UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF OHIO EASTERN DIVISION PETER D. JUNGER, ) CASE NO. 96 CV 1723 ) Plaintiff ) ) JUDGE NUGENT v. ) ) WARREN CHRISTOPHER, DEPART- ) MENT OF STATE; WILLIAM J. ) LOWELL, OFFICE OF DEFENSE ) TRADE CONTROLS; LT. GENERAL ) KENNETH A. MINIHAN, NATIONAL ) SECURITY AGENCY, ) ) Defendants. ) C BRIEF IN SUPPORT OF PLAINTIFF'S MOTION FOR PRELIMINARY INJUNCTION X TABLE OF CONTENTS SUMMARY OF THE ARGUMENT 1 INTRODUCTION 2 STATEMENT OF FACTS 4 A. Factual Background 4 B.The Regulatory Framework 6 DISCUSSION 11 I. Standards For Granting A Preliminary Injunction 11 II. The Likelihood Of Success On The Merits 11 A.ITAR's Registration and Licensing Scheme Infringes on Rights of Academic Freedom, Political Speech and Freedom of Association. 12 B.ITAR's Registration and Licensing Scheme Constitutes an Unconstitutional Prior Restraint. 14 C.ITAR's Registration and Licensing Scheme is Unconstitutionally Overbroad And Vague. 17 1. The regulations reach a substantial amount of protected speech 18 2. The regulations are vague and ambiguous. 19 D.There is no Statutory or Constitutional Basis for ITAR's Restrictions on the Domestic Publication and Dissemination of Cryptography. 23 III. Without the Injunction, the Plaintiff Will Suffer Irreparable Harm 26 IV. There is Little, If Any, Probability that the Injunction Will Cause Substantial Harm 26 V. The Public Interest Is Advanced by Issuance of the Injunction 26 CONCLUSION 27 TABLE OF ATHORITIES Cases ACLU v. Reno, 1996 U.S. Dist. Lexis 7919 (E.D. Pa., June 11, 1996) 4, 25 Apple Computer, Inc. v. Franklin Computer Corp., 714 F.2d 1240 (3rd Cir. 1983) 18 Bateman v. Mnemonics, Inc., 79 F.3d 1532 (11th Cir. 1996) 4 Bernstein v. U.S. Department of State, 922 F. Supp 1426 (N.D. Calif. 1996) 3, 18, 21 Board of Trustees of Leland Stanford Univ. v. Sullivan, 773 F.Supp. 472 (D.D.C. 1991) 18 Connally v. General Construction Co., 269 U.S. 385 (1926). 19 Dalton v. Specter, 114 S.Ct 1719 (1994) 24 Dambrot v. Central Michigan University, 55 F.3d 1177 (6th Cir. 1995) 12, 18 Dames & Moore v. Regan, 453 U.S. 654 (1981). 27 Dayton Area Visually Impaired Persons, Inc.v. Fisher, 70 F.3d 1474 (6th Cir. 1995) 25 Elrod v. Burns, 427 U.S. 347 (1976) 25 Forsyth County v. The Nationalist Movement, 505 U.S. 123 (1992) 15 Freedman v. Maryland, 380 U.S. 51 (1965) 15 FW/PBS, Inc. v. City of Dallas, 493 U.S. 215(1990) 15 Gentile v. State Bar of Nevada, 501 U.S. 1030 (1991) 20 Karn v. U.S. Dept. of State, 925 F.Supp. 1 (D.D.C.1996) 21 Kent v. Dulles, 357 U.S. 116 (1958) 25 Keyishian v. Board of Regents of University of New York, 385 U.S. 589 (1967) 12, 25 Kleindienst v. Mandel, 408 U.S. 753 (1972) 12 Kolender v. Lawson, 461 U.S. 352 (1983) 18 Kunz v. New York, 340 U.S. 290 (1951) 15 Lakewood v. Plain Dealer Publishing Co., 486 U.S. 750 (1988) 12, 16 Leonardson v. City of East Lansing, 896 F.2d 190 (6th Cir. 1990) 20 Members of City Council v. Taxpayers for Vincent, 466 U.S. 789 (1984). 15 Minarcini v. Strongsville City School Disr., 541 F.2d 577 (6th Cir. 1976). 12 Minneapolis Star & Tribune Co. v. Comm. of Revenue, 460 U.S. 575 (1983) 18 Nebraska Press Assoc. v. Stuart, 427 U.S. 539(1976). 14 New York Times Co. v. United States, 403 U.S. 713(1971) 14, 15 Papachristou v. Jacksonville, 405 U.S. 156 (1972) 20 Parate v. Isibor, 868 F.2d 821 (6th Cir. 1989) 23 Pittsburgh Press Co. v. Pittsburgh Commission on Human Relations, 413 U.S. 376 (1973). 15 Roberts v. United States Jaycees, 468 U.S. 609 (1984). 14 Sandison v. Michigan High School Athletic Assoc., Inc. 64 F.3d 1026 (6th Cir. 1995 11 Shuttlesworth v. Birmingham, 394 U.S. 147 (1969) 15 Smith v. California, 361 U.S. 147 (1957) 20 Smith v. Groguen, 415 U.S. 566 (1974) 20 Southeastern Promotions Ltd. v. Conrad, 420 U.S. 546 (1975) 15 Sweezy v. New Hampshire, 354 U.S. 234 (1957) 12 University of California Regents v. Bakke, 438 U.S. 265 (1978) 12 Statutes 22 U.S.C. § 1934(a) (1970) 23 22 U.S.C. § 2778 (1996) 1, 23 22 U.S.C. § 2778(a)(1) 6, 23 22 U.S.C. § 2778(c) 10 22 U.S.C. § 2794 (1996) 24 22 U.S.C. § 2794(7) 24 50 U.S.C. § 2401 et seq. 22 Public Law 103-160 (November 30, 1993) 24 Regulations 15 C.F.R. § 768 et seq. 22 22 C.F.R. § 120 et seq. 1, 2, 7 22 C.F.R. § 120.1 15, 23 22 C.F.R. § 120.3 24 22 C.F.R. § 120.4. 9 22 C.F.R. § 120.6 7, 11 22 C.F.R. § 120.9 10, 11 22 C.F.R. § 120.9(a) 9 22 C.F.R. § 120.10 12 22 C.F.R. § 120.10(a) 7, 8, 11 22 C.F.R. § 120.10(a)(1) 8, 9 22 C.F.R. § 120.10(a)(4). 8, 21 22 C.F.R. § 120.10(a)(5) 10 22 C.F.R. § 120.11 10, 11, 12 22 C.F.R. § 120.11(a)(1) 8 22 C.F.R. § 120.11(a)(2), (4) 22 22 C.F.R. § 120.11(a)(3) 8 22 C.F.R. § 120.11(a)(6) 8 22 C.F.R. § 120.11(a)(8) 8 22 C.F.R. § 120.16 9 22 C.F.R. § 120.17 9, 11, 19 22 C.F.R. § 120.17(a)(1) 8, 21 22 C.F.R. § 120.17(a)(3) 8, 22 22 C.F.R. § 120.17(a)(4) 9 22 C.F.R. § 121.1 (Category XIII(b)) 18, 21, 23 22 C.F.R. § 121.1, Category XIII(k) 8, 23 22 C.F.R. § 121.1,(Category XIII(b)(1)) 7, 8, 11, 19, 20 22 C.F.R. § 121.8(f) 7, 8, 11, 19, 20, 22 22 C.F.R. § 121.10 19 22 C.F.R. § 122. 10 22 C.F.R. Part 123 7, 10, 11 22 C.F.R. Part 124 10, 11 22 C.F.R. Part 125 10, 11 22 C.F.R. § 127.1. 10 22 C.F.R. § 127.3 10 22 C.F.R. § 127.10. 10 Other Elizabeth Corcoran, U.S. Closes Investigation In Computer Privacy Case, Wash. Post, January 12, 1996 6 Emerson, The Doctrine of Prior Restraint, 20 Law & Contemp. Probs. 648 (1955) 15 Alan Friedman, The Computer Glossary (7th ed. 1995) 3, 4 A. Michael Froomkin, The Metaphor is the Key: Cryptography, the Clipper Chip, and the Constitution, 143 U. Pa. L. Rev. 709 (1995). 2 Donald E. Knuth, The Art of Computer Programming, Fundamental Algorithms (2d ed., 1973). 3 National Research Council, Draft Report on Cryptography Policy, May 30, 1996, http://www. eff.org/pub/Privacy/Key_escrow/Clipper_III /9605_nrc_cryptopolicy_draft.report 24 Nimmer on Copyright (1995) 18 Report of the Committee on Foreign Relations on S 3439, Report No. 94-876, U.S. Senate, 94th Congress, 2d Sess.,(1976) 24 Ira. S. Rubenstein, Export Controls on Encryption Software in Coping with U.S. Export Controls, PLI Commercial Law Series No. A-705 (1994) 23 William Stallings, Protect Your Privacy: A Guide for PGP Users (1995) 6 John Swinson, Copyright or Patent or Both: An Algorithmic Approach to Computer Software Protection, 5 Harv. J. Law and Tec 145(1991) 3, 20 Loring Wirbel, State Dept. tries to quash APIs for PGP cryptography, Electronic Engineering Times, April 29, 1996 16 SUMMARY OF THE ARGUMENT In this motion, the plaintiff seeks a preliminary injunction to enjoin the defendants from interpreting, applying, and enforcing the International Traffic in Arms Regulations ("ITAR," "the regulations"), 22 C.F.R. §§ 120 et seq., to require that the plaintiff and his students register or obtain a license or approval from the