FRANK W. HUNGER
Assistant Attorney General

ERIC H. HOLDER, Jr.
United States Attorney

DOUGLAS N. LETTER
SCOTT R. McINTOSH
Attorneys, Appellate Staff
Room 3127, Civil Division
Department of Justice
950 Pennsylvania Ave. N.W.
Washington D.C. 20530
(202) 514-4052

AECA Arms Export Control Act, 22 U.S.C. §§ 2751 et seq.

APA Administrative Procedure Act

CCL Commodity Control List, 15 C.F.R. Part 799

CJ Commodity Jurisdiction

EAR Export Administration Regulations, 15 C.F.R. Parts 768-799

ITAR International Traffic in Arms Regulations, 22 C.F.R. Parts 120-130

NSA National Security Agency

OCR Optical character recognition

ODTC Office of Defense Trade Controls, Bureau of Politico- Military Affairs, Department of State

OLC Office of Legal Counsel, Department of Justice

SIGINT Signals intelligence

USML United States Munitions List, 22 C.F.R. Part 121

1. This is an action against the Department of State for a declaratory judgment based on claims arising under the First and Fifth Amendments and the Administrative Procedure Act. The jurisdiction of the district court was asserted under 28 U.S.C. § 1331.

2. The plaintiff is appealing from a final judgment that disposed of all claims with respect to all parties. The appeal is within this Court's appellate jurisdiction under 28 U.S.C. § 1291. The notice of appeal was filed within the time allowed by Rule 4 of the Federal Rules of Appellate Procedure.

The Arms Export Control Act ("AECA") prohibits the export of "defense articles" without a license. The International Traffic in Arms Regulations ("ITAR") classifies cryptographic products as defense articles. The issues presented are:

1. Whether the AECA precludes judicial review of an APA challenge to the government's determination that a computer diskette containing cryptographic source code is a defense article.

2. Whether the classification of the diskette as a defense article violates the Due Process Clause of the Fifth Amendment.

3. Whether the classification of cryptographic products as defense articles under the ITAR violates the First Amendment as applied to cryptographic source code.

22 C.F.R. Parts 120 and 121 are set forth in the addendum to this brief. All other pertinent statutes and regulations are set forth in the brief for the appellant.

I. NATURE OF CASE AND PROCEEDINGS BELOW

This case involves a controversy over the export of cryptographic software. The plaintiff wishes to export a computer diskette containing source code for cryptographic software that can encode messages and other information. The Department of State, acting in response to an inquiry from the plaintiff, has determined that the computer diskette is a "defense article" under the International Traffic in Arms Regulations and therefore may not be exported without a license under the Arms Export Control Act.

Following this administrative determination, the plaintiff brought suit against the Department of State. The plaintiff asserted that the classification of the computer diskette as a defense article is arbitrary and capricious and therefore invalid under the APA. The plaintiff further asserted that the application of the ITAR to the computer diskette violates his constitutional rights under the First Amendment and the Due Process Clause of the Fifth Amendment. The district court, acting on a motion by the government, dismissed the plaintiff's APA claim on the ground that judicial review is precluded under the AECA, and entered summary judgment in favor of the government on the plaintiff's constitutional claims.

II. STATEMENT OF FACTS

A. Statutory And Regulatory Background

1. The Arms Export Control Act (AECA) And The International Traffic In Arms Regulations (ITAR)

The Arms Export Control Act, 22 U.S.C. §§ 2751 et seq., regulates the export of "defense articles" and "defense services" from the United States to other nations. Section 38 of the AECA, 22 U.S.C. § 2778, authorizes the President to control the export of defense articles and services "[i]n furtherance of world peace and the security and foreign policy of the United States." Id. § 2778(a)(1). As a general matter, any person who wishes to export a defense article or service must obtain a license to do so. Id. § 2778(b)(2). The export of defense articles or services without a license is prohibited. Id. §§ 2778(b)(2), 2778(c).

The AECA does not undertake to define "defense articles" or "defense services." Instead, the AECA authorizes the President to "designate th[e] items which shall be considered as defense articles and defense services * * * and to promulgate regulations for the import and export of such articles and services." 22 U.S.C. § 2778(a)(1). The President has delegated this authority to the Secretary of State, who in turn has redelegated it to the Under Secretary for Arms Control and International Security. See 22 C.F.R. 120.1(a).

The AECA's restrictions on the export of defense articles and services are implemented through the International Traffic in Arms Regulations, 22 C.F.R. Parts 120-130. At the heart of the ITAR is the United States Munitions List ("USML"), which identifies the items that are designated as defense articles and services for purposes of the AECA and the ITAR. See 22 C.F.R. Part 121. The USML comprises eighteen general categories, such as firearms (Category I), tanks and military vehicles (Category VII), and military electronics (Category XI), and a final catch-all category (Category XXI).

In addition to regulating defense articles, the USML also regulates any directly related "technical data" (see, e.g., 22 C.F.R. § 121.1, Category I(d)). As a general matter, "technical data" is defined in the ITAR as information "required for the design[,] development, production, manufacture, assembly, operation, repair, testing, maintenance or modification" of defense articles. 22 C.F.R. § 120.10(a)(1). The definition of "technical data" excludes information "in the public domain," meaning information that is "published and * * * is generally accessible or available to the public" through, inter alia, libraries, bookstores, or mail subscriptions. Id. §§ 120.10(a)(5), 120.11.

The ITAR is administered primarily by the Director of the Office of Defense Trade Controls ("ODTC"), an office within the Department of State's Bureau of Politico-Military Affairs. 22 C.F.R. § 120.1(a). One of the functions performed by the ODTC is to assist private parties in determining whether a particular article or service is covered by the USML. The ODTC carries out this function by issuing "commodity jurisdiction" ("CJ") determinations. Id. § 120.4(a). A person may obtain a CJ determination by submitting a written request that identifies the article or service in question and describes its "design, development and use." Id. § 120.4(c). If the ODTC determines that the article or service is covered by the USML, the person may obtain administrative review of the CJ determination within the Department of State. See Lowell Dec. ¶ 4.

A determination that an item is covered by the USML does not mean that the export of the item is prohibited. Instead, it means only that the person must obtain an export license under the AECA and the ITAR. See 22 C.F.R. Parts 123-25 (license procedures). Many defense articles and services are currently exported around the world pursuant to licenses issued by the ODTC. Lowell Dec. ¶ 5. Licensing decisions may take into account a combination of factors, including the identity of the end-user, the declared end-use of the commodity, and foreign policy and national security interests. Ibid.

2. Encryption Products As "Defense Articles"

Under The AECA And The ITAR

The national security of the United States depends in part on the ability of the government to obtain timely information about the activities and plans of potentially hostile foreign governments and groups abroad. The United States therefore uses a variety of means to monitor and intercept communications by foreign intelligence targets. Among other things, the United States engages in signals intelligence ("SIGINT"), the collection and analysis of information from foreign electromagnetic signals. Crowell Dec. ¶¶ 3-4.

Primary responsibility for the government's SIGINT activities belongs to the National Security Agency ("NSA"). Crowell Dec. ¶ 3. Based on information derived from its SIGINT activities, the NSA provides information on a rapid-response basis to military commanders, national policymakers, and other entities in the federal government. Id. ¶ 4. This information has proven to be highly reliable and essential to the national defense, national security, and the conduct of foreign affairs. Ibid.

The ability of the United States to make use of intercepted communications is complicated by the use of encryption. Encryption is the process of converting a message from its original form (known as "plaintext") into an encoded form (known as "ciphertext") that cannot be deciphered by persons other than the message's sender and its intended recipients. Crowell Dec. ¶ 4. Modern encryption technology rests on the use of cryptographic algorithms, mathematical functions or equations that are applied to transform plaintext into ciphertext. Joint Statement ¶ 15; Crowell Dec. ¶ 7. Cryptographic algorithms can be used in the design of mechanical devices, like the famed "Enigma" machine used by Germany during the Second World War, or electronic circuitry. Cryptographic algorithms also can be incorporated into computer software, thereby enabling general-purpose computers to encrypt and decrypt electronic messages.

