UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF OHIO EASTERN DIVISION PETER D. JUNGER, ) CASE NO. 96 CV 1723 ) Plaintiff ) ) JUDGE NUGENT v. ) ) WARREN CHRISTOPHER, DEPART- ) MENT OF STATE; WILLIAM J. ) PRELIMINARY INJUNCTION LOWELL, OFFICE OF DEFENSE ) TRADE CONTROLS; LT. GENERAL ) KENNETH A. MINIHAN, NATIONAL ) SECURITY AGENCY, ) ) Defendants. ) Plaintiff Peter D. Junger having moved this Court pursuant to Rule 65 of the Federal Rules of Civil Procedure for a preliminary injunction enjoining the defendants from interpreting, applying, and enforcing the International Traffic in Arms Regulations, 22 C.F.R. §§ 120 et seq., to require that the plaintiff and his students register or obtain a license or approval from the defendants before disclosing to any person or persons by speech, publication or any other means or by any medium, any unclassified information about cryptography, whether or not that information is included within the definition of "software" or "technical data" as those terms are defined in ITAR. FINDINGS OF FACT 1. The plaintiff, Peter D. Junger, is a citizen of the United States and a professor of law at the Case Western Reserve University Law School in Cleveland, Ohio. 2. The individual defendants are members of the executive branch of the government of the United States. The individual defendants are sued as officers or employees of the United States acting in their official capacities under color of law. 3. Warren Christopher is the United States Secretary of State. 4. William J. Lowell is the Director of the Department of State's Bureau of Politico-Military Affairs, Office of Defense Trade Controls ("ODTC"). 5. Lt. General Kenneth A. Minihan is the Director of the National Security Agency ("NSA"). 6. The defendants and their respective agencies (also referred to as "the government") are responsible for the interpretation and administration of the ITAR provisions at issue in this complaint. 7. Cryptography is the art or science of encoding or encrypting information and involves the exposition of scientific and mathematical ideas. Cryptography has significant uses for ensuring the security and confidentiality of information, and thus is a matter of public debate. 8. The plaintiff teaches a course entitled "Computers and the Law" at the Case Western Reserve University Law School ("CWRU Law School"). The plaintiff offered this course in the fall semester of each year since 1993 and is scheduled to offer it again this fall. 9. In May 1993, the plaintiff wrote a short encryption program that he intended to use in his class the following fall. 10. On numerous occasions beginning on or about May 7, 1993, the plaintiff contacted agents of the Department of Commerce, Department of State, including the ODTC, and the NSA to determine whether his program was subject to export requirements, but did not receive a clear and determinative answer. 11. The plaintiff has prepared, and continues to prepare, materials for his computer law course. The materials currently include, or will include, the source code, algorithm and representations of machine code for the encryption program initially created by the plaintiff in May 1993 along with the source codes, application programs and algorithms for other cryptographic systems, including the Diffie-Hellman key distribution protocol, the Hellman-Merkle public-key "knapsack" system (U.S. Patent Number 4,218,582) and the RSA and RC4 algorithms. The materials will also contain information on how to obtain and how to use programs implementing the DES, triple-DES, or RSA algorithms, such as the encryption program "Pretty Good Privacy" ("PGP"). The cryptographic information included in the plaintiff's materials, other than his program, was taken from public sources, including materials published in books, journals and on internet. 12. For fear of violating ITAR, the plaintiff has refrained from disclosing his program and other cryptographic information to foreign persons other than some Canadian students that he allowed to enroll in his computer and law class in 1994 under the belief that disclosure to Canadians was exempt from ITAR. For the same reason, the plaintiff has not disclosed his program and other cryptographic information at faculty discussions in the presence of foreign colleagues and, other than the Canadian students in 1994, he has not allowed foreign students to enroll in his computer and law class. The plaintiff has required, and continues to require, that students taking the class certify that they are citizens of the United States or admitted to permanent residence in the United States. 13. In class, the plaintiff has disclosed, and will continue to disclose, cryptographic information, including source codes, representations of machine code, and information on how to use and where to obtain functioning encryption programs to his students. For class this coming fall, the plaintiff will require students to participate in exercises that require them to obtain and have some hands on experience with cryptographic software. 14. In discussions on the internet, the plaintiff has been forced to be very careful not to disclose cryptographic information to foreign persons for fear of violating ITAR. Thus, for example, on or about August 22, 1994, after Paul Leyland of Oxford University Computing Services in Oxford, England, posted a short encryption program written in the "C" programming language and which performs the same encryption function as the plaintiff's program, to the sci.crypt.research newsgroup, the plaintiff could not respond, as he wished to, by posting his program to the newsgroup. Also, when the plaintiff sent Mr. Leyland an email message requesting permission to include Mr. Leyland's program in his course materials, the plaintiff could not disclose his program or Mr. Leyland's program to Mr. Leyland without violating ITAR. 15. The plaintiff wants to publish his course materials as a text book and has begun writing a law review article on ITAR and cryptography that will include his program and other cryptographic information. For fear of violating ITAR, the plaintiff hesitates to publish his course materials and any law review article that contains cryptographic information. 