Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Mozilla Firefox Not In Violation of US Export Rules

Soulskill posted more than 5 years ago | from the no-news-is-good-news dept.

Government 127

darthcamaro writes "While the internet may know no borders, the US government does. There are a number of rules that affect software vendors, including encryption export regulations from the US Department of Commerce and export sanctions by the Department of Treasury. But what do you do when your application is open source and freely available to anyone in the world? Do the same the rules apply? It's a question that Mozilla asked the US government about. The answer they received could have profound implications not just for Firefox but for all open source software vendors. 'We really couldn't accept the notion that these government rules could jeopardize the participatory nature of an open source project, so we sought to challenge it,' Harvey Anderson, VP and General Counsel of Mozilla, told InternetNews.com. 'We argued that First Amendment free speech rights would prevail in this scenario. The government took our filing and then we got back a no-violation letter, which is fantastic.'"

Sorry! There are no comments related to the filter you selected.

Oblig xkcd... (5, Funny)

Cheesetrap (1597399) | more than 5 years ago | (#29472963)

http://xkcd.com/504/ [xkcd.com]

Oh, and FireFirst? :)

Re:Oblig xkcd... (5, Insightful)

Cheesetrap (1597399) | more than 5 years ago | (#29473025)

Oh wow... Either /. searches and penalises for the letters f-i-r-s-t appearing in a primary post, or I just got bitchslapped at the speed of light.

I apologise.

Also, I should also mention the fact that legislation against encryption is ridiculously counter-productive; if the feds are after someone for any good reason, and that person is a criminal, they aren't going to respect such a restriction if they're already violating more serious laws. If all they succeed in doing is reducing legitimate commercial trade in such products, they're hurting themselves but at the same time improving the market tremendously for illicit dealers (note this observation applies to drugs as well, hmm).

Re:Oblig xkcd... (5, Insightful)

NoYob (1630681) | more than 5 years ago | (#29473163)

Crypto just takes some smart folks to create it. I get the impression that the US Government doesn't believe that people outside its borders are capable of developing their own.

Re:Oblig xkcd... (0, Flamebait)

Anonymous Coward | more than 5 years ago | (#29473305)

The American Advanced Encryption Standard, as with all significant American inventions, was created by Europeans, in this case by the Belgians.

Re:Oblig xkcd... (1)

Cheesetrap (1597399) | more than 5 years ago | (#29473419)

I guess you're trying to call them thieving BAEStards? :P

Seriously though, some purists would argue that since software is in fact just a form of maths in a usable form, it cannot be truly 'created', only discovered.

Re:Oblig xkcd... (0)

Anonymous Coward | more than 5 years ago | (#29474017)

And purer purists would argue it doesn't exist if it's not created. Or should I say constructed.

Re:Oblig xkcd... (0)

Toonol (1057698) | more than 5 years ago | (#29473703)

as with all significant American inventions, was created by Europeans

Sounds like you're trying to nurse a very bruised ego back to life.

Re:Oblig xkcd... (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#29475483)

You missed his point. Sounds more like yours just got bruised.

Re:Oblig xkcd... (2, Funny)

sakdoctor (1087155) | more than 5 years ago | (#29475653)

There is a single light of science, and to brighten it anywhere is to brighten it everywhere.

Re:Oblig xkcd... (3, Interesting)

Chris Burke (6130) | more than 5 years ago | (#29473543)

If all they succeed in doing is reducing legitimate commercial trade in such products, they're hurting themselves but at the same time improving the market tremendously for illicit dealers (note this observation applies to drugs as well, hmm).

Yeah, that's why the export restrictions were lifted in the late 90s. Because all it was doing was hurting our domestic encryption companies. Back then, when Mozilla was still Netscape, you had to assert that you were in the U.S. or download a version with weaker encryption. Free software that used strong encryption had to be hosted on sites outside the U.S.

That was over 10 years ago. Now we still have restrictions about exporting to certain not-our-friend countries, but ultimately that's because (despite more cynical interpretations) we know that they can get this technology without our assistance, but that doesn't mean we're going to hand it to them.

But while that makes sense for some technologies, it doesn't make much sense for a free software browser implementing SSL because for one there are plenty of other SSL implementations out there and for two us not handing it to them only leaves, oh, about a billion others more than happy to allow downloads from Iran.

So look at that -- perhaps technically against the rules, but practically meaningless, and in the spirit of the law they decided there was no problem. Someone in the Commerce Department was wearing their thinking cap! Good for them, and good for Mozilla.

