[OSGeo-Discuss] Software Copyright ownership

Brian Russo brian at beruna.org
Mon Feb 15 11:50:29 PST 2010

EAR is the Export Administration Regulations, maintained by the Bureau
of Industry & Security within the US Department of Commerce.

Well I'm no lawyer so I cannot give legal advice nor confirm on this
matter. I do know that 740.13(e)(6) says that posting encryption
source code and object code online doesn't invoke the "know your
customer" obligations nor constitute knowledge of export, etc. A
simple solution may be to just mirror what Kerberos did and put up a
bunch of disclaimers - http://web.mit.edu/Kerberos/dist/index.html

Anecdotally, the fact that Mozilla got a 'no-violation' letter when
it's known that Firefox has been exported to Iran via Mozilla's
servers is interesting (though not a legal precedent).

I suggest contacting EFF or a similar group and asking their lawyers.

 - bri

On Mon, Feb 15, 2010 at 2:52 AM, Jorge Gaspar Sanz Salinas
<jsanz at osgeo.org> wrote:
> On 14 February 2010 22:44, Brian Russo <brian at beruna.org> wrote:
>> I'm having trouble thinking of any, since encryption isn't really a
>> big factor in most GIS software. Even if it is a component of the
>> software, as long as those encryption components reside outside of it
>> in openssl or similar - while it is an inconvenience - it can be
>> handled the same way this matter has been for years.
>> Distribute/produce the software inside the US without the encryption -
>> and then foreigners can obtain openssl from outside the US.. compile
>> the software, etc.
>> There are probably some GIS software packages that would fall under
>> the EAR, but since they meet the GSN requirements for being 'generally
>> available to the public', they are exempted 15 CFR §734.7(b). Likewise
>> even if there was a non-encryption product that somewhere fell under
>> ITAR, it is also exempt 22 CFR §125.1(a) since open source software is
>> in what ITAR considers accessibility in the public domain.
>> There's still of course the matter of places like North Korea/other
>> embargoed nations, but unless you're actively initiating such specific
>> transfers then there's no concern since the EAR language that I'm
>> aware of refers to 'downloading or causing the downloading...'.
> I don't know what "EAR" means on this context (not talking about EJBs,
> right?) but as it seems that your knowledge on this field is far
> better than mine, can you confirm if is or not a law infringement of
> the OSGeo Foundation to let Cuban or North Korean people to download
> any product from OSGeo stack*? The wiki text I've copied says the
> contrary, isn't it?
> * from its own servers like GDAL or hosted outside like Geonetwor,
> Geoserver, etc.

I can't confirm anything since I'm not a lawyer in this field, I just
have some familiarity with it having filled out the paperwork to
export high-tech items previously. If OSGeo does not have an attorney,
probably EFF could be consulted on the matter freely as I'm sure they
have experts on this topic. There are also some very knowledgeable
people on this matter in the Debian Project and probably other OS

However the law itself is surprisingly clear and is worth reading.

EAR refers to the Export Administration Regulations, noted in that
wiki you linked. They are regulated by the BIS which is part of the
Department of Commerce. They regulate the majority of export item. The
Department of State also regulates 'defense articles' via ITAR, but
since GIS software would most certainly be considered a 'dual purpose'
item, as long as it does not include encryption I'd be genuinely
shocked if it fell under ITAR. Even if it does, it being open source
really helps it.

As I mentioned previously, open source software meets the General
Software Note exemption under 15 CFR §734.7(b). I urge you to read the
language, but basically it says that if the software is "generally
available", via free or "reproduction cost" licensing, or like in a
library, or is used in a university, etc; then exporting it is rather
moot since any foreign national could simply walk in and grab a copy
if they wanted anyway. Open source software easily meets this

Likewise under ITAR, there is an exemption for non-encryption open
source software considered to be in the public domain (in the sense of
access, not licensing) under 22 CFR §125.1(a)

For encryption open source products, no license is required from BIS,
however you have to make a TSU notification -

Embargoed destinations and denied persons/entities are a no-go
regardless of any exemptions. However simply placing the source
code/object code on a website does not constitute export, knowledge of
export, nor does it

> Best
> --
> Jorge Gaspar Sanz Salinas
> Ingeniero en Geodesia y Cartografía
> http://wiki.osgeo.org/wiki/Jorge_Sanz
> _______________________________________________
> Discuss mailing list
> Discuss at lists.osgeo.org
> http://lists.osgeo.org/mailman/listinfo/discuss

More information about the Discuss mailing list