Export Controls and Internet Commerce
by Roszel C. Thomsen II (Esquire) and McKenney (Thomsen and Burke LLP), Commerce.Net (1996)

1. Introduction
Pundits have proclaimed that it is simply impossible to control data and software, once it has been made available via the Internet. Pamphleteers of the Information Age, like George Gilder (see George Gilder's Homepage) and John Perry Barlow (see John Perry Barlow's Homepage), have even suggested that the flow of data and software worldwide via the Internet will make tax collection impossible and render national governments obsolete.

Governments are not giving up without a fight, however. Exporting data and software from the United States is not a right protected by the Constitution, but rather a privilege which the Government may restrict or even deny. In some cases, you must apply for and obtain a license in order to legally export data and software from the United States, just as you must apply for and obtain a license in order to legally drive a car. The United States is far from unique in this regard. Many other countries, including most of our major trading partners, also have enacted export control laws. (These laws are beyond the scope of this White Paper). In addition, the United States participates in several international export control regimes which are designed to harmonize the various national export control systems. (These international export control regimes are discussed briefly, below.) Therefore, unless and until the pundits are proved correct, and the Constitution is amended or the United States export control laws are changed, companies and individuals who transfer data and software outside of the United States via the Internet need to comply with the arcane requirements of the United States export controls.

1.1. U.S. Export Control Law and Lore
The Congress has passed a number of laws which govern the export of data and software from the United States for reasons of national security and foreign policy. None of these laws mentions explicitly electronic "exports" via the Internet.
Nevertheless, these laws apply to all exports of data and software, whether transferred via the Internet or other means. Federal Courts have upheld these laws in the face of multiple challenges, including charges that they are void for vagueness, and that they infringe upon Constitutionally protected freedom of speech under the First Amendment [FN1].

In addition to the export control laws passed by the Congress, the federal agencies responsible for implementing these laws have published voluminous regulations which more precisely delineate the requirements for the legal export of data and software. These regulations, and the related "lore" in the form of (largely unwritten) policies of the federal agencies charged with administering them, must be understood in order to comply with United States export controls.

Most Internet commerce is subject to control under the Export Administration Act ("EAA") [FN2] and implementing Export Administration Regulations ("EAR") [FN3] administered by the Commerce Department. Some Internet commerce is subject to control under the Arms Export Control Act ("AECA") [FN4] and implementing International Traffic in Arms Regulations ("ITAR") [FN5] administered by the State Department. A small, but interesting, subset of Internet commerce is subject to control under the embargo statutes, including the Trading with the Enemy Act [FN6], the International Emergency Economic Powers Act [FN7] and implementing regulations administered by the Treasury Department [FN8]. Each of these export control regimes, as they affect Internet commerce, is discussed below.

In order to determine which set of export controls applies to a particular transfer of data or software via the Internet, you must examine not only the nature of the data or software to be exported (i.e., whether it is "dual-use" or "munitions" in nature), but also its intended destination (i.e., whether the country of destination is subject to embargo by the U.S.).

1.1.1. "Dual-use" Export Controls
The vast majority of data and software exported from the United States via the Internet is so-called "dual-use", because it has both civilian and military applications. For example, the computers and telecommunications hardware which comprise the Internet itself, as well as data and software necessary for their operation and use, are considered to be dual-use. Such data and software are controlled for export under the EAA and EAR administered by the Commerce Department's Bureau of Export Administration.

The United States has implemented export controls on dual-use data and software continuously since 1949 [FN9]. The EAA and its predecessor statutes are a living legacy of the Cold War. The last comprehensive revision was in 1979, when the Soviet Union was invading Afghanistan [FN10]. Since 1979, the Congress has passed minor amendments to the EAA, but its structure and content still reflect the Cold War era. Also, the Congress has permitted the EAA to expire on several occasions, requiring the President to issue an Executive Order to maintain his authority to control exports.

The last serious effort to rewrite the EAA occurred in the 103D Congress, which held a number of hearings and debated several bills to bring the EAA into the post-Cold War era during 1993 and 1994. However, when the 103D Congress failed to pass a new law, the EAA formally expired on August 15, 1994. Since then, the President has exercised his authority to control exports of dual-use data and software under Executive Order 12924 [FN11].