Encryption has long been a tool in the conduct of military and foreign affairs. See, e.g., David Kahn, The Code Breakers: The Story of Secret Writing (1967). Today, many foreign intelligence targets use encryption in an effort to maintain the secrecy of their communications. Crowell Dec. ¶ 4. For this reason, one of the NSA's principal SIGINT activities is cryptanalysis, the science of "reading" ciphertext without having access to the key that was used to encrypt the message. Crowell Dec. ¶¶ 4, 6 n.2. How readily ciphertext can be read through cryptanalysis depends, in large part, on the strength of the particular cryptographic algorithm used to encode the plaintext. The stronger the algorithm, the greater the odds that the ciphertext cannot be read at all or that the process of deciphering the message will take prohibitive amounts of time and effort.

Because encryption can be used by foreign intelligence targets to deny the United States access to information vital to our national security interests, cryptographic products are classified as defense articles in the USML. Category XIII(b) of the USML generally covers "cryptographic devices, software, and components specifically designed or modified therefor * * * ." Category XIII(b) encompasses several subcategories of cryptographic products. The one at issue in this case is Category XIII(b)(1): "[c]ryptographic (including key management) systems, equipment, assemblies, modules, integrated circuits, components or software with the capability of maintaining secrecy or confidentiality of information or information systems."

The USML contains a number of specific exceptions to the general classification of encryption products as defense articles. See 22 C.F.R. § 121.1, Category XIII(b)(1)(i)-(ix). In addition, specific types of mass-market encryption software may be transferred from the USML to the Commodity Control List ("CCL"), a separate export licensing system for "dual use" technology administered by the Department of Commerce under the Export Administration Regulations ("EAR"). Id. Category XIII(b)(1) Note; Lowell Dec. ¶ 8 and Tab 3; see 15 C.F.R. Part 799 (CCL).1

B. The Present Controversy

1. Karn's CJ Requests

This case involves a controversy over the export of cryptographic "source code." Source code is a set of instructions to a computer, written in a human-readable programming language such as "C" or BASIC. See Joint Statement ¶ 16. Source code can be converted by another computer program, called a compiler, into "object code," a set of instructions in binary form ("zeroes" and "ones") that can be directly executed by a computer. Id. ¶ 17. Cryptographic source code instructs a computer how to execute a cryptographic algorithm that will transform plaintext into ciphertext. Id. ¶ 15.

In February 1994, a software engineer named Philip Karn submitted a commodity jurisdiction request for a book by Bruce Schneier titled Applied Cryptography. Joint Statement ¶ 1; Karn Dec. ¶ 2. Applied Cryptography (Karn Ex. 1) covers a variety of cryptographic algorithms and programming techniques. Part Five of the book contains printed source code implementing a number of cryptographic algorithms. Ibid.

The ODTC informed Karn that the book, which has been published in the United States and is widely available, is not subject to the Department of State's licensing jurisdiction under the ITAR because it is in the public domain (see p. 5 supra). Joint Statement ¶ 4; Lowell Dec. Tab 5. However the ODTC stated that its jurisdictional determination did not extend to two computer diskettes that are referenced in the book and are available from the author. Ibid.

Shortly thereafter, in March 1994, Karn submitted a second CJ request. The second request concerns a computer diskette containing the cryptographic source code printed in Part Five of Applied Cryptography. Joint Statement ¶ 5. Karn told the ODTC that the diskette "contains source code for encryption software that provides data confidentiality." Lowell Dec. Tab 6. Karn further stated that "[t]he software on this diskette is provided for those who wish to incorporate encryption into their software." Ibid.

The ODTC informed Karn that the diskette falls within Category XIII(b)(1) of the USML (see p. 8 supra) and therefore is subject to the licensing jurisdiction of the Department of State under the ITAR. Joint Statement ¶ 8; Lowell Dec. ¶ 15 and Tab 9. Karn sought administrative review of the ODTC's CJ determination, appealing first to the Deputy Assistant Secretary of State for Export Controls, then to the Assistant Secretary of State for Political-Military Affairs. Both officials sustained the CJ determination. Joint Statement ¶¶ 9-12; Lowell Dec. ¶¶ 16, 18, 19, 22 and Tab 10-12, 14. They informed Karn, inter alia, that cryptographic software is not treated as "technical data" under the ITAR (see 22 C.F.R. §§ 120.10(a)(4) and 121.8(f)), but instead is itself a defense article, making the public domain exception to the definition of "technical data" inapplicable. Lowell Dec. Tab 11, 14.

2. Karn's Suit

Following the completion of the CJ process, Karn chose not to apply for a export license under the ITAR. Instead, Karn filed a complaint for declaratory relief against the Department of State. In his complaint, Karn asserted that the Department's CJ determination regarding the diskette is arbitrary and capricious and hence invalid under the APA. In the same vein, Karn asserted that the CJ determination lacks a rational basis and therefore violates the Due Process Clause of the Fifth Amendment. Finally, Karn asserted that the application of the ITAR licensing requirements to cryptographic source code violates the First Amendment.

The government moved to dismiss the complaint or for summary judgment. The district court granted the motion to dismiss with respect to Karn's APA claim and entered summary judgment in favor of the government with respect to Karn's constitutional claims.

The district court first held that judicial review of Karn's non-constitutional APA claim is precluded, both expressly and impliedly, by the Arms Export Control Act. Opinion 10-20. The court then held that Karn's constitutional claims, while not barred from judicial review by the AECA, are without merit. Id. at 20-36. With respect to the First Amendment, the court held that the application of the inclusion of cryptographic source code as a defense article under the ITAR satisfies the requirements of United States v. O'Brien, 391 U.S. 367 (1968). Id. at 23-31. With respect to the Due Process Clause, the court held that the government had a rational basis both for the general decision to regulate the export of cryptographic software and for the specific decision to require a license for the export of Karn's diskette. Id. at 33-36. The district court's decision on each of these issues is subject to de novo review on appeal.

Karn possesses a computer diskette containing source code for a number of cryptographic algorithms. It is undisputed that if the diskette were exported, it could be used to maintain the confidentiality of electronic communications. For that reason, the diskette comes squarely within the terms of Category XIII(b)(1) of the USML. Nonetheless, Karn asserts that the government is obligated, both as a matter of administrative law and constitutional law, to allow the unlicensed and unrestricted export of the diskette, regardless of the identity of the recipient of the diskette or the uses to which the diskette's encryption capabilities will be put. The district court rightly rejected this submission.

1. Karn argues that it is irrational for the government to draw a regulatory distinction between a computer diskette containing cryptographic source code in computer-ready form and a publication containing cryptographic source code in printed form. To the extent that this argument is a garden-variety APA challenge to the government's actions, judicial review is precluded. Decisions about what items should be regulated as defense articles under the ITAR involve technical, political, and military judgments relating to national security that do not lend themselves to judicial oversight. As the district court recognized, both the text and the structure of the AECA preclude courts from interposing themselves in this decisionmaking process.

2. Karn attempts to circumvent this obstacle by recasting his claim as a constitutional challenge under the Due Process Clause. However, Karn fails to come to terms with the severely limited scope of substantive due process review. Under settled precedents of the Supreme Court and this Court, the government is entitled to prevail as long as its actions bear a rational relationship to a legitimate purpose, and the government may rely on any reasonably conceivable state of facts to provide a rational basis for its actions. Moreover, the rationality of the government's actions is not subject to courtroom factfinding and may not be "disproved" by a plaintiff's evidentiary submissions.

There is a manifestly rational basis for the government's actions in this case. As Karn himself inadvertently demonstrated below, a diskette containing source code in computer-ready form provides a materially easier and more reliable basis for performing encryption than does a printed book or periodical containing the same source code. Accordingly, the unrestricted export of computer diskettes containing cryptographic source code poses a greater risk to the government's SIGINT capabilities than does the export of published materials. For that reason, even if it is assumed that technological developments like OCR scanning might provide a basis for regulating the export of printed cryptographic source code, the government's failure to take that additional step does not make its treatment of cryptographic diskettes as defense articles irrational for due process purposes.

3. Karn also contends that the First Amendment precludes the government from regulating the export of cryptographic source code. This argument is wholly without merit. Cryptographic source code is regulated as a defense article under the ITAR because of its functional capability to maintain data confidentiality, not because of any informational value that it may be claimed to have in a particular case. Because the government's reasons for regulating the export of cryptographic source code are entirely unrelated to the suppression of any ideas that may be reflected in the source code, Karn's First Amendment challenge is governed by the standards of United States v. O'Brien, 391 U.S. 367 (1968). The district court properly concluded that the treatment of cryptographic source code as a defense article passes muster under O'Brien test, and Karn makes virtually no effort to dispute that conclusion.

