[Board] Export Controls

Arnulf Christl arnulf.christl at wheregroup.com
Fri Jun 6 05:41:59 PDT 2008 

On Thu, June 5, 2008 17:34, Frank Warmerdam wrote:
> Folks,
>
>
> I've spent a half an hour reviewing the apache export control docs again,
>  and I thought I would summarize my understanding of them preparatory to
> our meeting tomorrow.

Thank you for the concise report.

I want to add that some issues around this topic are not compatible with
many aspects of Open Source governance. We will simply not be able to find
consensus. So we have to take a different approach and I think it will
follow the path outlined by Frank here (see below for more comments).

> I see two major issues.
>
>
> 1) There are some specific US laws related to export of crypto based
> products, including anything that calls openssl libraries (anything using
> curl libraries for instance for https access).   Basically, as long as the
> only crypto support is ultimately via the openssl libraries we just need
> to issue a per-product notification to the US government, and maintain
> stable public access to the corresponding product source code for review
> by the government.
>
> 2) There are a wide variety of embargoed individuals and nations to which
>  various classes of products are not to be exported.  This is not limited
> to crypto stuff.  As far as I can tell, Apache does not take any special
> steps to ensure their products are not exported to these individuals and
> nations, but they do make it very clear that anyone packaging Apache
> products is responsible for complying with relavent regulations.
>
>
> --
>
>
> I think we can address (2) by maintain a disclaimer and terms of use
> document referenced from various download locations on the OSGeo web site.
> Something
> similar to:
>
> http://www.apache.org/licenses/exports/
>
>
> See the sections titled "Embargoed Destinations" and "Denied Parties
> List"
> for particulars on embargoes.
>
> I skimmed some of these lists, but was unable to find one that seemed to
> list embargoed nations (as opposed to individuals and organizations).
>
> I do not see any practice at Apache, or most other projects where
> an automated attempt is made to restrict access to download servers or code
> repositories based on the apparent nation of origin of IP #'s or other
> such things.  I think in this regard Google is showing an excess of
> caution and we don't need to replicate this.  I'd add that any such effort
> is very leaky, and likely to deny access to parties that should not be
> restricted.
>
> --
>
>
> For (1) I think we will need to review all our products (likely
> accomplished on a per-project basis) and submit notifications for those
> with any use of crypto.  In addition to the per-project notifications, I
> think we might need to do a notification for aggregate binary releases we
> produce that are not specifically associated with a single project, so
> OSGeo4W for instance.  I'm
> a bit vague on this part.
>
> We should also prepare a "process page" similar to:
>
>
> http://www.apache.org/dev/crypto.html
>
>
> but I suspect we will use a somewhat more manual process.  We would also
> need to add "crypto evaluation" to our incubation steps.
>
> I would be very glad for input from others who have dealt with US export
> regulations in the past to check some of my assumptions.  In particular, I
> wonder if we should have some legal review by someone with experience in
> this area.
>
> I would note that I have in the past been asked about ECCN numbers for
> GDAL.  I think it may make enterprises wishing to include some of our
> component libraries more comfortable if they know we are addressing our
> export requirements in a serious manner.
>
> --
>
>
> Lastly, I would like to repeat the last item from the Apache FAQ.
>
>
> """
> Q: Isn't it somewhat weird that I, who am not a U.S. citizen nor resident,
>  should be constrained as to what or how I can commit to an ASF
> repository by some U.S. law?
>
> A: No. The ASF is a US-based corporation and must comply with U.S.
> export controls. Incidentally, the U.S. is not the only country with
> controls on cryptography. Many other nations have very similar
> restrictions, primarily driven by the Wassenaar Arrangement. """
>
>
> The point here is that export restrictions are not unique to the USA,
> though they tend to be more organized about imposing them.  Some parts of
> this are mandated by international treaties in force in many countries.
>
> Best regards,

What else? Due to the immaterial nature of software, the debatable
senselessness of the term "intellectual property" and many more aspects
that thoroughly render all kinds of export restriction policies for this
kind of "non-material good" defunct this whole issue is a simple matter of
theory.

Unsurprisingly I therefore have no problem complying to these export
regulations as they have no effect whatsoever on the way we work. One
little detail that we should be explicit about is that OSGeo must not
propose to its members[0] to break these rules or sanction [1],[2] such
activities.

[0] OSGeo Charter Members Only
[1] http://dict.leo.org/ende?lp=ende&p=wlqAU.&search=Strafma%DFnahmen
[2] http://dict.leo.org/ende?lp=ende&p=wlqAU.&search=Zustimmungen

-- 
Arnulf Christl
http://www.wheregroup.com

More information about the Board mailing list