The 104th Congress has not made much progress on EAA renewal legislation, to date. In part, this is due to differences of views expressed in the debate conducted by the 103D Congress, which remain unresolved. In part, it is due to competing legislative priorities, such as implementing the Republicans' Contract with America and passing budget bills.
Absent rapid action on the part of the 104th Congress, the President is certain to invoke his emergency powers once again and continue his authority to implement export controls under the EAA, when Executive Order 12924 expires on August 15, 1996.

The statutory requirements set forth in the EAA are implemented in the voluminous EAR. The EAR have been amended on average 50 times each year, by publication of new rules and orders in the Federal Register, in the 1990's. The EAR contains abstruse provisions which delineate the precise scope of dual-use data and software subject to control in excruciating detail. They also include detailed provisions describing the scope of General Prohibitions, License Exceptions, and procedures for obtaining export licenses, which must be mastered by individuals and companies engaged in Internet commerce.

Recognizing that the complexity of the EAR is an impediment to informed compliance, the Clinton Administration embarked on a comprehensive redrafting effort in 1993. The drafters began with a "plain sheet of paper", and published a completely recodified EAR in March of 1996. Although the new EAR remains lengthy and complex, it is a distinct improvement over its predecessor regulations.

The EAA and EAR serve important national security and foreign policy purposes. Therefore, the penalties for violation are severe. Criminal violations of the EAA and EAR are punishable by 10 years in prison and fines of 5 times the value of the export or $1,000,000.00, whichever is greater. Civil violations are punishable by fines of up to $10,000 per violation. In addition, the Commerce Department may impose administrative sanctions, including denial of export privileges! [FN12] Indeed, the Commerce Department and the Customs Service, working with the Department of Justice, have prosecuted numerous individuals and companies for violating the EAA and EAR.
For example, in 1991 Digital Equipment Corporation paid a fine of $2.4 million to settle alleged violations of the EAA and EAR. Literally hundreds of companies and individuals have been placed on the Commerce Department's Table of Denial Orders and had their export privileges revoked for violations of the EAA and EAR.

1.1.2. Munitions Export Controls
Some data and software in Internet commerce are controlled for export from the United States because they are considered to be "munitions". This includes not only data and software related to generally recognized implements of war, like guns and bombs, but also hardware and software implementing strong cryptography which are essential to Internet commerce. Munitions data and software are controlled under the AECA and implementing ITAR administered by the State Department's Office of Defense Trade Controls.

The AECA was enacted in 1976, and is a product of the post-Vietnam War era. [FN13] In the legislative history, members of Congress expressed concern that American companies were "merchants of death", promoting the export of munitions products and technologies contrary to the national security and foreign policy interests of the United States. In light of these concerns, the Congress felt that American companies should be prohibited from exporting certain munitions, even if similar products are widely available outside of the United States. Thus, for example, the fact that software programs implementing strong cryptography are available from multiple Internet host computers located outside of the United States is not considered to be a compelling reason for relaxing strict export controls on such software under the AECA.

The statutory requirements set forth in the AECA are implemented in the ITAR. Unlike the EAR, the ITAR is relatively concise and amended infrequently. The last complete recodification was in 1993.
[FN14] However, in part because of its brevity, compliance with the requirements of the ITAR can be complex for companies and individuals engaged in Internet commerce. Because it is short and susceptible of multiple meanings, the ITAR leaves considerable room for interpretation. Often, licensing officers take very different views of the ITAR's provisions. In addition, the ITAR contains provisions which are distinctly counter-intuitive. For example, cryptographic software is considered to be "hardware" for purposes of the ITAR! Informed compliance requires not only knowledge of the law, but also experience with the lore surrounding it.

Criminal violations of the AECA and ITAR also are punishable by 10 years in prison and fines of 5 times the value of the export or $1,000,000.00, whichever is greater. Civil violations are punishable by fines of up to $100,000.00 per violation. In addition, the State Department may impose administrative sanctions, including denial of export privileges, and even suspend the violator's right to bid on United States government contracts! [FN15] The State Department, working with the Customs Service and the Department of Justice, has prosecuted numerous individuals and companies for violating the AECA and ITAR. For example, in 1994 and 1995 divisions of Teledyne [FN16] and Lockheed [FN17] were denied export privileges under the AECA and ITAR.

