Mozilla Firefox Not In Violation of US Export Rules

darthcamaro writes "While the internet may know no borders, the US government does. There are a number of rules that affect software vendors, including encryption export regulations from the US Department of Commerce and export sanctions by the Department of Treasury. But what do you do when your application is open source and freely available to anyone in the world? Do the same the rules apply? It's a question that Mozilla asked the US government about. The answer they received could have profound implications not just for Firefox but for all open source software vendors. 'We really couldn't accept the notion that these government rules could jeopardize the participatory nature of an open source project, so we sought to challenge it,' Harvey Anderson, VP and General Counsel of Mozilla, told InternetNews.com. 'We argued that First Amendment free speech rights would prevail in this scenario. The government took our filing and then we got back a no-violation letter, which is fantastic.'"

free speech

[wizardforce]

if firefox is shielded from these export restrictions because of first amendment protection wouldn't any open source implementation of strong encryption also be protected? wouldn't this make those export restrictions very nearly mute?

Re:free speech

[X0563511]

I think the deal with this is that, being open, everyone is on the same level.

Not so with closed algorithms.

Hypothetical: Selling NewCrypto to Russia, would result in Russia having an advantage over China, and China then being pissed at us for it.

Re:free speech

[Watson+Ladd]

In fact Phil did just that to bring the code to Canada.

This is a common problem for OSS

[MichaelSmith]

Why else would OpenBSD be distributed from Canada? And contributions of crypto code from the USA are very carefully checked IIRC.

What we obviously need:

[Hurricane78]

A virtual country to own virtual propery, including software as this. A country which by definition has no rules of any kind, and is outside of every jurisdiction, because you can't sue or attack anyone from it. It would work like an encrypted multi-mirrored darknet. Every real server participating, would store a set of "random noise" data blocks on his systems. Nobody could decrypt it, including that server. Only people inside the darknet with access to their private block could. Nobody could delete it, because there would always be at least 3 copies, floating in the darknet, encrypted differently, so that you would not be able to know that they contain the same data.

As an easter egg it would contain a honeypot, which would contain only one short sentence: "NOW WHAT, BITCHES?" ;)

this has been known for years

[Pretzalzz]

This is why the non-US archive for Debian went away.

Prior to the release of Debian 3.1, United States laws placed restrictions on the export of certain defense articles, which, unfortunately, included some types of cryptographic software. PGP and SSH, among others, fell into this category. It was legal however, to import such software into the US.

To prevent anyone from taking unnecessary legal risks, some Debian packages were only available from a site in Leiden, The Netherlands, until the release of Debian 3.1, which incorporates this software thanks to changes in United States law.

You should not need the non-US archive unless you are using a version of Debian from before Debian 3.1.

Debian 3.1 corresponds to 2005. I'm amazed that Mozilla was unaware of this and needed to ask someone.

Re:this has been known for years

[rattaroaz]

I'm amazed that Mozilla was unaware of this and needed to ask someone.

Probably because if they asked Slashdot, everyone would be telling them to quit asking Slashdot and call a lawyer, so that's what they did.

What the heck is going on today?

[MoxFulder]

Did someone not tell me? Is it Government Does The Right Thing Day today???

So far we have, in succession, on Slashdot:

• a bill introduced that would limit warantless wiretapping and remove retroactive immunity for spying telecoms,
• the FCC set to introduce net neutrality regulations, and now
• the U.S. government takes an entirely reasonable stance on crypto exports, without having its arm twisted

Not bad for one day. The cynic in me assumes all this is going to be reversed tomorrow... :-p

Re:Oblig xkcd...

[Chris+Burke]

If all they succeed in doing is reducing legitimate commercial trade in such products, they're hurting themselves but at the same time improving the market tremendously for illicit dealers (note this observation applies to drugs as well, hmm).

Yeah, that's why the export restrictions were lifted in the late 90s. Because all it was doing was hurting our domestic encryption companies. Back then, when Mozilla was still Netscape, you had to assert that you were in the U.S. or download a version with weaker encryption. Free software that used strong encryption had to be hosted on sites outside the U.S.

That was over 10 years ago. Now we still have restrictions about exporting to certain not-our-friend countries, but ultimately that's because (despite more cynical interpretations) we know that they can get this technology without our assistance, but that doesn't mean we're going to hand it to them.

But while that makes sense for some technologies, it doesn't make much sense for a free software browser implementing SSL because for one there are plenty of other SSL implementations out there and for two us not handing it to them only leaves, oh, about a billion others more than happy to allow downloads from Iran.

So look at that -- perhaps technically against the rules, but practically meaningless, and in the spirit of the law they decided there was no problem. Someone in the Commerce Department was wearing their thinking cap! Good for them, and good for Mozilla.

Re:So, according to our Government ...

[Ethanol-fueled]

KhaaaaaaaAAAAAAAAN!