bernstein-9th.htm
cca07e54f19a409255f9dce1a79742beff07c4d5408d889683727914144aa6e8<!-- Lotus-Domino (Release 4.6.4 - March 23, 1999 on Windows NT/Intel) -->
<HTML>
<HEAD>
<TITLE>Bernstein-v-USDOJ - 9th Circuit Opinion</TITLE>
</HEAD>
<BODY TEXT="000000" BGCOLOR="ffffff">
<P>
6 May 1999. Thanks to CC.<BR>
Source:
<A HREF="http://www.ce9.uscourts.gov/web/newopinions.nsf/f606ac175e010d64882566eb00658118/febd2452a8a4d79b8825676900685b71?OpenDocument">http://www.ce9.uscourts.gov/web/newopinions.nsf/f606ac175e010d64882566eb00658118/febd2452a8a4d79b8825676900685b71?OpenDocument</A>
<P>
<HR>
<BR>
<B><FONT SIZE=2 FACE="Arial">Office of the Circuit Executive</FONT></B>
<TABLE BORDER=0 CELLSPACING=0>
<TR VALIGN=top>
<TD WIDTH="576" BGCOLOR="000080"><FONT SIZE=5 COLOR="ffffff" FACE="Arial">
U.S. Court of Appeals for the Ninth Circuit </FONT></TD>
</TR>
</TABLE>
<TABLE BORDER=0 CELLSPACING=0>
<TR VALIGN=top>
<TD WIDTH="576" BGCOLOR="f7f7f7" COLSPAN=2><FONT SIZE=2 COLOR="000080" FACE="Times New Roman">
<HR>
</FONT></TD>
</TR>
<TR VALIGN=top>
<TD WIDTH="576" BGCOLOR="f7f7f7" ROWSPAN=2 COLSPAN=2><FONT SIZE=2 COLOR="000080"
FACE="Times New Roman">Case Name:</FONT><BR>
<FONT SIZE=4 COLOR="000080" FACE="Arial">BERNSTEIN V USDOJ</FONT></TD>
</TR>
<TR>
</TR>
<TR VALIGN=top>
<TD WIDTH="202" BGCOLOR="f7f7f7"><FONT SIZE=2 COLOR="000080" FACE="Times New Roman">Case
Number:</FONT></TD>
<TD WIDTH="374" BGCOLOR="f7f7f7"><FONT SIZE=2 COLOR="000080" FACE="Times New Roman">Date
Filed:</FONT></TD>
</TR>
<TR VALIGN=top>
<TD WIDTH="202" BGCOLOR="f7f7f7"><FONT SIZE=4 COLOR="000080" FACE="Arial">97-16686</FONT></TD>
<TD WIDTH="374" BGCOLOR="f7f7f7"><FONT SIZE=4 COLOR="000080" FACE="Arial">05/06/99</FONT></TD>
</TR>
<TR VALIGN=top>
<TD WIDTH="576" BGCOLOR="f7f7f7" COLSPAN=2><FONT COLOR="000080" FACE="Times New Roman">
<HR>
</FONT></TD>
</TR>
</TABLE>
<P>
<BR>
<TT>FOR PUBLICATION</TT><BR>
<BR>
<TT>UNITED STATES COURT OF APPEALS</TT><BR>
<BR>
<TT>FOR THE NINTH CIRCUIT</TT><BR>
<BR>
<TT>DANIEL J. BERNSTEIN,<BR>
Plaintiff-Appellee,</TT><BR>
<BR>
<TT>v.</TT><BR>
<BR>
<TT>UNITED STATES DEPARTMENT OF<BR>
JUSTICE; UNITED STATES<BR>
DEPARTMENT OF COMMERCE;<BR>
DEPARTMENT OF STATE; UNITED STATES<BR>
DEPARTMENT OF DEFENSE; UNITED<BR>
STATES ARMS CONTROL AND<BR>
DISARMANENT AGENCY; NATIONAL<BR>
SECURITY AGENCY; UNITED STATES<BR>
No. 97-16686<BR>
DEPARTMENT OF ENERGY; CENTRAL<BR>
D.C. No.<BR>
INTELLIGENCE AGENCY; MADELINE E.<BR>
CV-97-00582<BR>
ALBRIGHT, United States Secretary of<BR>
MHP<BR>
State; WILLIAM M. DALEY, United<BR>
States Secretary of Commerce;
OPINION<BR>
WILLIAM COHEN, United States<BR>
Secretary of Defense; KENNETH A.<BR>
MINIHAN, Director, United States<BR>
National Security Agency; JOHN B.<BR>
HOLUM, Director, United States Arms<BR>
Control and Disarmanent Agency;<BR>
WILLIAM G. ROBINSON; GARY M.<BR>
ONCALE; AMBASSADOR MICHAEL<BR>
NEWLIN; CHARLES RAY; MARK KORO;<BR>
GREG STARK; DOES 1-100,<BR>
Defendants-Appellants.</TT><BR>
<BR>
<TT>Appeal from the United States District Court<BR>
for the Northern District of California</TT><BR>
<BR>
<TT>Marilyn Hall Patel, District Judge, Presiding</TT><BR>
<BR>
<TT>
4215<BR>
</TT><BR>
<BR>
<TT>Argued and Submitted<BR>
December 8, 1997--San Francisco, California</TT><BR>
<BR>
<TT>Filed May 6, 1999</TT><BR>
<BR>
<TT>Before: Myron H. Bright,* Betty B. Fletcher, and<BR>
Thomas G. Nelson, Circuit Judges.</TT><BR>
<BR>
<TT>Opinion by Judge B. Fletcher; Concurrence by<BR>
Judge Bright; Dissent by Judge T.G. Nelson</TT><BR>
<BR>
<BR>
<BR>
<BR>
<TT>
4251</TT><BR>
<TT>COUNSEL</TT><BR>
<BR>
<TT>Scott R. McIntosh (argued), Douglas N. Letter, United States<BR>
Department of Justice, Washington, D.C., for the defendants-<BR>
appellants.</TT><BR>
<BR>
<TT>Cindy A. Cohn (argued), McGlashan & Sarrail, San Mateo,<BR>
California, and Lee Tien, Berkeley, California, for the<BR>
plaintiff-appellee.</TT><BR>
<BR>
<TT>Ivan K. Fong, Covington & Burling, Washington, D.C., for<BR>
amicus curiae Electronic Privacy Information Center; Ameri-<BR>
can Civil Liberties Union; American Civil Liberties Union of<BR>
Northern California; Center For Democracy and Technology;<BR>
Computer Professionals for Social Responsibility; Economic<BR>
Strategy Institute; Free Congress Research and Education<BR>
Foundation; Human Rights Watch; Independence Institute;<BR>
International Information System Security Certification Con-<BR>
sortium; Internet Mail Consortium; Internet Society; National<BR>
Association of Manufacturers; Privacy International; U.S.<BR>
Public Policy Committee of the Association for Computing;<BR>
Dr. Whitfield Diffie; Dr. Peter Neumann; and Dr. Ronald<BR>
Rivest.</TT><BR>
<BR>
<TT>Garrett Epps, University of Oregon School of Law, Eugene,<BR>
Oregon, for amicus curiae Silicon Valley Software Industry<BR>
Coalition; Professor Keith Aoki; Professor Margreth Barrett;<BR>
Professor James Boyle; Professor Garrett Epps; Professor<BR>
Peter Jaszi; Professor David Lange; and Professor Eugene<BR>
Volokh.</TT><BR>
<BR>
<TT>Brian Conboy, Wilkie Farr & Gallagher, Washington, D.C.,<BR>
for amicus curiae Maynard Anderson; D. James Bidzos;</TT><BR>
<BR>
<TT>
4221<BR>
</TT><BR>
<BR>
<TT>National Computer Security Association; Mark Rasch; RSA<BR>
Data Security, Inc.; Dr. Eugene Spafford; and Dr. Ross<BR>
Stapleton-Gray.</TT><BR>
<BR>
<TT>J. Joshua Wheeler, Charlottesville, Virginia, for amicus<BR>
curiae Thomas Jefferson Center for the Protection of Free<BR>
Expression.</TT><BR>
<BR>
<TT>Richard D. Marks, Vinson & Elkins, Washington, D.C., for<BR>
amicus curiae Association for the Advancement of Science.</TT><BR>
<BR>
<TT>_________________________________________________________________</TT><BR>
<TT>OPINION</TT><BR>
<BR>
<TT>B. FLETCHER, Circuit Judge:</TT><BR>
<BR>
<TT>The government defendants appeal the grant of summary<BR>
judgment to the plaintiff, Professor Daniel J. Bernstein<BR>
("Bernstein"), enjoining the enforcement of certain Export<BR>
Administration Regulations ("EAR") that limit Bernstein's<BR>
ability to distribute encryption software. We find that the<BR>
EAR regulations (1) operate as a prepublication licensing<BR>
scheme that burdens scientific expression, (2) vest boundless<BR>
discretion in government officials, and (3) lack adequate pro-<BR>
cedural safeguards. Consequently, we hold that the challenged<BR>
regulations constitute a prior restraint on speech that offends<BR>
the First Amendment. Although we employ a somewhat nar-<BR>
rower rationale than did the district court, its judgment is<BR>
accordingly affirmed.</TT><BR>
<BR>
<TT>BACKGROUND</TT><BR>
<BR>
<TT>A. Facts and Procedural History</TT><BR>
<BR>
<TT>Bernstein is currently a professor in the Department of<BR>
Mathematics, Statistics, and Computer Science at the Univer-<BR>
sity of Illinois at Chicago. As a doctoral candidate at the Uni-</TT><BR>
<BR>
<TT>
4222<BR>
</TT><BR>
<BR>
<TT>versity of California, Berkeley, he developed an encryption<BR>
method -- "a zero-delay private-key stream encryptor based<BR>
upon a one-way hash function"1 -- that he dubbed "Snuffle."<BR>
Bernstein described his method in two ways: in a paper con-<BR>
taining analysis and mathematical equations (the "Paper") and<BR>
in two computer programs written in "C," a high-level com-<BR>
puter programming language ("Source Code"). Bernstein later<BR>
wrote a set of instructions in English (the "Instructions")<BR>
explaining how to program a computer to encrypt and decrypt<BR>
data utilizing a one-way hash function, essentially translating<BR>
verbatim his Source Code into prose form.</TT><BR>
<BR>
<TT>Seeking to present his work on Snuffle within the academic<BR>
and scientific communities, Bernstein asked the State Depart-<BR>
ment whether he needed a license to publish Snuffle in any of<BR>
its various forms. The State Department responded that Snuf-<BR>
fle was a munition under the International Traffic in Arms<BR>
Regulations ("ITAR"), and that Bernstein would need a<BR>
license to "export" the Paper, the Source Code, or the<BR>
Instructions.2 There followed a protracted and unproductive<BR>
series of letter communications between Bernstein and the<BR>
government, wherein Bernstein unsuccessfully attempted to<BR>
_________________________________________________________________<BR>
1 The term "hash function" describes a function that transforms an input<BR>
into a unique output of fixed (and usually smaller) size that is dependent<BR>
on the input. For some purposes (e.g. error checking, digital signatures),<BR>
it is desirable that it be impossible to derive the input data given only
the<BR>
hash function's output -- this type of function is known as a
"one-way</TT><BR>
<TT>hash function." Hash functions have many uses in cryptography and com-<BR>
puter science, and numerous one-way hash functions are widely known.<BR>
"Zero-delay" means that Snuffle can be used for interactive communica-<BR>
tions because it encrypts and decrypts on a character-by-character basis
--<BR>
the users need not complete an entire message before encrypting and send-<BR>
ing.<BR>
2 In June 1995, after Bernstein initiated this suit, the State Department<BR>
clarified its earlier determination, explaining that while ITAR did
restrict<BR>
