Slashdot Mirror


Mozilla Firefox Not In Violation of US Export Rules

darthcamaro writes "While the internet may know no borders, the US government does. There are a number of rules that affect software vendors, including encryption export regulations from the US Department of Commerce and export sanctions by the Department of Treasury. But what do you do when your application is open source and freely available to anyone in the world? Do the same rules apply? It's a question that Mozilla asked the US government about. The answer they received could have profound implications not just for Firefox but for all open source software vendors. 'We really couldn't accept the notion that these government rules could jeopardize the participatory nature of an open source project, so we sought to challenge it,' Harvey Anderson, VP and General Counsel of Mozilla, told InternetNews.com. 'We argued that First Amendment free speech rights would prevail in this scenario. The government took our filing and then we got back a no-violation letter, which is fantastic.'"

38 of 127 comments

  1. Oblig xkcd... by Cheesetrap · · Score: 5, Funny

    http://xkcd.com/504/

    Oh, and FireFirst? :)

    1. Re:Oblig xkcd... by Cheesetrap · · Score: 5, Insightful

      Oh wow... Either /. searches and penalises for the letters f-i-r-s-t appearing in a primary post, or I just got bitchslapped at the speed of light.

      I apologise.

      Also, I should also mention the fact that legislation against encryption is ridiculously counter-productive; if the feds are after someone for any good reason, and that person is a criminal, they aren't going to respect such a restriction if they're already violating more serious laws. If all they succeed in doing is reducing legitimate commercial trade in such products, they're hurting themselves but at the same time improving the market tremendously for illicit dealers (note this observation applies to drugs as well, hmm).

    2. Re:Oblig xkcd... by Kjella · · Score: 2, Insightful

      About the XKCD... munitions yeah, but do you think it's the sort of munitions they'd let you have? The military already got a lot of neat stuff you don't get to play with.

      --
      Live today, because you never know what tomorrow brings
    3. Re:Oblig xkcd... by NoYob · · Score: 5, Insightful

      Crypto just takes some smart folks to create it. I get the impression that the US Government doesn't believe that people outside its borders are capable of developing their own.

      --
      It's NOT me! It's the meds! I'm on 1000mg of Fukitol.
    4. Re:Oblig xkcd... by Chris Burke · · Score: 3, Interesting

      If all they succeed in doing is reducing legitimate commercial trade in such products, they're hurting themselves but at the same time improving the market tremendously for illicit dealers (note this observation applies to drugs as well, hmm).

      Yeah, that's why the export restrictions were lifted in the late 90s. Because all it was doing was hurting our domestic encryption companies. Back then, when Mozilla was still Netscape, you had to assert that you were in the U.S. or download a version with weaker encryption. Free software that used strong encryption had to be hosted on sites outside the U.S.

      That was over 10 years ago. Now we still have restrictions about exporting to certain not-our-friend countries, but ultimately that's because (despite more cynical interpretations) we know that they can get this technology without our assistance, but that doesn't mean we're going to hand it to them.

      But while that makes sense for some technologies, it doesn't make much sense for a free software browser implementing SSL because for one there are plenty of other SSL implementations out there and for two us not handing it to them only leaves, oh, about a billion others more than happy to allow downloads from Iran.

      So look at that -- perhaps technically against the rules, but practically meaningless, and in the spirit of the law they decided there was no problem. Someone in the Commerce Department was wearing their thinking cap! Good for them, and good for Mozilla.

      --

      The enemies of Democracy are
    5. Re:Oblig xkcd... by msimm · · Score: 3, Insightful

      Right, criminals will still use it but the majority of the citizenry wouldn't and who is it the NSA is spying on again?

      --
      Quack, quack.
    6. Re:Oblig xkcd... by jez9999 · · Score: 2, Insightful

      I know I'm taking that cartoon way too seriously, but what the hell. The 2nd amendment doesn't guarantee people the right to export arms from the US. :-) US citizens already have the ability to 'keep and bear crypto', WITHIN the US.

