[This text has been spell-checked and lightly proofread. Please report any errors to John Gilmore .] UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA FILED Dec 9 1 10 PM '96 RICHARD [illegible] [illegible] ) U.S. DISTRICT COURT ) NO DIST OF CA DANIEL J. BERNSTEIN, ) ) No. C-95-0582 MHP Plaintiff, ) MEMORANDUM AND ORDER ) DEC 16 1996 vs. ) ENTERED IN CIVIL DOCKET _____, 19__ ) UNITED STATES DEPARTMENT OF STATE ) et al., ) ) Defendants. ) __________________________________) Plaintiff Daniel Bernstein brought this action against the Department of State and the individually named defendants seeking declaratory and injunctive relief from their enforcement of the Arms Export Control Act ("AECA"), 22 U.S.C. Section 2778, and the International Traffic in Arms Regulations ("ITAR"), 22 C.F.R. Sections 120-30 (1994), on the grounds that they are unconstitutional on their face and as applied to plaintiff. Now before this court are cross-motions for summary judgment on the question of whether the licensing requirements for the export of cryptographic devices and software covered by Part 121, Category XIII(b) of the ITAR and the export control over related technical data constitute an impermissible infringement on speech in violation of the First Amendment. Having considered the parties' arguments and submissions, and for the reason set forth below, the court enters the following memorandum and order. BACKGROUND [1] At the time this action was filed, plaintiff was a PhD candidate in mathematics at University of California at Berkeley working in the field of cryptography, an area of applied mathematics that seeks to develop confidentiality in electronic communication. Plaintiff is currently a Research Assistant Professor in the Department of Mathematics, Statistics and Computer Science at the University of Illinois at Chicago. I. Cryptography Encryption basically involves running a readable message known as "plaintext" through a computer program that translates the message according to an equation or algorithm into unreadable "ciphertext." Decryption is the translation back to plaintext when the message is received by someone with an appropriate "key." The message is both encrypted and decrypted by compatible keys.[2] The uses of cryptography are far-ranging in an electronic age, from protecting personal messages over the Internet and transactions on bank ATMs to ensuring the secrecy of military intelligence. In a prepublication copy of a report done by the National Research Council ("NRC") at the request of the Defense Department on national cryptography policy, the NRC identified four major uses of cryptography: ensuring data integrity, authenticating users, facilitating nonrepudiation (the linking of a specific message with a specific sender) and maintaining confidentiality. Tien Decl., Exh. E. National Research Council, National Academy of Sciences, _Cryptography's Role in Securing the Information Society_ C-2 (Prepublication Copy May 30, 1996) (hereinafter "NRC Report"). Once a field dominated almost exclusively by governments concerned with protecting their own secrets as well as accessing information held by others, the last twenty years has seen the popularization of cryptography as industries and individuals alike have increased their use of electronic media and have sought to protect their electronic products and communications. NRC Report at vii. As part of this transformation, cryptography has also become a dynamic academic discipline within applied mathematics. Appel Decl. at 5; Blaze Decl. at 2. As a graduate student, Bernstein developed an encryption algorithm he calls "Snuffle." He describes Snuffle as a zero-delay private-key encryption system. Complaint Exh. A. Bernstein has articulated his mathematical ideas in two ways: in an academic paper in English entitled "The Snuffle Encryption System," and in "source code" written in "C", a high-level computer programming language,[3] detailing both the encryption and decryption, which he calls "Snuffle.c" and "Unsnuffle.c", respectively. Once source code is converted into "object code," a binary system consisting of a series of 0s and ls read by a computer, the computer is capable of encrypting and decrypting data.[4] II. Statutory and Regulatory Background The Arms Export Control Act authorizes the President to control the import and export of defense articles and defense services by designating such items to the United States Munitions List ("USML"). 22 U.S.C. Section 2778(a)(1). Once on the USML, and unless otherwise exempted, a defense article or service requires a license before it can be imported or exported. 22 U.S.C. Section 2778(b)(2). The International Traffic in Arms Regulations, 22 C.F.R. Sections 120-30, were promulgated by the Secretary of State, who was authorized by executive order to implement the AECA. The ITAR is administered primarily within the Department of State by the Director of the Office of Defense Trade Controls ("ODTC"), Bureau of Politico-Military Affairs. The ITAR allows for a "commodity jurisdiction procedure" by which the ODTC determines if an article or service is covered by the USML when doubt exists about an item. 22 C.F.R. Section 120.4(a). Also contained in the ITAR are the licensing requirements for defense articles, 22 C.F.R. Section 123, and technical data, 22 C.F.R. Section 125. Categories of items covered by the USML are enumerated at section 121.1. Category XIII, Auxiliary Military Equipment, includes "Cryptographic (including key management) systems, equipment, assemblies, modules, integrated circuits, components or software with the capability of maintaining secrecy or confidentiality of information or information systems . . . ." 22 C.F.R. Section 121 XIII(b)(1). A number of applications of cryptography are excluded, such as those used in automated teller machines and certain mass market software products that use encryption. Id. A "defense article" is defined by the ITAR as any item or technical data that has been designated in the USML. 22 C.F.R. Section 120.6. A "defense service" is any assistance rendered to a foreign person in the United States or abroad in the development or use of a defense article, 22 C.F.R. Section 120.9(a)(1), or the furnishing of technical data to a foreign person, 22 C.F.R. Section 9(a)(2). "Technical data" is perhaps the most confusing category of items regulated by the ITAR since it is defined separately and _in relation to_ defense articles, 22 C.F.R. Section 120.10, but is also defined _as_ a defense article when it is covered by the USML. See 22 C.F.R. Section 120.6. It generally covers information "which is required for the design development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of defense articles. 22 C.F.R. Section 120.10. It also encompasses software directly related to defense articles. 22 C.F.R. Section 120.10(a)(4). Software "includes but is not limited to the system functional design, logic flow, algorithms, application programs, operating systems and support software for design, implementation, test operation, diagnosis and repair." 22 C.F.R. Section 121.8(f). A person who wants to export software that is not designated on the USML can apply for a technical data license. 22 C.F.R. Section 121.8(f). The definition of technical data includes some noteworthy exemptions. Technical data "does not include information concerning general scientific, mathematical or engineering principles commonly taught in schools, colleges and universities or information in the public domain . . . ." C.F.R. Section 120.10(a)(5). The public domain exemption excludes from technical data information which is "published and generally accessible" to the public through newsstands, bookstores, subscriptions, libraries, conferences and trade exhibitions. 