1.1.3. Embargo Regimes
From time to time, the United States government has determined that the conduct of some governments is so abhorrent that broad economic sanctions, including but not limited to imposition of stringent export controls, are appropriate. Currently, broad economic sanctions are imposed against Cuba, Iran, Iraq, Libya and North Korea. In recent years, embargoes also have been imposed against Haiti, Nicaragua, Serbia and South Africa, among other countries. The Trading with the Enemy Act is the statutory basis for the current embargoes of North Korea and Cuba.
This World War I-era statute has lapsed, however, and the embargoes of Iran, Iraq, and Libya are authorized by Executive Orders issued under authority of the International Emergency Economic Powers Act of 1976 and other statutes. The scope of each embargo is slightly different, depending on the facts and circumstances which gave rise to the Executive Order. In some cases, the Executive Orders have implemented more comprehensive embargoes than the Congress would have authorized through legislation. In other cases, the Executive Orders have been issued in order to avoid even tougher sanctions by the Congress.

Several months after issuance of a new Executive Order imposing sanctions, the Treasury Department's Office of Foreign Assets Control typically issues new implementing regulations. These regulations provide guidance with respect to the scope and effect of the embargoes, and the relationship between the Treasury Department's regulations and other U.S. export controls. In most cases, the Commerce Department cedes its export control jurisdiction to the Treasury Department once an embargo has been imposed. However, in some cases the Commerce Department retains jurisdiction over some types of exports and reexports. It is essential to review the particulars of the specific statute, Executive Order and implementing regulations in question prior to exporting to an embargoed country.

Criminal violations of the embargo regimes are punishable by imprisonment and fiscal penalties which vary depending on the authorizing statute. Civil violations are punishable by fines which also depend on the authorizing statute. Administrative penalties, including forfeiture, can be imposed, too.

1.1.4. Other U.S. Export Controls
Other federal agencies administer export controls of various scope and effect. For example, the Energy Department controls unclassified activities, including exports of information, related to foreign atomic energy programs.
[FN18] The Patent and Trademark Office regulates the export of technical information required for the purpose of filing patent applications outside of the United States. [FN19] However, these and other export controls are encountered far less frequently in the realm of Internet commerce.

1.2. Multilateral Export Controls
The United States is not the sole source for many types of data and software which traverse the Internet. Therefore, the United States government participates in a number of multilateral export control regimes which are designed to harmonize the export controls of the member countries. The most important of the multilateral regimes are the so-called New Forum (successor to COCOM), the Nuclear Suppliers Group, the Missile Technology Control Regime, the Australia Group (for chemical and biological weapons) and the Supercomputer Suppliers Regime. The membership, targets and procedures of each regime are different. However, they potentially may serve an important function by ensuring that there is a "level playing field" for companies located in different countries which may be engaged in Internet commerce.

2. Which Export Controls Apply to My Data and Software?
The first question you must answer in order to legally export via the Internet is: Which export controls apply to my data or software? Is my data or software considered by the U.S. Government to be dual-use or munitions in nature? To answer this threshold question, you must review the Commerce Control List of the EAR and the U.S. Munitions List of the ITAR.

2.1. Dual-use Data and Software -- The Commerce Control List
The Commerce Department's Bureau of Export Administration publishes a list of data and software which are subject to the jurisdiction of the EAA and EAR, known as the Commerce Control List. [FN20] If your data or software is described on the Commerce Control List, then it is subject to the export control jurisdiction of the Commerce Department under the EAA and EAR.
The Commerce Control List of the EAR contains detailed descriptions of the various types of data and software subject to control as dual-use items. The types of data and software described are very diverse. For example, Sun Microsystems is the largest provider of computers serving as Internet hosts. Sun's computers themselves, information describing their installation, operation and use, and Sun's Solaris operating system, are controlled as dual-use items under Category 4 - Computers on the Commerce Control List of the EAR. To take another example, Cisco Systems is the leading provider of routers which guide information from one computer to another on the Internet. Cisco's routers themselves, information describing their installation, operation and use, and Cisco's software which provides dynamic adaptive routing of IP packets, are controlled as dual-use items under Category 5 - Telecommunications on the Commerce Control List of the EAR.

2.2. Munitions Data and Software -- The U.S. Munitions List
The State Department's Office of Defense Trade Controls publishes a list of data and software which are subject to the jurisdiction of the AECA and ITAR, known as the U.S. Munitions List. [FN21] If your data or software is described on the U.S. Munitions List of the ITAR, then it is subject to the export control jurisdiction of the State Department under the AECA and ITAR.

