Eran Strod
Director of Product Marketing
estrod@blackducksoftware.com
Tim Yeaton

Last week the open source hosting giant sourceforge.net officially blocked access to its site by any users located in Cuba, Iran, North Korea, Sudan, and Syria. SourceForge was compelled to do this by the United States Export Administration Regulations (EAR), which control the transfer of encryption technology such as software to countries outside the U.S. and to certain individuals within the U.S. The EAR contains detailed guidelines about what individuals and companies operating within the US may and may not do with encryption technology.

The EAR allows “publicly available” code like open source to be hosted on websites in the US and freely downloaded under a special rule called License Exception TSU. However, TSU still restricts “knowing” exports to country group E (the countries listed above). Simply making code available on a website is not knowledge and does not trigger “red flags.”

What is interesting is that the US Commerce Department (Bureau of Industry and Security) has written an advisory opinion allowing free and anonymous downloads for “mass market” items as long as the hosting site is not capturing user contact information. “Mass market” is a legal term for commercial items that have applied for and received that designation from the BIS. Does the note on “mass market” bless the industry to allow open source downloads to country group E? Common sense might say ‘yes,’ but this is a legal question that would have to be settled by the BIS.

Mozilla General Counsel Harvey Anderson argued this point to the BIS. Mozilla noticed that users from country group E (namely Iran) were downloading Firefox, which contains encryption. The Mozilla Foundation now had knowledge that the code was being exported to Iran – a clear violation of license exception TSU. Mozilla made a voluntary disclosure of the situation to authorities, who reviewed the facts and provided Mozilla with a no-violation letter.

Anderson was quoted in the press saying that this ruling was a victory for the open source movement and applies to the broader open source community. That might be true, but a definitive statement would have to come from the BIS itself. Anderson rightly encourages other organizations to seek legal counsel for their own situations.

Mozilla Firefox is freely and anonymously downloadable. SourceForge allows anonymous downloads but requires users to register before participating in other aspects of the site. The registration gives them knowledge of a user’s identity and location. That could very well be the problem that SourceForge has addressed with their new access policy.

Update: In response to a passionate response from their user community, SourceForge has decided to change their export policy to allow project leaders to set access controls on a project-by-project basis. In reading the first few comments, it looks like users are more comfortable with this approach. The Apache Foundation takes a similar approach in terms of asking developers to understand and comply with the regulations. If you need help understanding your obligations under US export administration regulations, Black Duck has some good introductory white papers on the subject. There is also some good training material on the BIS website.