22 C.F.R. Section 120.11(a)(1)-(6). The public domain also includes information available to the public through fundamental research at accredited institutions of higher learning: Fundamental research is defined to mean basic and applied research in science and engineering where the resulting information is ordinarily published and shared broadly within the scientific community, as distinguished from research the results of which are restricted for proprietary reasons or specific U.S. Government access and dissemination controls. 22 C.F.R. Section 120.11(a)(8). It is apparent from the ITAR, and neither party appears to dispute it, that the public domain exceptions apply only to technical data and not to defense articles. Finally, "export" is defined as "[s]ending or taking a defense article out of the United States in any manner", 22 C.F.R. Section 120.17(a)(1), and as "[d]isclosing (including oral or visual disclosure) or transferring technical data to a foreign person, whether in the United States or abroad". 22 C.F.R. Section 120.17(a)(4). III. Plaintiff's Commodity Jurisdiction Determinations On June 30, 1992 Bernstein submitted a commodity jurisdiction ("CJ") request to the State Department to determine whether three items were controlled by ITAR. Those items were Snuffle.c and Unsnuffle.c (together referred to as Snuffle 5.0), each submitted in C language source files, and his academic paper describing the Snuffle system. Complaint Exh. A. On August 20, 1992 the ODTC informed Bernstein that after consultation with the Departments of Commerce and Defense it had determined that the commodity Snuffle 5.0 was a defense article on the USML under Category XIII of the ITAR and subject to licensing by the Department of State prior to export. The ODTC identified the item as a "stand-alone cryptographic algorithm which is not incorporated into a finished software product." Complaint Exh. B. The ODTC further informed plaintiff that a commercial software product incorporating Snuffle 5.0 may not be subject to State Department control and should be submitted as a new commodity jurisdiction request. Plaintiff and ODTC exchanged copious and contentious correspondence regarding the licensing requirements during the spring of 1993. Still unsure if his academic paper had been included in the ODTC CJ determination of August 20, 1992, Bernstein submitted a second CJ request on July 15, 1993, asking for a separate determination for each of five items. Lowell Decl., Exh. 17. According to plaintiff these items were 1) the paper, "The Snuffle Encryption System," 2) Snuffle.c, 3) Unsnuffle.c, 4) a description in English of how to use Snuffle, and 5) instructions in English for programming a computer to use Snuffle.[5] On October 5, 1993 the ODTC notified Bernstein that _all_ of the referenced items were defense articles under Category XIII(b)(1). Complaint Exh. E. By letter dated June 29, 1995, after plaintiff had initiated this action, the ODTC clarified that its CJ determinations pertained only to Snuffle.c and Unsnuffle.c, which it had determined to be a defense article on the USML. Lowell Decl., Exh. 21 at l. The ODTC further noted that the two items of explanatory information fell within the definition of technical data but that the paper, "The Snuffle Encryption System," did "not appear to meet the definition of technical data." Lowell Decl., Exh. 21 at 2. The June 29 letter also explains the public domain exception to technical data without drawing a conclusion about the applicability of that exception to the explanatory information. This court noted, in considering defendants' motion to dismiss, that Bernstein had every reason to believe his paper was determined to be on the USML until June 29, 1995, and that defendants should make a prompt and unequivocal determination as to the status of the paper. Bernstein, 922 F.Supp. at 1434 & n.12. Plaintiff's counsel wrote to defense counsel on May 3, 1996, seeking, among other things, such a determination. Lowell Decl., Exh. 22. In a response dated July 25, 1996, William Lowell, Director of the ODTC, stated that their letter of June 29, 1995 had made clear that the paper "is neither a defense article nor technical data under the ITAR and USML. Therefore, this item is not subject to the ITAR." Lowell Decl., Exh. 24 at 1. With respect to the two items determined to be technical data, Lowell clarified that their publication or teaching would not be regulated, but that a license would be required if the object or intent of their export was to furnish assistance to a foreign person in operating cryptographic software. Id. at 2. Plaintiff seeks to publish and communicate his ideas on cryptography. Bernstein asserts that he is not free to teach the Snuffle algorithm, to disclose it at academic conferences, or to publish it in journals or online discussion groups without a license. // // LEGAL STANDARD Under Federal Rule of Civil procedure 56, summary judgment shall be granted "against a party who fails to make a showing sufficient to establish the existence of an element essential to that party's case, and on which that party will bear the burden of proof at trial . . . since a complete failure of proof concerning an essential element of the nonmoving party's case necessarily renders all other facts immaterial." Celotex Corp. v. Catrett, 477 U.S. 317, 322-23 (1986); see also T.W. Elec. Serv. v. Pacific Elec. Contractors Ass'n, 809 F.2d 626, 630 (9th Cir. 1987) (the nonmoving party may not rely on the pleadings but must present significant probative evidence supporting the claim); Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248 (1986) (a dispute about a material fact is genuine "if the evidence is such that a reasonable jury could return a verdict for the nonmoving party."). The court's function, however, is not to make credibility determinations, Anderson, 477 U.S. at 249, and the inferences to be drawn from the facts must be viewed in a light most favorable to the party opposing the motion. T.W. Elec. Serv., 809 F.2d at 631. Where as here, the question is purely a legal one involving no disputes of material fact, the matter is appropriately handled on a motion for summary judgment. // DISCUSSION Plaintiff contends that the licensing scheme under the ITAR imposes an unconstitutional prior restraint on cryptographic speech, whether that speech is defined as a defense article or technical data. Plaintiff further maintains that a number of terms make the ITAR vague and overbroad in violation of the First Amendment. Defendants argue that the ITAR, insofar as it regulates cryptographic software, is content neutral and easily survives intermediate scrutiny under the First Amendment. In addition, defendants aver that the technical data provisions do not regulate scientific or academic speech and therefore do not act as a prior restraint on speech. Finally, defendants contend that plaintiff's overbreadth claim, vagueness claim and his claims under the Administrative Procedure Act ("APA") are without merit. Both parties sizable briefs in support of their motions for summary judgment are notable for the contrast of their approaches. Plaintiff, for his part, argues that the provisions of the ITAR at issue violate numerous conceivable--and a few inconceivable--First Amendment doctrines. Defendants' arguments, in contrast, while steering closer to traditional first amendment analysis, are notable for the conspicuous absence of discussion of the