The U.S. Munitions List of the ITAR contains summary descriptions of data and software which are controlled as munitions. Most of the data and software which are described on the U.S. Munitions List have a direct and obvious relationship to guns and bombs. However, the U.S. Munitions List also governs exports of some satellites, wireless telephony and other computers and communications products which might not ordinarily be regarded as munitions.

One particularly problematic provision of the U.S. Munitions List is Category XIII - Auxiliary Military Equipment which controls cryptographic hardware and software. The export controls on cryptography are the subject of a separate White Paper entitled Export of Cryptography. For purposes of this paper, however, it is sufficient to state that many software programs are offered in two versions. One version utilizes "weak" cryptography and is controlled under the Commerce Control List of the EAR. The other version utilizes "strong" cryptography and is controlled under the U.S. Munitions List of the ITAR. A good example of this split in jurisdiction is Netscape's Navigator web browser. Netscape offers two versions of its popular web browser, one with strong encryption controlled under the ITAR and another with weak encryption controlled under the EAR. Hence, it may be important to determine the specific version of software you wish to export, in order to comply with the export control laws!

2.3. Resolving Conflicts Between the Lists
In some cases, like the export controls on cryptography, the Commerce Control List and the U.S. Munitions List either are silent as to which agency controls a particular type of data or software, or contain overlapping descriptions. Conflicts between the two lists are resolved through the Commodity Jurisdiction Procedure of the ITAR. [FN22] Exporters wishing to verify the appropriate export control regime are required to submit a letter to the State Department which describes the data or software at issue in detail, as well as the data or software's origins and current uses. Generally, a product brochure or other supporting documentation is enclosed with the letter, in support of the Commodity Jurisdiction Request. The State Department consults with the Departments of Commerce and Defense and issues a Commodity Jurisdiction Determination to the exporter. If the exporter disagrees with the State Department's decision, an appeal is available to higher levels of the State Department.
However, the final determination of whether a particular type of data or software is controlled under the Commerce Control List or the U.S. Munitions List rests with the State Department, and is not subject to review by federal courts.

3. Dual-use Export Licensing
After determining that your data or software is, in fact, a dual-use item subject to the jurisdiction of the Commerce Department pursuant to the EAA, you next must examine the export licensing requirements set forth in the EAR. There are essentially three possibilities: (a) your data or software is exempt from licensing because it meets the definition of "public domain" under the EAR; (b) your data or software may be exported pursuant to a License Exception under the EAR; or (c) your data or software requires an export license issued by the Commerce Department prior to export. After verifying and complying with the export licensing requirements, you also must review the export clearance provisions of the EAR, which in some instances may require the filing of a Shipper's Export Declaration with the Bureau of the Census. [FN23] Finally, all exporters of dual-use data and software subject to the EAR must keep records of their exports for a period of five years from the last known export or reexport. [FN24]

3.1. Public Domain Data and Software
Most dual-use data and software traversing the Internet today falls within the definition of "public domain". [FN25] The EAR contains a lengthy definition of public domain, but a useful shorthand definition is as follows: if data or software is made available to all persons who desire to obtain it free of charge or at a cost which is reasonably related to the cost of distribution, then it qualifies as being in the public domain. Data and software (freeware) which is dual-use in nature and is in the public domain may be exported to all destinations without an export license issued by the Commerce Department.
For example, the product literature and technical white papers describing Sun Microsystems' and Cisco's computers, routers and software which are available for free downloading from web and FTP sites qualify as "public domain" and may be exported without restriction via the Internet to all destinations. In fact, you can place any dual-use data or software into the public domain, simply by making it available for free downloading via the Internet.

3.2. General Prohibitions and License Exceptions
Once secure mechanisms for on-line payment have been developed and implemented, an increasing number of companies will use the Internet to distribute data and software for a fee. Such data and software does not qualify as being in the public domain. Therefore, you must review the General Prohibitions [FN26] and License Exceptions [FN27] in order to determine whether such data and software may be exported under an exception to the export license requirements of the EAR.