Category XIII(b)(1) of the USML classifies cryptographic products with "the capability of maintaining secrecy or confidentiality of information" as defense articles for purposes of the Arms Export Control Act and the ITAR. Karn does not dispute that the cryptographic source code on his diskette has, in the language of Category XIII(b)(1), "the capability of maintaining secrecy or confidentiality of information." Indeed, Karn himself informed the Department of State that the diskette "contains source code for encryption software that provides data confidentiality" and that the source code "is provided for those who wish to incorporate encryption into their software." Lowell Dec. Tab 6. Nevertheless, Karn asserts that the Department of State's designation of his computer diskette as a defense article was arbitrary and capricious and therefore invalid under the Administrative Procedure Act.

The district court held that the Arms Export Control Act precludes judicial review of Karn's APA claim. Opinion 10-20. As a textual matter, the district court's holding rests on Section 38(h) of the AECA, 22 U.S.C. § 2278(h). Section 38(h) provides that:

The designation by the President (or by an official to whom the President's functions under subsection (a) of this section [22 U.S.C. § 2778(a)] have been duly delegated), in regulations issued under this section, of items as defense articles or defense services for purposes of this section shall not be subject to judicial review.

Karn concedes that Section 38(h) precludes courts from reviewing decisions of the Department of State, acting on behalf of the President, regarding what categories of articles and services should be placed on the USML. However, he argues (Brief 42-47) that Section 38(h) does not foreclose judicial review of the APA claim in this case, which challenges the Department's determination that Karn's diskette constitutes a defense article under Category XIII(b)(1) of the USML. The district court correctly rejected that argument.

Karn's APA claim, like his due process claim, rests principally on the theory that it does not make sense for the Department of State to draw a regulatory distinction under the ITAR between a computer diskette containing cryptographic source code and a printed publication containing the same source code (see pp. 23-24 infra). This is nothing more than an argument that the Department of State, acting in consultation with the Department of Defense, has drawn the boundaries of the USML in the wrong place. That is precisely the kind of claim that Section 38(h) places outside the purview of the judicial process.2 Cf. United States v. Martinez, 904 F.2d 601 (11th Cir. 1990) (refusing, on political question grounds, to review claim that earlier version of Category XIII(b) of the USML was "overbroad" because it allegedly included items "whose dissemination would pose no security threat").

It is hardly surprising that Congress chose to preclude judicial review of decisions whether or not to designate items as defense articles. Under the express terms of the AECA, the President's decisions in this regard are to be guided solely by whether designation of an item as a defense article would "further[] * * * world peace and the security and foreign policy of the United States." 22 U.S.C. § 2778(a). Therefore, decisions by the Executive Branch regarding the export of defense articles involve technical, political, and military judgments relating to national security that do not lend themselves to judicial oversight. "[I]t is not reasonably possible for an outside nonexpert body to review the substance of such a judgment and to decide whether the agency should have been able to make the necessary [determination] with confidence. Nor can such a body determine what constitutes an acceptable margin of error in assessing the potential risk." Department of Navy v. Egan, 484 U.S. 518, 529 (1988).

Accordingly, courts will not second-guess the Executive Branch's national security decisions "unless Congress specifically has provided otherwise." Id. at 530. Under the AECA there is, of course, no specific provision for judicial review of defense-article determinations. To the contrary, Section 38(h) of the AECA specifically precludes such review. Moreover, even if Congress had not specifically precluded such review, it is hard to see how the courts could find any "law to apply" in order to review decisions under Section 38. The standard for the Executive Branch's decision -- whether regulation of the export of an item would "further[] * * * world peace and the security and foreign policy of the United States" -- "fairly exudes deference to the [President], and appears * * * to foreclose the application of any meaningful judicial standard of review." Webster v. Doe, 486 U.S. 592, 600 (1988); see also United States Information Agency v. Krc, 905 F.2d 389, 396 (D.C. Cir. 1990).

Karn suggests that these considerations do not apply when a litigant challenges a CJ determination. But that is not the case. Determining whether a particular item possesses the characteristics that render it a defense article may well call for the same kinds of technical and military judgments that inform the underlying choice of the categories of items to be included in the USML. Moreover, as the district court recognized, the commodity jurisdiction process is an integral part of the more general enterprise of regulating the export of defense articles and services under the AECA and the ITAR. Opinion 13-14. A determination that a particular item constitutes (or does not constitute) a defense article is, in practical terms, an elaboration of the terms of the USML itself. Thus, the distinction that Karn seeks to draw between the selection of articles for the USML and the determination of a particular item's status under the USML is a fundamentally artificial one. The district court was therefore correct to conclude that Karn's APA claim is not subject to judicial review.3

A. The Standards Governing Karn's Due Process Claim

Karn argues that the designation of his computer diskette as a defense article under the ITAR violates not only the APA but also the Due Process Clause of the Fifth Amendment. Karn argues that, as a general matter, the government lacks a rational basis for distinguishing between a diskette containing cryptographic source code (like the one covered by Karn's second CJ request) and a book containing the same source code in printed form (like the one in Karn's first CJ request). In addition, Karn argues that it is irrational to designate the particular diskette in this case as a defense article because the same source code is available overseas via the Internet. Karn asserts that the government's actions here are facially invalid under the Due Process Clause or, in the alternative, that the district court should have held a trial to resolve supposed factual disputes concerning the rationality of the lines drawn by the government.

Karn acknowledges (Brief 14) that his due process claim is subject to review under a "rational basis" standard. However, his challenge to the government's regulatory treatment of his diskette reflects a basic misunderstanding of what rational basis review actually entails.

Rational basis review "'is not a license for courts to judge the wisdom, fairness, or logic'" of governmental policies. Heller v. Doe, 509 U.S. 312, 319 (1993). The sole question before a court is whether the challenged government action bears a rational relationship to a legitimate governmental purpose. PBGC v. R.A. Gray & Co., 467 U.S. 717, 729 (1984); Usery v. Turner Elkhorn Mining Co., 428 U.S. 1, 15-16 (1976). Under rational basis review, "a classification must be upheld * * * 'if there is any reasonably conceivable state of facts that could provide a rational basis for the classification.'" Heller, 509 U.S. at 320. This standard "does not apply merely to congressional * * * legislative schemes, but extends to administrative regulatory action as well * * * ." Steffan v. Perry, 41 F.3d 677, 684-85 (D.C. Cir. 1994).

The rationality of the government's actions "is not subject to courtroom factfinding and may be based on rational speculation unsupported by evidence or empirical data." FCC v. Beach Communications, Inc., 508 U.S. 307, 315 (1993); Steffan, 41 F.3d at 289. Accordingly, "[t]he government * * * 'has no obligation to produce evidence to sustain the rationality of a [regulatory] classification.'" Steffan, 41 F.3d at 288 (quoting Heller, 509 U.S. at 320). Conversely, a plaintiff cannot prevail by offering to "prove," as a factual matter, that the assumptions underlying the government's actions are incorrect. "Outside of the realm of 'heightened scrutiny' there is * * * never a role for evidentiary proceedings." National Paint & Coatings Ass'n v. City of Chicago, 45 F.3d 1124, 1127 (7th Cir.), cert. denied, 115 S. Ct. 2579 (1995). Under rational basis review, "to say that * * * a [factual] dispute exists -- indeed, to say that one may be imagined -- is to require a decision for the [government]." Ibid. (emphasis in original).

If the lines drawn by a regulatory scheme are rational as a general matter, a plaintiff cannot establish a due process violation by attempting to show that the assumptions underlying the law fail in the particular circumstances of the plaintiff's own case. For purposes of rational basis review, "[t]hat there may be exceptions to the assumption[s] on which the regulation is premised is irrelevant, * * * so long as the classification (the regulation) in the run of cases serves its purpose * * * ." Steffan, 41 F.3d at 286. Thus, an argument that a regulatory scheme is irrational as applied to an individual plaintiff

cannot sustain a substantive due process challenge. Just because a measure is over- or under-inclusive will not render it irrational. * * * A fifteen-year-old cannot successfully challenge a minimum age requirement of sixteen for driving on the basis that she would be a great driver even though most individuals of that age would not.