prior restraint doctrine. Defendants state in their opposition that the real issue in this case is whether export licensing controls on cryptographic software violate the First Amendment. The court agrees that this is the central issue before it and therefore an appropriate place to begin. Moreover, as this court has already determined that source code is speech, Bernstein, 922 F. Supp. at 1436, and both parties agree that a licensing scheme controls the "export" of such speech, the court turns first to prior restraint analysis. I. Prior Restraint A. Analytical Framework As the Supreme Court has stated, in determining the extent of the constitutional protection afforded by the guarantees of the First Amendment, "it has been generally, if not universally, considered that it is the chief purpose of the guaranty to prevent previous restraints upon publication." Near v. Minnesota, 283 U.S. 697, 713 (1931). It is for this reason that the Court has held: "Any prior restraint on expression comes to this Court with a 'heavy presumption' against its constitutional validity." Organization for a Better Austin v. Keefe, 402 U.S. 415, 419 (1971) (citations omitted). While prior restraints have often come in the form of judicial injunctions on publication, see e.g., C.B.S. v. Davis, 510 U.S. 1315 (1994); New York Times Co. v. United States, 403 U.S. 713 (1971), they are also recognized in licensing schemes. See e.g., FW/PBS, Inc. v. Dallas, 493 U.S. 215 (l990); Lakewood v. Plain Dealer Publishing Co., 486 U.S. 750 (1988). Governments may impose valid time, place and manner restrictions when they are content neutral, narrowly tailored to serve a substantial governmental interest, and leave open alternative channels for communication. See e.g., Clark v. Community for Creative Non-Violence, 468 U.S. 288, 293 (1984). However, "even if a government may constitutionally impose content-neutral prohibitions on a particular manner of speech, it may not condition that speech on obtaining a license or permit from a government official in that official's boundless discretion." Lakewood, 486 U.S. at 764. It is axiomatic that the First Amendment is more tolerant of subsequent criminal punishment of speech than it is of prior restraints on the same speech. The thread running through all these cases is that prior restraints on speech and publication are the most serious and the least tolerable infringement on First Amendment rights. A criminal penalty or a judgment in a defamation case is subject to the whole panoply of protections afforded by deferring the impact of the judgment until all avenues of appellate review have been exhausted. . . . A prior restraint, by contrast and by definition, has an immediate and irreversible sanction. If it can be said that a threat of criminal or civil sanction after publication "chills" speech, prior restraint "freezes" it at least for the time. Nebraska Press Ass'n v. Stuart, 427 U.S. 539, 559 (196). While the Supreme Court has consistently rejected the idea that a prior restraint can never be employed, id. at 570, it nonetheless begins with a presumption of invalidity. The danger inherent in prior restraints is largely procedural, in that they bypass the judicial process and locate in a government official the delicate responsibility of passing on the permissibility of speech. See Freedman v. Maryland, 380 U.S. 51, 58 (1965) (holding that "a noncriminal process which requires the prior submission of a film to a sensor avoids constitutional infirmity only if it takes place under procedural safeguards designed to obviate the dangers of a censorship system".) Freedman sets forth three procedural safeguards that have been used by the Supreme Court to examine licensing schemes: 1) any prior restraint to judicial review can only be imposed for a brief and specified period during which the status quo prevails; 2) expeditious judicial review must be available; and 3) the censor must bear the burden of going to court to suppress speech and once there bears the burden of proof. FW/PBS, 493 U.S. at 227 (citing Freedman, 380 U.S. at 58-60). When the risks associated with unbridled licensing schemes are present to a significant degree, "courts must entertain an immediate facial attack on the law." Lakewood , 486 U.S. at 759. B. Analysis Plaintiff argues that the CJ process, the registration and fee system and the licensing system under the ITAR all act as prior restraints on his ability to communicate and publish both his source code and its accompanying technical data. Additionally, plaintiff contends that by failing to meet the procedural requirements of Freedman the ITAR scheme violates the First Amendment. Defendants analyze cryptographic software on the basis of whether it is content based or content neutral and conclude that export controls on source code do not regulate the content of speech and are therefore not a prior restraint or otherwise in violation of the First Amendment. Defendants discuss prior restraint only with respect to technical data and contend that the prior restraint cases are inapplicable. The court will analyze Category XIII of the USML and technical data separately under the prior restraint doctrine. 1. Category XIII(b) of the USML A couple of preliminary observations are in order. The first concerns the nature of the speech involved. Plaintiff cites Hurley v. Irish-American Gay Group of Boston, ___ U.S. ___ , 115 S.Ct. 2338 (1995), to assert that the First Amendment prevents compelled speech and McIntyre v. Ohio Electronics Comm'n, ___ U.S. ___ , 115 S.Ct. 1511 (1995), in support of its protection of anonymous speech. Based on these cases plaintiff advances the novel proposition that the First Amendment also includes the right to speak confidentially, and thus, encryption is deserving of protection because it facilitates private communication. It is unnecessary, and this court is unwilling, to reach this issue. The court reiterates its previous conclusion that source code is speech. Bernstein, 922 F. Supp. at 1436. Software relating to encryption is simply a topic of speech employed by some scientists involved in applied research. Hence, Snuffle is speech afforded the full protection of the First Amendment not because it enables encryption, but because it is itself speech. Second, defendants assume that if the ITAR export controls do not restrict the content of protected speech they are not a prior restraint. This misunderstands the prior restraint analysis. If a licensing scheme does not employ sufficient procedural safeguards, it must be invalidated not because it is necessarily content based but because it bestows on a government official substantial power to discriminate based on the content of the speech or to burden speech by delaying a licensing decision. Lakewood, 486 U.S. at 759; see also FW/PBS, 493 U.S. at 229 (plurality opinion) (finding that under the ordinance at issue the city did not pass judgment on the content of the protected speech but had an indefinite amount of time to issue license). Category XIII(b) of the USML--directed as it is to cryptographic software where software includes logic flows, algorithms and source code--covers speech protected by the First Amendment. Defendants do not dispute that the State Department requires a license to export items covered by Category XIII(b).[6] Furthermore, exportation as defined by the ITAR would appear to include publication where publication, such as posting software on the Internet or distributing it freely among colleagues, could be said to be tantamount to sending it out of the United States "in any manner". 