University of New South WalesFaculty of Law - Information Technology Law

C y b e r s p a c e - l a w

Distributing encryption software by the Internet: loopholes in Australian export controls

Patrick Gunning

Solicitor, Mallesons Stephen Jaques, Sydney

January 1998

Disclaimer: Personal opinions only. Discussion of the law is in general terms only; please seek legal advice so that your individual circumstances may be taken into account before relying on any part of this article.

  • Introduction
  • The Wassenaar Arrangement
  • Australia's export controls
  • The issues
  • Can cryptographic software be regarded as "goods"?
  • Is the transmission of files to a person outside Australia an "exportation"?
  • Conclusion
  • Introduction

    Cryptography is a key element of an effective electronic commerce infrastructure. Prior to the March 1996 federal election the Liberal/National Coalition stated in its online services policy that:[1]]

    "Encryption technology is essential to electronic commerce. Transactions will not be initiated unless people are confident that personal and financial information is protected from unauthorised interception. Heavy-handed attempts to ban strong encryption techniques will compromise commercial security, discouraging online service industries (particularly in the financial sector) from adopting Australia as a domicile. This would result in a substantial economic loss to the country."

    The most significant regulation in Australia of strong encryption techniques is by means of export controls.[2] In this article I briefly examine the background to those controls and discuss whether they effectively prohibit making cryptographic software available for download from an Internet site based in Australia.

    The Wassenaar Arrangement

    Shortly after the Coalition was elected to government, Australia, along with approximately 30 other countries, became a party to the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies.[3]] "Dual-Use" goods are those that may be used for both military and civilian purposes. By Article III (1) of the Arrangement, participating states agree to control all items set forth in the List of Dual-Use Goods and Technologies set out at Appendix 5 to the Arrangement, with the objective of preventing unauthorised transfers or retransfers (ie. exports and/or imports) of those items.[4]] Category 5 Part 2 of the List of Dual-Use Goods concerns "Information Security". It specifies various items, including software, designed or modified to use cryptography to ensure information security. There are some narrow exceptions to the specified items, including access control equipment, such as automatic teller machines, using cryptography to protect passwords and cryptographic equipment specially designed and limited for use in machines for banking or money transactions.

    Australia's export controls

    Section 112 of the Customs Act 1901 (Cth) enables the making of regulations prohibiting the export of goods either absolutely or without having first obtained an export licence. Regulation 13E(2) of the Customs (Prohibited Exports) Regulations is as follows:

    "The exportation from Australia of goods specified in the defence and strategic goods list is prohibited unless: (a) a licence in writing to export such of those goods as are specified in the licence has been granted by the Minister for Defence Industry, Science and Personnel or by an authorised person, and the licence is produced to a Collector ..."

    The "defence and strategic goods list" is a document formulated by the Minister for Defence contained in the publication entitled "Australian Controls on the Export of Defence and Strategic Goods" dated November 1996 as amended from time to time.[5]] Items 5A2, 5B2, 5C2, 5D2 and 5E2 (concerning information security, including items using cryptography) have been directly copied from Category 5 Part 2 of the Wassenaar Arrangement's Dual Use List.

    Both the regulation making power and regulation 13E are clearly expressed so as to apply to "goods". That term is not defined in the regulation but in the Customs Act, "goods" is defined to "include (a) ships and aircraft; and (b) all kinds of movable personal property".

    The issues

    For these export controls to prevent a person in Australia making encryption software available for download:

    Can cryptographic software be regarded as "goods"?

    Because the definition of goods in the Customs Act is inclusive, it is necessary to consider whether software made available for download is "movable personal property" or may otherwise be considered to be "goods" according to the ordinary meaning of that term.

    In Vickers v Young[6] Customs officers had seized $8,000 in banknotes and $15,000 standing to the credit of Mr Vickers' bank account under a power to seize certain "goods". Mr Vickers challenged the seizure decision. Morling J held that in the context of the Customs Act, the ordinary meaning of "goods" was a reference to tangible things that are physically movable.[7] Hence, the banknotes were "goods". However, the bank credit could only be considered to be "goods" if it was "movable personal property". Morling J explained how the categorisation of property as either movable or immovable is a feature of the private international law of succession.[8] His Honour held that it was "inappropriate to treat intangible things ... as `movables' for any purpose other than the conflict of laws."[9] The decision to seize the bank credit was set aside. On this basis, it is unlikely that software made available for download (clearly an intangible) would be found to be "goods" for the purposes of the Customs Act.

    To support this argument it is appropriate to refer to two decisions that discuss whether the licensing of software constitutes a supply of goods for the purposes of sale of goods legislation. Toby Constructions Products Pty Ltd v Computa Bar (Sales) Pty Ltd,10 concerned the supply of hardware and "off the shelf" software as a package. The relevant statutes also defined "goods" inclusively. Rogers J concluded that a sale of a computer system, comprising both hardware and software, did constitute a sale of goods within the meaning of the relevant legislation.[11] He went on to comment that it was debatable whether the mere licensing of software (without the supply of any tangible products) also constituted a sale of goods. St Albans City and District Council v International Computers Limited[12] was a decision by the English Court of Appeal. ICL had licensed (defective) software to the Council to assist the Council to collect the "community charge" (better known as the poll tax). ICL installed the software on the Council's computer system and did not supply any tangible products. Sir Iain Glidewell was of the opinion that the mere licensing of software (such as would be involved in making software available for download) was not a supply of "goods" within the relevant statutory definition.[13] This view is likely to be influential when the matter comes to be decided in Australia.

    On the basis of these cases, there are strong arguments to support the proposition that software licensed by itself (ie. without the concurrent supply of a storage device such as a disk or CD-ROM) should not be regarded as "goods" for the purposes of the Customs Act. If this is correct, those parts of the defence and strategic goods list that refer to software per se are ultra vires and of no effect.

    Is the transmission of files to a person outside Australia an "exportation"?

    Neither "export" nor "exportation" is defined in the Customs Act. Part VI of the Customs Act, which is concerned with regulating the exportation of goods, is drafted on the assumption that all goods will be exported from Australia by loading them on ships or aircraft.[14] This is consistent with Morling J's decision that "goods" as used in the Customs Act refers to tangible things. In Wesley-Smith v Balzary,15 a case involving charges under the Customs Act of exporting prohibited goods (firearms), it was held that for the purposes of this offence "export" means "knowingly to take goods out of Australia with the intention of landing them at some place out of Australia and actually landing them there or trans-shipping them so that they eventually land there."[16] It is clear from the judgment that this meaning was derived from a definition appearing in the Oxford Dictionary, namely that "export" means "to send out commodities of any kind from one country to another".

    It is interesting that US export controls specifically address the issue of network distribution. The definition of "export" relevant to encryption software in the US Export Administration Regulations[17] includes "downloading, or causing the downloading of, such software to locations ... outside the United States, over [various communication facilities], including transfers from electronic bulletin boards, Internet file transfer protocol and World Wide Web sites ..." It appears that this definition was included because of uncertainty as to whether electronic transmission would constitute "export".[18] The question of whether electronic transmission across national boundaries constituted an "importation" was considered by the Canadian Sub-committee on Copyright on the Information Highway. The Sub-committee was of the view that no "importation" occurred in such a case because the original material remained outside Canada, which was not the case with respect to importation of tangible things.[19]

    Arguably the most valuable thing received by a person who downloads software is the right to use it (usually, a copyright licence). However, as Gummow J pointed out in Australian Trade Commission v Film Funding & Management Pty Ltd, "[a] person who pays money for use and enjoyment outside Australia of rights which arise under Australian law is not paying for rights which are only protected in Australia."[20] Copyright is territorial in nature, with each party to the Berne Convention protecting works created in other jurisdictions as if they had been created under the party's local laws. Accordingly, in the context of a trans-national licence agreement, the licensee is being granted rights that arise under the laws of the foreign country. This feature also makes it difficult to characterise the electronic transmission of a "click-wrapped" copy of a computer program to a person outside Australia as an "exportation".

    Given the penal nature of the prohibition and the matters referred to above, it is possible that a court would conclude, on a strict interpretation, that no "exportation" takes place. However, it would be very difficult to defend a prosecution solely on this basis.


