Previous Table of Contents Next


Export Control and International Traffic in Arms Regulations (22 CFR, Parts 120 through 128 130)

These regulations are used to control export of anything that could harm the security of the United States. This includes weapons, weapons systems, and cryptography. Vendors seeking to export must secure an export license. The approval process weaves a circuitous route among the Departments of Commerce, Defense, and State. Although the process has been a thorn in the side of U.S. software exporters, it has spawned a specialized consulting niche. This niche has been addressed by a number of independents, most recently by RSA Data Security, in Redwood City, CA. RSA recently announced a new division in the company, which will be headed by a former employee of the NSA, to assist companies in obtaining export licenses. There are also a number of independent consultants, such as Cecil Shure, president of CSI Associates, in Washington, DC, who specialize in exporting.

In fairness, the Clinton administration has been sending a number of signals that it is willing to relax the draconian regulations under certain circumstances. Among these, are the vendor’s willingness to give the government access to key-breaking information when the government asks for it, or as a part of the approval cycle. This is both good news and bad news for vendors. On the positive side, the approval process may, at last, be getting more export friendly. On the negative, non-US customers may not be willing to employ a product knowing that the U.S. government is able to “read their mail.”

LIABILITY ISSUES

Anyone can be named in a lawsuit or charged with a crime. The “who” can be an individual or an organization. Ancillary potential plaintiffs and defendants in Internet matters can include suppliers, customers, government agencies, and trade associations, to name a few possible candidates.

An International Perspective

In an unusually frank spirit of cooperation, the forum for suit was broadened in Europe to allow defamation plaintiffs domiciled in a Brussels Convention country to pursue remedies either where the publication originated or where the harm occurred. The choice of litigation could therefore be based on a greater likelihood of success under that country’s laws or the reputation for plaintiff sympathy. (Plaintiffs choose where to bring actions; defendants merely respond.) Reference for the European Court of Justice is C-68.93 and the U.K. reference is Shevill v. Presse Alliance CA (1992) All ER. The defendant was a French publisher, and the action was brought in the U.K. because the plaintiff felt that the U.K. was a more sympathetic jurisdiction. The court noted that circulation was greater in France than in the U.K., but that was not material to the selection of forums.

A Role in the Events

In general, a party cannot be found liable unless it had some part in the problematic acts. For purposes of the law, the party can just as easily be an organization (government or private) as well as an individual. Of particular interest to the Internet community is the issue of publisher liability. One who creates or edits the “news” is far more likely to be found culpable if there is a liability issue than one who merely distributes or transmits the news.

A New York case, Stratton Oakmont Inc. vs. Prodigy Services Co., No. 31063/94, 1995 WL 323710, 23 Media Law report 1794 (N.Y. Supreme Court 1995), was decided against the on-line service. The facts involved comments posted by an unidentified bulletin board user in October 1994. These comments on “Money Talk” contained allegedly libelous statements about Statton, an investment banking firm. Stratton sued both the poster and Prodigy.

The rationale behind this decision covered a number of relevant points. Prodigy employed moderators for the panels. These “Board Leaders” had a number of responsibilities over the bulletin board. These leaders were charged with enforcing the content guidelines set up by Prodigy (the guidelines themselves were considered another reason why Prodigy had control over content) and could use a special delete function to remove offending material. The court also noted that Prodigy employed software to screen postings for offensive language. Another critical aspect of this case was that the Board Leader of Money Talk was found to be an agent of Prodigy and that agent liability attached.

The opposite ruling (that is, finding that the service provider was not a publisher) was the 1991 case in the Southern District of New York, Cubby Inc. vs. CompuServe Inc., 776 F. Supp. 135 (S.D.N.Y. 1991). In this case, the court felt that CompuServe did not post any guidelines, take any role in controlling content, or promote itself as a family-oriented service, as Prodigy had.

Organizations can be found liable for the actions of their employees or agents under the legal doctrine of respondeat superior. Simply stated, employers can be liable for the acts of their employees acting within the scope of their employment. Therefore, software developers who accidentally unleash a virus or worm, as Morris did, may bring liability upon their employers. In addition, plaintiffs will continue to search for defendants with money. Often employers have more financial wherewithal than their employees and become the targets of legal action.

Some areas of the law look to what management actually knew or should have known given “due diligence” of the reasonable person under similar circumstances. Intentional acts by employees that can or should have been prevented by more direct action by management may also result in liability applying to the organization, even for intentional acts.

Another rule of law, which is that intentional criminal acts are a bar to liability, may also be applied in Internet security cases; however, there are no guarantees. Juries have often gone against facts that appear to be overwhelming and appellate jurisdictions have often labored to reach a decision based on abstract theories of society goodness. The absence of historical precedent makes legal actions by and about the Internet perfectly positioned for inconsistent decisions. Security practitioners who go down this uncharted road do so at their peril.

Product Liability

Anyone in the “stream of commerce” can be included as a party in a product liability matter. Included in the stream of commerce are designers, developers, manufacturers, distributors, representatives, and retailers. An aggressive plaintiff and competent counsel will seek to embroil any potential defendant in litigation. This is especially true if the defendant has significant financial resources or a track record of trying to settle rather than litigate matters. This will undoubtedly be an important aspect of future Internet legal activity.

LIABILITIES AND AVAILABLE REMEDIES

The ultimate purpose of remedies is to put the aggrieved party back into the position that he or she would have been in if the wrongdoer had not acted in the way that he or she did. Remedies can also be used to deter future negative behavior and compensate the plaintiff for wrongs against society committed by the defendant.

Money Damages

A court can award substantial sums of money to the aggrieved parties. Their rationale can be real or imagined. Amounts can be rational or irrational. Experts are often used to “prove up” damages. The role of the expert witness is to clarify facts for the court. As shown in a recent, celebrated criminal trial in Los Angeles, scientific, expert testimony does not necessarily ensure victory for the presenter. In addition to damages as a result of the defendant’s act or failure to act, damages can be awarded based on a “bad intent” on the part of the offender. These punitive damages can often be twice or three times the amount of actual damages.

Injunctions

An injunction is simply a court order prohibiting a party (or parties) from doing a specific action. To get an injunction during the pre-trial phase, plaintiffs have to demonstrate (among other things) that they will suffer irreparable harm if the injunction is not invoked, that the plaintiff is likely to win on the merits of the case (which will result in a permanent court ruling), and that the court will be able to enforce the injunction.


Previous Table of Contents Next

Copyright © CRC Press LLC