the Source Code and the Instructions, it did not restrict the Paper.</TT><BR>
<BR>
<TT>
4223<BR>
</TT><BR>
<BR>
<TT>determine the scope and application of the export regulations<BR>
to Snuffle.3</TT><BR>
<BR>
<TT>Bernstein ultimately filed this action, challenging the con-<BR>
stitutionality of the ITAR regulations. The district court found<BR>
that the Source Code was speech protected by the First<BR>
Amendment, see Bernstein v. Department of State , 922<BR>
F. Supp. 1426 (N.D. Cal. 1996) ("Bernstein I"), and subse-<BR>
quently granted summary judgment to Bernstein on his First<BR>
Amendment claims, holding the challenged ITAR regulations<BR>
facially invalid as a prior restraint on speech, see Bernstein v.<BR>
Department of State, 945 F. Supp. 1279 (N.D. Cal. 1996)<BR>
("Bernstein II").</TT><BR>
<BR>
<TT>In December 1996, President Clinton shifted licensing<BR>
authority for nonmilitary encryption commodities and tech-<BR>
nologies from the State Department to the Department of<BR>
Commerce. See Exec. Order No. 13,026, 61 Fed. Reg. 58,767<BR>
(1996). The Department of Commerce then promulgated reg-<BR>
ulations under the EAR to govern the export of encryption<BR>
technology, regulations administered by the Bureau of Export<BR>
Administration ("BXA"). See 61 Fed. Reg. 68,572 (1996)<BR>
(codified at 15 C.F.R. Pts. 730-74). Bernstein subsequently<BR>
amended his complaint to add the Department of Commerce<BR>
as a defendant, advancing the same constitutional objections<BR>
as he had against the State Department. The district court, fol-<BR>
lowing the rationale of its earlier Bernstein opinions, once<BR>
again granted summary judgment in favor of Bernstein, find-<BR>
ing the new EAR regulations facially invalid as a prior<BR>
restraint on speech. See Bernstein v. Department of State, 974<BR>
_________________________________________________________________<BR>
3 Bernstein notes that his difficulties with the State Department are
by</TT><BR>
<TT>no means unique. Declarations provided by Bernstein demonstrate ongo-<BR>
ing suppression of academic publication by the State Department under<BR>
ITAR. See Demberger Decl. (found in violation of ITAR for posting<BR>
encryption program on the internet); Junger Decl. (stated that ITAR<BR>
caused him to censor publication of his work for fear of violating the
regu-<BR>
lations); Zimmerman Decl. (target of a criminal investigation for publish-<BR>
ing encryption software on the internet).</TT><BR>
<BR>
<TT>
4224<BR>
</TT><BR>
<BR>
<TT>F. Supp. 1288 (N.D. Cal. 1997) ("Bernstein III"). The district<BR>
court enjoined the Commerce Department from future<BR>
enforcement of the invalidated provisions, an injunction that<BR>
has been stayed pending this appeal.</TT><BR>
<BR>
<TT>B. Overview of Cryptography</TT><BR>
<BR>
<TT>Cryptography is the science of secret writing, a science that<BR>
has roots stretching back hundreds, and perhaps thousands, of<BR>
years. See generally DAVID KHAN, THE CODEBREAKERS (2d ed.<BR>
1996). For much of its history, cryptography has been the<BR>
jealously guarded province of governments and militaries. In<BR>
the past twenty years, however, the science has blossomed in<BR>
the civilian sphere, driven on the one hand by dramatic theo-<BR>
retical innovations within the field, and on the other by the<BR>
needs of modern communication and information technolo-<BR>
gies. As a result, cryptography has become a dynamic aca-<BR>
demic discipline within applied mathematics. It is the<BR>
cryptographer's primary task to find secure methods to<BR>
encrypt messages, making them unintelligible to all except the<BR>
intended recipients:</TT><BR>
<BR>
<TT> Encryption basically involves running a readable<BR>
message known as "plaintext" through a computer<BR>
program that translates the message according to an<BR>
equation or algorithm into unreadable "ciphertext."<BR>
Decryption is the translation back to plaintext when<BR>
the message is received by someone with an appro-<BR>
priate "key."</TT><BR>
<BR>
<TT>Bernstein III, 974 F. Supp. at 1292. The applications of<BR>
encryption, however, are not limited to ensuring secrecy;<BR>
encryption can also be employed to ensure data integrity,<BR>
authenticate users, and facilitate nonrepudiation (e.g., linking<BR>
a specific message to a specific sender). See id.</TT><BR>
<BR>
<TT>It is, of course, encryption's secrecy applications that con-<BR>
cern the government. The interception and deciphering of for-</TT><BR>
<BR>
<TT>
4225<BR>
</TT><BR>
<BR>
<TT>eign communications has long played an important part in our<BR>
nation's national security efforts. In the words of a high-<BR>
ranking State Department official:</TT><BR>
<BR>
<TT> Policies concerning the export control of crypto-<BR>
graphic products are based on the fact that the
prolif-<BR>
eration of such products will make it easier for<BR>
foreign intelligence targets to deny the United States<BR>
Government access to information vital to national<BR>
security interests. Cryptographic products and soft-<BR>
ware have military and intelligence applications. As<BR>
demonstrated throughout history, encryption has<BR>
been used to conceal foreign military communica-<BR>
tions, on the battlefield, aboard ships and subma-<BR>
rines, or in other military settings. Encryption is
also<BR>
used to conceal other foreign communications that<BR>
have foreign policy and national security signifi-<BR>
cance for the United States. For example, encryption<BR>
can be used to conceal communications of terrorists,<BR>
drug smugglers, or others intent on taking hostile<BR>
action against U.S. facilities, personnel, or security<BR>
interests.</TT><BR>
<BR>
<TT>Lowell Decl. at 4 (reproduced in Appellant's Excerpts of<BR>
Record at 97). As increasingly sophisticated and secure<BR>
encryption methods are developed, the government's interest<BR>
in halting or slowing the proliferation of such methods has<BR>
grown keen. The EAR regulations at issue in this appeal evi-<BR>
dence this interest.</TT><BR>
<BR>
<TT>C. The EAR regulations4</TT><BR>
<BR>
<TT>The EAR contain specific regulations to control the export<BR>
of encryption software, expressly including computer source<BR>
_________________________________________________________________<BR>
4 Because the district court capably detailed the ITAR and EAR regula-<BR>
tory regimes, see Bernstein III, 974 F. Supp. at 1292-96, we present only<BR>
an overview of the relevant provisions here.</TT><BR>
<BR>
<TT>
4226<BR>
</TT><BR>
<BR>
<TT>code. Encryption software is treated differently from other<BR>
software in a number of significant ways. First, the term<BR>
"export" is specifically broadened5 with respect to encryption<BR>
software to preclude the use of the internet and other global<BR>
mediums if such publication would allow passive or active<BR>
access by a foreign national within the United States or any-<BR>
one outside the United States. 15 C.F.R. S 734.2(b)(9)(B)(ii).6<BR>
Second, the regulations governing the export of nonencryp-<BR>
tion software provide for several exceptions that are not appli-<BR>
cable to encryption software.7 In addition, although printed<BR>
materials containing encryption source code are not subject to<BR>
EAR regulation, the same materials made available on<BR>
machine-readable media, such as floppy disk or CD-ROM,<BR>
are covered. 15 C.F.R. S 734.3(b), Note to Paragraphs (b)(2)<BR>
& (b)(3). The government, moreover, has reserved the right<BR>
to restrict source code in printed form that may be easily<BR>
"scanned," thus creating some ambiguity as to whether<BR>
_________________________________________________________________</TT><BR>
<TT>5 "Export," even as applied to software generally, is defined quite<BR>
broadly to include any release, including oral exchanges of information<BR>
and visual inspections, in a foreign country or to a foreign national
within<BR>
the United States. 15 C.F.R. S 734.2(b)(2) & (3).<BR>
6 Specifically, 15 C.F.R. S 734.2(b)(9)(B)(ii) provides that "export"<BR>
includes:</TT><BR>
<BR>
<TT> downloading or causing the downloading of, such
software to<BR>
locations (including electronic bulletin boards, Internet
file trans-<BR>
fer protocol, and World Wide Web sites) outside the
U.S., or<BR>
making such software available for transfer outside
the United<BR>
States, over wire, cable, radio, electromagnetic,
photo-optical,<BR>
photoelectric or other comparable communications
facilities<BR>
accessible to persons outside the United States, including
trans-<BR>
fers from electronic bulletin boards, Internet file
transfer protocol<BR>
and World Wide Web sites, unless the person making the
soft-<BR>
ware available takes precautions adequate to prevent
unautho-<BR>
rized transfer of such code outside the United States.<BR>
7 These exceptions allow for export of software that is publicly avail-<BR>
able, 15 C.F.R. S 734.7(c); results from fundamental research or is educa-<BR>
tional, 15 C.F.R. SS 734.3(b)(3), 734.8, 734.9; is already available from<BR>
foreign sources, 15 C.F.R. S 768.1(b); or contains only a de minimis
quan-</TT><BR>
<TT>tity of domestically-derived content, 15 C.F.R.S 734.4(b)(2).</TT><BR>
<BR>
<TT>
4227<BR>
</TT><BR>
<BR>
<TT>printed publications are necessarily exempt from licensing.<BR>