Lindsey Coal Mining Co. v. Chater, 90 F.3d 688, 694-95 (3d Cir. 1996).

Karn's disregard for these standards is most obvious in his repeated criticism of the district court for failing to hold a fact-finding "minitrial" (e.g., Brief 18-20). Karn claims that there is a factual dispute regarding the "functional difference" between a diskette containing cryptographic source code and a book containing the same code, and he argues that the district court erred in ruling for the government in the absence of "evidentiary submissions" supporting the proffered rationales for the government's actions (Brief 19). As we show below, the real dispute between the parties here does not involve the facts, but rather the legal significance of the facts. More fundamentally, however, the rationality of the regulatory distinctions applied by the government in this case simply "is not subject to courtroom factfinding" (Beach Communications, 508 U.S. at 315), and "[t]he government * * * 'has no obligation to produce evidence to sustain the rationality'" of its regulatory scheme. Steffan, 41 F.3d at 288.

Strict attention to these constitutional standards is especially important in light of the nearly complete overlap between Karn's due process claim and his APA claim. The due process claim rests on the same objections to the "rationality" of the government's actions that underlie the APA claim. But Karn cannot circumvent the bar on judicial review of non-constitutional claims (see pp. 14-18 supra) simply by dressing up his APA claim in constitutional garb. See, e.g., Czerkies v. Department of Labor, 73 F.3d 1435, 1439, 1443 (7th Cir. 1996) (en banc). Karn's due process claim is cognizable only to the extent that it transcends the confines of "garden-variety [APA] claim[s]" (Czerkies, 73 F.3d at 1443) and demonstrates defects of constitutional magnitude. As we now show, Karn falls far short of making such a showing.

B. The Government Has A Rational Basis For Designating A Diskette Containing Cryptographic Source Code As A Defense Article

1. The general rationale for subjecting cryptographic software to the ITAR's export licensing requirements is both obvious and compelling: to protect vital foreign intelligence-gathering capabilities of the United States. This rationale applies with full force to cryptographic software in the form of source code. As the district court pointed out, cryptographic source code "constitute[s] the 'engine' for a cryptographic device." Opinion 19. As explained above, cryptographic source code can be used to encrypt messages by placing the source code in a computer and converting it, through a largely automated process, into cryptographic "object code" that can be executed directly by the computer (see p. 9 supra). If cryptographic source code were not included in the USML, the result would be a major gap in the ITAR's regulation of cryptographic products and a corresponding threat to the government's SIGINT capabilities.

Karn's diskette well illustrates these considerations. The diskette contains source code for cryptographic algorithms that are designed to maintain the secrecy of information. Crowell Dec. ¶ 8. As the government demonstrated below, a foreign recipient of Karn's diskette can use it to encrypt messages through a short series of steps. Briefly, the user inserts the diskette into a computer, adds simple "input/output" routines to the source code, then compiles the source code into object code. Crowell Dec. ¶¶ 11-13. Once these steps are completed, the recipient can use the software to convert plaintext into ciphertext. Id. ¶ 14. The diskette thus has a demonstrable "capability of maintaining secrecy or confidentiality of information" (Category XIII(b)(1)). It is for this reason that Karn's diskette has been designated as a defense article for purposes of the ITAR.

For purposes of his due process claim, Karn does not directly question the rationality of applying the ITAR to cryptographic source code, nor does he dispute that his own diskette can be used to carry out cryptographic functions on a computer.4 Instead, he argues that there is no rational basis for the government to treat diskettes containing cryptographic source code as defense articles while not imposing the same regulatory requirements on publications that contain cryptographic source code in printed form. Karn asserts that there is "no functional difference of any significance" (Brief 14) between a diskette containing cryptographic source code and a book or magazine that reproduces the same source code. He premises this argument on the fact that it is possible to convert printed source code into a form that can be used by a computer, either by manually typing the contents of the source code into the computer or by using a "scanner" with optical character recognition ("OCR") capabilities.

The government does not dispute Karn's factual premise that it is feasible to use OCR technology (or typing) to transform printed source code into a non-printed form that can be used by a computer. But it simply does not follow that the government lacks a rational basis for distinguishing between a diskette, which contains cryptographic source code in computer-ready form, and a book or magazine containing source code listings, which require additional processing by the recipient before they can be used for encryption purposes. Simply stated, widespread use of strong cryptographic software abroad is more likely to result from the export of cryptographic source code on diskettes than from the export of the same source code in printed form.

The point is not simply that converting printed source code into computer-ready form takes additional time and effort, although that is certainly one relevant consideration. More important, the process of copying printed source code, whether through the use of OCR technology or through typing, tends to introduce numerous errors into the code. See Crowell Dec. ¶ 16. The user cannot produce a functioning encryption program until and unless all errors that arise through this process can be identified and corrected. Ibid. Moreover, the printed source code itself may contain typographical and other errors, which likewise must be discovered and corrected. If there is any doubt about whether the printed source code is error-free, verifying the accuracy of the source code once scanned requires the expertise of someone familiar with the particular source code language and the fundamentals of cryptography. Id. ¶ 17.

Karn's own declaration in this case provides a graphic illustration of the obstacles posed by the use of printed source code. As a demonstration, Karn scanned printed source code from Part Five of the Applied Cryptography book with an OCR scanner. The scanner made "many errors, such as mistaking the digit '0' for the letter 'O' or mistaking the vertical bar '|' for the letter 'I'," which Karn had to correct manually by comparing the scanned output with the printed version. Karn Dec. ¶ 5. After correcting the errors that he uncovered through this process, Karn attempted to compile the source code into object code, but the compiler "pointed out additional errors I had overlooked in my visual inspection * * * ." Id. ¶ 6. In the course of reviewing the printed source code, Karn "also noticed several errors in the [source code] listing in the Book." Id. ¶ 6. Karn then compiled and tested the program, but "the test did not succeed, meaning that at least one error went undetected by the compiler in either the code as printed in the Book or as scanned." Id. ¶ 7. After examining the code further, Karn found and corrected another error in the printed source code, but "it still did not produce correct results." Ibid. Only after another hour of searching was Karn finally able to locate and correct the error and produce executable object code. Ibid. Karn, it should be noted, is a software engineer with considerable cryptographic expertise, who assisted in the editing of Applied Cryptography and contributed source code to the book. Id. ¶ 2; Karn Ex. 1 (p. xviii).

Karn's recital confirms the government's basic point here: a computer-ready, error-free diskette provides a substantially easier and more reliable basis for performing encryption on a computer than does a book or a magazine. It is therefore materially less likely that individuals and entities abroad -- few of whom have Karn's cryptographic expertise -- will use a book or magazine containing cryptographic source code for such purposes. The government therefore has a rational basis for believing that the unrestricted export of cryptographic source code on computer diskettes poses a greater risk to the government's SIGINT capabilities than does the corresponding export of published materials. As noted above, regulatory distinctions drawn by an agency "must be upheld" under rational basis review "if there is any reasonable conceivable state of facts that could provide a rational basis" for them. Beach Communications, 508 U.S. at 313. That is manifestly the case here.

We do not mean to suggest that Karn's comments about the potential use of OCR scanning technology are entirely without regulatory significance. For example, as OCR scanning technology improves, the government may find it appropriate to reconsider the status of printed cryptographic source code for purposes of export licensing. But that possibility does not affect the underlying rationality of the Department of State's treatment of cryptographic source code in computer-ready form (i.e., diskettes) as a defense article.

2. Karn also attacks the rationality of the government's actions on another ground, one that is particular to the circumstances of Karn's own case. He alleges (Brief 18) that the contents of his diskette are available electronically to Internet users from a foreign Internet computer site. Under this circumstance, he argues that the export of his diskette could not possibly cause any additional harm to the national security, and hence that it is irrational to require a license for its export.