Re:Oblig xkcd... (1)

jonbryce (703250) | more than 5 years ago | (#29474781)

And you could still export it anyway. What you had to do was print out the source code, mail it to someone in Europe and have them scan it in and re-compile it.

Given that Russian cryptographers are at least as good as American ones, what is the point of it anyway?

Re:Oblig xkcd... (1)

TheRaven64 (641858) | more than 5 years ago | (#29475965)

Not true. Applied Cryptography contains only the weaker version of RSA in sample code (listings in a book, not compiled code) to get around export restrictions. To demonstrate how stupid these laws are, the key length is a constant at the start of the program. If you changed it from 128 to 1024, the book became illegal for export, but you could distribute the book with 128 as the constant and let people outside the USA change it to 1024 when they typed it in without any problems.

Oh, and the export restrictions aren't quite lifted. Strong encryption is classified as a munition now, which means you can export it to anywhere that isn't under an arms embargo.

Re:Oblig xkcd... (3, Insightful)

msimm (580077) | more than 5 years ago | (#29474195)

Right, criminals will still use it but the majority of the citizenry wouldn't and who is it the NSA is spying on again?

Re:Oblig xkcd... (1)

mckinleyn (1288586) | more than 5 years ago | (#29474205)

Also, I should also mention the fact that legislation against encryption is ridiculously counter-productive; if the feds are after someone for any good reason, and that person is a criminal, they aren't going to respect such a restriction if they're already violating more serious laws. If all they succeed in doing is reducing legitimate commercial trade in such products, they're hurting themselves but at the same time improving the market tremendously for illicit dealers (note this observation applies to drugs as well, hmm).

And guns, too, hmm?

Re:Oblig xkcd... (2, Insightful)

Kjella (173770) | more than 5 years ago | (#29473085)

About the XKCD... munitions yeah, but do you think it's the sort of munitions they'd let you have? The military already got a lot of neat stuff you don't get to play with.

What the heck is going on today? (5, Interesting)

MoxFulder (159829) | more than 5 years ago | (#29473423)

Did someone not tell me? Is it Government Does The Right Thing Day today???

So far we have, in succession, on Slashdot:

Not bad for one day. The cynic in me assumes all this is going to be reversed tomorrow... :-p

Re:What the heck is going on today? (1)

steelfood (895457) | more than 5 years ago | (#29473743)

Or it's just an elaborate April Fools joke that the feds are going to spring on us on April 1.

Re:What the heck is going on today? (2, Informative)

Anonymous Coward | more than 5 years ago | (#29474229)

Change you can believe in. :-)

Re:What the heck is going on today? (1)

icebrain (944107) | more than 5 years ago | (#29475411)

The cynic in me assumes all this is going to be reversed tomorrow...

If similar decisions by the BATFE are any indication, the State department (or whoever decided this) is going to turn around in a year or two and decide that it is export-restricted... and then make Mozilla run around and delete it from every computer outside the US or something.

Don't get too excited, in other words.

Re:What the heck is going on today? (1)

webheaded (997188) | more than 5 years ago | (#29475903)

It's only cynical when you aren't consistently proven right. In that case, you're just....realistic.

Re:Oblig xkcd... (2, Insightful)

jez9999 (618189) | more than 5 years ago | (#29475393)

I know I'm taking that cartoon way too seriously, but what the hell. The 2nd amendment doesn't guarantee people to right to export arms from the US. :-) US citizens already have the ability to 'keep and bear crypto', WITHIN the US.

Re:Oblig xkcd... (2, Informative)

TheRaven64 (641858) | more than 5 years ago | (#29475971)

The comic is also wrong. Strong crypto is still illegal to export from the US to any country under arms embargo. It is not illegal to export to other countries (it was until the mid '90s). It used to require an arms export license, and now it doesn't, but it is still regulated and still counts as a munition when exporting to embargo'd countries.

What good news (0, Troll)

gbarules2999 (1440265) | more than 5 years ago | (#29472971)

Firefox isn't breaking any laws, and neither am I! I for one decided not to break into a store and steal all of their merchandise. So both me and Firefox are not breaking any laws. What a great day it is to be alive.

Re:What good news (1, Funny)

gbarules2999 (1440265) | more than 5 years ago | (#29473317)

Sorry, Slashdot. I agree, that was a pretty bad post. I'll go away now.

free speech (1, Interesting)

wizardforce (1005805) | more than 5 years ago | (#29472975)

if firefox is shielded from these export restrictions because of first amendment protection wouldn't any open source implementation of strong encryption also be protected? wouldn't this make those export restrictions very nearly mute?

Re:free speech (2, Interesting)

X0563511 (793323) | more than 5 years ago | (#29473047)

I think the deal with this is that, being open, everyone is on the same level.