    7. Re:Oblig xkcd... by sakdoctor · · Score: 2, Funny

      There is a single light of science, and to brighten it anywhere is to brighten it everywhere.

    8. Re:Oblig xkcd... by TheRaven64 · · Score: 2, Informative

      The comic is also wrong. Strong crypto is still illegal to export from the US to any country under arms embargo. It is not illegal to export to other countries (it was until the mid '90s). It used to require an arms export license, and now it doesn't, but it is still regulated and still counts as a munition when exporting to embargo'd countries.

      --
      I am TheRaven on Soylent News
  2. It means they found a back door... by Joce640k · · Score: 4, Insightful

    Or some way to break the encryption, eg. they've got the boss of Verisign in their back pocket.

    --
    No sig today...
    1. Re:It means they found a back door... by Joce640k · · Score: 2, Insightful

      There's this thing called a "man in the middle attack" - see http://en.wikipedia.org/wiki/Man-in-the-middle_attack.

      --
      No sig today...
  3. So, according to our Government ... by NoYob · · Score: 5, Insightful

    However, that exemption is nullified if the source code is distributed to any of the countries on the U.S embargo list, such as Cuba, Iran or North Korea.

    Huh. I didn't realize that Cuba, Iran, and North Korea didn't have any mathematicians or anyone else that is capable of developing their own cryptography. Or that other countries that do not have a problem with those particular countries do not have that expertise either. I guess the US has a monopoly on that talent. It's a good thing that the US Government is embargoing crypto. It worked great for nuclear bomb technology after all!

    --
    It's NOT me! It's the meds! I'm on 1000mg of Fukitol.
    1. Re:So, according to our Government ... by Anonymous Coward · · Score: 2, Insightful
      Dude, you forgot the '/satire'.

      The mods are kinda stupid.

  4. This is a common problem for OSS by MichaelSmith · · Score: 4, Interesting

    Why else would OpenBSD be distributed from Canada? And contributions of crypto code from the USA are very carefully checked IIRC.

    1. Re:This is a common problem for OSS by Cheesetrap · · Score: 3, Funny

      I could maybe understand this law making sense in the cold war era, and/or as it relates to hardware crypto, but it seems pretty irrelevant and ignorant for them to try and restrict the exchange of digital informa-- I'm sorry, for a second there I was thinking that politicians and legislators actually had a grasp on reality, please excuse my momentary lapse.

    2. Re:This is a common problem for OSS by Anonymous Coward · · Score: 5, Informative

      You're right. See their Crypto page. In fact, they build their binary releases only in Canada, Sweden, and Germany to avoid ITAR type restrictions.

    3. Re:This is a common problem for OSS by harmonise · · Score: 2, Informative

      Why else would OpenBSD be distributed from Canada?

      Because the project leader is Canadian. The lack of crypto export laws in Canada is just a bonus.

      --
      Cory Doctorow talking about cloud computing makes as much sense as George W Bush talking about electrical engineering.
    4. Re:This is a common problem for OSS by MichaelSmith · · Score: 2, Informative

      I work in Aerospace and it is much the same. The loss to US business is not that bad because ITAR extends to any business which deals with the USA. So most external competitors will be subject to the same laws.

  5. Re:free speech by X0563511 · · Score: 2, Interesting

    I think the deal with this is that, being open, everyone is on the same level.

    Not so with closed algorithms.

    Hypothetical: Selling NewCrypto to Russia, would result in Russia having an advantage over China, and China then being pissed at us for it.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  6. It is quite sad to note.... by dan_sdot · · Score: 3, Insightful

    ... that an innovative business like Mozilla needs to live in fear of the government and nervously await its blessing.

  7. Re:free speech by StikyPad · · Score: 5, Funny

    Moot. M-O-O-T.
    n. Of no practical importance; irrelevant.