See 61 Fed. Reg. 68,575 (1996).</TT><BR>
<BR>
<TT>If encryption software falls within the ambit of the relevant<BR>
EAR provisions, the "export" of such software requires a pre-<BR>
publication license. When a prepublication license is<BR>
requested, the relevant agencies undertake a "case-by-case"<BR>
analysis to determine if the export is "consistent with U.S.<BR>
national security and foreign policy interests." 15 C.F.R.<BR>
S 742.15(b). All applications must be "resolved or referred to<BR>
the President no later than 90 days" from the date an applica-<BR>
tion is entered into the BXA's electronic license processing<BR>
system. 15 C.F.R. S 750.4(a). There is no time limit, however,<BR>
that applies once an application is referred to the President.<BR>
Although the regulations do provide for an internal adminis-<BR>
trative appeal procedure, such appeals are governed only by<BR>
the exhortation that they be completed "within a reasonable<BR>
time." 15 C.F.R. S 756.2(c)(1). Final administrative decisions<BR>
are not subject to judicial review. 15 C.F.R. S 756.2(c)(2).</TT><BR>
<BR>
<TT>DISCUSSION</TT><BR>
<BR>
<TT>I. Prior Restraint</TT><BR>
<BR>
<TT>The parties and amici urge a number of theories on us. We<BR>
limit our attention here, for the most part, to only one:<BR>
whether the EAR restrictions on the export of encryption soft-<BR>
ware in source code form constitute a prior restraint in viola-<BR>
tion of the First Amendment. We review de novo the district<BR>
court's affirmative answer to this question. See Roulette v.<BR>
Seattle, 97 F.3d 300, 302 (9th Cir. 1996).</TT><BR>
<BR>
<TT>[1] It is axiomatic that "prior restraints on speech and publi-<BR>
cation are the most serious and least tolerable infringement on<BR>
First Amendment rights." Nebraska Press Ass'n v. Stuart, 427<BR>
U.S. 539, 559 (1976). Indeed, the Supreme Court has opined<BR>
that "it is the chief purpose of the [First Amendment] guar-<BR>
anty to prevent previous restraints upon publication." Near v.</TT><BR>
<BR>
<TT>
4228<BR>
</TT><BR>
<BR>
<TT>Minnesota, 283 U.S. 697, 713 (1931). Accordingly, "[a]ny<BR>
prior restraint on expression comes . . . with a`heavy pre-<BR>
sumption' against its constitutional validity." Organization<BR>
for a Better Austin v. Keefe, 402 U.S. 415, 419 (1971). At the<BR>
same time, the Supreme Court has cautioned that"[t]he<BR>
phrase `prior restraint' is not a self-wielding sword. Nor can<BR>
it serve as a talismanic test." Kingsley Books, Inc. v. Brown,<BR>
354 U.S. 436, 441 (1957). We accordingly turn from"[t]he<BR>
generalization that prior restraint is particularly obnoxious" to<BR>
a "more particularistic analysis." Id. at 442.</TT><BR>
<BR>
<TT>[2] The Supreme Court has treated licensing schemes that<BR>
act as prior restraints on speech with suspicion because such<BR>
restraints run the twin risks of encouraging self-censorship<BR>
and concealing illegitimate abuses of censorial power. See<BR>
Lakewood v. Plain Dealer Publishing Co., 486 U.S. 750, 759<BR>
(1988). As a result, "even if the government may constitution-<BR>
ally impose content-neutral prohibitions on a particular man-<BR>
ner of speech, it may not condition that speech on obtaining<BR>
a license or permit from a government official in that offi-<BR>
cial's boundless discretion." Id. at 764 (emphasis in original).<BR>
We follow the lead of the Supreme Court and divide the<BR>
appropriate analysis into two parts. The threshold question is<BR>
whether Bernstein is entitled to bring a facial challenge<BR>
against the EAR regulations. See id. at 755. If he is so enti-<BR>
tled, we proceed to the second question: whether the regula-<BR>
tions constitute an impermissible prior restraint on speech.<BR>
See id. at 769.</TT><BR>
<BR>
<TT>A. Is Bernstein entitled to bring a facial attack?</TT><BR>
<BR>
<TT>[3] A licensing regime is always subject to facial challenge8<BR>
_________________________________________________________________<BR>
8 In using the term "facial challenge" in the prior restraint context, the<BR>
Supreme Court has meant two distinct things. First, if entitled to bring
a<BR>
facial challenge, a plaintiff need not apply for a license before
challenging<BR>
the licensing regime. See Lakewood, 380 U.S. at 755-56. This is a question<BR>
of standing. Second, a litigant challenging an enactment on its face
cham-</TT><BR>
<BR>
<TT>
4229<BR>
</TT><BR>
<BR>
<TT>as a prior restraint where it "gives a government official or<BR>
agency substantial power to discriminate based on the content<BR>
or viewpoint of speech by suppressing disfavored speech or<BR>
disliked speakers," and has "a close enough nexus to expres-<BR>
sion, or to conduct commonly associated with expression, to<BR>
pose a real and substantial threat of . . . censorship risks." Id.<BR>
at 759.</TT><BR>
<BR>
<TT>[4] The EAR regulations at issue plainly satisfy the first<BR>
requirement -- "the determination of who may speak and<BR>
who may not is left to the unbridled discretion of a govern-<BR>
ment official." Id. at 763. BXA administrators are empowered<BR>
to deny licenses whenever export might be inconsistent with<BR>
"U.S. national security and foreign policy interests." 15<BR>
C.F.R. S 742.15(b). No more specific guidance is provided.<BR>
Obviously, this constraint on official discretion is little better<BR>
than no constraint at all. See Lakewood, 486 U.S. at 769-70<BR>
(a standard requiring that license denial be in the "public<BR>
interest" is an "illusory" standard that "renders the guarantee<BR>
against censorship little more than a high-sounding ideal.").<BR>
The government's assurances that BXA administrators will<BR>
not, in fact, discriminate on the basis of content are beside the<BR>
point. See id. at 770 (presumption that official will act in good<BR>
faith "is the very presumption that the doctrine forbidding<BR>
unbridled discretion disallows."). After all,"the mere exis-</TT><BR>
<TT>tence of the licensor's unfettered discretion, coupled with the<BR>
power of prior restraint, intimidates parties into censoring<BR>
their own speech, even if the discretion and power are never<BR>
actually abused." Id. at 757.<BR>
_________________________________________________________________<BR>
pions the rights of those not before the court and thus may attack the
stat-<BR>
ute "whether or not his conduct could be proscribed by a properly drawn<BR>
statute." Freedman v. Maryland, 380 U.S. 51, 56 (1965); see also Secre-<BR>
tary of State of Md. v. J. H. Munson Co., 467 U.S. 947, 957 (1984);<BR>
Roulette, 97 F.3d at 303 n.3. This goes to the scope of the constitutional<BR>
challenge.</TT><BR>
<BR>
<TT>
4230<BR>
</TT><BR>
<BR>
<TT>The more difficult issue arises in relation to the second<BR>
requirement -- that the challenged regulations exhibit "a<BR>
close enough nexus to expression." We are called on to deter-<BR>
mine whether encryption source code is expression for First<BR>
Amendment purposes.9</TT><BR>
<BR>
<TT>We begin by explaining what source code is.10 "Source<BR>
code," at least as currently understood by computer program-<BR>
mers, refers to the text of a program written in a "high-level"<BR>
programming language, such as "PASCAL" or "C." The dis-<BR>
tinguishing feature of source code is that it is meant to be read<BR>
and understood by humans and that it can be used to express<BR>
an idea or a method. A computer, in fact, can make no direct<BR>
use of source code until it has been translated ("compiled")<BR>
into a "low-level" or "machine" language, resulting in<BR>
computer-executable "object code." That source code is<BR>
meant for human eyes and understanding, however, does not<BR>
mean that an untutored layperson can understand it. Because<BR>
source code is destined for the maw of an automated, ruth-<BR>
lessly literal translator -- the compiler -- a programmer must<BR>
_________________________________________________________________<BR>
9 As an initial matter, we note that the fact that the regulations reach
only<BR>
"exports" does not reduce the burden on Bernstein's First Amendment</TT><BR>
<TT>rights. It is Bernstein's right to speak, not the rights of foreign listeners
to<BR>
hear, that we are concerned with here. The government does not argue, nor<BR>
could it, that being cut off from a foreign audience, as distinguished from<BR>
a domestic one, does not implicate First Amendment concerns. See Bull-<BR>
frog Films, Inc. v. Wick, 847 F.2d 502, 509 n.9 (9th Cir. 1988). In addi-<BR>
tion, because the regulations define "export" to include the use of
internet<BR>
fora that may be accessible by foreign nationals, as well as domestic com-<BR>
munications with foreign nationals, we think it plain that the regulations<BR>
potentially limit Bernstein's freedom of speech in a variety of both domes-<BR>
tic and foreign contexts. See Reno v. American Civ. Lib. Union, 117 S. Ct.<BR>
2329, 2348-49 (1997) (rejecting government argument that restriction of<BR>
expression on the internet is justified because ample alternative channels<BR>
of communication exist).<BR>
10 In undertaking this task, we are mindful that computer technology,<BR>
and the lexicon of terms that accompanies it, is changing rapidly.