Not so with closed algorithms.

Hypothetical: Selling NewCrypto to Russia, would result in Russia having an advantage over China, and China then being pissed at us for it.

Re:free speech (0)

Anonymous Coward | more than 5 years ago | (#29475565)

China, along with every country that isn't the UK, is already pissed with you.

Re:free speech (5, Funny)

StikyPad (445176) | more than 5 years ago | (#29473115)

Moot. M-O-O-T.
n. Of no practical importance; irrelevant.

Mute is what people wish you'd be. Moot is what you are.

</nerdrage>

Re:free speech (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#29473145)

tell me... what if anything did that contribute to the GP's post? did your post contribute anything of value other than pedantry? No. mods... attack.

Re:free speech (5, Informative)

WNight (23683) | more than 5 years ago | (#29473239)

Yes, it contributed correctness to the world - always a good thing.

Seriously, it also (if the original poster is able to take criticism) helped them avoid this mistake in the future, potentially in front of a prospective client/etc.

There's a big difference between a typo or otherwise one-off failure and mistaking one word for another. It's nitpicking over typos because it's unlikely someone thinks 'teh' is correct, but when they use a word like mute in place of moot - not easily mistyped but easily mistaken - it's usually an indicator that they don't know better.

Re:free speech (1)

wizardforce (1005805) | more than 5 years ago | (#29473435)

mute/moot; It's a nasty habit.

Re:free speech (2, Informative)

steelfood (895457) | more than 5 years ago | (#29473767)

No, "irregardless" is a nasty habit. Mistaking there or their for they're or any combination thereof is a nasty habit, since it's usually laziness that drives people to use the spelling without the apostrophe.

Using mute for moot is like using affect instead of effect: a sign of ignorance. And as we all understand inherently, the best thing with which to counter ignorance is knowledge.

Re:free speech (1)

Machtyn (759119) | more than 5 years ago | (#29474225)

Speaking of this type of thing... It is "should have" not "should of". It is "could have" not "could of".

Also, They're there in their room.

Re:free speech (1)

Mozk (844858) | more than 5 years ago | (#29474523)

Mute and moot easily mistaken? They don't even sound the same unless you have an extreme case of yod-dropping [wikipedia.org] . Confusing those two just sounds like stupidity to me.

Re:free speech (0)

Anonymous Coward | more than 5 years ago | (#29473405)

"what if anything did" should be "what, if anything, did"

Re:free speech (3, Funny)

master5o1 (1068594) | more than 5 years ago | (#29473277)

2. Moot
n. The founder of 4chan.org
Synonym: mootle.

Re:free speech (1)

Will.Woodhull (1038600) | more than 5 years ago | (#29476345)

<pedant>While PP's correction of GP's improper choice of homonym is laudable, the incorrect definition PP provides, and the tacit approval of GP's errant usage that stems from that, are unfortunate. Give PP 1 point, but take away 2 points.

In some common dialects of English, "moot" and "mute" are closer in sound than are "there" and "they're"; they are homonyms in those dialects.

However while "moot" can take several different meanings, "Of no practical importance; irrelevant" is not one of them. The closest that "moot" comes to this meaning is in describing a point that has already been explored and determined in clear precedents so there can be no argument on that point. "Whether 64 bit encryption is not a munition is moot: that was decided years ago."

But more commonly "moot" is used to describe some point in a line of reasoning that cannot be validated without a discussion that is outside the scope of the current proceedings. The line of reasoning is therefore a "what if" situation, and cannot be used at the current time. </pedant>

Re:free speech (4, Informative)

Ronald Dumsfeld (723277) | more than 5 years ago | (#29473233)

if firefox is shielded from these export restrictions because of first amendment protection wouldn't any open source implementation of strong encryption also be protected? wouldn't this make those export restrictions very nearly mute?

Don't people remember what happened with Phil Zimmerman over PGP?

The munitions classification on encryption software was used against him for posting the PGP source code on Usenet. They really, really wanted to nail him to the wall over that one.

There was a certain irony in the restrictions on exporting crypto software deemed 'munitions'. You could take the source, publish it as a book in an OCR font (with the page numbers between comment delimiters), and export it anywhere in the world.

Re:free speech (3, Interesting)

Watson Ladd (955755) | more than 5 years ago | (#29473587)

In fact Phil did just that to bring the code to Canada.

Re:free speech (1)

macbeth66 (204889) | more than 5 years ago | (#29474179)

Don't people remember what happened with Phil Zimmerman over PGP?

