[439] in Commercialization & Privatization of the Internet
Re: TCP/IP export restrictions: extension of acceptable use?
daemon@ATHENA.MIT.EDU (Lee C. Varian)
Mon Mar 25 11:48:32 1991
Date: Mon, 25 Mar 1991 11:30:17 EST
From: "Lee C. Varian" <LVARIAN@pucc.PRINCETON.EDU>
To: "Manavendra K. Thakur" <thakur@zerkalo.harvard.edu>, com-priv@uu.psi.com
In-Reply-To: Your message of Mon, 25 Mar 91 01:15:11 EST
Manavendra, I am enclosing a copy of one of the documents which CREN
(BITNET/CSNET) makes available to its membership regarding some of the
export issues raised by wide-spread international networking. While I
personally find some of the aspects of export control both silly and
unenforceable, as a responsible manager of networking here at Princeton
University I will endeavor to enforce these restrictions even while I
urge the US Administration to relax or eliminate them.
Lee Varian, Princeton University, lvarian@pucc.princeton.edu
CREN Information Center LEGAL COMMERCE May 31, 1990
Legal Aspects of International Network Communication
The network access to foreign countries (especially those which may
have restrictions placed upon the information which can legally be sent
to them) which is now possible through CREN networks places significant
legal responsibilities on CREN Members and Affiliates to ensure that
they do not violate federal law by transmitting material to such foreign
countries which is not allowed under current law and federal policy.
The definitive policy statement regarding what data may be freely
distributed is provided by the US Department of Commerce Export
Administration Regulations, of which section 779.3, "General License
GTDA; Technical Data Available to All Destinations" defines that
information which may be distributed without special license from the
Department of Commerce. It is the responsibility of each CREN Member
and Affiliate to ensure that it abides by these regulations in all
respects.
The following letter of clarification to CREN from the US
Department of Commerce is supplemented by the GTDA policy statement
defining General Technical Data Availability and a memo from CREN's
counsel, to provide CREN Members and Affiliates with an understanding of
the legal issues of which they should be aware in using the networks for
communication abroad. These three documents are all available from
LISTSERV@BITNIC as the files LEGAL COMMERCE, LEGAL GTDA, and LEGAL
COUNSEL, respectively. CREN Members and Affiliates are strongly advised
to familiarize themselves with these documents and to take whatever
steps are necessary to ensure that their staff and students are not in
violation of the federal regulations in their use of the networks.
----------------------------------------------------------------------
UNITED STATES DEPARTMENT OF COMMERCE
Bureau of Export Administration
Washington, D.C. 20230
Jan. 18, 1990
Mr. James B. Conklin, Jr.
Director
BITNET Network Information Center
EDUCOM
1112 16th Street, N.W.
Washington, D.C. 20036
Dear Mr. Conklin:
This is in further response to your request for an advisory
opinion regarding any applicable U.S. Export Administration
Regulations (EAR) that govern your proposal to provide BITNET
access to the Soviet Union. We understand that BITNET is an
electronic communications network that links computers at
more than 480 universities, colleges, collaborating research
centers, and some industrial-sector members in the United
States. Moreover, BITNET forms a single logical network with
NetNorth (Canada) and EARN (Western Europe), and this
combined network serves over 1,300 members. The purpose of
BITNET (along with EARN and NetNorth) is to permit users to
share information (e.g. files and messages) via electronic
mail. You indicate further that the BITNET network does not
and will not allow a user to log onto another computer on the
network. The BITNET guidelines preclude use of the network
for commercial traffic. Industrial sector members "are not
supposed to use BITNET to communicate with other industrial-
sector members except in support of academic activity
sponsored by an academic BITNET member." We presume that
academic members may also not use the network for commercial
traffic.
The Office of Technology and Policy Analysis has already
provided guidance on the possible physical export of certain
commodities to the Soviet Union. However, you have called to
inform us there will be no physical exports or reexports from
the United States by BITNET of hardware for the network or
for the gateway to connect the proposed members in the Soviet
Union. Rather, the Soviets will import necessary equipment
from third countries or the United Sates through their normal
procurement channels. These probably will be no software
exported or reexported from the United States by BITNET to
establish the network gateway for the Soviet Union. However,
you wish further discussion of the rules as they apply to
technical data and software to be exported and reexported
over the network once it is established.