22 C.F.R. Section 120.17(a)(1). A facial challenge on the basis of prior restraint will lie where a law has a "close enough nexus to expression, or to conduct commonly associated with expression, to pose a real and substantial threat of identified censorship risks." Lakewood, 486 U.S. at 759. In Lakewood, a newspaper challenged a city ordinance which required annual permits for newsracks on public property and gave the mayor authority to grant or deny applications for those permits. The Court contrasted laws that are directed at expression, such as the one governing the circulation of newspapers, with laws of general applicability not aimed at conduct commonly associated with expression, such as a law requiring building permits. Id. at 760-61. The former risks self-censorship on the part of those applying for permits and censorship on the part of the decisionmaker. The latter rarely do. While, as defendants assert, the bulk of the ITAR scheme may well be viewed as a law of general applicability not aimed at expression but at controlling the spread of defense-related commodities abroad, the same cannot be said of Category XIII(b) of the Munitions List. Category XIII(b) is directed very specifically at applied scientific research and speech on the topic of encryption. That it regulates encryption in the interest of national security does not alone justify a prior restraint. In New York Times Co., 403 U.S. at 714, the Supreme Court invalidated a prior restraint on classified material that had been enjoined in the interests of national security. While that case inspired nine separate opinions on the propriety of enjoining publication of the Pentagon Papers in The New York Times and The Washington Post, a majority of Justices found national security, without more, too amorphous a rationale to abrogate the protections of the First Amendment. See id. at 719 (Black, J. and Douglas, J., concurring). Justice Brennan concluded that the First Amendment's ban on prior restraints could only be overridden in time of war, id. at 726 (Brennan, J. concurring) (citing Schenck v. United States, 249 U.S. 47 (1919)), and even then, according to Justice Stewart, only when disclosure would "surely result in direct, immediate, and irreparable damage to our Nation or its people." Id. at 730 (Stewart, J. and White, J. concurring). Under such an exacting standard, defendants' interests here, in being able to break foreign encryption and conduct adequate surveillance in "furtherance of world peace and the security and foreign policy of the United States," 22 U.S.C. Section 2778(a)(1), are clearly insufficient without more. However, even though in form Category XIII(b) aims at speech, it is arguable--and defendants assert--that its purpose is content neutral. Yet the very nature of the technology blurs the distinction between these two ways of understanding the constitutionality of a regulation. With respect to encryption, the stronger the cryptographic algorithm, the better the science and the more noteworthy the academic speech, but also the more powerful are its effects and therefore the greater the interest in government regulation.[7] However, even if the court were to determine that the regulatory purpose behind Category XIII(b) was content neutral that would not resolve the issue. The plurality opinion in FW/PBS suggests that even an otherwise valid licensing scheme must still contain adequate procedural safeguards in order to be constitutional. There Justice O'Connor, joined by Justices Stevens and Kennedy, stated: Because we conclude that the city's licensing scheme lacks adequate procedural safeguards, we do not reach the issue decided by the Court of Appeals whether the ordinance is properly viewed as a content-neutral time, place, and manner restriction aimed at secondary effects arising out of the sexually oriented businesses. FW/PBS, 493 U.S. at 223. Thus, the court turns to the procedural safeguards afforded by the ITAR. As noted above, the Court in FW/PBS read Freedman to hold that for a licensing scheme to be constitutional, 1) the licensor must make the licensing decision within a specific and reasonable period of time; 2) there must be prompt judicial review; and 3) the censor must bear the burden of going to court to uphold a licensing denial and once there bears the burden of justifying the denial. FW/PBS, 493 U.S. at 227-28 (citing Freedman, 380 U.S. at 58-60). The ITAR scheme, a paradigm of standardless discretion, fails on every count. This court finds nothing in the ITAR that places even minimal limits on the discretion of the licensor and hence nothing to alleviate the danger of arbitrary or discriminatory licensing decisions. Part 123 governing licenses for the export of defense articles, 22 C.F.R. Section 123, lays out an extensive list of requirements for those seeking a license but places no constraints on the ODTC in approving or denying a license. First, there is no limit to the time in which the ODTC must make a licensing decision. Second, not only does the ITAR not provide for judicial review of licensing decisions, prompt or otherwise, the AECA makes the initial designation of items as defense articles unreviewable. 22 U.S.C. Section 2778(h). Finally, given there is no recourse for someone denied a license, there is no burden on the ODTC to go to court to justify the denial. Moreover, applications for licenses can be disapproved and approved licenses can be revoked, suspended or amended without prior notice in the interests of national security or whenever it "is otherwise advisable". 22 C.F.R. Section 126.7(a)(1). While the court is mindful of the problems inherent in judicial review of ODTC licensing decisions regarding cryptographic software, both with respect to the sophistication of the technology and the potentially classified nature of the licensing considerations, there must still be some review available if the export controls on cryptographic software are to survive the presumption against prior restraints on speech. According to the NRC Report, some of the problems that standardless discretion invite have been realized among commercial vendors of cryptographic products.[8] The Report notes, for example, that virtually all industry representatives testified that product development was inhibited and trust eroded by the unpredictability of USML licensing, a lengthy licensing process and the lack of an independent adjudicating forum in which to appeal negative licensing decisions. NRC Report at 4-14, 4-15, 4-17. In addition, the risk of discriminatory treatment associated with standardless licensing schemes was reflected in the Report's comments that companies were reluctant to express their full dissatisfaction with the rules and implementation of export controls over cryptographic products for fear that "any explicit connection between critical comments and their company might result in unfavorable treatment of a future application for an export license for one of their products." Id. at 4-29. In FW/PBS, the Court declared that the first two safeguards required by Freedman--a time limit on the licensing decision and judicial review--were essential. FW/PBS, 493 U.S. at 228. The third requirement that the censor bear the burdens of going to court and justifying its decision, it concluded, depended on the nature of the licensing scheme. Unlike the film censorship at issue in Freedman, the ordinance considered in FW/PBS did not entail "passing judgment on the content of any protected speech" and because the applicants were applying for a license of their entire business and not just a single film, the applicant had "every incentive . . . to pursue a license denial through court." Id. at 607. For these reasons the plurality opinion concluded that the city was not required under the First Amendment to bear the burden of going to court or to bear the burden of proof once there. Id. The ITAR licensing scheme for items listed in Category XIII(b) of the USML is more like the scheme in Freedman than FW/PBS. Here the relevant provision of the ITAR is directed at speech on a particular subject matter--cryptography. The Supreme Court has held that "the First Amendment's hostility to content-based regulation extends not only to a restriction on a particular viewpoint, but also to a prohibition of public discussion of an entire topic." Burson v. Freeman, 504 U.S. 191, 197 (1992) (citing Consolidated Edison Co. of N.Y. v. Public Service Comm'n of N.Y., 447 U.S. 530, 537 (1980)). Furthermore, applicants must apply for a license for each item covered by Category XIII(b) and like the film distributor seeking approval of one film, may be deterred from challenging the licensing decision. For these reasons, this court concludes that the ITAR licensing scheme of cryptographic software is subject to all three procedural safeguards. Because it fails to provide for a time limit on the licensing decision, for prompt judicial review and for a duty on the part of the ODTC to go to court and defend a denial of a license, the ITAR licensing system as applied to Category XIII(B) acts as an unconstitutional prior restraint in violation of the First Amendment. 2. The Technical Data Provision The same question addressed above with respect to Category XIII(b) applies to the technical data provision: whether it establishes an impermissible system of prior restraints. Plaintiff argues that it does for the same reasons he advances with respect to Category XIII(b). Plaintiff contends that despite the exceptions for fundamental research and work in the public domain, the technical data provisions still sweep in a good deal of scientific speech and that a law must be scrutinized based on what it includes rather than what it excludes. Additionally, plaintiff asserts that the Ninth Circuit's interpretation of technical data in United States v. Edler, 579 F.2d 516 (9th Cir. 1978), no longer saves it on prior restraint grounds because since Edler the AECA was amended to preclude judicial review. Defendants contend that Edler upheld a technical data provision that was considerably less friendly to First Amendment interests and that since then exemptions for academic research and discussion have been added and clarified. In addition to the exemptions of general scientific principles and fundamental research from the definition of technical data, defendants point to a number of scholarly articles on cryptographic theory that have been published free of ITAR licensing. Finally, the ODTC has indicated that it interprets the technical data provision in a manner consistent with Edler. 49 Fed. Reg. 47683 (Dec. 6, 1984). In Edler the Ninth Circuit reviewed a conviction under the predecessor of the AECA for unlicensed exportation of technical data relating to a defense article on the USML. The technical data at issue in Edler related to a technique of tape wrapping with applications for missile components. In an appeal of his conviction, defendant challenged the statute and regulations on First Amendment grounds. After finding that "an expansive interpretation of technical data relating to items on the Munitions List could seriously impede scientific research and publishing and international scientific exchange," 579 F.2d at 519, the court went on to adopt a narrowing construction to save the statute. The court construed the statute and regulations to prohibit only the export of technical data "significantly and directly related to specific articles on the Munitions List." Id. at 521. In addition, when information could have both peaceful and military applications, the court added a scienter requirement that a defendant "must know or have reason to know that its information is intended for the prohibited use." Id. The Ninth Circuit concluded that as construed the statute and regulations were not overbroad and not a prior restraint on speech. Id. This court has serious concerns about the viability of the Edler holding, particularly in light of advanced technologies such as cryptography and other applied sciences.[9] First, the Ninth Circuit's reasoning in Edler is not only twenty years old, but more importantly, it was made without the benefit of the Supreme Court's subsequent interpretation of Freedman and the procedural safeguards required of regulatory schemes that license speech. Second, the court notes with some concern that in practice the technical data provision appears to have been as confusing to those charged with implementing it as to those potentially regulated by it. The NRC Report notes that the rules governing technical data are particularly difficult to understand, pointing to the fact that a cryptographic algorithm that is not machine-readable is technical data while the same algorithm in machine-readable form is a product.[10] The Report also provides excerpts from the only document it found in which the ODTC explains how the regulation of technical data relates to cryptography. NRC Report at 4-47. That 1980 document appears to be inconsistent with the Edler construction and suggests that the technical data provision could be used to directly regulate, and chill, academic discourse. It states: "The public is reminded that professional and academic presentations and informal discussions, as well as demonstrations of equipment, constituting disclosure of cryptographic technical data to foreign nationals are prohibited without the prior approval of this office." Id.[11] Lastly, defendants received between 1978 and 1984 three separate and extensive memoranda from the Department of Justice's Office of Legal Counsel, two regarding proposed revisions to the ITAR and one specifically addressing the constitutionality of the ITAR restrictions on public cryptography. Tien Decl., Exhs. A-C. Each of them concludes, despite further revision and amendment to the ITAR, that the technical data provisions as they relate to academic and scientific speech are in violation of the First Amendment.[12] While this court is inclined to agree, despite revisions to the ITAR since 1984 and especially in light of Freedman and FW/PBS, Edler remains the law of this Circuit and this court is bound by its holding.