The Internet has affected every aspect of commercial life. One of the most important, though often overlooked, is its impact on applicable U.S. export control laws. Companies today are struggling with a host of questions, among them:

• Do the export control laws apply to e-commerce? Or is e-commerce exempt?
• What types of restrictions apply? Can you go to jail for violating the rules?
• If your e-market exchange arranges an export to Iran, can you defend yourself by claiming that only your computer knew about the transaction?
• If your procurement system matches a seller with a known terrorist, can your shareholders sue the board of directors for failure to have a compliance program?
• How do you comply with the rules when your business model is firmly ensconced in cyberspace?

This column attempts to give some answers.

Do the export control laws apply to e-commerce, or is e-commerce exempt?

e-Commerce is not exempt from U.S. export control laws. I recently asked Amanda DeBusk, the assistant secretary for export enforcement at the Bureau of Export Administration, if anything in the export control laws exempted cyberspace or dot-coms. She answered: "You are accountable, and there are no cybernetic-based exemptions. So all of the obligations that you would normally have for looking at the 'denied persons' list and the 'entities' list for screening purposes would apply in this environment just as it would in any other environment." The "denied persons" and "entities" lists are two of the U.S. government's blacklists. As discussed below, it is illegal to deal with any parties on these lists.

I then asked about e-mail addresses of parties placing orders or asking to be matched with other parties. If such an e-mail address contains the country code of an embargoed country, could that signal a potential problem under the Export Administration regulations? "Yes," DeBusk responded. "If you get something with an e-mail address in Iraq on it, that clearly is a red flag. You need to be on the lookout for situations like these."

What types of restrictions apply?

Export control officials are responsible for ensuring that no U.S. business fosters the development of nuclear weapons, chemical and biological weapons, conventional weapons, or missiles that could be used by potential enemies of the United States. The export control laws are intended to reduce international terrorism, support other U.S. foreign policy initiatives, and implement U.S. embargoes on trade with countries such as Iraq, Iran, Libya, Sudan, Serbia, and Cuba. In addition, thousands of corporations and individuals are blacklisted by the U.S. government in support of these programs.

There are three types of license requirements that serve to control the export of goods.

The first is based upon the nature of the item (commodity, software, technology, or technical data). Licenses are required for exports of certain products to certain countries. Such products are specified on lists published by the Commerce Department, the State Department, the Department of Energy, and the Nuclear Regulatory Commission. These are known as the list-based controls.

The second type is based upon the item's end-use. For certain countries, no U.S.-origin export can be used for nuclear, missile, chemical, or biological weapons manufacturing. For example, a U.S.-made refrigerator cannot be used to store toxic weapons under development in India or Pakistan.

The third type of license requirement is driven by the end-user. The U.S. departments of Treasury, Commerce, and State all have blacklisted thousands of companies and individuals. It is a per se violation to deal with these entities in any way regardless of the technology being used and regardless of whether or not you are the actual exporter. It's important to stress that dealing with these parties is a violation whether or not you know that the government has blacklisted them.

The export control rules also apply to re-exports of U.S.-origin items from one foreign country to another, to certain foreign-made items incorporating U.S. content, and to certain foreign-made items produced with controlled U.S. technical data. "Export" is usually defined to include release or disclosure of information in the United States to foreign nationals and access abroad to a computer server in the United States. For munitions, it is illegal to match parties even if all of the parties are abroad and are dealing only in foreign-origin goods.

Can you go to jail for violating these rules?

The short answer is yes. Criminal standards require proof of willful intent. The government has met this standard of proof on a number of occasions. In 1998, for example, 13 corporate officials were indicted for trade violations. More recently, the government indicted a vice president of a major U.S. corporation who was in charge of the company's operations in China.

Individuals go to jail, of course, not corporations. For corporations, the most serious penalty is denial of export privileges. In 1998, 29 corporations were denied export privileges. This means they cannot export anything at all and cannot in any way benefit from exports. In addition, third parties are prohibited from dealing abroad in the items of a denied corporation. For an Internet company with a global footprint, such a penalty would probably mean the end of the business.

If your e-market exchange arranges an export to an embargoed country like Iran—or if it arranges financing, forwarding, or carriage of such an export—can you defend yourself by claiming that only your computer servers knew about the transaction?

No. If you program your computers in a way that ignores country codes and snail mail addresses in embargoed countries, this is viewed as a knowing violation. There is no defense that "only the computer knew." For example, assume that your Web site takes orders for software. If your servers take an order from Iran, a country embargoed by the United States, and they fill that order by downloading software to the e-mail address with an Iranian country code, that is a violation. You have violated the rules even if no one in the organization was aware in advance that the computer filled an order to Iran. Arguably, the people who programmed the computers in this way also have committed the violation.

If your procurement system matches a seller with a listed terrorist such as Osama Bin Ladin, can your shareholders sue the board of directors for failure to have a compliance program?

Yes. The Delaware courts have interpreted standard corporate law as requiring a compliance program that addresses those regulations affecting the corporation's businesses. If the corporation utterly fails to establish such a compliance program—and if it incurs legal fees, administrative fines, and criminal fines—then the stockholders may sue each member of the board of directors personally to recover those costs. It is not a good career move to put the board of directors at risk for such liability.

How do you comply with the rules when your business model is in cyberspace?

Customers and trading partners expect service at Internet speed. Designers of commercial Web sites know that users quickly become disenchanted with a site that requires them to click their mouse more than they feel is absolutely necessary. Similarly, each compliance-related click of the mouse takes time and diminishes the attractiveness of your business on the Internet. For that reason, as a practical matter, you have to run the trade rules in an automated mode if buyers are downloading software or technology, or if you hope to conduct compliance at a reasonable speed with accuracy and audit trails.

Automation is essential for examining e-mail addresses closely to avoid dealing with parties in embargoed countries. The government will not permit you to knowingly deal with a party whose e-mail address indicates that it is from an embargoed country.

The export control laws apply to all forms of commerce, including e-commerce. Compliance can be a daunting task. However, good compliance and accurate documentation can make you money. They can speed up border crossings, keep your customers happy, reduce buffer inventory kept in your customers' countries, and lower your carrying charges. In cyberspace, your customers expect an immediate response and a nearly immediate delivery. Doing business at Internet speed means fulfilling export compliance responsibilities at Internet speed as well.