EARN DOCUMENT

Title: Link to Eastern Europe and PRC
Author(s): Various
Committee: Executive
Document: EXEC22 90 EARN-MIN LISTSERV@UKACRL
Revision: 0
Supersedes:
Status: Information
Maintainer:
Access: Unrestricted

-----------------------------------------------------------------------

Corporation for Research and Educational Networking

Memorandum

To: CREN Board of Trustees
From: Ira Fuchs, President
Date: January 23, 1990
Re: Link to Eastern Europe and PRC

We have received the enclosed letter from the Commerce Dept. I am referring this letter to legal counsel for an opinion but my reading of the document is that it permits Eastern European Countries and the People's Republic of China to connect. If legal counsel supports this view, I will request an immediate resolution instructing me to notify EARN and Educom that we will entertain applications from Eastern Europe and the PRC for connection to the network and will process them according to existing membership guidelines. I will instruct Educom to acquire the appropriate EAR guidelines and promulgate them to our members via the network.

From: William L. Clements, Director, Office of Technology and Policy Analysis, United States Department of Commerce, Bureau of Export Administration, Washington D.C. 20230

Mr James B Conklin Jr
Director
BITNET Network Information Centre
EDUCOM
1112 16th Street NW
Washington DC 20036

Dear Mr Conklin

This is in further response to your request for an advisory opinion regarding any applicable US Export Administration Regulations (EAR) that govern your proposal to provide BITNET access to the Soviet Union.

We understand that BITNET is an electronic communications network that links computers at more than 480 universities, colleges, collaborating research centres and some industrial-sector members in the United States. Moreover, BITNET forms a single logical network with NetNorth (Canada) and EARN (Western Europe) and this combined network serves over 1,300 members.
The purpose of BITNET (along with EARN and NetNorth) is to permit users to share information (eg files and messages) via electronic mail. You indicate further that the BITNET network does not and will not allow a user to log onto another computer on the network. The BITNET guidelines preclude use of the network for commercial traffic. Industrial-sector members 'are not supposed to use BITNET to communicate with other industrial-sector members except in support of academic activity sponsored by an academic BITNET member'. We presume that academic members may also not use the network for commercial traffic.

The Office of Technology and Policy Analysis has already provided guidance on the possible physical export of certain commodities to the Soviet Union. However, you have called to inform us there will be no physical exports or re-exports from the United States by BITNET of hardware for the network or for the gateway to connect the proposed members in the Soviet Union. Rather, the Soviets will import necessary equipment from third countries or the United States through their normal procurement channels. There probably will be no software exported or re-exported from the United States by BITNET to establish the network gateway for the Soviet Union. However, you wish further discussion of the rules as they apply to technical data and software to be exported and re-exported over the network once it is established.

Prohibitions Against the Export of Technical Data and Software

In the absence of a validated or general license, the EAR prohibits exports or re-exports from the United States of computers, switches, software and technical data. The term technical data is broadly defined to include virtually all know-how. In addition, the regulations apply to exports in any form, including electronic transmission in the United States or abroad. These regulations apply to both individuals and institutions.
As we have indicated to you in our prior correspondence, wide area networks exported to the Soviet Union require an individual validated license. If such validated licenses are issued for exports from the United States of items that will enable the consignee to build a network or establish a gateway for a network, then the EAR does not prohibit or require permission to establish or use such a network so long as prohibited exports are not made over the network. Moreover, the EAR does not require permission to establish a network gateway with wholly foreign origin commodities, software and technical data.

However, I must underscore that this letter does not constitute permission or authority for BITNET or any BITNET member or user to export from the United States technical data or software over the BITNET system. Rather, each individual and each institutional member using BITNET for international transmissions is responsible for compliance with the EAR just as they are responsible for compliance with the EAR when making exports in any other fashion. Moreover, this letter should not be taken as an indication of whether third parties will be granted export licenses by the Department of Commerce for exports of commodities or software necessary to establish the gateway to the Soviet Union.

Responsibility of BITNET

The scope of responsibility of BITNET for the violations of the EAR by its members using the network is a question you have raised in meetings with our staff. You have explained that BITNET does not monitor traffic on the network. It is a non-secure network. However, BITNET does adopt usage limitations, and members find it in their self-interest to report violations of those rules to BITNET management. It is our understanding that if members see lines busy with commercial messages, they have an incentive to report that violation of your usage rules to BITNET management.
Under the EAR, BITNET may not participate in any activity with actual knowledge or reason to know a member is about to use the network to export technical data or software unlawfully. Therefore, there is a level of care required of BITNET. The regulations do not require BITNET to initiate monitoring. In this respect, BITNET has taken the position that it is similar to a telephone common carrier, which is not responsible for the illegal export of technical data over its lines by a subscriber, so long as that happens without the knowledge or reason to know of the common carrier.

