LWN.net Weekly Edition for October 23, 2003

Bernstein wins, sort of

October 22, 2003

This article was contributed by Joe 'Zonker' Brockmeier.

Not with a bang, but a whimper. That's how Daniel Bernstein's fight with the federal government over cryptography regulations has wound to a close. It is an unsatisfying end to the eight years of court battles over the constitutionality of export restrictions on cryptography.

Bernstein may be better known to the community as the author of qmail, djbdns, ezmlm and a number of other popular (if not quite free) packages. Bernstein, now an associate professor in the department of Mathematics, Statistics, and Computer Science at the University of Illinois, first filed suit against the Department of State in 1995.

Before the first suit was filed, Bernstein was a PhD candidate working in the field of cryptography at the University of California at Berkeley. Bernstein had produced "Snuffle," a private-key encryption system, and in June 1992 requested a decision from the Department of State as to whether the source code could be published on the "sci.crypt" newsgroups. The response was that Snuffle was a "defense item" and that Bernstein would need licenses to export it. After additional correspondence over the next three years, Bernstein and the Electronic Frontier Foundation filed suit against the Department of State and a number of individuals. Bernstein argued that the International Traffic In Arms Regulations (ITAR) requiring licensing for export of cryptographic software were unconstitutional.

The Bernstein case produced a landmark ruling that recognized code as a form of speech. The Department of State asked Judge Marilyn Hall Patel to dismiss the case, arguing (among other things) that export controls on encryption software do not constitute a prior restraint of free speech. Patel refused to dismiss the case and issued an opinion holding that source code is protected as speech under the First Amendment:

This court can find no meaningful difference between computer language, particularly high-level languages as defined above, and German or French...Like music and mathematical equations, computer language is just that, language, and it communicates information either to a computer or to those who can read it...For the purposes of First Amendment analysis, this court finds that source code is speech.

Patel's ruling was the first to recognize source code as speech for purposes of the First Amendment. Courts had previously recognized code as something that could be protected under copyright law, but not as communication to be protected under the First Amendment. Eventually, Bernstein won his case against the Department of State, with Patel agreeing with Bernstein in 1996 that the regulations were unconstitutional.

The victory, however, was short-lived. Regulation of encryption shifted from the Department of State under ITAR to the Commerce Department and a new set of regulations, the Export Administration Regulations (EAR). Bernstein challenged EAR, and Patel also found that the EAR was unconstitutional and enjoined the Department of State and the Commerce Department from enforcing it.

The government appealed and the Ninth Circuit upheld Patel's decision, finding that "encryption software, in its source code form and as employed by those in the field of cryptography, must be viewed as expressive."

After failed appeals, the government changed the regulations and the case was remanded back to Patel. Instead of requiring Bernstein or other crypto researchers to acquire a license for every viewer of the information, the government now wanted encryption items sent to the Bureau of Industry and Security (BIS) for export approval. However, the changes in EAR were still not satisfactory to Bernstein or the EFF, and the legal battles continued.

Unfortunately, in the U.S. judicial system, it is apparently not enough to merely show that a particular law may be unconstitutional. One must also show that the law in question may be used against you. Patel dismissed Bernstein's case against the Department of Commerce on July 28 of this year for lack of standing. Patel also dismissed Bernstein's case against the Department of State last week, after the Bush administration said it would not attempt to enforce some of the encryption export regulations.

Though Bernstein seems safe from prosecution, at least at the moment, the problem is that the export regulations remain on the books. There is nothing stopping the government from prosecuting others for violation of EAR at this time. Anyone seeking to export "encryption software" to any country other than Canada must seek a license from the Commerce Department, barring encryption software used for "authentication or digital signature" functions alone.

Since this includes any distribution of software online, and even "technical assistance" with the development of encryption software subject to EAR, the EAR restrictions continue to pose at least a potential threat to open source developers working with encryption in the U.S. Violations of EAR could result in fines of up to $250,000 or ten years in prison, so the threat is not one to be taken lightly.

