UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF OHIO
EASTERN DIVISION
CASE NO.
PETER D. JUNGER,
Plaintiff
v.
JUDGE WARREN CHRISTOPHER,
DEPARTMENT OF STATE;
WILLIAM J. LOWELL,
OFFICE OF DEFENSE TRADE CONTROLS;
LT. GENERAL KENNETH A. MINIHAN,
NATIONAL SECURITY AGENCY,
Defendants.
COMPLAINT FOR
DECLARATORY AND
INJUNCTIVE RELIEF
1. This is an action for declaratory and injunctive relief brought by
a law professor to protect his rights and the rights of others to
teach, publish and otherwise disclose unclassified cryptographic
information to foreign students and other foreign persons without
first obtaining a license or approval from the government. The
plaintiff challenges the constitutionality of specific provisions of
the International Traffic in Arms Regulations ("ITAR," "the
regulations"), 22 C.F.R. �� 120 et seq., that require a license or
approval from the government before "exporting" cryptography and seeks
to enjoin the defendants from using, or threatening to use, such
provisions to restrict him and others from disclosing cryptographic
information.
JURISDICTION, VENUE AND PARTIES
2. This action arises under the First and Fifth Amendments to the
United States Constitution and the constitutional doctrine of
separation of powers. Declaratory relief is sought under 28 U.S.C. ��
2201-02. The jurisdiction of this Court is invoked pursuant to 28
U.S.C. � 1331.
3. The plaintiff resides in the Northern District of Ohio. Since this
is a suit against officials and/or agencies of the federal government,
venue is proper under 28 U.S.C. � 1391(e).
4. The plaintiff, Peter D. Junger, is a citizen of the United States
and a professor of law at the Case Western Reserve University School
of Law in Cleveland, Ohio.
5. The individual defendants are members of the executive branch of
the government of the United States. The individual defendants are
sued as officers or employees of the United States acting under color
of law in their official capacities.
6. Warren Christopher is the United States Secretary of State.
7. William J. Lowell is the Director of the Department of State's
Bureau of Politico-Military Affairs, Office of Defense Trade Controls
("ODTC").
8. Lt. General Kenneth A. Minihan is the Director of the National
Security Agency ("NSA").
9. The defendants and their respective agencies (also referred to as
"the government") are responsible for the interpretation and
administration of the ITAR provisions at issue in this complaint.
BACKGROUND
10. The plaintiff teaches a course entitled "Computers and the Law" at
the Case Western Reserve University Law School ("CWRU Law School").
The plaintiff has offered this course in the fall semester of each
year since 1993 and is scheduled to offer it again this fall.
11. In May 1993, the plaintiff wrote a short encryption program that
he intended to use in his class the following fall.
12. On numerous occasions beginning on or about May 7, 1993, the
plaintiff contacted the Department of Commerce, Department of State,
the ODTC and the NSA to determine whether his program was subject to
export regulations. To the best of plaintiff's knowledge and
information, any answer that the plaintiff received, or may have
received, from the persons he contacted is not binding on their
respective agencies and thus cannot be relied on by the plaintiff or
anyone else.
13. The plaintiff has prepared, and continues to prepare, materials
for his computer law course. These materials include (i) a casebook,
which the plaintiff is currently revising for use in class this coming
fall, (ii) handouts supplementing and extending the information
contained in the casebook and (iii) duplicates of some of those
materials and additional materials that will be available on the
plaintiff's World Wide Web ("WWW," "Web") server at http://samsara.
law.cwru.edu or other WWW servers linked to the plaintiff's server.
14. These materials referred to in the above paragraph currently
include, or will include, the source code, algorithm and
representations of machine code for the encryption program initially
created by the plaintiff in May 1993 along with the source codes,
application programs and algorithms for other cryptographic systems,
including the Diffie-Hellman key distribution protocol, the
Hellman-Merkle public-key "knapsack" system (U.S. Patent Number
4,218,582) and the RSA and RC4 algorithms. The materials will also
contain information on how to obtain and how to use programs
implementing the DES, triple-DES, or RSA algorithms, such as the
encryption program "Pretty Good Privacy" ("PGP"). The cryptographic
information included in the plaintiff's materials, other than his
program, was taken from public sources, including materials published
in books, journals and on internet.
