________________________________________ ) PHILIP R. KARN, Jr. ) ) Plaintiff, ) ) Civ. A. No. 95-1812(CRR) v. ) ) (Judge Charles R. Richey) U.S. DEPARTMENT OF STATE, and ) THOMAS E. MCNAMARA, ) ) Defendants. ) ) ________________________________________)
Pursuant to the Court's Order of October 6, 1995, the parties hereby submit the following Joint Statement of Facts Not in Dispute in connection with defendants' motion for summary judgment. This joint statement contains solely facts that are undisputed. The parties reserve the right to argue whether certain facts are material to the legal issues before the Court. The Court is also referred to the parties' respective submissions pursuant to Local Rule 108(h), as well as pleadings, declarations or affidavits, citations to authority, and other evidence that the parties have submitted for the record.
1. By letter dated February 12, 1994, plaintiff Philip R. Karn submitted to the State Department a commodity jurisdiction request for the book Applied Cryptography by Bruce Schneier, in which plaintiff stated that "the book contains encryption software source code listings that provide data confidentiality." See Declaration of William J. Lowell, Director of the Office of Defense Trade Controls, 10 and Tab 4.
2. Plaintiff stated in his February 12, 1994, CJ request that it was a "Commodity Jurisdiction Request for mass market software with encryption capabilities." Lowell Decl. 10 and Tab 4.
3. Plaintiff stated in his February 12, 1994, CJ request that "[t]he book is intended as a reference for those who wish to incorporate encryption into their applications." Lowell Decl. 10 and Tab 4.
4. By letter dated March 2, 1994, the Office of Defense Trade Controls responded to plaintiff's CJ request, indicating that the book is not subject to the licensing jurisdiction of the Department of State because it is in the public domain. Lowell Decl. 11 and Tab 5. As stated therein, this determination did not extend to the two disks containing source code that the book references and that are available from the author. Id.
5. By letter dated March 9, 1994, Mr. Karn submitted a second commodity jurisdiction request for a diskette which contains source codes for data encryption that are printed in Part Five of the Applied Cryptography book. Lowell Decl. 12 and Tab 6.
6. Plaintiff stated in his March 9, 1994, CJ request that "the diskette contains source code for encryption software that provides data confidentiality." Tab 6 to Lowell Declaration at 2.
7. Plaintiff stated in his March 9, 1994, CJ request that "the software on this diskette is provided for those who wish to incorporate encryption into their applications." Tab 6 to Lowell Declaration at 2.
8. By letter dated May 11, 1994, the Department of State, Office of Defense Trade Controls, responded to plaintiff's second CJ request, indicating that the source code diskette is subject to the licensing jurisdiction of the Department of State. Lowell Decl. 15 and Tab 9. The Department indicated that the diskette is designated as a defense article under Category XIII(b)(1) of the United States Munitions List ("USML"), 22 C.F.R. § 121.1 XIII(b)(1), and that a license from the State Department was required prior to its export. Id.
9. By letter dated June 10, 1994, plaintiff appealed the CJ determination concerning the source code diskette to Deputy Assistant Secretary of State, Dr. Martha Harris. Lowell Decl. 16 and Tab 10.
10. By letter dated October 7, 1994, Deputy Assistant Secretary Harris decided plaintiff's appeal and upheld the CJ determination made by ODTC. Lowell Decl. 18 and Tab 11. In this appeal determination, the State Department again concluded that the source code diskette is covered by Category XIII(b)(1) of the USML and subject to the export licensing jurisdiction of the State Department. Id.
11. By letter dated December 5, 1994, plaintiff appealed Dr. Harris's determination to the Assistant Secretary of State for Political-Military Affairs, Thomas E. McNamara. Lowell Decl. 19 and Tab 12.
12. By letter dated June 13, 1995, the Assistant Secretary decided plaintiff's appeal, affirmed the decision made by Deputy Assistant Secretary Harris, and upheld the CJ determination made by ODTC. Lowell Decl. 22 and Tab 14. In this appeal determination, Assistant Secretary McNamara concluded that the source code diskette is covered by Category XIII(b)(1) of the USML and subject to the export licensing jurisdiction of the State Department. Id.
13. The National Security Agency ("NSA") is the agency with technical expertise for evaluating whether cryptographic devices and software fall within Category XIII(b)(1) of the USML. See Lowell Decl. 24; Declaration of William P. Crowell, Deputy Director of the National Security Agency, 3, 5.
14. The commodity at issue in this case is a computer diskette which contains cryptographic algorithms expressed in source code. Crowell Decl. 7.
15. A cryptographic algorithm is a mathematical function or equation that can be applied to transform data into an unintelligible form (i.e., into ciphertext.) Crowell Decl. 7.
16. A cryptographic source code expresses a cryptographic algorithm in human-readable computer programming language, such as the "C" language, and is a precise set of operating instructions to a computer that, when compiled, enables a computer to perform cryptographic functions. See Crowell Decl. 7.
17. Source code can be converted by another computer program, called a compiler, into "object code." Object code may be conveniently thought of as a series of "ones" and "zeros" that may be directly executed by a computer. Crowell Decl. 7.
18. The diskette at issue may be inserted into the floppy disk drive of a computer and the directory of its contents called to the screen, displaying a list of source codes on the disk. Crowell Decl. 11 and Tab A.