The EAR contains a number of General Prohibitions. The most important of these General Prohibitions state that the exporter must obtain an export license from the Commerce Department before exporting data or software (1) to a prohibited end-user, (2) for a prohibited end-use, or (3) to a prohibited destination. Prohibited end-users are set forth in the Commerce Department's Table of Denial Orders. Prohibited end-uses include the design, development, production, stockpiling or use of so-called "weapons of mass destruction", which include nuclear, chemical and biological weapons and missiles. Prohibited destinations are the embargoed countries (currently Cuba, Iran, Iraq, Libya and North Korea) and countries which support international terrorism (currently Syria and Sudan). All exports to prohibited end-users, for prohibited end-uses, or to prohibited destinations, require an export license issued by the Commerce Department.
Assuming that your proposed export is not subject to one of the General Prohibitions, you next must determine whether one of the License Exceptions applies. You do not have to apply to the Commerce Department in order to export under one of the License Exceptions. Just follow the rules in the EAR, and send your data or software over the Internet!

Let's return to the examples above. Suppose that Sun Microsystems or Cisco wishes to charge a fee for technical support to customers using its products. Technical support for computers and routers lawfully exported also may be exported, via the Internet, under a License Exception of the EAR. Suppose further that Sun Microsystems or Cisco wishes to export bug fixes to its software programs to licensed users. Electronic downloads of such software bug fixes also would qualify for export under a License Exception of the EAR. Only by carefully reviewing the General Prohibitions and License Exceptions in the EAR, however, can an exporter determine whether a License Exception is available and what conditions (if any) must be met in order to qualify.

The good news is that 99% of dual-use exports from the United States qualify for one of the License Exceptions. For the other 1% of exports where a License Exception is not available, however, you must apply to the Commerce Department and obtain an export license.

3.3. Applying for and Obtaining Export Licenses
If your dual-use data or software is not in the public domain, and does not qualify for a License Exception, then you must file an application for an export license with the Commerce Department's Bureau of Export Administration. The application form is available from the Commerce Department in Washington, D.C., and from the various regional offices. In addition, you may submit applications electronically through third party services offered by various vendors.
Whether filed in paper or electronically, the application must disclose the material facts of the proposed transaction, including a description of the particular data or software to be exported, the final destination, end-user and end-use, for review by the Commerce Department and other federal agencies.

The Commerce Department's Bureau of Export Administration received approximately 10,000 applications for export licenses in 1995. The vast majority of these were approved, ultimately. However, exporters have complained for a number of years that the Commerce Department does not act within a commercially reasonable period of time, and that deals are lost due to bureaucratic infighting between the various federal agencies with authority to review such applications.

Under Executive Order 12981 issued in December of 1995, the Commerce Department is supposed to act on all export license applications within 90 days of receipt. [FN28] However, the Executive Order also specifies that the Departments of Defense, Energy, and State, as well as the Arms Control and Disarmament Agency, now have authority to review all export license applications prior to approval. The Executive Order provides for a dispute resolution procedure, including escalation to the President for a final decision, if necessary, in the event of disagreements between the reviewing agencies. This Executive Order is expected to reduce the most egregious delays encountered by applicants in the past. However, so far, the average processing time for export license applications actually has increased, as more agencies are reviewing more licenses than they had in the past! Only time will tell if Executive Order 12981 constitutes a real improvement over past practice.

The "bottom line" is that you should review the definition of public domain and the available License Exceptions carefully, and take advantage of them whenever possible, in order to reap the full benefits presented by Internet commerce.

4. Munitions Export Licensing
After determining that your data and software are, in fact, munitions subject to the jurisdiction of the State Department under the AECA and ITAR, you must file an Application for Registration with (and pay a fee to) the State Department's Office of Defense Trade Controls simply in order to be eligible to obtain export licenses. Once registered, there are essentially three possibilities: (a) your data or software is exempt from licensing because it meets the definition of "public domain" under the ITAR; (b) your data or software may be exported pursuant to a specific exemption under the ITAR; or (c) your data or software requires an export license issued by the State Department prior to export. After determining the licensing requirements, you also must comply with the export clearance requirements of the ITAR, including filing of any required Shipper's Export Declarations. Finally, exporters of munitions data and software must keep records of all exports for a period of five years from the expiration of any license or other approval issued by the Department of State.

