10

I'm an independent software developer who has developed a program that links to the OpenSSL libraries for the purpose of allowing users to decrypt, filter and re-encrypt secure content. For example, one of the filtering engines in this software contains a transparent HTTPS proxy where the user can load filtering rules such as Adblock Plus Filters (EasyList) and have the proxy transparently remove matching content before presenting it the user.

I intend on publishing the entire source code on Github.com and publishing binaries releases, both under the GNU GPL v3 (or any later version). I've spoken with EXCOL to try to get a formal ruling on whether or not such a program is subject to control under Import/Export law in Canada. However, they simply don't want to make a ruling over the phone or email and the only clear ruling they've given me is that due to the nature of the product and how I'm releasing it, I'm not eligible to apply for an export permit (because there is no Consignee). The other thing they made clear is that uploading something to a website is classified as "exporting".

As such, they've told me the only thing I can do is apply for an Advisory Opinion, which they told me straight up is going to take "a very long time" because their priority is on processing actual applications, not giving opinions. Plus they basically told me that the opinion is useless, because it's based on your supplied specification and not the actual "product", so the opinion can be revoked/changed/thrown out.

There is some language in the official guide to applying for a permit that suggests that software placed in "the public domain" is not subject to control, with the definition of "public domain" meaning generally available to the public, not the typical interpretation as applied to copyright.

Note:

This does not release such "technology" controlled in entries 1-1.E.2.e. and 1-1.E.2.f . and 1-8.E.2.a. and 1-8.E.2.b.

Controls do not apply to "technology" in the "public domain", to "basic scientific research" or to the minimum necessary information for patent applications. General Software Note:

The Lists do not control "software" which is any of the following:

1. Generally available to the public by being:
    Sold from stock at retail selling points, without restriction, by means of :
        1. Over-the-counter transactions;
        2. Mail order transactions;
        3. Electronic transactions; or
        4. Telephone call transactions; and
    Designed for installation by the user without further substantial support by the supplier; or

     Note: Entry 1 of the General Software Note does not release "software" controlled by Category 5, Part 2 ("Information Security").
2. "In the public domain"; or
3. The minimum necessary "object code" for the installation, operation, maintenance (checking) or repair of those items whose export has been authorised.

Note : Entry 3 of the General Software Note does not release “software” controlled by Category 5 - Part 2 (“Information Security”).

The definition of "public domain" is given as:

"In the public domain" - General Technology Note, General Software Note, 2-22 This means "technology" or "software" which has been made available without restrictions upon its further dissemination.

Note:
Copyright restrictions do not remove "technology" or "software" from being "in the public domain".

Also, I was able to find a presentation a Canadian Firm made to TD Bank, posted here that seems to interpret this language as meaning that open source software is exempt from control:

"Open Source” Exception – permit is not required if the software containing the cryptographic function is in the public domain

They then further qualify this with the following statement:

Does not apply where open source software is combined with proprietary software – i.e. open source cryptographic program (OpenSSL, etc...) integrated as security feature in or linked into company’s proprietary software.

OpenSSL is a collection of open source crypto libraries, so this further qualification on the exception is meaning to say that closed source applications linking to open source crypto are not covered. Since this is a negating statement, the inverse must necessarily be true, that open source software linking to something like OpenSSL is covered. This is my interpretation, I have contacted the lawyer who made the presentation hoping to get clarification.

So my question is, am I interpreting this information correctly? That as long as the source is open to the public, made generally available, that one can legally "export" aka publish such a work legally without an export permit?

Mark
  • 6,722
  • 32
  • 51

1 Answers1

3

I'm posting an answer hoping it is not the final answer, but rather in the hopes that it inspires a better answer itself. The open source or "public domain" exception cited in my question has some constraints placed on it. For example, software that falls under 1-1.E.2.e, 1-1.E.2.f, 1-8.E.2.a and 1-8.E.2.b are not covered by the exception. So, here is a summary of every one of those sections, and the sections that those sections reference:

Section 1-1.E.2.e - "Technology" for the installation, maintenance or repair of materials specified by 1-1.C.1.

Section 1-1.C.1 covers Materials specially designed for use as absorbers of electromagnetic waves, or intrinsically conductive polymers, as follows:

... Not included because my software has absolutely nothing to do with materials of any kind. Entire section is about qualifying a type of material this rule applies to.

1-1.E.2.f - "Technology" for the repair of "composite" structures, laminates or materials specified by 1-1.A.2., 1-1.C.7.c. or 1-1.C.7.d.

Section 1-1.A.2 covers "Composite" structures or laminates, having any of the following:

... Not included because my software has absolutely nothing to do with materials of any kind. Entire section is about qualifying a type of material this rule applies to.

Section 1-1.C.7.c covers Ceramic-ceramic "composite" materials with a glass or oxide-"matrix" and reinforced with fibres having all of the following:

... Not included because my software has absolutely nothing to do with materials of any kind. Entire section is about qualifying a type of material this rule applies to.

Section 1-1.C.7.d covers Ceramic-ceramic "composite" materials, with or without a continuous metallic phase, incorporating particles, whiskers or fibres, where carbides or nitrides of silicon, zirconium or boron form the "matrix";

Section 1-8.E.2 Other "technology" defined as follows:

a. "Technology" for the "development", "production", repair, overhaul or refurbishing (re-machining) of propellers specially designed for underwater noise reduction;

b. "Technology" for the overhaul or refurbishing of equipment specified by 1-8.A.1., 1-8.A.2.b., 1-8.A.2.j., 1-8.A.2.o. or 1-8.A.2.p.

I've omitted copying quite a bit of text, but I kept the title/summary portions to illustrate that all of the exceptions to the open source or "public domain" exception have something to do with software related to restricted physical materials. There are some other exceptions to the general exception, notably the "Information Security" constraint, but note that the "Information Security" constraint applies specifically to Entries 1 and 3, and the open source or "public domain" exception is defined in entry 2.

Just for fun, the definition of "Information Security":

"Information security" - Cat 5P2 All the means and functions ensuring the accessibility, confidentiality or integrity of information or communications, excluding the means and functions intended to safeguard against malfunctions. This includes "cryptography", "cryptographic activation", cryptanalysis, protection against compromising emanations and computer security.

Technical Note:

'Cryptanalysis': the analysis of a cryptographic system or its inputs and outputs to derive confidential variables or sensitive data, including clear text. (ISO 7498-2-1988 (E), paragraph 3.3.18).

After reviewing each of the constraints placed on the various exceptions, I believe the spirit of the law here is to control:

  1. Closed source "Information Security" software that defines or uses cryptography, regardless of whether the linked crypto software is open source or not.

  2. Closed source or open source software that is even remotely related to the study or production of physical materials that you require an export permit for. Basically, if the program even mentions a material that you'd need an export permit for, you probably need an export permit for the software, regardless of whether it's open source or not.

Again this is not meant to be a final answer. I'm simply posting more information about the question and my thoughts on it, hoping to assist in creating a better answer than this. Plus, a whole lot of rep is going to go down the toilet without another answer. :)