Plaintiff,		)
					)	Civ. A. No. 95-1812(CRR)
	v.				)
					)	(Judge Charles R. Richey)
		 Defendants.		)



Plaintiff's opposition brief ("Pl. Opp.") concedes several points that are at the heart of this case. First, plaintiff concedes that source code on his diskette is, with a few additional steps, part of an "operating [encryption] program." Pl. Opp. at 5. This confirms that the diskette can be used on a computer to maintain the secrecy of information, and is clearly covered by Category XIII(b)(1) of the United States Munitions List ("USML").

Second, plaintiff himself recognizes the national security interest in controlling the diskette, in stating his belief that widespread use of one code on the disk to encrypt messages "could significantly reduce the ability of [the National Security Agency] to gather foreign intelligence." Pl. Opp. at 32. It is precisely because encryption source code on plaintiff's diskette can so easily be used to encrypt information on a computer that its export is subject to State Department licensing.

Having conceded that source code on his diskette can be used to encrypt, plaintiff also argues, inconsistently, that export of his diskette constitutes "pure speech." But while the theory of how an encryption source code functions may inform the intellect of those who can comprehend source code (and the programming language in which it is expressed), such code is much more than scientific information. It is the operating instructions to a computer that permit a computer (after minimal additional steps) to encrypt communications. The diskette is not controlled because it might "inform" someone who will "read" its source code. It is subject to export licensing in order to limit the capacity of foreign entities to encrypt information. For this reason, under the O'Brien standards, whatever restriction on "speech" or "ideas" that may result from controlling the export of the diskette is incidental to furthering a substantial governmental interest in controlling the spread of a commodity that may hinder the United States' foreign intelligence collection efforts.

On his First Amendment claim, plaintiff's principal argument is that, in his view, the foreign availability of cryptographic source code (primarily on the Internet) undermines any national security interest at stake. It is common sense, however, that the unlimited export of any type of encryption software, including a ready-made product such as plaintiff's diskette, by any method of export and to any place or entity in the world, would present a far greater threat to national security than does the appearance of some source code on the Internet.

On his "substantive due process" claim, plaintiff's argument -- that there is no "functional difference" between the diskette and the source code printed in Part Five of the Applied Cryptography book -- is beside the point. Defendants acknowledged that, ultimately, even printed source code might be used to encrypt communications. But, in any event, there is a clear rational basis for more stringent control of a diskette that, as plaintiff himself demonstrates, is much easier to use and would readily be preferred by those seeking to encrypt communications.

In the final analysis, this case is a simple one. The government has designated a commodity that can be utilized to encrypt communications as a defense article on the United States Munitions List. This determination does not implicate the Constitution and is not subject to judicial review under 22 U.S.C. 2778(h).



Plaintiff's First Amendment argument can be considered in two parts. First, he argues that the source code on the diskette constitutes "pure speech" or mere "knowledge" readable by a human being like a newspaper. He argues, accordingly, that licensing controls on its export are subject to strict scrutiny. Second, plaintiff argues that, even if the lesser O'Brien standards apply, subjecting his diskette to export licensing controls violates the First Amendment because some such source codes are available abroad on the Internet. These contentions lack merit.
A. The Source Codes on the Diskette Are Not "Pure Speech."
In support of his First Amendment claim, plaintiff makes a series of demonstrably inaccurate assertions that, indeed, are largely contradicted by his own statements. He asserts that the diskette, "like the book, functions to communicate information to a human, not to cause a computer to a function." Pl. Opp. at 10. Indeed, he states that source codes "are in fact primarily designed to communicate with human beings." Id. [1] Plaintiff bases this contention on the notion that the source codes on the diskette must undergo three additional "programming" steps to make them "operational." Id. at 5. Plaintiff's argument is wrong.

