Interesting People mailing list archives

IP: more on two on New Encryption Regulations


From: David Farber <farber () cis upenn edu>
Date: Thu, 13 Jan 2000 12:19 +0000



----Original Message-----
From:           shapj () us ibm com
To:             farber () cis upenn edu
Subject:        Re: IP: Twp on New Encryption Regulations
Date:           Thursday, January 13, 2000 7:05 AM

[For IP]

* Source code that is "not subject to an express agreement for the payment
of a licensing fee or royalty for commercial production or sale of any
product developed with the source code" is freely exportable to all but the
T-7 terrorist countries.

[Brett Glass writes:]
...The way I read this, ... code licensed under
the GNU General Public License (GPL) would not be exportable, because the
license restricts the development of a commercial product based on the code.

I took part in some of the review process for the new regs, and I think
Brett is mistaken. Code licensed under GPL does not require payment of a
licensing fee or royalty and is therefore exportable under the above
regulation. The fact that such code places the same restriction on the
surrounding product is immaterial to the regulation.

The curious point that nobody seems to want to comment on is that the
regulation *only* lightens the load for open source code. The question that
we really should be asking is: "What is it about open source that warrants
this exemption, or shouldn't we extend it to software in general?" IMHO,
the answers respectively are "nothing" and "of course."

The second question we should be raising is "What about secure operating
systems?" Crypto is essentially useless if the end system is insecure.
Today, such operating systems are not exportable. The effect of this law is
that you can't sell a secure OS to an international corporate customer. An
OS you can't sell is pretty useless, so nobody develops them.

What the current policy means is that *everyone* is naked and vulnerable
together. Because of the DoD's "commercial off the shelf procurement"
policy (basically a good idea), the armed forces are in the same boat as
the rest of us. For that matter, NATO derives a significant portion of its
equipment from the US. Most importantly, the command and control designs
for NATO are compatible with US designs.

With apologies to Tom Lehrer:

     ... and if the bomb that drops on you
     gets the Chinese embassy too
     there'll be nobody left behind to grieve.

Hopefully, we will fix this problem before some clever enemy commander
drops a US-launched device on a US target.

Jonathan S. Shapiro, Ph. D.
Research Staff Member
IBM T.J. Watson Research Center
Email: shapj () us ibm com
Phone: +1 914 784 7085  (Tieline: 863)
Fax: +1 914 784 6576