Prohibitions Against the Export of Technical Data and
Software
In the absence of a validated or general license, the EAR
prohibits exports or reexports from the United States of
computers, switches, software, and technical data. The term
technical data is broadly defined to include virtually all
know-how. In addition, the regulations apply to exports in
any form, including electronic transmission from the United
States and disclosure to a foreign national in the United
States or abroad. These regulations apply to both
individuals and institutions.
As we have indicated to you in our prior correspondence, wide
area networks exported to the Soviet Union require an
individual validated license. If such validated licenses are
issued for exports from the United States of items that will
enable the consignee to build a network or establish a
gateway for a network, then the EAR does not prohibit or
require permission to establish or use such a network so long
as prohibited exports are not made over the network.
Moreover, the EAR does not require permission to establish a
network gateway with wholly foreign origin commodities,
software and technical data.
However, I must underscore that this letter does not
constitute permission or authority for BITNET or any BITNET
member or user to export from the United States technical
data or software over the BITNET system. Rather, each
individual and each institutional member using BITNET for
international transmissions is responsible for compliance
with the EAR just as they are responsible for compliance with
the EAR when making exports in any other fashion. Moreover,
this letter should not be taken as an indication of whether
third parties will be granted export licenses by the
Department of Commerce for exports of commodities or software
necessary to establish the gateway to the Soviet Union.
Responsibility of BITNET
The scope of responsibility of BITNET for the violations of
the EAR by its members using the network is a question you
have raised in meetings with our staff. You have explained
that BITNET does not monitor traffic on the network. It is a
non-secure network. However, BITNET does adopt usage
limitations, and members find it in their self-interest to
report violations of those rules to BITNET management. It is
our understanding that if members see lines busy with
commercial messages, they have an incentive to report that
violation of your usage rules to BITNET management.
Under the EAR, BITNET may not participate in any activity
with actual knowledge or reason to know a member is about to
use the network to export technical data or software
unlawfully. Therefore, there is a level of care required of
BITNET. The regulations do not require BITNET to initiate
monitoring. In this respect, BITNET has taken the position
that it is similar to a telephone common carrier, which is
not responsible for the illegal export of technical data over
its lines by a subscriber, so long as that happens without
the knowledge or reason to know of the common carrier. In
our opinion, BITNET has a closer relationship to its members
than a telephone carrier has with its subscribers. This is
because BITNET management is elected by the membership,
BITNET sets network use guidelines, and at least on occasion,
BITNET learns of violations of its own usage limitations from
its members.
For these reasons, BITNET has more opportunity to learn of
the export activities of its members than does a telephone
common carrier. In exercising its appropriate duty of care
under the EAR, BITNET must take into account information
provided to it by members in the normal course of BITNET's
business.
As noted below, BITNET is also different from the telephone
common carrier to the extent that BITNET maintains its own
data services or data bases. BITNET itself is the exporter
of such data if BITNET employees place the data on the
network in a manner that renders it available to foreign
users of the network.
In our meetings, BITNET has indicated an interest in
informing its members of the scope of the export controls
imposed by the EAR. When you first inquired of OTPA in
person, we were preparing a revision of General License GTDA,
which has since been issued in final form on October 3, 1989.
That general license is especially significant for members of
the academic community because it clarifies the authority to
export certain fundamental research and publicly available
information to any destination, including the Soviet Union.
General License GTDA: Fundamental Research, Publicly
Available Information, and Educational Information
We welcome the interest of BITNET in publishing the new
General License GTDA on the network for your members. A copy
is attached for your convenience. That rule includes several
specific examples intended to illustrate the scope of the
general license. A complete discussion of General License
GTDA is beyond the scope of this letter. However, a few
comments about GTDA are in order.
General License GTDA authorizes the export of information
arising during or resulting from fundamental research. Under
General License GTDA, "fundamental research" is defined to
be:
[B]asic and applied research in science and
engineering, where the resulting information is
ordinarily published and shared broadly within the
scientific community. Such research can be
distinguished from proprietary research and from
industrial development, design, production, and
product utilization, the results of which
ordinarily are restricted for proprietary reasons
or specific national security reasons as defined .
. . Section 779.3(c).
General License GTDA also authorizes the export of
information that is publicly available and educational
information. Publicly available information includes, among
other items, information generally accessible to the
interested public in any form including:
1. Publication in periodicals and books,
2. Availability in libraries open to the public, or
3. Release at open conferences, meetings, etc.
Educational information includes information:
[R]eleased by instruction in catalog courses and
associated teaching laboratories of academic
institutions. Section 779.3(d).
If information qualifies for General License GTDA under any
category, the general license remains available even though
not exported in the same form. For example, information
taught in a catalog course at one university may be exported
by a means other than release to foreign nationals in a
classroom. In addition, the information may be exported by a
party other than the first instructor or institution to teach
the material in the classroom. It is also important to note
that the publication of a patent in a government office
accessible to the public makes the disclosed information
"publicly available" within the meaning of this general
license. (Of course, patented information is not in the
public domain for purposes of intellectual property
protection.)
BITNET Data Services
Your letter refers to user access to BITNET servers and data
services. You have informed us by telephone that such
information is not proprietary and is published
electronically without restriction on distribution and
without charge by the author or generator. For information
and software placed on the network by BITNET officers and
employees, BITNET is the exporter and is responsible for the
proper general or validated license for its export. However,
such information likely qualifies for General License GTDA.
The questions and answers provided by the new rule should
give you parameters of General License GTDA as it applies to
such data. If you remain uncertain as to whether such data
is publicly available or otherwise qualifies for General
License GTDA, you may provide us with specific descriptions
of the data and information surrounding its availability. We
will then provide you with a formal classification as the
general license eligibility.
However, you have also told our staff that in the future,
BITNET may add proprietary data bases that will not qualify
for General License GTDA. If BITNET becomes the provider of
such information in the future, BITNET will be the exporter.
If you enter this area of distribution, BITNET will require
classification of the technical data before you can determine
the application of the EAR. You will also require more
information concerning the EAR than we can provide in this
letter. The know-how may or may not require a validated
export license to all destinations. It may or may not
require written assurances against reexport of the technical
data to the Soviet Bloc, the PRC, and the boycotted countries
of North Korea, Vietnam, Cambodia, Cuba, and Libya.
Exports of Software
Certain software requires a validated license for export to
the Soviet Union. If your members or users export software
by file transfer over the network, they must establish or
obtain the appropriate general license or validated license.
A few forms of software, such as semiconductor design
software and software for numerical controlled machine tools,
require a validated license to all destinations. Several
other types of software are COCOM embargoed for the Soviet
Union; and they may be exported to Free World destinations
only after the exporter first receives from his consignee
written assurances that the software will not be reexported
to the Warsaw Pact, the PRC, and Country Groups S and Z
(North Korea, Vietnam, Cambodia, Cuba, and Libya).
The scope of this letter will not permit a complete
description of every aspect of software controls under the
EAR. However, we understand you intend to publish this
letter on the network; and that will give BITNET users notice
that the export of software requires an appreciation of the
EAR.
Remote Computing and Diversion in Place
You have indicated that the network does not enable a user to
log onto a remote computer and use the computing capabilities
of that remote computer. Rather, the BITNET system only
permits the remote party to compel the transfer of a file on
a remote computer, when that file has been placed in the
network by a user who knows that it will then be exported to
a foreign user.
If the network permitted remote computing by foreign users,
that would raise questions for Commerce. For foreign
computers, we have long applied a theory we refer to as
diversion in place. For example, if a computer is exported
to western country "A: for use in that country, then the
stated end-use for the export is breached or violated if a
user in eastern country "B" enters that computer via modem
and telephone line in a manner that enable him to use the
computing power of the computer. He is doing indirectly that
which has not been authorized directly, i.e. use of such a
computer in country "B."
For supercomputer installations outside the United States and
Japan, there are security safeguard plans in effect. While
this may be more relevant for EARN, BITNET should also be
aware of basic prohibitions:
1. Both direct and remote computational access by
COCOM-proscribed nationals or work done on their
behalf.
2. Transfer of technical data or software derived from
the use of supercomputer which relate to COCOM-
controlled items.
I trust that this letter will answer your request regarding
BITNET access to the Soviet Union and other destinations. If
you have any more specific questions, please contact either
Dan Cook at 377-4188 or Larry Christensen at 377-5305.
Sincerely,
William L. Clements
Director
Office of Technology and Policy Analysis
