ITAR/real law, copyright

[Greg Broiles]

Sorry for the rushed character of this note - am working on another project
which is eating up my available time. I just wanted to respond because I
think Tim and Marshall are talking about different ends of the same process.

At 03:37 PM 10/16/96 -0800, Tim May wrote:
>At 10:56 AM -0700 10/16/96, Marshall Clow wrote:
>>A) This is not a change in the law. There is no law regarding export of
>>encryption software.
>>Congress has never passed any such law. These are State Department
>>regulations, and presidential decrees. These regulations, which have the
>>force of law to you and me, were never debated or voted upon by our
>>elected representatives. They can be changed tomorrow the same way. In
>>fact, they can be changed and the public need not even be notified.
>
>Actually, as Greg Broiles pointed out in an article (on the Cypherpunks
>list) several weeks ago, Congress deliberately chooses to delegate much
>regulatory authority to other agencies.

As I understand the export-license process, there are multiple steps:

1. Commodity jurisdiction request: State Dept decides if ITAR controls the
export of the item (e.g., is it a "defense article" or a "defense service"
or "technical data", and not public domain, etc.)? 

2. If ITAR does control the export, the State Dept decides (based on the
characteristics of the item and the identity/location of the foreign
recipient and the opinion(s) of other agencies consulted) whether or not to
allow the export. 

The fact that these steps must be taken (and the general procedure for
doing so) is a product of the Arms Export Control Act (passed by Congress,
at 22 USC 2778 and thereabouts) and the ITARs (22 CFR 120 et seq),
administrative regulations promulgated by the Dept of State. (To change the
ITARs themselves, State Dept must publish notice of the proposed changes
and solicit public comments, as well as make the final regs public in the
CFRs and via the Federal Register). So the ITARs are "real laws", at least
as real as any others.

But the process by which these steps (deciding what will be a "munition",
deciding whether or not a particular item is within one of those defined as
munitions, deciding whether or not to allow an export) are taken involves
policy choices whose motives and processes are not entirely clear, and
which can be (and are) changed by the executive branch without notice or
opportunity to comment. What I'm thinking of here are the rules like
"40-bit RC4 is OK" and "3DES is never OK" and "56-bit DES with GAK is OK"
and "disk bad, OCR text OK" which we're discovering through trial & error
but are not, to my knowledge, part of the ITARs or elsewhere in the CFR or
the USC. Also, Dept of State's decisions about individual exports and items
are not subject to judicial review, by 22 USC 2778(h), an interpretation
which is being challenged in the appeal in _Karn_. Interested readers might
take a look at the district court's opinion in _Karn_ at
<http://venable.com/oracle/oracle7.htm> and Stewart Baker's analysis of it
at  <http://www.us.net/~steptoe/summary.htm>.

I think my understanding of the ITAR process is mediocre at best, I
certainly welcome correction or clarification, although Jim Bell's
predictable and wholly incorrect assertion that administrative regs only
apply to government employees would be funny but for the fact that I know
ordinary people (not government employees) who have been convicted of
violating federal admin regs and the fines they paid (or are still paying),
jail time spent, etc were all too real. My summary of admin law is
deliberately vague because frankly admin law isn't my strong suit. Perhaps
another list member with a superior understanding will fill in the gaps in
my summaries. 

Also, Sean Sutherland wrote to ask (re the SPA's position on copyright
liability):

>I'm curious, do the Contributory Infringment 
>and the Vicarious Liability for Infringment By Another Person claims have
any 
>legal basis, or are they just the inane rantings they appear to be?

I sent a long message to the list a few days ago (Sunday?) discussing
contributory infringement. The short version of the message is "Yes,
contributory infringement is valid, but not necessarily in this particular
case". And ditto for vicarious liability, although I think vicarious
liability isn't even plausibly arguable. They are neither novel nor
especially remarkable facets of copyright law, although as Sean notes they
do not have explicit textual support in the Copyright act. Vicarious
liability is an extension of the legal doctrine of "respondeat superior",
e.g., an employer/principal is liable for the actions of an employee/agent
for actions taken within the scope of employment/agency. Contributory
infringement is an extension of the principles of enterprise liability,
where (very generally) people who undertake a common purpose/project will
share liability, even where only one party directly caused the actual harm.
_Sony v. Universal City Studios_ 464 US 417, 435 (1984). Nimmer on
Copyright 12.04[A] notes that it's possible to read 17 USC 106's grant of
the exclusive right to "authorize" the exercise of the other exclusive
rights as excluding the authorization of infringement by third parties
(making the illicit authorizer a direct infringer). But that reading seems
awfully technical, and Nimmer cites no cases which rely on it (and later
describes it as "overly facile").

In any event, yes, vicarious liability and contributory infringement are
viable theories of recovery, but neither seems especially promising.

Matt Ghio wrote and asked if a direct infringement must exist before a
third party can be held liable for infringement. Nimmer (a relatively
authoritative treatise on copyright) argues that it should not be possible
to have third party liability without a direct infringement, with a
reference to cases I haven't had time to look at yet. (at 12.04[A][3][a],
if anyone's fortunate enough to have a copy of Nimmer at hand) 

--
Greg Broiles                |  "We pretend to be their friends,
gbroiles at netbox.com         |   but they fuck with our heads."
http://www.io.com/~gbroiles |
                            |