Yes. Nothing. There was an investigation and after about three years of wasted tax dollars, no charges were brought. Ya gotta tell the whole story with a lead-in like that!

I think the whole thing was just a bully tactic by RSA. They didn't like the competition. Especially from an open source project.

Re:free speech (1)

giorgist (1208992) | more than 5 years ago | (#29473461)

Sure, can you launder me some money ? Maybe I can buy me a flag for my ship I got some flesh for sale.
Can you hold my "profits" ?

What, you gonna have some rules ?

Re:free speech (0)

Anonymous Coward | more than 5 years ago | (#29474559)

I think you mean "moot".

(you ignorant putz)

Re:free speech (1)

jonbryce (703250) | more than 5 years ago | (#29474797)

Yes it is, due to the First Amendment, and it does make the restrictions very nearly mute except that they already were.

Does this apply to further OSS? (1)

orta (786013) | more than 5 years ago | (#29472977)

So could this be used as a precedent for 'exporting' other decrypting code?

It means they found a back door... (4, Insightful)

Joce640k (829181) | more than 5 years ago | (#29472987)

Or some way to break the encryption, eg. they've got the boss of Verisign in their back pocket.

Re:It means they found a back door... (1)

Ronald Dumsfeld (723277) | more than 5 years ago | (#29473251)

Or some way to break the encryption, eg. they've got the boss of Verisign in their back pocket.

What possible use would having the boss of Verisign in their back pocket be?

Verisign fulfills a 'trust provider' function by signing people's website certificates. The only use for that would be to have a clean certificate for, say, a typosquatting site.

Re:It means they found a back door... (2, Insightful)

Joce640k (829181) | more than 5 years ago | (#29473257)

There's this thing called a "man in the middle attack" - see http://en.wikipedia.org/wiki/Man-in-the-middle_attack [wikipedia.org]
.

Re:It means they found a back door... (1)

Watson Ladd (955755) | more than 5 years ago | (#29473593)

Which can be fixed by having your own CA and disabling trust of the sent out list.

Re:It means they found a back door... (1)

cpghost (719344) | more than 5 years ago | (#29475525)

But which no regular users would do, as they trust the public CAs by default (if they even know what that is).

So, according to our Government ... (5, Insightful)

NoYob (1630681) | more than 5 years ago | (#29473003)

However, that exemption is nullified if the source code is distributed to any of the countries on the U.S embargo list, such as Cuba, Iran or North Korea.

Huh. I didn't realize that Cuba, Iran, and North Korea didn't have any mathematicians or anyone else that is capable of developing their own cryptography. Or that other countries that do not have a problem with those particular countries do not have that expertise either. I guess the US has a monopoly on that talent. It's a good thing that the US Government is embargoing crypto. It worked great for nuclear bomb technology after all!

Re:So, according to our Government ... (2, Insightful)

Anonymous Coward | more than 5 years ago | (#29473141)

Dude, you forgot the '/satire'.

The mods are kinda stupid.

Re:So, according to our Government ... (1)

master5o1 (1068594) | more than 5 years ago | (#29473295)

I didn't realise that Cuba, Iran and North Korea didn't have Internet access. Well, I kind of knew that Iran has/had crippled Internet from filtering, but who doesn't these days?

Re:So, according to our Government ... (1)

Chris Burke (6130) | more than 5 years ago | (#29473853)

It worked great for nuclear bomb technology after all!

Hehe. Nice one.

Re:So, according to our Government ... (3, Interesting)

Ethanol-fueled (1125189) | more than 5 years ago | (#29473881)

KhaaaaaaaAAAAAAAAN! [wikipedia.org]

Re:So, according to our Government ... (1)

TheRaven64 (641858) | more than 5 years ago | (#29476003)

I didn't realize that Cuba, Iran, and North Korea didn't have any mathematicians or anyone else that is capable of developing their own cryptography

Honestly? They probably don't. None of the encryption algorithms used by the US government are entirely US-made. They are the result of collaboration and review between mathematicians in the US, the EU, and even Russia and China. Even then, there have still been vulnerabilities related to slightly flawed implementations of the algorithms, though the algorithms themselves are (believed to be) sound.

Of course, that doesn't alter the fact that the embargo is stupid, especially given the fact that all of the algorithms used by Mozilla are implemented by OpenSSL, which is hosted in Canada and so can be exported worldwide.

This is a common problem for OSS (4, Interesting)

MichaelSmith (789609) | more than 5 years ago | (#29473023)

Why else would OpenBSD be distributed from Canada? And contributions of crypto code from the USA are very carefully checked IIRC.

