PHILIP R. KARN, JR ) 7431 Teasdale Avenue ) San Diego, California 92122 ) ) ) Plaintiff ) ) ) v. ) ) ) UNITED STATES DEPARTMENT OF STATE ) etc ) and ) Civil Action No. 95-1812-LFO ) ) UNITED STATES DEPARTMENT OF COMMERCE ) ) and ) ) WILLIAM A. REINSCH UNDERSECRETARY ) BUREAU OF EXPORT ADMINISTRATION ) U.S. DEPARTMENT OF COMMERCE ) )
COMES NOW the plaintiff PHILIP R. KARN, JR. by and through his undersigned counsel of record, and for his causes of action against the named Defendant states the following:
1. Plaintiff PHILIP R. KARN, JR. is a resident of San Diego, California.
2. Defendants, U.S. DEPARTMENT OF COMMERCE and WILLIAM A. REINSCH are charged with, inter alia, the administration of the Export Administration Regulations ("the EAR"), 15 C.F.R. Part 730 et seq. (Subsequent citations to the EAR are with a section designator only.)
3. Defendant U.S. DEPARTMENT OF STATE was, until November 15, 1996, charged with the administration of the Arms Export Control Act 22 U.S.C. 2778 et seq ("the AECA") with respect to encryption commodities, software and technology ("Encryption Items"). Acting under that authority the State Department previously denied Plaintiff permission to export the cryptography source code at issue and is retained as a defendant solely for purposes of any award of attorneys’ fees in this matter. Another prior Defendant, THOMAS E. MCNAMARA, is no longer named or retained as a defendant since his presence is not necessary for complete relief.
4. This is an action for a declaratory judgment pursuant to 28 U.S.C 2201 for the purpose of determining a question of actual controversy between the parties as is herein more fully set forth.
5. Jurisdiction of this action is based on 28 U.S.C. 1331, in that it is a civil action arising under the laws of the United States, and the First and Fifth Amendments to the Constitution of the United States.
6. Venue is proper in this court pursuant to 28 U.S.C. 1391, in that this is a civil action against an officer of the United States, and the decisions, which are the subject of this action, were made within the District of Columbia.
7. The EAR were originally issued under the auspices of the Export Administration Act of 1979 ("the EAA"), 50 U.S.C. App. 2401 et seq. The EAA, which was not intended to be permanent legislation, lapsed on August 20, 1994. Since that date, the President has continued and amended the EAR pursuant to an Executive Order, and extended by notices, under the authority granted to him by the International Emergency Economic Powers Act ("IEEPA"), 50 U.S.C. 1701 et seq.
8. The IEEPA grants the President certain authorities, "that may be exercised to deal with any unusual and extraordinary threat . . . if the President declares a national emergency with respect to such threat." See 50 U.S.C. 1701(a).
9. The authorities granted to the President under IEEPA may only be exercised to deal with "an unusual and extraordinary threat with respect to which a national emergency has been declared . . . and may not be exercised for any other purpose." See 50 U.S.C. 1701(b).
10. The IEEPA expressly does not include the authority to regulate, "directly or indirectly . . . the exportation to any country, whether commercial or otherwise of publications, . . . or any other informational materials . . . ." See 50 U.S.C. 1702(b).
11. On November 15, 1996, the President, pursuant to an Executive Order, transferred the export control jurisdiction for all non-military Encryption Items to the Commerce Department, and the EAR. Previously, export control jurisdiction with respect to such products was under the authority of the Department of State and subject to the International Traffic in Arms Regulations, 22 C.F.R. Subchapter M ("the ITAR").
12. Encryption Items are listed under particular Export Control Classification Numbers ("ECCN") or entries on the Commerce Control List ("the CCL"). (Products listed on the CCL are controlled according to particular reasons, e.g., National Security, each of which had a basis in the EAA.) Encryption software is classified under ECCN 5D002.
13. Encryption software, according to the EAR, is controlled because of its functional capacity and not because of any informational value. See the note in ECCN 5D002.
14. Publicly available technology and software is not under the jurisdiction of the EAR. Publicly available encryption source code, "in electronic form or media (e.g., computer diskette or CD ROM) remains subject to the EAR . . ." However, the Regulations also provide that a "printed book or other printed material setting forth encryption source code is not itself subject to the EAR." See 734.3(b)(3).
