UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF OHIO EASTERN DIVISION CASE NO. PETER D. JUNGER, Plaintiff v. JUDGE WARREN CHRISTOPHER, DEPARTMENT OF STATE; WILLIAM J. LOWELL, OFFICE OF DEFENSE TRADE CONTROLS; LT. GENERAL KENNETH A. MINIHAN, NATIONAL SECURITY AGENCY, Defendants. COMPLAINT FOR DECLARATORY AND INJUNCTIVE RELIEF 1. This is an action for declaratory and injunctive relief brought by a law professor to protect his rights and the rights of others to teach, publish and otherwise disclose unclassified cryptographic information to foreign students and other foreign persons without first obtaining a license or approval from the government. The plaintiff challenges the constitutionality of specific provisions of the International Traffic in Arms Regulations ("ITAR," "the regulations"), 22 C.F.R. 120 et seq., that require a license or approval from the government before "exporting" cryptography and seeks to enjoin the defendants from using, or threatening to use, such provisions to restrict him and others from disclosing cryptographic information. JURISDICTION, VENUE AND PARTIES 2. This action arises under the First and Fifth Amendments to the United States Constitution and the constitutional doctrine of separation of powers. Declaratory relief is sought under 28 U.S.C. 2201-02. The jurisdiction of this Court is invoked pursuant to 28 U.S.C. 1331. 3. The plaintiff resides in the Northern District of Ohio. Since this is a suit against officials and/or agencies of the federal government, venue is proper under 28 U.S.C. 1391(e). 4. The plaintiff, Peter D. Junger, is a citizen of the United States and a professor of law at the Case Western Reserve University School of Law in Cleveland, Ohio. 5. The individual defendants are members of the executive branch of the government of the United States. The individual defendants are sued as officers or employees of the United States acting under color of law in their official capacities. 6. Warren Christopher is the United States Secretary of State. 7. William J. Lowell is the Director of the Department of State's Bureau of Politico-Military Affairs, Office of Defense Trade Controls ("ODTC"). 8. Lt. General Kenneth A. Minihan is the Director of the National Security Agency ("NSA"). 9. The defendants and their respective agencies (also referred to as "the government") are responsible for the interpretation and administration of the ITAR provisions at issue in this complaint. BACKGROUND 10. The plaintiff teaches a course entitled "Computers and the Law" at the Case Western Reserve University Law School ("CWRU Law School"). The plaintiff has offered this course in the fall semester of each year since 1993 and is scheduled to offer it again this fall. 11. In May 1993, the plaintiff wrote a short encryption program that he intended to use in his class the following fall. 12. On numerous occasions beginning on or about May 7, 1993, the plaintiff contacted the Department of Commerce, Department of State, the ODTC and the NSA to determine whether his program was subject to export regulations. To the best of plaintiff's knowledge and information, any answer that the plaintiff received, or may have received, from the persons he contacted is not binding on their respective agencies and thus cannot be relied on by the plaintiff or anyone else. 13. The plaintiff has prepared, and continues to prepare, materials for his computer law course. These materials include (i) a casebook, which the plaintiff is currently revising for use in class this coming fall, (ii) handouts supplementing and extending the information contained in the casebook and (iii) duplicates of some of those materials and additional materials that will be available on the plaintiff's World Wide Web ("WWW," "Web") server at http://samsara. law.cwru.edu or other WWW servers linked to the plaintiff's server. 14. These materials referred to in the above paragraph currently include, or will include, the source code, algorithm and representations of machine code for the encryption program initially created by the plaintiff in May 1993 along with the source codes, application programs and algorithms for other cryptographic systems, including the Diffie-Hellman key distribution protocol, the Hellman-Merkle public-key "knapsack" system (U.S. Patent Number 4,218,582) and the RSA and RC4 algorithms. The materials will also contain information on how to obtain and how to use programs implementing the DES, triple-DES, or RSA algorithms, such as the encryption program "Pretty Good Privacy" ("PGP"). The cryptographic information included in the plaintiff's materials, other than his program, was taken from public sources, including materials published in books, journals and on internet. 15. For fear of violating ITAR, the plaintiff has refrained from disclosing his program and other cryptographic information to foreign persons other than some Canadian students that he allowed to enroll in his computer and law class in 1994 under the belief that disclosure to Canadians was exempt from ITAR. For the same reason, the plaintiff has not disclosed his program and other cryptographic information at faculty discussions in the presence of foreign colleagues and, other than the Canadian students in 1994, he has not allowed foreign students to enroll in his computer and law class. The plaintiff has required, and continues to require, that students taking the class certify that they are citizens of the United States or admitted to permanent residence in the United States. 16. In class, the plaintiff has disclosed, and will continue to disclose, cryptographic information, including source codes, representations of machine code, and information on how to use and where to obtain functioning encryption programs to his students. For class this coming fall, the plaintiff will require students to participate in exercises that require them to obtain and have some hands on experience with cryptographic software. 