Court granted certiorari prior to judgment and ordered expedited briefing. 13. The Ninth Circuit on at least one occasion has declined to endorse the Chamber of Commerce decision. Alameda Newspapers, Inc. v. City of Oakland, 95 F.3d 1406, 1419 (9th Cir. 1996). 14. In fact, as defendants point out, when the TWEA was amended and the IEEPA enacted (as Title II of the same bill), the House Report on the legislation indicated that while it rejected a suggestion by the committee to make the EAA permanent legislation, the committee expected that in the case of future lapses of the EAA "the authority of Title II of this bill could be used to continue the Export Administration Regulations in effect if, and to the extent that, the President declared a national emergency as a result of such lapse according to the procedures of the National Emergencies Act." H.R. Rep. No. 95-459, at 3 (1977). 15. Admittedly, in both of those cases review was precluded in large part because the Court found that the authorizing statutes at issue granted broad discretion to the President. However, this action is not so different as to allow a court to review what the Ninth Circuit has found to be the extensive discretion afforded by section 5(b) of the TWEA, which was essentially reenacted as section 1702 of the IEEPA. Both sections 1701 and 1702 provide little guidance with which to judge the actions taken by the President. Where "the Act provides no standards by which to judge the exercise of discretion by the Executive Branch, we cannot subject that exercise of discretion to judicial review." Medina v. Clinton, 86 F.3d 155, 158 (9th Cir. 1996) (citing Dalton, 114 S.Ct. at 1728). 16. Since the EAA has expired, the "sole basis for the regulations" is the Executive Order, which itself is premised on the IEEPA. Spawr, 685 F.2d at 1080. 17. Even assuming the exemption excludes from regulation only those items designated before April 30, 1994, many software products were regulated at that time. That being so, there is no support for the contention that software generally would fall within the exemption. 18. Portions of the court's analysis of prior restraint cases in [sic] taken directly from its opinion in Bernstein II, 945 F. Supp. at 1286-90. 19. In their motion for reconsideration, defendants concede that the "essential requirements that previously applied to encryption source code under the ITAR would continue under the EAR." Df. Motion for Reconsideration, at 2. The government also acknowledged at oral argument that the issues before the court were basically unchanged. 20. Defendants again spend a great deal of energy arguing that encryption source code is not speech by citing to all the undisputed facts that show its functional capacity -- its ability to actually secure communication; Df. Mem. in Support, at 9-10. Defendants argue that just because "a program may be understood by those trained in programming does not negate the functional nature 34
of the program, nor render it a mere 'idea' ...." Df. Mem. in Opp., at 5. Again, the court does not disagree that encryption software is highly functional, but functionality does not remove it from the realm of speech. Just because an idea is functional does not "negate" its expressiveness. Indeed, it is functional speech. Programming is not, as defendants would have it, merely mechanical. It is both an art and a science. "[A] computer program is not just a way of getting a computer to perform operations but rather . . . is a novel formal medium for expressing ideas about methodology." Plaintiff. Mem. in Opp., at 6 n.15 (quoting Abelson and Sussman, Structure and Interpretation of Computer Programs, preface (1985)). 21. One might make the argument that encryption software could be validly regulated for its "secondary effects," much like adult theaters were in Young v. American Mini-Theaters, Inc., 427 U.S. 50 (1975), and Renton v. Playtime Theaters, Inc., 475 U.S. 41 (1986), where the Supreme Court upheld zoning ordinances aimed at the secondary effects of such theaters in the surrounding community. However, the secondary effects rationale has never been extended beyond sexually explicit speech. See Roos v. Barry, 485 U.S. 312 (1988) (refusing to apply the rationale to political speech). See also Reno, 97 C.D.O.S. at 5002 (considering the secondary effects doctrine in relation to a statute regulating speech on the Internet). 22. In FW/PBS Justice O'Connor, joined by Justices Stevens and Kennedy, stated: Because we conclude that the city's licensing scheme lacks adequate procedural safeguards, we do not reach the issue decided by the Court of Appeals whether the ordinance is properly viewed as a content-neutral time, place, and manner restriction aimed at secondary effects arising out of the sexually oriented businesses. FW/PBS, 493 U.S. at 223. 23. Given the other more obvious deficiencies in the procedural aspects of the regulations, the court does not consider whether 90 days is fast enough given the demands in the field of cryptography. 24. To the extent the EAR are authorized by the IEEPA, that statute does not appear to preclude judicial review. Milena Ship Management Co. Ltd. v. Newcomb, 804 F. SUPP. 846, 850 n.2 (E.D.La. 1992) (nothing in IEEPA provides clear evidence of intent to preclude judicial review). However, if the EAR are authorized exclusively by Executive Order 13026, that order seems to preclude judicial review. Exec. Order No. 13026, 61 Fed. Reg. 58768. 25. As the court discussed in Bernstein II with respect to the ITAR, some of the dangers of a standardless licensing scheme had already been realized. According to the NRC Report, the risk of discriminatory treatment associated with such schemes was reflected in the Report's comments that companies were reluctant to express their full dissatisfaction with the rules and implementation of export controls over cryptographic products for fear that "any explicit connection between critical comments and their company might result in unfavorable treatment of a future application for an export license for one of their products." NRC Report at 4-29. 26. It is not clear from the Press Release accompanying the President's Executive Order 13026 whether the review those agencies are to provide is limited to the enactment of new legislation or whether they will also review the new regulations.
[End]
Digitized and hypertexted by JYA/Urban Deadline