IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA

________________________________________
					)
PHILIP R. KARN, Jr.			)
					)
		Plaintiff,		)
					)	Civ. A. No. 95-1812(CRR)
	v.				)
					)	(Judge Charles R. Richey)
U.S. DEPARTMENT OF STATE, and		)
THOMAS E. MCNAMARA,			)
					)
		 Defendants.		)
					)
________________________________________)

Plaintiff's Supplemental Memorandum in Opposition to Defendants' Motion to Dismiss or, in the Alternative, for Summary Judgment

Plaintiff submits this memorandum to correct what we believe are significant mischaracterizations of the record in the Defendants' Reply Memorandum filed December 18, 1995. We confine this submission to those misstatements and to pointing out the lack of any evidentiary support for many of the defendants' factual contentions. [1]

I. Defendants Have Mischaracterized Important Aspects of Our Position on Central Technical Issues of Fact

By taking selected quotations out of context, the defendants have distorted our position in at least three significant respects. They state that "plaintiff concedes that source code on his diskette is, with a few additional steps, part of 'an operating [encryption] program.'" (Defs. Reply at 1, emphasis added) That is not what we said, and a full quotation of our statement reveals the significant difference: "The information on the diskette can be converted into an operating program, but only through a process that requires at least three additional programming steps." (Pl. Opp. at 5, emphasis added) Our submission did not make the concession suggested by the defendants, but in fact asserted precisely the opposite factual contention: neither the diskette nor the book contains any "operating encryption program" and without the investment of time and significant programming skills, the source code listings at issue have absolutely no value or function beyond the information they communicate to a human being. The distinction between the defendants' articulation and ours goes to the heart of this case and illustrates why summary disposition is inappropriate.

The defendants understandably try to equate these source codes to an "operating encryption program" at every opportunity. They state, without evidentiary support, that export of the disk "would give foreigners a device that can be used to encrypt in 'a[n] hour or so'" (Defs. Reply at 7) when in fact the export of the diskette, in and of itself, would not add one bit of source code material to the library of information already available to any foreigner with the requisite programming skills and would not, in and of itself, give foreigners any device, much less an encryption device.

In yet another mischaracterization of the facts, defendants describe the diskette as "packaged, debugged encryption software," (Defs. Reply at 11) thus implying that all a recipient of the diskette has to do is shove it into the disk drive and "bingo," plaintext becomes encrypted. That image, as the defendants themselves must in candor acknowledge, is inaccurate. No individual, other than persons with specialized programming skills, can make any use whatsoever of the diskette, even with a computer, except to read from the computer screen exactly the same information that they can read in Part Five of the book. While source code listings are defined, at least by the plaintiff and other programmers, as "software," no qualified witness has, or we believe would, state that the diskette itself contains a functioning encryption program.

The substantial practical difference between computer source codes and an "operating program" lies at the heart of this dispute. If, as plaintiff contends, source code functions only to impart information to human beings that can be used, like a set of mechanical drawings for tanks, as part of a process of building a functioning program, then there can be little doubt that this case involves "pure speech" and not the export of any "device." If, as the defendants repeatedly and mistakenly imply, this diskette "functions" as an "operating encryption program" then the Court's analysis of the legal issues might well begin from a significantly different perspective.

Defendants engage in yet a third distortion of our position by stating that "plaintiff himself recognizes the national security interest in controlling the diskette, in stating his belief that widespread use of one code on the disk . . . could significantly reduce the ability of the [National Security Agency] to gather foreign intelligence." (Defs. Reply at 1, emphasis added) Once again we made precisely the opposite point. [2] The full quotation from our submission is unambiguous:

We acknowledge that at least one of the cyphers, IDEA, may well be strong enough that it cannot be routinely or economically broken by NSA and that widespread use of IDEA to encrypt messages could significantly reduce the ability of NSA to gather foreign intelligence. That probability, however, still does not mean that export of the IDEA encryption algorithm would pose any threat to the national security. The IDEA algorithm is already widely available throughout the world, in a fully-executable object code form, as part of the Pretty Good Privacy ("PGP") software. (Pl. Opp. at 32, emphasis added)

In short, we did not say what defendants say we said.

II. The Defendants' Reply Memorandum is Replete With Unsupported Factual Assertions

The defendants' Reply Memorandum is replete with factual assertions that have no evidentiary basis in the record. We respectfully submit that these repeated assertions illustrate why a mini-trial is necessary in order for this Court to develop an adequate record for purposes of deciding the novel issues raised in this case.