There are two problems with this argument. First, it "fundamentally misapprehend[s] the substantive due process guarantee." Lindsey Coal, 90 F.3d at 694. As this Court has held, if a regulatory classification serves its purpose "in the run of cases," it is irrelevant for purposes of rational basis review whether the assumptions on which it rests fail to apply in a particular case. Steffan, 41 F.3d at 286. Karn is simply arguing that, to the extent that Category XIII(b)(1) of the USML includes his diskette, the availability of the same source code on the Internet makes the regulation overinclusive. But "[j]ust because a measure is over- or under-inclusive will not render it irrational." Lindsey Coal, 41 F.3d at 694-95; accord, Steffan, 41 F.3d at 687. As the Supreme Court has made clear, "courts are compelled under rational-basis review to accept [the government's] generalizations even when there is an imperfect fit between means and ends. A classification does not fail rational-basis review because it 'is not made with mathematical nicety * * * .'" Heller, 509 U.S. at 321.

Second, even if a rational basis challenge could properly be grounded in the circumstances of an individual case, the government had a rational basis in this case for requiring Karn to obtain a license under the ITAR before exporting his diskette. It is rational for the government to regulate on the assumption that unrestricted export of Karn's diskette will result in wider distribution of the source code than the Internet has brought about. For one thing, a diskette can be sent to persons who do not have access to the Internet and who therefore cannot download source code from an Internet computer site. In addition, it is rational to assume that at least some foreign users would be more likely to use encryption source code coming directly from a reliable source such as Karn, rather than depending on source code on a publicly accessible Internet site whose contents might be feared to have been inadvertently or intentionally altered. The very fact that Karn anticipates foreign demand for his diskette, despite the availability of the same source code on the Internet, shows the rationality of that assumption. In short, at a minimum, "there is a[] reasonably conceivable state of facts" (Beach Communications, 508 U.S. at 313) that supports applying the ITAR's licensing provisions to Karn's diskette.5

C. The "Public Domain" Exception To The ITAR's Definition Of "Technical Data" Does Not Apply To Karn's Diskette

Elsewhere in his brief (37-42), Karn raises another, quite different due process claim. Briefly, he asserts that the Department of State misconstrued the ITAR when it classified his diskette as a defense article under Category XIII(b)(1) of the USML. Although Karn claims that this supposed error in construing the ITAR "is unconstitutional under the Due Process Clause" (Brief 42), this is simply an APA claim in constitutional guise. As such, it is not subject to judicial review. In any event, even if it were cognizable under the Due Process Clause, it would be wholly without merit.

The designation of the diskette as a defense article follows directly from the terms of the ITAR. As explained above, Category XIII(b)(1) of the USML covers "[c]ryptographic (including key management) systems, equipment, assemblies, modules, integrated circuits, components or software with the capability of maintaining secrecy or confidentiality of information or information systems." Here, Karn does not dispute that the diskette contains "[c]ryptographic * * * software." Neither does he dispute that the source code on the diskette has "the capability of maintaining secrecy or confidentiality of information." That is, after all, the source code's very purpose. As Karn himself told the ODTC in his CJ request, the diskette "contains source code for encryption software that provides data confidentiality." Lowell Dec. Tab 6 (emphasis added).6 As a result, the diskette comes squarely within the scope of Category XIII(b)(1).

Karn argues that cryptographic source code is exempted from the ITAR's licensing requirements by the ITAR's "public domain" provision, 22 C.F.R. § 120.11. However, contrary to Karn's suggestion, the public domain provision is not an exemption from the ITAR's coverage of defense articles. Instead, by its terms, it is simply a definitional provision. See ibid. ("Public domain means information which is published and which is generally accessible or available to the public * * * "). And it is used solely as part of the ITAR's definition of "technical data." See 22 C.F.R. § 120.10(a)(5) ("Th[e] definition [of "technical data"] does not include * * * information in the public domain as defined in § 120.11.").

Karn argues that cryptographic software is governed by the ITAR's "technical data" provisions, and therefore is exempt from the ITAR if it is in the public domain. This argument rests on the fact that the ITAR's definition of "technical data" includes "[s]oftware as defined in [22 C.F.R.] § 121.8(f) * * * ." 22 C.F.R. § 120.10(a)(4). However, the definition of "software" in 22 C.F.R. § 121.8(f) makes clear that cryptographic software, unlike most other kinds of software, is not treated as technical data. That provision states, inter alia, that "[a] person who intends to export software only should, unless it is specifically enumerated in § 121.1 (e.g., [Category] XIII(b)), apply for a technical data license" (emphasis added). As the underscored language makes clear, software that is specifically designated as a defense article under the USML, such as cryptographic software under Category XIII(b), is not treated as technical data.

Karn argues that the quoted language in 22 C.F.R. § 121.8(f) should not be read in the foregoing manner, but instead should be read as a "limitation on the granting of technical data licenses" (Brief 42). That "reading" does not accord with the plain language of the regulation. Moreover, it makes no sense as a matter of policy or practice. If Karn's reading were adopted, cryptographic software could be exported at will to foreign intelligence targets, regardless of its strength and its capability to shield communications from our government's SIGINT efforts, simply by placing it in the public domain.

In addition, Karn's argument ignores the deference that is due the Department of State in the construction of the ITAR. Courts "must defer to an agency's interpretation of its own regulations 'unless it is plainly erroneous or inconsistent with the regulation,' regardless of whether interpreting the regulation requires an agency's technical expertise." A.L. Pharma, Inc. v. Shalala, 62 F.3d 1484, 1490 (D.C. Cir. 1995). Here, even assuming that the literal language of the ITAR could bear the strained reading that Karn offers, the agency's contrary interpretation is entirely reasonable and consistent with the text and policies of the ITAR and the AECA. See Opinion 36.

Karn asserts that Category XIII(b)(1) of the USML, which designates cryptographic hardware and software as defense articles for purposes of the AECA and the ITAR, violates the First Amendment to the extent that it includes cryptographic source code. As noted above, the district court reviewed this First Amendment claim under the standards developed in United States v. O'Brien, 391 U.S. 367 (1968). Under O'Brien, "a content-neutral [law] will be sustained [under the First Amendment] if 'it furthers an important or substantial governmental interest; if the governmental interest is unrelated to the suppression of free expression; and if the incidental restrictions on alleged First Amendment freedoms is no greater than is essential to the furtherance of that interest.'" Turner Broadcasting System, Inc. v. FCC, 114 S. Ct. 2445, 2469 (1994) (quoting O'Brien, 391 U.S. at 377). The district court determined that the application of the ITAR licensing system to cryptographic source code satisfies each of these requirements. Opinion 26-31.

On appeal, Karn argues that the district court erred in using the O'Brien test to evaluate his constitutional claim. Alternatively, Karn asserts that the application of the ITAR to cryptographic source code does not meet the requirements of O'Brien. As we now show, both of these assertions are incorrect.7

A. Karn's First Amendment Claim Is Governed By United States v. O'Brien

1. In challenging the district court's use of the O'Brien test, Karn relies primarily on a supposed First Amendment distinction between "speech" and "conduct" (Brief 21-24, 26-29). According to Karn, O'Brien applies only when the government undertakes to regulate "conduct," not when it regulates "speech" (or "pure speech"). In this case, Karn asserts that the export of cryptographic software in the form of source code is "speech," not "conduct," and therefore may not (in Karn's view) be regulated on the basis of O'Brien.

As a threshold matter, it is far from clear why, as a general matter, the export of cryptographic source code should be treated as "speech" rather than "conduct." It is certainly true that cryptographic source code can be used to convey information about cryptography to persons who understand the particular computer language in which the source code is written. But it is hardly the case, as Karn asserts, that source code is "primarily designed to communicate with human beings" (Brief 23). After all, as the parties jointly stipulated below, source code is "a precise set of operating instructions to a computer." Joint Statement ¶ 16 (emphasis added). Every instruction written in a computer language is directed at telling computers, not humans, what to do.8 While it is possible to write and circulate source code for expressive or informational purposes, the more obvious, conventional, and non-expressive reason for doing so is simply to make a computer carry out a particular task.

Moreover, quite apart from the general practice of using and distributing source code for non-expressive purposes, there is no indication that Karn himself sought to export his diskette for any expressive purpose. Karn informed the ODTC that his diskette "is provided for those who wish to incorporate encryption into their applications." Lowell Dec. Tab 6. Thus, Karn's own proposed export is intended not to enable foreign recipients to learn about cryptography, but to enable them to make use of the diskette in encrypting data and communications. In deciding whether conduct in a particular case is "sufficiently imbued with elements of communication" to warrant First Amendment protection, the courts look to "whether `[a]n intent to convey a particularized message was present, and [whether] the likelihood was great that the message would be understood by those who viewed it.'" Texas v. Johnson, 491 U.S. 397, 404 (1989) (emphasis added) (quoting Spence v. Washington, 418 U.S. 405, 410-11 (1974)); Clark v. Community for Creative Non-Violence, 468 U.S. 288, 294 (1984). There is no evidence that Karn had such an intent in this case.