First, plaintiff greatly exaggerates the additional steps to be undertaken to use the diskette to encrypt information on a computer. The steps he cites are minimal, ones which he concedes "might not take a skilled programmer more than a[n] hour or so to perform." Pl. Opp. at 5. Indeed, one such step is not even a matter of "programming" at all. [2]

More importantly, the fact that such steps have to be undertaken does not mean that the item is not properly on the United States Munitions List. All of the defense articles on the USML are subject to export regulation, even if they are in a form that requires additional steps to operate them. The fact that it might take some expertise to make the item functional does not mean, as plaintiff argues, that the "only function" of the diskette "is to provide information to a human being which can then be used as part of the knowledge needed to build a functioning encryption/decryption program." Pl. Opp. at 4 (emphasis added). While plaintiff labels the diskette only a "basic building block" for making a functioning encryption program, id., it is not a "building block" in the sense that it provides mere "know-how" to a programmer, such as knowledge of architecture or physics is a "building block" to the construction of a building.

Rather, the encryption source code software on the diskette is the essential component for enabling a computer to perform cryptographic functions. It is source code that provides operating instructions to a computer that results in encryption. Crowell Decl. 7. Without source code, an encryption program cannot exist. While modest additional steps are needed to encrypt using the diskette, these steps do not have such legal significance as to render the diskette mere "information" like a newspaper, movie, or TV show. See Pl. Opp. at 9.

Indeed, conveying "knowledge" or "information" to the recipient of the diskette is unlikely to be even an incidental purpose of its export. Plaintiff stated in his commodity jurisdiction request that the diskette "is provided for those who wish to incorporate encryption into their applications." Tab 6 to the Lowell Declaration at 2. By his own admission, its export is intended not to enable foreign recipients to merely "read" the source code, but to use it. If the purpose of exporting the disk was simply "to provide textual information to a human being," Pl. Opp. at 29, the disk would not even be necessary since the source codes were printed in the Applied Cryptography book. And even if foreign recipients wanted the diskette solely to "read" the "text" of codes on "mylar" instead of paper, the fact remains that the disk could be used to encrypt through steps within the knowledge of much of its likely target audience.

In short, the diskette does far more than merely "communicate information" to those knowledgeable enough to comprehend it: its principal function is to serve as a physical device that can be used to encrypt information.

B. The O'Brien Standards Apply to Plaintiff's First Amendment Claim.
Based on his theory that source codes are "pure speech," plaintiff argues that the First Amendment standard applicable here should be that set forth in the Pentagon Papers case, New York Times Co. v. United States, 403 U.S. 713 (1971). Plaintiff argues that the government must demonstrate that export of his diskette would pose a "clear and present danger" to national security. Pl. Opp. at 8, 15.

Plaintiff's invocation of the Pentagon Papers case is especially inapt. There, the government attempted to forbid publication of the Pentagon Papers because those papers would convey information to those who read them. See 403 U.S. at 718 (Black, J., concurring) (quoting government brief seeking injunction because "disclosure" of "information" would endanger national security). By contrast, the State Department does not control the export of plaintiff's diskette because it might "disclose information" to foreigners. It controls the disk because it would give foreigners a device that can be used to encrypt in "a[n] hour or so." Pl. Opp. at 5. To illustrate the point, if the text of the Pentagon Papers were on diskette, they could not be converted into a functioning device simply by working with a computer for "an hour or so" (or for a thousand hours, for that matter). Those papers are pure information; plaintiff's source code diskette is not. Hence, export controls on encryption software are simply not comparable to the restriction on publishing national security information about the Vietnam War that was at issue in the Pentagon Papers case.

Plaintiff also argues that O'Brien applies only where the government is regulating "conduct," and "in this case there is no regulated conduct, only regulated speech." Id. at 13. This argument fails as well. O'Brien involved what is generally regarded as "conduct with speech elements" -- the burning of a draft card. However, the O'Brien standards apply not only in classic cases of "symbolic conduct," but whenever the government's regulation of speech is merely incidental to some governmental objective unrelated to expression. For example, O'Brien applies in cases where the government regulates the time, place, and manner of pure forms of speech (without any element of "conduct"), so long as the regulation is unrelated to content. [3] The test for whether O'Brien applies is based not on the "verbal or nonverbal nature of the expression," but instead on "the governmental interest at stake." See Texas v. Johnson, 491 U.S. 397, 406-07 (1989). O'Brien applies where, as here, the government interest is "unrelated to the suppression of expression." Id. at 407. Moreover, this case most certainly does involve conduct, not of "distributing information," Pl. Opp. at 13, but of exporting to foreign persons a device that, without significant difficulty, can be used to encrypt communications.