17. In discussions on the internet, the plaintiff has been forced to be very careful not to disclose cryptographic information to foreign persons for fear of violating ITAR. Thus, for example, on or about August 22, 1994, after Paul Leyland of Oxford University Computing Services in Oxford, England, posted a short encryption program written in the "C" programming language and which performs the same encryption function as the plaintiff's program, to the sci.crypt.research newsgroup, the plaintiff could not respond, as he wished, by posting his program to the newsgroup. Moreover, when the plaintiff sent Mr. Leyland an email message requesting permission to include Mr. Leyland's program in his course materials, the plaintiff could not disclose his program or Mr. Leyland's program to Mr. Leyland without violating ITAR. 18. The plaintiff wants to publish his course materials as a text book and has begun writing a law review article on ITAR and cryptography that will include his program and other cryptographic information. For fear of violating ITAR, the plaintiff hesitates to publish his course materials and any law review article that contains cryptographic information. 19 For fear of violating ITAR, the plaintiff has refrained from making his course materials available to others with whom he would like to share information. Thus, on or about May 29, 1996, Peter M. Gerhart, who was then the Dean of CWRU Law School, requested a copy of the plaintiff's course materials for a colleague in the People's Republic of China. The plaintiff was forced to deny this request since the materials contained information that could not be sent to China without a license or other permission from the ODTC. 20. None of the cryptographic information that the plaintiff seeks to teach, publish or otherwise disclose is classified information, and all of it, other than the plaintiff's program, is available in books, libraries and on the internet. 21. The plaintiff has been informed and believes that the defendants have taken the position that software that contains no cryptographic routines whatsoever, but which could be modified to include cryptographic routines, (also referred to as "crypto with a hole") is subject to regulation under ITAR. 22. The plaintiff is required to register for a fee with the ODTC and obtain a license or approval before he can lawfully "export" his program or other cryptographic information that is not specifically exempted under ITAR. 23. The definition of "export" in 22 C.F.R. 120.17 includes "sending or taking a defense article out of the United States in any manner," 22 C.F.R. 120.17(a)(1), "[d]isclosing (including oral or visual disclosure) or transferring technical data to a foreign person, whether in the United States or abroad, 22 C.F.R. 120.17(a)(4), and "performing a defense service on behalf of, or for the benefit of, a foreign person," 22 C.F.R. 120.17(a)(5). 24. Cryptographic software is classified as a "munition" under Category XIII of the United States Munitions List ("USML"), 22 C.F.R. 121.1, and, thus, a "defense article" under 22 C.F.R. 120.6. 25. At least some, if not all, of what is included under the definition of "cryptographic software" is included under the definition of "technical data" in 22 C.F.R. 120.10, which is also listed on the USML under Category XIII and, thus, is a defense article. The furnishing of cryptographic software and cryptographic technical data to foreign persons may also constitute a "defense service," as defined in 22 C.F.R. 120.9. 26. Under 22 C.F.R. Part 122, a person who intends to export a defense article or provide a defense service "on behalf of, or for the benefit of, a foreign person" must register with the ODTC for a fee of at least $250.00 even if that person is not in the business of manufacturing or exporting defense articles or defense services. 27. Under 22 C.F.R. Parts 123-25, a person must obtain a license or written approval from the ODTC before exporting a defense article, defense service or technical data unless some specific exemption applies. 28. Thus, absent some exemption, a person must register with the ODTC and obtain a license or written approval from the ODTC before exporting cryptographic software and/or technical data. 29. The public domain exemption in 22 C.F.R. 120.11 and the exemption for general scientific, mathematical or engineering principles in 22 C.F.R. 120.10(a)(5) do not exempt all of the cryptographic information that the plaintiff seeks to disclose. 30. 22 C.F.R. 127.1 makes it is unlawful to export or attempt to export from the United States any defense article or technical data or to furnish any defense service for which a license or written approval is required ... without first obtaining the required license or written approval from the Office of Defense Trade Controls. 31. Under the provisions of ITAR referred to in the paragraphs above, the defendants can require a license or government approval prior to the dissemination of privately developed, unclassified cryptographic software and/or technical data to any foreign person within the United States and to anyone, without limitation, outside the United States. CLAIMS FOR RELIEF Count One: Prior restraint 32. The plaintiff realleges and incorporates herein paragraphs 1 to 31 as if fully rewritten. 