defendants before disclosing to any person or persons by speech, publication or any other means or by any medium, unclassified information about cryptography, whether or not that information is included within the definition of "software" or "technical data" as those terms are defined in ITAR. In seeking a preliminary injunction, the plaintiff need only show that there is a strong likelihood of success on the merits, that he has, and will continue to, suffer irreparable harm, that the preliminary injunction will not cause substantial harm to others and that granting the preliminary injunction is in the public interest. On the merits, the plaintiff argues that ITAR's export provisions on cryptographic information violate the First Amendment. Specifically, the plaintiff argues that ITAR's restrictions on cryptography (i) infringe on rights of academic freedom, political speech and freedom of association, (ii) constitute prepublication prior restraints that provide no judicial safeguards and (iii) are overbroad and vague allowing the defendants to arbitrarily and capriciously control practically all disclosures of unclassified cryptographic information. The plaintiff also argues (iv) that § 38 of the Arms Export Control Act of 1976, 22 U.S.C. § 2778 (1996), does not authorize the defendants to control the noncommercial, nonmilitary disclosure of unclassified technical and scientific information within the United States and, in particular, on the internet. INTRODUCTION Cryptography is the art and science of encoding or encrypting communication. Cryptography has broad applications for ensuring the security and privacy of electronic communication and commerce. Cryptographic applications can be used to keep communications, such as email, confidential, to keep the sender of a message anonymous and to authenticate electronic transac tions. In this action, the plaintiff challenges the constitutionality of an administrative licensing scheme imposed by the defendants (collectively, "the government") on the disclosure and exchange of cryptographic information. Specifically, the plaintiff challenges the constitutionality of provisions of the International Traffic in Arms Regulations ("ITAR," "the regulations"), 22 C.F.R. § 120 et seq. (1996), that require a license or approval from the defendants before the disclosure of cryptographic information to foreign persons and the transfer of such information out of the United States. The plaintiff, Professor Peter D. Junger, teaches law at Case Western Reserve University. Prof. Junger wants to teach, publish and exchange cryptographic information without having to petition the government. Under ITAR, Prof. Junger is required to register as an arms merchant and obtain a license before he is allowed to disclose cryptographic information to "foreign persons," including foreign students, within the United States and anyone, without limitation, outside the United States. The defendants' intent is to restrict the dissemination of cryptographic information, including the dissemination of unclassified, privately developed cryptographic software. None of the information or software that Prof. Junger seeks to disclose is classified, and most of it is widely available outside the United States. Nonetheless, all cryptographic information is potentially subject to ITAR. ITAR's export provisions on cryptography constitute a prepublication licensing scheme that has been drafted and interpreted in such a confusing way that the defendants can arbitrarily and capriciously exercise unlimited discretion to determine what is subject to ITAR and, thus, what requires a license. Failure to obtain a license before disclosing cryptographic information subject to ITAR carries severe criminal and civil penalties. As a result, ITAR has a chilling effect on Prof. Junger's speech and the extent to which people feel free to exchange confidential information and communicate over the internet. In the instant motion, Prof. Junger seeks a preliminary injunction enjoining the defendants from interpreting, applying and enforcing ITAR to restrict him and his students from disclosing unclassified cryptographic information, including cryptographic algorithms, source codes, representations of machine code and executable programs, to any person or persons, regardless of their status as foreign persons, and from posting cryptographic information on an FTP server or a World Wide Web ("Web") site without a license or approval from the defendants. STATEMENT OF FACTS A. Factual Background Peter Junger has taught law at Case Western Reserve University ("CWRU") for the last twenty-five years. Beginning in 1986 and each year since 1993, Prof. Junger has taught a course on computers and the law. The course principally focuses on issues in intellectual property law relating to computers and computer programs, but also covers a wide spectrum of issues from basic computer concepts, such as the way computers process data, to the legal and political issues created by emerging technology, such as the effects of the proposed Clipper Chip on individual privacy and free speech. In May 1993, Prof. Junger wrote a short encryption program. See Pl.'s Decl., Ex. A ¶ 7. Prof. Junger intended to use the program in class the following semester. However, because he suspected that his program might be subject to federal export laws he contacted the Department of Commerce's Bureau of Export Administration. From May 1993 to June 1993 and again in October 1995, Prof. Junger contacted the defendant agencies and other federal agencies to see if his program was subject to licensing. However, he was unable to get a determinative answer. And even if he had received a clear, determinative answer, the defendants would not have been bound by any answer given over the telephone. Prof. Junger was, and is, concerned that he would violate ITAR if he disclosed his program and related cryptographic information to foreign students. In 1993, believing that disclosure to Canadians was exempt under ITAR, Prof. Junger allowed two Canadian students to enroll in his class. Since then he has taken the precaution of opening his class only to students who are U.S. citizens or permanent residents. Other than allowing Canadian students to enroll in the computer and law class in 1993, Prof. Junger has not disclosed his program to foreign students and has refrained from disclosing his program in the presence of foreign colleagues. When Prof. Junger contacted Paul Leyland at Oxford University about including Mr. Leyland's encryption program in his course materials, Prof. Junger could not disclose his program to Mr. Leyland. Moreover, Prof. Junger could not disclose Mr. Leyland's own program to him without violating ITAR. Recently, the former Dean of