From: Cindy Cohn <Cindy@McGlashan.com>
Date: Sat, 13 Jul 1996 14:51:47 +0800
To: Law &amp; Policy of Computer Communications              <CYBERIA-L@LISTSERV.AOL.COM>
Subject: Re: Can the inevitability of Software privacy be used to defeat the              ITAR? (fwd)
Message-ID: <199607122035.NAA22343@gw.quake.net>
MIME-Version: 1.0
Content-Type: text/plain


At 09:38 AM 7/11/96 -0400, Michael Froomkin wrote:
>Here's a fun legal issue that cropped up on the cypherpunks list

Nice try, but no cigar.  The problem with all of the "ITAR loophole" ideas
is that they only work where the rules are clearly articulated and carefully
followed by the administrative agencies.  Neither of those exist with the
ITAR..  There are no restrictions on the ODTC's ability to interpret the
ITAR however they see fit and to change those interpretations as they wish
to meet their goal: stopping folks from getting strong crypto easily.  

The best example of this is the mislabelled "crypto with a hole,"  in which
ODTC interprets the regulations as allowing them to limit software with no
cryptography in it at all but only hooks which could allow the insertion of
crypto later.  The ITAR says that they only regulate "software with the
capability of maintaining secrecy" and so on its face would not extend to
software which only has hooks for crypto.  But this doesn't stop ODTC and
there is no mechanism in place to allow anyone else to  stop them short of a
lawsuit or a change in the law by Congress.

So, having said that, here's where I think they could fit in the "piracy"
sublicense maneuver:

First, entering into the sublicensing agreement could be interpreted as a
"defense service."  By giving them a license you are "assisting the foreign
person" because, presumably, life is easier for them if they have a license.

Second, call the sub-license agreement "technical data" since it is related
to the crypto.

Or, as they did with Zimmermann, they just assume that the company had
something to do with the unauthorized export and begin an investigation.  If
it goes to indictment, better hope you have iron-clad evidence to convince
the jury that you had nothing to do with it.  If  you've gone ahead and
sub-licensed afterwards, making money off of the illegal act, I think it
would be difficult to convince a jury that you didn't have something to do
with it.  

Gotta write a brief now,

Cindy Cohn


>
>A. Michael Froomkin        | +1 (305) 284-4285; +1 (305) 284-6506 (fax)
>Associate Professor of Law |
>U. Miami School of Law     | froomkin@law.miami.edu
>P.O. Box 248087            | http://www.law.miami.edu/~froomkin
>Coral Gables, FL 33124 USA | It's hot here.  And humid.
>
>---------- Forwarded message ----------
>Date: Thu, 11 Jul 1996 04:06:05 +0000
>>From: Paul Elliott <paul.elliott@hrnowl.lonestar.org>
>To: cypherpunks mailing list <cypherpunks@toad.com>
>Subject: Can the inevitability of Software privacy be used to defeat the ITAR?
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>All software companies who sell (really licence) software
>must deal with the inevitability of software piracy. It
>is a brute fact that any usefully product sold in the U.S.
>will eventually appear as an unauthorized copy for sale
>abroad. This fact must be recognized in the software companies'
>business plan.
>
>The question occurs to me "why can not this fact be used to
>defeat the ITAR?"
>
>What is to prevent a U.S company to licence a foreign company
>to sublicence and distribute a Crypto product abroad, if that
>foreign company obtains that product on the pirate market?
>
>I am not a lawyer, but I look at the definition of "export"
>on page 612 of Applied Cryptography and nothing seems to
>obviously apply.
>
>The scenario I imagine is this: U.S. company produces a crypto
>product. To be generally useful, the product supports all languages.
>(Those CDROMs really do hold a lot of data.)
>After all, Americans do need to do business with foreigners.
>The company licences and distributes the product in the U.S.
>taking special care not to distribute the product to any foreign persons.
>When inevitability, the product appears in the pirate market outside
>the U.S., the company makes a contract with a foreign company
>allowing it to distribute it and sublicence it. The foreign company
>can get their copy from the pirate market, being authorized to get
>the copy by the U.S. company. When this deal is cut copies
>have already been exported and are already being sold by the
>pirates, against the will of the U.S. company.
>
>In this scenario, the U.S. company had done everything
>it possibly could to prevent the illegal export of its product. But
>when its efforts have inevitably failed, it makes money by
>sublicencing.
>
>When I look at the definition of Export on page 612 of applied
>cryptography, I see one clause that defines transferring registration
>as export, but only for aircraft, vessels and satellites.
>
>OK, cypherpunk legal types, there has got to be something wrong
>with this idea. There are a lot of smart people in the world,
>so if this idea was good, somebody else would have thought of
>it before now! But what is specifically is wrong with it?
>I want to be educated!
>
>- --
>Paul Elliott                                  Telephone: 1-713-781-4543
>Paul.Elliott@hrnowl.lonestar.org              Address:   3987 South Gessner
#224
>                                              Houston Texas 77063
>
>-----BEGIN PGP SIGNATURE-----
>Version: 2.6.3
>Charset: cp850
>
>iQCVAgUBMeR9nvBUQYbUhJh5AQGkYAP/bN0lmkjF6uZ92MmWIqdZwVmLmsiIUg9L
>XbtYaeawNCMdi2BnkDUu4j/G1rNngFuAmRwABE9UxKOnwjMU5lfmxHev5RP9/CBF
>81AnYc1bWeh52EuKJCKu47LMDn9PqfiCIGBwfRehgkZ72gO0+ywIP1fZrkwNNCF+
>Md76LqUE5Z4=
>=k7M5
>-----END PGP SIGNATURE-----
>
>
************************ 
Cindy A. Cohn                                                               
McGlashan & Sarrail, P. C.
177 Bovet Road, 6th Floor                                            
San Mateo, CA  94402
(415) 341-2585 (tel)
(415)341-1395 (fax)
Cindy@McGlashan.com
http://www.McGlashan.com