[13] Moreover, Edler was reaffirmed, albeit in cursory fashion, by the Ninth Circuit in 1989. United States v. Posey, 864 F.2d 1487, 1496 (9th Cir. 1989). If the Ninth-Circuit wants to reconsider those opinions it is free to do so, but that decision is theirs to make. However, as this court has found that Category XIII(b) is unconstitutional, a question the Ninth Circuit has not had an opportunity to address, the technical data provision--only insofar as it relates to items in Category XIII(b)--is unenforceable. II. Vagueness and Overbreadth The doctrines of vagueness and overbreadth have traditionally been viewed as related and similar doctrines by the Supreme Court. Kolender v. Lawson, 461 U.S. 352, 358 n. 8 (1983) (citations omitted). Vague or overbroad laws deter the constitutionally protected activity not only of the litigant, but of third parties not before the court, and for that reason can be challenged facially. Grayned v. City of Rockford, 408 U.S. 104, 114 (1972). The court will consider each doctrine briefly with respect to those parts of the statute not already adjudicated. The court will not address Category XIII(b) but will consider other provisions and amendments to the technical data provision that were not in effect at the time of Edler. A. Vagueness Due process requires that laws clearly define their prohibitions. Grayned, 408 U.S. at 108. Vague laws are objectionable for multiple reasons. First, because they do not "give the person of ordinary intelligence a reasonable opportunity to know what is prohibited," they do not provide fair warning to those who wish to act lawfully. Id. Second, a "vague law impermissibly delegates basic policy matters to policemen, judges, and juries" allowing for "arbitrary and discriminatory application." Id. at 108-09. Finally, a vague law touching on rights protected by the First Amendment inhibits the exercise of those rights; uncertainty can cause speakers to say less. Id. at 109. Therefore, when First Amendment interests are at stake, an even greater degree of specificity is required. Buckley v. Valeo, 424 U.S. 1, 77 (1976); Bullfrog Films, Inc. v. Wick, 847 F.2d 502, 512 (9th Cir. 1988) (citing N.A.A.C.P. v. Button, 371 U.S. 415, 432-33 (1963)). However, for a claim of facial vagueness to survive, the deterrent effect of the statute on protected expression must be "real and substantial" and not easily narrowed by a court. Young v. American Mini Theaters, Inc., 427 U.S. 50, 60 (1976). Plaintiff asserts that the AECA is impermissibly vague in that the statute lacks standards sufficient to guide its application by administrators, thus giving rise to arbitrary and discriminatory enforcement. Plaintiff also charges vagueness with respect to the ITAR terms "defense articles," "defense services," "technical data," "public domain," and "export." Defendants dispute each of these contentions. Plaintiff's argument that the AECA itself is vague is best characterized as an issue under the APA, which, if it still appears necessary to address, the court defers to another day.[14] Grayned, on which plaintiff relies for support, was concerned with the delegation of policy matters to police, judges and juries, entities not normally entrusted with policy decisions. In contrast, the AECA, like many federal statutes, delegates to federal agencies and departments the responsibility of making more detailed policy decisions in the course of promulgating regulations under the law. Here, one set of policy makers has entrusted other policy makers with sensitive policy issues. This was not the situation in Grayned and it does not implicate the vagueness doctrine. Plaintiff also argues that the ITAR is impermissibly vague in that the definitions of "defense articles," "defense services," and "technical data" all encompass the others. Specifically, a defense article "means any item _or technical data_ designated in Section 121.1 of this subchapter." 22 C.F.R. Section 120.6 (emphasis added). Technical data, as defined in the ITAR and by the court in Edler, is information required for the manufacture or operation of defense articles or information directly relating to defense articles. 22 C.F.R. Section 120.10. The definition of defense services distinguishes between defense articles and technical data. 2 C.F.R. Section 120.9. Defendants argue that technical data is defined separately in the ITAR and in a manner that distinguishes it from actual commodities treated as defense articles such that it is not a defense article itself. However, the exact language of the ITAR does not comport with defendants' characterization of it. The definition of defense articles _includes_ technical data, which according to its own definition can only be understood _in relation to_ defense articles. To say this is vague would be generous, but it need not be voided for it is easily cured. The phrase "or technical data" as well as the third sentence of the definition referring to technical data must be removed from the definition of defense article. Accordingly, items listed on the USML are defense articles and information relating directly to them are technical data. Read in this way, the three terms are not impermissibly vague. Plaintiff next claims that the exemptions to the definition of technical data are vague, specifically the public domain exemption and the academic exemption. Plaintiff claims that the public domain exemption presents a classic catch-22 in which items that are already published are exempted but publishing an item can invite prosecution under the ITAR. The definition of public domain includes "information which is published and which is generally accessible or available to the public" through a number of channels, including newsstands, bookstores, libraries and subscriptions. 22 C.F.R. Section 120.11(a)(1)-(7). With respect to subsections (1) though (7), this exemption is fairly well-defined, and not vague. It gives a person of ordinary intelligence concrete examples of the kinds of items that are in the public domain. The catch-22 plaintiff complains of is inherent in a licensing scheme rather than in the statute's definitional terms and as such, has been addressed in the court's discussion of prior restraint. However, the same cannot be said of section 120.11(a)(8), which contains the exemption for information available to the public "through fundamental research in science and engineering". 22 C.F.R. Section 120.11(a)(8). This subsection, like the academic exemption which exempts "general scientific, mathematical or engineering principles" commonly taught in schools and universities, 22 C.F.R. Section 120.10(a)(5), does not give people, particularly those of arguably extraordinary intelligence who are themselves engaged in the applied sciences, "a reasonable opportunity to know what is prohibited". Grayned, 408 S.Ct. at 108. Given the direct application of these exemptions to First Amendment protections, the uncertainty created in scientists about what speech is subject to regulation under the ITAR is unacceptable. For example, fundamental research is defined as "basic and applied research in science and engineering where the resulting information is ordinarily published and shared broadly within the scientific community". 22 C.F.R. Section 120.11(a)(8). As defendants themselves repeatedly attest, cryptographic algorithms and theory are often published in scientific journals. Crowell Decl., Exhs. 1-10; Joint Statement of Undisputed Facts s 9. However, cryptographic algorithms are also covered by Category XIII(b) of the USML. Given these two facts, it would be hard for scientists to discern when their work was a defense article and when it was wholly exempt from the ITAR without going through a CJ determination before any effort at publication. In fields of applied science, what is commonly taught in universities may well overlap with what the government might choose to regulate. In this instance the deterrent effect on protected expression appears both real and substantial. Young v. American Mini Theaters, Inc., 427 U.S. at 60. These academic exemptions from the definition of technical data, 22 C.F.R. Sections 120.10(a)(5) & 120.11(a)(8), are accordingly void for vagueness. Lastly, plaintiff challenges the term "export" as vague for two reasons. First, because it encompasses publishing and second, because what constitutes an export depends on whether an item is defined as a defense article or as technical data and those definitions are themselves vague. The first issue is more properly one of overbreadth and will be addressed below. The second is clarified by the modifications made by the court to the definition of defense article. Export is defined as "[s]ending or taking a defense article out of the United States in any manner", 22 C.F.R. Section 120.17(a)(1), and as "[d]isclosing (including oral or visual disclosure) or transferring technical data to a foreign person, whether in the United States or abroad". 