15. For fear of violating ITAR, the plaintiff has refrained from
disclosing his program and other cryptographic information to foreign
persons other than some Canadian students that he allowed to enroll in
his computer and law class in 1994 under the belief that disclosure to
Canadians was exempt from ITAR. For the same reason, the plaintiff has
not disclosed his program and other cryptographic information at
faculty discussions in the presence of foreign colleagues and, other
than the Canadian students in 1994, he has not allowed foreign
students to enroll in his computer and law class. The plaintiff has
required, and continues to require, that students taking the class
certify that they are citizens of the United States or admitted to
permanent residence in the United States.
16. In class, the plaintiff has disclosed, and will continue to
disclose, cryptographic information, including source codes,
representations of machine code, and information on how to use and
where to obtain functioning encryption programs to his students. For
class this coming fall, the plaintiff will require students to
participate in exercises that require them to obtain and have some
hands on experience with cryptographic software.
17. In discussions on the internet, the plaintiff has been forced to
be very careful not to disclose cryptographic information to foreign
persons for fear of violating ITAR. Thus, for example, on or about
August 22, 1994, after Paul Leyland of Oxford University Computing
Services in Oxford, England, posted a short encryption program written
in the "C" programming language and which performs the same encryption
function as the plaintiff's program, to the sci.crypt.research
newsgroup, the plaintiff could not respond, as he wished, by posting
his program to the newsgroup. Moreover, when the plaintiff sent Mr.
Leyland an email message requesting permission to include Mr.
Leyland's program in his course materials, the plaintiff could not
disclose his program or Mr. Leyland's program to Mr. Leyland without
violating ITAR.
18. The plaintiff wants to publish his course materials as a text book
and has begun writing a law review article on ITAR and cryptography
that will include his program and other cryptographic information. For
fear of violating ITAR, the plaintiff hesitates to publish his course
materials and any law review article that contains cryptographic
information.
19 For fear of violating ITAR, the plaintiff has refrained from making
his course materials available to others with whom he would like to
share information. Thus, on or about May 29, 1996, Peter M. Gerhart,
who was then the Dean of CWRU Law School, requested a copy of the
plaintiff's course materials for a colleague in the People's Republic
of China. The plaintiff was forced to deny this request since the
materials contained information that could not be sent to China
without a license or other permission from the ODTC.
20. None of the cryptographic information that the plaintiff seeks to
teach, publish or otherwise disclose is classified information, and
all of it, other than the plaintiff's program, is available in books,
libraries and on the internet.
21. The plaintiff has been informed and believes that the defendants
have taken the position that software that contains no cryptographic
routines whatsoever, but which could be modified to include
cryptographic routines, (also referred to as "crypto with a hole") is
subject to regulation under ITAR.
22. The plaintiff is required to register for a fee with the ODTC and
obtain a license or approval before he can lawfully "export" his
program or other cryptographic information that is not specifically
exempted under ITAR.
23. The definition of "export" in 22 C.F.R. � 120.17 includes "sending
or taking a defense article out of the United States in any manner,"
22 C.F.R. � 120.17(a)(1), "[d]isclosing (including oral or visual
disclosure) or transferring technical data to a foreign person,
whether in the United States or abroad, 22 C.F.R. � 120.17(a)(4), and
"performing a defense service on behalf of, or for the benefit of, a
foreign person," 22 C.F.R. � 120.17(a)(5).
24. Cryptographic software is classified as a "munition" under
Category XIII of the United States Munitions List ("USML"), 22 C.F.R.
� 121.1, and, thus, a "defense article" under 22 C.F.R. � 120.6.