CWRU law school requested a copy of Prof. Junger's course materials for a colleague in China, but sending the materials to a professor in China would clearly violate ITAR. Since he wrote his encryption program, Prof. Junger has added other cryptographic information to his course materials, including Mr. Leyland's program and the RSA algorithm. Prof. Junger wants to present the source codes for encryption programs and encryption algorithms to foreign students and faculty without having to petition the government. He wants to publish his course materials and is in the process of writing a law review article on ITAR and cryptography that would include material covered under the regulations. If published, the article would be available on LEXIS and WESTLAW, which may also constitute a violation of ITAR. Prof. Junger also wants to show students how to keep electronic communication, especially email, confidential. He wants to tell his students where to obtain functioning encryption software, such as PGP. The easiest way for Prof. Junger to distribute information is to make it available on an FTP server or a Web page connected to the internet. Thus, he wants to make cryptographic information, including executable programs, available on the internet. CWRU has already set up a Web page that could easily link to Prof. Junger's FTP server or his Web page at http:// samsara.law.cwru.edu. None of the information and software that Prof. Junger wants to disclose is classified. Outside of a direct threat to national security that the government can show is posed by a specific disclosure, Prof. Junger must be free to disclose cryptographic information and software to foreign persons within the United States and to send such information and software abroad without having to obtain a license. B.The Regulatory Framework Section 38 of the Arms Export Control Act ("AECA") authorizes the President to control the import and export of defense articles and defense services. 22 U.S.C. § 2778(a)(1). Under this grant, the President has authorized the Department of State, in consultation with the Department of Defense, to designate defense articles and services on the United States Munitions List ("USML") and promulgate regulations governing their import and export. The resulting regulations constitute the International Traffic in Arms Regulations ("ITAR," "the regulations"), 22 C.F.R. § 120 et seq. ITAR is divided into ten subparts, including definitions (Part 120), the USML (Part 121), registration and licensing requirements (Parts 122-25) and civil and criminal penalties (Part 127). The USML in Part 121 consists of various categories that cover physical items, such as missiles, launch vehicles and radar systems as well as "nonphysical items," such as software and other technical information. In particular, Category XIII(b) covers "Information Security Systems," which includes "cryptographic software" defined as "software with the capability of maintaining secrecy or confidentiality of information or information systems . . ." § 121.1, Category XIII(b)(1). In addition to the specific categories enumerated in Part 121, ITAR defines three general categories in Part 120, namely defense articles, technical data and defense services. A "defense article" is defined as "any item or technical data designated in § 121.1 of this subchapter [the USML]." § 120.6. Since cryptographic software is listed on the USML, it falls under the definition of a defense article. "Technical data," which is included in the definition of "defense article," is defined in § 120.10(a) and reads, in relevant part: (1) Information, other than software as defined in § 120.10(d) [sic], which is required for the design[,] development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of defense articles. This includes information in the form of blueprints, drawings, photographs, plans, instructions and documentation. . . . . (4) Software as defined in § 121.8(f) of this subchapter directly related to defense articles; (5) This definition does not include information concerning general scientific, mathematical or engineering principles commonly taught in schools, colleges and universities or information in the public domain as defined in § 120. 11. . . . § 120.10(a)(1), (4)-(5). Since cryptographic software is a defense article, apparently all information related to cryptographic software falls under the definition of "technical data" by virtue of subsection (1), unless exempted under subsection (5). Moreover, cryptographic software itself would seem to be technical data by virtue of subsection (4). Technical data is itself listed on the USML. In particular, Category XIII includes technical data (and defense services) related to cryptographic software. See § 121.1, Category XIII(k). Thus, both cryptographic software and cryptographic technical data are defense articles and cannot be exported without a license or written approval from the ODTC. According to ITAR, a defense article is exported if it is sent or taken outside the United States in any manner, § 120.17(a)(1), or disclosed or transferred in the United States to an embassy or agency of a foreign government, § 120.17(a)(3). Thus, as defense articles, cryptographic software and cryptographic technical data cannot be sent or taken out of the country without a license or written approval from the ODTC. To complicate matters, technical data has its own definition of "export" that radically differs from the definition of "export" for defense articles. For technical data, "export" means: (4)Dis closing (including oral or visual disclosure) or transferring technical data to a foreign person, whether in the United States or abroad. § 120.17(a)(4). Thus, technical data related to cryptographic software (and presumably the software itself), unless exempted, requires a license or written approval before it can be transferred or disclosed to foreign persons, including foreign students, within the United States. The disclosure of cryptographic software may also be regulated as the export of a defense service. A "defense service" is defined, in relevant part, as (1) [t]he furnishing of assistance (including training) to foreign persons, whether in the United States or abroad, in the design, development, engineering, manufacture, production, assembly, testing, repair, maintenance, modification, operation, demilitarization, destruction, processing or use of defense articles; or (2) The furnishing to foreign persons of any technical data controlled under this subchapter (see § 120.10) whether in the United States or abroad. § 120.9(a). A defense service is exported if it is performed "on behalf of, or for the benefit of, a foreign person, whether in the United States or abroad." § 120.17. Thus, cryptographic