    Mute is what people wish you'd be. Moot is what you are.

    </nerdrage>

  8. What we obviously need: by Hurricane78 · · Score: 4, Interesting

    A virtual country to own virtual property, including software as this. A country which by definition has no rules of any kind, and is outside of every jurisdiction, because you can't sue or attack anyone from it. It would work like an encrypted multi-mirrored darknet. Every real server participating, would store a set of "random noise" data blocks on his systems. Nobody could decrypt it, including that server. Only people inside the darknet with access to their private block could. Nobody could delete it, because there would always be at least 3 copies, floating in the darknet, encrypted differently, so that you would not be able to know that they contain the same data.

    As an easter egg it would contain a honeypot, which would contain only one short sentence: "NOW WHAT, BITCHES?" ;)

    --
    Any sufficiently advanced intelligence is indistinguishable from stupidity.
    1. Re:What we obviously need: by evanbd · · Score: 2, Informative

      You mean something like Freenet?

      The hard problems for such a network involve things like searching and routing. Freenet isn't exactly fast, but it's worlds more secure than anything else for this sort of thing (even so, it's far from perfect). It's also quite usable for things like browsing freesites (Freenet-hosted websites), and publishing controversial content (though large, unpopular files don't stay around forever, due to limits on disk space (and probably some bugs, but we're working on those)).

      Of course, if the problem is the encryption itself, which Freenet makes rather heavy use of, the problem is rather harder.

  9. It's not just "free speech,"... by msauve · · Score: 3, Insightful

    but that thought, or words on a page, are very simply not munitions, disingenuous government definitions be damned.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  10. Paradox by gmuslera · · Score: 2, Insightful

    Getting an approval by local laws saying that local laws don't apply? Looks pretty much like the liar paradox. Either local laws (as in US country laws, like the ones that forbid exporting crypto) don't apply or they apply (like the US country laws that give the 1st amendment).

    If you want to push that open source projects, developed with the cooperation from people from all countries are not restricted to the laws of a single country, that's ok, no need to put a country-specific 1st amendment to justify it. Else the exporting crypto restrictions could be applied but was made an exception in that case.

  11. this has been known for years by Pretzalzz · · Score: 5, Interesting
    This is why the non-US archive for Debian went away.

    Prior to the release of Debian 3.1, United States laws placed restrictions on the export of certain defense articles, which, unfortunately, included some types of cryptographic software. PGP and SSH, among others, fell into this category. It was legal however, to import such software into the US.

    To prevent anyone from taking unnecessary legal risks, some Debian packages were only available from a site in Leiden, The Netherlands, until the release of Debian 3.1, which incorporates this software thanks to changes in United States law.

    You should not need the non-US archive unless you are using a version of Debian from before Debian 3.1.

    Debian 3.1 corresponds to 2005. I'm amazed that Mozilla was unaware of this and needed to ask someone.

    1. Re:this has been known for years by Nemyst · · Score: 3, Insightful

      They probably wanted a clear, black-on-white reply that they could present to court or to potential litigators should any threat arise. Better safe than sorry, they say?

    2. Re:this has been known for years by rattaroaz · · Score: 3, Interesting

      I'm amazed that Mozilla was unaware of this and needed to ask someone.

      Probably because if they asked Slashdot, everyone would be telling them to quit asking Slashdot and call a lawyer, so that's what they did.

  12. Re:free speech by Ronald Dumsfeld · · Score: 4, Informative

    if firefox is shielded from these export restrictions because of first amendment protection wouldn't any open source implementation of strong encryption also be protected? wouldn't this make those export restrictions very nearly mute?

    Don't people remember what happened with Phil Zimmermann over PGP?

    The munitions classification on encryption software was used against him for posting the PGP source code on Usenet. They really, really wanted to nail him to the wall over that one.

