________________________________________ ) PHILIP R. KARN, Jr. ) ) Plaintiff, ) ) Civ. A. No. 95-1812(CRR) v. ) ) (Judge Charles R. Richey) U.S. DEPARTMENT OF STATE, and ) THOMAS E. MCNAMARA, ) ) Defendants. ) ) ________________________________________)
I, Philip R. Zimmermann, do hereby state and declare as follows:
1. I reside at 3021 Eleventh Street in Boulder, Colorado. I have lived in Boulder since 1978 and am an independent software engineer and developer of cryptographic products.
2. I have devoted much of my professional career to the development and understanding of computer programs for the encryption of data and electronic mail that will allow individuals a high degree of privacy in their communications.
3. In 1991, I developed software known as PGP (The term "PGP" stands for Pretty Good Privacy). PGP combines the convenience of the Rivest-Shamir-Adleman (RSA) public key cryptosystem with the speed of fast conventional cryptographic algorithms, fast message digest algorithms, data compression, and sophisticated key management.
4. PGP can be used to encrypt files on a computer with a password; to encrypt electronic mail and to "sign" documents with a tamper-proof digital signature to prevent forgeries and modifications.
5. I am the author of PGP: Source Code and Internals, a book published by the Massachusetts Institute of Technology Press. The book was published in March of 1995. It is priced at $55. It has ISBN 0-262-24039-4.
6. On January 24, 1995, the MIT Press submitted a Commodity Jurisdiction Request to the Office of Defense Trade Controls in the U.S. Department of State regarding the book. The purpose of the Request was to confirm MIT's conclusion that the book was not subject to export controls under the International Traffic in Arms Regulations ("the ITAR"). To date, there has been no response to the Request.
7. This Request indicated that the book set out the source code for PGP (Version 2.6.2), and it contains the latest version of PGP. It went on to note that the source code in the book is all the code that is required for a full implementation of the PGP applications. The Request also stated that the source code is printed in the book in a standard font so that it can be read by humans. The font used is also capable of being scanned by computer scanners. If the source code were scanned in and then run through a compiler program, it would be translated into an executable application or object code, which could then be read and executed by a computer to encrypt text and binary files.
8. The Request stated that the book is within the definition of the term "public domain" in the ITAR and that it is not subject to the export control jurisdiction of the Department of State.
9. I have reviewed portions of the Memorandum of Points and Authorities filed by the U.S. Department of Justice in support their Motion to Dismiss, or in the alternative for Summary Judgment in the case of Philip R. Karn, Jr. v. U.S. Department of State. More particularly, I reviewed the statement on page 28 of the memorandum that indicated that the Government may reconsider the export control status of cryptographic printed source codes, i.e., source codes that are printed in books or journals. I also reviewed footnote 22 on page 28, which indicated that "the status under the USML of source codes printed in a book is again under consideration by the State Department through another pending CJ [commodity jurisdiction] request."
10. I believe that the commodity jurisdiction request referred on page 28 of the Justice filing is the one which was filed by MIT Press for my book, PGP: Source Code and Internals. I am further informally advised that the National Security Agency has considered the Request and recommended that the book be controlled for export under the ITAR and that the Department of Commerce has recommended that it not be subject to ITAR controls.
I declare under penalty of perjury that the foregoing is true and correct.
[signed] Philip R. Zimmermann Date: December ,1995