Plaintiff also argues that strict scrutiny should be applied because source is a "tool[] for facilitating human communication," much like "newsprint and ink," and that any regulation of such "tools of speech" is subject to strict scrutiny. Pl. Opp. at 11-12. On the contrary, there is no such First Amendment principle. If there were, every governmental regulation of ink, television, cable and postal services would be subject to strict scrutiny, even where such regulation is content-neutral. [4] Moreover, the source code diskette is quite different from newsprint, television, or other media by which ideas are conveyed. Export of the diskette would provide foreign recipients not with a tool for speech, but a tool that would help shield their communications from national security surveillance by the United States. Plaintiff has no constitutional right to assist foreign individuals or entities in avoiding U.S. intelligence collection.

In a related argument, plaintiff contends that "the Government cannot prohibit its citizens from communicating in code," which he likens to a "foreign language." Pl. Opp. at 12. Again, the issue before the Court is not whether plaintiff can "communicate in code" with foreigners, but whether he can provide them a device that can function to encrypt communications. Moreover, his analogy is an obvious stretch. While the Navaho language may once have been used for encryption purposes, Pl. Opp. at 12, n.13, it does not constitute a device containing instructions to a computer in the "C" programming language that allows a computer to be used for encrypted communications.

C. Control of Plaintiff's Diskette Satisfies the O'Brien Standards.
Plaintiff also addresses the O'Brien standards, and argues primarily that the fourth prong of O'Brien -- the "narrow tailoring" prong, see Def. Mem. at 32-33 -- is not satisfied. [5] Plaintiff contends that the ITAR's export controls are not narrowly tailored because "export of the encryption programs in the diskette, in fact, cannot threaten national security because the same programs are already widely available in other countries or are so 'weak' that they can be broken by the National Security Agency." Pl. Opp. at 15-16; 31-33. In support of his position, plaintiff provides a list of foreign computer sites where individuals with access to the Internet may be able to obtain certain cryptographic source codes and products. See Karn Declaration, Tabs A and B. Plaintiff also characterizes this issue as a material fact in dispute. He seeks discovery into whether and how the accessibility of some software on the Internet affects the national security interests in regulating export of software on diskette, and even into whether the NSA can decrypt information that has been encrypted by the algorithms. See Plaintiff's Statement of Material Facts Genuinely in Dispute, 2 and 3.

Plaintiff's contention can easily be rejected without delving into national security issues. Common sense demonstrates that, even if some source codes may be available abroad on the Internet, the government still has a compelling interest in seeking to control the unlimited availability of all encryption software for export. The unfettered availability of packaged, debugged encryption software from the United States -- such as that which Mr. Karn wishes to export -- can be expected to result in far more actual use of encryption overseas, and thereby complicate even more the signals intelligence mission of the United States. See Lowell Decl. 9; Crowell Decl. 4. Many foreign users would be more likely to trust and use encryption software coming directly from reputable sources, such as Mr. Karn or commercial software manufacturers (given, for example, the possibility of "bugs" or viruses in software made available through the on-line Internet). [6] But under plaintiff's reasoning, because of Internet availability of some encryption products, the door must be opened to the uncontrolled export of encryption software, in any medium, from any provider, by any means, and to any place or entity in the world. This would clearly expose the important governmental interests at stake to more harm. Hence, control of such exports satisfies the fourth part of the O'Brien standard, because it "'promotes a substantial government interest that would be achieved less effectively absent the regulation.'" Ward v. Rock Against Racism, 491 U.S. 781, 799 (1989) (citation omitted). See also Clark v. Community for Creative Non-Violence, 468 U.S. 288, 297 (1984).