19. The source codes on the diskette are named after the cryptographic algorithms that they implement. Crowell Decl. 11.
20. Encryption source codes, such as those on the diskette, are essential to a functioning program that can be executed to encrypt communications on a computer by:
(a) writing additional instructions to the computer called "input and output" routines that allow for the plaintext of a document or message to be "passed through" the source code resulting in the output of scrambled ciphertext;
(b) compiling the total source code into object code by using commercially available software; and
(c) typing a command to the computer to encrypt the text of a document or message. Crowell Decl. 11-14 and Tab B.
21. The command to the computer to encrypt plaintext and decrypt ciphertext includes a "key," which is information known only by the parties sending and receiving the text that acts as a "password" so that the text can be encrypted and decrypted. Crowell Decl. 14.
22. An optical "scanner" is a device that can be passed over a printed text and which "reads" the text into a computer. Optical character recognition ("OCR") technology then converts the picture of the printed text scanned into the computer into an electronic format which can be edited. Crowell Decl. 15.
23. OCR technology may not produce error free reproductions of the scanned material. Any errors of character recognition that occur in the scanning process must be detected and corrected before compiling may begin and information encrypted. Crowell Decl. 16. Mr. Karn scanned the TRIPLE DES source code in Part Five of the Applied Cryptography book and corrected errors in the scanned text and in the printed source code. Karn Decl. 5 to 7.
24. If a source code printed on paper contains an error or "bug," verifying the accuracy of the source code requires the expertise of someone who is familiar with the particular source code language and may require knowledge of the fundamentals of cryptography. See Crowell Decl. 17.
25. Scanning the FEAL-8 source code as printed in Part Five of original editions of the book Applied Cryptography would create a malfunctioning source code because the printed code contains an error. Crowell Decl. 18.
26. The error in the printed FEAL-8 source code has been corrected on the diskette at issue and the source code on the diskette would function properly. Crowell Decl. 18.
27. A programmer with the same capability to undertake the procedures described in 5 to 9 of the Karn Declaration may, by starting with encryption source codes printed in Part Five of the Applied Cryptography book, ultimately enable a computer to perform cryptographic functions. See Karn Decl. 5 to 9; Crowell Decl. 16 to 19. By using the TRIPLE DES source code printed in Part Five of the book, such a programmer may ultimately achieve the same encryption and decryption function that was achieved by the NSA using solely the Karn diskette. See Karn Decl. 5 to 9; Crowell Decl. 11 to 14, 19.
28. As described in the Declaration of Barbara Tuthill, two skilled secretaries working together manually typed the DES source code, which is the most lengthy of the codes in the book, into a computer in 2.77 hours. This period of time does not include checking for typographical errors in the typewritten product, nor for correcting any "bugs" in the printed source code.
29. It took Mr. Karn about 25 minutes to photocopy and then to scan into a computer the TRIPLE DES source code printed in Part Five of the Applied Cryptography book. Karn Decl. 5. After the TRIPLE DES source code is converted into a computer- readable text file, either by manual typing or optical scanning, it is necessary to "debug" the listing by correcting errors created when the data is transformed into a computer-readable format, and by correcting any errors that are present in the original listings in the book. Karn Decl. 5 to 7; Crowell Decl. 16-17.
30. It took Mr. Karn 3.5 hours to convert the TRIPLE DES source code printed in Part Five of the Applied Cryptography book into a file on his computer containing correct TRIPLE DES encryption code (not including 40 minutes spent on a "driver" program comparable to the input/output routines described in 12 of the Crowell Declaration). Karn Decl. 10. Mr. Karn then used the Triple DES source code to successfully encrypt and decrypt the same plaintext used in the demonstration described in 14 of the Crowell Declaration. Karn Decl. 9.
31. The United States Government, working with the British Government, was able to successfully read messages encrypted by the German Enigma machine during World War II.
32. Part Five of the Applied Cryptography book is available in foreign countries through export of the book. Tabs A and B to the Karn Declaration describe foreign computer sites where individuals with access to the Internet may be able to obtain certain cryptographic source code software.
33. The undersigned counsel for Mr. Karn are advised that approximately 20,000 copies of the Applied Cryptography book have been sold worldwide. See Lowell Decl., Ex. 12, at 2.
34. Three of the source code listings on the diskette and in Part Five of the Applied Cryptography book, MD-5, N-HASH, and SHS are "hashing routines" that perform a data authentication function and, by themselves, are not controlled for export under the ITAR because cryptographic software that is solely limited to a data authentication function is excluded from Category XIII(b) of the United States Munitions List. See 22 C.F.R. § 121.1 XIII(b)(vi).
Respectfully Submitted, VINCENT M. GARVEY KENNETH C. BASS, III Deputy Branch Director THOMAS J. COOPER VENABLE, BAETJER, HOWARD ANTHONY J. COPPOLINO & CIVILETTI, LLP Trial Attorney 1201 New York Avenue, N.W. Suite 1000 U.S. Department of Justice Washington, D.C. 20005 Civil Division (202) 962-4890 Federal Programs Branch 901 E Street, N.W. - Room 1084 Attorneys for the Plaintiff Washington, D.C. 20530 (202) 514-4782 Attorneys for the Defendants Date: December 18, 1995.
Kenneth C. Bass, III Thomas J. Cooper Teresa Trissell VENABLE, BAETJER, HOWARD & CIVILETTI, LLP 1201 New York Avenue, N.W. Suite 1000 Washington, D.C. 20005 ANTHONY J. COPPOLINO