Even if Karn himself had intended to export the diskette in order to "communicate" some form of information to foreign recipients, the most that could be said from his standpoint is that the ITAR is regulating conduct (the export of cryptographic source code) that is not intrinsically expressive but that may in some cases be undertaken for expressive purposes (communicating information about cryptography). That, however, is precisely the situation that confronted the Supreme Court in O'Brien itself: a federal statute regulated conduct (the destruction of draft cards) that was not intrinsically expressive but that in some cases could be undertaken to convey a message (disapproval of the Vietnam war). Asking whether the export of cryptographic source code is "speech" or "conduct" thus leads directly back to O'Brien, not away from it.

In any event, Karn's speech/conduct argument suffers from a more fundamental problem: this Court has expressly rejected the distinction on which it rests. In Home Box Office, Inc. v. FCC, 567 F.2d 9 (D.C. Cir.) (per curiam), cert. denied, 434 U.S. 829 (1977), this Court squarely held that the applicability of the O'Brien test does not depend on a distinction between "speech" and "conduct." See 567 F.2d at 47-48. As the Court explained in Home Box Office, "conduct and speech can often be separated only in the eyes of the beholder[,] and therefore First Amendment doctrines turning on the true 'essence' of an expressive event can provide no very certain guide to judicial decision." Id. at 47. "Instead, the important inquiry * * * turns on the purpose for which government regulates" (emphasis added):

Regulations intended to curtail expression -- either directly by banning speech because of a harm thought to stem from its communicative or persuasive effect on its intended audience, or indirectly by favoring certain classes of speakers over others -- can be justified (if at all) only under categorization doctrines such as obscenity, "fighting words," or "clear and present danger." Regulations evincing a "governmental interest * * * unrelated to the suppression of free expression * * * ," United States v. O'Brien, supra, 391 U.S. at 377, are treated differently, however. If such regulations "[1] further an important or substantial governmental interest; * * * and [2] if the incidental restriction on alleged First Amendment freedoms is no greater than is essential to the furtherance of that interest," id. (bracketed numbers added), then the regulations are valid.

Id. at 47-48. As a result, whether the export of cryptographic source code is labeled "speech" or "conduct" is ultimately immaterial for First Amendment purposes. Instead, the level of judicial scrutiny depends on the government's reason for the regulation. See Blount v. SEC, 61 F.3d 938, 942 (D.C. Cir. 1995), cert. denied, 116 S. Ct. 1351 (1996) ("This [purpose-based] methodology has come to replace the distinction between speech and conduct regulations originally articulated in United States v. O'Brien").

Here, it cannot seriously be disputed that the purpose behind the government's regulation of cryptographic software exports under the ITAR is, in O'Brien's words, "unrelated to the suppression of free expression." The government regulates the export of cryptographic products under Category XIII(b)(1) of the USML because the proliferation of such products will make it easier for foreign intelligence targets to deny the United States access to information vital to the national security. Crowell Dec. ¶ 4. The government's object is not to prevent the free discussion of cryptographic ideas, but rather to minimize the risk that communications by intelligence targets will be rendered unintelligible through encryption. The uncontrolled export of cryptographic source code increases that risk, regardless of whether the recipients understand (or are even capable of understanding) the cryptographic algorithms embodied in the source code. It is for this reason that cryptographic source code is subject to the ITAR, not "because of a harm thought to stem from its communicative or persuasive effect on its intended audience." Home Box Office, 567 F.2d at 48.

The purpose behind the government's regulation of cryptographic product exports is confirmed by the terms and structure of the ITAR. Although Category XIII(b)(1) of the USML includes cryptographic source code, it reaches considerably further. With specified exceptions, it covers all "[c]ryptographic (including key management) systems, equipment, assemblies, modules, integrated circuits, components or software with the capability of maintaining secrecy or confidentiality of information or information systems." 22 C.F.R. § 121.1, Category XIII(b)(1). As this language indicates, the touchstone of Category XIII(b)(1) is the function of the item in question. If an item has "the capability of maintaining secrecy or confidentiality of information," it is classified as a defense article under Category XIII(b)(1), regardless of whether it is a mechanical device, an electronic component, or computer software.

The reach of Category XIII(b)(1) does not depend on whether an item conveys (or can convey) information about cryptography to its recipients. Items that function to encrypt data are regulated under Category XIII(b)(1) even if they do not convey any information about cryptography at all. For example, commercial software (including commercial encryption software) is ordinarily distributed in the form of "object code" (see p. 9 supra). Unlike source code, which can be read and understood by programmers, object code is a sequence of 0s and 1s that is, for all intents and purposes, unreadable by human beings in its native form. Cryptographic object code is nevertheless regulated as a defense article under Category XIII(b)(1), just like cryptographic source code, because it has "the capability of maintaining secrecy or confidentiality of information."

In contrast, materials that convey information about cryptography but do not themselves function to encrypt, such as books and articles about cryptography, are not covered by Category XIII(b)(1). To be sure, information about the design of cryptographic software, like information about the design of other defense articles, potentially constitutes "technical data" under the ITAR. See 22 C.F.R. § 120.10(a)(1). As explained above, however, the ITAR's technical data provisions exclude information in the "public domain," meaning information "published and * * * generally accessible or available to the public" from sources like bookstores and libraries. See id. §§ 120.10(a)(5), 120.11. As a result, books and articles about cryptography that are publicly available in the United States may be exported without a license under the ITAR.

This case is thus fundamentally different from New York Times v. United States, 403 U.S. 713 (1971) (per curiam), the case on which Karn places so much reliance. In New York Times, the government sought to enjoin the publication of the Pentagon Papers because of their informational content; the government feared that the documents contained "'information whose disclosure would endanger the national security.'" 403 U.S. at 718 (Black, J., concurring) (quoting government brief); id. at 726 n.* (Brennan, J., concurring). Here, in contrast, the ITAR regulates the export of cryptographic products, including but not limited to source code, solely on the basis of their function; whether they have any informational value to their recipients is irrelevant under the regulatory scheme.

For much the same reasons, the ITAR's regulation of cryptographic software exports is not subject to strict scrutiny as a "prior restraint," as Karn and the amici suggest. The prior restraint cases on which Karn and the amici rely involve outright attempts to enjoin speech because of the information that it conveys, such as New York Times and Near v. Minnesota, 283 U.S. 697, 713 (1931), or licensing schemes that single out speech and expressive activities, such as FW/PBS, Inc. v. Dallas, 493 U.S. 215, 224-25 (1990) (condemning licensing scheme that "largely targets businesses purveying sexually explicit speech" and subjects them to "more onerous" licensing requirements than "the vast majority of other businesses"). Here, the ITAR does not license the export of cryptographic source code because of its informational content, and the ITAR's licensing requirements apply across the board to all types of cryptographic products, not just to source code. As explained above, no license is required to teach cryptography or publish cryptographic books or articles in this country, and information about cryptography that is in the public domain may be freely exported without a license under the ITAR. There is simply no resemblance between this regulatory scheme, which goes out of its way not to impose restrictions on the dissemination of cryptographic information, and the schemes that have been condemned as prior restraints by the Supreme Court.

2. Karn also argues (Brief 29-32) that the district court erred in applying O'Brien because the ITAR's regulation of cryptographic source code is assertedly not "content neutral." Karn asserts (Brief 29-30) that the ITAR is not content neutral because it draws a distinction between cryptographic source code and source code for other kinds of software. He also argues that the ITAR is not content neutral because it provides for the transfer of certain kinds of mass-market cryptographic software from the USML to the Commodity Control List, which involves potentially less stringent export controls (see p. 8 supra).

