Copyright 1999. All rights reserved.
IN THE UNITED STATES COURT OF APPEALS
DANIEL J. BERNSTEIN,
U.S. DEPARTMENT OF COMMERCE, &tA,
ON APPEAL FROM THE UNITED STATES DISTRICT COURT
PETITION FOR PANEL REHEARING
[begin page i]
TABLE OF CONTENTS
[begin page ii]
Regulations and Other Materials
[begin page 1]
The President of the United States has determined that the uncontrolled export of encryption products would compromise this country's foreign intelligence gathering capabilities and jeopardize important national security and foreign policy interests. The President therefore has directed the Department of Commerce to regulate the export of encryption products under the Export Administration Regulations (EAR).
In this case, a divided panel of this Court has now reached the extraordinary conclusion that the encryption export provisions of the EAR are invalid on their face and in their entirety, thereby opening the door to the unrestricted export of encryption products. In so doing, the panel majority has overridden an important Presidential decision regarding national security and foreign policy. If left in place, the panel's decision will gravely compromise the ability of the United States to control the export of encryption products to potentially hostile foreign parties.
The panel decision presents two questions of exceptional legal and practical importance. The first is whether the export controls on encryption software in the form of electronic "source code" are a facially unconstitutional prior restraint on speech. The second is, if so, whether the export controls on encryption products other than source code must be invalidated as well. The significance of these issues led Judge Bright, the visiting judge who cast the deciding vote, to conclude that "[t]he importance of this case suggests that it may be appropriate for review by the United States Supreme Court." Before that step is taken, the importance of these issues -- and the panel's errors in deciding them -- call for further review by this Court.
[begin page 2]
STATEMENT OF THE CASE
1. a. The national security of the United States depends in part on the ability of the government to obtain timely information about the activities and plans of potentially hostile foreign governments, organizations, and individuals abroad. The government's foreign intelligence-gathering activities include signals intelligence (SIGINT), the collection and analysis of information from foreign electromagnetic signals. The SIGINT capabilities of the United States can be significantly compromised by the use of encryption -- the process of electronically "scrambling" a message to maintain the secrecy of its contents. Encryption can be performed both by dedicated hardware (such as the encryption circuitry found in wireless phones) and by software. Equipped with encryption software, a common desktop computer can be used by foreign intelligence targets to scramble data and communications.
Because encryption can be used to deny the United States access to vital foreign intelligence information, encryption products are subject to federal export controls. In 1996, the President assigned regulatory authority over the export of most encryption products to the Department of Commerce. In doing so, the President determined that "'[e]ncryption products, when used outside the United States, can jeopardize our foreign policy and national security interests" and can "threaten the safety of U.S. citizens here and abroad * * * ." 32 Weekly Comp. Pres. Doc. 2397 (Nov. 15, 1996). The President directed the Department of Commerce to control the export of encryption products "to ensure that export * * * would be consistent with U.S. foreign policy and national security interests." Id. at 2398.
[begin page 3]
The Department of Commerce is responsible for administering the Export Administration Regulations (EAR), 15 C.F.R. Parts 730-774. At the heart of the EAR is the Commerce Control List (CCL), which lists items that are subject to export controls under the EAR, Id. Part 774 Supp. No. 1. Generally speaking, items on the CCL may not be exported without a license from the Department's Bureau of Export Administration (BXA). Id. § 736.2(b)(1). Acting at the President's direction, the Department amended the EAR to add encryption items to the CCL. See 15 C.F.R. Part 774 Supp. No. 1, ECCN 5A002 (encryption hardware); id. ECCN 5D002 (encryption software).