Re:This is a common problem for OSS (3, Funny)

Cheesetrap (1597399) | more than 5 years ago | (#29473097)

I could maybe understand this law making sense in the cold war era, and/or as it relates to hardware crypto, but it seems pretty irrelevant and ignorant for them to try and restrict the exchange of digital informa-- I'm sorry, for a second there I was thinking that politicians and legislators actually had a grasp on reality, please excuse my momentary lapse.

Re:This is a common problem for OSS (1)

Nyeerrmm (940927) | more than 5 years ago | (#29473225)

Can you imagine the political difficulties in trying to reduce ITAR restrictions? Even if a politician does recognize that reform is needed, its unlikely they'll have the guts to do it, since the attack ads are so easy to write. Remember, ITAR stands for International Trade in Arms Restrictions. No one wants to be pro-proliferation.

We deal with the same things in the space industry, since rockets tend to resemble missiles. ITAR is ultimately a stranglehold on American businesses in a globalized world and needs to be reformed -- unfortunately reform is likely to be a complex, wonky issue, and one that is far too easy to be demonized.

Re:This is a common problem for OSS (2, Informative)

MichaelSmith (789609) | more than 5 years ago | (#29474783)

I work in Aerospace and it is much the same. The loss to US business is not that bad because ITAR extends to any business which deals with the USA. So most external competitors will be subject to the same laws.

Re:This is a common problem for OSS (0)

Anonymous Coward | more than 5 years ago | (#29475685)

ITAR needs to die.

I worked on a ITAR project last year (me being based in the UK).

It places stupid costs which shouldn't exist for example ITAR data needs to be controlled with an authorized users list. If your receiving ITAR exports via email (perfectly legal) and your company has a good email retention policy you suddenly have to track and remove your export emails from the backup's. Let not forget that you can have a team of engineers in the UK and have the ITAR license for the UK. Suddenly you can't use non-British people unless you get special clearance for them. You also need an ITAR export license which can take anything between 3-6 months depending on the US congress's whim.

As for loss of business the software we used was for demo purposes, after looking into things we've decided to develop our own version of it because its cheaper than exporting the American version (We got it from the US wing of the company).

Re:This is a common problem for OSS (1)

feronti (413011) | more than 5 years ago | (#29475855)

The loss to US businesses is in the overhead of ensuring compliance. The cost of non-compliance is incredibly high; my company is currently listed as a restricted company because someone forgot to label some component specs that were covered under ITAR, and those specs then were sent to a non-US company. We now have to waste almost an hour a month on training that basically boils down to "If you're sending something outside the company, make sure to clear it with Trade Compliance first." Not to mention the huge fines and loss of business as a result of being restricted.

Re:This is a common problem for OSS (5, Informative)

Anonymous Coward | more than 5 years ago | (#29473111)

You're right. See their Crypto page. [openbsd.org] In fact, they build their binary releases only in Canada, Sweden, and Germany to avoid ITAR type restrictions.

Re:This is a common problem for OSS (0)

Anonymous Coward | more than 5 years ago | (#29473223)

Why else would OpenBSD be distributed from Canada?

Because Theo lives in Alberta, and the main host is a local(ish) university.

PGP, Debian? Was all sorted out surely? (0)

Anonymous Coward | more than 5 years ago | (#29473255)

I thought this was all sorted out after the PGP fiasco? I wasn't too sure if it was sorted out when us.gov decided that some relevant law had expired, but I definitely thought it was sorted out. After all, debian dropped non-us because of this clearing up.

"Industry and public interest groups lobbied for liberalization, and the Clinton Administration reformed the outdated U.S. export controls on encryption items in a series of graduated steps, culminating the new US Regulations" -- http://www.debian.org/legal/cryptoinmain [debian.org] .

Re:This is a common problem for OSS (2, Informative)

harmonise (1484057) | more than 5 years ago | (#29473657)

Why else would OpenBSD be distributed from Canada?

Because the project leader is Canadian. The lack of crypto export laws in Canada is just a bonus.

It is quite sad to note.... (3, Insightful)

dan_sdot (721837) | more than 5 years ago | (#29473065)

... that an innovative business like Mozilla needs to live in fear of the government and nervously await its blessing.

It happens. (1)

Tubal-Cain (1289912) | more than 5 years ago | (#29473363)

It's a natural part of innovation. More entrenched companies don't test these boundaries, and so don't risk running afoul of government red tape.

