Not with a bang, but a whimper. That's how Daniel Bernstein's fight with
the federal government over cryptography regulations has wound to a
close. It is an unsatisfying
end to the eight years of court battles over the constitutionality
of export restrictions on cryptography.
Bernstein may be
better-known to the community as the author of qmail, djbdns, ezmlm and a number of other
popular (if not quite free) packages. Bernstein, now an associate professor in the Department of Mathematics,
Statistics, and Computer Science at the University of Illinois, first
filed suit against the Department of State in 1995.
Before the first suit was filed, Bernstein was a PhD candidate working
in the field of cryptography at the University of California at
Berkeley. Bernstein had produced "Snuffle," a private-key encryption
system, and in June 1992 requested a
decision from the Department of State as to whether
the source code could be published on the "sci.crypt" newsgroup. The
that Snuffle was a "defense item" and Bernstein would need licenses for
export of Snuffle. After additional correspondence over the next three
years, Bernstein and the Electronic
Frontier Foundation filed suit against the
Department of State and a number of individuals. Bernstein argued
that the International Traffic In Arms Regulations (ITAR) requiring
licensing for export of cryptographic software were unconstitutional.
The Bernstein case produced a landmark
ruling that recognized code as a form of speech. The Department of State
asked Judge Marilyn Hall Patel to dismiss the case, arguing (among other
things) that export controls on encryption software do not constitute a
prior restraint of free speech. Patel, in refusing to dismiss the case,
issued an opinion holding that source code is to be protected as speech under the First Amendment:
"This court can find no meaningful difference between computer language,
particularly high-level languages as defined above, and German or
French...Like music and mathematical equations, computer language is
just that, language, and it communicates information either to a
computer or to those who can read it...For the purposes of First
this court finds that source code is speech."
Patel's ruling was the first that recognized source code as speech with
regard to consideration under the First Amendment. Courts had
previously recognized code as something that could be protected under copyright
law, but not as communication to be protected under the First Amendment.
Eventually, Bernstein won his case against the Department of State, with
Patel agreeing with Bernstein in 1996 that the regulations were
The victory, however, was short-lived. Regulation of encryption shifted
from the Department of State
under ITAR to the Commerce Department and a new set of regulations, the
Export Administration Regulations (EAR). Bernstein challenged EAR, and
Patel also found that the EAR was
unconstitutional and enjoined the Department of State and the Commerce
Department from enforcing it.
The government appealed and the Ninth Circuit upheld Patel's decision,
finding that "encryption software, in its source code form and as
employed by those in the field of cryptography, must be viewed as
After failed appeals, the government changed the regulations and the
case was remanded back to Patel. Instead of requiring Bernstein or other
crypto researchers to acquire a license for every viewer of the
information, the government now wanted encryption items sent to the
Bureau of Industry and Security (BIS) for export approval. However, the
changes in EAR were
still not satisfactory to Bernstein or the EFF, and the legal battles
Unfortunately, in the U.S. judicial system, it is apparently not enough
to merely show that a particular law may be unconstitutional. One must
also show that the law in question may be used against you. Patel
dismissed Bernstein's case against the Department of Commerce on July 28
of this year for lack of standing. Patel also dismissed Bernstein's case
against the Department of State last week, after the Bush administration
said it would not attempt to enforce some of the encryption export
Though Bernstein seems safe from prosecution, at least at the moment,
the problem is that the export regulations remain on the books. There is
nothing stopping the government from prosecuting others for violation of
EAR at this time. Anyone seeking to export "encryption software" to any
country other than Canada must seek a license from the Commerce
Department, barring encryption software used for "authentication or
digital signature" functions alone.
Since this includes any distribution of software online, and even
"technical assistance" with the development of encryption software
subject to EAR, the EAR restrictions continue to pose at least a
potential threat to open source developers working with encryption in
the U.S. Violations of EAR could result in fines of up to $250,000 or
ten years in prison, so the threat is not one to be taken lightly.
While it would be nice to believe that the regulations will be
unenforced, it would have been a much better result if Bernstein could
have succeeded in having them thrown out entirely. For now, we will have
to settle for a partial victory.
