Privacy Law and Policy Reporter
Cryptography is a key element of an effective electronic commerce infrastructure. Prior to the March 1996 federal election the Liberal/National Coalition stated in its online services policy that:
Encryption technology is essential to electronic commerce. Transactions will not be initiated unless people are confident that personal and financial information is protected from unauthorised interception. Heavy-handed attempts to ban strong encryption techniques will compromise commercial security, discouraging online service industries (particularly in the financial sector) from adopting Australia as a domicile. This would result in a substantial economic loss to the country.
The most significant regulation in Australia of strong encryption techniques is by means of export controls.In this article I briefly examine the background to those controls and discuss whether they effectively prohibit making cryptographic software available for download from an Internet site based in Australia.
Shortly after the Coalition was elected to government, Australia, along with approximately 30 other countries, became a party to the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies. ‘Dual-Use’ goods are those that may be used for both military and civilian purposes. By Article III(1) of the Arrangement, participating states agree to control all items set forth in the List of Dual-Use Goods and Technologies set out at Appendix 5 to the Arrangement, with the objective of preventing unauthorised transfers or retransfers (ie. exports and/or imports) of those items. Category 5 Part 2 of the List of Dual-Use Goods concerns ‘Information Security’. It specifies various items, including software, designed or modified to use cryptography to ensure information security. There are some narrow exceptions to the specified items, including access control equipment, such as automatic teller machines, using cryptography to protect passwords and cryptographic equipment specially designed and limited for use in machines for banking or money transactions.
Section 112 of the Customs Act 1901 (Cth) enables the making of regulations prohibiting the export of goods either absolutely or without having first obtained an export licence. Regulation 13E(2) of the Customs (Prohibited Exports) Regulations is as follows:
The exportation from Australia of goods specified in the defence and strategic goods list is prohibited unless:
(a) a licence in writing to export such of those goods as are specified in the licence has been granted by the Minister for Defence Industry, Science and Personnel or by an authorised person, and the licence is produced to a Collector ...
The ‘defence and strategic goods list’ is a document formulated by the Minister for Defence contained in the publication entitled ‘Australian Controls on the Export of Defence and Strategic Goods’ dated November 1996 as amended from time to time. Items 5A2, 5B2, 5C2, 5D2 and 5E2 (concerning information security, including items using cryptography) have been directly copied from Category 5 Part 2 of the Wassenaar Arrangement’s Dual Use List.
Both the regulation making power and reg 13E are clearly expressed so as to apply to ‘goods’. That term is not defined in the regulation but in the Customs Act, ‘goods’ is defined to ‘include (a) ships and aircraft; and (b) all kinds of movable personal property’.
For these export controls to prevent a person in Australia making encryption software available for download:
(a) software must fall within the definition of ‘goods’; and
(b) a transmission from server in Australia to a person outside Australia must constitute an ‘exportation’.
Can cryptographic software be regarded as ‘goods’? Because the definition of goods in the Customs Act is inclusive, it is necessary to consider whether software made available for download is ‘movable personal property’ or may otherwise be considered to be ‘goods’ according to the ordinary meaning of that term.
In Vickers v Young Customs officers had seized $8,000 in banknotes and $15,000 standing to the credit of Mr Vickers’ bank account under a power to seize certain ‘goods’. Mr Vickers challenged the seizure decision. Morling J held that in the context of the Customs Act, the ordinary meaning of ‘goods’ was a reference to tangible things that are physically movable. Hence, the banknotes were ‘goods’. However, the bank credit could only be considered to be ‘goods’ if it was ‘movable personal property’. Morling J explained how the categorisation of property as either movable or immovable is a feature of the private international law of succession. His Honour held that it was ‘inappropriate to treat intangible things ... as ‘movables’ for any purpose other than the conflict of laws.’ The decision to seize the bank credit was set aside. On this basis, it is unlikely that software made available for download (clearly an intangible) would be found to be ‘goods’ for the purposes of the Customs Act.