What we obviously need: (4, Interesting)

Hurricane78 (562437) | more than 5 years ago | (#29473135)

A virtual country to own virtual propery, including software as this. A country which by definition has no rules of any kind, and is outside of every jurisdiction, because you can't sue or attack anyone from it. It would work like an encrypted multi-mirrored darknet. Every real server participating, would store a set of "random noise" data blocks on his systems. Nobody could decrypt it, including that server. Only people inside the darknet with access to their private block could. Nobody could delete it, because there would always be at least 3 copies, floating in the darknet, encrypted differently, so that you would not be able to know that they contain the same data.

As an easter egg it would contain a honeypot, which would contain only one short sentence: "NOW WHAT, BITCHES?" ;)

Re:What we obviously need: (1)

countertrolling (1585477) | more than 5 years ago | (#29473549)

I felt a great disturbance in the Net, as if millions of anchors were suddenly dropped and it went silent.

Re:What we obviously need: (2, Informative)

evanbd (210358) | more than 5 years ago | (#29473627)

You mean something like Freenet [freenetproject.org] ?

The hard problems for such a network involve things like searching and routing. Freenet isn't exactly fast, but it's worlds more secure than anything else for this sort of thing (even so, it's far from perfect). It's also quite usable for things like browsing freesites (Freenet-hosted websites), and publishing controversial content (though large, unpopular files don't stay around forever, due to limits on disk space (and probably some bugs, but we're working on those)).

Of course, if the problem is the encryption itself, which Freenet makes rather heavy use of, the problem is rather harder.

It's not just "free speech,"... (3, Insightful)

msauve (701917) | more than 5 years ago | (#29473137)

but that thought, or words on a page, are very simply not munitions, disingenuous government definitions be damned.

Re:It's not just "free speech,"... (1)

TheRaven64 (641858) | more than 5 years ago | (#29476013)

So, do the blueprints for a nuclear bomb or for an ICBM count as munitions or free speech in your black-and-white world?

Re:It's not just "free speech,"... (1)

msauve (701917) | more than 5 years ago | (#29476405)

It's up to the state to protect the secrecy of such information.

Once they're out, then it's free speech.

Not just my opinion. Read up on "prior restraint."

Paradox (2, Insightful)

gmuslera (3436) | more than 5 years ago | (#29473149)

Getting an approval by local laws saying that local laws don't apply? Looks pretty much to the liar paradox. Or local laws (as in US country laws, like the ones that forbids exporting crypto) don't apply or apply (like the US country laws that gives the 1st amendment),

If you want to push that open source projects, developed with the cooperation from people from all countries are not restricted to the laws of a single country, thats ok, no need to put a country-specific 1st amendment to justify it. Else the exporting crypto restrictions could be applied but was made an exception in hat case.

Re:Paradox (1)

Itninja (937614) | more than 5 years ago | (#29473193)

Getting an approval by local laws saying that local laws don't apply?

Is that not the entire purpose of the Judicial branch of US Government(tm)?

Re:Paradox (0)

Anonymous Coward | more than 5 years ago | (#29474895)

Sorry, you got it wrong. They're getting an approval by local lows saying that one law (free speech) trumps the other (encryption export ban) in this situation. No paradox here.

Re:Paradox (1)

cpghost (719344) | more than 5 years ago | (#29475491)

Getting an approval by local laws saying that local laws don't apply? Looks pretty much to the liar paradox.

It's not a paradox if the law specifically says: "You can't do that, unless you get permission."

this has been known for years (5, Interesting)

Pretzalzz (577309) | more than 5 years ago | (#29473173)

This is why the non-US archive for Debian went away.

Prior to the release of Debian 3.1, United States laws placed restrictions on the export of certain defense articles, which, unfortunately, included some types of cryptographic software. PGP and SSH, among others, fell into this category. It was legal however, to import such software into the US.

To prevent anyone from taking unnecessary legal risks, some Debian packages were only available from a site in Leiden, The Netherlands, until the release of Debian 3.1, which incorporates this software thanks to changes in United States law.

You should not need the non-US archive unless you are using a version of Debian from before Debian 3.1.

Debian 3.1 corresponds to 2005. I'm amazed that Mozilla was unaware of this and needed to ask someone.

Re:this has been known for years (3, Insightful)

Nemyst (1383049) | more than 5 years ago | (#29473283)

They probably wanted a clear, black-on-white reply that they could present to court or to potential litigators should any threat arise. Better safe than sorry, they say?

FAIL - they asked the wrong Agency!!! (0)

Anonymous Coward | more than 5 years ago | (#29476005)

The linked article doesn't clearly say so but articles elsewhere state that Mozilla sent their query to and received the no-violation letter from the Department of Commerce.