The European Union Interchange of Data between Administrators project has
(with the help of NetProject) published a document on how to migrate over
to open source software. This document is available as a 148-page
Much of this document will seem like basic common sense to many readers.
Remember, however, that the target readership is high-level
management, and one should not make too many assumptions with that crowd.
Thus, for example, we have suggestions like "have a clear understanding of
the reasons to migrate," "start with non-critical systems," and "ensure
that there is active support for the change from IT staff and users." All
of which is undoubtedly good advice.
The guidelines repeatedly suggest that, even if no changes are foreseen in
the near future, it is still a good idea to avoid doing things that would
make such a change harder in the future. Thus, web pages should be written
to work with all browsers, excessive use of scripts and macros in documents
should be avoided, standard file formats should be used, etc. This
suggestion, by itself, would make life a lot easier for many people even
if they never switch to free software.
The guidelines make specific suggestions for software to migrate to.
These include OpenOffice.org (best Office replacement, can run on Windows),
Evolution, Galeon (or Mozilla if it has to run on Windows too), MySQL, Exim
(Postfix is "an acceptable alternative"), PhpGroupWare, Apache, and Zope.
The report recommends GNOME over KDE ("netproject considers that
[GNOME] has a better architecture and believes it has a better
A great many migration scenarios are provided; here the guidelines begin to
resemble a system administration book. If you are looking for instructions
on how to export your Access data for ingest into MySQL or how to convert
your Word templates, this document has something for you. As a general
rule, the information provided will not be sufficient for those who do not
already have some expertise in making this sort of transition. It does,
however, show that the transition is possible and highlight some of the
The document concludes with 50 pages of appendices. There is a lengthy
list of available case studies, a detailed description of how mail systems
are put together, some fairly useless tables of package versions, a Red Hat
kickstart file for installing systems using the French language, and a
The Open Source Migration Guidelines may well prove to be a useful document
for managers trying to plan (or decide on) a change to free software in
their organizations. Its real value, however, may be found in a different
area. What the Guidelines provide is a convincing demonstration that this
transition can be done, and that the required tools exist. And that may be
what many people pondering free software need more than anything else.
There have been a few developments in the SCO case over the last week or
so; time to check in and see what they are up to.
Much noise was made about the $50 million equity investment that the
company received. This money was presented as being from BayStar, a
venture capital firm. In fact, BayStar was the minority investor, having
put in $20 million. The rest came from the Royal Bank of Canada.
This is not a straightforward equity investment. The investors will be
getting "Series A convertible preferred stock," which brings no voting
rights. The holders of the stock do, however, get veto power over a number
of possible corporate actions, including taking on large debts or sales of
assets. The preferred stock can be converted to common stock at
$16.93/share whenever the investors wish. The investors can also force SCO
to buy back the stock (with cash) under certain conditions, including delisting of the
stock or financial problems that suggest bankruptcy is near.
After one year, SCO must pay an 8% dividend on the preferred stock; that
dividend goes up 2% per year to a maximum level of 12%. Starting next
year, SCO will have to come up with $4 million in cash flow to service
this dividend requirement.
In summary, SCO has tied itself to an investment scheme that is rather
more expensive than a straightforward stock issue would have been. For
those who are interested, the
full agreement is online at the SEC.
Meanwhile, in the courtrooms, the story is mostly one of motions going back
and forth. The company has submitted a new brief in support of its motion
to dismiss the Red Hat suit; this brief has been analyzed
in great detail over at Groklaw. Suffice it to say that PJ was not
particularly impressed. We'll not duplicate the analysis on Groklaw, but
there is one paragraph (from the opening page) which is worthy of note:
"Red Hat, despite the complete absence of any ownership rights
whatsoever in the Linux kernels, seeks a declaration that these
Linux kernels do not infringe SCO's intellectual property rights.
Similarly, Red Hat seeks redress based upon Lanham Act and state
law claims, despite the fact that the Linux kernel is provided to
any and all comers for free. This lack of ownership, combined with
a careful review of complete quotations and accurate statements of
law, makes clear that Red Hat's claims must fail."