In our opinion, BITNET has a closer relationship to its members than a telephone carrier has with its subscribers. This is because BITNET management is elected by the membership, BITNET sets network use guidelines, and at least on occasion, BITNET learns of violations of its own usage limitations from its members. For these reasons, BITNET has more opportunity to learn of the export activities of its members than does a telephone common carrier. In exercising its appropriate duty of care under the EAR, BITNET must take into account information provided to it by members in the normal course of BITNET's business.

As noted below, BITNET is also different from the telephone common carrier to the extent that BITNET maintains its own data services or databases. BITNET itself is the exporter of such data if BITNET employees place the data on the network in a manner that renders it available to foreign users of the network.

In our meetings, BITNET has indicated an interest in informing its members of the scope of the export controls imposed by the EAR. When you first inquired of OTPA in person, we were preparing a revision of General License GTDA, which has since been issued in final form on 3 October 1989.
That general license is especially significant for members of the academic community because it clarifies the authority to export certain fundamental research and publicly available information to any destination, including the Soviet Union.

General License GTDA: Fundamental Research, Publicly Available Information and Educational Information

We welcome the interest of BITNET in publishing the new General License GTDA on the network for your members. A copy is attached for your convenience. That rule includes several specific examples intended to illustrate the scope of the general license. A complete discussion of General License GTDA is beyond the scope of this letter. However, a few comments about GTDA are in order.

General License GTDA authorises the export of information arising during or resulting from fundamental research. Under General License GTDA, 'fundamental research' is defined to be:

(B)asic and applied research in science and engineering, where the resulting information is ordinarily published and shared broadly within the scientific community. Such research can be distinguished from proprietary research and from industrial development, design, production, and product utilisation, the results of which ordinarily are restricted for proprietary reasons or specific national security reasons as defined ....... Section 779.3(c).

General License GTDA also authorises the export of information that is publicly available and educational information. Publicly available information includes, among other items, information generally accessible to the interested public in any form including:

1. Publication in periodicals and books,
2. Availability in libraries open to the public, or
3. Release at open conferences, meetings, etc.

Educational information includes information:

(R)eleased by instruction in catalog courses and associated teaching laboratories of academic institutions. Section 779.3(d).
If information qualifies for General License GTDA under any category, the general license remains available even though not exported in the same form. For example, information taught in a catalog course at one university may be exported by a means other than release to foreign nationals in a classroom. In addition, the information may be exported by a party other than the first instructor or institution to teach the material in the classroom. It is also important to note that the publication of a patent in a government office accessible to the public makes the disclosed information 'publicly available' within the meaning of this general license. (Of course, patented information is not in the public domain for purposes of intellectual property protection.)

BITNET Data Services

Your letter refers to user access to BITNET servers and data services. You have informed us by telephone that such information is not proprietary and is published electronically without restriction on distribution and without charge by the author or generator. For information and software placed on the network by BITNET officers and employees, BITNET is the exporter and is responsible for the proper general or validated license for its export. However, such information likely qualifies for General License GTDA. The questions and answers provided by the new rule should give you parameters of General License GTDA as it applies to such data. If you remain uncertain as to whether such data is publicly available or otherwise qualifies for General License GTDA, you may provide us with specific descriptions of the data and information surrounding its availability. We will then provide you with a formal classification as to general license eligibility.

However, you have also told our staff that in the future, BITNET may add proprietary databases that will not qualify for General License GTDA. If BITNET becomes the provider of such information in the future, BITNET will be the exporter.
If you enter this area of distribution, BITNET will require classification of the technical data before you can determine the application of the EAR. You will also require more information concerning the EAR than we can provide in this letter. The know-how may or may not require a validated export license to all destinations. It may or may not require written assurances against re-export of the technical data to the Soviet Bloc, the PRC and the boycotted countries of North Korea, Vietnam, Cambodia, Cuba and Libya.

Exports of Software

Certain software requires a validated license for export to the Soviet Union. If your members or users export software by file transfer over the network, they must establish or obtain the appropriate general license or validated license. A few forms of software, such as semiconductor design software and software for numerical controlled machine tools, require a validated license to all destinations. Several other types of software are COCOM embargoed for the Soviet Union; and they may be exported to Free World destinations only after the exporter first receives from his consignee written assurances that the software will not be re-exported to the Warsaw Pact, the PRC and Country Groups S and Z (North Korea, Vietnam, Cambodia, Cuba and Libya).

