- The United States maintains a comprehensive program of export controls, which regulate the export of United States origin goods, software and technical data.
- This export control program is embodied principally in three separate sets of laws and regulations, as follows:
2.1. The State Department's Office of Defense Trade Controls regulates the export of "defense articles" and "defense services" under authority of the Arms Export Control Act, 22 U.S.C. 2778, and the International Traffic in Arms Regulations, 22 C.F.R. Parts 120-130.
2.1.1. This State Department export control program covers, and is limited to, "defense articles" listed on the United States Munitions List, and related "defense services";
2.1.2. Category XIII(b) of the United States Munitions List covers cryptographic systems and software (including key management systems) with the capability of maintaining secrecy or confidentiality of information or information systems;
Thus, encryption software products used in connection with the Internet, such as Netscape's Navigator, may be subject to the export controls embodied in the International Traffic in Arms Regulations;
2.1.3. An export license or other specific authorization from the State Department's Office of Defense Trade Controls is generally required for the export of any such "defense articles" or "defense services" to any foreign destination, except Canada.
2.2. The Commerce Department's Bureau of Export Administration controls the export of commercial and "dual use" products, software and technology under authority of the Export Administration Act, 50 U.S.C. App. 2401 et seq. (now expired), the International Emergency Economic Powers Act, 50 U.S.C. 1701 et seq., and the Export Administration Regulations, 15 C.F.R. Parts 768-799.
2.2.1. The Commerce Department's export control program covers virtually all commodities, software and technical data of United States origin, as listed on the Commerce Control List, 15 C.F.R. 799.1, Supp. No. 1 (except items specifically covered by separate export control programs, such as the State Department's munitions export control program, supra).
2.2.2. Most products on the Commerce Control List may be exported to most countries of the world under authority of one of several general licenses, but a number of restrictions and validated export licensing requirements apply to the export of such products:
(a) to restricted or embargoed foreign destinations;
(b) for proscribed end-users; and
(c) to proscribed or restricted end-users.
2.2.3. The Treasury Department's Office of Foreign Assets Control controls financial and commercial transactions, including export transactions, with specific foreign countries, under authority of the Trading with the Enemy Act, 50 U.S.C. App. 5, the International Emergency Economic Powers Act, 50 U.S.C. 1701 et seq., and regulations issued thereunder (published in Title 31 of the Code of Federal Regulations).
2.2.4. The current United States embargoes on trade and financial transactions with Cuba, North Korea, Libya, Iran and Iraq are implemented by regulations issued by the Office of Foreign Assets Control under the foregoing statutes.
2.2.5. The embargoes established by the Office of Foreign Assets Control extend to persons and firms, wherever located, that are deemed to be owned or controlled by the government of one of the foregoing embargoed countries.
Such persons and firms are referred to as Specially Designated Nationals or "SDNs".
- Violators of any of the export control restrictions and provisions of these three statutory and regulatory programs are subject to severe criminal, civil and administrative penalties.
3.1. Any person or firm, whether located in the United States or abroad, that has been found to have violated these export control laws and regulations may be subject to an export denial order and placed on the Commerce Department's "Table of Denial Orders" or "TDO".
3.2. A person or firm on the TDO is ineligible to participate in any transaction involving products exported, or to be exported, from the United States, and all persons and firms are prohibited from engaging in any transaction with a person or firm on the TDO that may involve the export or reexport of United States origin commodities, software or technical data.
3.3. The United States export control laws and regulations also forbid any person or firm from participating in any transaction where that person or firm knows or has reason to know that United States origin commodities, software or technical data may be exported or reexported in violation of the United States export controls.
3.3.1. United States persons and firms therefore have a duty of due diligence, even with respect to domestic transactions, to assure that they are not parties to a transaction that may result in the diversion of United States origin products to an unauthorized foreign destination, end-user or end-use.
- The United States export control laws and regulations define the concept of an "export" broadly, to include:
4.1. The actual shipment or transmission of technical data out of the United States;
4.2. Any release of technology or source code to a foreign national, whether such release takes place in the United States or abroad; and
4.3. Any release of technical data of United States origin in a foreign country.
Thus:
4.3.1. An "export" of software or technical data is deemed to have occurred for export control purposes any time any United States origin software or technical data is transmitted abroad over the Internet;
4.3.2. Because there are few, if any, restrictions on access to the Internet from around the world, the person or firm that places United States origin technical data or software on the Internet is likely to be deemed to have reason to know that such technical data or software is likely to be exported.
B. Export Controls on Encryption Software
- As noted above, with very limited exceptions, encryption software is classified for export control purposes as a "defense article" or "munition", and requires a validated export license from the State Department for export to any foreign destination, except Canada.
1.1. It is the State Department's (informal) position, therefore, that to place any encryption software on the Internet, the following restrictions and controls would have to be put in place:
1.1.1. The system would have to be configured so that log-ins from outside the United States would be refused connection to the Internet server, or if permitted to connect, would be refused access to the encryption software; or
1.1.2. The system would have to have a time dependent user name and password, under which the system operator could verify that the request for access comes from the United States or Canada before the user can obtain access to the encryption software;
1.1.3. The system would also have to have an export control and compliance statement that the user would have to read and acknowledge before obtaining access to the encryption software.
