At 09:38 AM 7/11/96 -0400, Michael Froomkin wrote:

Here's a fun legal issue that cropped up on the cypherpunks list

Nice try, but no cigar. The problem with all of the "ITAR loophole" ideas is that they only work where the rules are clearly articulated and carefully followed by the administrative agencies. Neither of those exist with the ITAR.. There are no restrictions on the ODTC's ability to interpret the ITAR however they see fit and to change those interpretations as they wish to meet their goal: stopping folks from getting strong crypto easily. The best example of this is the mislabelled "crypto with a hole," in which ODTC interprets the regulations as allowing them to limit software with no cryptography in it at all but only hooks which could allow the insertion of crypto later. The ITAR says that they only regulate "software with the capability of maintaining secrecy" and so on its face would not extend to software which only has hooks for crypto. But this doesn't stop ODTC and there is no mechanism in place to allow anyone else to stop them short of a lawsuit or a change in the law by Congress. So, having said that, here's where I think they could fit in the "piracy" sublicense maneuver: First, entering into the sublicensing agreement could be interpreted as a "defense service." By giving them a license you are "assisting the foreign person" because, presumably, life is easier for them if they have a license. Second, call the sub-license agreement "technical data" since it is related to the crypto. Or, as they did with Zimmermann, they just assume that the company had something to do with the unauthorized export and begin an investigation. If it goes to indictment, better hope you have iron-clad evidence to convince the jury that you had nothing to do with it. If you've gone ahead and sub-licensed afterwards, making money off of the illegal act, I think it would be difficult to convince a jury that you didn't have something to do with it. Gotta write a brief now, Cindy Cohn

A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin@law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's hot here. And humid.

---------- Forwarded message ---------- Date: Thu, 11 Jul 1996 04:06:05 +0000

...

From: Paul Elliott <paul.elliott@hrnowl.lonestar.org> To: cypherpunks mailing list <cypherpunks@toad.com> Subject: Can the inevitability of Software privacy be used to defeat the ITAR?

-----BEGIN PGP SIGNED MESSAGE-----

All software companies who sell (really licence) software must deal with the inevitability of software piracy. It is a brute fact that any usefully product sold in the U.S. will eventually appear as an unauthorized copy for sale abroad. This fact must be recognized in the software companies' business plan.

The question occurs to me "why can not this fact be used to defeat the ITAR?"

What is to prevent a U.S company to licence a foreign company to sublicence and distribute a Crypto product abroad, if that foreign company obtains that product on the pirate market?

I am not a lawyer, but I look at the definition of "export" on page 612 of Applied Cryptography and nothing seems to obviously apply.

The scenario I imagine is this: U.S. company produces a crypto product. To be generally useful, the product supports all languages. (Those CDROMs really do hold a lot of data.) After all, Americans do need to do business with foreigners. The company licences and distributes the product in the U.S. taking special care not to distribute the product to any foreign persons. When inevitability, the product appears in the pirate market outside the U.S., the company makes a contract with a foreign company allowing it to distribute it and sublicence it. The foreign company can get their copy from the pirate market, being authorized to get the copy by the U.S. company. When this deal is cut copies have already been exported and are already being sold by the pirates, against the will of the U.S. company.

In this scenario, the U.S. company had done everything it possibly could to prevent the illegal export of its product. But when its efforts have inevitably failed, it makes money by sublicencing.

When I look at the definition of Export on page 612 of applied cryptography, I see one clause that defines transferring registration as export, but only for aircraft, vessels and satellites.

OK, cypherpunk legal types, there has got to be something wrong with this idea. There are a lot of smart people in the world, so if this idea was good, somebody else would have thought of it before now! But what is specifically is wrong with it? I want to be educated!

- -- Paul Elliott Telephone: 1-713-781-4543 Paul.Elliott@hrnowl.lonestar.org Address: 3987 South Gessner

#224

Houston Texas 77063

-----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: cp850

iQCVAgUBMeR9nvBUQYbUhJh5AQGkYAP/bN0lmkjF6uZ92MmWIqdZwVmLmsiIUg9L XbtYaeawNCMdi2BnkDUu4j/G1rNngFuAmRwABE9UxKOnwjMU5lfmxHev5RP9/CBF 81AnYc1bWeh52EuKJCKu47LMDn9PqfiCIGBwfRehgkZ72gO0+ywIP1fZrkwNNCF+ Md76LqUE5Z4= =k7M5 -----END PGP SIGNATURE-----

************************ Cindy A. Cohn McGlashan & Sarrail, P. C. 177 Bovet Road, 6th Floor San Mateo, CA 94402 (415) 341-2585 (tel) (415)341-1395 (fax) Cindy@McGlashan.com http://www.McGlashan.com