The scope of this letter will not permit a complete description of every aspect of software controls under the EAR. However, we understand you intend to publish this letter on the network; and that will give BITNET users notice that the export of software requires an appreciation of the EAR.

Remote Computing and Diversion in Place

You have indicated that the network does not enable a user to log onto a remote computer and use the computing capabilities of that remote computer.
Rather, the BITNET system only permits the remote party to compel the transfer of a file on a remote computer, when that file has been placed in the network by a user who knows that it will then be exported to a foreign user.

If the network permitted remote computing by foreign users, that would raise questions for Commerce. For foreign computers, we have long applied a theory we refer to as diversion in place. For example, if a computer is exported to western country 'A' for use in that country, then the stated end-use for the export is breached or violated if a user in eastern country 'B' enters that computer via modem and telephone line in a manner that enables him to use the computing power of the computer. He is doing indirectly that which has not been authorised directly, ie use of such a computer in country 'B'.

For supercomputer installations outside the United States and Japan, there are security safeguard plans in effect. While this may be more relevant for EARN, BITNET should also be aware of the basic prohibitions.

1. Both direct and remote computational access by COCOM-proscribed nationals or work done on their behalf.
2. Transfer of technical data or software derived from the use of the supercomputer which relate to COCOM-controlled items.

I trust that this letter will answer your request regarding BITNET access to the Soviet Union and other destinations. If you have any more specific questions, please contact either Dan Cook at 377-4188 or Larry Christensen at 377-5305.

Sincerely,
William E Clements
Director
Office of Technology and Policy Analysis

From: Ira Fuchs
To: Frode Griesen

The following was just received from our attorney, Ed Bergman. After Board members have a chance to read this, I would like to propose that we

1. promulgate the GTDA regulations (as recommended by Bergman) to the membership (best method(s) of distribution to be determined);
2. that we begin immediately accepting membership applications from East European nations;
3. that I notify EARN of this decision and that CREN has no objection to their connecting East European members subject to the existing membership and usage rules as amended by the GTDA regulations.

To: Ira Fuchs, President, CREN Board of Trustees
Date: February 7, 1990
From: Edward J. Bergman, Esquire, CREN Corporate Counsel
Re: Link to Eastern Europe and PRC

OPINION MEMORANDUM

This memorandum is in response to your request for an opinion of counsel regarding network connection by entities within Eastern European Countries and The People's Republic of China.

Following review of the United States Department of Commerce, Bureau of Export Administration, letter to Jim Conklin, dated 18 January 1990, hereafter "The Commerce Letter" (Exhibit A); The Export Regulation Act, USCA, Title 50, Appendix, Sections 2401 et seq; the General License GTDA, 15 CFR Part 779, Federal Register Vol. 54, No. 190, October 3, 1989, (Exhibit B); and telephone conferences with the Department of Commerce, we offer the following review and evaluation:

Broadly speaking, the General License GTDA permits the exportation of non-proprietary information consisting of three principal categories:

1) Publicly available information
2) Fundamental research
3) Educational information

We will refrain from restating or paraphrasing the General License GTDA which is, instead, attached as Exhibit "A" hereto. The salient common characteristic of the aforementioned categories is the lack of proprietary restrictions upon access to the information in question. Thus "fundamental" research generates information which is "ordinarily published and shared broadly within the scientific community," and "educational information" comprehends information released "by instruction in catalog courses and associated teaching laboratories of academic institutions." "Publicly available information" constitutes the broadest category comprehended within the General License GTDA and is well defined in Sec 779.3(b).
Narrower categories are covered by Sec 779.3(e), (f) and (g).

The information carried over the network will almost universally qualify for the licensing protection of the GTDA unless and until CREN decides to add proprietary data bases at some future time. CREN member guidelines already prohibit use of the network for "commercial traffic". Presently, CREN does not disseminate or export technical data as an entity since CREN does not undertake activities other than internal organisation, policy making and membership related matters through its Board of Trustees and its prime contractor, EDUCOM. The members, not CREN, are the prospective exporters within this format.

Logically, and in accordance with The Commerce letter, the foregoing structure determines that CREN's principal, if not sole responsibility, is communication to the membership of applicable statutes and regulations governing restrictions on exportation of information. CREN is thus encouraged to transmit or publish the General License GTDA over the network.

