export policy, was Re: Package Maintainers Flags policy

Paul Wouters paul at xelerance.com
Tue May 26 14:09:32 UTC 2009


On Tue, 26 May 2009, Tom "spot" Callaway wrote:

Though I am also not a lawyer, I did look into things, being upstream
for openswan and an author of a book containing crypto, a rather crypto
heavy application and book...

> There are 6 countries that Fedora cannot be legally exported to (as a
> result of US export restrictions):
>
> Cuba, Iran, Iraq, North Korea, Sudan and Syria

I think technically, this restriction only applies on the export of the
software out of the US. For those outside the US, US law/doctrine does
not apply (even though the US claims it does). Rather, for most Western
countries, implementation of the Wassenaar Agreement in local law applies,
where some countries have extended the export restrictios as set forth in
the Wassenaar Agreement. In Europe, there is also the European Union
Dual-Use Export laws.

> These are known as the "T-6" countries. No individual associated with
> the Fedora project (or mirror site) should provide Fedora software to
> anyone in those countries, even if they are not in the US.

This is again US doctrine. It becomes even stranger as in my case, Fedora
imports openswan from The Netherlands, and then tells me I could not obtain
my own GPL licensed code to do what is legal within my country? Though in
this case, there is a large overlap of implementation of the Wassenaar
Agreement.

> "Because Fedora software contains encryption technology, Fedora software
> and technical information is subject to the U.S. Export Administration
> Regulations and other U.S. and foreign law, and may not be exported or
> re-exported to certain countries (currently Cuba, Iran, Iraq, North
> Korea, Sudan and Syria)

See above. Note that the Wassenaar Agreement excludes software that is
in the "public domain", eg free/open source software.

> or to persons or entities prohibited from
> receiving U.S. exports (including those (a) on the Bureau of Industry
> and Security Denied Parties List or Entity List, (b) on the Office of
> Foreign Assets Control list of Specially Designated Nationals and
> Blocked Persons, and (c) involved with missile technology or nuclear,
> chemical or biological weapons).

This is technically a violation of GPL, and could mean that
anyone distributing Fedora with those restrictions has lost their rights
to use and/or distribute the GPL software contained within Fedora.

> You may not download Fedora software or
> technical information if you are located in one of these countries, or
> otherwise affected by these restrictions. You may not provide Fedora
> software or technical information to individuals or entities located in
> one of these countries or otherwise affected by these restrictions. You
> are also responsible for compliance with foreign law requirements
> applicable to the import and use of Fedora software and technical
> information."

This is just boilerplate for more "US law applies to non-US citizens
because we say so" doctrine. Though it does not apply to non-US citizens,
there is a risk. I formulated it like this in the Openswan book:

Unrecognised international claims

Certain countries claim jurisdiction even outside their national
borders. Most notably, France claims the right to “regulate information
on foreign servers”, Italy assumes jurisdiction over sites "directed to
an Italian audience" and the US reserve the right to prosecute "offenses
against American interests" according to US law, irrespective of where
they take place.

You may want to consider the possibility that you can be sued or
prosecuted in another country. Additionally, if you are physically in
a country other than the Netherlands when you download our software,
you are probably subject to that country's jurisdiction anyway. And if
your download happens to pass a router under US control (say in Guam),
the US might make additional claims to rights for restriction of your
packets or even your person.


Note that this text was written a few years ago. For an updated situation,
one should probably consult their local lawyer, please the updates from
http://www.wassenaar.org/

Paul




More information about the fedora-devel-list mailing list