16. For fear of violating ITAR, the plaintiff has refrained from making his course materials available to others with whom he would like to share information. Thus, on or about May 29, 1996, Peter M. Gerhart, who was then the Dean of CWRU Law School, requested a copy of the plaintiff's course materials for a colleague in the People's Republic of China. The plaintiff was forced to deny this request since the materials contained information that could not be sent to China without a license or other permission from the ODTC. 17. None of the cryptographic information that the plaintiff seeks to teach, publish or otherwise disclose is classified information, and all of it, other than the plaintiff's program, is available in books, libraries and on the internet. 18. Cryptographic software is classified as a "munition" under Category XIII of the United States Munitions List ("USML"), 22 C.F.R. § 121.1, and, thus, a "defense article" under 22 C.F.R. § 120.6. 19. At least some, if not all, of what is included under the definition of "cryptographic software" is included under the definition of "technical data" in 22 C.F.R. § 120.10, which is also listed on the USML under Category XIII and, thus, is a defense article. The furnishing of cryptographic software and cryptographic technical data to foreign persons may constitute a "defense service," as defined in 22 C.F.R. § 120.9. 20. The definition of "export" in 22 C.F.R. § 120.17 includes "sending or taking a defense article out of the United States in any manner," 22 C.F.R. § 120.17(a)(1), "[d]isclosing (including oral or visual disclosure) or transferring technical data to a foreign person, whether in the United States or abroad, 22 C.F.R. § 120.17(a)(4), and "performing a defense service on behalf of, or for the benefit of, a foreign person," 22 C.F.R. § 120.17(a)(5). 21. Under 22 C.F.R. Part 122, a person who intends to export a defense article or provide a defense service "on behalf of, or for the benefit of, a foreign person" must register with the ODTC for a fee of at least $250.00 even if that person is not in the business of manufacturing or exporting defense articles or defense services. 22. Under 22 C.F.R. Parts 123-25, a person must obtain a license or written approval from the ODTC before exporting a defense article, defense service or technical data unless specifically exempted. 23. Absent some exemption, a person must register with the ODTC and obtain a license or written approval from the ODTC before exporting cryptographic software and/or technical data. 24. The public domain exemption in § 120.11 and the exemption for general scientific, mathematical or engineering principles in § 120.10(a)(5) do not exempt all of the cryptographic information that the plaintiff seeks to disclose. 25. 22 C.F.R. § 127.1 makes it is unlawful to export or attempt to export from the United States any defense article or technical data or to furnish any defense service for which a license or written approval is required ... without first obtaining the required license or written approval from the Office of Defense Trade Controls. 26. Under the provisions of ITAR referred to in the above paragraphs, the defendants can require a license or government approval prior to the dissemination of privately developed, unclassified cryptographic software and/or technical data to any foreign person within the United States and anyone, without limitation, outside the United States. 27. The plaintiff has been, and is, compelled to exclude students who are "foreign persons" from his computer law course because it would be a violation of the ITAR for him to disclose cryptographic software and/or cryptographic technical data that is not specifically exempted under ITAR to foreign students without first applying for and obtaining a license or approval from the ODTC. 28. The plaintiff is prohibited from disclosing cryptographic software and/or cryptographic technical data that is not specifically exempted under ITAR to foreign students, lawyers, professional colleagues and all other foreign persons without first applying for and obtaining a license or approval from the ODTC. 29. The plaintiff is prohibited from publishing his course materials and law review articles that contain cryptographic software and/or cryptographic technical data that is not specifically exempted under ITAR if the course materials and law review articles are available to foreign persons within the United States or available outside the United States without first applying for and obtaining a license or approval from the ODTC. 30. The plaintiff is prohibited from publishing cryptographic software and/or cryptographic technical data that is not specifically exempted under ITAR on the internet without first applying for and obtaining a license or approval from the ODTC. 31. The plaintiff must register for a fee with the ODTC before disclosing cryptographic software and/or technical data that is not specifically exempted under ITAR to foreign students and foreign colleagues or publishing cryptographic software and/or technical data on the internet. 32. ITAR's restrictions on the export of "cryptographic software" and "technical data" without a license or the government's approval have chilled the plaintiff's speech and have caused him to restrict his research and censor his publications and communications with foreign persons. CONCLUSIONS OF LAW The Plaintiff has a strong likelihood of prevailing on the merits of his cause and establishing that: 33. The provisions of ITAR regulating the export of cryptographic software and cryptographic technical data constitute a prepublication registration and licensing scheme that does not provide for judicial review and thus constitute an unconstitutional prior restraint in violation of the First Amendment to the United States Constitution. 