software and technical data may be subject to regulation if disclosed for the benefit of foreign students within the United States. Before a person "exports" cryptographic software or other cryptographic information, he must apply for a license unless the software or information is exempt from regulation. If he intends on exporting a defense article or a defense service, he must first register as an arms merchant, which requires a registration fee of at least two hundred and fifty dollars. See §§ 122.1-2. The application and licensing requirements differ according to whether a defense article, technical data or a defense service is exported. See Part 123 (requirements for export of unclassified defense articles), Part 124 (requirements for export of defense services) and Part 125 (requirements for export of technical data and classified defense articles). Therefore, a person intending to export cryptographic information must know whether he will be exporting a defense article, technical data or a defense service. Under ITAR, it is unlawful to export or attempt to export a defense article, technical data or a defense service for which a license is required without a license or written approval from the ODTC. See § 127.1. A person who exports cryptographic software or other cryptographic information without obtaining a license or ODTC approval faces severe criminal and civil penalties. See § 127.3, § 127.10. A violation of the regulations carries with it a potential fine of up to one million dollars and ten years in prison. See 22 U.S.C. § 2778(c). The encryption algorithms, source codes, representations of machine codes and executable programs that Prof. Junger wants to disclose presumably fall under both the definitions of "cryptographic software" and "technical data." Other information that Prof. Junger wants to disclose, for example, documentation and information on where to obtain and how to use encryption programs, falls under the definition of "technical data" unless exempted under § 120.10(a)(5) or § 120.11. Any cryptographic software and technical data that Prof. Junger discloses to foreign students may also be subject to regulation as the performance of a "defense service" under § 120.9. DISCUSSION I. Standards For Granting A Preliminary Injunction In determining whether to issue a preliminary injunction, the Court is obligated to consider four factors: (i) the likelihood that the party seeking the preliminary injunction will succeed on the merits; (ii)whether the party seeking the injunction will suffer irreparable harm without the injunction; (iii)the probability that the injunction will cause substantial harm to others; and (iv) whether the public interest is advanced by the issuance of the injunction. See Dayton Area Visually Impaired Persons, Inc. v. Fisher, 70 F.3d 1474, 1480 (6th Cir. 1995) (citing Washington v. Reno, 35 F.3d 1093, 1099 (6th Cir. 1994)); Sandison v. Michigan High School Athletic Assoc., Inc. 64 F.3d 1026, 1030 (6th Cir. 1995). As the Court in Sandison observed, the four factors are "not prerequisites that must be satisfied. These factors simply guide the discretion of the court; they are not meant to be rigid and unbending requirements." Id.(emphasis in original). II. The Likelihood Of Success On The Merits The plaintiff challenges the provisions of ITAR that require registration and a license before the export of cryptographic software and other cryptographic information. Specifically, the plaintiff challenges the definitions of "cryptographic software" in 22 C.F.R. §§ 121.1(Category XIII(b)(1)), 121.8(f), "defense article" in § 120.6, "defense service" in § 120.9, "technical data" in § 120.10, "public domain" in § 120.11 and "export" in § 120.17 read together with the registration and licensing provisions in 22 C.F.R. Parts 123-25. The challenged regulations are unconstitutional because they constitute a blatant system of overbroad and vague prior restraints that violate rights of academic freedom, political speech and freedom of association. Moreover, there is no evidence whatsoever that Congress authorized a licensing scheme on the free, nonmilitary disclosure of unclassified technical and scientific information within the United States or on the internet. A.ITAR's Registration and Licensing Scheme Infringes on Rights of Academic Freedom, Political Speech and Freedom of Association. "[T]he purpose of the free speech clause . . . is to protect the market in ideas, broadly understood as the public expression of ideas, narratives, concepts, imagery, opinions ‹ scientific, political, or aesthetic . . ." Dambrot v. Central Michigan University, 55 F.3d 1177, 1188 (6th Cir. 1995)(quoting Swank v. Smart, 898 F.2d 1247, 1250 (7th Cir. 1990)(Posner, J.)). This conception of the First Amendment as protecting a "marketplace of ideas" is nowhere more relevant than in academic contexts, and thus it is well established that academic freedom is a "special concern of the First Amendment." See Keyishian v. Board of Regents of University of New York, 385 U.S. 589, 603 (1967); see also University of California Regents v. Bakke, 438 U.S. 265, 312 (1978) ("Academic freedom, though not a specifically enumerated constitutional right, has long been viewed as a special concern of the First Amendment".) The First Amendment allows Prof. Junger to decide what he wants to teach, how it should be taught and to whom he can teach. See Sweezy v. New Hampshire, 354 U.S. 234, 263 (1957) (Frankfurter, J., concurring)(describing the "essential freedoms" of a university); see also Parate v. Isibor, 868 F.2d 821, 827 (6th Cir. 1989)(extending university freedoms to individual professors). The First Amendment also protects the rights of professors and students to receive and exchange information. See Kleindienst v. Mandel, 408 U.S. 753, 762-63 (1972)(recognizing that the First Amendment protects the right to receive information and ideas); Minarcini v. Strongsville City School Disr., 541 F.2d 577 (6th Cir. 1976)(recognizing a First Amendment "right to know" in academic contexts). Thus, the First Amendment protects Prof. Junger's rights to publish and exchange cryptographic information with foreign professors, researchers and students without having to obtain a license. Prof. Junger believes that it is important for his students to have an understanding of cryptography and believes that the best way for his students to gain an understanding of cryptography is to have some exposure to encryption algorithms and programs. Cryptography has profound implications for individual privacy, law enforcement and government access to confidential information. Recently, the National Research Council ("NRC") recommended an open public debate on the government's cryptography policy. See