The problem here is that the Department of Commerce is the authoritative control over Export Administration Regulations (EAR), including the Commerce Control List which Mozilla likely (probably rightly) thought their exports could be considered to be violating, but encryption is (also) controlled under International Traffic in Arms Regulations (ITAR http://en.wikipedia.org/wiki/International_Traffic_in_Arms_Regulations [wikipedia.org] ) which is authoritatively administered by the Department of State. It does not matter what pronouncements you have from Commerce, you can still be prosecuted and penalized by State for ITAR violations.

That's not a theoretical-type warning either -- companies been prosecuted by State for ITAR violations and essentially been told 'so?' when they showed State their 'no-violation' letter from Commerce. Perhaps Mozilla's VP should augment the company's General Counsel with an import/export lawyer?

Re:this has been known for years (3, Interesting)

rattaroaz (1491445) | more than 5 years ago | (#29473287)

I'm amazed that Mozilla was unaware of this and needed to ask someone.

Probably because if they asked Slashdot, everyone would be telling them to quit asking Slashdot and call a lawyer, so that's what they did.

Re:this has been known for years (0)

Anonymous Coward | more than 5 years ago | (#29473289)

Yeah, the "export" version of Netscape went away with like version 4.5. Someone down at Mozilla must just be bored or something.

Re:this has been known for years (1)

TheRaven64 (641858) | more than 5 years ago | (#29476023)

They don't need to ask someone, but for open source code there is still a requirement to notify the Department of Commerce's Bureau of Industry and Security. Beyond that notification, no review is needed (and it's just a notification, not a request for permission).

Why bother asking? (1)

funkatron (912521) | more than 5 years ago | (#29473275)

Buying hosting in a few countries without this particular silly law isn't difficult. Why waste time with the government? Especially when what they got isn't all that good:

However, that exemption is nullified if the source code is distributed to any of the countries on the U.S embargo list, such as Cuba, Iran or North Korea.

Re:Why bother asking? (1)

PhxBlue (562201) | more than 5 years ago | (#29473591)

Buying hosting in a few countries without this particular silly law isn't difficult. Why waste time with the government?

So they can get a crack at replacing Internet Explorer as the browser of choice for U.S. Government computer systems?

Re:Why bother asking? (1)

DMiax (915735) | more than 5 years ago | (#29475283)

how do you suggest they put the code on those servers without breaking the law?

Mozilla General Counsel considered clueless? (5, Informative)

bonze (1578437) | more than 5 years ago | (#29473307)

Ho-hum. Unrestricted export of open-source products incorporating encryption from the US has been legal for quite a while. All you have to do is file an application with the Feds under the Export Regs Section 740.13 "TECHNOLOGY AND SOFTWARE -- UNRESTRICTED (TSU)" before you make the source and binaries available, and you don't have to screen downloads or worry if the Officially Designated Bad Guys download your code: your ass is covered.

This war was won a loooong time ago by Philip Zimmermann [wikipedia.org] when the Feds wanted to crush him for releasing PGP. All props go to Phil!

The Regulation in point: (3, Informative)

bonze (1578437) | more than 5 years ago | (#29473369)

Section 740.13 (e) "(6) "Knowledge" of a prohibited export or reexport. Posting of source code or corresponding object code on the Internet (e.g., FTP or World Wide Web site) where it may be downloaded by anyone would not establish "knowledge" of a prohibited export or reexport. See Section 740.13(e)(4) of the EAR for prohibited knowing exports to Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria. In addition, such posting would not trigger "red flags" necessitating the affirmative duty to inquire under the "Know Your Customer" guidance provided in Supplement No. 3 to part 732 of the EAR."

Just to establish that this is really... not news. Just PR, move along folks, nothing to see here.

Re:Mozilla General Counsel considered clueless? (0)

Anonymous Coward | more than 5 years ago | (#29474753)

you must be a lair... errr lawyer :P

Re:Mozilla General Counsel considered clueless? (0)

Anonymous Coward | more than 5 years ago | (#29474855)

So does this really mean that one needs a permission, automatically granted, in the US to publish and republish some free software?

DJB vs. US (0)

Anonymous Coward | more than 5 years ago | (#29474901)

Actually the case you meant to refer to was: http://en.wikipedia.org/wiki/Bernstein_v._United_States

Re:Mozilla General Counsel considered clueless? (1)

Toad-san (64810) | more than 5 years ago | (#29476085)

Phil didn't win anything for anybody, at least not for a long long time. The Info-ZIP Workgroup went through the same grief back in the 80's when we were trying to back-engineer Phil Katz' ZIP / UNZIP utilities, porting them to virtually every known operating system in the world.