15. The EAR requires the prior application to Commerce for a license to export Encryption Items to all destinations except Canada. See 742.15(a). There are exceptions to this general rule for certain mass market and key recovery software.
16. The EAR generally provide that software and technology that are available abroad may be exempt from its licensing requirements following a determination by Commerce. This exemption is not available to Encryption Items. See 768.1(b).
17. Violations of the EAR are punishable by civil and criminal penalties. See 764.3.
18. The ITAR provides procedures for the determination of whether a particular product or technology is subject to its licensing requirements. See 22 C.F.R. 120.4. (Hereafter, all citations to the ITAR are with a section designator only). Under this procedure, upon receipt of a written Commodity Jurisdiction Determination Request (a "Request"), a determination will be made as to whether a particular item is included within its export licensing jurisdiction.
19. Pursuant to 120.4, plaintiff KARN, on February 12, 1994, submitted a Request for a determination on Applied Cryptography a book ("the Book") by Bruce Schneier.
20. The Book was published in this country by John Wiley & Sons, Inc. It is available from most bookstores that carry computer books and has a list price of $44.95. It has sold approximately 20,000 copies worldwide.
21. The Book contains detailed descriptions and instructions on how to use a wide variety of cryptographic algorithms, and explains how computer programmers designing computer applications, networks and storage systems can use cryptography to maintain the privacy and security of computer data.
22. Cryptography is a technique used to protect the security of electronic communications between individuals by scrambling, or encrypting communications, so that the only particular recipients with a "key" to the encrypted communications may decipher them. Cryptographic software programs are created using programming instructions, or source code algorithms. Cryptography has a variety of commercial uses including ensuring the confidentiality of electronic mail, computer software, voice, video and other information in digitized form.
23. Part Five of the Book contains a full-text source code listing for 14 cryptographic algorithms in the C programming language, which were developed by various sources at various times using both private and public sources of funding. A two-disk cryptographic source code set ("the Diskette Set"), which includes all of the same codes printed on page 456 - 570 of Part Five of the Book, is offered for sale on its last page.
24. Binary copies of several of the source code algorithms published in Part Five of the Book are also publicly available over the Internet from anonymous file transfer protocols ("FTP") sites outside the United States.
25. The State Department, on March 2, 1994, concluded that the Book, including the source code in Part Five, was in the "public domain" and that it was within the export control jurisdiction of the Department of Commerce, where it was eligible for export to all destinations without an export license. The State Department ruling expressly did not extend its conclusion to the Diskette Set.
26. On March 9, 1994 plaintiff KARN submitted a second Request as to whether a Diskette ("the Diskette") containing only the source code information, as set out in Part Five of the Book was subject to the export licensing requirements of the ITAR. The only difference between the information contained on the Diskette and Part Five of the Book is the medium that is employed: magnetic pulses on mylar instead of ink characters on paper.
27. The State Department, on May 12, 1994 concluded that the Diskette was subject to the export licensing requirements of the ITAR.
28. Plaintiff KARN appealed this result, through counsel, to senior officials of the Department of State as prescribed by the ITAR. He initially appealed to the Deputy Assistant Secretary of State for Export Controls on June 7, 1994. That official subsequently affirmed the initial ruling on October 7, 1994. He then, through counsel, appealed to the Assistant Secretary for Political Military Affairs on December 5, 1994. That official affirmed the initial ruling on June 13, 1995.
29. Plaintiff KARN subsequently filed suit in this court on September 21 1995. A decision was rendered in which the complaint was dismissed. See Karn v Department of State, 935 F. SUPP 1(DDC 95). An appeal was taken, fully briefed, and scheduled for argument on January 10, 1997.
30. As noted in paragraph 11 above, jurisdiction over the export of Encryption Items was transferred from the Department of State to the Department of Commerce on November 15, 1996. In light of that transfer of jurisdiction and the new legal issues presented, the Court of Appeals on January 21, 1997 remanded the case to this Court, without a decision, for further proceedings.