Ex. B1, NRC Press Release, May 30, 1996. In this context, a knowledge of cryptography is vital for an informed political debate and, thus, is as much political speech as academic speech. In a 1981, the Justice Department's Office of Legal Counsel ("OLC") concluded that ITAR could not be constitutionally applied to "communications of unclassified information" by persons, for example, university professors "who are not directly connected or concerned in any way with any foreign conduct carrying dangerous potential for the United States." See Ex. D, OLC memorandum dated July 1, 1981, at 212. Prof. Junger is not connected to any foreign person or government that poses a threat to the United States, and none of the information he seeks to disclose is classified. Nonetheless, his teaching, publication and research are subject to regulation under ITAR. If Prof. Junger discloses his program and other cryptographic information to foreign students and foreign colleagues, he must apply for, and obtain, a license or approval from the defendants. Thus, Prof. Junger must choose between petitioning the government and allowing foreign students in his class or exchanging research with foreign colleagues. The choice placed on Prof. Junger unduly burdens his rights and the rights of students and colleagues to free association as well as free expression. Prof. Junger seeks to engage in academic and political discourse with students and colleagues. Where individuals seek to engage in expression protected by the First Amendment, the constitution recognizes a corresponding right to freedom of association. See Roberts v. United States Jaycees, 468 U.S. 609, 617-18 1984). ITAR's restrictions on the export of cryptography are unconstitutional restrictions on academic and political speech and free association. ITAR does not require Prof. Junger to apply for and obtain a license before he can speak, publish or communicate information about most subjects to foreign persons, but it does require him to apply for and obtain a license before communicating cryptographic information to foreign persons. If the government is allowed to regulate academic and political speech and restrict rights of free association, it cannot regulate by imposing overbroad and vague prior restraints. B.ITAR's Registration and Licensing Scheme Constitutes an Unconstitutional Prior Restraint. Prior restraints "are the most serious and least tolerable infringement on first amendment rights." Nebraska Press Assoc. v. Stuart, 427 U.S. 539, 559 (1976). As often quoted by the courts, "[a]ny system of prior restraints of expression comes to this Court bearing a heavy presumption against its constitutional validity." New York Times Co. v. United States, 403 U.S. 713, 714 (1971)(per curiam)(quoting Bantam Books, Inc. v. Sullivan, 372 U.S. 58, 70 (1963)(citations omitted)). "[T]he clearest form of prior restraint arises in those situations where the government. . . undertakes to prevent future publication or other communication without advance approval of an executive official." Emerson, The Doctrine of Prior Restraint, 20 Law & Contemp. Probs. 648, 655 (1955). The administrative licensing scheme in ITAR, which requires a license before exporting any type of cryptographic software no matter how trivial, constitutes the clearest and most blatant form of prior restraint. Under ITAR, a person must obtain an imprimatur or a license before publishing a book or article containing cryptographic software, distributing encryption programs on the internet or disclosing cryptographic information to a foreign person even if the information is unclassified and poses no threat to national security. The propensity to chill speech, especially the propensity to cause self censorship, is the great danger of prior restraints. "The special vice of a prior restraint is that communication will be suppressed, either directly or by inducing excessive caution in the speaker, before an adequate determination [has been made] that it is unprotected by the First Amendment." Pittsburgh Press Co. v. Pittsburgh Commission on Human Relations, 413 U.S. 376, 390 (1973). Prof. Junger's speech has been, and continues to be, chilled to the point of freezing. He has refrained from teaching his class to foreign students, discussing his work with foreign colleagues and publishing material that contains cryptographic information. In order for the government to impose a prior restraint on cryptographic information, the government must demonstrate that a specific disclosure poses a "direct, immediate and irreparable" threat to national security. See New York Times, 403 U.S. at 730 (Stewart, J., concurring). The government cannot come close to meeting that burden given the broad range of information that is subject to ITAR. Moreover, the prior restraints imposed by ITAR represent a prepublication licensing scheme which, unlike an injunction, prohibits the exchange of cryptographic information without a prior judicial determination of "direct, immediate and irreparable" harm. Even if the government could demonstrate a "direct, immediate and irreparable" harm, it cannot regulate by imposing a licensingscheme that has no narrow, objective standards by which to determine what may, and what may not, be disclosed. See Forsyth County v. The Nationalist Movement, 505 U.S. 123, 131 (1992). Nor can the government impose a licensing scheme that lacks procedural safeguards. See Freedman v. Maryland, 380 U.S. 51, 58-60 (1965). The Supreme Court has consistently invalidated licensing schemes giving an official or agency virtually unlimited discretion to act without objective, narrowly drawn standards. See, e.g., Lakewood v. Plain Dealer Publishing Co., 486 U.S. 750 (1988) (invalidating ordinance giving the mayor discretion to deny permit applications for newsracks on public party on any terms he deems necessary and reasonable); Southeastern Promotions Ltd. v. Conrad, 420 U.S. 546 (1975) (invalidating action of a municipal board in refusing to allow production of the musical Hair in a city theater because it would not be "in the best interest of the community"); Shuttlesworth v. Birmingham, 394 U.S. 147 (1969) (invalidating ordinance that gave city commission unbridled discretion to prohibit parades and demonstrations); Kunz v. New York, 340 U.S. 290 (1951) (invalidating ordinance that gave police commissioner unbridled discretion to prohibit public worship meetings). ITAR is susceptible to so many different interpretations, see infra, that it allows the defendants to exercise "unbridled" discretion to grant or deny licenses. There are no discernable, objective standards or criteria behind the defendants' decisions. Thus, when Prof. Junger asked Major Oncale at the ODTC about the licensing criteria, he was in effect told that there weren't any. See Pl.'s Decl. ¶ 11. If officials are allowed to act with "unbridled discretion," licensing becomes censorship. See Lakewood v. Plain Dealer Publishing Co., 486 U.S. 750, 757 (1988)(citations omitted). In such cases, the First Amendment requires the strictest procedural safeguards: "(1) any restraint prior to judicial review can be imposed only for a specified brief period during which the status quo must be maintained; (2) expeditious judicial review of that decision must be available; and (3) the censor must bear the burden of going to court to suppress the speech and must bear the burden of proof once in court." FW/PBS, Inc. v. City of Dallas, 493 U.S. 215, 227-28 (1990)(citing Freedman, 380 U.S. at 58-60)). ITAR contains no provision for judicial review. Without a showing of "direct, immediate and irreparable" harm, discernable standards and a mechanism to provide for expeditious judicial review, the provisions of ITAR that require a license or the defendants' approval before the disclosure of cryptographic software and other cryptographic information must be struck down as unconstitutional prior restraints. C. ITAR's Registration and Licensing Scheme is Unconstitutionally Overbroad And Vague. A law is unconstitutionally overbroad on its face if there is "a realistic danger that the [law] itself will significantly compromise recognized First Amendment protections of parties not before the court. . . ." Members of City Council v. Taxpayers for Vincent, 466 U.S. 789, 801 (1984). Prof. Junger raises the rights of others, as well as himself, and thus challenges the regulations on both facial and applied grounds. Prof. Junger raises the rights of foreign and U.S. students to receive and exchange cryptographic software and other cryptographic information. He also raises the rights of those who desire to sell functioning encryption software overseas, those who desire to distribute privately developed encryption software on the internet, and those who desire to develop and distribute software applications with cryptographic interfaces ("crypto with a hole"). Prof. Junger challenges the provisions of ITAR that require a license or ODTC approval for the export of cryptographic software and other cryptographic information. The challenged provisions include the definitions of "export," "cryptographic software," "technical data" and "defense service." These definitions are unconstitutionally overbroad because they reach expression protected by the First Amendment that has little to do with the intended purpose of the AECA and ITAR, namely, the regulation of arms exports. This circuit has adopted a two-part test to analyze facial overbreadth challenges. A regulation is facially overbroad if it "reaches a substantial amount of constitutionally protected speech" and is "constitutionally invalid under the void for vagueness doctrine." See Dambrot v. Central Michigan University, 55 F.3d 1177, 1182-83 (6th Cir. 1995). 1. The regulations reach a substantial amount of protected speech In 1981 and 1984, the Justice Department's Office of Legal Counsel ("OLC") was asked to review proposed revisions to ITAR. In both reviews, the OLC concluded that proposed revisions were unconstitutionally overbroad because they could be applied in contexts that would not pose a threat to national security. See Ex. D, OLC memorandum dated July 1, 1981, at 212; Ex. E, OLC memorandum dated July 5, 1984, at 12, 14-15. The present version of ITAR continues to reach communication that is protected by the First Amendment and that does not pose a threat to national security. Cryptographic software and cryptographic technical data are technical and scientific expression and are, thus, protected by the First Amendment. See Board of Trustees of Leland Stanford Univ. v. Sullivan, 773 F.Supp. 472, 474 (D.D.C. 1991)(scientific expression is speech protected by the First Amendment). Recently, in Bernstein v. U.S. Department of State, 922 F. Supp 1426, 1436 (N.D. Calif. 1996), the court explicitly held that source code is speech protected by the First Amendment. Arguably, the provisions regulating the export of cryptographic software and technical data control only protected speech. Documentation and other information on where to obtain and how to use cryptographic programs are clearly speech. Even executable programs in machine code, which are afforded copyright protection, should fall within the province of the First Amendment under Minneapolis Star & Tribune Co. v. Comm. of Revenue, 460 U.S. 575 (1983). In Minneapolis Star & Tribune, the Court struck down a sales and use tax on newsprint and ink. While newsprint and ink are not themselves speech, they play a direct and obvious role in publication. Likewise, in the context of electronic communication, such as email, executable encryption programs play a direct and vital role in the publication of confidential and privileged communication and thus are protected by the First Amendment. Cf. ACLU v. Reno, 1996 U.S. Dist. Lexis 7919, at *198 (E.D. Pa., June 11, 1996) (opinion by Dalzell, J.) (finding that the internet is afforded the broadest possible First Amendment protection). The regulations, as written and as interpreted by the defendants, control the communication of information that is neither classified nor poses a threat to national security. The definitions of "cryptographic software," §§ 121.1 (Category XIII(b)(1)), 121.8(f), and "technical data," § 121.10, cover an extremely broad range of speech from information on where to obtain and how to use publicly available encryption programs to the encryption programs themselves. The definitions of "export" in § 120.17 include the communication of cryptographic software and cryptographic information within the United States and arguably all communications of cryptographic software and information to foreign persons. Thus, the regulations control a substantial amount of protected speech. 2. The regulations are vague and ambiguous. A law is void for vagueness if persons "of common intelligence must necessarily guess at its meaning and differ as to its application." Connally v. General Construction Co., 269 U.S. 385, 391 (1926). In First Amendment contexts, the void for vagueness doctrine requires a higher degree of specificity than might otherwise be permissible. See Smith v. Groguen, 415 U.S. 566, 573 (1974); see also Smith v. California, 361 U.S. 147, 151 (1957); N.A.A.C.P. v. Button, 371 U.S. 415, 432-33 (1963). The prohibition on vague regulations is based on the need to minimize the risk of discriminatory enforcement. Gentile v. State Bar of Nevada, 501 U.S. 1030, 1051 (1991); Kolender v. Lawson, 461 U.S. 352, 357 (1983); Leonardson v. City of East Lansing, 896 F.2d 190, 196 (6th Cir. 1990). It is also based on the need to provide fair notice to persons of prohibited conduct. See Papachristou v. Jacksonville, 405 U.S. 156, 162 (1972); Leonardson, 896 F.2d at 196. ITAR's restrictions on cryptography fail to provide fair notice of what is subject to regulation and allow the defendants to adopt arbitrary and inconsistent positions. Specifically, the restrictions on the export of cryptographic software and technical data fail to provide fair notice of what is cryptographic software, what is technical data and what, if anything, is exempt from the registration and licensing requirements. The definition of "cryptographic software" in § 121.1 (Category XIII(b)(1)) together with § 121.8(f) is both overbroad and vague. "Software" is defined so broadly in § 121.8(f) that it includes much more than the source codes and executable machine codes of encryption programs such as the one Prof. Junger wrote. The definition of "software" in § 121.8(f) includes, without limitation, system designs, logic flow (presumably represented by flow charts) and algorithms. Algorithms, for example, can be expressed in a variety of languages from English to more "technical" languages such as mathematics and programming languages. See Computer Software Protection, 5 Harv. J. Law and Tech at 146-47. Because the definition of "software" in ITAR includes algorithms and other non-code information, the defendants can regulate information expressed in English and mathematics. Thus, the defendants have classified a purely academic paper in mathematics as a defense article, see Bernstein, 922 F. Supp at 1439 (N.D. Calif. 1996), and could classify a simple encryption algorithm that says, in English, "replace each letter in a word with the next letter of the alphabet" or, in mathematics, "A+1=B, B+1=C, . . ., Z+1=A" as a defense article. The definition of "cryptographic software" is also vague because it includes programs that were not written as encryption programs. The defining characteristic of cryptographic software is software with "the capability of maintaining secrecy or confidentiality of information." § 121.1, Category XIII(b). Software that is written for purposes other than the encryption of information, for example, translation programs such as UUENCODE and decompression programs such as Stuffit, can be used to maintain secrecy or confidentiality, but are not ordinarily thought of as encryption programs. Moreover, any software program, including email and wordprocessing programs, that can incorporate cryptography may be subject to control. ITAR is especially vague in its definition of "technical data" and in particular in the lack of any clear distinction between cryptographic software and technical data. The definition of "technical data" specifically includes software directly related to defense articles. See § 120.10 (a)(4). Since cryptographic software is a defense article, it should fall under the definition of "technical data" in § 120.10(a)(4). However, the defendants have ruled that cryptographic software is not technical data. See Ex. H, letter from Martha C. Harris to Phil Karn dated October 7, 1994. The defendants have excluded cryptographic software fromthe definition of "technical data" to avoid the public domain exemption in § 121.11, which they construe as applying only to technical data. The public domain exemption should exempt cryptographic software from regulation if it is generally available to the public and meets certain criteria. However, if the public domain exemption only applies technical data, the defendants can control cryptographic software even if it is widely available in bookstores and on the internet. In practice, the defendants have inconsistently applied the public domain exemption to cryptographic software. In response to a commodity jurisdiction request, the ODTC held that Applied Cryptography, a book by Bruce Schneier, was not subject to regulation under ITAR even though the book contains the source codes of a number of encryption algorithms. See Ex. I, letter from William B. Robinson to Phil Karn dated March 2, 1994. The source codes clearly fall under the definition of "cryptographic software." in § 121.8(f), but the ODTC ruled that the book was in the public domain and exempt from regulation. If cryptographic software is regulated only as a defense article, it should be freely disclosed within the United States to foreign persons who are not agents of a foreign government. See § 120.17(a)(1),(3). However, the defendants have interpreted "export" for defense articles to include the posting of cryptographic software on the internet. See Ex. C, ODTC letter to James Demberger dated September 22, 1994. Moreover, the disclosure of cryptographic software and technical data within the United States can be regulated as the export of a defense service if disclosed "on behalf of, or for the benefit of, foreign persons." See §120.17(a)(5). Even the disclosure of technical data in the public domain, for example, information on where to obtain and how to use PGP, may be subject to regulation. Thus, the ambiguities in the definitions enable the defendants to manipulate the meanings of crucial terms to avoid the public domain exemption, as well as any other exemption, and cover practically all disclosures of cryptographic information to foreign persons within the United States and anyone, including U.S. citizens, outside the United States. D. There is no Statutory or Constitutional Basis for ITAR's Restrictions on the Domestic Publication and Dissemination of Cryptography. ITAR was promulgated pursuant to § 38 of the AECA. See 22 C.F.R. § 120.1. Section 38 authorizes the President to control the import and export of defense articles and defense services "[i]n furtherance of world peace and the security and foreign policy of the United States." 22 U.S.C. § 2778(a)(1). There is nothing, however, in the statutory language or legislative history of § 38 or its predecessor, § 414 of the Mutual Security Act of 1954, 22 U.S.C. § 1934(a) (1970), that authorizes the President to establish a licensing scheme on the publication and dissemination of unclassified cryptography within the United States. The language of the AECA strongly suggests that any restrictions that ITAR can place on information and publication, other than information relating to purchase and export negotiations must be directly related to military applications. See § 2778(a). The legislative history also provides no evidence of Congressional intent to regulate the domestic dissemination and publication of cryptographic information. Section 414 of the Mutual Security Act of 1954 delegated to the President the authority to control "the export of . . . arms, ammunition and implements of war, including technical data related thereto." 