Open-source software: Export Uncontrollable

News & Analysis
Open-source software: Export Uncontrollable

Privacy International is currently engaged in a joint project on export controls with the Open Technology Institute and Digitale Gesellschaft. The blog post below was co-written by Edin Omanovic and Tim Maurer and is also available on the OTI blog.

Export controls have something of a bad reputation in technology circles, and not without good reason.

The crypto wars that imposed draconian polices regulating how people could buy, sell and use cryptography stifled the free exchange of ideas, and prevented people from being able to employ encryption techniques and technologies to protect their information and communications. These policies were fought against by PI alongside many others, while OTI continues to push for the free flow of information and export of personal communications technology in countries subject to US sanctions. While the controls were eventually changed to allow for the free flow of cryptography (for the most part), the crypto wars have shaped how many software engineers and open source advocates view export controls.

For those in the arms control world however, export controls can be considered a useful tool in constraining the general inclination of governments and defence manufactures to sell weapons for profit and national interest without being restricted by human rights obligations.

While the crypto-wars as we understood them then may be over, the threat that export controls represent to the development and exchange of free and open source software continues to be a very real concern. This will without doubt be one of the biggest worries among many when it comes to subjecting surveillance systems to export control.

Privacy International, the Open Technology Institute, and Digitale Gesellschaft are acutely aware of the potential negative consequences of excessively broad export controls, but believe that the updating of existing export controls is necessary to protect human rights in the new technological environment. Export controls are not a silver bullet, but one of many important tools that can be usedto limit the sale of surveillance technology around the world. That’s why we are at the forefront of this debate to push for appropriate controls on surveillance technology while fighting to ensure legitimate technologies such as communications tools and security research software are excluded.

Controlling software

What’s important to understand is that the practicality of enforcing export controls plays a key role in determining what is and what isn’t controlled. “The ability to control effectively the export of the goods” is therefore one of the key determinants that decide what items get put within the dual-use control list .

While best practices concerning the need to control the exchange of software were recognized as far back as 2006, there is still an inherent difficulty in controlling open-source and free software.

As a result, open-source and free software is exempt from control under the Wassenaar Arrangement. As the General Software Note within the Wassenaar Dual Use List makes clear, software generally available to the public or in the public domain is not subject to control:

GENERAL SOFTWARE NOTE
The Lists do not control "software" which is any of the following:

1. Generally available to the public by being:
a. Sold from stock at retail selling points without restriction, by means of:

1. Over-the-counter transactions;
2. Mail order transactions;
3. Electronic transactions; or
4. Telephone call transactions; and
b. Designed for installation by the user without further substantial support by the supplier;

Note  Entry 1 of the General Software Note does not release "software" controlled by Category 5 - Part 2 ("Information Security").

2. "In the public domain"; or
3. The minimum necessary "object code" for the installation, operation, maintenance (checking) or repair of those items whose export has been authorised.

Note Entry 3 of the General Software Note does not release "software" controlled by Category 5 - Part 2 ("Information Security").

Here, “in the public domain” is defined as:

"technology" or "software" which has been made available without restrictions upon its further dissemination.

Note Copyright restrictions do not remove "technology" or "software" from being "in the public domain".

The fact that copyright restrictions do not remove technology or software from being in the public domain is important considering that open-source software is distributed under copyright.

Further, there are also exceptions for technology within the General Technology Note:

Controls do not apply to "technology" "in the public domain", to "basic scientific research" or to the minimum necessary information for patent applications.

Technology is defined as:

Specific information necessary for the "development", "production" or "use" of a product. The information takes the form of technical data or technical assistance. (…)
Technical Notes
1. 'Technical data' may take forms such as blueprints, plans, diagrams, 
models, formulae, tables, engineering designs and specifications, manuals and instructions written or recorded on other media or devices such as disk, tape, read-only memories.
2. 'Technical assistance' may take forms such as instruction, skills, training, working knowledge, consulting services. 'Technical assistance' may involve transfer of 'technical data'.

Basic scientific research is defined as:

Experimental or theoretical work undertaken principally to acquire new knowledge of the fundamental principles of phenomena or observable facts, not primarily directed towards a specific practical aim or objective.

Summing up: it is our view that open source software is not subject to control on the basis of the Wassenaar Control List. Controls on cryptography are slightly more problematic as they are explicitly not exempted within the General Software Note if they are generally available to the public or if it is used as part of object code for already-authorised items. Within the specific section on “information security” however, they are released from control if they are made generally available to the public, subject to several other conditions. Cryptographic software that is "in the public domain” is explicitly not caught and is therefore exempt from licensing.

Implementation

What is key to remember is that the Wassenaar Arrangement is an intergovernmental negotiation forum and its practical effects are seen at the national level. As the Free Software Foundation itself has pointed out, while Wassenaar itself appears to exempt free software, this hasn’t in the past stopped individual states trying to control it. It is how the individual states interpret the agreements, how they define the terms, how they actually implement them and what caveats they apply that is all-important.