25. At least some, if not all, of what is included under the
definition of "cryptographic software" is included under the
definition of "technical data" in 22 C.F.R. � 120.10, which is also
listed on the USML under Category XIII and, thus, is a defense
article. The furnishing of cryptographic software and cryptographic
technical data to foreign persons may also constitute a "defense
service," as defined in 22 C.F.R. � 120.9.
26. Under 22 C.F.R. Part 122, a person who intends to export a defense
article or provide a defense service "on behalf of, or for the benefit
of, a foreign person" must register with the ODTC for a fee of at
least $250.00 even if that person is not in the business of
manufacturing or exporting defense articles or defense services.
27. Under 22 C.F.R. Parts 123-25, a person must obtain a license or
written approval from the ODTC before exporting a defense article,
defense service or technical data unless some specific exemption
applies.
28. Thus, absent some exemption, a person must register with the ODTC
and obtain a license or written approval from the ODTC before
exporting cryptographic software and/or technical data.
29. The public domain exemption in 22 C.F.R. � 120.11 and the
exemption for general scientific, mathematical or engineering
principles in 22 C.F.R. � 120.10(a)(5) do not exempt all of the
cryptographic information that the plaintiff seeks to disclose.
30. 22 C.F.R. � 127.1 makes it is unlawful
to export or attempt to export from the United States any defense
article or technical data or to furnish any defense service for
which a license or written approval is required ... without first
obtaining the required license or written approval from the Office
of Defense Trade Controls.
31. Under the provisions of ITAR referred to in the paragraphs above,
the defendants can require a license or government approval prior to
the dissemination of privately developed, unclassified cryptographic
software and/or technical data to any foreign person within the United
States and to anyone, without limitation, outside the United States.
CLAIMS FOR RELIEF
Count One: Prior restraint
32. The plaintiff realleges and incorporates herein paragraphs 1 to 31
as if fully rewritten.
33. The plaintiff has been, and is, compelled to exclude students who
are "foreign persons" from his computer law course because it would be
a violation of the ITAR for him to disclose cryptographic software
and/or cryptographic technical data that is not specifically exempted
under ITAR to foreign students without first applying for and
obtaining a license or approval from the ODTC.
34. The plaintiff is prohibited from disclosing cryptographic software
and/or cryptographic technical data that is not specifically exempted
under ITAR to foreign students, lawyers, professional colleagues and
all other foreign persons without first applying for and obtaining a
license or approval from the ODTC.
35. The plaintiff is prohibited from publishing his course materials
and law review articles that contain cryptographic software and/or
cryptographic technical data that is not specifically exempted under
ITAR if the course materials and law review articles are available to
foreign persons within the United States or available outside the
United States without first applying for and obtaining a license or
approval from the ODTC.
36. The plaintiff is prohibited from publishing cryptographic software
and/or cryptographic technical data that is not specifically exempted
under ITAR on the internet without first applying for and obtaining a
license or approval from the ODTC.
37. The plaintiff must register for a fee with the ODTC before
disclosing cryptographic software and/or technical data that is not
specifically exempted under ITAR to foreign students and foreign
colleagues or publishing cryptographic software and/or technical data
on the internet.
38. ITAR's restrictions on the export of "cryptographic software" and
"technical data" without a license or the government's approval have
chilled the plaintiff's speech and have caused him to restrict his
research and censor his publications and communications with foreign
persons.
39. There is no provision of ITAR that allows for judicial review of
ODTC decisions.
40. The provisions of ITAR referred to in the paragraphs above
constitute a prepublication registration and licensing scheme, and
thus a prior restraint on free expression, in violation of the First
Amendment to the United States Constitution.
Count Two: Overbreadth and Vagueness
41. The plaintiff realleges and incorporates herein paragraphs 1 to 40
as if fully rewritten
42. The provisions of ITAR referred to in the paragraphs above, as
written and as interpreted by the defendants, control a substantial
amount of speech. The provisions in question govern all disclosures of
cryptographic software and all disclosures of cryptographic technical
data that are not specifically exempted, including disclosures of
unclassified information.