The EAR's encryption export provisions draw a basic distinction between hardware and software that can be used to perform encryption, on the one hand, and information about cryptography, on the other hand. Generally speaking, the EAR requires a license for the export of encryption hardware and encryption software. See id. § 742.15. In contrast, cryptographic information (referred to under the EAR as encryption "technology") may be freely exported without a license, as long as it is "publicly available." See 15 C.F.R. § 734.3(b)(3). "Publicly available" cryptographic information includes information that has been or will be published; information that is disseminated through academic instruction; and information produced by fundamental research. Id. §§ 734.7-734.9. The EAR thus does not require scholars or other persons to apply for a license in order to engage in the public exchange of [begin page 4] information and ideas about cryptography, either here or abroad.1
b. Software programs consist of a set of instructions to a computer that causes the computer to perform a specified task -- in the case of encryption software, the task of encrypting data. The EAR defines "encryption software" as "source code, object code, applications software, or system software" that "provide[s] [the] capability of encryption functions or confidentiality of information * * * ." 15 C.F.R. Part 772. Software in the form of "object code" represents computer instructions as a sequence of binary digits (0s and 1s) that can be executed directly by the computer. Software in the form of "source code" represents the same computer instructions in "specialized alphanumeric [programming] languages." Sega Enterprises, Ltd. v. Accolade, Inc., 977 F.2d 1510, 1514 n.2 (9th Cir. 1993).
Encryption source code can be written and understood by computer scientists and mathematicians who are trained in the particular programming language. However, encryption source code can also be used by other persons for the practical purpose of making a computer perform encryption. It is undisputed that a computer user can convert encryption source code into encryption object code "with the press of a button on a computer" (ER 301 (joint stipulation)), thereby enabling the computer to encrypt data. It is for this reason that the President has directed the [begin page 5] Department of Commerce to include encryption source code among the encryption products whose export is controlled under the EAR. 61 Fed. Reg. 58,768 (Nov. 16, 1996); 32 Weekly Comp. Pres. Doc. at 2398. The EAR does not require a license for the export of printed materials, such as books and journals on the subject of cryptography, that include encryption source code in printed (as opposed to electronic) form. See 15 C.F.R. § 734.3(b)(3) Note.
2. a. The plaintiff in this case, Daniel Bernstein, is a computer science professor who wishes to distribute encryption software in source code form to foreign as well as domestic recipients. Bernstein brought suit against the federal government in 1995, arguing that controls on the export of encryption source code violate the First Amendment. Bernstein asserted that programmers and other persons exchange encryption source code as a means of expressing ideas about cryptography, and hence that encryption source code is "speech" for purposes of the First Amendment. Proceeding from that premise, Bernstein argued, inter alia, that the export controls on encryption source code represent an unconstitutional prior restraint on speech.
Bernstein has never applied for an export license, and he therefore did not (and could not) argue that the government has sought to prevent him from speaking about cryptography by denying him an export license. Instead, Bernstein argued that the export controls are subject to facial invalidation under the prior restraint doctrine, regardless of how the licensing requirements have been or may be applied to him.
The District Court for the Northern District of California entered summary judgment in favor of Bernstein, holding that the EAR's controls on the export of [begin page 6] encryption source code are facially unconstitutional under the prior restraint doctrine. 974 F. Supp. 1288 (1997). Although the district court's prior restraint reasoning applied only to encryption source code, the district court issued a declaratory judgment that applied not just to source code, but to all "encryption and decryption software and related devices and technology" subject to the EAR. Id. at 1310. In addition, the district court issued an injunction prohibiting the Department of Commerce from enforcing the export controls in specified respects. Id. at 1310-1311.
On appeal, the government argued, inter alia, that the export controls on encryption source code are not facially invalid under the prior restraint doctrine. The government further argued that even if the controls on source code exports were assumed to violate the First Amendment, there is no corresponding infirmity in the export controls on other encryption items, and hence the district court's declaratory judgment and injunction must be narrowed in any event.
b. On May 6, 1999, a divided panel of this Court issued a decision affirming the district court. Judge Fletcher wrote the panel opinion, Senior Judge Bright of the Eighth Circuit wrote a brief concurrence, and Judge T.G. Nelson dissented.
Writing for the majority, Judge Fletcher ruled that the export controls on encryption source code are an unconstitutional prior restraint on speech. Op. 4228-41. Judge Fletcher concluded that Bernstein is entitled to bring a facial challenge to the export controls, without showing (or being able to show) that he has sought an export license or been denied a license on impermissible grounds. Id. at 4229-38. Judge Fletcher then held that the export controls lack procedural provisions [begin page 7] that she deemed necessary to satisfy a facial prior restraint challenge. Id. at 4239-41.