31. On July 22, 1997, plaintiff KARN, through counsel, submitted a formal Commodity Classification Request to the Department of Commerce. The request asked the Department to confirm his conclusion that the information on the Diskette was not subject to EAR and that it may be placed on a Website in this country for worldwide distribution without special access controls which would limit its distribution to U.S. and Canadian persons. The request noted that identical information had been published and distributed worldwide without control in printed form in the Book. It also stated that identical information is currently available in digital form at several sites on the Internet, where it can be easily obtained by anyone.
32. On August 22, 1997 the Department of Commerce responded to plaintiff KARN’s request for a commodity classification. The Department’s conclusion was that since the Diskette includes encryption software programs and source code:
that are classified as Export Commodity Classification Number ("ECCN") 5D002 on the Commerce Control List ("CCL"), the Diskette as submitted is classified as ECCN5D002 . . .
The Department thus ruled that the information on the Diskette was subject to the EAR, and, therefore, subject to prior export licensing requirements. It did state that three of the software programs on the Diskette were not controlled for export. These programs are MD5, N-HASH and SHS which do not contain encryption functionalities.
33. On September 30, 1997, Plaintiff KARN, through counsel, appealed the classification to the Under Secretary of Commerce for Export Administration.
34. On November 17, 1997, the Under Secretary confirmed the Commodity Classification and denied the appeal.
35. On October 2, 1997, Plaintiff KARN, through counsel, submitted an export license application for authorization for an encryption licensing arrangement (a type of export license) for the information on the Diskette which would enable it to be exported to all countries, except those designated by the Secretary of State as supporters of international terrorism and those which are under embargoes administered by the Office of Foreign Assets Control in the Department of the Treasury. The effect of this request, had it been granted, would have been to make the source codes on the Diskette exportable to the same extent as the Book
36. On November 20, 1997, the Commerce Department advised Plaintiff KARN, through counsel, that it, and various other reviewing departments, had concluded that approval of this export application would be "contrary to the national security interests of the United States."
37. On information and belief, Defendants have previously granted export licenses to another individual for at least two of the algorithms contained on the Diskette. The licenses permit that individual to export the algorithms in digital source code format from a Website in the United States without controls that would limit distribution of those digital source codes to the United States and Canada. Defendants have, by their actions at issue here refused Plaintiff permission to export those same source codes (DES and 3DES) in digital format from a Website in the United States without controls that would limit distribution of those digital source codes to the United States and Canada.
38. The Diskette at issue here cannot be used to encrypt anything. It is not a "device" that "functions" to do anything. It simply stores information in a form that can be "read" by a computer more readily than a printed page. As such, the Diskette is informational material within the meaning of 50 U.S.C. 1702(b)(3) just, as the Book is also informational material within the meaning of that provision.
39. The DES source code, and the triple-DES version of that code, is part of the source code included in the Book. There is an exact equivalence, for the purposes of enabling a computer to encrypt and decrypt the DES source code printed in the Book and that recorded on the Diskette.
40. The source code file in question implements both the DES and its variant commonly known as "triple DES" or "3DES". The latter involves merely executing DES three times with three separate keys to strengthen the algorithm against attack. This is analogous to putting three differently-keyed locks of the same type on a door with all three keys required to open it. Nearly all of the code in the file implements the basic DES; the Triple DES extensions are fairly trivial in that they simply execute the basic DES three times.
41. In order to demonstrate the equivalence, one can photocopy on a standard office photocopier, the 18 pages containing the Triple DES source code listing from Part V of the Book. This step takes approximately five minutes. Second, one can scan in the 18 pages on a McIntosh Quadra 610 computer system equipped with an HP ScanJet II flatbed scanner and OmniPage Professional optical character recognition (OCR) software.
42. The computer scanner and software are all readily available through normal consumer channels. The total scanning process takes about one and one half hours.
43. Approximately one hour of the total one and one half hours that is required is extended learning to use the scanning system and conducting trial runs. The actual "scan" of the 18 pages takes approximately 15 to 20 minutes.
44. Next, one transfers the resulting machine-readable file from the McIntosh to one’s own personal computer and brings it up under GNU-EMACS, a popular and widely available text editing program. In EMACS one compares, by eye, the scanned file displayed on a computer screen against the printed listing in the Book. The scanner’s errors are thereby corrected.