Never-</TT><BR>
<TT>theless, because the regulations speak in terms of "source code," we
prem-<BR>
ise our discussion on the meaning commonly ascribed to this term by the<BR>
programming community.</TT><BR>
<BR>
<TT>
4231<BR>
</TT><BR>
<BR>
<TT>follow stringent grammatical, syntactical, formatting, and<BR>
punctuation conventions. As a result, only those trained in<BR>
programming can easily understand source code.11</TT><BR>
<BR>
<TT>Also important for our purposes is an understanding of how<BR>
source code is used in the field of cryptography. Bernstein has<BR>
submitted numerous declarations from cryptographers and<BR>
computer programmers explaining that cryptographic ideas<BR>
and algorithms are conveniently expressed in source code.12<BR>
_________________________________________________________________<BR>
11 It must be emphasized, however, that source code is merely text, albeit<BR>
text that conforms to stringent formatting and punctuation requirements.<BR>
For example, the following is an excerpt from Bernstein's Snuffle source<BR>
code:</TT><BR>
<BR>
<TT>for (; ;)<BR>
(<BR>
uch = gtchr();<BR>
if (!(n & 31))<BR>
(<BR>
for (i = 0; i64; i++)<BR>
l
[ ctr[i] ] = k[i] + h[n - 64 + i]<BR>
Hash512 (wm, wl, level,
8);<BR>
)</TT><BR>
<BR>
<TT>As source code goes, Snuffle is quite compact; the entirety of the
Snuffle<BR>
source code occupies fewer than four printed pages.<BR>
12 Source code's power to convey algorithmic information is illustrated<BR>
by the declaration of MIT Professor Harold Abelson:</TT><BR>
<BR>
<TT> The square root of a number X is the number
Y such that Y<BR>
times Y equals X. This is declarative knowledge. It
tells us some-<BR>
thing about square roots. But it doesn't tell us how
to find a<BR>
square root.</TT><BR>
<BR>
<TT> In contrast, consider the following ancient
algorithm, attributed<BR>
to Heron of Alexandria, for approximating square
roots:</TT><BR>
<BR>
<TT> To approximate the square root of a positive
number X,</TT><BR>
<BR>
<TT> - Make a guess for the square root of X.</TT><BR>
<BR>
<TT> - Compute an improved guess as the average of the
guess<BR>
and X divided by the guess.</TT><BR>
<BR>
<TT> - Keep improving the guess until it is good
enough.</TT><BR>
<BR>
<TT>
4232<BR>
</TT><BR>
<BR>
<TT>That this should be so is, on reflection, not surprising. As<BR>
noted earlier, the chief task for cryptographers is the develop-<BR>
ment of secure methods of encryption. While the articulation<BR>
of such a system in layman's English or in general mathemati-<BR>
cal terms may be useful, the devil is, at least for cryptogra-<BR>
phers, often in the algorithmic details. By utilizing source<BR>
code, a cryptographer can express algorithmic ideas with pre-<BR>
cision and methodological rigor that is otherwise difficult to<BR>
achieve. This has the added benefit of facilitating peer review<BR>
-- by compiling the source code, a cryptographer can create<BR>
a working model subject to rigorous security tests. The need<BR>
for precisely articulated hypotheses and formal empirical test-<BR>
ing, of course, is not unique to the science of cryptography;<BR>
it appears, however, that in this field, source code is the pre-<BR>
ferred means to these ends.<BR>
_________________________________________________________________<BR>
Heron's method doesn't say anything about what
square roots</TT><BR>
<TT> are, but it does say how to approximate them. This
is a piece of<BR>
imperative "how to" knowledge.</TT><BR>
<BR>
<TT> Computer science is in the business of
formalizing imperative<BR>
knowledge -- developing formal notations and ways to
reason<BR>
and talk about methodology. Here is Heron's method
formalized<BR>
as a procedure in the notation of the Lisp computer
language:</TT><BR>
<BR>
<TT> (define (sqrtx)</TT><BR>
<BR>
<TT> (define (good-enough? guess)</TT><BR>
<BR>
<TT> ((abs (- (square guess) x))