43. The provisions of ITAR referred to in the paragraphs above, as
written and as interpreted by the defendants, have been drafted and
applied in such a confusing way that the plaintiff cannot be sure what
cryptographic information is exempt from ITAR and what requires a
license or written approval from the ODTC. As a result, the
plaintiff's speech has been, and continues to be, chilled.
44. The provisions of ITAR referred to in the paragraphs above, as
written and as interpreted by the defendants, have been drafted and
applied in such a confusing way that persons other than the plaintiff
cannot be sure what cryptographic information is exempt from ITAR and
what requires a license or written approval from the ODTC. The
plaintiff is informed and believes that, as a result, the speech of
others has been, and continues to be, chilled.
45. To the best of plaintiff's knowledge and information, there are no
published criteria or standards available to him or the public on
which the defendants base their decisions to grant or deny licenses
for the export of cryptographic information other than guidelines for
the export of mass market encryption software.
46. The provisions of ITAR referred to in the paragraphs above are
overbroad and vague, facially and as applied to the plaintiff's
conduct, and are thus unconstitutional in violation of the First and
Fifth Amendments to the United States Constitution.
Count Three: Restrictions on Academic Freedom and Political Speech
47. The plaintiff realleges and incorporates herein paragraphs 1 to 46
as if fully rewritten.
48. The provisions of ITAR referred to in the paragraphs above
restrict the plaintiff's rights to teach, research and publish
unclassified cryptographic information in whatever manner he chooses
and to whom he chooses.
49. The provisions of ITAR referred to in the paragraphs above also
restrict and the rights of the plaintiff and others, particularly
foreign students and foreign professors within the United States, to
receive and discuss unclassified cryptographic information.
50. A knowledge of cryptography is important for understanding and
evaluating government efforts to establish key escrow systems, such as
the Clipper Chip, that have significant consequences for individual
rights. Thus, cryptographic information is a matter of public debate,
and in the context of a public debate, restrictions on cryptographic
information are restrictions on political speech.
51. The provisions of ITAR referred to in the paragraphs above are not
narrowly drawn, and the government does not have a compelling interest
to regulate all unclassified cryptographic information.
52. The provisions of ITAR referred to in the paragraphs above are
unconstitutional restrictions on academic and political speech in
violation of the First Amendment .
Count Four: Freedom of Association
53. The plaintiff realleges and incorporates herein paragraphs 1 to 52
as if fully rewritten.
54. The provisions of ITAR referred to in the paragraphs above require
that the plaintiff apply for, and obtain, a license or approval from
the government before allowing foreign students to enroll in his
class, before allowing foreign professors to attend faculty
discussions where cryptographic software and other cryptographic
information is discussed and before posting cryptographic software
and/or other cryptographic information on the internet where it may be
available to foreign persons.
55. The provisions of ITAR referred to in the paragraphs above
restrict the rights of the plaintiff and U.S. citizens and permanent
residents to freely associate with foreign persons to discuss
cryptographic information and further restrict the rights of foreign
persons within the United States to discuss cryptographic information
with U.S. citizens and permanent residents.
56. The plaintiff and anyone else intending to disclose cryptographic
information for which a license is required, other than those
exporting mass encryption software, must identify each and every
recipient of the information, including every foreign persons within
the United States who receives the information, in order to obtain a
license from the ODTC.
57. By requiring the identification of all recipients of cryptographic
information, the defendants are compelling the disclosure of foreign
persons who pose no threat to national security and with whom the
plaintiff and others communicate.
58. It is practicably impossible for the plaintiff to name each
recipient of cryptographic information that receives the information
from the plaintiff's web site or FTP server.
59. The provisions of ITAR referred to in the above paragraphs violate
the plaintiff's and other's freedom of association rights under the
First Amendment.
Count Five: Separation of Powers
60. The plaintiff realleges and incorporates herein paragraphs 1 to 59
as if fully rewritten.
61. The provisions of the ITAR referred to in the paragraphs above
allow the defendants to control the dissemination of cryptographic
information within the United States and on the internet.
