Sorry for the rushed character of this note - am working on another project which is eating up my available time. I just wanted to respond because I think Tim and Marshall are talking about different ends of the same process. At 03:37 PM 10/16/96 -0800, Tim May wrote:

At 10:56 AM -0700 10/16/96, Marshall Clow wrote:

...

A) This is not a change in the law. There is no law regarding export of encryption software. Congress has never passed any such law. These are State Department regulations, and presidential decrees. These regulations, which have the force of law to you and me, were never debated or voted upon by our elected representatives. They can be changed tomorrow the same way. In fact, they can be changed and the public need not even be notified.

Actually, as Greg Broiles pointed out in an article (on the Cypherpunks list) several weeks ago, Congress deliberately chooses to delegate much regulatory authority to other agencies.

As I understand the export-license process, there are multiple steps: 1. Commodity jurisdiction request: State Dept decides if ITAR controls the export of the item (e.g., is it a "defense article" or a "defense service" or "technical data", and not public domain, etc.)? 2. If ITAR does control the export, the State Dept decides (based on the characteristics of the item and the identity/location of the foreign recipient and the opinion(s) of other agencies consulted) whether or not to allow the export. The fact that these steps must be taken (and the general procedure for doing so) is a product of the Arms Export Control Act (passed by Congress, at 22 USC 2778 and thereabouts) and the ITARs (22 CFR 120 et seq), administrative regulations promulgated by the Dept of State. (To change the ITARs themselves, State Dept must publish notice of the proposed changes and solicit public comments, as well as make the final regs public in the CFRs and via the Federal Register). So the ITARs are "real laws", at least as real as any others. But the process by which these steps (deciding what will be a "munition", deciding whether or not a particular item is within one of those defined as munitions, deciding whether or not to allow an export) are taken involves policy choices whose motives and processes are not entirely clear, and which can be (and are) changed by the executive branch without notice or opportunity to comment. What I'm thinking of here are the rules like "40-bit RC4 is OK" and "3DES is never OK" and "56-bit DES with GAK is OK" and "disk bad, OCR text OK" which we're discovering through trial & error but are not, to my knowledge, part of the ITARs or elsewhere in the CFR or the USC. Also, Dept of State's decisions about individual exports and items are not subject to judicial review, by 22 USC 2778(h), an interpretation which is being challenged in the appeal in _Karn_. Interested readers might take a look at the district court's opinion in _Karn_ at <http://venable.com/oracle/oracle7.htm> and Stewart Baker's analysis of it at <http://www.us.net/~steptoe/summary.htm>. I think my understanding of the ITAR process is mediocre at best, I certainly welcome correction or clarification, although Jim Bell's predictable and wholly incorrect assertion that administrative regs only apply to government employees would be funny but for the fact that I know ordinary people (not government employees) who have been convicted of violating federal admin regs and the fines they paid (or are still paying), jail time spent, etc were all too real. My summary of admin law is deliberately vague because frankly admin law isn't my strong suit. Perhaps another list member with a superior understanding will fill in the gaps in my summaries. Also, Sean Sutherland wrote to ask (re the SPA's position on copyright liability):

I'm curious, do the Contributory Infringment and the Vicarious Liability for Infringment By Another Person claims have any legal basis, or are they just the inane rantings they appear to be?

I sent a long message to the list a few days ago (Sunday?) discussing contributory infringement. The short version of the message is "Yes, contributory infringement is valid, but not necessarily in this particular case". And ditto for vicarious liability, although I think vicarious liability isn't even plausibly arguable. They are neither novel nor especially remarkable facets of copyright law, although as Sean notes they do not have explicit textual support in the Copyright act. Vicarious liability is an extension of the legal doctrine of "respondeat superior", e.g., an employer/principal is liable for the actions of an employee/agent for actions taken within the scope of employment/agency. Contributory infringement is an extension of the principles of enterprise liability, where (very generally) people who undertake a common purpose/project will share liability, even where only one party directly caused the actual harm. _Sony v. Universal City Studios_ 464 US 417, 435 (1984). Nimmer on Copyright 12.04[A] notes that it's possible to read 17 USC 106's grant of the exclusive right to "authorize" the exercise of the other exclusive rights as excluding the authorization of infringement by third parties (making the illicit authorizer a direct infringer). But that reading seems awfully technical, and Nimmer cites no cases which rely on it (and later describes it as "overly facile"). In any event, yes, vicarious liability and contributory infringement are viable theories of recovery, but neither seems especially promising. Matt Ghio wrote and asked if a direct infringement must exist before a third party can be held liable for infringement. Nimmer (a relatively authoritative treatise on copyright) argues that it should not be possible to have third party liability without a direct infringement, with a reference to cases I haven't had time to look at yet. (at 12.04[A][3][a], if anyone's fortunate enough to have a copy of Nimmer at hand) -- Greg Broiles | "We pretend to be their friends, gbroiles@netbox.com | but they fuck with our heads." http://www.io.com/~gbroiles | |