Export Control

Like it or not, simply electing to share more rights (rather than fewer) under copyright and patent law doesn’t exempt you from other national laws.

Export control. There, I’ve said
the two nasty, little words that upset many folks who are
interested in free and open source software.

I decided to write this article because of a recent
communication (certainly not the first that I have received) from
an individual in a country that is embargoed by the United States,
telling me that any end user license agreement for free and open
source software that contains an export control provision is not
free and open source. While I understand his perspective, his
position — that is, you cannot apply a free and open source
software license to software that is subject to export control
— would, in effect, kill much of the distribution (and
consequently, the development) of free and open source software in
much of the world.

Here’s why.

Free and open source licenses are, for the most part, about
sharing rights provided by copyright. The licenses aim to share the
rights to copy, modify, and distribute software with other parties.
Occasionally, such licenses also share rights arising under

Whether you view such licenses as unilateral permissions or
contracts, the agreements are private — that is, you are
permitted to enter into arrangements in any form you choose with
another party. However, there is at least one significant condition
that applies to all such arrangements: such arrangements
aren’t legal if they otherwise violate law.

Let me give you an example from real property law. Assume that I
own some land, and I am willing to give another person the right to
enter on that land and share its use. There is absolutely nothing
wrong with that, if that is what I want to do.

However, my grantee’s right to use the property is still
subject to all other government regulations that limit the use of
the property. For example, my grantee’s use must still
conform to the Clean Water Act over the use
of wetlands. The grantee’s use must also conform to zoning
laws, and must conform to environmental laws. My grantee
isn’t exempt from such laws simply because he or she
doesn’t own the property and are using it only with my
permission. Likewise, I have no right, absent government approval,
to grant permission to violate standing laws and codes.

When one produces and distributes software, whether in the
United States or in another national jurisdiction, that activity is
still subject to the national laws in which that person carries out
the production and distribution, and remains subject to the
national laws of the importing countries. Simply electing to share
more rights (rather than fewer) under copyright and patent law
doesn’t exempt the party from other national laws.

Many software developers and end-users think that export control
is something unique to the United States. This is simply not the
case. More than forty countries have national laws governing the
export of software containing cryptographic code, including
Australia, Canada, the United Kingdom, France, Germany, Belgium,
China, Argentina, Japan, and Russia, just to name a few. At least
19 countries have national laws governing the import of software
containing cryptographic code, including France, China, Russia,
South Korea, and Israel. Bert-Japp Koops has put together the
Crypto Law Survey of national laws,
available online at "http://rechten.uvt.nl/koops/cryptolaw/" class=

United States export control laws that affect software are
principally administered by the Bureau of Industry and Security
(BIS, although be forewarned that some other U.S. departments and
agencies, including State and Treasury, can sometimes get into the
act). The BIS rules generally apply to software products
incorporating encryption, but there are exceptions. Encryption used
solely for authentication, access control, or digital signatures
are exempt. At the same time, some export control rules restrict
the export of all goods to some countries — the so-called
embargoed countries — regardless of the product.

Interestingly, in the U.S., most of the export controls apply to
binary code. Exports of publicly-available source code are subject
to far fewer restrictions. Perhaps we have Philip Zimmerman to
thank for that, following the publication of his book "i">PGP Source Code and Internals in 1994, where he
published in print form the entire PGP source code. You can read
more about that at "http://www.philzimmermann.com/EN/essays/BookPreface.html" class=

So, do export control laws apply to you? If you’re a free
and open source software developer creating cryptographic code or
incorporating cryptographic code into other software, and
you’re located in one of the 40+ countries regulating the
export of encryption software, and you intend to make such code
available for free download over the Internet, you need to be aware
of the export controls of the country in which you are located. If
you make your source code freely available for download by the
general public, you may have little cause for concern, at least in
the U.S., but that doesn’t mean that no rules apply.

Export control is a highly complex area of law, and the
penalties for violations in the U.S. are quite severe. Prudence is

Comments are closed.