[Board] Export Controls

Frank Warmerdam warmerdam at pobox.com
Thu Jun 5 08:34:58 PDT 2008


Folks,

I've spent half an hour reviewing the apache export control docs again,
and I thought I would summarize my understanding of them preparatory to our
meeting tomorrow.

I see two major issues.

1) There are some specific US laws related to export of crypto based products,
including anything that calls openssl libraries (anything using curl libraries
for instance for https access).   Basically, as long as the only crypto support
is ultimately via the openssl libraries we just need to issue a per-product
notification to the US government, and maintain stable public access to the
corresponding product source code for review by the government.

2) There are a wide variety of embargoed individuals and nations to which
various classes of products are not to be exported.  This is not limited to
crypto stuff.  As far as I can tell, Apache does not take any special steps
to ensure their products are not exported to these individuals and nations,
but they do make it very clear that anyone packaging Apache products is
responsible for complying with relevant regulations.


--

I think we can address (2) by maintaining a disclaimer and terms of use document
referenced from various download locations on the OSGeo web site.  Something
similar to:

    http://www.apache.org/licenses/exports/

See the sections titled "Embargoed Destinations" and "Denied Parties List"
for particulars on embargoes.

I skimmed some of these lists, but was unable to find one that seemed to
list embargoed nations (as opposed to individuals and organizations).

I do not see any practice at Apache, or most other projects where
an automated attempt is made to restrict access to download servers or
code repositories based on the apparent nation of origin of IP #'s or
other such things.  I think in this regard Google is showing an
excess of caution and we don't need to replicate this.  I'd add that
any such effort is very leaky, and likely to deny access to parties
that should not be restricted.

-- 

For (1) I think we will need to review all our products (likely accomplished
on a per-project basis) and submit notifications for those with any use of
crypto.  In addition to the per-project notifications, I think we might need
to do a notification for aggregate binary releases we produce that are not
specifically associated with a single project, OSGeo4W for instance.  I'm
a bit vague on this part.

We should also prepare a "process page" similar to:

   http://www.apache.org/dev/crypto.html

but I suspect we will use a somewhat more manual process.  We would also
need to add "crypto evaluation" to our incubation steps.

I would be very glad for input from others who have dealt with US export
regulations in the past to check some of my assumptions.  In particular,
I wonder if we should have some legal review by someone with experience
in this area.

I would note that I have in the past been asked about ECCN numbers for
GDAL.  I think it may make enterprises wishing to include some of our
component libraries more comfortable if they know we are addressing
our export requirements in a serious manner.

--

Lastly, I would like to repeat the last item from the Apache FAQ.

"""
Q: Isn't it somewhat weird that I, who am not a U.S. citizen nor resident,
should be constrained as to what or how I can commit to an ASF repository
by some U.S. law?

A: No. The ASF is a US-based corporation and must comply with U.S.
export controls. Incidentally, the U.S. is not the only country with
controls on cryptography. Many other nations have very similar
restrictions, primarily driven by the Wassenaar Arrangement.
"""

The point here is that export restrictions are not unique to the USA, though
they tend to be more organized about imposing them.  Some parts of this are
mandated by international treaties in force in many countries.

Best regards,
-- 
---------------------------------------+--------------------------------------
I set the clouds in motion - turn up   | Frank Warmerdam, warmerdam at pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush    | President OSGeo, http://osgeo.org