Date: Thu, 3 Feb 1994 02:24:05 -0500 From: BITNET list server at BITNIC (1.7f) Subject: File: "LEGAL COMMERCE" To: gnu@cygnus.com CREN Information Center LEGAL COMMERCE May 31, 1990 Legal Aspects of International Network Communication The network access to foreign countries (especially those which may have restrictions placed upon the information which can legally be sent to them) which is now possible through CREN networks places significant legal responsibilities on CREN Members and Affiliates to ensure that they do not violate federal law by transmitting material to such foreign countries which is not allowed under current law and federal policy. The definitive policy statement regarding what data may be freely distributed is provided by the US Department of Commerce Export Administration Regulations, of which section 779.3, "General License GTDA; Technical Data Available to All Destinations" defines that information which may be distributed without special license from the Department of Commerce. It is the responsibility of each CREN Member and Affiliate to ensure that it abides by these regulations in all respects. The following letter of clarification to CREN from the US Department of Commerce is supplemented by the GTDA policy statement defining General Technical Data Availability and a memo from CREN's counsel, to provide CREN Members and Affiliates with an understanding of the legal issues of which they should be aware in using the networks for communication abroad. These three documents are all available from LISTSERV@BITNIC as the files LEGAL COMMERCE, LEGAL GTDA, and LEGAL COUNSEL, respectively. CREN Members and Affiliates are strongly advised to familiarize themselves with these documents and to take whatever steps are necessary to ensure that their staff and students are not in violation of the federal regulations in their use of the networks. ---------------------------------------------------------------------- UNITED STATES DEPARTMENT OF COMMERCE Bureau of Export Administration Washington, D.C. 20230 Jan. 18, 1990 Mr. James B. Conklin, Jr. Director BITNET Network Information Center EDUCOM 1112 16th Street, N.W. Washington, D.C. 20036 Dear Mr. Conklin: This is in further response to your request for an advisory opinion regarding any applicable U.S. Export Administration Regulations (EAR) that govern your proposal to provide BITNET access to the Soviet Union. We understand that BITNET is an electronic communications network that links computers at more than 480 universities, colleges, collaborating research centers, and some industrial-sector members in the United States. Moreover, BITNET forms a single logical network with NetNorth (Canada) and EARN (Western Europe), and this combined network serves over 1,300 members. The purpose of BITNET (along with EARN and NetNorth) is to permit users to share information (e.g. files and messages) via electronic mail. You indicate further that the BITNET network does not and will not allow a user to log onto another computer on the network. The BITNET guidelines preclude use of the network for commercial traffic. Industrial sector members "are not supposed to use BITNET to communicate with other industrial- sector members except in support of academic activity sponsored by an academic BITNET member." We presume that academic members may also not use the network for commercial traffic. The Office of Technology and Policy Analysis has already provided guidance on the possible physical export of certain commodities to the Soviet Union. However, you have called to inform us there will be no physical exports or reexports from the United States by BITNET of hardware for the network or for the gateway to connect the proposed members in the Soviet Union. Rather, the Soviets will import necessary equipment from third countries or the United Sates through their normal procurement channels. These probably will be no software exported or reexported from the United States by BITNET to establish the network gateway for the Soviet Union. However, you wish further discussion of the rules as they apply to technical data and software to be exported and reexported over the network once it is established. Prohibitions Against the Export of Technical Data and Software In the absence of a validated or general license, the EAR prohibits exports or reexports from the United States of computers, switches, software, and technical data. The term technical data is broadly defined to include virtually all know-how. In addition, the regulations apply to exports in any form, including electronic transmission from the United States and disclosure to a foreign national in the United States or abroad. These regulations apply to both individuals and institutions. As we have indicated to you in our prior correspondence, wide area networks exported to the Soviet Union require an individual validated license. If such validated licenses are issued for exports from the United States of items that will enable the consignee to build a network or establish a gateway for a network, then the EAR does not prohibit or require permission to establish or use such a network so long as prohibited exports are not made over the network. Moreover, the EAR does not require permission to establish a network gateway with wholly foreign origin commodities, software and technical data. However, I must underscore that this letter does not constitute permission or authority for BITNET or any BITNET member or user to export from the United States technical data or software over the BITNET system. Rather, each individual and each institutional member using BITNET for international transmissions is responsible for compliance with the EAR just as they are responsible for compliance with the EAR when making exports in any other fashion. Moreover, this letter should not be taken as an indication of whether third parties will be granted export licenses by the Department of Commerce for exports of commodities or software necessary to establish the gateway to the Soviet Union. Responsibility of BITNET The scope of responsibility of BITNET for the violations of the EAR by its members using the network is a question you have raised in meetings with our staff. You have explained that BITNET does not monitor traffic on the network. It is a non-secure network. However, BITNET does adopt usage limitations, and members find it in their self-interest to report violations of those rules to BITNET management. It is our understanding that if members see lines busy with commercial messages, they have an incentive to report that violation of your usage rules to BITNET management. Under the EAR, BITNET may not participate in any activity with actual knowledge or reason to know a member is about to use the network to export technical data or software unlawfully. Therefore, there is a level of care required of BITNET. The regulations do not require BITNET to initiate monitoring. In this respect, BITNET has taken the position that it is similar to a telephone common carrier, which is not responsible for the illegal export of technical data over its lines by a subscriber, so long as that happens without the knowledge or reason to know of the common carrier. In our opinion, BITNET has a closer relationship to its members than a telephone carrier has with its subscribers. This is because BITNET management is elected by the membership, BITNET sets network use guidelines, and at least on occasion, BITNET learns of violations of its own usage limitations from its members. For these reasons, BITNET has more opportunity to learn of the export activities of its members than does a telephone common carrier. In exercising its appropriate duty of care under the EAR, BITNET must take into account information provided to it by members in the normal course of BITNET's business. As