By its terms, Judge Fletcher's First Amendment reasoning applies only to the export controls on encryption source code. Nevertheless, Judge Fletcher decided that encryption source code cannot be severed from the other encryption items covered by the EAR, and hence concluded that the district court's declaratory judgment properly extended to all encryption items. Id. at 4243-45. Judge Fletcher stated that removing source code from the encryption export provisions would require the court to "engage in line by line revisions of the challenged regulations," a step that would "improperly invade the province reserved to the Executive." Id. at 4245.
Judge Nelson, in dissent, concluded that Bernstein is not entitled to bring a facial challenge to the export controls under the prior restraint doctrine. Id. at 4246-51. He noted that under governing precedents of the Supreme Court and this Court, a facial challenge is inappropriate "unless, at a minimum, the challenged statute is directed narrowly and specifically at expression or conduct commonly associated with expression." Id. at 4249 (quoting City of Lakewood v. Plain Dealer Pub Publishing Co., 486 U.S. 750, 760 (1988), and Roulette v. City of Seattle, 97 F.3d 300, 305 (9th Cir. 1996)). Here, he explained, the fact "[t]hat encryption source code may on occasion be used expressively does not mean that its export is 'conduct commonly associated with expression' or that the EAR regulations are directed at expressive conduct." Id. at 4249 (emphasis in original). He pointed out that the EAR's encryption export provisions are not limited to encryption source code, but rather encompass all encryption products, "whether software or hardware." Id. at 4250. He further [begin page 8] noted that the EAR "is not specifically directed toward stifling the expressive nature or source code or Bernstein's academic discussions about cryptography," as evidenced by the fact that no license is required to export printed materials containing encryption source code. Ibid.
Judge Bright, who cast the deciding vote, concurred separately. Id. at 4246. While agreeing with Judge Fletcher that encryption source code can be used for "communication between computer programmers," he also acknowledged "the validity of Judge Nelson's view that encryption source code also has the functional purpose of controlling computers and in that regard does not command protection under the First Amendment." He concluded that "[t]he importance of this case suggests that it may be appropriate for review by the United States Supreme Court."
THE DIVIDED PANEL'S INVALIDATION OF FEDERAL EXPORT CONTROLS ON ENCRYPTION PRODUCTS SHOULD BE REHEARD
The divided panel decision in this case presents compelling grounds for further review by this Court. The panel has declared that the federal government's controls on the export of encryption products, adopted at the direction of the President to protect the national security and foreign policy of the United States, are invalid on their face and in their entirety. As discussed below, the panel majority's decision rests on fundamental errors regarding First Amendment and severability law. As a result of those errors, the panel has placed the entire encryption export regime in jeopardy. The potential consequences of repudiating the President's decisions regarding [begin page 9] encryption export controls are grave and far-reaching. Before the views of the panel majority become the law of this Circuit, and unrestricted export of encryption products receives this Court's imprimatur, further review is imperative.
I. The EAR's Export Controls on Encryption Source Code Are Not a Facially Unconstitutional Prior Restraint
As explained above, the EAR requires a license for the export of items that can be used to encrypt data. The panel majority held that because the EAR's encryption export controls include encryption source code, and because it is possible to export source code for the purpose of conveying cryptographic information reflected in the source code itself, the encryption export controls are subject to facial invalidation on prior restraint grounds. As explained by Judge Nelson, that holding is fundamentally inconsistent with governing First Amendment precedents.
The Supreme Court's decision in Lakewood establishes the standards for "distinguish[ing] laws that are vulnerable to facial challenge [on prior restraint grounds] from those that are not." 486 U.S. at 759. In order for a licensing law to be subject to facial invalidation, it "must have a close enough nexus to expression, or to conduct commonly associated with expression, to pose a real and substantial threat" of censorship. Ibid. A facial challenge to a licensing statute will be entertained only if the licensing scheme "is directed narrowly and specifically at expression or conduct commonly associated with expression." Id. at 760 (emphasis added); Roulette, 97 F.3d at 305. If the law is not directed "narrowly and specifically" at expressive activities, it "provide[s] too blunt a censorship instrument to warrant judicial [begin page 10] intervention prior to an allegation of actual misuse." Lakewood, 486 U.S. at 761.