    There was a certain irony in the restrictions on exporting crypto software deemed 'munitions'. You could take the source, publish it as a book in an OCR font (with the page numbers between comment delimiters), and export it anywhere in the world.

    --
    Where's the Kaboom?
    There's supposed to be an Earth-shattering Kaboom.
  13. Re:free speech by WNight · · Score: 5, Informative

    Yes, it contributed correctness to the world - always a good thing.

    Seriously, it also (if the original poster is able to take criticism) helped them avoid this mistake in the future, potentially in front of a prospective client/etc.

    There's a big difference between a typo or otherwise one-off failure and mistaking one word for another. It's nitpicking over typos because it's unlikely someone thinks 'teh' is correct, but when they use a word like mute in place of moot - not easily mistyped but easily mistaken - it's usually an indicator that they don't know better.

  14. Re:free speech by master5o1 · · Score: 3, Funny

    2. Moot
    n. The founder of 4chan.org
    Synonym: mootle.

    --
    signature is pants
  15. Mozilla General Counsel considered clueless? by bonze · · Score: 5, Informative

    Ho-hum. Unrestricted export of open-source products incorporating encryption from the US has been legal for quite a while. All you have to do is file an application with the Feds under the Export Regs Section 740.13 "TECHNOLOGY AND SOFTWARE -- UNRESTRICTED (TSU)" before you make the source and binaries available, and you don't have to screen downloads or worry if the Officially Designated Bad Guys download your code: your ass is covered.

    This war was won a loooong time ago by Philip Zimmermann when the Feds wanted to crush him for releasing PGP. All props go to Phil!

  16. The Regulation in point: by bonze · · Score: 3, Informative

    Section 740.13 (e) "(6) "Knowledge" of a prohibited export or reexport. Posting of source code or corresponding object code on the Internet (e.g., FTP or World Wide Web site) where it may be downloaded by anyone would not establish "knowledge" of a prohibited export or reexport. See Section 740.13(e)(4) of the EAR for prohibited knowing exports to Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria. In addition, such posting would not trigger "red flags" necessitating the affirmative duty to inquire under the "Know Your Customer" guidance provided in Supplement No. 3 to part 732 of the EAR."

    Just to establish that this is really... not news. Just PR, move along folks, nothing to see here.

  17. It's only semi-fantastic. by Seor Jojoba · · Score: 3, Informative

    "The government took our filing and then we got back a no-violation letter, which is fantastic.'"

    Mozilla basically asked if it would be okay if Mozilla (not you, not me, not everybody else) could put strong encryption in their software. They didn't get a court ruling--they got permission. And there's nothing wrong with that, but it doesn't mean they are some champions of free speech rights. No, it means that they have successfully looked after their own interests. And other, particularly smaller, open source developers shouldn't expect to have the same good fortune in getting permission.

    Not to be too grumpy. It is good news that somebody was exempted from a stupid regulation.

  18. What the heck is going on today? by MoxFulder · · Score: 5, Interesting

    Did someone not tell me? Is it Government Does The Right Thing Day today???

    So far we have, in succession, on Slashdot:

    Not bad for one day. The cynic in me assumes all this is going to be reversed tomorrow... :-p

    1. Re:What the heck is going on today? by Anonymous Coward · · Score: 2, Informative

      Change you can believe in. :-)

  19. Re:free speech by Watson Ladd · · Score: 3, Interesting

    In fact Phil did just that to bring the code to Canada.

    --
    Inventions have long since reached their limit, and I see no hope for further development.-- Frontinus, 1st cent. AD
  20. Re:free speech by steelfood · · Score: 2, Informative

    No, "irregardless" is a nasty habit. Mistaking there or their for they're or any combination thereof is a nasty habit, since it's usually laziness that drives people to use the spelling without the apostrophe.

    Using mute for moot is like using affect instead of effect: a sign of ignorance. And as we all understand inherently, the best thing with which to counter ignorance is knowledge.

    --
    "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."