Beyond this, as defendants have already pointed out, the policy bases underlying the governmental interest are not subject to judicial second-guessing. See Def. Mem. at 21-22. Courts have held that the national security or foreign policy basis for designating a commodity as subject to export controls is not a triable issue of fact, but a matter entrusted by the Constitution to the Congress and the President. [7]

Thus, whatever may be said about whether "speech" is at issue here, the national security aspects of this dispute -- the nature of the source codes on the diskette, the government's ability to decrypt communications which utilize them, and specific facts concerning their control -- are precisely the types of matters left to the discretion of the Executive branch. As the court put it in United States v. Martinez, 904 F.2d 601, 602 (11th Cir. 1990), a case that involved USML control over cryptographic equipment:

Neither the courts nor the parties are privy to reports of the intelligence services on which this decision, or decisions like it, may have been based. . . .
Martinez, 904 F.2d at 602. [8]

Plaintiff baldly declares, based on the fact of Internet availability of certain encryption software, as well as foreign availability of the printed codes in the book, that "there is no factual basis for NSA's contention that the export of the diskette at issue poses any additional threat to our national security." Karn Decl. 18. But plaintiff cannot possibly possess the breadth of knowledge, information, expertise, and judgment in intelligence matters available to the Executive branch related to encryption export control. [9]


Plaintiff makes two major arguments in support of his claim that it is arbitrary and capricious to control the export of his diskette when the Applied Cryptography book, which contains printed source codes, was not controlled. He argues first that the book and diskette have no "functional difference" and, hence, it is irrational to regulate one but not the other. Pl. Opp. at 2-7. Plaintiff seeks discovery and a "mini-trial" on this purported dispute of material fact. Id. at 7; 30-31. Second, plaintiff argues that if the book (with its printed source codes) were considered by the State Department to be in the "public domain" and exempt from export controls, so must the source code diskette. Id. at 21-26. Both arguments lack merit.
A. There is No Material Dispute of Fact as to Whether the Book and Diskette are "Functionally" Different.
The central argument plaintiff makes is that the source codes printed in the book can be utilized to encrypt communications on a computer, just as the same source codes on the diskette. See Karn Declaration 3-9. Plaintiff shows that he used the printed TRIPLE DES source code to encrypt the same sample text that NSA encrypted using the diskette. Karn Decl. 9; Crowell Decl. 14.

Plaintiff's argument substantially concedes many points defendants have made. Focusing on the diskette itself, defendants have shown that, with minimal effort, the diskette can be used to encrypt communications on a computer and, thus, is a functioning commodity included on the United States Munitions List. Def. Mem. at 24-25; Crowell Decl. 11-14. Defendants stated that, "whatever may be said about the source codes printed on paper in the book," the diskette unquestionably can be used to encrypt information. Def. Mem. at 27. For this reason, the diskette is subject to export controls.

What is more, defendants do not dispute plaintiff's principal contention that, in Deputy Director Crowell's words, "[u]ltimately, the technical impediments imposed by scanning can be overcome to create executable source code." Crowell Decl. 19. We agree that the encryption source codes at issue can function to encrypt information, including printed source codes that are successfully transformed into an electronic medium on a computer, corrected for errors, compiled, and tested properly. [10] But, as discussed below, there nonetheless is a rational basis for treating a ready-made, error-free, electronic diskette version of the source codes differently from the paper version -- namely, that it is more difficult to transform printed source code into an operating encryption program and, therefore, it is less likely that persons will use the book for such purposes rather than the diskette.

B. There is a Rational Basis for Controlling the Export of the Diskette Even if Part Five of Applied Cryptography was Not Controlled.
The plaintiff's own declaration supports the conclusion that there is a rational basis for more stringent export controls on the diskette than on the printed source codes. Mr. Karn candidly confirms virtually everything that NSA Deputy Director Crowell observed about the practical differences between the printed code and the diskette. On the issue of scanning, Deputy Director Crowell stated that scanning "technology, while improving, may not always produce error-free reproductions of the scanned material." Errors of character recognition that occurred in the scanning process "must be detected and corrected before compiling may begin and information encrypted." Crowell Decl. 16. Mr. Karn's own experience with the book confirms this.

For example, Mr. Karn states that after scanning the book into a computer, he "began correcting the scanner's many errors, such as mistaking the digit '0' for the letter 'O' or mistaking the vertical bar '|' for the letter 'I'." Karn Decl. 5. After correcting such errors, Mr. Karn states that the compiling process "immediately pointed out additional errors I had overlooked in my visual inspection so I could correct them by reference to the Book." Id. 6. Mr. Karn "also noticed several errors in the [TRIPLE DES] listing printed in the Book." Karn Decl. 6. See Crowell Decl. 7 (the accuracy of the printed source code must also be verified). Mr. Karn then tested the program but, "[u]nfortunately, the test did not succeed, meaning that at least one error went undetected by the compiler in either the code as printed in the Book or as scanned." Karn Decl. 7. After scrutinizing the code more closely, Mr. Karn said he found and easily corrected another error in the printed version of the source code. "However, it still did not produce correct results." Id. After another hour of searching, Mr. Karn finally located and corrected the error. Id.

Ultimately, Mr. Karn states that he was able to transform the printed source code into executable object code, as defendants acknowledged could be done. Crowell Decl. 19. But the work that he went through only confirms defendants' main point: it is much easier to insert a ready-made, error-free diskette into a computer and work from there to encrypt information, than it is to transform a book into a functioning encryption device.

The issue is not merely about how much time it would take someone with the same capability to carry out the procedures Mr. Karn undertook in order to execute the printed source code. [11] In assessing whether it is reasonable for the State Department to have focused on controlling export of the diskette, the critical question is whether a user would be more likely to obtain encryption software by:

OPTION (A): scanning the pages of source code from Part Five of the book into a computer (assuming the user had a scanner and OCR software); proof-reading closely for inevitable scanning errors; fixing any "bugs" in the printed version of the code (assuming the user has adequate enough expertise in "C" language and/or the specific source code as necessary to detect particular errors); and then using commercial software to compile the code; or

OPTION (B): inserting Mr. Karn's diskette into a computer; adding "input/output" routines to the source code; and then using commercial software to compile the code.

It is surely more reasonable to expect that individuals would rather use a diskette than to bother with what Mr. Karn went through in his demonstration. The diskette obviously facilitates the use of the codes to a much greater degree than the printed text, and therefore is much more likely to be used as an encryption device. Scanning does not "easily" render the printed codes "every bit as systems-ready and systems-friendly as the Diskette," as plaintiff suggests. See December 5, 1994 Appeal Letter, Tab 12 to Lowell Declaration. Hence, there is at least a reasonable basis for treating the export of the diskette as presenting a greater threat than export of the printed codes in the book. Certainly, that conclusion would not be so arbitrary and capricious as to violate due process.

C. The Public Domain Exception Does Not Apply to Encryption Software.
Plaintiff's long discussion as to why the ITAR's "public domain" exception should apply to his encryption software diskette, Pl. Opp. at 19-26, is unavailing. Plaintiff argues first that if the book (and, hence, the printed source code) was found to be in the "public domain," so must the diskette with its identical "information." Pl. Opp. at 19-20. This syllogism is without merit.

Even if plaintiff were correct that printed source code could "easily" be transformed into functioning encryption, that argues for re-visiting the issue of their status under the ITAR. But it does not follow that the State Department should, by virtue of how the book was treated, be obligated to treat the diskette as in the "public domain," freely exportable to anywhere in the world without any national security or foreign policy licensing controls. In other words, to the extent plaintiff is correct that printed source codes can ultimately function to encrypt information, this would arguably place both forms of the source code within Category XIII(b)(1) of the USML -- but it would not be a reason to exclude the diskette from the USML.

Indeed, plaintiff's theory seems to be akin to one of estoppel: that because the State Department treated the book and printed source codes as in the public domain, it is estopped from controlling the export of these source codes but must treat them as in the "public domain" in any medium -- notwithstanding that the diskette may readily function to encrypt communications. But an agency may make case-by-case determinations on such matters, particularly in highly technical areas. See Def. Mem. at 30 (quoting SEC v. Chenery Corp., 332 U.S. 194, 202-03 (1946)). The fact that the State Department has acted "one step at a time" does not mean that its decision to take the first step and control the diskette -- which plainly serves as an encryption device -- is arbitrary and capricious. As the Supreme Court has stated in applying the "rational basis" standard: "'[e]vils in the same field may be of different dimensions and proportions, requiring different remedies.'" Federal Communications Commission v. Beach Communications, Inc., 113 S.Ct. 2096, 2102 (1993) (quoting Williamson v. Lee Optical of Okla., Inc., 348 U.S. 483, 489 (1955). "Reforms may take one step at a time addressing itself to the phase of the problem which seems most acute to legislative mind.'" Id.

Next, to the extent plaintiff is arguing that, regardless of how the book was treated, the diskette should be treated as in the public domain in its own right, that too would be without merit. If encryption software could be freely exported once it was in the public domain in the United States, there would be little point to even having a Category XIII(b)(1), since the ITAR does not control the purely domestic dissemination of commodities, but their export. It obviously cannot be that the government could control a commodity for export only if it were suppressed domestically as well. The President unquestionably has broad authority in national security and foreign affairs, United States v. Curtiss-Wright Corporation, 299 U.S. 304, 319- 320 (1936), and this includes matters of international trade, which are "intimately involved with foreign affairs." American Association of Exporters and Importers v. United States, 751 F.2d 1239, 1248 (Fed. Cir. 1985). See also United States v. Yoshida International, Inc., 526 F.2d 560, 580 (C.C.P.A. 1975) ("[n]o one has a vested right to trade with foreign nations"). The President can control the export of a commodity for national security purposes, even if that commodity is available publicly in this country.

Beyond this, the treatment of encryption software as a defense article, and not as information in the public domain, is well-founded in the regulations. First, it is the definition of technical data in the ITAR that specifically mentions and excludes information in the public domain. See 22 C.F.R. 120.10(a)(5) (citing 22 C.F.R. 120.11). Reasonably construed, this means that the public domain provision is a regulatory exemption for information that would otherwise be treated as technical data subject to export licensing controls, particularly since the two provisions cross-reference each other.

In contrast, the definition of software in the ITAR provides that a person who wishes to export software only should "apply for a technical data license" unless that software "is specifically enumerated in Category XIII(b) -- in other words, unless it is cryptographic software. See 22 C.F.R. 121.8(f). Someone wishing to export cryptographic software should not apply for a technical data license. Most reasonably, this means that cryptographic software is not treated as technical data, for which the public domain exception applies. Hence, Assistant Secretary McNamara's statement that the public domain exception applies to information that would otherwise be considered "technical data," and not to cryptographic software, is well- founded. Tab 14 to Lowell Declaration at 1-2. And it is Assistant Secretary McNamara's interpretation of the regulations to which the Court owes deference, not plaintiff's. [12]

In addition, any notion that the public domain exception should apply to the export of a defense article, whenever such an export might also convey information, is likewise without merit. A particular export of a munition might be intended to communicate technical information as to how it works. For example, one could inform a foreign recipient as to how a gun works either by exporting its schematic design (technical data) or by exporting the gun itself (a defense article). But any informational aspect of, or intent to communicate through, the export of the gun itself would not make it any less an export of a defense article. In contrast, the public domain exemption is applicable to technical data because such data would otherwise be controlled for export solely for its informational value. This is not the case with a defense article that serves a specific function, such as plaintiff's software diskette.

Finally, plaintiff spends several pages discussing three opinions of the Department of Justice, Office of Legal Counsel, in which OLC advised the State Department that the ITAR provisions concerning the export of technical data could be broadly construed to encompass exchanges of scientific information protected by the First Amendment. See, e.g., Pl. Exh. No. 6, July 5, 1984 OLC Opinion at 1-2. [13] One of the OLC opinions concerned the export of information related to cryptography. See Pl. Exh. No. 6 (May, 11, 1978 OLC Decision). But, like all the OLC opinions, it concerned the technical data provisions of the ITAR, not encryption software. Export controls on technical data, unlike controls on encryption software, are premised on such data's informational value, and the First Amendment analysis is that described by OLC. For reasons defendants have detailed, because encryption software is much more than "information," it is not treated merely as technical data under the ITAR. Hence, OLC's analysis of the technical data provisions, which the State Department has expressly stated that it follows, [14] does not apply to a functioning commodity such as encryption software.


Plaintiff's final argument is that Section 2778(h) of the Arms Export Control Act, 22 U.S.C. 2778(h), precludes judicial review only of "whether a category of items should have been placed on the USML," but not a specific designation such as for plaintiff's diskette. Pl. Opp. at 34. This argument is without merit.

The obvious practical flaw in plaintiff's argument is that the President and his designees could, without review, simply broaden the categories by listing specific items. But even if plaintiff were correct in his reading of Section 2778(h), plaintiff does not dispute that his diskette is cryptographic software with the capability of maintaining secrecy. See Karn Decl. 9, 14. It therefore falls squarely within Category XIII(b)(1) of the USML. Whatever legal arguments plaintiff presents, this case unquestionably involves judicial review of the designation of a defense article.

Also, contrary to plaintiff's contention, the preclusion of review in Section 2778(h) is most reasonably construed to extend to specific determinations, and not just general munition "categories." An item is designated as a defense article if the President determines that this would be "in furtherance of world peace and the security and foreign policy of the United States." 22 U.S.C. 2778(a)(1). It would make no sense to think that judicial review would not be available as to whether a general category of munitions was controlled in furtherance of world peace and national security, but that courts would have the capacity to decide whether a specific designation met this discretionary policy standard. [15]


For the foregoing reasons, defendants' motion to dismiss or, in the alternative, for summary judgment should be granted.
					Respectfully Submitted, 

					Assistant Attorney General
					United States Attorney

					Deputy Branch Director


					Trial Attorney
					U.S. Department of Justice
					Civil Division - Federal Programs Branch
					901 E Street, N.W. - Room 1084
					Washington, D.C.  20530
					(202) 514-4782

					Attorneys for the Defendants. 

Date: December 18, 1995.


I hereby certify that on December 18, 1995, the foregoing Reply Memorandum of Points and Authorities in Further Support of Defendants' Motion to Dismiss or, in the Alternative, for Summary Judgment, was served by hand-delivery, on:
		Kenneth C. Bass, III
		Thomas J. Cooper
		Teresa Trissell
		1201 New York Avenue, N.W.  Suite 1000
		Washington, D.C.  20005


1. Plaintiff also says diskette contains mere "text on mylar," Pl. Opp. at 9, and that its "sole function" is to "store textual information." Id. at 5.

2.The first step, the development of "input and output" routines, is not a significant task. Crowell Decl. 12. The next step, using a commercial program to "compile" the source code into object code, Pl. Opp. at 5, is also trivial. Such a program can easily be loaded by "ordinary users" into their home computer. Compiling is then done automatically in a matter of seconds. Id. 13. The third step of "running" the program -- typing commands to cause the program to encrypt or decrypt information, Pl. Opp. at 5, is not a matter of "programming" the source code to make it "operational." This is using the software to encrypt information. That is surely something an "ordinary user" of encryption would be able to do (otherwise there would be no point in their buying the software).

3. See, e.g., Ward v. Rock Against Racism, 491 U.S. 781, 797-98 (1989); City Council of Los Angeles v. Taxpayers for Vincent, 466 U.S. 789, 803-05 (1984).

4. The authority plaintiff cites for this principle Minneapolis Star & Tribune Co. v. Comm'r of Revenue, 460 U.S. 575, 582 (1983), stands for no such thing. The tax at issue there was subjected to strict scrutiny because it "singled out the press for special treatment" and "targeted a small group of newspapers." Leathers v. Medlock, 499 U.S. 439, 445-46 (1991). See also Walsh v. Brady, 927 F.2d 1229, 1236 (D.C. Cir. 1991). This case does not implicate such issues of disparate treatment: the regulation of cryptographic software is content-neutral and does not single out any group for disfavored treatment.

5. Plaintiff makes a cursory reference to the third part of the O'Brien test, which concerns whether the governmental interest "is unrelated to the suppression of free expression." O'Brien, 391 U.S. at 377. Pl. Opp. at 15. While he argues that his source code diskette constitutes "pure speech," plaintiff must concede that the governmental interest at stake -- to protect the United States' foreign intelligence capabilities -- is unrelated to suppressing plaintiff's speech.

6. Indeed, the fact that there may be a market demand for Mr. Karn's diskette, notwithstanding the availability of source code on the Internet, indicates that his and other products like it would be preferable to some foreign users over software obtained from Internet.

7. United States v. Spawr Optical Research, Inc., 864 F.2d 1467, 1473 (9th Cir. 1988), cert. denied, 493 U.S. 809 (1989); United States v. Mandel, 914 F.2d 1215, 1223 (9th Cir. 1990) (discovery barred into whether export of a commodity would make a significant contribution to the military potential of other countries); United States v. Moller-Butcher, 560 F. Supp. 550, 553 (D. Mass. 1983) (Secretary of Commerce has "the final word" on whether an item designated on the CCL would prove detrimental to the national security of the United States).

8. Information concerning the NSA's ability to break codes is among the most highly classified national security information, and cannot be subject to discovery. See, e.g., Halkin v. Helms, 598 F.2d 1, 8 (D.C. Cir. 1978) (upholding state secrets privilege on information related to NSA's collection of intelligence). If such information is essential, then where its unavailability precludes a party from establishing a legal position on the ultimate issues in a case, the case must be dismissed. See, e.g., Fitzgerald v. Penthouse Int'l, 776 F.2d 1236, 1241 (4th Cir. 1985).

9. One issue concerning the diskette is not in dispute, although not material as well. Plaintiff is correct that some of the source codes on the diskette, by themselves, do not maintain data confidentiality, but are "hash" algorithms for "data authentication" purposes. These are MD5, N-HASH, and SHS. See Joint Statement of Facts Not in Dispute 34. Such "hash" data authentication source codes are not at issue in this case, but were included by Mr. Karn on the same diskette that contains source codes that do maintain secrecy of information and fall within Category XIII(b)(1) (such as DES and TRIPLE DES).

10. Hence, there is no need for discovery or a "mini-trial" on this point. Moreover, under the very deferential rational basis standard of review, plaintiff is not entitled to courtroom fact- finding, but the regulatory action must be upheld if there is at least a conceivable basis for it. See Steffan v. Perry, 41 F.3d 677, 684-87 (D.C. Cir. 1994).

11. Of course, someone with less expertise could not successfully complete the task in the 3.5 hours it took Mr. Karn, let alone the 5 hours he believes it would take if the code was manually typed. See Karn Decl. 10, 16.

12. See A.L. Pharma, Inc. v. Shalala, 62 F.3d 1484, 1490 (D.C. Cir. 1995); American Medical International, Inc. v. HEW, 466 F.Supp. 605, 619 n. 9 (D.D.C. 1979) (Richey, J.) ("While deference is normally accorded an agency's expertise in interpreting a statute enacted by Congress, . . . such deference should certainly be accorded the agency's interpretation of its own regulation").

13. OLC advised that the export of technical data could be controlled consistent with the Constitution where such export is directly related to the provision of technical assistance to a foreign national or entity. OLC's analysis is consistent with the decision by the Court of Appeals for the Ninth Circuit in United States v. Edler Industries, Inc., 579 F.2d 516 (9th Cir. 1978). See Pl. Exh. No. 6, July 5, 1984 OLC opinion at 2.

14. A few months after the 1984 OLC opinion, the State Department indicated that its practice concerning the export of technical data would be consistent with Edler (and hence with OLC's advice). See Preamble to Revisions of International Traffic in Arms Regulations (Final Rule) 49 Fed. Reg. 47682, 47683 (Dec. 6, 1984).

15. See Spawr Optical, 864 F.2d at 1472 (whether the defendant's laser mirrors at issue were covered by the CCL not reviewable); Mandel, 914 F.2d at 1218 (discovery barred into whether the "items listed in the indictment" were on the CCL since designation was non-reviewable). The fact that these were criminal proceedings, Pl. Opp. at 39, favors defendants' position. If a court could not review the specific designation of a commodity as subject to export controls when a person's very liberty was at stake, review is equally impermissible where the administrative action at issue is simply whether export of a commodity is subject to the licensing jurisdiction of either the State or Commerce Departments.