4.1. Public Domain Data and Software
Unfortunately, the definition of "public domain" under the ITAR is far more restrictive than its counterpart in the EAR. [FN29] For example, you cannot simply "post" data or software on an Internet site and give it away, thereby rendering such data or software in the "public domain". In order to qualify as being in the public domain, your data or software must be available to the public through one of the following means:

(1) Through sales at newsstands and bookstores;
(2) Through subscriptions which are available without restriction to any individual who desires to obtain or purchase the published information;
(3) Through second class mailing privileges granted by the U.S. Government;
(4) At libraries open to the public or from which the public can obtain documents;
(5) Through patents available at any patent office;
(6) Through unlimited distribution at a conference, meeting, seminar, trade show or exhibition, generally accessible to the public, in the United States;
(7) Through public release (i.e., unlimited distribution) in any form (e.g., not necessarily in published form) after approval by the cognizant U.S. government department or agency; or
(8) Through fundamental research in science and engineering at accredited institutions of higher learning in the U.S., where the resulting information is ordinarily published and shared broadly in the scientific community.

This narrow definition of public domain can cause some odd results. For example, the Data Encryption Standard ("DES") algorithm has been published by the U.S. Government in the U.S. Federal Register and by others in many textbooks which are available in libraries and bookstores. However, software which implements the DES standard is not in the public domain, and may not be exported without an export license issued by the State Department!

4.2. Exemptions to License Requirements
Whereas 99% of dual-use data and software controlled by the Commerce Department are exported under License Exceptions, the corresponding "exemptions" available under the ITAR are much more limited. [FN30] Virtually all ITAR-controlled data and software which does not fall within the definition of public domain requires an export license prior to export to all destinations (except Canada).

4.3. Applying for and Obtaining Export Licenses
Whereas the Commerce Department has a single form used to apply for export licenses, the State Department offers multiple licensing options. Most frequently, you will use either Form DSP-5 (for a permanent export) or Form DSP-73 (for a temporary export).
[FN31] However, certain transactions require you to submit a draft contract, styled as a Technical Assistance Agreement, Manufacturing License Agreement, Distribution Agreement or Distribution Arrangement, which must be approved by the State Department and executed by the parties prior to export. [FN32] Thus, the real art in ITAR licensing resides in (1) choosing the most appropriate type of export license for your proposed transaction, (2) carefully managing the inter-agency review process in order to ensure that the approval is granted in a timely fashion, and (3) structuring the transaction so that it can be approved subject only to limitations, provisos and other conditions imposed by the State Department which will not frustrate the intentions of the parties.

All export license applications are reviewed by the State Department's Office of Defense Trade Controls. A majority of applications also are reviewed by the State Department's Office of Arms Transfer and Export Controls, by other regional and functional bureaus of the State Department, and by the Department of Defense. Typical processing time can vary considerably, from several days to many months, depending on the number of entities at the State and Defense Departments involved in the review of a particular application and other factors. Some cases also require Congressional notification, which can further delay the processing of an application. The lengthy review process, and the fact that limitations, provisos and other conditions may be imposed on the proposed transfer, make ITAR licensing hard work, indeed!

The good news is that exporters may utilize the Internet to actually effect any export which has been approved by the State Department. The ITAR does not restrict the exporter to utilizing any specific means of transferring data or software for which an export license has been issued by the State Department.

5. Export Licensing Under the Embargo Regimes

The embargo regimes are administered by the Treasury Department's Office of Foreign Assets Control. Much smaller than the Commerce or State Department bureaucracies which administer export controls on dual-use and munitions data and software and license a fairly predictable annual volume of trade, the Treasury Department must react to world events which are unpredictable and fast-breaking. In responding to world crises, the Treasury Department works closely with the State Department, and less closely with other federal agencies.

Each of the embargo regimes contains export licensing requirements which are similar to those under the EAR and ITAR. Each contains provisions defining data and software which are in the public domain, provides for exports without prior written approval under so-called General Licenses (the equivalent of License Exception under the EAR and exemptions under the ITAR), and sets forth requirements for obtaining export licenses. Because definitions and requirements vary from regime to regime, and are encountered infrequently in Internet commerce, they will not be discussed in detail in this White Paper.

6. Practical Tips for Compliance with U.S. Export Controls

Following are some practical suggestions for complying with United States export control laws, regulations and requirements which govern Internet commerce.

6.1. Keeping Current

The EAR, ITAR and embargo regulations are amended on average every second business day by publication of rules and orders in the Federal Register. These new rules and orders are effective as of the date of publication. Hence, it is not sufficient simply to review the printed regulations. Access to on-line same-day updates, either through the Government Printing Office's web site (GPO) or one of the many commercial providers of government publications, is essential to informed compliance.