22 C.F.R. Section 120.17(a)(4). The NRC Report states that "[t]here is uncertainty about what specific act constitutes the 'export' of software products with encryption capabilities." NRC Report at 4-16. The Report gives the example of uploading an encryption product to an Internet site in the United States where it can be downloaded by a user in another country, and asks if the exportation is in the upload or the download. NRC Report at 416, 4-17. This example appears to point out the uncertainty in what acts can actually be prosecuted under the ITAR more than any uncertainty in the definition of export. It seems reasonably clear that uploading an item to an Internet site that can be accessed in a foreign country constitutes "sending" a defense article out of the country. The court does not find that the term "export" is impermissibly vague. B. Overbreadth In a facial challenge to a law on grounds of overbreadth, a court must first "determine whether the enactment reaches a substantial amount of constitutionally protected conduct. If it does not, then the overbreadth challenge must fail." Village of Hoffman Est. v. Flipside, Hoffman Est., 455 U.S. 489, 494 (1982). Facial overbreadth is concededly "strong medicine" employed as a last resort when a limiting construction cannot be applied to a statute. Broadrick v. Oklahoma, 413 U.S. 601, 613 (1973). In Members of the City Council of Los Angeles v. Taxpayers for Vincent, 466 U.S. 789 (1984), the Court noted that "where the statute unquestionably attaches sanctions to protected conduct, the likelihood that the statute will deter that conduct is ordinarily sufficiently great to justify an overbreadth attack." Id. at 801 n.19 (citing Erznoznik v. City of Jacksonville, 422 U.S. 205 (1975)). However, the Court also clarified the application of substantial facial overbreadth, saying there must be a "realistic danger that the statute itself will significantly compromise recognized First Amendment protections of parties not before the Court . . . ." Id. at 801. Merely being able to conceive of "some impermissible applications of a statute" is insufficient. Id. at 800. Defendants argue that although the traditional rules of standing are modified in the context of an overbreadth challenge on First Amendment grounds, Brockett v. Spokane Arcades, Inc., 472 U.S. 491, 503 (1984) (noting cases holding that one whose own speech is validly prohibited by statute may still challenge statute facially because it threatens others not before the court), that is not the case where the party before the court seeks to engage in protected speech that the statute purports to punish. In that case, there is "no want of a proper party to challenge the statute, no concern that an attack on the statute will be unduly delayed or protected speech discouraged." Brockett, 472 U.S. at 504. Accordingly defendants assert that because plaintiff cannot show a significant difference between his claims and those of third parties, the court must consider the overbreadth challenge as applied to plaintiff. Plaintiff disputes this by citing cases emphasizing that if a statute's overbreadth is substantial and its chilling effect significant, the entire statute may be invalidated to protect the First Amendment. Lind v. Grimme, 30 F.2d 115, 1122 (9th Cir. 1994), cert. den sub nom. Want v. Lind, 115 S.Ct. 902 (1995) (distinguishing cases in which the only unconstitutional application was the one directed at the party before the court and where the chilling effect could be obviated by partial invalidation); see also Board of Airport Comm'rs of Los Angeles v. Jews for Jesus. Inc., 482 U.S. 569, 573-74 (1987). The court need not resolve this dispute over standing because the issues left unresolved are few, and for those that remain the nature of the challenge will not make a difference. The First Amendment does not "render inapplicable the rule that a federal court should not extend its invalidation of a statute further than is necessary to dispose of the case before it." Brockett, 472 U.S. at 502 (citation omitted). The court is mindful of that admonition. It has ruled on Category XIII(b) and technical data generally under prior restraint analysis; it has offered a curing instruction for the definition of "defense articles" and has invalidated the academic exemptions to technical data on vagueness grounds. All that remains are plaintiff's claims that the definition of export is overbroad and that the entire ITAR scheme is overbroad in that it assumes that all foreigners are terrorists. The latter strikes the court as patently absurd. The former can be disposed of quickly. As noted above, "export" is defined with respect to defense articles as "[s]ending or taking a defense article out of the United States in any manner", 22 C.F.R. Section 120.17(a)(1). With respect to technical data it means "[d]isclosing (including oral or visual disclosure) or transferring technical data to a foreign person, whether in the United States or abroad". 22 C.F.R. Section 120.17(a)(4). The provision governing the exportation of defense articles is clearly aimed mainly at conduct--at shipping tanks, missiles and the like abroad. Yet in regulating cryptographic software it also sweeps in speech. While the overbreadth of the provision in this respect is real, the court cannot say that it is "substantial as well, judged in relation to the statute's plainly legitimate sweep." Broadrick, 413 U.S. at 615. With respect to the export of technical data, this court is again bound by Edler regardless of whether it agrees with that disposition. There the Ninth Circuit added a scienter requirement to the prohibition against exporting technical data in order to cure the overbreadth problem. Edler, 579 F.2d at 521. Accordingly, neither the definition of export nor the ITAR scheme as a whole is unconstitutionally overbroad. III. Administrative Procedures Act In light of the foregoing, the court finds it unnecessary to reach the claims brought by plaintiff under the APA. IV. Preliminary Injunction Plaintiff also seeks a preliminary injunction to enjoin the government from prosecuting him under the ITAR and AECA for his teaching activities. Plaintiff plans to teach a class on the theory and practice of cryptography at the University of Illinois at Chicago beginning in January of 1997. Plaintiff believes that foreign students may take his class and intends to post class materials, including cryptographic algorithms, on the University's Internet website for students to access. Defendants assert that a preliminary injunction is unwarranted because teaching a class on cryptography does not violate the regulations. They also argue that the motion for a preliminary injunction is merely an attempt by plaintiff to circumvent export controls by distributing cryptographic software abroad in the name of academic freedom. The court notes that an injunction appears hasty given the relative positions of the parties. The government seems to suggest that teaching a class on cryptography, regardless of the nationality of the students, is not the problem; the concern is with posting material on the Internet without limiting access. Assuming the government is sincere about its limited objections and that plaintiff could easily limit access to the class material he posts so that it is not available internationally, it is not clear why the parties could not enter into a stipulation. In view of the fact that the court has ruled on the merits and has found certain provisions of the ITAR invalid, plaintiff cannot be prosecuted under those provisions absent reversal on appeal. Therefore, at this time there is no immediate threat of injury and no need to rule on the preliminary injunction.