Perhaps the most troublesome and elusive aspect of The Commerce letter deals with its elaboration of "BITNET" responsibilities. "BITNET" is burdened by a "level of care" commensurate with its organisational structure in which members elect "management", "use guidelines" are established, and Trustees or the prime contractor could, at times, learn of the content of transmitted information. That "level of care", however, appears limited to reportage of prospective member violations which are known or should be known by "BITNET" to be forthcoming.

The Commerce Letter evinces confusion about what or who "BITNET" is, ie the members, the Board, and/or the prime contractor. It mistakenly refers to "BITNET employees." Conferences with the Department of Commerce reveal that the problem lies in a lack of actual guidelines or regulations on the duty of care issue. This paucity of data is not likely to be remedied.
In practice, should a Trustee or a representative of the prime contractor know of a prospective violation or have reason to know of a prospective violation, and fail to prevent or report same, CREN could be prosecuted for said violation. If a member knows of a prospective violation or has reason to know of a prospective violation by another member and fails to report same, the passive but aware member would almost certainly not be prosecuted unless it received a benefit from the violation, either pecuniary or in the sense, for example, that it was a collaborator in wrongfully disseminated research data. Without some connection between the members regarding the improperly disseminated information, prosecution of the non-reporting, but aware member, would apparently be deemed too remote. No regulation or stated opinion of the Department of Commerce imposes a duty on CREN to actively monitor network transmission.

Sanctions for violations of the Export Regulations Act and regulations promulgated thereunder are covered by Section 2410 of the Act. Three categories of sanctions exist. Ordinary violations which are not wilful are punished by fines of "not more than five times the value of the exports involved or 50,000.00, whichever is greater, or imprisoned not more than 5 years, or both." (Corporations cannot be imprisoned and, assuming we do not have a violation by an individual acting outside the scope of his corporate duties, it is almost inconceivable that incarceration would be an issue). Wilful violations involve somewhat more complex sub-categories but, in the worst instance, expose the corporate offender to fines up to five times the value of the exports involved or 1,000,000.00, and the individual violator to fines up to 250,000.00 or imprisonment for up to 10 years, or both. Civil penalties are also authorised up to 10,000.00 for each violation along with potential suspension or revocation of authority to export.
In conclusion, counsel recommends that the proposed connection of entities within Eastern European Countries and The People's Republic of China to the network proceed via entertainment of such applications for processing according to existing membership guidelines. It is further recommended that the General License GTDA, Section 2410 of the Export Regulation Act, the Commerce Letter and the Memorandum Opinion of Counsel be disseminated to the membership over the network. All interested parties should be aware that a conservative approach mandates that any questions or grey areas be the subject of inquiries addressed to counsel.

From: Ira Fuchs
Date: February 12, 1990
To: Frode Griesen

The following appeared in the current issue of Science magazine (v.247, p520):

BITNET Headed for New Frontiers

Researchers in Eastern Europe should soon be able to collaborate with the colleagues in the West using a computer network. The US Department of Commerce last week informed CREN - The Corporation for Research and Educational Networking - that it had no specific objections to making the BITNET computer network available to research institutions in eastern European countries.

BITNET has become an increasingly popular way for scientists to communicate with one another. BITNET founder Ira Fuchs says the political changes in Eastern Europe convinced him that the time was right to seek permission for those countries to join the network. "We have been trying to push Commerce to give us an answer", says Fuchs, who is now president and CEO of CREN. "I figured if ever there was a time to make this happen, this was it."

Fuchs says BITNET or its counterpart, the European Academic Research Network (EARN) has received applications from the Soviet Union, Czechoslovakia, Hungary, Poland, and Bulgaria to establish network sites. He hopes that it will also be possible to extend services to China. Yugoslavia already has a BITNET site.
The Commerce Department has been concerned that electronic mail could make it easier for someone to send prohibited exports to countries not part of a Western alliance known as COCOM. "From an export control perspective we'd probably prefer they didn't do this", says Dan Cook of the Commerce Department's export administration. But if someone wanted to use BITNET for espionage, he says, "it's nothing they couldn't do by putting something in an envelope and putting postage on it. It's not how you communicate but what you communicate that we control."

Fuchs says CREN will probably help promulgate export control rules so there won't be any accidental slip-ups. CREN officials were worried that they would be required to scrutinise network messages in search of violators. "Obviously as an organisation we don't want to be held liable if somebody goofs", says Fuchs.

CREN's lawyer is studying a seven-page legal opinion from Commerce Department lawyers advising them on how they can proceed. If there are no problems, CREN should start evaluating applications from Eastern countries within weeks. "This has been something we've been working on for a long time", says Fuchs. "I made it my New Year's resolution that it had to happen in 1990."