Developers, distributors, and users of Free and Open Source Software (FOSS) often face a host of legal issues which they need to keep in mind. Although areas of law such as copyright, trademark, and patents are frequently discussed, these are not the only legal concerns for FOSS. One area that often escapes notice is export controls. It may come as a surprise that sharing software that performs or uses cryptographic functions on a public website could be a violation of U.S. export control law.
Export controls is a term for the various legal rules which together have the effect of placing restrictions, conditions, or even wholesale prohibitions on certain types of export as a means to promote national security interests and foreign policy objectives. Export control has a long history in the United States that goes back to the Revolutionary War with an embargo of trade with Great Britain by the First Continental Congress. The modern United States export control regime includes the Department of State’s regulations covering export of munitions, the Treasury Department’s enforcement of United States’ foreign embargoes and sanctions regimes, and the Department of Commerce’s regulations applying to exports of “dual-use” items, i.e. items which have civil applications as well as terrorism, military, or weapons of mass destruction-related applications.
In the aftermath of World War II, the strategic importance of cryptographic technology had been clearly established, and cryptographic items were recognized as important subjects in U.S export control policy. Initially, encryption software and technology items were viewed as entirely military in nature, and their export was accordingly severely limited. However, this conclusion was challenged in the 1960s by the global financial system’s increasing use of wired money transfer which presented a compelling international civilian market demand for cryptography. In 1975 the U.S. released the IBM-developed and NSA-modified Data Encryption Standard (DES) for use by government and commercial parties. This release is commonly seen as a pivotal moment for the growth of civil cryptography internationally. However, even with DES, cryptographic software was still the exclusive domain of large corporations and academic researchers, and was far from a matter of public concern.
The personal computer boom and the spread of the Internet in the 1980s and 1990s contributed to a massive increase in the market for cryptographic software among the broader public for use in, among other things, e-commerce. The government, faced with the competing interests of the civilian demand for strong cryptography and the intelligence value of prohibiting access to cryptographic items by foreign powers, developed regulations that encouraged companies to create domestic and international variants of their products with different levels of cryptographic functionality, and further scrambled to assure its own domestic access to data through efforts such as the failed backdoor Clipper chip. This period of efforts by the government to restrict broader access to strong encryption despite popular demand is often referred to as the “crypto wars”. Export controls for encryption software were relaxed in a steady progression throughout the late 1990s, and by January 10, 2000 the rules were amended to the point that most saw the crypto wars as over and done with.
Although encryption software today is no longer classified primarily as a munition, the crypto wars did not end export controls on encryption software entirely. Moreover, in recent years the topic of encryption policy is in the realm of mainstream public debate once again. Export of encryption software is still regulated (chiefly by the Department of Commerce regime for dual-use goods) and violations of those regulations are enforced.
Export controls compliance
FOSS cryptography is a powerful tool for protecting the confidentiality, integrity, and authentication of information against even the most capable adversaries, but distributing these tools may carry some risk. While some distributors of FOSS encryption software may qualify for some of the low-or-no burden exemptions, exclusions, and exceptions from the Department of Commerce’s prohibitions on export, others may face significant compliance obligations.
When it comes to ensuring export controls compliance there is no substitute for consultation with a knowledgeable attorney. Determining applicable obligations under the export control regimes and the best way to satisfy those obligations can be a complex and challenging task which sometimes requires not only a mastery of the law, but also a competent grasp of the software in question.