We got unofficial rumbles from US Customs, NSA, etc. that they would crush our virtual fingers if we dared release source code (and everything in Info-ZIP was full open source) for the ZIP encryption. (PKWare had restrictions too against export, but they could and did pretty much ignore that.) But we were actively distributing source, and that was somehow ... different. And far more heinous.

Amazingly, coincidentally, miraculously, some of the Workgroup boyos in France produced some wondrous code that (wooo!) gave us full PKZIP encrypt / decrypt capabilities. So since we were now _importing_ the encryption algorithms from France ... we thumbed our noses at the Powers That Be and went about their business, distributing the whole source code package world-wide.

The rumbles just kind of went away, and that was the end of that.

Since I was the official "coordinator" for source code archiving, distribution, compatibility, coordination, etc., I know whereof I speak. And I'd already been through the "No Export of Encryption Technology To Those Godless Commies" grief with a commercial encryption package of my own (CryptoMax and CryptoComm).

Glad to see the Feds finally realized that Ivan, Ming, and all those other 'orrible folks were perfectly capable of inventing their own encryption if they had to, and quit all that silliness. And also glad to see that Zimmerman didn't go to jail. I sure was surprised to read all that PGP source code in Dr. Dobbs :-) (And weren't THEY the brave ones to publish it too? Usenet be damned; Dr. Dobbs should get the credit on that one!

Thanks DJB (1)

Ice Station Zebra (18124) | more than 5 years ago | (#29473375)

You had the balls to sue the United States Government. http://export.cr.yp.to/ [cr.yp.to]

Its only semi-fantastic. (3, Informative)

Seor Jojoba (519752) | more than 5 years ago | (#29473411)

"The government took our filing and then we got back a no-violation letter, which is fantastic.'"

Mozilla basically asked if it would be okay if Mozilla (not you, not me, not everybody else) could put strong encryption in their software. They didn't get a court ruling--they got permission. And there's nothing wrong with that, but it doesn't mean they are some champions of free speech rights. No, it means that they have successfully looked after their own interests. And other, particularly smaller, open source developers shouldn't expect to have the same good fortune in getting permission.

Not to be too grumpy. It is good news that somebody was exempted from a stupid regulation.

Re:Its only semi-fantastic. (0)

Anonymous Coward | more than 5 years ago | (#29475361)

ok, so they move out of the US, you do know that there is an entire world out there, right?

Re:free speech (1)

clint999 (1277046) | more than 5 years ago | (#29475045)

Crypto just takes some smart folks to create it. I get the impression that the US Government doesn't believe that people outside its borders are capable of developing their own.

Early Netscape (1)

bryan1945 (301828) | more than 5 years ago | (#29475419)

I remember sometime back in the dark ages when I upgraded Netscape to 64 or 128 bit encryption and you had to do a song and dance saying "Yes, I live in America" to download the new version. Does the government really think that only the US can come up with tough-to-break encryption schemes?

What are they talking about? (1)

trifish (826353) | more than 5 years ago | (#29475459)

Huh? I mean seriously what are these Mozilla people talking about?

Open source projects have been exempted by the US from crypto export restrictions for years.

See this page:
http://www.bis.doc.gov/encryption/pubavailencsourcecodenofify.html [doc.gov]

The only thing an open source admin needs to do is to notify the authorities of the fact that he is making it available for download. That's it.

I wonder how good the Mozilla lawyers really are...

Re:What are they talking about? (1)

yuna49 (905461) | more than 5 years ago | (#29475909)

Open source projects have been exempted by the US from crypto export restrictions for years.

Yes, but not to embargoed countries like Cuba, Iran, and North Korea. Mozilla consulted with the Federal Government after becoming aware of downloads to Iran.

From TFA, "During a recent Firefox download event, Mozilla posted a map on its Web site showing where downloads were occurring. Anderson said it became clear that a substantial number of downloads were coming from Iran. Mozilla then had knowledge that it was exporting to Iran, which could have put it in violation of the U.S export regulations, exposing the firm to criminal and financial penalties."

Export of crypto != Trading with "Enemy" countries (1)

originalhack (142366) | more than 5 years ago | (#29476461)

NO MONEY ... NO FOUL

A lot of posters (all of them) are mixing up 2 issues. The problem here is not that the crypto functions were exported from the US. The problem is that US companies are not permitted to do business with, for example, people or companies located with Iran.

When you make a product available on the internet, even a free one, people download it from all over and this could be considered "doing business" and IP filters are a rather silly way to try to stop it. The more straightforward approach is to "follow the money." In this case, there is no money to follow and ... no money, no foul. Sounds like a good precedent for all kinds of TRADE restrictions.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?