6.2. Benchmarking Best Industry Practices

In many cases, there are no definitive "answers" available from the Government, because an issue is too contentious or there is no time to seek an opinion. Conformance to best industry practices is a useful fallback, when a definitive "yes" or "no" is not available. This is highlighted in the case of the open issues, discussed below.

7. Open Issues

7.1. What Constitutes an "Export" via the Internet?

At first blush, "what constitutes an 'export' via the Internet?" appears to be an existential question worthy of debate only by those who participate in more obscure groups on the Usenet. However, it is an important question for purposes of U.S. export control laws and regulations. Does an export occur when data or software is posted on a server in the United States? Or, when that data or software is downloaded by a party outside of the United States?

During the investigation of Phil Zimmermann for illegally exporting PGP via the Internet, federal officials formulated a theory that PGP had been exported at the time it was posted on the Internet, when it became (theoretically) beyond the power of the Customs Service to conduct a detention, search and seizure. Of course, this begs the questions, where had the software been exported, by whom, to whom, and for what purpose?

On the other hand, suppose that data or software has been exported only when a person outside of the United States has connected with a host computer in the United States and actually downloaded the bits. How can the export control laws realistically regulate such conduct?

Companies engaged in Internet commerce should seriously consider the possibility that the government will attempt to assert the theory developed in the Zimmermann case. Thus, the question becomes, what due diligence is required prior to posting data or software on the Internet in order to prevent it from falling into the "wrong" hands?

7.2. What Due Diligence is Required for Internet Commerce?

It seems reasonably clear that you must exercise the same due diligence before exporting data or software via electronic mail that you must exercise before exporting data via fax or software recorded on media via snailmail. You know the recipient of your e-mail, and you must ensure that the recipient is authorized to receive the data or software in compliance with the EAR or ITAR.

In Internet commerce, however, we frequently encounter electronic downloads by anonymous persons in unknown countries. What due diligence is required in order to legally export data or software to them? No one has suggested that there is a completely secure means of preventing unauthorized access to data and software posted on the Internet for viewing and downloading. Moreover, neither the EAR nor the ITAR specifies that companies or individuals must take any specific affirmative actions to ensure that their data and software are not downloaded by unauthorized persons.

At the end of the day, every effort to ensure that data and software are not exported via the Internet contrary to U.S. export control laws can be reduced to some form of a trust model. Various companies and individuals may make it more (or less) difficult to defeat the systems in place to monitor export control compliance, but no system is completely secure. Unless and until the Government mandates that individuals and companies engaged in Internet commerce must meet a prescribed standard of due diligence, the recommended course of action is to benchmark the best industry practices, periodically, and adopt those safeguards which are reasonably widespread.

For example, Netscape requires persons who download Netscape Navigator from the company's web site to represent and warrant that they are not prohibited end-users, engaged in prohibited activities or located in embargoed countries prior to downloading the dual-use version of its web browser.
This appears to be representative of the standard industry practice, where a product is eligible for export under a License Exception under the EAR.

On the other hand, where a product requires an export license under the ITAR because it is on the U.S. Munitions List, considerably more rigorous due diligence seems to be the standard practice. For example, the MIT web site which includes PGP software requires persons wishing to download the encryption software to complete a questionnaire confirming that they are American citizens located in the United States before they are given a password to, and location of, the file which contains PGP. The password and location are changed from time to time, as well. Variations on this practice can be found at industry web sites, too. As the "best" practices evolve, over time, the standard of care expected of participants in Internet commerce will, too.

8. Closing Comments

Although none of the U.S. export control laws and regulations currently require that companies implement a formal export control compliance program, most large companies (and many small companies, as well) have such a program in place. A good export control compliance program not only reduces the risk of an inadvertent violation, but equally importantly allows companies to take advantage of liberalizations which are promulgated from time to time. The existence of a formal export control compliance program also may be viewed by the enforcement agencies as a mitigating factor, in the event of a compliance investigation.

It is generally desirable to draw from different departments of a company in order to fashion a useful export control compliance program, because U.S. export controls affect virtually all aspects of a company's international operations.
Although the program may be formally organized under the legal or finance department, it probably should include representatives from engineering, marketing and other departments with responsibility for a company's product development, sales and support.

The United States and its allies have imposed comprehensive export controls continuously since the beginning of the Cold War. However, during the past half century, the international political environment has changed dramatically. Modern technology seems to be advancing at an accelerating pace. Meanwhile, the multilateral agreements between and among the United States and its allies, and the implementing U.S. laws and regulations have changed slowly, and cautiously. New technologies, like the Internet, present a continuing challenge to governments seeking to impose export controls for national security and foreign policy purposes, and to companies which must comply in order to realize the benefits of Internet commerce.

