At 11:57 PM 12/20/96 -0800, Greg Broiles wrote:

(Please keep in mind that I'm not a lawyer yet, and that my comments are intended only as the reflections of an amateur and are intended as discussion fodder, not legal advice.)

Folks seem to be very excited about Judge Patel's ruling in the Bernstein case - and with good reason. It was, for example, a first-page above-the-fold item in both of the Bay Area's legal newspapers today. Unfortunately, most of the media reports have done a poor job of interpreting the ruling, and it's easy to draw bad conclusions from erratic news reports about the case. The decision is available online <http://www.eff.org/pub/Legal/Cases/Bernstein_v_DoS/Legal/961206.decision> thanks to the folks at EFF. I thought list members might appreciate a summary of the decision and its potential effects.

Please comment on my (layman's) proposal that no "mens rea" ("guilty mind") can be attributed to a person who is relying on a not-yet-overturned judicial decision. In other words, if a person has a genuine belief that what he's doing has been upheld by the Patel ruling, he cannot be claimed to have had "mens rea." (I am presuming, here, that before he does anything, he "clears it" with a lawyer who assures him that what he's planning is at least covered in the Patel decision as being okay. I understand, of course, that "mens rea" may be irrelevant in CIVIL REGULATORY issues, but not in CRIMINAL ones.)

1. What the ruling said In brief, Judge Patel ruled that Category XIII(b) (the category which refers to cryptographic equipment/software) is unconstitutional because it functions as a prior restraint upon speech without providing important procedural safeguards which are required when a prior restraint scheme is put into place. She ruled that the "technical data" provision of the ITAR is also unconstitutional when it refers to technical data about Category XIII(b) items because of the lack of procedural safeguards.

Mopping up other points raised by the suit, Judge Patel ruled that the term "defense article" as defined in 22 CFR 120.6 should be read to elide the phrase "or technical data"; and that when interpreted that way, the terms "defense article", "defense service", and "technical data" are not unconstitutionally vague. She also ruled that the term "export" is not unconstitutionally vague, and writes (in 'dicta', which is legalese for "offhand comment", e.g., without precedential value but interesting as a hint re what's going on in the judge's mind) that placing software on an "Internet site" which can be accessed from a foreign country is an export for ITAR purposes.

What about leaving a floppy on a sidewalk in Des Moines, Iowa, which might be picked up by a wandering foreign tourist who happened nearby? Sheesh, these judges are real idiots, even when they accidently are coming to (mostly) the right conclusion. However, if being "on the Internet" is automatically presumed to be an export, why can't we program using remote-control editors which might, someday, be available on the Internet? (maybe they already are; somewhat analogous to the old timesharing computers of yore. If the underlying files were kept overseas, modified by specific editing commands sent to a remote system, presumably Patel's dicta would suggest that those files were never "exported" per se. They were formed and kept overseas, INTENTIONALLY, to avoid the later necessity of exporting them had they been kept in the US.) This would be an modifed and automated version of the way versions of PGP later than 1.0 were supposed to have been developed: Actual coding was done overseas, based on suggestions and comments from other countries. (including, presumably, the US.) Yes, realize that pessimism overtakes me here. "The system" never wants to admit a contradiction. I would argue, however, that whereever the system wishes to draw the line and call everything outside the line "an export," that decision should be considered binding on the government even when such a conclusion leads to unexpected and undesireable consequences. (for the government, at least...)

She also ruled that the "fundamental research in science and engineering" (120.11(8)) and "general scientific, mathematical, or engineering principles" (120.10(5)) exceptions to the definition of "technical data" are void because they are too vague. As far as I can tell, they are thus no longer available to potential ITAR defendants.

Wouldn't it be more accurate to say that they are no longer considered precisely defined exceptions, NOT that the exceptions no longer exist? It seems to me that if the "burden of non-ambiguity" falls on those writing the regulations, failure to eliminate ambiguity would have to be resolved in favor of tolerating actions that fall into the grey area. For example, if a law was passed that said, "pornographic writing is illegal," and the SC later determined that "pornographic" was ambiguously defined, what they WOULDN'T do is to make ALL writing illegal! (which would, obviously, be an over-broad restriction, in an of itself.) Otherwise, what would on the surface appear to be a overturning of a law would actually be a _broadening_ of it.

It's also unclear that Judge Patel's ruling is enough to make export of crypto source legal by people/organizations located even in the Northern District of CA. Venue is proper, in an ITAR case, in any jurisdiction which the defense articles have moved through. (18 USC 3237(a); _US v. Durrani_ 659 F.Supp 1177, 1182 (D. Conn, 1987); an easy analogy is to the _US v. Thomas_ "Amateur Action" case, where Tennessee venue was proper for prosecution of California defendants who sent porn into Tennessee.) So it's at least arguable that the feds could simply bring an ITAR prosecution in another district, if exported crypto flowed through that district.

But again, deal with the mens rea issue. If Patel said, "It's okay to export this software because the regulation is invalid," and you do so relying on this ruling, wouldn't any subsequent (criminal) prosecution both have to prove you did it, and ALSO prove that you were being unreasonable in relying on the ruling? (Are rulings of illegality somehow more "reasonable" than rulings of legality?) I'm not suggesting that her decision can't be overturned in the future; I'm suggesting that until it is overturned, each member the public is entitled to act in reliance on it, perhaps at least the ones in her jurisdiction.

So while the ruling has considerable historical, cultural, and symbolic significance, it's dangerous to assume that it means that export restrictions on crypto are dead.

However, wouldn't it be a good idea to take advantage of what is at least a temporary decision? If I were a large corporation, having just developed an excellent design for a crypto telephone, I might want to export it NOW, which is in effect taking advantage of a temporary loosening of restrictions. Jim Bell jimbell@pacifier.com