A quick grep through the kernel source turns up an awful lot of Red Hat copyright statements.
Red Hat indisputably has ownership rights in the
Linux kernel. The fact that the relevant code has been placed under a
license that allows free redistribution under certain conditions does not
change that fact.
What is going on here is that the SCO Group, despite its ongoing bluster
about intellectual property rights, is trying to deprive those who have
contributed to the Linux kernel of their rights. This denial of Red
Hat's rights goes along with SCO's attacks on the GPL. SCO would like
nothing better than to invalidate all rights on the kernel - except, of
course, those it claims to own itself. As long as others have rights to
the kernel and the GPL holds, SCO cannot make a serious go at a general
The court records in Delaware show that SCO has filed to change its legal
representation in the Red Hat case. Such a change in the middle of an
ongoing case is generally unexpected. According to Groklaw,
SCO is using some of its BayStar money to trade up to a higher-class,
better-connected law firm.
In Utah, SCO is trying to fight (or at least delay) IBM's "motion to
compel" the company to disclose the exact nature of its claims. From IBM's
latest filing opposing a request from SCO for a delay:
"There is nothing for SCO to say in response to IBM's motion except
that it will provide all of the information IBM has requested. As
stated in IBM's motion, SCO does not claim the right to withhold
responsive information based on any of its boilerplate objections
to these interrogatories. By contrast, further delay will compound
the prejudice imposed upon IBM by SCO's delay of more than three
months. This case has been pending more than seven months, and SCO
has still failed to disclose what its claims are about."
See Groklaw (where else?) for the details.
SCO has a new agreement with Boies, Schiller & Flexner, the law
firm representing it in the IBM case. The
company's recent 8K filing describes the new deal:
As part of this modification, which is subject to a definitive
agreement, the law firm would receive a contingent fee of 20
percent of the proceeds from certain events related to its
protection of SCO's intellectual property rights, including certain
licensing fees, settlements, judgments, equity financings or a sale
of SCO during the pendency of litigation or through settlement,
subject to certain agreed upon credits for amounts received as
discounted hourly fees or prior contingency payments. In addition,
this modification may result in the payment to such law firm of up
to $1,000,000 and the issuance of up to 400,000 shares of SCO's
In other words, Boies et al. are no longer willing to work for a straight
contingency deal. The 20% fee could yet be lucrative - it is not clear
whether it includes the $50 million from BayStar and RBC - but Boies
is now getting $1 million and almost $7 million worth of stock as
well regardless of the outcome of any litigation. SCO's lawyers win
whether their client does or not.
The 8K filing also notes that Microsoft has pumped another $8 million
worth of "licensing fees" into SCO.
SCO has backed down from its threats to "cancel" SGI's Unix license. At
the latest conference call, Darl McBride noted that SCO was happy with the
(about 200 lines) of code that SGI has removed from the kernel; he seems to
have stopped talking about the XFS filesystem. Mr. McBride also, in
response to a question, stated that SCO did not have any other Unix vendors
in its sights. He did, however, make a rather chilling statement about
SCO's several thousand end-user Unix licensees. There is, apparently,
something in those contracts which makes those users - if they also use
Linux - look like especially tempting targets. SCO remains a good company
to avoid signing contracts with.
As described in this FFII
, the software patent proposal recently voted in the European
Parliament may yet get pushed aside. "If UK ministers cannot be
convinced otherwise before 10 November, it is believed they will push for
the Council to adopt a November 2002 draft text, which is even worse than
the infamous McCarthy report. The European Parliament's rules for second
reading make it very difficult for MEPs to fix a bad text from the
" There will be a meeting of "patent officials from across
Europe" held on October 23 to work out the next steps for the
establishment of software patents in Europe. FFII is requesting that
everybody who can do so contact their (national) Parliament members to help them
understand why software patents are a bad idea. This battle is not yet
over. (Thanks to James Heald)
Page editor: Jonathan Corbet