tolerance))</TT><BR>
<BR>
<TT> (define (improve guess)</TT><BR>
<BR>
<TT> (average guess (/ x guess)))</TT><BR>
<BR>
<TT> (define (try guess)</TT><BR>
<BR>
<TT> (if (good-enough? guess)</TT><BR>
<BR>
<TT> guess</TT><BR>
<BR>
<TT> (try (improve
guess))))</TT><BR>
<BR>
<TT> (try 1))</TT><BR>
<BR>
<TT>
4233<BR>
</TT><BR>
<BR>
<TT>[5] Thus, cryptographers use source code to express their<BR>
scientific ideas in much the same way that mathematicians<BR>
use equations or economists use graphs. Of course, both<BR>
mathematical equations and graphs are used in other fields for<BR>
many purposes, not all of which are expressive. But mathema-<BR>
ticians and economists have adopted these modes of expres-<BR>
sion in order to facilitate the precise and rigorous expression<BR>
of complex scientific ideas.13 Similarly, the undisputed record<BR>
here makes it clear that cryptographers utilize source code in<BR>
the same fashion.14</TT><BR>
<BR>
<TT>[6] In light of these considerations, we conclude that<BR>
encryption software, in its source code form15 and as<BR>
_________________________________________________________________<BR>
13 We are reminded of at least one occasion in which a judicial thinker<BR>
resorted to a mathematical equation to express a legal principle. See<BR>
United States v. Carroll Towing Co., 159 F.2d 169, 173 (2d Cir. 1947)<BR>
(Judge Hand's famous BPL formula to determine "when the absence of<BR>
a bargee or other attendant will make the owner of the barge liable for<BR>
injuries to other vessels if she breaks away from her moorings.").<BR>
14 Bernstein's Snuffle, in fact, provides an illustration of this point.
By<BR>
developing Snuffle, Bernstein was attempting to demonstrate that a one-<BR>
way hash function could be employed as the heart of an encryption<BR>
method. The Snuffle source code, as submitted by Bernstein to the State<BR>
Department, was meant as an expression of how this might be accom-<BR>
plished. The Source Code was plainly not intended as a completed encryp-<BR>
tion product, as demonstrated by the fact that it was incomplete and
not</TT><BR>
<TT>in a form suitable for final compiling. The Source Code, in fact, omits
the<BR>
hash function entirely -- until combined with such a function and com-<BR>
piled, Snuffle is incapable of performing encryption functions at
all.</TT><BR>
<BR>
<TT>Snuffle was also intended, in part, as political expression. Bernstein
dis-<BR>
covered that the ITAR regulations controlled encryption exports, but not<BR>
one-way hash functions. Because he believed that an encryption system<BR>
could easily be fashioned from any of a number of publicly-available one-<BR>
way hash functions, he viewed the distinction made by the ITAR regula-<BR>
tions as absurd. To illustrate his point, Bernstein developed Snuffle,
which<BR>
is an encryption system built around a one-way hash function.<BR>
15 We express no opinion regarding whether object code manifests a<BR>
"close enough nexus to expression" to warrant application of the prior<BR>
restraint doctrine. Bernstein's Snuffle did not involve object code, nor<BR>
does the record contain any information regarding expressive uses of<BR>
object code in the field of cryptography.</TT><BR>
<BR>
<TT>
4234<BR>
</TT><BR>
<BR>
<TT>employed by those in the field of cryptography, must be<BR>
viewed as expressive for First Amendment purposes, and thus<BR>
is entitled to the protections of the prior restraint doctrine. If<BR>
the government required that mathematicians obtain a pre-<BR>
publication license prior to publishing material that included<BR>
mathematical equations, we have no doubt that such a regime<BR>
would be subject to scrutiny as a prior restraint. The availabil-<BR>
ity of alternate means of expression, moreover, does not<BR>
diminish the censorial power of such a restraint -- that Adam<BR>
Smith wrote Wealth of Nations without resorting to equations<BR>
or graphs surely would not justify governmental prepublica-<BR>
tion review of economics literature that contain these modes<BR>
of expression.</TT><BR>
<BR>
<TT>The government, in fact, does not seriously dispute that<BR>
source code is used by cryptographers for expressive pur-<BR>
poses. Rather, the government maintains that source code is<BR>
different from other forms of expression (such as blueprints,<BR>
recipes, and "how-to" manuals) because it can be used to con-<BR>
trol directly the operation of a computer without conveying<BR>
information to the user. In the government's view, by target-<BR>
ing this unique functional aspect of source code, rather than<BR>
the content of the ideas that may be expressed therein, the<BR>
export regulations manage to skirt entirely the concerns of the<BR>
First Amendment. This argument is flawed for at least two<BR>
reasons.</TT><BR>
<BR>
<TT>[7] First, it is not at all obvious that the government's view<BR>
reflects a proper understanding of source code. As noted ear-<BR>
lier, the distinguishing feature of source code is that it is<BR>
meant to be read and understood by humans, and that it<BR>
cannot be used to control directly the functioning of a com-<BR>
puter. While source code, when properly prepared, can be eas-<BR>
ily compiled into object code by a user, ignoring the<BR>
distinction between source and object code obscures the<BR>
important fact that source code is not meant solely for the<BR>
computer, but is rather written in a language intended also for<BR>
human analysis and understanding.</TT><BR>
<BR>
<TT>
4235<BR>
</TT><BR>
<BR>
<TT>[8] Second, and more importantly, the government's argu-<BR>
ment, distilled to its essence, suggests that even one drop of<BR>
"direct functionality" overwhelms any constitutional protec-<BR>
tions that expression might otherwise enjoy. This cannot be so.16<BR>
The distinction urged on us by the government would prove<BR>
too much in this era of rapidly evolving computer capabilities.<BR>
The fact that computers will soon be able to respond directly<BR>
to spoken commands, for example, should not confer on the<BR>
government the unfettered power to impose prior restraints on<BR>
speech in an effort to control its "functional " aspects. The<BR>
First Amendment is concerned with expression, and we reject<BR>
the notion that the admixture of functionality necessarily puts<BR>
expression beyond the protections of the Constitution.</TT><BR>
<BR>
<TT>[9] The government also contends that the challenged regu-<BR>
lations are immune from prior restraint analysis because they<BR>
are "laws of general application" rather than being "directed<BR>
narrowly and specifically at expression." Lakewood, 486 U.S.<BR>
at 760-61. We cannot agree. Because we conclude that source<BR>
code is utilized by those in the cryptography field as a means<BR>
of expression, and because the regulations apply to encryption<BR>
source code, it necessarily follows that the regulations burden<BR>
a particular form of expression directly.</TT><BR>
<BR>
<TT>[10] The Supreme Court in Lakewood explored what it<BR>
means to be a "law of general application" for prior restraint<BR>
purposes. In that case, the Court cited a law requiring building<BR>
permits as a "law of general application" that would not be<BR>
subject to a facial attack as a prior restraint, reasoning that<BR>
such a law carried "little danger of censorship, " even if it<BR>
could be used to retaliate against a disfavored newspaper<BR>
seeking to build a printing plant. Id. at 761. In the Court's<BR>
view, "such laws provide too blunt a censorship instrument to<BR>
_________________________________________________________________<BR>
16 If it were, we would have expected the Supreme Court to start and end<BR>
its analysis of David Paul O'Brien's burning of his draft card with an<BR>
inquiry into whether he was kept warm by the ensuing flames. See United<BR>
States v. O'Brien, 391 U.S. 367 (1968).</TT><BR>
<BR>
<TT>
4236<BR>
</TT><BR>
<BR>
<TT>warrant judicial intervention prior to an allegation of actual<BR>
misuse." Id. Unlike a building permit ordinance, which would<BR>
afford government officials only intermittent and unpredict-<BR>
able opportunities to exercise unrestrained discretion over<BR>
expression, the challenged EAR regulations explicitly apply<BR>
to expression and place scientific expression under the cen-<BR>
sor's eye on a regular basis. In fact, there is ample evidence<BR>
in the record establishing that some in the cryptography field<BR>
have already begun censoring themselves, for fear that their<BR>
statements might influence the disposition of future licensing<BR>
applications. See, e.g., NATIONAL RESEARCH COUNCIL, CRYP-<BR>
TOGRAPHY'S ROLE IN SECURING THE INFORMATION SOCIETY 158<BR>
(1996) ("Vendors contended that since they are effectively at<BR>
the mercy of the export control regulators, they have consider-<BR>
able incentive to suppress any public expression of dissatis-<BR>
faction with the current process."). In these circumstances, we<BR>
cannot conclude that the export control regime at issue is a</TT><BR>
<TT>"law of general application" immune from prior restraint<BR>
analysis.17<BR>
_________________________________________________________________<BR>
17 The government also argues that the EAR regulations are "laws of<BR>
general application" because they are not purposefully aimed at suppress-<BR>
ing any particular ideas that may be expressed in source code. With<BR>
respect to this contention, the panel (including the dissenter) agree that
the<BR>
purpose of the regulations is irrelevant to prior restraint analysis. It
is clear<BR>
that a prior restraint analysis applies equally to content-neutral or
content-<BR>
based enactments. See FW/PBS, Inc. v. Dallas, 493 U.S. 215, 223 (1990)<BR>
(plurality opinion of O'Connor, J.) ("Because we conclude that the city's<BR>
licensing scheme lacks adequate procedural safeguards, we do not reach<BR>
. . . whether the ordinance is properly viewed as a content-neutral time,<BR>
place, and manner restriction. . . ."); Lakewood, 486 U.S. at 764 ("[E]ven<BR>
if the government may constitutionally impose content-neutral prohibi-<BR>
tions on a particular manner of speech, it may not condition that
speech</TT><BR>
<TT>on obtaining a license or permit from a government official in that
offi-<BR>
cial's boundless discretion.") (emphasis in original). Indeed, where unbri-<BR>
dled discretion is vested in a governmental official, it is difficult to
know<BR>
whether a licensing regime is content-based or content-neutral. Accord-<BR>