To support this argument it is appropriate to refer to two decisions that discuss whether the licensing of software constitutes a supply of goods for the purposes of sale of goods legislation. Toby Constructions Products Pty Ltd v Computa Bar (Sales) Pty Ltd, concerned the supply of hardware and ‘off the shelf’ software as a package. The relevant statutes also defined ‘goods’ inclusively. Rogers J concluded that a sale of a computer system, comprising both hardware and software, did constitute a sale of goods within the meaning of the relevant legislation. He went on to comment that it was debatable whether the mere licensing of software (without the supply of any tangible products) also constituted a sale of goods. St Albans City and District Council v International Computers Limited was a decision by the English Court of Appeal. ICL had licensed (defective) software to the Council to assist the Council to collect the ‘community charge’ (better known as the poll tax). ICL installed the software on the Council’s computer system and did not supply any tangible products. Sir Iain Glidewell was of the opinion that the mere licensing of software (such as would be involved in making software available for download) was not a supply of ‘goods’ within the relevant statutory definition. This view is likely to be influential when the matter comes to be decided in Australia.
On the basis of these cases, there are strong arguments to support the proposition that software licensed by itself (ie. without the concurrent supply of a storage device such as a disk or CD-ROM) should not be regarded as ‘goods’ for the purposes of the Customs Act. If this is correct, those parts of the defence and strategic goods list that refer to software per se are ultra vires and of no effect.
Is the transmission of files to a person outside Australia an ‘exportation’? Neither ‘export’ nor ‘exportation’ is defined in the Customs Act. Part VI of the Customs Act, which is concerned with regulating the exportation of goods, is drafted on the assumption that all goods will be exported from Australia by loading them on ships or aircraft. This is consistent with Morling J’s decision that ‘goods’ as used in the Customs Act refers to tangible things. In Wesley-Smith v Balzary, a case involving charges under the Customs Act of exporting prohibited goods (firearms), it was held that for the purposes of this offence ‘export’ means ‘knowingly to take goods out of Australia with the intention of landing them at some place out of Australia and actually landing them there or trans-shipping them so that they eventually land there.’ It is clear from the judgment that this meaning was derived from a definition appearing in the Oxford Dictionary, namely that ‘export’ means ‘to send out commodities of any kind from one country to another’.
It is interesting that US export controls specifically address the issue of network distribution. The definition of ‘export’ relevant to encryption software in the US Export Administration Regulations includes ‘downloading, or causing the downloading of, such software to locations ... outside the United States, over [various communication facilities], including transfers from electronic bulletin boards, Internet file transfer protocol and World Wide Web sites ...’. It appears that this definition was included because of uncertainty as to whether electronic transmission would constitute ‘export’.The question of whether electronic transmission across national boundaries constituted an ‘importation’ was considered by the Canadian Sub-committee on Copyright on the Information Highway. The Sub-committee was of the view that no ‘importation’ occurred in such a case because the original material remained outside Canada, which was not the case with respect to importation of tangible things.
Arguably the most valuable thing received by a person who downloads software is the right to use it (usually, a copyright licence). However, as Gummow J pointed out in Australian Trade Commission v Film Funding & Management Pty Ltd, ‘a person who pays money for use and enjoyment outside Australia of rights which arise under Australian law is not paying for rights which are only protected in Australia.’ Copyright is territorial in nature, with each party to the Berne Convention protecting works created in other jurisdictions as if they had been created under the party’s local laws. Accordingly, in the context of a trans-national licence agreement, the licensee is being granted rights that arise under the laws of the foreign country. This feature also makes it difficult to characterise the electronic transmission of a ‘click-wrapped’ copy of a computer program to a person outside Australia as an ‘exportation’.
Given the penal nature of the prohibition and the matters referred to above, it is possible that a court would conclude, on a strict interpretation, that no ‘exportation’ takes place. However, it would be very difficult to defend a prosecution solely on this basis.
Cryptographers in the US have regularly resorted to litigation to attempt to have the export restrictions that apply to encryption software judicially invalidated. In the US first amendment arguments may result in a finding that Congress does not have the power to restrict exports of encryption software in some forms. However, the prospects of a similar result in Australia are negligible since our ‘freedom of speech’ only protects ‘political’ speech. Nevertheless, based on the present state of the Customs Act, there are strong grounds to suggest that Australian cryptographers would prevail in a test case if they were to make software containing strong encryption available for download from an Australian server.
Patrick Gunning, Solictor, Mallesons Stephens Jaques, Sydney.
A shorter version of this article appeared in the Internet Law Bulletin (1998) Volume 1 No 2 — General Editor.