These arguments reflect a fundamental misunderstanding of what it means for a regulation to be "content neutral" under the First Amendment. "In order to determine whether a statute is content neutral, '[t]he principal inquiry * * * is whether the government has adopted a regulation of speech because of disagreement with the message it conveys.'" American Library Ass'n v. Reno, 33 F.3d 78, 84 (D.C. Cir. 1994), cert. denied, 115 S. Ct. 2610 (1995) (quoting Ward v. Rock Against Racism, 491 U.S. 781, 791 (1989)); Clark v. Community for Creative Non-Violence, 468 U.S. 288, 295 (1984) (question is whether regulation is being applied "because of disagreement with the message presented"). "A regulation that serves purposes unrelated to the content of expression is deemed neutral, even if it has an incidental effect on some speakers or messages but not others." Ward, 491 U.S. at 791. Likewise, "a rule's use of subject-based categories" does not render it content-based. Blount, 61 F.3d at 942. As long as the regulation is directed at "the secondary effects" of a particular activity, rather than at "suppress[ing] the expression of unpopular views," it remains content neutral for First Amendment purposes. City of Renton v. Playtime Theatres, Inc., 475 U.S. 41, 47-48 (1986) (holding that zoning ordinance aimed at theaters showing "adult motion pictures" was content neutral because it was directed at "secondary effects" associated with such theaters, such as crime and noise); see American Library Ass'n, 33 F.3d at 86 (discussing Renton).

Here, as shown above, it is indisputable that the ITAR's regulation of cryptographic source code and other cryptographic products "serves purposes unrelated to the content of expression" and is not undertaken "because of disagreement with the message" (if any) that cryptographic source code may convey. To the extent that the ITAR treats cryptographic source code differently from source code for other kinds of computer software, it does so because of the function of the source code, not because of its potential informational value. The same thing is true of ITAR's treatment of mass-market cryptographic software. As Karn himself admits, whether particular cryptographic software is eligible for transfer from the USML to the CCL depends on "whether it will, once compiled, produce 'strong' encryption" (Brief 30) (emphasis added). Here too, the distinction drawn by the ITAR turns on the function of the software "once compiled," not on the information it may or may not convey as source code.

3. Karn asserts (Brief 24) that the ITAR's regulation of cryptographic source code should be subjected to heightened scrutiny because it affects a "tool of speech" -- that is, a product that can assist people in communicating with each other. However, there is no basis in First Amendment jurisprudence for according special protection to any product that can assist communication. If there were such a principle, every governmental regulation of paper, ink, telephones, television sets, and postal services would be subject to strict scrutiny, even when such regulation is content neutral. The decisions of the Supreme Court and this Court are plainly to the contrary.

Karn invokes Minneapolis Star & Tribune Co. v. Commissioner, 460 U.S. 575 (1983), but that case offers no support for Karn's "tools of speech" theory. In Minneapolis Star, the Supreme Court struck down a state law that taxed paper and ink used by local periodicals. The Supreme Court employed heightened scrutiny in Minneapolis Star not because the law affected "tools of speech," but rather "because [the challenged law] applied only to the press * * * [and] because in practical application it fell upon on a small number of newspapers," thereby "rais[ing] suspicions that [its] objective was, in fact, the suppression of certain ideas." Turner Broadcasting, 114 S. Ct. at 2468; see Time Warner Entertainment Co. v. FCC, 93 F.3d 957, 977-78 (D.C. Cir. 1996) (per curiam) (discussing Minneapolis Star). The ITAR does not present any comparable concern.

In a related vein, Karn argues that the government "cannot prohibit its citizens from communicating in code," an activity that Karn analogizes to communicating in a foreign language (Brief 24-25). But the ITAR does not prohibit American citizens from "communicating in code." Instead, it simply regulates the export of products that could assist foreign intelligence targets in maintaining the secrecy of their messages. Nothing about that undertaking warrants heightened scrutiny under the First Amendment, even if one accepts Karn's strained analogy between encrypted speech and speech in a foreign language.9

B. The Application Of The ITAR To Cryptographic Source Code Satisfies The Requirements Of O'Brien

The district court determined that the application of the ITAR to cryptographic source code satisfies each of the requirements of the O'Brien test. Opinion 26-31. Karn asserts (Brief 32-33) that the government has not satisfied the final prong of the O'Brien test, the requirement that the "incidental restriction on alleged First Amendment freedoms [be] no greater than is essential to the furtherance of that interest." O'Brien, 391 U.S. at 377. That assertion is wholly without merit, and Karn makes notably little effort to support it.10

As this Court has recognized, under the final prong of O'Brien, "a narrowly tailored regulation 'need not be the least restrictive or least intrusive means' of serving the government's content-neutral interests." American Library Ass'n, 33 F.3d at 88 (quoting Ward, 491 U.S. at 798). Instead, a regulation "will meet the Supreme Court's 'narrowly tailored' requirement if a substantial portion of the burden it imposes furthers the Government's interest, even though a less intrusive alternative might also exist." Ibid.

When the government makes a judgment about how far a particular content-neutral restriction must reach in order to deal adequately with a problem, the courts are "'loath to second-guess the Government's judgment to that effect.'" American Library Ass'n, 33 F.3d at 88 (quoting Board of Trustees v. Fox, 492 U.S. 469, 478 (1989)). In Clark v. Community for Creative Non-Violence, 468 U.S. 288 (1984), for example, the Supreme Court held that a Park Service ban on overnight camping on the Mall satisfies the O'Brien test, despite the claim that the Park Service's conservation goals could be achieved by other means that would have had less impact on expressive activities. The Court explained that "these suggestions represent no more than a disagreement with the Park Service over how much protection the * * * parks require or how an acceptable level of preservation is to be attained. We do not believe, however, that either United States v. O'Brien or the time, place, or manner decisions * * * endow the judiciary with the competence to judge how much protection of park lands is wise and how that level of conservation is to be attained." Id. at 299.

Applying these standards here, it cannot seriously be disputed that the ITAR's regulation of cryptographic software exports is narrowly tailored under O'Brien, for it is plain that "a substantial portion of the burden it imposes furthers the Government's interest." American Library Association, 33 F.3d at 88. The government has made the basic judgment that the unrestricted export of cryptographic software would jeopardize the national security and that licensing the export of cryptographic software will enable the government to reduce that risk. That judgment is reasonable on its face, and it is one that the Executive Branch is uniquely qualified to make. If the judiciary is not "competen[t] to judge how much protection of park lands is wise and how that level of conservation is to be attained" (Clark, 468 U.S. at 299), then a fortiori, courts should not second-guess the judgment of the Department of State and the National Security Agency regarding how much protection against the export of cryptographic products is required for the national security and how that level of protection is to be achieved.

At the same time, the government has taken care not to cast its net more widely than necessary. As explained above, the ITAR does not restrict the ability of individuals to publish books and articles on cryptography in the United States, nor does it restrict the export of cryptographic publications that are in the public domain in this country. See pp. 38-39 supra. As a result, the ITAR "leave[s] open ample alternative channels of communication," Ward, 491 U.S. at 802, regarding information and ideas about cryptography. And even with respect to cryptographic products, as distinct from cryptographic information, the ITAR's restrictions are narrowly tailored. As explained above, the USML excludes a variety of specific cryptographic products that do not lend themselves to use for general data encryption purposes, and it provides for the transfer of certain mass-market encryption software to the less restrictive provisions of the Commodity Control List. See p. 8 supra.

It also should be borne in mind that the ITAR is a licensing system, not an export ban. Although Karn repeatedly insists that the classification of cryptographic software as a defense article means that export is prohibited, the fact that a particular commodity is covered by the USML does not preclude its export. When someone applies for a license to export a defense article, a separate licensing decision is made, taking into account such factors as the threat to national security, the end-user, and the end-use. Crowell Dec. ¶ 5; Lowell Dec. ¶ 5. The licensing process thus further narrows the scope of the ITAR's restriction on cryptographic exports.

Karn's only argument with respect to the final prong of O'Brien is his assertion (Brief 33) that exporting his diskette "cannot in fact threaten the national security because the same programs are already widely available in other countries." We have already shown the shortcomings in this argument in our discussion of Karn's due process claim (see pp. 28-29 supra). Moreover, to the extent that Karn is basing his argument on the effect of exporting his diskette in particular, as opposed to the effect of exporting cryptographic source code in general, he misapprehends the nature of the First Amendment inquiry. Whether a content-neutral regulation is narrowly tailored for purposes of O'Brien "depends on the relation it bears to the overall problem the government seeks to correct, not on the extent to which it furthers the government's interests in an individual case." Ward, 491 U.S. at 801.11 Thus, even if it were assumed (incorrectly) that the application of the ITAR to Karn's diskette is unnecessary to advance the government's national security interests, that would not suffice to establish that the ITAR is fatally overbroad for purposes of the O'Brien test. Absent restrictions like those found in the ITAR, there would be unlimited worldwide dissemination of strong cryptographic software by many American concerns, not just Karn, resulting in irretrievable damage to this country's SIGINT capabilities.