ingly, the government's purpose in censoring encryption source code is,<BR>
at this stage of our First Amendment inquiry, beside the point. In other<BR>
words, a prepublication licensing regime that has a chilling and censorial<BR>
effect on expression is properly subject to facial attack as a prior
restraint,</TT><BR>
<BR>
<TT>
4237<BR>
</TT><BR>
<BR>
<TT>[11] Because the prepublication licensing scheme chal-<BR>
lenged here vests unbridled discretion in government officials,<BR>
and because it directly jeopardizes scientific expression, we<BR>
are satisfied that Bernstein may properly bring a facial chal-<BR>
lenge against the regulations.18 We accordingly turn to the<BR>
merits.<BR>
_________________________________________________________________<BR>
whatever the purpose behind its enactment. See Lakewood, 486 U.S. at<BR>
759 (upholding facial attack against newsrack ordinance because of censo-<BR>
rial effects, without discussing governmental purpose for enacting the<BR>
ordinance).<BR>
18 It is at this juncture that we part ways with the dissent. The dissent<BR>
concedes that source code can be expressive. Nevertheless, the dissent<BR>
contends that Bernstein is not entitled to bring a facial attack against
the<BR>
EAR regulation. This argument, it seems to us, is based on two founda-<BR>
tions.</TT><BR>
<BR>
<TT>First, the dissent conceives of the exchange of source code among sci-<BR>
entists as "conduct." We disagree. The source code at issue here is text<BR>
intended for human understanding, albeit in a specialized language. To say<BR>
that the "export" of this text is "conduct " for First Amendment purposes,<BR>
rather than straightforward scientific "expression," is to call into
question<BR>
all distribution and circulation of scientific texts that communicate ideas<BR>
by using specialized languages. Of course, source code may be functional<BR>
as well as expressive. We are not persuaded, however, that that fact trans-<BR>
mogrifies the distribution of scientific texts from "expression" into<BR>
"conduct" deserving of diminished First Amendment protection.</TT><BR>
<BR>
<TT>Having cast the question as one relating to "conduct," the dissent then<BR>
takes a second step. Drawing from Lakeside, the dissent asks whether the<BR>
"conduct" -- the exchange of cryptographic source code -- is "commonly<BR>
associated with expression." This question the dissent answers in the nega-<BR>
tive; in other words, the dissent concludes that source code is not used<BR>
expressively often enough. We find this conclusion somewhat perplexing,<BR>
as there is nothing in the record to support it. Bernstein has introduced<BR>
extensive expert evidence to support his contention that source code is
fre-<BR>
quently used for expressive purposes. The government, however, has<BR>
failed to introduce anything into the record to rebut this evidence. In
fact,<BR>
the government has made it clear that it means to control the export of<BR>
source code no matter how commonly associated it may be with<BR>
expresssion: "Whatever ideas may be reflected in the software, or the<BR>
intent of the exporter to convey ideas, the NSA recommends that encryp-<BR>
tion software be controlled for export solely on the basis of what it
does.</TT><BR>
<TT>. . ." Second Lowell Decl., Appellant's Excerpts of Record at
104.</TT><BR>
<BR>
<TT>
4238<BR>
</TT><BR>
<BR>
<TT>B. Are the regulations an impermissible prior restraint?</TT><BR>
<BR>
<TT>[12] "[T]he protection even as to previous restraint is not<BR>
absolutely unlimited." Near, 283 U.S. at 716. The Supreme<BR>
Court has suggested that the "heavy presumption " against<BR>
prior restraints may be overcome where official discretion is<BR>
bounded by stringent procedural safeguards. See FW/PBS,<BR>
493 U.S. at 227 (plurality opinion of O'Connor, J.);<BR>
Freedman v. Maryland, 380 U.S. 51, 58-59 (1965); Kingsley<BR>
Books, 354 U.S. at 442-43; 11126 Baltimore Blvd. v. Prince<BR>
George's County, 58 F.3d 988, 995 (4th Cir. 1995) (en banc).<BR>
As our analysis above suggests, the challenged regulations do<BR>
not qualify for this First Amendment safe harbor. 19 In<BR>
Freedman v. Maryland, the Supreme Court set out three fac-<BR>
tors for determining the validity of licensing schemes that<BR>
impose a prior restraint on speech: (1) any restraint must be<BR>
for a specified brief period of time; (2) there must be expedi-<BR>
tious judicial review; and (3) the censor must bear the burden<BR>
of going to court to suppress the speech in question and must<BR>
_________________________________________________________________</TT><BR>
<TT>19 The Supreme Court has also suggested that the presumption against<BR>
prior restraints may be overcome where publication would directly and<BR>
imminently imperil national security. See New York Times Co. v. United<BR>
States, 403 U.S. 713, 730 (1971) (Stewart, J., joined by White, J., concur-<BR>
ring); Near, 283 U.S. at 716; see also United States v. The Progressive,<BR>
Inc., 467 F. Supp. 990, 992 (W.D. Wisc. 1979). In order to justify a prior<BR>
restraint on national security grounds, the government must prove the pub-<BR>
lication would "surely result in direct, immediate, and irreparable damage<BR>
to our Nation or its people." New York Times, 403 U.S. at 730 (Stewart,<BR>
J., joined by White, J., concurring); see also id. at 726-27 (Brennan, J.,<BR>
concurring) (finding that national security is a sufficient interest only<BR>
where there is "governmental allegation and proof that publication must<BR>
inevitably, directly, and immediately cause the occurrence of an event kin-<BR>
dred to imperiling the safety of a transport already at sea"); Burch
v.</TT><BR>
<TT>Baker, 861 F.2d 1149, 1155 (9th Cir. 1988) ("Prior restraints are
permissi-<BR>
ble in only the rarest of circumstances, such as imminent threat to
national<BR>
security.").</TT><BR>
<BR>
<TT>The government does not argue that the prior restraint at issue here
falls<BR>
within the extremely narrow class of cases where publication would<BR>
directly and immediately imperil national security.</TT><BR>
<BR>
<TT>
4239<BR>
</TT><BR>
<BR>
<TT>bear the burden of proof.20 See 380 U.S. at 58-60. The district<BR>
court found that the procedural protections provided by the<BR>
EAR regulations are "woefully inadequate" when measured<BR>
against these requirements. Bernstein III, 974 F. Supp. at<BR>
1308. We agree.</TT><BR>
<BR>
<TT>[13] Although the regulations require that license applica-<BR>
tions be resolved or referred to the President within 90 days,<BR>
see 15 C.F.R. S 750.4(a), there is no time limit once an appli-<BR>
cation is referred to the President. Thus, the 90-day limit can<BR>
be rendered meaningless by referral. Moreover, if the license<BR>
application is denied, no firm time limit governs the internal<BR>
appeals process. See 15 C.F.R. S 756.2(c)(1) (Under Secretary<BR>
"shall decide an appeal within a reasonable time after receipt<BR>
of the appeal."). Accordingly, the EAR regulations do not sat-<BR>
isfy the first Freedman requirement that a licensing decision<BR>
be made within a reasonably short, specified period of time.<BR>
See FW/PBS, 493 U.S. at 226 (finding that "a prior restraint<BR>
that fails to place time limits on the time within which the<BR>
decisionmaker must issue the license is impermissible"); Riley<BR>
v. National Fed. of the Blind, 487 U.S. 781, 802 (1988)<BR>
(licensing scheme that permits "delay without limit" is imper-<BR>
missible); Vance v. Universal Amusement Co., 445 U.S. 308,</TT><BR>
<TT>315-17 (1980) (prior restraint of indefinite duration is imper-<BR>
missible). The EAR regulatory regime further offends<BR>
Freedman's procedural requirements insofar as it denies a dis-<BR>
appointed applicant the opportunity for judicial review.21 See<BR>
_________________________________________________________________<BR>
20 Whether all three Freedman factors apply to all prior restraints
is the<BR>
subject of dispute. Compare FW/PBS, 493 U.S. at 229-30 (plurality opin-<BR>
ion of O'Connor, J.) (finding the government does not bear the burden of<BR>
going to court to defend its licensing requirement where restrained speak-<BR>
ers are likely to challenge the restraint in court) with id. at 239
(Brennan,<BR>
J., concurring in judgment) ("We have never suggested that our insistence<BR>
on Freedman procedures might vary with the particular facts of the prior<BR>
restraint before us."). Because we conclude that the EAR regulations fail<BR>
Freedman's first two procedural requirements, we need not reach the issue<BR>
of whether the third Freedman factor applies in this case.</TT><BR>
<TT>21 As noted earlier, the BXA enjoys essentially unbounded discretion<BR>
under the EAR regulations in administering the license process.
Accord-</TT><BR>
<BR>
<TT>
4240<BR>
</TT><BR>
<BR>
<TT>15 C.F.R. S 756.2(c)(2); FW/PBS, 493 U.S. at 229 (plurality<BR>
opinion of O'Connor, J.) (finding failure to provide "prompt"<BR>
judicial review violates Freedman); Freedman, 380 U.S. at 59<BR>
(licensing procedure must assure a prompt final judicial deci-<BR>
sion).</TT><BR>
<BR>
<TT>[14] We conclude that the challenged regulations allow the<BR>
government to restrain speech indefinitely with no clear<BR>
criteria for review. As a result, Bernstein and other scientists<BR>
have been effectively chilled from engaging in valuable scien-<BR>
tific expression. Bernstein's experience itself demonstrates<BR>
the enormous uncertainty that exists over the scope of the reg-<BR>
ulations and the potential for the chilling of scientific expres-<BR>
sion. In short, because the challenged regulations grant<BR>
boundless discretion to government officials, and because<BR>
they lack the required procedural protections set forth in<BR>
Freedman, we find that they operate as an unconstitutional<BR>
prior restraint on speech.22 See Lakewood, 486 U.S. at 769-<BR>
772 (holding that newsrack licensing ordinance was an imper-<BR>
missible prior restraint because it conferred unbounded dis-<BR>
cretion and lacked adequate procedural safeguards).<BR>
_________________________________________________________________<BR>
ingly, even if the challenged regulations provided for judicial review,
the</TT><BR>
<TT>lack of explicit limits on the decisionmaker's discretion would likely
make<BR>
such review meaningless. In this sense, the presence of unbounded discre-<BR>
tion itself may be considered fatal for purposes of prior restraint review.<BR>