As shown by Judge Nelson, the EAR's export controls are not subject to a facial invalidation under these standards. To begin with, Bernstein has not shown that the specific activity at issue here -- the export of encryption software in source code form -- is "expression or conduct commonly associated with expression." As explained above, source code is a set of instructions to a computer, and it serves the wholly non-expressive purpose of controlling the computer's operation. That does not mean, of course, that the export of encryption source code may never be undertaken for expressive purposes. But exporting encryption source code nonetheless stands in obvious contrast to activities such as holding parades or distributing handbills, which are almost always undertaken for expressive purposes.
Moreover, even if the export of encryption source code were ordinarily an expressive activity, the EAR's export controls are not "directed narrowly and specifically" at that activity. Rather, the EAR's controls on the export of encryption source code are simply part and parcel of its general controls on the export of encryption products. The encryption export controls apply equally to the export of all encryption items, including hardware and object code as well as source code. 15 C.F.R. § 742.15; see also id. Part 774 Supplement No. 1 (CCL), ECCN 5D002 Note ("encryption software is treated * * * in the same manner as a[n] [encryption] commodity"). Thus, far from targeting expressive activities, the EAR is an example of a "law of general application * * * not aimed at conduct commonly associated with expression." Lakewood, 486 U.S. at 760-61; cf. Jones Intercable of San Diego, Inc. [begin page 11] v. City of Chula Vista, 80 F.3d 320, 325 (9th Cir. 1996) (disallowing facial challenge to law that "applies to conduct as well as speech, and encompasses many potential activities having no expressive function"). In holding that the export controls are subject to facial invalidation, the majority opinion simply disregarded the breadth of the EAR's encryption provisions, erroneously treating the regulations as if the export of source code were the only export activity being regulated.
B. At a more basic level, the prior restraint ruling reflects a misunderstanding of the nature of the EAR's encryption export controls. The majority opinion characterizes the EAR as an "effort to regulate and control the spread of knowledge relating to encryption." Op. 4242. The opinion further states that, "[t]o the extent the government's efforts are aimed at interdicting the flow of scientific ideas * * * , as distinguished from encryption products, these efforts would appear to strike deep into the heartland of the First Amendment." Ibid. (emphasis in original).
The suggestion that the government is trying to "regulate and control the spread of knowledge relating to encryption," and that its "efforts are aimed at interdicting the flow of scientific ideas," is fundamentally inconsistent with the structure of the encryption export controls. While the EAR carefully controls the export of products that can be used to encrypt data, it does not attempt to restrict the public dissemination of information about cryptography. As explained above, no license is required under the EAR to engage in the public exchange of cryptographic information, either here or abroad (see p. 3 supra). It is therefore unsurprising that cryptography is the subject of numerous college courses, academic symposia, [begin page 12] textbooks, and fundamental research published in scholarly journals -- none of which require government approval, permission, or review. See ER 108-297, 305-419. Moreover, when encryption source code is reproduced in a printed medium such as a book of journal, rather than in a computer-ready electronic medium, the source code itself may be exported without a license (see p. 5 supra). These provisions confirm that the export of encryption software is controlled, as explained by the President, solely "because of such software's functional capacity [to encrypt data], rather than because of any possible informational value of such software * * * ." 61 Fed. Reg. 58,768. The fact that the EAR deliberately permits the open exchange of information about cryptography further demonstrates that the export controls on encryption source code are "too blunt a censorship instrument to warrant judicial intervention prior to an allegation of actual misuse" Lakewood, 486 U.S. at 761).
C. Because the encryption export controls are not "directed narrowly and specifically" at expression, they do not require the procedural provisions identified by the majority (Op. 4240-41) in order to survive a facial challenge. One of the majority procedural suggestions warrants further comment: the suggestion that licensing decisions must be subject to judicial review (id. at 4241).
