Wes doesn't seem to buy my crypto export theory, apparently because of Linux or Open Source.  Of course, I have no idea why they pulled WASTE, but if the flurry of emails is any indication, people really don't understand the current state of U.S. crypto regulations.  Yes, encryption software is still, to a certain extent, treated like a munition.  I'll attempt to give a few (admittedly oversimplified) rules of thumb related to the export of encryption software.

If a proprietary product (e.g. Groove, Windows, Notes, Kubi, Office) either 1) implements crypto algorithms, or 2) directly utilizes open-source crypto libraries (e.g. Crypto++, RSAREF), the vendor must apply for an export license appropriate for that sort of product before ever distributing it in any form – physically, on the 'net, etc.

If an open-source product (e.g. Linux, Chandler, PGP, Jabber) either 1) implements crypto algorithms, or 2) directly utilizes open-source crypto libraries, then prior to distributing or redistributing it in any form (physically, on the 'net, via a mirror site, etc.) U.S. parties are subject to notification requirements, under which the gov't must be told where that publicly available source code can be obtained.

Regardless of whether a party needs a license or is simply subject to notification requirements, one must make diligent efforts to prevent export or re-export to the T-7 nations (which, I have heard, is now the T-6).

Simply stated, if you are in the U.S. and are hosting source code for a modified Linux or Mozilla distribution, or if, for example, you're currently hosting a mirror of the WASTE source code, you have an affirmative obligation to notify the government, and a further affirmative obligation to make efforts to block the “rogue” nations.  Otherwise, you're violating export laws.

Now, back to WASTE.  If indeed AOL corporate (the code's owner) intended to open source the product, then it would be subject to the same notification and blocking requirements.  Individuals may choose the civil disobedience route, but as a major public corporation AOL has quite a bit to lose if it doesn't follow U.S. export laws.

However, let's say that AOL really does regard this as proprietary software, as its web page now seems to imply, and that the shadowy Dick Pumpaloaf didn't just write the doc … he indeed posted Justin's code without AOL's consent.  Then AOL would have had to apply for an export license, which takes many, many months for a technical review and, in our experience, takes on average about six months just for renewals or major version modifications.

(Please remember, though, IANAL – so seek your own counsel.) [Ray Ozzie's Weblog]