[15] The motion for a preliminary injunction is denied without prejudice. If plaintiff is threatened with prosecution, he may return to this court and renew the motion. // // // CONCLUSION For the reasons set forth above, IT IS HEREBY ORDERED that plaintiff's motion for summary judgment is GRANTED in part and DENIED in part. Defendants' motion for summary judgment is likewise GRANTED in part and DENIED in part. Plaintiff's motion for a preliminary injunction is DENIED without prejudice. IT IS SO ORDERED. Dated: Dec. 6, 1996 [signature] ______________ ______________________________ MARILYN HALL PATEL United States District Judge ENDNOTES 1. Some of the information in this section is taken directly from the court's previous opinion in this action, Bernstein v. United States Dept. of State, 922 F. Supp. 1426, 1428-30 (N.D. Cal. 1996), and is repeated here for its relevance to the present motion. Additional information comes from the parties' submissions or other sources as indicated. 2. In symmetric cryptography the encryption key is the same as the decryption key. Asymmetric, or public-key, cryptography uses different keys for encryption and decryption and generally only the encryption key is disclosed. 3. Source code is the text of a source program and is generally written in a high-level language that is two or more steps removed from machine language which is a low-level language. High-level languages are closer to natural language than low- level languages which direct the functioning of the computer. Source code must be translated by way of a translating program into machine language before it can be read by a computer. The object code is the output of that translation. It is possible to write a source program in a high-level language without knowing about the actual functions of the computer that carry out the program. _Encyclopedia of Computer Science_ 962, 1263-64 (Anthony Ralston & Edwin D. Reilly eds., 3d ed. 1995) 4. The parties disagree about whether the computer code submitted by plaintiff to the State Department is technically "software." The court notes that 22 C.F.R. 121.8(f) defines "software" for the purposes of the AECA. That definition is descriptive of content, however, and does not define the actual format or physical form of the software. However, 22 C.F.R. 120.4(d)(2), pertaining to the commodity jurisdiction procedure, contains the note that for the purposes of software, "form denotes language, language level and media" while the function is "the action or actions it is designated to perform." For the purposes of this motion the court need not resolve this issue since regardless of Snuffle's exact form, it appears to meet the definitions contained in the statute and the ODTC has subjected it to the licensing requirements. 5. The CJ request of July 15, 1993, refers to the items as DJBCJF-2, DJBCJF-3, DJBCJF-4, DJBCJF-5, and DJBCJF-6 without distinguishing information. Complaint Exh. D. 6. Plaintiff contends that the CJ process, the registration and fee system, the licensing system and the recordkeeping mandate all function as a prior restraint on speech. For the purpose of this motion, this is overkill. Defendants do not dispute the licensing system for defense articles. As defendants point out, the CJ process is voluntary, although it appears to function as a pre-licensing system. The court will analyze the ITAR mainly with respect to the licensing system itself. 7. One might make the argument that encryption software could be validly regulated for its "secondary effects," much like adult theaters were in Young v. American Mini-Theaters, Inc., 427 U.S. 50 (1975), and Renton v. Playtime Theaters, Inc., 475 U.S. 41 (1986), where the Supreme Court upheld zoning ordinances aimed at the secondary effects of such theaters in the surrounding community. However, the secondary effects rationale has never been extended beyond sexually explicit speech. See Boos v. Barry, 485 U.S. 312 (1988) (refusing to apply the rationale to political speech). 8. The court recognizes that the vendors the NRC Report discusses have different speech interests in cryptography than academic scientists. However, the Report is nonetheless valuable for its up-to-date insights into the actual implementation of the ITAR export controls over cryptographic products. 9. The NRC Report states that the recent lawsuits in this area, including the instant one, "suggest quite strongly that the traditional national security paradigm of export controls on cryptography (one that is biased toward denial rather than approval) is stretched greatly by current technology. Put differently, when the export control regime is pushed to an extreme, it appears manifestly ridiculous." NRC Report at 4-33. 10. This is like the controversy surrounding Bruce Schneier's book, _Applied Cryptography_, which was the subject of litigation similar to the present action. See Karn v. United States Dept. of State, 925 F. Supp. 1 (D.D.C. 1996). The book contained source code for cryptography as well as a disk containing the identical source code. Karn received permission to export the book but not the disk. The NRC Report commented on the general dismay with which the academic cryptography community greeted this decision, repeating their quip: "They think terrorists can't type?" NRC Report at 4-48. 11. Also suggestive of the confusion surrounding application of this provision is the manner in which the ODTC handled the CJ determination of plaintiff's paper. Based on this court's understanding of the correspondence between ODTC and Bernstein, the paper was initially determined to be on the USML. See Bernstein, 922 F. Supp. at 1434. Although the ODTC claims this was because Bernstein presented his application in a confusing manner, it still took nearly two years for the ODTC to determine only that the paper did not "appear" to be technical data. In a letter sent to plaintiff since the court issued its opinion, the ODTC clarified that the paper was not technical data. 12. In an August 29, 1978 letter to Colonel Kay in the Office of Science and Technology Policy concerning the then recent decision in Edler, the Office of Legal Counsel stated that while the Ninth Circuit's decision is helpful in resolving First Amendment issues with respect to blueprints and similar types of technical data used as a basis for producing military equipment, we do not believe that it either resolves the First Amendment issues presented by restrictions on the export of cryptographic ideas or eliminates the need to reexamine the ITAR. Tien Decl., Exh. D at 2. 13. The court disagrees with plaintiff's contention that the elimination of judicial review allows for reconsideration of Edler. The judicial review provision, which was added in 1989, does not address licensing decisions but precludes judicial review only as to the designation of items as defense articles or services. 22 U.S.C. 2778(h). 14. This set of summary judgment motions was set specifically to address First Amendment issues. 15. In order to establish injury plaintiff need not "expose himself to actual arrest or prosecution . . . ." Steffel v. Thompson, 415 U.S. 452, 459 (1974). However, neither can the threat of prosecution be speculative. Id.; Caribbean Marine Servs. Co., Inc. v. Baldridge, 844 F.2d 668, 675 (9th Cir. 1988).