This Court itself has previously recognized that export decisions of this kind are fundamentally unsuited for judicial review. In United States v. Mandel, 914 F.2d 1215 (9th Cir. 1990), the Court held that Executive Branch decisions about what items should be subject to export controls under the EAR present "political questions" that are not subject to judicial review. See 914 F.2d at 1222-23. The Court [begin page 13] explained, inter alia, that the criteria governing the imposition of export controls under the EAR, including the effect of the controls on "the foreign policy or national security interests of the United States," are "quintessentially matters of policy entrusted by the Constitution to the Congress and the President, for which there are no meaningful standards of judicial review." 914 F.2d at 1223; see also United States v. Martinez, 904 F.2d 601, 602-603 (11th Cir. 1990). Judicial review is particularly unworkable with respect to encryption products, because export licensing decisions always involve an appraisal of the potential impact of proposed encryption exports on the government's SIGINT and cryptanalysis capabilities. Not only is this an inherently discretionary national security judgment by the Executive Branch, but it may involve extraordinarily sensitive information that, for obvious reasons, cannot be publicly disclosed or discussed. Judicial review is therefore a fundamentally unworkable solution to the panel majority's concerns.
II. The Export Controls on Encryption Source Code Are Severable From the Export Controls on other Encryption Products
Even if the export controls on encryption source code were facially unconstitutional, which they are not, the panel majority erred by ruling that the export controls on encryption source code are not severable from those applicable to other encryption products. The severability ruling results in a decision that goes far beyond Bernstein's software, to types of encryption products that Bernstein himself has never sought to export and lacks standing to litigate. Although the panel majority's underlying prior restraint ruling is highly damaging by itself, the severability ruling [begin page 14] significantly compounds the harm.
Under basic severability standards, "[u]nless it is evident that the Legislature would not have enacted those provisions which are within its power, independently of that which is not, the invalid part may be dropped if what is left is fully operative as a law." Buckley v. Valeo, 424 U.S. 1, 108 (1976) (per curiam); see, e.g., K Corp. v. Cartier, Inc., 486 U.S. 282, 294 (1988) (severability of federal regulations). Applying these standards, it is manifest that the export controls on other encryption products should be severed, if necessary, from the controls on encryption source code. As Judge Fletcher herself recognized (Op. 4245), it is hardly "evident" that the President and the Department of Commerce "would not have enacted those provisions which are within their power," i.e., export controls on encryption products other than source code. And if the export controls on encryption source code are removed, "what is left is fully operative as a law," albeit a less effective law.
The panel's refusal to sever encryption source code is squarely inconsistent with the Supreme Court's recent severability ruling in Reno v. ACLU, 117 S.Ct.2329 (1998). In Reno, the Court held that 47 U.S.C. § 223(a), which prohibits the knowing electronic transmission of any "communication which is obscene or indecent" to children, was unconstitutional with respect to "indecent" messages but not with respect to "obscene" ones. Rather than invalidating the entire provision, the Court "sever[ed] the term 'or indecent' from the statute, leaving the rest of § 223(a) standing." 117 S. Ct, at 2350. In so doing, the Court engaged in precisely the kind of "line edit[ing]" of "individual sections" (Op. 4245) that the panel majority refused [begin page 15] to undertake here. The Supreme Court found it proper to engage in this kind of revision because "the restriction of 'obscene' material enjoys a textual manifestation separate ftom that for 'indecent' material." Ibid. So too here: encryption source code "enjoys a textual manifestation separate from that" for encryption object code (and other encryption products), because it is separately and distinctly identified in the EAR's underlying definition of "encryption software" (see p. 4 supra). The panel therefore should have severed "source code" from the definition of "encryption software," leaving the remainder of the definition -- and the EAR's export controls on products other than encryption source code -- undisturbed. In these circumstances, it is the panel majority's wholesale condemnation of the encryption export controls, not the readily accomplished severing of encryption source code, that "improperly invade[s] the province reserved to the Executive" (Op. 4245).
For the foregoing reasons, this appeal should be reheard.