45. After the manual correction of errors noticed through the visual comparison with the Book, the "C" language compiler is invoked on the partially corrected file. The compiler will immediately point out additional errors that had been overlooked in the visual inspection. Within 50 minutes, the file will be compiled completely without error.
46. Next, a test program is used to execute the DES code with the test vectors given at the end of the source code listing. This program takes approximately five minutes to write. Next, one prepares a "driver" program that takes a simple plain text file, encrypts it, displays the encrypted file in hexadecimal and then decrypts it.
47. By using only the Book, a photocopier, a computer scanning system, a text editor and a compiler, and even with printing and scanning errors, one can generate a file containing correct DES encryption codes that is exactly equivalent in every significant way to that stored on the Diskette in the total time of approximately four hours.
48. On information and belief, it takes a skilled secretary less than three hours to type the entire DES source code listing into a computer text file. This is an alternative to the use of OCR software described in Paragraph 41 above. Assuming that it would be necessary to make corrections to that file, on information and belief, it would take less than five hours, starting with the source code listings in the Book to produce the same error-free DES executable file as the one on the Diskette, if the file were produced using manual typing followed by computer compilation.
49. There is, therefore, no significant practical or functional difference between source code listings in the form of printed text and the same listings in the form of a text file on computer-readable media. In either case, the source code cannot be used, by itself, to cause a computer to execute an operating program. Source code must always be compiled by a computer program before it can be used as a functioning program. While the source code file on the Diskette can be so compiled directly, the source code in the Book must first be converted to a digital form. That conversion is a simple process that can be achieved in less than five hours using only a readily available computer and in less than 4 hours using readily available scanning and OCR resources, all of which is available internationally. In the case of the encryption algorithm listing in the Book and on the Diskette, additional programming is required before the cryptographic code has any functionality whatsoever.
50. One of the cryptographic algorithms listed in Part V of the Book, and also on the Diskette, is the Enigma cipher that was used by the Germans in World War II and successfully "broken" by the Allies during the war. Another cipher contained in both the Book and the Diskette is FEAL-8 that was initially broken by Avi Shamir in 1989. The actions of the Defendants have denied Plaintiff permission to export those source codes in digital form on grounds of national security despite the fact that both algorithms are easily broken and thus cannot pose a national security threat.
51. The IDEA code listed in Part V is, on information and belief, in all likelihood, secure against cryptoanalytic attack, even by the National Security Agency. This fact does not, however, mean that export of the IDEA source code on the Diskette poses any threat to our national security. The algorithm itself was developed in Switzerland, and the specific source code is already widely available in foreign countries, both by itself and as part of a freely-available encryption program, Pretty Good Privacy. One version of the algorithm has been printed in Dr. Dobbs’ Journal, a magazine for computer programmers. Source code files that include the IDEA algorithm are also available in digital form from several sites over the Internet.
52. Many of the individual source codes in Part V of the Book are freely available in digital form from Internet sites around the world. Given the widespread public availability of these files in digital form, there is no factual basis for the Executive Branch’s contention that the export of the Diskette in question poses any additional threat to our national security.
53. Computer source code is necessarily and intentionally written in a manner that can be read and understood by human programmers because a primary purpose of source code is to communicate programming concepts to humans, not to machines. As such, source code is pure speech for all purposes under the First Amendment.
54. Plaintiff KARN desires to export the Diskette to fulfill his interest in the dissemination of cryptographic information to other individuals.
55. The application of the EAR to Plaintiff KARN which requires the application for an issuance of the license prior to any export has caused him unusual hardship and irreparable injury, and he has been and is currently being denied the free exercise of constitutional rights as more fully stated below. Plaintiff has no adequate remedy at law for these injuries. Accordingly, he is entitled to declaratory relief.
56. Plaintiff repeats and incorporates, as if set forth fully herein, paragraphs 1 through 55.
57. The actions of Defendants restricting the dissemination of information contained on the Diskette, when that information is identical to the information contained in Part Five of the Book, are arbitrary and capricious, constitute an abuse of discretion and are otherwise not in accordance with the Administrative Procedure Act ("the APA") at 5 U.S.C. 706(2)(A).