22 U.S.C. § 2778 (1972)(emphasis added). In a review of "public" cryptography, i.e., privately developed cryptography, by the Justice Department in 1978, the Office of Legal Counsel ("OLC") stated that "further Congressional authorization would obviously be necessary in order to extend governmental controls to domestic as well as foreign disclosures of public cryptographic information." Ex. F, OLC Memorandum to Dr. Frank Press, May 11, 1978, at 15. Absent clear authority under the AECA, the defendants are acting without Congressional authorization by requiring a license before the domestic publication and dissemination of unclassified cryptographic information. Although the Supreme Court has held that not every action by executive officials outside the scope of their statutory authority is a constitutional violation of separation of powers, Dalton v. Specter, 114 S.Ct 1719 (1994), the actions of these defendants violate separation of powers: The broad sweep of ITAR's export controls allows the defendants to legislate in the area of domestic affairs. ITAR explicitly defines "export" to include the disclosure of technical data and the performance of defense services within the United States, and the defendants have interpreted "export" to include publication on the internet. Any control over strictly domestic disclosures and transfers of information is beyond the authority granted by the AECA or any other export control legislation. Moreover, by controlling the publication of cryptographic information to usenet groups and web sites on the internet and the availability of application programs, such as email programs, that contain encryption, the defendants necessarily control the exchange of information between U.S. citizens within the United States. See ACLU v. Reno, 1996 U.S. Dist. LEXIS 7919 at *22-3 (approximately 60 percent of host computers connected to the internet are located within the United States). Delegated authority must be narrowly construed where agencies, acting under apparent Congressional authority, threaten personal freedoms. See Kent v. Dulles, 357 U.S. 116, 129 (1958). Here, the conduct of the defendants threatens the First Amendment rights of Prof. Junger and others to speak and publish cryptographic information. If controls can be placed on the domestic publication of cryptographic information and the dissemination of cryptographic information on the internet that do not violate the First Amendment, it is up to Congress to craft such legislation. The Executive cannot impose restrictions on publication under the guise of controlling arms exports. Assuming that the AECA has implicitly authorized the President to regulate the dissemination of cryptographic information within the United States and on the internet, the system of prior restraints imposed by ITAR and the actions of the defendants must be reviewable by the courts. Section 2778(h) of the AECA precludes judicial review of designations of items on the USML. To the extent that § 2778(h) precludes judicial review of the designation of cryptographic software and cryptographic technical data on the USML and specific determinations by the defendants that information protected by the First Amendment is subject to licensing, § 2778(h) is unconstitutional in violation of separation of powers. III. Without the Injunction, the Plaintiff Will Suffer Irreparable Harm It is well established that "the loss of First Amendment freedoms, for even minimal periods of time, unquestionably constitutes irreparable injury." Elrod v. Burns, 427 U.S. 347, 373 (1976) (citing to New York Times Co. v. United States, 403 U.S. 713 (1971)); Dayton Area Visually Impaired Persons, Inc. v. Fisher, 70 F.3d 1474, 1489-90 (6th Cir. 1995), cert. denied, Dayton Area Visually Impaired Persons, Inc. v. Montgomery, 116 S.Ct. 1421 (1996). As the Sixth Circuit has recently stated, "to the extent that the plaintiffs have established a substantial likelihood that they could succeed on the merits of their First Amendment claims, they have also established the possibility of irreparable harm . . . ." Id. at 1490. Thus, to the extent that Prof. Junger has established a strong likelihood of success on the merits, he has established irreparable harm. IV. There is Little, If Any, Probability that the Injunction Will Cause Substantial Harm At this stage of the proceedings, Prof. Junger is not seeking to enjoin the defendants from applying and enforcing the regulations against all persons. He is seeking a preliminary injunction only to prevent the defendants from applying and enforcing ITAR against him and his students. The defendants can hardly claim that any disclosure by Prof. Junger or his students would in any way compromise the national security of the United States. V. The Public Interest Is Advanced by Issuance of the Injunction "[T]he public as a whole has a significant interest in ensuring . . . protection of First Amendment liberties." Dayton Area Visually Impaired, 70 F.3d at 1490. Moreover, as this case concerns the rights of a university professor to teach what he wants to whom he wants, this cases raises rights of academic freedom, which are a special concern for the society as a whole. See Keyishian v. Board of Regents of University of New York, 385 U.S. 589, 603 (1967). CONCLUSION For the foregoing reasons, the plaintiff's motion for preliminary injunction should be granted. Respectfully submitted, GINO J. SCARSELLI (0062327) KEVIN FRANCIS O'NEILL (0010481) 664 Allison Dr. Professor of Law Richmond Hts., OH 44143-2904 Cleveland-Marshall College of Law (216) 291-8601 1801 Euclid Ave. Cleveland, OH 44115 RAYMOND VASVARI (0055538) (216) 687-2286 1300 Bank One Center 600 Superior Ave. East Cleveland, OH 44114-2650 (216) 522-1925 CERTIFICATE OF SERVICE The undersigned hereby certifies that a copy of the foregoing was served on August __, 1996, by personal delivery to the Office of the United States Attorneys upon Elizabeth M. Sweeney, United States Attorney, 1800 Bank One Center, 600 Superior Avenue Northeast, Cleveland, Ohio 44114 and by certified mail on August ___, 1996, upon the following: Janet Reno The Department of State and Attorney General of the United States Warren Christopher, Secretary of State Main Justice Building 2201 C Street, NW 10th & Constitution Ave., NW Washington D.C. 20520 Washington D.C. 20530 The National Security Agency and The Office of Defense Trade Controls and Lt. General Kenneth A. Minihan, Director William J. Lowell, Director 9800 Savage Rd. 1700 Lynn Street Fort Mead, MD 20755-6000 Rosslyn. VA 22209 Respectfully submitted, _______________________ Gino J. Scarselli (0062327) 664 Allison Drive Richmond Hts., OH 44143 Tel. 216-291-8601 Fax 216-291-8601 Attorney for the Plaintiff