FOOTNOTES

1. United States v. Edler Industries, 579 F.2d 516 (9th Cir. 1978).

Auerbach, Stuart, Pentagon Loses Round in Export Controls Fight Reagan Opposes Bid To Boost Defense Role, The Washington Post, July 21, 1994.
Bamford, James, and Madsen, W., The Puzzle Palace, Second Edition, Penguin Books, 1995.
Bulkeley, William M., Cipher Probe: Popularity Overseas of Encryption Code Has the U.S. Worried -- Grand Jury Ponders if Creator 'Exported' the Program Through the Internet -- 'Genie is Out of the Bottle', The Wall Street Journal, April 28, 1994, p.A1.
Bulkeley, William M., Cryptographer Is Told by U.S. that Case is Over, The Wall Street Journal, January 12, 1996, p.B2.
Corcoran, Elizabeth, Scrambling for a Policy on Encryption Exports; As Technology Advances, U.S. and Industry Seek Compromise That Balances Public, Private Fears, The Washington Post, February 25, 1996, p.H1.
Corcoran, Elizabeth, U.S. Closes Investigation In Computer Privacy Case; Export of Encryption Program Was at Issue, The Washington Post, January 12, 1996, p.A11.
Davis, Bob, Clipper Chip Is Your Friend, NSA Contends, The Wall Street Journal, March 22, 1994, p.B1.
Levy, Steven, Battle of the Clipper chip, New York Times Magazine, June 12, 1994, §6 at 1.
Lewis, Peter H., Software author focus of U.S. inquiry, New York Times, April 10, 1995, p.D4.
Lewis, Peter H., Technology: On the Net, New York Times, September 11, 1995, p.D4.
Lewis, Peter H., Suit Over Restrictions on Encryption Software Clears Early Hurdle, New York Times, April 18, 1996, p.D7.
Liebman, John R. and Root, William A., United States Export Controls. (3rd ed. 1993)
Lo, Wei, A Pathfinder to U.S. export control laws and regulations. William S. Hein & Co., Buffalo, N.Y., 1994.
Markoff, John, Wrestling over the key to the codes, New York Times, May 9, 1993, §3, at 1.
Markoff, John, Industry to set its own data security code, New York Times, July 13, 1993, p.D3.
Markoff, John, Shift expected on computer exports, New York Times, August 27, 1993, p.D4.
McCoy, Charles, Visionary or Cyberspace Cadet: John Perry Barlow, the high priest of high tech, Has some harsh words for network-hungry corporations, The Wall Street Journal, November 14, 1994, p.R20.
Metcalfe, Bob, Free Markets for Telecom: Clipper Chip Won't Stop Internet Pirates, The Wall Street Journal, March 22, 1994, p.A14.
Pearl, Daniel, Encryption-Software Plan Presented Using 'Keys' Held by Escrow Agents, The Wall Street Journal, August 18, 1995, p.A3.
Ramirez, Anthony, Move gains to liberalize U.S. high-tech exports, New York Times, September 21, 1993, p.D1.
Rubinstein, Ira S., Export Controls On Encryption Software, Practising Law Institute, Commercial Law and Practice Course Handbook Series, 733 PLI/Comm 401, December 1995.
Sandberg, Jared, New Proposals On Encryption Get Tepid Response, The Wall Street Journal, February 26, 1996, p.B4.
Schneier, Bruce, Applied Cryptography, Second Edition, John Wiley & Sons, Inc., New York, 1996.
Schrage, Michael, Code Blues: Why the Clipper Chip Plan Is Having Unintended Effects, The Washington Post, April 15, 1994, p.B3.
Schwartz, John, Bill Would Ease Curbs on Encoding Software Exports, The Washington Post, November 23, 1993, p.C1.
Schwartz, John, Privacy Program: An On-Line Weapon?; Inventor May Face Indictment for Encryption Software Sent Abroad, The Washington Post, April 3, 1995, p.A1.
Shimomura, Tsutomu with Markoff, John, TAKEDOWN, The Pursuit and Capture of Kevin Mitnick, America's Most Wanted Computer Outlaw - By the Man Who did It, Hyperion, New York, NY, 1996. |
|