33. The plaintiff has been, and is, compelled to exclude students who are "foreign persons" from his computer law course because it would be a violation of the ITAR for him to disclose cryptographic software and/or cryptographic technical data that is not specifically exempted under ITAR to foreign students without first applying for and obtaining a license or approval from the ODTC. 34. The plaintiff is prohibited from disclosing cryptographic software and/or cryptographic technical data that is not specifically exempted under ITAR to foreign students, lawyers, professional colleagues and all other foreign persons without first applying for and obtaining a license or approval from the ODTC. 35. The plaintiff is prohibited from publishing his course materials and law review articles that contain cryptographic software and/or cryptographic technical data that is not specifically exempted under ITAR if the course materials and law review articles are available to foreign persons within the United States or available outside the United States without first applying for and obtaining a license or approval from the ODTC. 36. The plaintiff is prohibited from publishing cryptographic software and/or cryptographic technical data that is not specifically exempted under ITAR on the internet without first applying for and obtaining a license or approval from the ODTC. 37. The plaintiff must register for a fee with the ODTC before disclosing cryptographic software and/or technical data that is not specifically exempted under ITAR to foreign students and foreign colleagues or publishing cryptographic software and/or technical data on the internet. 38. ITAR's restrictions on the export of "cryptographic software" and "technical data" without a license or the government's approval have chilled the plaintiff's speech and have caused him to restrict his research and censor his publications and communications with foreign persons. 39. There is no provision of ITAR that allows for judicial review of ODTC decisions. 40. The provisions of ITAR referred to in the paragraphs above constitute a prepublication registration and licensing scheme, and thus a prior restraint on free expression, in violation of the First Amendment to the United States Constitution. Count Two: Overbreadth and Vagueness 41. The plaintiff realleges and incorporates herein paragraphs 1 to 40 as if fully rewritten 42. The provisions of ITAR referred to in the paragraphs above, as written and as interpreted by the defendants, control a substantial amount of speech. The provisions in question govern all disclosures of cryptographic software and all disclosures of cryptographic technical data that are not specifically exempted, including disclosures of unclassified information. 43. The provisions of ITAR referred to in the paragraphs above, as written and as interpreted by the defendants, have been drafted and applied in such a confusing way that the plaintiff cannot be sure what cryptographic information is exempt from ITAR and what requires a license or written approval from the ODTC. As a result, the plaintiff's speech has been, and continues to be, chilled. 44. The provisions of ITAR referred to in the paragraphs above, as written and as interpreted by the defendants, have been drafted and applied in such a confusing way that persons other than the plaintiff cannot be sure what cryptographic information is exempt from ITAR and what requires a license or written approval from the ODTC. The plaintiff is informed and believes that, as a result, the speech of others has been, and continues to be, chilled. 45. To the best of plaintiff's knowledge and information, there are no published criteria or standards available to him or the public on which the defendants base their decisions to grant or deny licenses for the export of cryptographic information other than guidelines for the export of mass market encryption software. 46. The provisions of ITAR referred to in the paragraphs above are overbroad and vague, facially and as applied to the plaintiff's conduct, and are thus unconstitutional in violation of the First and Fifth Amendments to the United States Constitution. Count Three: Restrictions on Academic Freedom and Political Speech 47. The plaintiff realleges and incorporates herein paragraphs 1 to 46 as if fully rewritten. 48. The provisions of ITAR referred to in the paragraphs above restrict the plaintiff's rights to teach, research and publish unclassified cryptographic information in whatever manner he chooses and to whom he chooses. 49. The provisions of ITAR referred to in the paragraphs above also restrict and the rights of the plaintiff and others, particularly foreign students and foreign professors within the United States, to receive and discuss unclassified cryptographic information. 50. A knowledge of cryptography is important for understanding and evaluating government efforts to establish key escrow systems, such as the Clipper Chip, that have significant consequences for individual rights. Thus, cryptographic information is a matter of public debate, and in the context of a public debate, restrictions on cryptographic information are restrictions on political speech. 51. The provisions of ITAR referred to in the paragraphs above are not narrowly drawn, and the government does not have a compelling interest to regulate all unclassified cryptographic information. 52. The provisions of ITAR referred to in the paragraphs above are unconstitutional restrictions on academic and political speech in violation of the First Amendment . Count Four: Freedom of Association 53. The plaintiff realleges and incorporates herein paragraphs 1 to 52 as if fully rewritten. 54. The provisions of ITAR referred to in the paragraphs above require that the plaintiff apply for, and obtain, a license or approval from the government before allowing foreign students to enroll in his class, before allowing foreign professors to attend faculty discussions where cryptographic software and other cryptographic information is discussed and before posting cryptographic software and/or other cryptographic information on the internet where it may be available to foreign persons. 55. The provisions of ITAR referred to in the paragraphs above restrict the rights of the plaintiff and U.S. citizens and permanent residents to freely associate with foreign persons to discuss cryptographic information and further restrict the rights of foreign persons within the United States to discuss cryptographic information with U.S. citizens and permanent residents. 