C. Karn's First Amendment Challenge To The ITAR's Technical Data Provisions Is Misconceived

In the course of his First Amendment argument, Karn spends several pages (Brief 33-36) summarizing legal opinions from the Department of Justice's Office of Legal Counsel ("OLC") regarding the constitutionality of the ITAR's "technical data" provisions. The OLC memoranda, which date from the late 1970s and early 1980s, advised the Department of State that the technical data provisions then contained in the ITAR could be construed to encompass exchanges of scientific information protected by the First Amendment. See, e.g., Constitutionality of the Proposed Revision of the International Traffic In Arms Regulations, 5 Op. O.L.C. 202 (1981). The OLC advised the Department of State that export of technical data (i.e., information) other than commercial speech could be controlled only to the extent that the export is directly related to the provision of technical assistance to a foreign national or entity in the acquisition and use of defense articles. See, e.g., id. at 206-209. In all pertinent respects, OLC's conclusions corresponded to the First Amendment reasoning of United States v. Edler Industries, Inc., 579 F.2d 516, 522 (9th Cir. 1978). Karn asserts that the potential constitutional problems identified by the OLC and Edler "remain there today" (Brief 36) and should be dealt with in this case.

There are two problems with this argument. First, for reasons set forth above, the technical data provisions of the ITAR simply do not apply to the export of cryptographic software (see pp. 29-32 supra). For that reason, it was entirely appropriate for the district court not to reach Karn's challenge to those provisions. See Opinion 31-32. As this Court recently explained, "in order to establish a grievance resulting from the application of a regulatory term, a party would first have to show whether and how that term has been applied to him. This is all the more so when the [suit] is based on a claim of unconstitutionality." Steffan, 41 F.3d at 694. Here, Karn's diskette has never been subjected to regulation as technical data under the ITAR.

Second, the Department of State has subsequently amended the ITAR's technical data provisions to respond to the principal legal concerns expressed by the OLC. In 1984, the ITAR was amended to exclude "information concerning general scientific, mathematical or engineering principles" from the definition of "technical data." See 49 Fed. Reg. 47682, 47686 (Dec. 6, 1994). At the same time, the Department of State added a distinct "public domain" provision. See id. at 47685. In 1991, the definition of technical data was amended again to exclude "basic marketing information on function or purpose or general system descriptions of defense articles." 56 Fed. Reg. 44548 (Oct. 28, 1991). And in 1993, the definition of "public domain" was expanded to include "unlimited distribution at a [public] conference, meeting, seminar, trade show or exhibition," as well as "fundamental research in science and engineering at accredited institutions of higher learning in the U.S. where the resulting information is ordinarily published and shared broadly in the scientific community." 58 Fed. Reg. 39285 (July 22, 1993). Finally, the Department of State has expressly adopted a policy of administering the technical data provisions of the ITAR in accordance with the First Amendment principles of the Ninth Circuit's decision in Edler, supra. See 49 Fed. Reg. 47682, 47683 (Dec. 6, 1984) (preamble to ITAR amendments).

The result of these initiatives, all of which have been undertaken since the preparation of the OLC memoranda, is a regulatory system that goes out of its way to avoid impinging on the free exchange of ideas and information about cryptography and other areas of academic inquiry. Nothing in the OLC opinions, or in Karn's brief, casts doubt on the constitutionality of this system.

For the foregoing reasons, the judgment of the district court should be affirmed.

Respectfully submitted,

FRANK W. HUNGER
Assistant Attorney General

ERIC H. HOLDER, Jr.
United States Attorney

DOUGLAS N. LETTER
SCOTT R. McINTOSH
Attorneys, Appellate Staff
Room 3127, Civil Division
Department of Justice
950 Pennsylvania Ave. N.W.
Washington D.C. 20530

1 On October 1, 1996, Vice President Gore announced that the President intends to transfer regulatory jurisdiction over the export of most encryption products from the Department of State to the Department of Commerce. Thereafter, the Department of Commerce will regulate export of such products in accordance with the Export Administration Regulations, which are to be amended to address the control of encryption products. After this policy change is implemented, the government will apprise the Court of the impact, if any, on this case.

2 Near the end of his brief, Karn makes a separate argument that the Department of State misconstrued its own regulations and that, as a textual matter, the ITAR's licensing requirements do not apply to his diskette (Brief 37-42). As we show below, this textual argument is wholly without merit.

3 It is noteworthy that when the Department of Commerce administers the Commodity Control List (see p. 8 supra), judicial review has been held to be precluded not only with respect to decisions about the categories of products to be placed on the CCL, but also with respect to determinations regarding whether particular products fall within those categories. See United States v. Spawr Optical Research, Inc., 864 F.2d 1467, 1472-73 (9th Cir. 1988); United States v. Mandel, 914 F.2d 1215, 1220-23 (9th Cir. 1990); United States v. Bozarov, 974 F.2d 1037 (9th Cir. 1992). As the district court pointed out, "it would be strange indeed if Congress precluded judicial review of the determination that an item merely has a potential for military use (i.e., [is] subject to the [CCL]), but permitted review of the determination that an item was in fact a defense article (i.e., [is] subject to the [USML])." Opinion 16.

4 Karn states in passing (Brief 14-15) that the "sole function" of a diskette containing cryptographic source code is "storage and transmission of information." That is a manifestly misleading characterization. As shown above, a diskette containing cryptographic source code, such as Karn's diskette, provides the "engine" by which a computer can be made to perform encryption. Karn's own CJ request characterized the diskette as "software with encryption capabilities." Lowell Dec. Tab 6. The rationale for regulating such an item is not altered, as Karn seems to believe, by the fact that a few simple additional steps are required before encryption takes place.

5 As noted above, Karn has never applied for a license to export his diskette. Most of Karn's arguments about the widespread foreign availability of cryptographic source code are more properly addressed to the question of whether a license should be granted and, if so, on what terms.

6 Karn notes (Brief 17) that the diskette includes source code for three "hashing" algorithms, which do not function to encrypt information. See Joint Statement ¶ 34. However, Karn did not ask the Department of State for a separate CJ determination regarding the hashing algorithms. See Opinion 28 n.22. If Karn wishes to export a diskette that contains only the hashing source code, he is free to do so.

7 Karn assumes that the foreign rather than domestic locus of the ITAR's restrictions on cryptographic products does not affect the contours of the First Amendment analysis. This Court need not pass on the validity of that assumption, for Karn's First Amendment claim is without merit even if the assumption is correct. See Haig v. Agee, 453 U.S. 280, 308 (1981).

8 The cryptographic source code on Karn's diskette illustrates this point. To take a simple example, the source code for the DES encryption algorithm on Karn's diskette contains the following instruction:

right = (right << 31) | (right >> 1);

This instruction directs the computer to modify a variable (a reserved area in the computer's memory) by shifting the "bits" (0s and 1s) that represent the variable's current value.

9 Encrypted communications are fundamentally different from communications in a foreign language. Encrypted messages do not themselves communicate anything to the recipient; no one can read ciphertext. Restrictions on the use of encryption products therefore do not impede the capacity to communicate in the way that restrictions on the use of a language may do. An encryption product is more like invisible ink than it is like a foreign dictionary: it is a tool that helps to obscure and hide communications, not a tool that assists persons in understanding one another.

10 Karn also summarily asserts (Brief 32) that the governmental interest behind the ITAR is not "unrelated to the suppression of free expression" (O'Brien, 391 U.S. at 377). He offers no support for this assertion, and we have already shown above that it is incorrect (see pp. 37-42 supra).

11 Ward is a "time, place, and manner" case, but the "the four-factor standard of United States v. O'Brien * * * is little, if any different from the standard applied to time, place, or manner restrictions." Clark, 468 U.S. at 298-99.