noted below, BITNET is also different from the telephone common carrier to the extent that BITNET maintains its own data services or data bases. BITNET itself is the exporter of such data if BITNET employees place the data on the network in a manner that renders it available to foreign users of the network. In our meetings, BITNET has indicated an interest in informing its members of the scope of the export controls imposed by the EAR. When you first inquired of OTPA in person, we were preparing a revision of General License GTDA, which has since been issued in final form on October 3, 1989. That general license is especially significant for members of the academic community because it clarifies the authority to export certain fundamental research and publicly available information to any destination, including the Soviet Union. General License GTDA: Fundamental Research, Publicly Available Information, and Educational Information We welcome the interest of BITNET in publishing the new General License GTDA on the network for your members. A copy is attached for your convenience. That rule includes several specific examples intended to illustrate the scope of the general license. A complete discussion of General License GTDA is beyond the scope of this letter. However, a few comments about GTDA are in order. General License GTDA authorizes the export of information arising during or resulting from fundamental research. Under General License GTDA, "fundamental research" is defined to be: [B]asic and applied research in science and engineering, where the resulting information is ordinarily published and shared broadly within the scientific community. Such research can be distinguished from proprietary research and from industrial development, design, production, and product utilization, the results of which ordinarily are restricted for proprietary reasons or specific national security reasons as defined . . . Section 779.3(c). General License GTDA also authorizes the export of information that is publicly available and educational information. Publicly available information includes, among other items, information generally accessible to the interested public in any form including: 1. Publication in periodicals and books, 2. Availability in libraries open to the public, or 3. Release at open conferences, meetings, etc. Educational information includes information: [R]eleased by instruction in catalog courses and associated teaching laboratories of academic institutions. Section 779.3(d). If information qualifies for General License GTDA under any category, the general license remains available even though not exported in the same form. For example, information taught in a catalog course at one university may be exported by a means other than release to foreign nationals in a classroom. In addition, the information may be exported by a party other than the first instructor or institution to teach the material in the classroom. It is also important to note that the publication of a patent in a government office accessible to the public makes the disclosed information "publicly available" within the meaning of this general license. (Of course, patented information is not in the public domain for purposes of intellectual property protection.) BITNET Data Services Your letter refers to user access to BITNET servers and data services. You have informed us by telephone that such information is not proprietary and is published electronically without restriction on distribution and without charge by the author or generator. For information and software placed on the network by BITNET officers and employees, BITNET is the exporter and is responsible for the proper general or validated license for its export. However, such information likely qualifies for General License GTDA. The questions and answers provided by the new rule should give you parameters of General License GTDA as it applies to such data. If you remain uncertain as to whether such data is publicly available or otherwise qualifies for General License GTDA, you may provide us with specific descriptions of the data and information surrounding its availability. We will then provide you with a formal classification as the general license eligibility. However, you have also told our staff that in the future, BITNET may add proprietary data bases that will not qualify for General License GTDA. If BITNET becomes the provider of such information in the future, BITNET will be the exporter. If you enter this area of distribution, BITNET will require classification of the technical data before you can determine the application of the EAR. You will also require more information concerning the EAR than we can provide in this letter. The know-how may or may not require a validated export license to all destinations. It may or may not require written assurances against reexport of the technical data to the Soviet Bloc, the PRC, and the boycotted countries of North Korea, Vietnam, Cambodia, Cuba, and Libya. Exports of Software Certain software requires a validated license for export to the Soviet Union. If your members or users export software by file transfer over the network, they must establish or obtain the appropriate general license or validated license. A few forms of software, such as semiconductor design software and software for numerical controlled machine tools, require a validated license to all destinations. Several other types of software are COCOM embargoed for the Soviet Union; and they may be exported to Free World destinations only after the exporter first receives from his consignee written assurances that the software will not be reexported to the Warsaw Pact, the PRC, and Country Groups S and Z (North Korea, Vietnam, Cambodia, Cuba, and Libya). The scope of this letter will not permit a complete description of every aspect of software controls under the EAR. However, we understand you intend to publish this letter on the network; and that will give BITNET users notice that the export of software requires an appreciation of the EAR. Remote Computing and Diversion in Place You have indicated that the network does not enable a user to log onto a remote computer and use the computing capabilities of that remote computer. Rather, the BITNET system only permits the remote party to compel the transfer of a file on a remote computer, when that file has been placed in the network by a user who knows that it will then be exported to a foreign user. If the network permitted remote computing by foreign users, that would raise questions for Commerce. For foreign computers, we have long applied a theory we refer to as diversion in place. For example, if a computer is exported to western country "A: for use in that country, then the stated end-use for the export is breached or violated if a user in eastern country "B" enters that computer via modem and telephone line in a manner that enable him to use the computing power of the computer. He is doing indirectly that which has not been authorized directly, i.e. use of such a computer in country "B." For supercomputer installations outside the United States and Japan, there are security safeguard plans in effect. While this may be more relevant for EARN, BITNET should also be aware of basic prohibitions: 1. Both direct and remote computational access by COCOM-proscribed nationals or work done on their behalf. 2. Transfer of technical data or software derived from the use of supercomputer which relate to COCOM- controlled items. I trust that this letter will answer your request regarding BITNET access to the Soviet Union and other destinations. If you have any more specific questions, please contact either Dan Cook at 377-4188 or Larry Christensen at 377-5305. Sincerely, William L. Clements Director Office of Technology and Policy Analysis