Unless you are a brand-new reader of this blog, you know that I am generally a fan of the open-source approach to software design. One of the more successful recent open-source projects is Mozilla’s Firefox Web browser, which has managed to acquire an estimated 23% of the browser market. Besides its own success, it has arguably pushed Microsoft to upgrade its browser, Internet Explorer, more frequently, even as Internet Explorer’s market share has dropped from 90+% to about 66%.
Since the early days of the Web, there has been a technical and legal issue, little known except among lawyers and hard-core geeks, that has affected Web browsers. In order to implement the TSL/SSL protocol that is used to secure communications between the browser and the Web site (often indicated by the little lock icon shown), the browser must include cryptographic software.
And therein lies the rub. For many years, the export of cryptographic devices and software has been regulated by the Arms Export Control Act, implemented by the International Traffic in Arms Regulations [ITAR], published by the Department of State. From Wikipedia:
For practical purposes, ITAR regulations dictate that information and material pertaining to defense and military related technologies (for items listed on the US Munitions List) may only be shared with US Persons unless authorization from the Department of State is received or a special exemption is used.
A “US Person” is a US citizen, a permanent resident not employed by a foreign government or organization, a part of the US government, or a corporation or other organization located in the US and subject to US law. Up until 1996-97, strong cryptography was covered and its export was forbidden. (I have, somewhere, a T-shirt that in the early 1990s was classified as a munition of war, because it had one of the encryption algorithms used in the PGP software package printed on it. Even to wear it in a place where one of my English or German friends might see it would violate the law. Note that they would not have to actually see it; merely the possibility that they might would violate the law.) So, for years, “export” versions of browsers could use encryption keys no longer than 40 bits.
After a couple of US Appeals Court rulings that printed materials (e.g., books) containing cryptographic algorithms were protected as free speech under the First Amendment to the US Constitution, the rules were relaxed in the late 1990s. However, persons associated with certain specified countries (e.g., Cuba, North Korea) were still subject to export prohibitions.
For a commercial software publisher like Microsoft, this is a bloody nuisance, especially in an era when software is commonly distributed over the Internet. For a free software project, which is not only distributed but developed over the Internet, it is a rule almost impossible to comply with, since the source code is freely available. Although the rules do contain an exemption for open-source software, that exemption is not universal:
However, that exemption is nullified if the source code is distributed to any of the countries on the U.S embargo list, such as Cuba, Iran or North Korea.
Fortunately, Internet News is reporting that Mozilla has obtained a “no violation” letter from the US government, affirming that its “exports” are permitted. Although it is not an all-purpose “Get Out of Jail Free” card (the Mozilla organization would probably get in trouble if they were to sell cryptographic software to the government of Iran, for example), the letter does provide an exemption for the distribution and development of source code that are crucial to the project.
It is heartening to see all the parties involved come to a sensible conclusion.