    Cryptographers in the USA have regularly resorted to litigation to attempt to have the export restrictions that apply to encryption software judicially invalidated.[21]]] In the USA first amendment arguments may result in a finding that Congress does not have the power to restrict exports of encryption software in some forms. However, the prospects of a similar result in Australia are negligible since our "freedom of speech" only protects "political" speech. Nevertheless, based on the present state of the Customs Act, there are strong grounds to suggest that Australian cryptographers would prevail in a test case if they were to make software containing strong encryption available for download from an Australian server.

    [1] See "Personal privacy and commercial security" at .

    [2] Note that some have argued that the amendments to the Telecommunications Act 1997 (Cth) contained in the Telecommunications Legislation Amendment Act 1997 (Cth) may require carriage service providers, where possible, to decrypt communications when served with an interception warrant: see Greg Taylor "Legitimate interception or total overkill?" (1998) 1 INTLB 11 at 12-13. The legislation requires carriage service providers to ensure that communications passing over their networks may be listened to or recorded without the knowledge of the persons making the communications pursuant to an interception warrant: ss. 319, 320(2) and 324. However, it is difficult to see how this places an obligation on carriage service providers to decrypt any encrypted communications. It has never been thought that carriers had an obligation to translate conversations taking place in languages other than English when co-operating with an interception warrant.

    [3] The treaty was signed in July 1996. For its text see . For a brief background to the Arrangement and further references see Bert-Jaap Koops, "A Survey of Cryptography Laws and Regulations" (1996) 12 CLSR 349.

    [4] A copy of the Dual Use List obtained from the government of the USA under Freedom of Information laws is at .

    [5] The list is available online at .

    [6] (1982) 65 FLR 260.

    [7] (1982) 65 FLR 260 at 275.

    [8] It appears that the movable/immovable distinction is more commonly used in civil law systems: see Thiel v Federal Commissioner of Taxation (1988) 21 FCR 122 at 131. For discussion of the concept of movable and immovable property in the context of the private international law of succession see Haque v Haque (No 2) (1965) 114 CLR 98. It has been held that rights to an Australian patent were `movables' for the purposes of the private international law of succession: In re Usines de Melle and Firmin Boinot's Patent (1954) 91 CLR 42 at 48.

    [9] (1982) 65 FLR 260 at 276.

    10 [1983] 2 NSWLR 48

    [11] [1983] 2 NSWLR 48 at 54

    [12] [1996] 4 All ER 481.

    [13] [1996] 4 All ER 481 at 493.

    [14] See particularly Part VI Division 2 "Entry and clearance of goods for export"

    15 (1977) 14 ALR 681.

    [16] (1977) 14 ALR 681 at 688.

    [17]15 CFR SS 734.2(b)(9)(ii).

    [18] See discussion of the report by the National Research Council in Bernstein v US Department of State 945 F.Supp 1279 at 1294 (1996)

    [19] See RG Howell "Canada" in Association Littéraire et Artistique International, Copyright in cyberspace, Copyright and the Global Information Infrastructure (Otto Cramwinckel, 1997) at pp. 282-283. Note that the author (RG Howell) disagrees with the Sub-committee's view, arguing that something has entered Canada and that it is irrelevant that the original copy remains outside Canada.

    [20] (1989) 24 FCR 595 at 608.

    [21] There are three principal cases, each of which was commenced prior to 30 December 1996 when the regulatory basis of the export controls on encryption software changed from the International Traffic in Arms Regulations (ITAR) (administered by the State Department) to the Export Administration Regulations (EAR) (administered by the Commerce Department). Conflicting decisions were handed down in 1996 in respect of the ITAR prohibitions: see Bernstein v US Department of State 922 F.Supp 1426 (1996), 945 F.Supp 1279 (1996) and Karn v US Department of State 925 F.Supp 1 (1996), 107 F.3d 923 (1997). The complaints in these cases were re-pleaded following the introduction of the EAR restrictions. On 25 August 1997 the EAR restrictions were held invalid by Patel J in the US District Court (N.D. Ca.) - see decision at . This case is presently on appeal to the Ninth Circuit Court of Appeals. The third case is Junger v Daley (no decision prior to the 30 December 1996 regulatory change). The supplemental and amended complaint in Junger filed on 2 September 1997 is at . In addition to these three cases, Philip Zimmerman was famously investigated in relation to the posting of Pretty Good Privacy to USENET.