34. The provisions of ITAR regulating the export of cryptographic software and cryptographic technical data, as written and as interpreted by the defendants, control a substantial amount of speech and have been drafted and applied in such a confusing way that the plaintiff and others cannot be sure which specific disclosures of cryptographic information are exempt from ITAR or require a license or written approval from the ODTC. Thus, they are overbroad and vague, facially and as applied to the plaintiff's conduct, in violation of the First and Fifth Amendments to the United States Constitution. 35. The provisions of ITAR regulating the export of cryptographic software and cryptographic technical data are content-based restrictions on speech. 36. The provisions of ITAR regulating the export of cryptographic software and cryptographic technical data are not narrowly drawn, and the government does not have a compelling interest to regulate all cryptographic information, including privately developed, unclassified information. Therefore, provisions of ITAR regulating the export of cryptographic software and cryptographic technical data violate the First Amendment. 37. The provisions of ITAR regulating the export of cryptographic software and cryptographic technical data restrict the plaintiff's rights to teach, research and publish unclassified cryptographic information in whatever manner he chooses to whom he chooses and, thus, violate the plaintiff's academic freedom rights under the First Amendment. 38. The provisions of ITAR regulating the export of cryptographic software and cryptographic technical data restrict the rights of foreign students and foreign professors within the United States to receive cryptographic information and, thus, violate the rights of foreign students and professors within the United States to receive information under the First Amendment. 39. The provisions of ITAR regulating the export of cryptographic software and cryptographic technical data restrict the rights of the plaintiff and U.S. citizens and permanent residents to freely associate with foreign persons to discuss cryptographic information and further restrict the rights of foreign persons within the United States to discuss cryptographic information with U.S. citizens and permanent residents and, thus, violate the plaintiff's and others' freedom of association rights under the First Amendment. 40. The provisions of ITAR requiring the identification of each foreign recipient of cryptographic software and cryptographic technical data constitute compelled disclosures and, thus, violate the plaintiff's and other's freedom of association rights under the First Amendment. 41. The provisions of the ITAR regulating the export of cryptographic software and cryptographic technical data allow the defendants to control the dissemination of cryptographic information within the United States and on the internet. 42. The authority of the defendants to implement ITAR is based on § 38 of the Arms Export Control Act ("AECA"), 22 U.S.C. § 2778. See 22 C.F.R. § 120.1. 43. The AECA does not authorize the registration or licensing of disclosures of unclassified cryptographic information within the United States, including disclosures of unclassified cryptographic information on the internet. 44. By requiring registration and a license prior to the disclosure of cryptographic software and/or cryptographic technical data within the United States, the defendants are engaged in controlling the exchange of cryptographic information between persons within the United States and restricting the dissemination of cryptographic information on the internet. The defendants have therefore adopted a de facto policy of restricting the domestic dissemination of unclassified cryptographic information without Congressional authorization in violation of the constitutional doctrine of separation of powers. 45. Section 2778(h) of the AECA precludes judicial review of the designation of items as defense articles. 46. In the alternative, if the AECA authorizes the defendants to regulate disclosures of unclassified cryptographic software and cryptographic technical data within the United States, § 2778(h) of the AECA unconstitutionally deprives the Judiciary of its responsibility to review potential restrictions on information and expression in violation of the constitutional doctrine of separation of powers. IRREPARABLE HARM AND OTHER FACTORS 47. The plaintiff has established that there is a strong likelihood that his First Amendment rights are threatened by ITAR's export regulations. In particular, Prof. Junger is continually precluded from teaching foreign students and publishing on cryptography as long as what he intends on teaching and publishing contains cryptographic software and technical data, and thus, he has established irreparable harm. 48. The plaintiff, at this stage of the proceedings, is not seeking to enjoin the defendants from applying and enforcing the regulations against all persons. He is seeking a preliminary injunction only to prevent the defendants from applying and enforcing ITAR against him and his students. There is little, if any, likelihood that disclosures of cryptographic information by Prof. Junger or his students would compromise the national security of the United States. 49. The public interest strongly supports the injunction. As this case concerns the rights of a university professor to teach what he wants to whom he wants, this cases raises rights of academic freedom, which are a special concern for the society as a whole. ORDER IT IS HEREBY ORDERED that the defendants and their agents, employees, attorneys, successors in office, assistants and all persons acting in concert and cooperation with them, shall be preliminarily enjoined from interpreting, applying, and enforcing the International Traffic in Arms Regulations, 22 C.F.R. §§ 120 et seq., to require that the plaintiff and his students register or obtain a license or approval from the defendants before disclosing to any person or persons by speech, publication or any other means or by any medium, any unclassified information about cryptography, whether or not that information is included within the definition of "software" or "technical data" as those terms are defined in ITAR. Dated at Cleveland, Ohio, this ___ day of ___________, 1996. BY THE COURT: UNITED STATES DISTRICT JUDGE