While it would be nice to believe that the regulations will be unenforced, it would have been a much better result if Bernstein could have succeeded in having them thrown out entirely. For now, we will have to settle for a partial victory.


The EU Open Source Migration Guidelines

The European Union Interchange of Data between Administrators project has (with the help of NetProject) published a document on how to migrate over to open source software. This document is available as a 148-page PDF file.

Much of this document will seem like basic common sense to many readers. Remember, however, that the target readership is high-level management, and one should not make too many assumptions with that crowd. Thus, for example, we have suggestions like "have a clear understanding of the reasons to migrate," "start with non-critical systems," and "ensure that there is active support for the change from IT staff and users." All of which is undoubtedly good advice.

The guidelines repeatedly suggest that, even if no changes are foreseen in the near future, it is still a good idea to avoid doing things that would make such a change harder in the future. Thus, web pages should be written to work with all browsers, excessive use of scripts and macros in documents should be avoided, standard file formats should be used, etc. This suggestion, by itself, would make life a lot easier for many people even if they never switch to free software.

The guidelines make specific suggestions for software to migrate to. These include OpenOffice.org (best Office replacement, can run on Windows), Evolution, Galeon (or Mozilla if it has to run on Windows too), MySQL, Exim (Postfix is "an acceptable alternative"), PhpGroupWare, Apache, and Zope. The report recommends GNOME over KDE ("netproject considers that [GNOME] has a better architecture and believes it has a better future").

A great many migration scenarios are provided; here the guidelines begin to resemble a system administration book. If you are looking for instructions on how to export your Access data for ingest into MySQL or how to convert your Word templates, this document has something for you. As a general rule, the information provided will not be sufficient for those who do not already have some expertise in making this sort of transition. It does, however, show that the transition is possible and highlight some of the potential pitfalls.

The document concludes with 50 pages of appendices. There is a lengthy list of available case studies, a detailed description of how mail systems are put together, some fairly useless tables of package versions, a Red Hat kickstart file for installing systems using the French language, and a glossary.

The Open Source Migration Guidelines may well prove to be a useful document for managers trying to plan (or decide on) a change to free software in their organizations. Its real value, however, may be found in a different area. What the Guidelines provide is a convincing demonstration that this transition can be done, and that the required tools exist. And that may be what many people pondering free software need more than anything else.


Catching up with SCO

There have been a few developments in the SCO case over the last week or so; time to check in and see what they are up to.

Much noise was made about the $50 million equity investment that the company received. This money was presented as being from BayStar, a venture capital firm. In fact, BayStar was the minority investor, having put in $20 million. The rest came from the Royal Bank of Canada.

This is not a straightforward equity investment. The investors will be getting "Series A convertible preferred stock," which brings no voting rights. The holders of the stock do, however, get veto power over a number of possible corporate actions, including taking on large debts or sales of assets. The preferred stock can be converted to common stock at $16.93/share whenever the investors wish. The investors can also force SCO to buy back the stock (with cash) under certain conditions, including delisting of the stock or financial problems that suggest bankruptcy is near.

After one year, SCO must pay an 8% dividend on the preferred stock; that dividend goes up 2% per year to a maximum level of 12%. Starting next year, SCO will have to come up with $4 million in cash flow to service this dividend requirement.

In summary, SCO has tied itself to an investment scheme that is rather more expensive than a straightforward stock issue would have been. For those who are interested, the full agreement is online at the SEC.

Meanwhile, in the courtrooms, the story is mostly one of motions going back and forth. The company has submitted a new brief in support of its motion to dismiss the Red Hat suit; this brief has been analyzed in great detail over at Groklaw. Suffice it to say that PJ was not particularly impressed. We'll not duplicate the analysis on Groklaw, but there is one paragraph (from the opening page) which is worthy of note:

Red Hat, despite the complete absence of any ownership rights whatsoever in the Linux kernels, seeks a declaration that these Linux kernels do not infringe SCO's intellectual property rights. Similarly, Red Hat seeks redress based upon Lanham Act and state law claims, despite the fact that the Linux kernel is provided to any and all comers for free. This lack of ownership, combined with a careful review of complete quotations and accurate statements of law, makes clear that Red Hat's claims must fail.