The Reply Memorandum contains at least 10 assertions of "pure facts" that are devoid of any evidentiary support in the record. Even more significantly, all of these assertions are in fact simply wrong.

The unsupported factual allegations include:

  1. Export of the diskette "would present a far greater threat to national security than does the appearance of some source code on the Internet." (Defs. Reply at 3) --- In fact the Internet is one of the primary means of facilitating exchange of information among cryptographers. See Supplemental Karn Declaration ¶ 2. Indeed a source code posted on a publicly-accessible "file transfer protocol" ("ftp") site is far easier to obtain and use than is a physical diskette that must be shipped or mailed through physical means. Id. By far the easiest way for a programmer to acquire cryptographic source codes is by direct computer-to-computer, disk-to-disk file transfers over the Internet. Physical shipment of the diskette is a far less efficient means of "spreading crypto" than is the Internet. Id. For example, Mr. Karn, using the searching features of the Internet World Wide Web, located the entire contents of the Applied Cryptography diskette at issue in this case on a public Internet site in Italy. Id. That Internet file included the exact same "Triple DES" source code that was the subject of the demonstrations in the Crowell and Karn declarations. Id. Locating the file took about 10 minutes. Id. It then took Mr. Karn only 1.7 seconds to transfer the file directly from the computer in Italy to his personal computer in San Diego, California. Id. This proves that Internet access is a more efficient means of acquiring a digital copy of the source codes than is the diskette. Anyone connected to the Internet anywhere in the world can obtain this code quickly and easily. Id.

  2. The development of input/output routines is "not a significant task." (Defs. Reply at 5, n. 2) --- Whether a task is "significant" or not depends at least in part on the skills of the person performing it. Creation of input/output routines requires an understanding of computer programming that is not within the ken of the vast number of computer users. More significantly, the simple "test program" that NSA and Mr. Karn have demonstrated in this proceeding is by no means a fully-developed encryption program that would be used, in the real world, for encryption purposes. See Supplemental Karn Declaration ¶ 3. Practical programs require the design of sophisticated key-generation, key-management, user interface and input/output routines. Id. These additional routines are far more substantial, in terms of programming time, than the encryption algorithm alone. For example, the printed source code for PGP is 895 full pages in length. The encryption algorithm for that program, IDEA, takes only 16 pages. Id.

  3. Conveying information is unlikely to be even an incidental purpose of the diskette. (Defs. Reply at 6) --- As we previously noted, the diskette contains source code comments which have absolutely no function except to convey information to a human being. See Plaintiff's Opposition at 4; Plaintiff's Exhibits 3 and 4. Those comments are "ignored" by a compiler program and have value only as information capable of being understood and used by a human programmer. See Supplemental Karn Declaration ¶ 4.

  4. The "principal function" of the diskette is "to serve as a physical device that can be used to encrypt information." (Defs. Reply at 7) --- The diskette simply cannot be used to encrypt anything. It isn't a "device" that functions to do anything. It is simply information in a form that can be "read" both by humans and computer compiling programs which, when used by skilled programmers, can be changed into a functioning program that does encrypt information, just as mechanical drawings can be used to make armaments. See Supplemental Karn Declaration ¶ 5.

  5. "Export of the diskette would provide foreign recipients with . . . a tool that would help shield their communications from national security surveillance by the United States." (Defs. Reply at 9) --- There is a substantial difference between the acknowledged fact that a "skilled programmer" can use the diskette to produce a "functioning encryption device" and the implication by the defendants that exporting the diskette would transform every foreigner with a PC into an encryption-ready communicator whose e-mail would threaten national security. The defendants' assertion ignores the indisputable fact that fully functioning encryption programs, as well as the entire contents of the diskette at issue, are already widely available in foreign countries, an availability that makes the restrictions on this diskette immaterial with regard to the ability of foreigners to shield communications from surveillance. [3] See Supplemental Karn Decl. ¶ 6.

  6. The diskette is "packaged, debugged encryption software." (Defs. Reply at 11) --- The repetition of this mistaken implication that the diskette can, by itself, act as an encryption program would be dispelled by a simple in-court evidentiary presentation.

  7. The exportability of this diskette "can be expected to result in far more actual use of encryption overseas." (Defs. Reply at 11) --- Given the pre-existing worldwide availability of fully-functioning encryption programs, in addition to the widespread availability of many of the source codes at issue in digital (computer-readable) form, a balanced consideration of the testimony of experts at a mini-trial would, we submit, conclusively show that the impact of the export of this diskette would be minimal, if not non-existent. This purely factual prognostication is a good example of why the Executive Branch's unsworn and unexamined assertions cannot serve as an adequate factual foundation for an informed judicial decision.

  8. "Many foreign users would be more likely to trust and use encryption software coming directly from reputable sources" than to use the programs available on the Internet. (Defs. Reply at 11) --- This precise argument was made by Clinton Brooks, a high-ranking NSA employee, at a 1995 conference in Washington, D.C. which was also attended by Mr. Karn. See Supplemental Karn Declaration ¶ 7. At that meeting Mr. Karn explained why fully documented programs with published source code, such as the PGP program that is available over the Internet, are often considered by cryptographers to be more reliable and "trustworthy" than the programs available directly from software manufacturers. Id. The basic fallacy in Mr. Brooks' argument is that the best way to know that an encryption program does not have a "hidden back door" or virus that makes it insecure is to make the source code available for public inspection and allow users to recompile it for themselves. Id. Anyone who buys a commercial encryption program necessarily places their trust in the integrity and competence of the software manufacturer. Id. The importance of inspecting cryptographic source code and not simply using executable programs is illustrated by the fact that the United States Government apparently insists on obtaining and inspecting the source code of every program that it procures for use in secure, or classified, environments. Id.

  9. Export of the diskette "would clearly expose the important governmental interests at stake to more harm." (Defs. Reply at 12) --- This unsupported ipse dixit stands as a simple assertion of counsel, unsupported by any declaration. No NSA official has stated that the export of this diskette poses any increased threat to any governmental interest. We sincerely submit that such an assertion, were it to be made, could not withstand judicial scrutiny. The Defendants' submission in this case is a bald claim that Executive Branch assertions of potential harm are beyond judicial competence to evaluate and that, because this is a national security issue, it is not a triable issue of fact. The contention is wrong as a matter of fact and law. It will not require any disclosure of classified information for the plaintiff to prove, at trial, that the pre-existing worldwide availability of functioning encryption programs as well as source codes renders the export of this diskette immaterial with respect to any realistic concerns of national security.

  10. "Plaintiff cannot possibly possess the breadth of knowledge, information, expertise, and judgment" necessary to determine impact of export of this diskette on national security. (Defs. Reply at 13) --- It is not necessary to know any classified information to know that the export of this diskette does not add one iota of meaningful source code to the wealth of information already publicly available. Mr. Karn is personally qualified to testify as to the public availability of these and other source codes and compiled, fully-functioning programs. He is equally qualified to express an expert opinion on the absence of any marginal increase in the "cryptographic database" from export of this diskette. Moreover, our proof at the trial will not rest on Mr. Karn's testimony alone, but will include live testimony from others, perhaps including former NSA officials and nationally-recognized authorities, about the present state of availability of computer cryptography outside the United States and the comparative significance, or lack thereof, of this diskette. This will not, as defendants suggest, be a case where national security concerns will render plaintiff's proof "unavailable". (See Defs. Reply at 13, n. 8) Furthermore, it is not the law that the Executive Branch can simply intone the talismanic phrase "national security" and immunize their regulation of communications from judicial scrutiny. The Supreme Court did not bow blindly to that argument in the Pentagon Papers case and for good reason. We submit that the evidence presented in a mini-trial will prove that exports of this diskette do not pose any additional threat to national security.

These 10 unsupported factual assertions, almost all of which happen to be simply wrong, amply demonstrate why there are material facts in dispute and this matter is not ripe for summary determination.

Conclusion

For the reasons stated in our Opposition and this Response, as supported by the declarations and exhibits of record, the Defendants' Motion to Dismiss or, in the Alternative, for Summary Judgment, should be denied.

						Respectfully submitted,
						______________________________
Of Counsel					Kenneth C. Bass, III
  Teresa Dondlinger Trissell			Thomas J. Cooper
						Venable, Baetjer, Howard &
						  Civiletti, LLP
						1201 New York Avenue, N.W.
						Suite 1100
						Washington, D.C.   20005
						(202) 962-4890

Date:  December 22, 1995			Counsel for Plaintiff

Footnotes

1 Defendants' Reply contains a number of legal arguments with which we do not agree, particularly the defendants' construction of the O'Brien decision and the role of this Court in cases involving national security. We will not prolong this submission by responding to those arguments, believing that such a response is more appropriate for the oral argument.

2 The statement in our memorandum is more accurately described as a "contention of counsel" than as a personal "recognition" of Mr. Karn's.

3 The Executive Branch, at the insistence of the Congress, has undertaken a comprehensive survey of the foreign availability of foreign cryptography, but has to date declined to make that study available publicly.