Report Highlights
Impact of the EU Data Protection Directive on Transborder Data Flows, Christopher Millard. Page 47
The EU Data Protection Directive is likely to have a substantial impact on international businesses. Local data protection regimes will be undermined if there are no restrictions on the transfer of personal data to other jurisdictions for processing, storage or use. Almost all non-EU countries have no data protection legislation and must therefore be expected to be in the EU’s ‘inadequate’ category. Even in cases where consents or specific contractual arrangements are an option, it may take a considerable time and significant expense to obtain such consents or introduce revised contracts. Those who leave international data protection compliance to the last minute do so at their peril.
A Commercial View of the OECD Recommendation on Cryptography Policy, Chris Sundt. Page 50
Industry is becoming increasingly dependent on the Global Information Infrastructure for electronic commerce. Users and customers need to trust that infrastructure, and cryptography is a technology that can help build that trust. Unfortunately, cryptography is controlled by governments, and this can inhibit its effective use internationally, undermining that trust.

The OECD has developed Guidelines on Cryptography Policy that provide a framework within which national policies should be defined, creating a consistent environment for international trade. This paper briefly describes why there is a problem that affects business, outlines what governments are currently doing, and summarizes the intent of the OECD Guidelines.
Stop That E-Mail! You are Probably Breaking the Law!, Bill Hancock. Page 58
Because of the international nature of many networks, the opportunity to export technical data which is legally restricted for export from the US is highly probable. This article provides some background on relevant legal issues and other related US regulations that customers must adhere to when exporting any technical data outside the US, or face criminal and civil charges. These controls apply to computer technologies and information about such technologies, as well as other technical ‘data’ issues including biotechnology. In a now famous incident, a computer vendor in 1991 was fined over $8 million for disclosing restricted processor technology to countries not on the ‘V’ list at the Department of Commerce. Copying of certain algorithms (not necessarily cryptographic algorithms; that is another issue) for software or scientific ‘endeavours’ could result in violation of applicable software export laws or national security export laws.
Information Security Technical Report, Vol. 2, No. 1
Information transfer via E-mail, Lotus Notes, fax, telex or other electronic means is subject to the laws involved. Many sites are not properly adhering to US export regulations in the area of technical data and restricted technical science as prescribed by US law.
Encryption Controls are US Government Priority, Robert Bigelow. Page 62
For many years encryption products were considered ‘munitions’ and controlled by the State Department (Foreign Ministry) under the International Traffic in Arms Regulations (ITAR).
Early last October several major technology vendors and user organizations announced formation of an alliance to develop an approach to strong encryption that would meet export controls. “We seriously doubt the new regulations will work, meet computer user demands, or be accepted by the private sector unless the administration radically changes its approach immediately.” The State Department, applying the ITAR, prohibited him from sending this paper or the program out of the country. When he sued, the Department allowed export of the paper which contained the entire source code of the program, but still denied him the right to send it in digital form!
Information Security Technical Report, Vol. 2, No. 1 (1997) 58-61
Stop That E-Mail! You are Probably Breaking the Law! By Bill Hancock, Network-1 Inc.
Software and Technology,
While everyone now knows that exporting cryptography is nearly always a sensitive area from the legal and licensing point of view, this article highlights two other issues which may cause US businesses, and their agents or correspondents, particular difficulties.
Many networked sites, through the use of their telecommunications and datacommunications facilities, regularly transmit technical information to customer facilities throughout the world. In a recent technical security audit of the network facilities used by a customer in the US and UK, it was discovered that there were pressing legal issues that were not being properly addressed by customers which could result in serious fines and, in some cases, misdemeanour and felony charges against the individuals engaging in violations of US law. This article provides some background on relevant legal issues and other related US regulations that customers must adhere to when exporting any technical data outside the US or face criminal and civil charges. These issues apply to any company doing business in the US as well.
Areas of concern

Apart from the well-known difficulties over the whole topic of exports of cryptographic equipment and technologies, both hardware and software, there are two other areas in which users of networks must be concerned:

- Violation of export of technical data according to US law
- Business dealings with ‘denied parties’ according to Dept of Commerce listings and US law

These two areas are discussed below.
Violation of export regulations for technical data

Almost all sites with computers and telecommunications, due to the nature of their business, regularly use advanced computer processing and networking technologies. Further, many times client sites develop specific software algorithms to process highly technical data as well as develop new and unique methods to process and analyse scientific or sensitive technical data which is not only patentable, but also falls under restricted technologies, as defined by the US Department of Commerce. Because of the international nature of many networks, the opportunity to export technical data which is legally restricted in export by the US is highly probable. In the US, public law 96-72 (Sept 29 1979, 93 Stat 503, 50 App) provides three sections of specific interest: 2403 (General Provisions); 2404 (National Security Controls); and 2405 (Foreign Policy Controls). These controls apply to computer technologies and information about such technologies, as well as other technical ‘data’ issues including biotechnology. Further, the law prescribes penalties of up to five times the value of the export or $50 000 (whichever is higher) and not more than five years in jail for minor offences, to as much as individual fines of $1 million and up to 20 years in jail for certain levels of offence.
0167-4048/97/$17.00 © 1997, Elsevier Science Ltd
Since much of the time the network is devoted to the use of computer software, the chances for violation or abuse are very high. (For additional explanation, the reader is also directed to ‘Documents in Computer Law: Software Protection’ by David Bender, Volume I, 1988, s3B.06). The US Department of Commerce, through its Export Counseling Division and also through the US Bureau of Customs, operates a system known as ELVIS (202-482-4811, option 0 on the keypad) which provides information on items which may be exported with and without licensing. In the case of technology and technical data, an export control classification number (ECCN) must be identified for information or technologies which fall under specific areas of export restriction. If no license is required, the data or technology is freely exported. If the information or technology falls into a category identified by the US Export Administration Regulations, then the ECCN for the item in question must be identified to the Dept. of Commerce by the exporter and a license applied for.