A quick grep through the kernel source turns up an awful lot of Red Hat copyright statements. Red Hat indisputably has ownership rights in the Linux kernel. The fact that the relevant code has been placed under a license that allows free redistribution under certain conditions does not change that fact.

What is going on here is that the SCO Group, despite its ongoing bluster about intellectual property rights, is trying to deprive those who have contributed to the Linux kernel of their rights. This denial of Red Hat's rights goes along with SCO's attacks on the GPL. SCO would like nothing better than to invalidate all rights on the kernel - except, of course, those it claims to own itself. As long as others have rights to the kernel and the GPL holds, SCO cannot make a serious go at a general Linux tax.

The court records in Delaware show that SCO has filed to change its legal representation in the Red Hat case. Such a change in the middle of an ongoing case is generally unexpected. According to Groklaw, SCO is using some of its BayStar money to trade up to a higher-class, better-connected law firm.

In Utah, SCO is trying to fight (or at least delay) IBM's "motion to compel" the company to disclose the exact nature of its claims. From IBM's latest filing opposing a request from SCO for a delay:

There is nothing for SCO to say in response to IBM's motion except that it will provide all of the information IBM has requested. As stated in IBM's motion, SCO does not claim the right to withhold responsive information based on any of its boilerplate objections to these interrogatories. By contrast, further delay will compound the prejudice imposed upon IBM by SCO's delay of more than three months. This case has been pending more than seven months, and SCO has still failed to disclose what its claims are about.

Again, see Groklaw (where else?) for the details.

SCO has a new agreement with Boies, Schiller & Flexner, the law firm representing it in the IBM case. The company's recent 8K filing describes the new deal:

As part of this modification, which is subject to a definitive agreement, the law firm would receive a contingent fee of 20 percent of the proceeds from certain events related to its protection of SCO's intellectual property rights, including certain licensing fees, settlements, judgments, equity financings or a sale of SCO during the pendency of litigation or through settlement, subject to certain agreed upon credits for amounts received as discounted hourly fees or prior contingency payments. In addition, this modification may result in the payment to such law firm of up to $1,000,000 and the issuance of up to 400,000 shares of SCO's common stock.

In other words, Boies et al. are no longer willing to work for a straight contingency deal. The 20% fee could yet be lucrative - it is not clear whether it includes the $50 million from BayStar and RBC - but Boies is now getting $1 million and almost $7 million worth of stock as well regardless of the outcome of any litigation. SCO's lawyers win whether its client does or not.

The 8K filing also notes that Microsoft has pumped another $8 million worth of "licensing fees" into SCO.

SCO has backed down from its threats to "cancel" SGI's Unix license. At the latest conference call, Darl McBride noted that SCO was happy with the code (about 200 lines) that SGI has removed from the kernel; he seems to have stopped talking about the XFS filesystem. Mr. McBride also, in response to a question, stated that SCO did not have any other Unix vendors in its sights. He did, however, make a rather chilling statement about SCO's several thousand end-user Unix licensees. There is, apparently, something in those contracts which makes those users - if they also use Linux - look like especially tempting targets. SCO remains a good company to avoid signing contracts with.


Time for another Europatent push

As described in this FFII alert, the software patent proposal recently voted in the European Parliament may yet get pushed aside. "If UK ministers cannot be convinced otherwise before 10 November, it is believed they will push for the Council to adopt a November 2002 draft text, which is even worse than the infamous McCarthy report. The European Parliament's rules for second reading make it very difficult for MEPs to fix a bad text from the Council." There will be a meeting of "patent officials from across Europe" held on October 23 to work out the next steps for the establishment of software patents in Europe. FFII is asking everybody who can to contact their (national) Parliament members and help them understand why software patents are a bad idea. This battle is not yet over. (Thanks to James Heald)


Page editor: Jonathan Corbet


Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds