Last week an obviously confused reporter at internetnews.com reported what he thought were the details of a letter from the Bureau of Industry and Security (“BIS”) received by Mozilla, the open-source project responsible for Firefox, Thunderbird and other Internet applications, relating to downloads of the program by computer users in Iran. The article seemed to suggest that Mozilla had filed a voluntary disclosure with BIS that it had allowed downloads of its open-source encryption source code by Iranians. The article seemed to suggest further that Mozilla had received a letter from BIS stating that this was not a violation.
But that’s not what happened. BIS released yesterday an Advisory Opinion that, although identifying details have been removed, clearly addresses the situation described in the internetnews.com article. And, significantly, the advisory opinion doesn’t address exports of source code but instead addresses export of compiled source code and, specifically, compiled source code including mass market encryption software. Under section 746.7(a)(1) of the Export Administration Regulations (“EAR”) exports of compiled mass market encryption software (or any other compiled encryption software) to Iran would require a BIS license. The Advisory Opinion held that as long as the IP address of the party downloading the software in Iran (or other sanctioned country) was logged by Mozilla’s server but not otherwise used by Mozilla (say, for example, to serve to the user a web page in Farsi), the company did not have sufficient knowledge of an export of encryption software to Iran to be liable under the regulations.
Even though I don’t believe that, as a matter of policy, downloads of web browsers with encryption features ought to be subject to export controls, the reasoning of the Advisory Opinion is, to say the least, a bit odd. It seems fairly well-established that knowledge is not a required to establish a violation of the EAR. Specifically, section 764.2(a), which defines violations of the EAR, doesn’t contain a knowledge requirement, nor does General Prohibition No. 1 which would be the predicate to a violation of section 764.2(a). Perhaps this signals a retreat by BIS from its traditional concept of strict liability for violations of the EAR.
Even so, the final sentence of the Advisory Opinion may nullify, as a practical matter, any significance the opinion may have with respect to software downloads in sanctioned countries:
Please note that this advisory opinion is confined to interpretation of the EAR, and does not address the sanctions regulations implemented by the Office of Foreign Assets Control [“OFAC”]
And, as we all know, other major software companies, such as Google and Microsoft, have prohibited downloads in sanctioned countries due to fears of OFAC penalties.
Copyright © 2009 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)