Sep

24

The Firefox in the Win House?

Posted by at 7:55 pm on September 24, 2009
Category: BISIran SanctionsOFAC

firefox_iranLast week an obviously confused reporter at internetnews.com reported what he thought were the details of a letter from the Bureau of Industry and Security (“BIS”) received by Mozilla, the open-source project responsible for Firefox, Thunderbird and other Internet applications, relating to downloads of the program by computer users in Iran. The article seemed to suggest that Mozilla had filed a voluntary disclosure with BIS that it had allowed downloads of its open-source encryption source code by Iranians. The article seemed to suggest further that Mozilla had received a letter from BIS stating that this was not a violation.

But that’s not what happened. BIS released yesterday an Advisory Opinion that, although identifying details have been removed, clearly addresses the situation described in the internetnews.com article. And, significantly, the advisory opinion doesn’t address exports of source code but instead addresses export of compiled source code and, specifically, compiled source code including mass market encryption software. Under section 746.7(a)(1) of the Export Administration Regulations (“EAR”) exports of compiled mass market encryption software (or any other compiled encryption software) to Iran would require a BIS license. The Advisory Opinion held that as long as the IP address of the party downloading the software in Iran (or other sanctioned country) was logged by Mozilla’s server but not otherwise used by Mozilla (say, for example, to serve to the user a web page in Farsi), the company did not have sufficient knowledge of an export of encryption software to Iran to be liable under the regulations.

Even though I don’t believe that, as a matter of policy, downloads of web browsers with encryption features ought to be subject to export controls, the reasoning of the Advisory Opinion is, to say the least, a bit odd. It seems fairly well-established that knowledge is not a required to establish a violation of the EAR. Specifically, section 764.2(a), which defines violations of the EAR, doesn’t contain a knowledge requirement, nor does General Prohibition No. 1 which would be the predicate to a violation of section 764.2(a). Perhaps this signals a retreat by BIS from its traditional concept of strict liability for violations of the EAR.

Even so, the final sentence of the Advisory Opinion may nullify, as a practical matter, any significance the opinion may have with respect to software downloads in sanctioned countries:

Please note that this advisory opinion is confined to interpretation of the EAR, and does not address the sanctions regulations implemented by the Office of Foreign Assets Control [“OFAC”]

And, as we all know, other major software companies, such as Google and Microsoft, have prohibited downloads in sanctioned countries due to fears of OFAC penalties.

Permalink

Bookmark and Share

Copyright © 2009 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)

5 Comments:

Clif, thanks for making these points. I didn’t publish anything on this due the significant misinformation in the original article and several subsequent reports.

As you correctly pointed out, the critical aspect here is the last sentence of BIS’s Advisory Opinion that refers to OFAC’s sanctions regimes. Anyone contemplating downloads of software in embargoed countries must also take a close look at the prohibitions on direct or indirect exports of software contained in those regulations (i.e., 31 CFR § 560.204) before authorizing such downloads.

-Doug Jacobson

Comment by Doug Jacobson on September 24th, 2009 @ 8:59 pm

Is BIS (or anyone) aware of the simple fact that IP addresses can be trivially spoofed by anyone through anonymizers (or leased shell accounts) making restrictions based on IP address virtually meaningless?

Comment by jd on September 25th, 2009 @ 5:12 am

While true it can be “spoofed” by making it appear you’re in the US when in reality you’re in Iran, in this case they are talking about IPs originating in Iran, which is not a place likely to be “spoofed” 🙂

Best practice would be to restrict downloads from those IP blocks associated with embargoed countries. It’s trivial. It would not stop somebody using a proxy but would at the very least show that you are attempting to comply with the law.

Comment by Reader on September 25th, 2009 @ 7:02 am

Clif –

I’m pretty sure we don’t have to worry (hope?) that BIS will step back from its strict liability interpretation of the EAR for enforcement purposes! My guess would be that the internal BIS review of the opinion as it was drafted, didn’t note the potential impact of this statement.

Comment by Mike Turner on September 25th, 2009 @ 7:21 am

The strict liability standard was set out in Iran Air v. Kugelman, so it would probably take a deliberate rule change or a published interpretation for BIS to sound a “retreat” that exporters could rely upon. In this case, one would suspect that First Amendment concerns and Berman Amendment concerns require this result with respect to open source software. The exclusion of open source encryption software from the definition of publicly available technology that is not “subject to the EAR” has always raised First Amendment red flags. As the Sixth Circuit found in Junger v. Daley, encryption source code is protected expression, but its functionality merits something less than strict scrutiny. A strict liability standard as applied to downloads available free on the web would probably not pass any of the three prongs of the Central Hudson test. The Bernstein court was even less kind to the government.

Comment by Hillbilly on September 25th, 2009 @ 12:18 pm