56. The plaintiff and anyone else intending to disclose cryptographic information for which a license is required, other than those exporting mass encryption software, must identify each and every recipient of the information, including every foreign persons within the United States who receives the information, in order to obtain a license from the ODTC. 57. By requiring the identification of all recipients of cryptographic information, the defendants are compelling the disclosure of foreign persons who pose no threat to national security and with whom the plaintiff and others communicate. 58. It is practicably impossible for the plaintiff to name each recipient of cryptographic information that receives the information from the plaintiff's web site or FTP server. 59. The provisions of ITAR referred to in the above paragraphs violate the plaintiff's and other's freedom of association rights under the First Amendment. Count Five: Separation of Powers 60. The plaintiff realleges and incorporates herein paragraphs 1 to 59 as if fully rewritten. 61. The provisions of the ITAR referred to in the paragraphs above allow the defendants to control the dissemination of cryptographic information within the United States and on the internet. 62. The authority of the defendants to implement and enforce ITAR is based on 38 of the Arms Export Control Act ("AECA"), 22 U.S.C. 2778. 63. The AECA does not authorize the registration or licensing of disclosures of unclassified cryptographic information within the United States, including disclosures of unclassified cryptographic information on the internet. 64. By requiring registration and a license prior to the disclosure of unclassified cryptographic software or cryptographic technical data within the United States, the defendants are engaged in controlling the exchange of cryptographic information between persons within the United States, including the dissemination of cryptographic information on the internet. The defendants have therefore adopted a de facto policy of restricting the domestic dissemination of unclassified cryptographic information which has the direct effect of restricting the availability of cryptographic software within the United States. 65. Congress, and not the Executive, is constitutionally responsible for formulating and determining domestic policy on cryptography and for placing restrictions on the availability of cryptographic software within the United States. 66. Congress has not delegated its responsibility referred to in the paragraph above to the President or the defendants. 67. By designating unclassified cryptographic software and technical data as defense articles, the defendants are regulating information and expression as defense articles. 68. Section 2778(h) of the AECA precludes judicial review of the designation of items as defense articles. 69. To the extent that the AECA authorizes the defendants to regulate disclosures of unclassified cryptographic software and cryptographic technical data within the United States, 2778(h) of the AECA unconstitutionally deprives the Judiciary of its responsibility to review potential restrictions on information and expression. 70. Thus, the defendants act in violation of the constitutional doctrine of separation of powers by regulating unclassified cryptographic information in violation within the United States. PRAYER FOR RELIEF WHEREFORE, the plaintiff demands that judgment be entered against the defendants. Specifically, the plaintiff demands such declaratory, injunctive and other relief as follows: (1) A declaration that the provisions of the International Traffic in Arms Regulations, 22 C.F.R. 120 et seq., referred to in the paragraphs above that require registration and a license or government approval before the "export" of unclassified "cryptographic software" and "cryptographic technical data," as those terms are defined in ITAR, are unconstitutional in violation of the First and Fifth Amendments and the constitutional doctrine of separation of powers. (2) A declaration that, to the extent that the Arms Export Control Act, 22 U.S.C. 2778, authorizes the regulation of unclassified cryptographic software and cryptographic technical data within the United States, 2778(h) is unconstitutional in violation of the constitutional doctrine of separation of powers. (3) Preliminary and permanent injunctions enjoining the defendants from interpreting, applying, and enforcing the International Traffic in Arms Regulations, 22 C.F.R. 120 et seq., to require that the plaintiff and his students register or obtain a license or approval from the defendants before disclosing to any person or persons by speech, publication or any other means or by any medium, any unclassified information about cryptography, whether or not that information is included within the definition of "software" or "technical data" as those terms are defined in ITAR. (4) A permanent injunction enjoining the defendants from interpreting, applying and enforcing the International Traffic in Arms Regulations, 22 C.F.R. 120 et seq., to require that any person or persons register or obtain a license or approval from the government before disclosing to any other person or persons by speech, publication or any other means or by any medium, any unclassified information about cryptography, whether or not that information is included within the definition of "software" or "technical data" as those terms are defined in ITAR; (5) An award of attorney fees pursuant to the Equal Access to Justice Act, costs and such other relief as the Court deems proper. Respectfully submitted, GINO J. SCARSELLI (0062327) KEVIN FRANCIS O'NEILL (0010481) 664 Allison Dr. Professor of Law Richmond Hts., OH 44143-2904 Cleveland-Marshall College of Law (216) 291-8601 1801 Euclid Ave. Cleveland, OH 44115 RAYMOND VASVARI (0055538) (216) 687-2286 1300 Bank One Center 600 Superior Ave. East Cleveland, OH 44114-2650 (216) 522-1925 Attorneys for the Plaintiff