1.2. Encryption software developed abroad may also be subject to the United States export controls embodied in the International Traffic in Arms Regulations if that software contains or embodies any United States origin encryption code.
1.2.1. Because the State Department takes the position that encryption software is a "defense article" under Category XIII(b) of the United States Munitions List, that code remains subject to United States export controls even if it has been posted on a bulletin board or is available over the Internet;
1.2.2. By contrast, encryption software developed abroad would not be within the export control jurisdiction of the United States if it has been developed solely with (i) foreign origin technology; and (ii) United States origin information and documentation that is in the public domain;
C. Distribution of Software over the Internet
- Even if a software product does not include encryption functions or features, its distribution over the Internet may raise significant export control problems and issues under the Commerce Department's export control program.
- Software products that are truly "freeware" may be eligible for export to all foreign destinations, without restriction, under authority of general license GTDA, only if the following terms and conditions are met:
2.1. The software is generally available to the public in any form, either free or at a price that does not exceed the cost of reproduction and distribution;
2.1.1. The Commerce Department's question and answer guidelines indicate that, under such circumstances, general license GTDA may be available for software and databases that are posted on a bulletin board or are distributed over the Internet.
2.1.2. General license GTDA is not, however, available for software that is on the Internet where:
(a) Such software embodies encryption functions or features and is treated as a "defense article" under the United States Munitions List;
(b) The supplier of such software charges a fee for access to a user version of the software; or
(c) The software is regarded as proprietary by the supplier thereof, and has been posted on the bulletin board or Internet without the supplier's authorization.
2.1.3. If a software product is, in fact, eligible for export under general license GTDA, United States export control concerns are minimal, as it can be accessed by a person in an embargoed country, or by a person or firm listed on the TDO or the SDN list, without violation of the United States export control laws and regulations.
2.2. Software products that the supplier thereof regards as proprietary are not eligible for export, over the Internet or otherwise, under general license GTDA.
2.2.1. In order to distribute such software products over the Internet, the supplier must (i) analyze the export control status of such products (i.e., classification on the Commerce Control List); and (ii) implement controls on access by unauthorized persons, from unauthorized destinations and for unauthorized end-uses.
2.3. Classification: The Export Administration Regulations establish two (2) general licenses for the export of proprietary technical data and software:
2.3.1. General license GTDU permits the export of proprietary technical data and software to most countries of the world (except Cuba, Libya, North Korea, Iran and Iraq).
2.3.2. General license GTDR permits the export of restricted proprietary technical data and software only to eligible countries in Country Groups T and V.
(a) The export of restricted technical data or software to an eligible destination under general license GTDR is subject to the precondition that the exporter obtain from its foreign consignee written assurance against reexport to a restricted destination;
(b) Thus, to distribute GTDR software over the Internet there would have to be a system in place by which any user abroad would furnish the supplier with an appropriate written assurance before that user could have access to the software in question.
2.4. Regardless of classification between general license GTDU and GTDR, there would also have to be a system in place to assure compliance with the destination, end-user and end-use export control restrictions with respect to any software distributed over the Internet.
2.4.1. Because of the embargo on virtually all exports of United States origin commodities, software and technical data to Cuba, Libya, North Korea, Iran and Iraq, there should be a system that would deny access to the software to any user located in any of those countries.
(a) Correspondingly, there should be a system for screening prospective users, in order to deny access to the software to any SDN that is owned or controlled by the government of any such embargoed country.
2.4.2. There should also be a system to screen and deny access to any user that is listed on the TDO.
2.4.3. The United States export control laws also prohibit the export of any proprietary technical data or software without a validated export license to certain specified destinations, where the supplier knows that such technical data or software will be used in connection with:
(a) Nuclear weapons activities;
(b) Activities relating to the design, development, production, storage, handling or use of chemical or biological weapons; or
(c) Activities relating to the design, development, production or use of missiles.
2.5. In order to assure good faith compliance with the foregoing export control restrictions and requirements, software suppliers that propose to place proprietary software products (such as demonstration versions of those products) on the Internet, should implement the following export compliance steps:
2.5.1. Restrictions on access to the software from embargoed and restricted countries, to the extent technically feasible (perhaps in collaboration with the Internet carrier or the operator of the relevant server);
2.5.2. Notices to all prospective users of the software, indicating that the software is subject to United States export controls and may not be transferred or exported to any proscribed or restricted destination, and may not be used for any unauthorized end-use (such as a nuclear, chemical or biological weapons or missile application) or by any unauthorized end-user (such as a person or firm on the TDO or SDN list);
2.5.3. A written (including electronic mail message) certification by the end-user as to its eligibility to access the software, and its undertaking to comply with all applicable United States export control laws and regulations;
2.5.4. To the extent feasible, the screening of prospective users, by name and address, against embargoed and restricted destinations, and against the TDO and SDN list.