Joab Jackson of Government Computer News reported on comments made by the Office of the Secretary of Defense's Daniel Risacher at the Red Hat Government Users and Developers conference on October 8, 2008. Mr. Risacher told the audience that the Department of Defense intends to release a memorandum, possibly in early November, to clarify DOD's policy on the use of open source software. The memo will distinguish open source software from freeware and shareware, which DOD Instruction 8500.2 says DOD should not use due to DOD's inability to obtain source code and regular and routine maintenance for freeware and shareware. In these respects, Mr. Risacher noted, open source software is not akin to freeware or shareware at all, and is perhaps even preferable to commercial-off-the-shelf (COTS) software, as access to source code is free of most proprietary restrictions and maintenance of open source software is often provided free of charge.
Mr. Risacher went on to explain that the memo will also encourage the US Government to contribute source code back into the open source projects, insofar as:
- the government has the rights to the code;
- release of the code is in the best interests of the government; and
- sharing the code does not violate any other government restrictions - like the International Traffic in Arms Regulations (ITAR).
Here, the ITAR will not pose an obstacle. The ITAR defines software as technical data at 120.10(a)(4). At 125.4(b)(13), the ITAR empowers the cognizant US Government department or agency to publicly release technical data in any form. Per 120.11(a)(7), any such technical data publicly released is in the public domain. The ITAR permits the US Government to contribute source code to the public domain. It would be helpful to industry if the US Government tagged the data as publicly released via 125.4(b)(13) at those times the government chooses to contribute otherwise ITAR-controlled source code to open source projects.
The more substantial burden to the government's prospective contributions is posed by the Export Administration Regulations (EAR). Per EAR's 740.13(e)(3), for encryption software or source code that would be controlled under ECCNs 5D002 or 5E002, respectively, notice must be sent to the Bureau of Industry and Security (BIS) and the ENC Encryption Request Coordinator at or before the time action is taken to make the software or source code publicly available. The notification must include either the internet location of the software or source code or a hardcopy of the source code. Moreover, BIS and the ENC Encryption Request Coordinator must be kept apprised of any changes to the source code if a hardcopy is provided and, if instead an internet location is provided, each time the internet location changes. Failure to comply with the notification requirements blocks access to license exception TSU and results in violation of the EAR for release of 5D002 software and/or 5E002 software to foreign persons without a license. BIS does not make available a list of internet locations of encryption software and source code notified and qualifying for license exception TSU, so it would be helpful if the government tagged the data as available for license exception TSU when the notification requirements have been satisfied.
Ironically, the ITAR would permit the government to publicly release military-strength encryption software categorized under USML Category XIII without additional requirements. Only the EAR's controls on strong commercial encryption software would require the government to fulfill an obligation to avoid violation of other government restrictions. It will be interesting to see if and how the DOD memo takes into account these different control regimes.