62. The authority of the defendants to implement and enforce ITAR is
based on � 38 of the Arms Export Control Act ("AECA"), 22 U.S.C. �
2778.
63. The AECA does not authorize the registration or licensing of
disclosures of unclassified cryptographic information within the
United States, including disclosures of unclassified cryptographic
information on the internet.
64. By requiring registration and a license prior to the disclosure of
unclassified cryptographic software or cryptographic technical data
within the United States, the defendants are engaged in controlling
the exchange of cryptographic information between persons within the
United States, including the dissemination of cryptographic
information on the internet. The defendants have therefore adopted a
de facto policy of restricting the domestic dissemination of
unclassified cryptographic information which has the direct effect of
restricting the availability of cryptographic software within the
United States.
65. Congress, and not the Executive, is constitutionally responsible
for formulating and determining domestic policy on cryptography and
for placing restrictions on the availability of cryptographic software
within the United States.
66. Congress has not delegated its responsibility referred to in the
paragraph above to the President or the defendants.
67. By designating unclassified cryptographic software and technical
data as defense articles, the defendants are regulating information
and expression as defense articles.
68. Section 2778(h) of the AECA precludes judicial review of the
designation of items as defense articles.
69. To the extent that the AECA authorizes the defendants to regulate
disclosures of unclassified cryptographic software and cryptographic
technical data within the United States, � 2778(h) of the AECA
unconstitutionally deprives the Judiciary of its responsibility to
review potential restrictions on information and expression.
70. Thus, the defendants act in violation of the constitutional
doctrine of separation of powers by regulating unclassified
cryptographic information in violation within the United States.
PRAYER FOR RELIEF
WHEREFORE, the plaintiff demands that judgment be entered against the
defendants. Specifically, the plaintiff demands such declaratory,
injunctive and other relief as follows:
(1) A declaration that the provisions of the International Traffic in
Arms Regulations, 22 C.F.R. �� 120 et seq., referred to in the
paragraphs above that require registration and a license or government
approval before the "export" of unclassified "cryptographic software"
and "cryptographic technical data," as those terms are defined in
ITAR, are unconstitutional in violation of the First and Fifth
Amendments and the constitutional doctrine of separation of powers.
(2) A declaration that, to the extent that the Arms Export Control
Act, 22 U.S.C. � 2778, authorizes the regulation of unclassified
cryptographic software and cryptographic technical data within the
United States, � 2778(h) is unconstitutional in violation of the
constitutional doctrine of separation of powers.
(3) Preliminary and permanent injunctions enjoining the defendants
from interpreting, applying, and enforcing the International Traffic
in Arms Regulations, 22 C.F.R. �� 120 et seq., to require that the
plaintiff and his students register or obtain a license or approval
from the defendants before disclosing to any person or persons by
speech, publication or any other means or by any medium, any
unclassified information about cryptography, whether or not that
information is included within the definition of "software" or
"technical data" as those terms are defined in ITAR.
(4) A permanent injunction enjoining the defendants from interpreting,
applying and enforcing the International Traffic in Arms Regulations,
22 C.F.R. �� 120 et seq., to require that any person or persons
register or obtain a license or approval from the government before
disclosing to any other person or persons by speech, publication or
any other means or by any medium, any unclassified information about
cryptography, whether or not that information is included within the
definition of "software" or "technical data" as those terms are
defined in ITAR;
(5) An award of attorney fees pursuant to the Equal Access to Justice
Act, costs and such other relief as the Court deems proper.
Respectfully submitted,
GINO J. SCARSELLI (0062327) KEVIN FRANCIS O'NEILL (0010481)
664 Allison Dr. Professor of Law
Richmond Hts., OH 44143-2904 Cleveland-Marshall College of Law
(216) 291-8601 1801 Euclid Ave.
Cleveland, OH 44115
RAYMOND VASVARI (0055538) (216) 687-2286
1300 Bank One Center
600 Superior Ave. East
Cleveland, OH 44114-2650
(216) 522-1925 Attorneys for the Plaintiff