See Lakewood, 486 U.S. at 769-70 (striking down a licensing scheme<BR>
where the mayor could merely claim that the license" `is not in the public<BR>
interest' when denying a permit application").</TT><BR>
<BR>
<TT>22 Our conclusion relating to the Source Code also resolves the status
of<BR>
the regulations as applied to the Instructions. Because the Instructions
are<BR>
essentially a translation of the Source Code into English, they are, if
any-<BR>
thing, nearer the heartland of the First Amendment. Consequently, to the<BR>
extent the challenged regulations are unconstitutional as applied to the<BR>
Source Code, they necessarily are unconstitutional as applied to the<BR>
Instructions.</TT><BR>
<BR>
<TT>
4241<BR>
</TT><BR>
<BR>
<TT>C. Concluding comments.</TT><BR>
<BR>
<TT>We emphasize the narrowness of our First Amendment<BR>
holding. We do not hold that all software is expressive. Much<BR>
of it surely is not. Nor need we resolve whether the chal-<BR>
lenged regulations constitute content-based restrictions, sub-<BR>
ject to the strictest constitutional scrutiny, or whether they are,<BR>
instead, content-neutral restrictions meriting less exacting<BR>
scrutiny. We hold merely that because the prepublication<BR>
licensing regime challenged here applies directly to scientific<BR>
expression, vests boundless discretion in government offi-<BR>
cials, and lacks adequate procedural safeguards, it constitutes<BR>
an impermissible prior restraint on speech.</TT><BR>
<BR>
<TT>We will, however, comment on two issues that are<BR>
entwined with the underlying merits of Bernstein's constitu-<BR>
tional claims. First, we note that insofar as the EAR regula-<BR>
tions on encryption software were intended to slow the spread<BR>
of secure encryption methods to foreign nations, the govern-<BR>
ment is intentionally retarding the progress of the flourishing<BR>
science of cryptography. To the extent the government's<BR>
efforts are aimed at interdicting the flow of scientific ideas<BR>
(whether expressed in source code or otherwise), as distin-<BR>
guished from encryption products, these efforts would appear<BR>
to strike deep into the heartland of the First Amendment. In<BR>
this regard, the EAR regulations are very different from<BR>
content-neutral time, place and manner restrictions that may<BR>
have an incidental effect on expression while aiming at sec-<BR>
ondary effects.</TT><BR>
<BR>
<TT>Second, we note that the government's efforts to regulate<BR>
and control the spread of knowledge relating to encryption<BR>
may implicate more than the First Amendment rights of cryp-<BR>
tographers. In this increasingly electronic age, we are all<BR>
required in our everyday lives to rely on modern technology<BR>
to communicate with one another. This reliance on electronic<BR>
communication, however, has brought with it a dramatic dim-<BR>
inution in our ability to communicate privately. Cellular</TT><BR>
<BR>
<TT>
4242<BR>
</TT><BR>
<BR>
<TT>phones are subject to monitoring, email is easily intercepted,<BR>
and transactions over the internet are often less than secure.<BR>
Something as commonplace as furnishing our credit card<BR>
number, social security number, or bank account number puts<BR>
each of us at risk. Moreover, when we employ electronic<BR>
methods of communication, we often leave electronic<BR>
"fingerprints" behind, fingerprints that can be traced back to<BR>
us. Whether we are surveilled by our government, by crimi-<BR>
nals, or by our neighbors, it is fair to say that never has our<BR>
ability to shield our affairs from prying eyes been at such a<BR>
low ebb. The availability and use of secure encryption may<BR>
offer an opportunity to reclaim some portion of the privacy<BR>
we have lost. Government efforts to control encryption thus<BR>
may well implicate not only the First Amendment rights of<BR>
cryptographers intent on pushing the boundaries of their sci-<BR>
ence, but also the constitutional rights of each of us as poten-<BR>
tial recipients of encryption's bounty. Viewed from this<BR>
perspective, the government's efforts to retard progress in</TT><BR>
<TT>cryptography may implicate the Fourth Amendment, as well<BR>
as the right to speak anonymously, see McIntyre v. Ohio Elec-<BR>
tions Comm'n, 115 S. Ct. 1511, 1524 (1995) , the right against<BR>
compelled speech, see Wooley v. Maynard, 430 U.S. 705, 714<BR>
(1977), and the right to informational privacy, see Whalen v.<BR>
Roe, 429 U.S. 589, 599-600 (1977). While we leave for<BR>
another day the resolution of these difficult issues, it is impor-<BR>
tant to point out that Bernstein's is a suit not merely concern-<BR>
ing a small group of scientists laboring in an esoteric field, but<BR>
also touches on the public interest broadly defined.</TT><BR>
<BR>
<TT>II. Scope of Declaratory Relief</TT><BR>
<BR>
<TT>The government also challenges the scope of the declara-<BR>
tory relief granted by the district court. The government<BR>
argues that the relief provided is invalid in two respects: (1)<BR>
that the relief extends to encryption object code and encryp-<BR>
tion commodities; (2) that the relief extends to encryption<BR>
technology. The district held that</TT><BR>
<BR>
<TT>
4243<BR>
</TT><BR>
<BR>
<TT> the Export Administration Regulations, 15 C.F.R.
pt.<BR>
730 et seq. (1997) and all rules, policies and prac-<BR>
tices promulgated or pursued thereunder insofar as<BR>
they apply to or require licensing for encryption and<BR>
decryption software and related devices and technol-<BR>
ogy are in violation of the First Amendment on the<BR>
grounds of prior restraint and are, therefore, uncon-<BR>
stitutional as discussed above, and shall not be<BR>
applied to plaintiff's publishing of such items,<BR>
including scientific papers, algorithms or computer<BR>
programs.</TT><BR>
<BR>
<TT>Bernstein III, 974 F. Supp. at 1310. We review the district<BR>
court's grant of declaratory relief de novo. See Crawford v.<BR>
Lungren, 96 F.3d 380, 384 (9th Cir. 1996); Ablang v. Reno,<BR>
52 F.3d 801, 803 (9th Cir. 1995).</TT><BR>
<BR>
<TT>This inquiry leads us into the uncertain jurisprudence of<BR>
"severability." See generally John Copeland Nagle,<BR>
Severability, 72 N.C. L. REV. 203 (1993). The general princi-<BR>
ple is clear: "[A] court should refrain from invalidating more<BR>
of [a] statute than is necessary . . . . `[W]henever an act of<BR>
Congress contains unobjectionable provisions separable from<BR>
those found to be unconstitutional, it is the duty of this court<BR>
to so declare, and to maintain the act in so far as it is valid.' "<BR>
Alaska Airlines, Inc. v. Brock, 480 U.S. 678, 684 (1987)<BR>
(quoting Regan v. Time, Inc., 468 U.S. 641, 652 (1984)); see<BR>
also National Collegiate Athletic Ass'n v. Miller , 10 F.3d 633,<BR>
640 (9th Cir. 1993). The applicable legal standard has also<BR>
been oft repeated: "[u]nless it is evident that the Legislature<BR>
would not have enacted those provisions which are within its<BR>
power, independently of that which is not, the invalid part<BR>
may be dropped if what is left is fully operative as a law."<BR>
Buckley v. Valeo, 424 U.S. 1, 108 (1976) (per curiam); accord</TT><BR>
<TT>NCAA v. Miller, 10 F.3d at 640. Thus, in the general case,<BR>
severability analysis properly focuses on legislative intent.<BR>
See Alaska Airlines, Inc., 480 U.S. at 685.</TT><BR>
<BR>
<TT>
4244<BR>
</TT><BR>
<BR>
<TT>This case, however, is not the general case. First, the chal-<BR>
lenged enactment here is a regulation, rather than a statute. As<BR>
a result, we cannot look to the usual public sources to deter-<BR>
mine the intentions of the drafters. Nevertheless, we agree<BR>
with the government that the EAR regulations can be concep-<BR>
tually severed into component parts governing commodities,<BR>
software, and technology. We also assume that the Depart-<BR>
ment of Commerce, even if barred from imposing prepublica-<BR>
tion licensing on encryption source code, would have enacted<BR>
regulations controlling the export of encryption commodities,<BR>
object code, and technology.</TT><BR>
<BR>
<TT>But while the district court may have erred in treating soft-<BR>
ware and commodities as the same item, the integrated struc-<BR>
ture of the regulations does not permit us to sever the various<BR>
provisions in the manner requested by the government. To<BR>
sever the unconstitutional portion of the regulations, we<BR>
would have to line edit individual sections, deleting or modi-<BR>
fying the definition of "software" while retaining "commod-<BR>
ities" and "technology." We would then have to redefine gen-<BR>
eral terms such as "items" which refer collectively to com-<BR>
modities, software, and technology. We have neither the<BR>
power nor the capacity to engage in line by line revisions of<BR>
the challenged regulations or to redefine terms within the reg-<BR>
ulations. See Hill v. Wallace, 259 U.S. 44, 70-71 (1922);<BR>
American Booksellers Ass'n v. Hudnut, 771 F.2d 323, 332-33<BR>
(7th Cir. 1985). To do so would be to improperly invade the<BR>
province reserved to the Executive. Accordingly, we affirm<BR>
the district court's grant of declaratory relief.</TT><BR>
<BR>
<TT>CONCLUSION</TT><BR>
<BR>
<TT>Because the prepublication licensing regime challenged by<BR>
Bernstein applies directly to scientific expression, vests<BR>
boundless discretion in government officials, and lacks ade-<BR>
quate procedural safeguards, we hold that it constitutes an<BR>
impermissible prior restraint on speech. We decline the invita-<BR>
tion to line edit the regulations in an attempt to rescue them</TT><BR>
<BR>
<TT>
4245<BR>
</TT><BR>
<BR>
<TT>from constitutional infirmity, and thus endorse the declaratory<BR>
relief granted by the district court.</TT><BR>
<BR>
<TT>AFFIRMED.</TT><BR>
<BR>
<TT>_________________________________________________________________</TT><BR>
<BR>
<TT>BRIGHT, Circuit Judge, separately concurring.</TT><BR>
<BR>
<TT>I join Judge Fletcher's opinion. I do so because the speech<BR>
aspects of encryption source code represent communication<BR>
between computer programmers. I do, however, recognize the<BR>
validity of Judge Nelson's view that encryption source code<BR>
also has the functional purpose of controlling computers and<BR>
in that regard does not command protection under the First<BR>
Amendment. The importance of this case suggests that it may<BR>
be appropriate for review by the United States Supreme<BR>
Court.</TT><BR>
<BR>
<TT>_________________________________________________________________</TT><BR>