58. Plaintiff repeats and incorporates, as if set forth fully herein, paragraphs 1 through 57.
59. The actions of Defendants restricting the dissemination of information contained on the Diskette, when that information is identical to the information contained in Part Five of the Book, are contrary to Plaintiff’s constitutional rights and, therefore, not in accordance with the APA at 5 U.S.C. 706(2)(B).
60. Plaintiff repeats and incorporates, as if set forth fully herein, paragraphs 1 through 59.
61. Defendants’ determination subjecting the Diskette to export licensing controls, when the information it contains is identical to the published text of Part Five of the Book, which was deemed not subject to such export controls, is irrational, arbitrary, and capricious. This arbitrary and capricious determination violates Plaintiff’s Fifth Amendment right to substantive due process.
62. Plaintiff repeats and incorporates, as if set forth fully herein, paragraphs 1 through 61.
63. Defendants’ determination to control the export of the Diskette containing information set forth in Part Five of the Book is a violation of Plaintiff’s fundamental First Amendment right to free speech.
64. Plaintiff repeats and incorporates, as if set forth fully herein, paragraphs 1 through 63.
65. As applied by Defendants, the EAR requires Plaintiff to apply for a prior license to export the Diskette containing information identical to that in Part Five of the Book. Therefore, as applied to Plaintiff in this instance, this licensing requirement operates as a prior restraint on Plaintiff’s disclosure of ideas and information in violation of his First Amendment rights to free speech.
66. Plaintiff repeats and incorporates, as if set forth fully herein, paragraphs 1 through 65.
67. The actions of Defendants, which require prior application and receipt of an export license for the information contained on the Diskette, when copies of several of the source code algorithms are already publicly available from FTP sites outside the United States, are arbitrary and capricious and violate Plaintiff’s Fifth Amendment right to substantive due process.
68. Plaintiff repeats and incorporates, as if set forth fully herein, paragraphs 1 through 67.
69. Defendants’ denial of Plaintiff’s export license application for the information on the Diskette, when at least two of the algorithms thereon have been previously licensed by Commerce for export in digital format, is arbitrary and capricious and in violation of Plaintiff’s Fifth Amendment right to substantive due process and equal protection under the law.
70. Plaintiff repeats and incorporates, as if set forth fully herein, paragraphs 1 through 69.
71. Defendants’ implementation of the EAR, under the auspices of the IEEPA, for a period of more than three years is not authorized by that statute and lacks a lawful authorization in violation of the APA at 5 U.S.C. 706(2)(C).
72. Plaintiff repeats and incorporates, as if set forth fully herein, paragraphs 1 through 71.
73. Defendants’ regulation of the export of the information on the Diskette, when the same information is available for unrestricted export in the Book, is not consistent with the prohibition in IEEPA against controls on the exports of informational materials (see 50 U.S.C. 1702(b)(3)) and is therefore inconsistent with the APA at 5 U.S.C. 706(2)(C).
74. WHEREFORE, Plaintiff KARN prays for judgment against Defendants, U.S. DEPARTMENT OF COMMERCE AND REINSCH, as follows:
A. Declaring that the provisions of the EAR, as applied to Plaintiff KARN, be declared null and void, of no effect, as unconstitutional under the Fifth and First Amendments;
B. Declaring that the determination to subject the Diskette to the export licensing controls of the EAR is unlawful in violation of the APA at 5 U.S.C. 706(2)(A), (B) & (C):
And for judgment against all Defendants
C. For attorneys’ fees incurred herein;
D. For costs of the action incurred herein; and
E. For such other and further relief as the court deems
just and proper.
Kenneth C. Bass, III
D.C. Bar #: 52985
Venable, Baetjer, Howard & Civiletti, LLP
1201 New York Avenue, N.W.
Washington, D.C. 20005
Thomas J. Cooper
D.C. Bar #: 213215
Venable, Baetjer, Howard & Civiletti, LLP
1201 New York Avenue, N.W.
Washington, D.C. 20005
Counsel for Plaintiff
Date: January 16, 1998
Back to the Case History
Back to Phil Karn's Export Control Page
Back to Phil Karn's Home Page