The US Export Administration keeps a list of restricted export items in Section 799.1, categories 1 through 5, of its regulations. These regulations prescribe what may not be exported without a license, and what items are never allowed to be exported. This list changes frequently and may be modified by the US Department of Commerce based upon directives by the Executive branch or internal directives in the interest of the US. Items which will be exported, in any manner (electronic or otherwise), must be checked against this list to verify that a license for export is not required.

In a now famous incident, a computer vendor in 1991 was fined over $8 million for disclosing restricted processor technology to countries not on the ‘V’ list at the Department of Commerce. In fact, the information was a data sheet and detailed technical specifications on a new processor, which was sent out on a worldwide E-mail notice to the vendor’s offices and third party customers. This distribution of information was done without an export license to countries which included some on the restricted list of countries, and the vendor was found guilty and fined, with a warning that further violations could result in the shutting down of all international telecommunications links. It has been stated by vendor insiders that this action would have resulted in the filing of Chapter 11 bankruptcy within 30 days of the event, due to the amount of overseas business the vendor participates in. The situation has worried the vendor sufficiently to create a specific office for monitoring export compliance, staffed with many qualified attorneys and technical personnel, to properly export technical data and products and to ensure adherence to the applicable laws. Interestingly enough, several countries which were on the restricted list in 1991 may now, in 1997, freely purchase the restricted technology without major export restrictions.

Discussions over the phone with Department of Commerce employees and a visit on-site with other personnel identified the following potential exposures to the regulations:
- Certain types of biotechnologies are restricted from certain countries, especially countries such as Iraq, Iran and, interestingly enough, Germany (an off-the-record comment made about the restriction involved the use of biochemical technologies in Germany in WWII and the desire not to repeat history). Pharmaceutical and chemical firms already restrict access to certain parts of their compound database facilities by foreign nationals, who are not allowed access to the information in accordance with document 799.1. Further, some of the foreign nationals were in the US during the restrictions, and also worked for the parent company of the US subsidiary, but were still restricted by the export covenants from access to the information in the compound database.

- Copying of certain algorithms (not necessarily cryptographic algorithms - that is another issue) for software or scientific ‘endeavours’ could result in violation of applicable software export laws or national security export laws. Information on cutting-edge technology issues, such as human genome research projects and network switching facilities, carries some very restrictive covenants that may cause problems if a member company takes a customer’s algorithm or software component and, while it is able to use and ‘see’ the component, redistributes the facility to a restricted party.
According to 50 App 2403, the term ‘export’ applies to any method that is physical or electronic. This means that information transfer via E-mail, Lotus Notes, fax, telex or other electronic means is subject to the laws involved. This also applies to any customer’s entity, contractor or other party affiliated with customers.

The author spent over two weeks working with various attorneys, using LEXIS and various online facilities on the Internet, to make any sense out of the regulations provided by the Department of Commerce. The author is certain that qualified legal counsel will find even more worrisome information regarding this issue. While the author is not a qualified counsellor of law, he can read, has worked with the subject in question before and has discussed these topics with qualified counsel. They are of the opinion that the above issues are correct and are, in the statement of one attorney, “the tip of the iceberg”.
The author, therefore, as a technical consultant to customers, cautions network owners and users that in the US, the transfer of specific technical information between the US and any foreign national entity may violate several very serious US laws and could result in fines or jail time for the offenders.
Business dealings with ‘denied parties’ according to Dept. of Commerce Listings and US Law

The US Department of Commerce Bureau of Export Administration regularly publishes a document called “Denial Orders Currently Affecting Export Privileges”, published as Supplements 1 and 2 to Part 788 of the Export Administration Regulations. Section 787.12 of the Export Administration Regulations provides very specific guidelines on what transactions may or may not be conducted with specific companies and individuals in the US and abroad. The list provides names, addresses, dates, privileges allowed or denied and the Federal Register citation regarding the restrictions on the list.
Summary

The author has become very concerned that many sites are not properly adhering to US export regulations in the area of technical data and restricted technical science as prescribed by US law. The author strongly recommends that legal counsel be contacted with the above information, and that procedures and documents be put into place to ensure that violation of any export law is not possible and that lists of restricted entities are properly maintained.
Further Information

US Export Administration Regulations
Subscription $88.00 per year in the US
GPO stock no. 903-020-00000-8
Order from: Superintendent of Documents, US Government Printing Office, Washington, DC 20402, 202-783-3238 (Mon-Fri, 8am-4pm)

US Customs Service
Main number for information: 202-927-6724

Department of Commerce ELVIS service: 202-482-4811

Book: ‘Netlaw: Your Rights in the Online World’ by Lance Rose, Osborne-McGraw Hill, ISBN 0-07-882077-4, $19.95

Export Control Classification Numbers
Bureau of Export Administration, Operations Div, Room 2705, 14th St & Pennsylvania Ave, NW, Washington, DC 20230
Attn: Commerce Classification Requests
Fax: 202-219-9179