<BR>
<TT>T.G. NELSON, Circuit Judge, Dissenting:</TT><BR>
<BR>
<TT>Bernstein was not entitled to bring a facial First Amend-<BR>
ment challenge to the EAR, and the district court improperly<BR>
granted an injunction on the basis of a facial challenge. I<BR>
therefore respectfully dissent.</TT><BR>
<BR>
<TT>The basic error which sets the majority and the district<BR>
court adrift is the failure to fully recognize that the basic func-<BR>
tion of encryption source code is to act as a method of con-<BR>
trolling computers. As defined in the EAR regulations,<BR>
encryption source code is "[a] precise set of operating instruc-<BR>
tions to a computer, that when compiled, allows for the execu-<BR>
tion of an encryption function on a computer." 15 C.F.R. pt.<BR>
722. Software engineers generally do not create software in<BR>
object code--the series of binar</TT>
<P>
digits (1's and 0's)--which<BR>
tells a computer what to do because it would be enormously<BR>
<BR>
<TT>
4246<BR>
</TT><BR>
<BR>
<TT>difficult, cumbersome and time-consuming. Instead, software<BR>
engineers use high-level computer programming languages<BR>
such as "C" or "Basic" to create source code as a shorthand<BR>
method for telling the computer to perform a desired function.<BR>
In this respect, lines of source code are the building blocks or<BR>
the tools used to create an encryption machine. See e.g., Pat-<BR>
rick Ian Ross, Bernstein v. United States Department of State,<BR>
13 Berkeley Tech. L.J. 405, 410-11 (1998) ("[E]lectronic<BR>
source code that is ready to compile merely needs a few<BR>
keystrokes to generate object code--the equivalent of flipping<BR>
an `on' switch. Code used for this purpose can fairly easily be<BR>
characterized as `essentially functional.' "); Pamela Samuel-<BR>
son et al., A Manifesto Concerning Legal Protection of Com-<BR>
puter Programs, 94 Colum. L. Rev. 2308, 2315-30 (1994)<BR>
("[P]rograms are, in fact, machines (entities that bring about<BR>
useful results, i.e., behavior) that have been constructed in the<BR>
medium of text (source code and object code)."). Encryption</TT><BR>
<TT>source code, once compiled, works to make computer com-<BR>
munication and transactions secret; it creates a lockbox of<BR>
sorts around a message that can only be unlocked by someone<BR>
with a key. It is the function or task that encryption source<BR>
code performs which creates its value in most cases. This<BR>
functional aspect of encryption source code contains no<BR>
expression; it is merely the tool used to build the encryption<BR>
machine.</TT><BR>
<BR>
<TT>This is not to say that this very same source code is not<BR>
used expressively in some cases. Academics, such as Bern-<BR>
stein, seek to convey and discuss their ideas concerning com-<BR>
puter encryption. As noted by the majority, Bernstein must<BR>
actually use his source code textually in order to discuss or<BR>
teach cryptology. In such circumstances, source code serves<BR>
to express Bernstein's scientific methods and ideas.</TT><BR>
<BR>
<TT>While it is conceptually difficult to categorize encryption<BR>
source code under our First Amendment framework, I am still<BR>
inevitably led to conclude that encryption source code is more<BR>
like conduct than speech. Encryption source code is a building</TT><BR>
<BR>
<TT>
4247<BR>
</TT><BR>
<BR>
<TT>tool. Academics and computer programmers can convey this<BR>
source code to each other in order to reveal the encryption<BR>
machine they have built. But, the ultimate purpose of encryp-<BR>
tion code is, as its name suggests, to perform the function of<BR>
encrypting messages. Thus, while encryption source code<BR>
may occasionally be used in an expressive manner, it is inher-<BR>
ently a functional device.</TT><BR>
<BR>
<TT>We are not the first to examine the nature of encryption<BR>
source code in terms of First Amendment protection. Judge<BR>
Gwin of the United States District Court for the Northern Dis-<BR>
trict of Ohio also explored the function versus expression<BR>
conundrum of encryption source code at some length in<BR>
Junger v. Daley, 8 F. Supp. 2d 708 (N.D. Ohio 1998). Junger,<BR>
like Bernstein, is a professor, albeit a law professor, who<BR>
wished to publish in various forms his work on computers,<BR>
including a textbook, Computers and the Law. The book was<BR>
determined by the Government to be subject to export without<BR>
a license, but his software programs were determined to come<BR>
within the licensing provisions of the EAR. In the course of<BR>
rejecting Junger's claims, the court said:</TT><BR>
<BR>
<TT> Like much computer software, encryption source<BR>
code is inherently functional; it is designed to
enable<BR>
a computer to do a designated task. Encryption<BR>
source code does not merely explain a cryptographic<BR>
theory or describe how the software functions. More<BR>
than describing encryption, the software carries out<BR>
the function of encryption. The software is essential<BR>
to carry out the function of encryption. In doing this<BR>
function, the encryption software is indistinguishable<BR>
from dedicated computer hardware that does encryp-<BR>
tion.</TT><BR>
<BR>
<TT> In the overwhelming majority of
circumstances,<BR>
encryption source code is exported to transfer func-<BR>
tions, not to communicate ideas. In exporting func-<BR>
tioning capability, encryption source code is
like</TT><BR>
<BR>
<TT>
4248<BR>
</TT><BR>
<BR>
<TT> other encryption devices. For the broad majority
of<BR>
persons receiving such source code, the value comes<BR>
from the function the source code does.</TT><BR>
<BR>
<TT>Id. at 716. The Junger decision thus adds considerable sup-<BR>
port for the propositions that encryption source code cannot<BR>
be categorized as pure speech and that the functional aspects<BR>
of encryption source code cannot be easily ignored or put<BR>
aside.</TT><BR>
<BR>
<TT>Both the district court and the majority hold that because<BR>
source code can be used expressively in some circumstances,<BR>
Bernstein was entitled to bring a facial challenge to the EAR.<BR>
Such an approach ignores the basic tenet that facial challenges<BR>
are inappropriate "unless, at a minimum, the challenged stat-<BR>
ute `is directed narrowly and specifically at expression or con-<BR>
duct commonly associated with expression.' " Roulette v. City<BR>
of Seattle, 97 F.3d 300, 305 (9th Cir. 1996) (quoting City of<BR>
Lakewood v. Plain Dealer Publishing Co., 486 U.S. 750, 760<BR>
(1988)). That encryption source code may on occasion be<BR>
used expressively does not mean that its export is "conduct<BR>
commonly associated with expression" or that the EAR regu-<BR>
lations are directed at expressive conduct. See id. at 303 ("The<BR>
fact that sitting can possibly be expressive, however, isn't<BR>
enough to sustain plaintiffs' facial challenge."); see also<BR>
Junger, 8 F. Supp. 2d at 718 ("[T]he prior restraint doctrine<BR>
is not implicated simply because an activity may on occasion</TT><BR>
<TT>be expressive.").</TT><BR>
<BR>
<TT>The activity or conduct at issue here is the export of<BR>
encryption source code. As I noted above, the basic nature of<BR>
encryption source code lies in its functional capacity as a<BR>
method to build an encryption device. Export of encryption<BR>
source code is not conduct commonly associated with expres-<BR>
sion. Rather, it is conduct that is normally associated with<BR>
providing other persons with the means to make their com-<BR>
puter messages secret. The overwhelming majority of people<BR>
do not want to talk about the source code and are not inter-</TT><BR>
<BR>
<TT>
4249<BR>
</TT><BR>
<BR>
<TT>ested in any recondite message that may be contained in<BR>
encryption source code. Only a few people can actually<BR>
understand what a line of source code would direct a com-<BR>
puter to do. Most people simply want to use the encryption<BR>
source code to protect their computer communications. Export<BR>
of encryption source code simply does not fall within the<BR>
bounds of conduct commonly associated with expression such<BR>
as picketing or handbilling. See Roulette, 97 F.3d at 303-04.</TT><BR>
<BR>
<TT>Further, the EAR regulates the export of encryption tech-<BR>
nology generally, whether it is software or hardware. See 15<BR>
C.F.R. S 742.15; Junger, 8 F. Supp. 2d at 718 ("The Export<BR>
Regulations do not single out encryption software."). These<BR>
regulations are directed at preventing the functional capacity<BR>
of any encryption device, including its source code, from<BR>
being exported without a government license. The EAR is not<BR>
specifically directed towards stifling the expressive nature of<BR>
source code or Bernstein's academic discussions about cryp-<BR>
tography. This is demonstrated by the fact that the regulations<BR>
do not object to publication in printed form of learned articles<BR>
containing source code. See 15 C.F.R. S 734.3. Thus, the EAR<BR>
is generally directed at non-expressive conduct--the export of<BR>
source code as a tool to make messages secret and impervious<BR>
to government eavesdropping capabilities.</TT><BR>
<BR>
<TT>Because this is a law of general application focused at con-<BR>
duct, Bernstein is not entitled to bring a facial challenge. The<BR>
district court's injunction based upon the finding of a facial<BR>
prior restraint is thus impermissible. This is not to say that<BR>
Bernstein's activities would not be entitled to First Amend-<BR>
ment protection, but that the legal path chosen to get that pro-<BR>
tection must be the correct one. We should be careful to<BR>
"entertain[ ] facial freedom-of-expression challenges only<BR>
against statutes that, `by their terms,' sought to regulate `spo-<BR>
ken words,' or patently `expressive or communicative<BR>
conduct.' " Roulette, 97 F.3d at 303 (citing Broadrick v.<BR>
Oklahoma, 413 U.S. 601, 612-13 (1973)). Bernstein may very<BR>
well have a claim under an as-applied First Amendment anal-</TT><BR>
<BR>
<TT>
4250<BR>
</TT><BR>
<BR>
<TT>ysis; however, such a claim must be left to the district court's<BR>
determination in the first instance. Here, the district court did<BR>
not rule on Bernstein's as-applied claims. I would therefore<BR>
vacate the district court's injunction and remand for consider-<BR>
ation of Bernstein's as-applied challenges to the EAR.<BR>
Accordingly, I respectfully dissent.</TT><BR>
<BR>
<BR>
<HR>
<P>
<I>[End]</I>
</BODY></HTML>
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed