The Open Technology Institute is currently engaged in a joint project on export controls with Privacy International and Digitale Gesellschaft. The blog post is also available on the Privacy International blog.
Export controls have something of a bad reputation in technology circles, and for good reason. The “crypto wars” were about draconian policies regulating how people could buy, sell and use cryptography which prevented people from being able to employ encryption techniques and technologies to protect their information and communications. While the controls were eventually changed, the crypto wars have shaped how many software engineers and open source advocates view export controls.
For those in the arms control world however, export controls can be considered a useful tool in constraining the general inclination of governments and defense manufacturers to sell weapons and other technology for national interest and profit.
While the crypto-wars as we understood them then may be over, the threat that export controls represent to the development and exchange of free and open source software continues to be a very real concern. This will without doubt be one of the biggest worries among many when it comes to subjecting surveillance systems to export control.
Privacy International, the Open Technology Institute, and Digitale Gesellschaft are acutely aware of the potential negative consequences of excessively broad export controls, but believe that the updating of existing export controls is necessary to protect human rights in the new technological environment. Export controls are not a silver bullet, but one of many important tools that can be used to limit the sale of surveillance technology around the world. That’s why we are at the forefront of this debate to push for appropriate controls on relevant dual-use technology while focusing on the technical and policy analysis required to avoid unintended negative consequences.
Controlling software
What’s important to understand is that the practicality of enforcing export controls plays a key role in determining what is and what isn’t controlled. “The ability to control effectively the export of the goods” is therefore one of the key determinants that decide what items get put within the dual-use control list.1
While best practices concerning the need to control the exchange of software were recognized as far back as 2006 there is an inherent difficulty in controlling open-source and free software. As a result, open-source and free software is exempt from control under the Wassenaar Arrangement. As the General Software Note within the Wassenaar Dual Use List makes clear, software generally available to the public or in the public domain is not subject to control (a legacy of the crypto-wars, however, is that this exemption does not apply to cryptographic items).
General Software Note
The Lists do not control “software” which is any of the following: Generally available to the public by being: * Sold from stock at retail selling points without restriction, by means of: * Over the counter transactions; * Mail order transactions; * Electronic transactions; * Telephone transactions; Designed for the installation by the user without further substantial support from the supplier; In the public domain;2 or The minimum necessary “object code” for the installation, operation, maintenance (checking) or repair of those items whose export has been authorized.
The fact that copyright restrictions do not remove technology or software from being in the public domain is important considering that open-source software is distributed under copyright. Further, there are also exceptions for technology within the General Technology Note: Controls do not apply to "technology"3 "in the public domain"4, to "basic scientific research"5 or to the minimum necessary information for patent applications.
Technical Notes
1. 'Technical data' may take forms such as blueprints, plans, diagrams,
2. models, formulae, tables, engineering designs and specifications, manuals and instructions written or recorded on other media or devices such as disk, tape, read-only memories.
3. 'Technical assistance' may take forms such as instruction, skills, training, working knowledge, consulting services. 'Technical assistance' may involve transfer of 'technical data'.
Summing up: it is our view that open source software is not subject to control on the basis of the Wassenaar Control List, but this exemption does not apply to “information security” items, i.e. controlled cryptography products that remain restricted as a legacy of the crypto wars.
Implementation
What is key to remember is that the Wassenaar Arrangement is an intergovernmental negotiation forum and its practical effects are seen at the national level. As the Free Software Foundation itself has pointed out, while Wassenaar itself appears to exempt free software, this hasn’t in the past stopped individual states trying to control it. It is how the individual states interpret the agreements, how they define the terms, how they actually implement them and what caveats they apply that is all-important. That’s what our project aims to assist with - more details following soon.
Notes
1.. For updated criteria, see: http://www.wassenaar.org/controllists/2005/Criteria_as_updated_at_the_December_2005_PLM.pdf
2.. Copyright restrictions do not remove "technology" or "software" from being "in the public domain".
3. Technology is defined as: Specific information necessary for the "development", "production" or "use" of a product. The information takes the form of technical data or technical assistance.
4. Here, “in the public domain” is defined as: "technology" or "software" which has been made available without restrictions upon its further dissemination.
5. Basic scientific research is defined as: Experimental or theoretical work undertaken principally to acquire new knowledge of the fundamental principles of phenomena or observable facts, not primarily directed towards a specific practical aim or objective.
