IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA
________________________________________________
)
PHILIP R. KARN, Jr. )
)
Plaintiff, )
) Civ. A. No. 95-1812(LBO)
v. )
) (Judge Oberdorfer)
UNITED STATES DEPARTMENT OF STATE; )
and UNITED STATES DEPARTMENT OF )
COMMERCE; and WILLIAM A. REINSCH, )
Undersecretary of Commerce for the Bureau of )
Export Administration in his official capacity. )
)
Defendants. )
)
________________________________________________)
DECLARATION OF JAMES LEWIS
U.S. DEPARTMENT OF COMMERCE
I, James A. Lewis, do hereby state and declare as follows:
1. I am the Director, Office of Strategic Trade and Foreign
Policy Controls, Bureau of Export Administration, United States Department
of Commerce. I have held this position since January 13, 1996. Prior to
that time, I was a Foreign Service Officer at the United States Department
of State. I am responsible for, among other things, managing the
administration of those portions of the Export Administration Regulations (15
C.F.R. Parts 730-774) (the EAR) governing the export of encryption items,
including responding to requests submitted to the Bureau of Export
Administration (BXA) for classifications relating to the licensing
requirements under the EAR for such items.
2. On or about April 20, 1998, the plaintiff in the above
litigation, Mr. Karn, filed a Declaration in which he describes a
comparison he made between the RSAREF 2.0 encryption source code library
included in Integrated TIS/DNSSEC source which he stated he found on the
Internet at http://www.toad.com/~dnssec, with the RSAREF 2.0 encryption
source code library from RSA Data Security Inc.'s FTP site,
ftp://ftp.rsa.com/rsaref/. Pursuant to a classification request submitted
by Lee Tien on behalf of Hugh Daniel on April 27, 1997, BXA had classified
Integrated TIS/DNSSEC under the EAR as EAR99, which means that the item can
be exported to most countries of the world without having to obtain a
validated export license from BXA./1
/1 Normally, information concerning classification requests is not made
publicly available in order to protect the confidentiality of exporters,
pursuant to section 12(c) of the Export Administration Act of 1979, as
amended (50 U.S.C. app Section 2412(c)). In this instance, however, the
exporter has made this information public. Attached hereto is a copy of
the letter submitted to BXA by Mr. Tien, as obtained from
http://www.toad.com.
3. Mr. Karn stated that the contents of both programs were
identical and that the RSAREF 2.0 directory contained within the Integrated
TIS/DNSSEC program included C-language source code files for the US Data
Encryption Standard (DES) and the RSA algorithm, a "public key"
cryptographic function designed for both authentication and
confidentiality. Mr. Karn also stated that the RSAREF 2.0 DES code
supports both "single" and "triple" (3DES) modes. Mr. Karn then compared
the DES/3DES codes in RSAREF with the DES/3DES codes that were included on
the Applied Cryptography source code disk that is at issue in this case and
which BXA had classified as being on the Commerce Control List (CCL) (15
C.F.R. Part 774) and classified as Export Control Classification Number
(ECCN) 5D002. Items that are controlled under ECCN 5D002 on the CCL
require a validated export license before they can be exported to all
countries, except Canada. While Mr. Karn acknowledged that those codes
were not identical, he asserted that the DES/3DES code in RSAREF was
derived from the code in Applied Cryptography, or both were derived from a
common ancestry. Mr. Karn stated that there were no meaningful
distinctions between the two versions of DES that could warrant classifying
the two products differently.
4. A copy of Mr. Karn's declaration was provided to my office
for technical review. In conducting that review, BXA again reviewed the
1997 request for a classification for Integrated DNSSEC submitted by Mr.
Tien. That classification request described the software as authentication
software that would be useful for improving the security of the Internet's
Domain Name System. The request noted that "Integrated DNSSEC is
authentication software used only to authenticate users or messages and the
encryption capability of the software is limited to encryption of data
needed for authentication . . . ." As Mr. Tien stated in his letter
seeking a classification from BXA, "[Integrated DNSSEC] uses [the source
code for the] RSAREF [crypto toolkit] . . . as an authentication tool. It
does not use any of RSAREF's cryptographic functionality other than in
service of authentication." Under the EAR, data authentication equipment
and software that calculates a Message Authentication Code or similar
result to ensure that no alteration of text has taken place, or to
authenticate users, but does not allow for encryption of data, text, or
media other than that needed for authentication does not require an export
license under ECCN 5A002 (the ECCN for encryption hardware) or ECCN 5D002.
See 15 C.F.R. Part 774, ECCNs 5A002 and 5D002. Thus, software that is
limited to performing a data authentication function is expressly excluded
from ECCN 5D002. Accordingly, based on what BXA understood the application
of the product to be, that the RSAREF toolkit was only used in Integrated
DNSSEC to authenticate users or messages, BXA advised Mr. Tien that his
client's product was classified under the EAR as EAR99.
5. As stated above, based on Mr. Karn's declaration, BXA
undertook a review of the classification provided to Mr. Tien in 1997 to
ensure that it was correct. Based on that review, BXA determined that,
while RSAREF is used in Integrated DNSSEC to authenticate users or
messages, the software also included the source code for RSAREF. That
source code can be used to encrypt files for authentication or, with a
minimal amount of programming effort, to encrypt data for confidentiality
purposes. Indeed, RSA Data Security, Inc., the developer of RSAREF,
specifically notes in its webpage that the toolkit is subject to export
restrictions. Based on a review of the software referred to in Mr. Tien's
classification request,/2 BXA has notified Mr. Tien that the classification
for Integrated TIS/DNSSEC source code is revised and that export of the
Integrated DNSSEC program will require an export license from BXA. BXA has
also notified Mr. Tien that the present posting of the Integrated DNSSEC
source code on the Internet without taking the precautions set forth in
Section 734.2(b)(9) of the EAR constitutes an unauthorized export from the
United States. As a result of this revision to the classification provided
to Mr. Tien, Integrated DNSSEC source code is now subject to the same
export control requirements as Mr. Karn's diskette.
/2 BXA obtained a copy of the software from http://www.toad.com.
6. Since January 1, 1997, BXA has processed approximately 1000
classification requests for encryption items; during the same period, we
processed approximately 150 requests for advisory opinions for encryption
items. Occasionally, it is necessary for BXA to reassess a prior
determination and so advise the exporter when information comes to our
attention that the original classification may be in error. In this
instance, the classification request for Integrated DNSSEC stressed at
length that the program was limited to authentication purposes only, which
is exempt from licensing requirements under the EAR. BXA sought to apply
the policy set forth in its regulations to the two separate classifications
at issue, the Karn diskette and the Integrated DNSSEC program, as we
initially understood those programs. As indicated, the Integrated DNSSEC
program was understood to fall within an exemption to export licensing
requirements, and that was how the EAR were initially applied to the
software by BXA. BXA applied the EAR to Karn's request accordingly,
classifying it under ECCN 5D002.
I declare under penalty of perjury that the foregoing is true and
correct.
DATE: June 19, 1998 /s/
James A. Lewis