1996-12-21 - Reflections on the Bernstein ruling

Header Data

From: Greg Broiles <gbroiles@netbox.com>
To: cryptography@c2.net
Message Hash: 919cd07f5abd2574d8a47e7e529212546ab7868b53e0b043d711d0f0ece9b423
Message ID: <>
Reply To: N/A
UTC Datetime: 1996-12-21 07:55:10 UTC
Raw Date: Fri, 20 Dec 1996 23:55:10 -0800 (PST)

Raw message

From: Greg Broiles <gbroiles@netbox.com>
Date: Fri, 20 Dec 1996 23:55:10 -0800 (PST)
To: cryptography@c2.net
Subject: Reflections on the Bernstein ruling
Message-ID: <>
MIME-Version: 1.0
Content-Type: text/plain

(Please keep in mind that I'm not a lawyer yet, and that my comments are
intended only as the reflections of an amateur and are intended as
discussion fodder, not legal advice.)

Folks seem to be very excited about Judge Patel's ruling in the Bernstein
case - and with good reason. It was, for example, a first-page
above-the-fold item in both of the Bay Area's legal newspapers today.
Unfortunately, most of the media reports have done a poor job of
interpreting the ruling, and it's easy to draw bad conclusions from erratic
news reports about the case. The decision is available online
thanks to the folks at EFF. I thought list members might appreciate a
summary of the decision and its potential effects.

1. What the ruling said

In brief, Judge Patel ruled that Category XIII(b) (the category which
refers to cryptographic equipment/software) is unconstitutional because it
functions as a prior restraint upon speech without providing important
procedural safeguards which are required when a prior restraint scheme is
put into place. She ruled that the "technical data" provision of the ITAR
is also unconstitutional when it refers to technical data about Category
XIII(b) items because of the lack of procedural safeguards.

Mopping up other points raised by the suit, Judge Patel ruled that the term
"defense article" as defined in 22 CFR 120.6 should be read to elide the
phrase "or technical data"; and that when interpreted that way, the terms
"defense article", "defense service", and "technical data" are not
unconstitutionally vague. She also ruled that the term "export" is not
unconstitutionally vague, and writes (in 'dicta', which is legalese for
"offhand comment", e.g., without precedential value but interesting as a
hint re what's going on in the judge's mind) that placing software on an
"Internet site" which can be accessed from a foreign country is an export
for ITAR purposes.

She also ruled that the "fundamental research in science and engineering"
(120.11(8)) and "general scientific, mathematical, or engineering
principles" (120.10(5)) exceptions to the definition of "technical data"
are void because they are too vague. As far as I can tell, they are thus no
longer available to potential ITAR defendants.

2. What the ruling didn't say

Judge Patel declined to address the merits of two of Bernstein's arguments:
that cryptographic software is independently worthy of First Amendment
protection as a tool which enables confidential speech and privacy, and
that the ITAR scheme violates the Administrative Procedure Act.

She also refused to grant Bernstein a preliminary injunction which would
have prohibited the US Government from prosecuting him for teaching his
class this spring, because her ruling means that his proposed activities
are not (for now) illegal.

The opinion also narrowly fails to say whether or not Category XIII(b) is
content-based or content-neutral; but reaches its conclusion by pointing
out that such a determination isn't necessary, because even if XIII(b) is
content-neutral, it is still unconstitutional. (* My reading of the opinion
diverges from the EFF's, as reported in their 12/17 press release, on this
point. I think my interpretation is correct. YMMV.)

3. What the ruling means

Some messages that I've seen have suggested that her ruling means that the
ITAR does not apply to crypto of any kind; or that crypto can now be
exported in, variously, the Ninth Circuit, or Northern California, or
Berkeley. Strictly speaking, Judge Patel's ruling is not binding precedent
in any court. The doctrine of "stare decisis", which says that courts
should not disturb existing precedent, suggests that other district courts
in the Northern District of California will follow Judge Patel's ruling, at
least until the Ninth Circuit addresses the issue (in this case or a
different one). But "stare decisis" is a policy statement, not law; and, as
the decision in _Karn v. Dept of State_ makes clear (by ruling that the
First Amendment does not prevent applying Category XIII(b) to source code),
district courts around the country are free to disagree with each other and
issue contradictory or incompatible opinions. (I'm interested in any
analysis which would suggest that her ruling is binding on the ND CA courts
for reasons other than stare decisis; I'm not aware of other grounds, but I
don't know everything, either. Comments?)

Further, Judge Patel's ruling yesterday is dependent upon her earlier
ruling which held that source code is speech for First Amendment purposes.
That ruling has not yet been reviewed at the appellate level, and is not
uncontroversial nor universally accepted. If another court disagrees with
that ruling, Judge Patel's otherwise convincing reasoning in this case
(which says that the lack of procedural safeguards for this prior-restraint
scheme is unconstitutional) is irrelevant - because without speech, the
First Amendment (and its hostility to prior restraint) isn't applicable.
It's also significant because her earlier ruling said that source code is
speech - and her reasoning for reaching that result does not apply to
object code or executables. 

It's also unclear that Judge Patel's ruling is enough to make export of
crypto source legal by people/organizations located even in the Northern
District of CA. Venue is proper, in an ITAR case, in any jurisdiction which
the defense articles have moved through. (18 USC 3237(a); _US v. Durrani_
659 F.Supp 1177, 1182 (D. Conn, 1987); an easy analogy is to the _US v.
Thomas_ "Amateur Action" case, where Tennessee venue was proper for
prosecution of California defendants who sent porn into Tennessee.) So it's
at least arguable that the feds could simply bring an ITAR prosecution in
another district, if exported crypto flowed through that district. (But I
don't think they can do so against Dan Bernstein because of "res judicata",
a doctrine which says that once two parties have fully litigated an issue,
they cannot come back to the same court - or a different one - and ask to
relitigate the same issue.) 

So while the ruling has considerable historical, cultural, and symbolic
significance, it's dangerous to assume that it means that export
restrictions on crypto are dead.

Greg Broiles                | US crypto export control policy in a nutshell:
gbroiles@netbox.com         | 
http://www.io.com/~gbroiles | Export jobs, not crypto.