Building And Integrating Virtual Private Networks With Openswan (2006).pdf
Chapter 1

Further Reading

This book is not about politics. Software should not be about politics. If you are interested in these historical and political matters, we can recommend some excellent books that deal with these subjects.

Firstly, the following table lists some very useful non-fiction guides:

Crypto: How the Code Rebels Beat the Government—Saving Privacy in the Digital Age
Steven Levy, Diane Pub Co, ISBN 0-7567-5774-6.
This book gives an excellent overview of the history and politics surrounding modern cryptography and software. (Another book by Levy, 'Hackers', gives a similar overview for computer technology in general.)

Secrets and Lies: Digital Security in a Networked World
Bruce Schneier, Hungry Minds Inc, ISBN 0-471-45380-3.
This book talks about the true and false claims and thoughts behind using cryptography.

Database Nation: The Death of Privacy in the 21st Century
Simson Garfinkel, O'Reilly, ISBN 0-596-00105-3.
This book shows the danger of the information age and the massive collecting of the digital bits of our lives and the mistakes made with this data.

Cracking DES: Secrets of Encryption Research, Wiretap Politics and Chip Design
Electronic Frontier Foundation, O'Reilly, ISBN 1-56592-520-3.
The story behind the building of the DES Cracker machine.

And if you want some engaging bedtime reading, try the books on the following list:

1984
George Orwell, Penguin Books Ltd, ISBN 0-14-012671-6.
A classic you should have read by now.

True Names
Vernor Vinge, Tor Books, ISBN 0-312-86207-5.
A story about anonymity written before the Internet was invented.

Fahrenheit 451
Ray Bradbury, Voyager, ISBN 0-00-718170-1.
The classic about information restriction.

Cryptonomicon
Neal Stephenson, Arrow, ISBN 0-09-941067-2.
A story about information 'havens' and the use of crypto. (Another recommended book by Stephenson is The Diamond Age.)

Using Openswan

If reading about the politics and license issues has made you nervous about the legality of your use of Openswan, do not worry. The following section will explain the legalities of Openswan, though you should not read this section as a replacement for the advice of a skilled lawyer. Treat it more as the basic information you would supply to your lawyer to determine your specific case.

Introduction

If you are in doubt whether or not it is legal for you to use Openswan, consult a lawyer!

Copyright and License Conditions

Openswan is based in large part on FreeS/WAN. The copyright of that code lies with the respective developers, who all released their code under the GNU Public License. All the patches to FreeS/WAN are copyright of the respective authors and released under the GPL. New Openswan code written by Xelerance is copyright of Xelerance, and is also released under the GPL.

The GPL does not discriminate against use. Anyone is encouraged to use this software as they see fit, whether for a homebrew VPN or a nuclear power plant. As programmers, we, the authors of this book, believe that we do not have the skills, nor should we have the authority, to distinguish rebels from freedom fighters or insurgents from dissidents. We provide the tools; it is society's responsibility to provide the ethical framework. Should we limit our own freedom to grow out of fear that someone might use our software for something bad? Should we never have picked up those stones to make tools because some of us would use them as weapons? Should the toolmaker dictate what goals are righteous? If we limit the use of our cryptography to certain people, how much different would that be from the movie studios telling us in which country, using what vendors and software we can play our purchased movie? Should your car agree with your destination? Precisely some of these concerns about individual freedoms were originally behind the project to bring IPsec to the Linux kernel.

Writing and Contributing Code

Since Openswan is released under the GPL, any modifications or additions to the code that are distributed will have to be released under the same license, the GPL. Though you could also release modifications under a BSD license, as soon as the code is incorporated into Openswan, it is (as the BSD license allows) re-released under the GPL. Failure to comply with the GPL will mean that you no longer have the legal right to use or distribute Openswan at all.

Though at first this might seem simple and straightforward, there can be some additional hassle. What if you just received a patch to Openswan from a vendor under a Non-Disclosure Agreement (NDA)? Are you allowed to publish this patch? Probably not, as you would be violating the NDA with the vendor and be in violation of your contract, a civil offense. Of course, in this (unfortunately not so hypothetical) case, the vendor is actually violating the GPL and could be sued by any of the copyright holders of Openswan even if they have no business relationship with the vendor. The vendor has also committed a civil offense. The third party clause in the GPL guarantees that copyright holders can sue whoever is responsible for violations without having been a victim of that violation personally. If a copyright holder who has signed an NDA finds that the copyright has been violated, the copyright holder—whether it is a company or an individual—could probably sue since a contract can never be used as a protection scheme against a civil offense.

It is therefore important to realize that if you distribute GPL code in binary-only form, and you cannot release the source code—for instance, because you yourself bought the code as binary-only—you are still violating the GPL, and you can be sued and restrained from using Openswan in your products by a court. So those who are thinking of implementing certain hardware IPsec accelerators for Openswan, of which they cannot redistribute the patches, should definitely have a long talk with their lawyers.

Legality of Using Openswan

If you release a new product based on Openswan (or any other GPL software for that matter), you are quite free to ship Openswan on the CD of your new product—as long as you meet the GPL license requirements such as supplying the Openswan source code to any interested party.

However, there might be other laws that apply to you. Different countries have varying legal requirements, since many countries consider cryptography as munitions, as a weapon. So even though the copyright holders of Openswan say you can use it, your government, or a completely different government or international body, might deem that you may not use it. So the first thing to do is to check whether your own government allows you to use cryptography.

A survey in 1999 by the Electronic Privacy Information Center (EPIC) found the following countries limit the use of cryptography by their own citizens: Belarus, China, Israel, Kazakhstan, Pakistan, Russia, Saudi Arabia, Singapore, Tunisia, Vietnam, and Venezuela. France and Belgium were on this list for a long time, and the US allow their citizens to use cryptography, but if it is used to commit an offense, the use of cryptography itself is an offense on its own. Countries on this list probably also restrict or ban the import of cryptographic software.

You should also be aware that some Western governments are considering a ban on crypto as part of anti-terrorist measures, so be sure to get up-to-date information from your government.

International Agreements

Apart from national law, whether or not you may use or export cryptography also depends on international treaties that countries adhere to. International treaties that may apply to your country are the 1886 Bern Convention on copyrights (though it was last amended in 1979), the 1995 Wassenaar Arrangement on the export restrictions of munitions to 'Evil Regimes', amended in 1998 to get an additional section on cryptography guidelines, and the European Union Dual-Use Export laws. Then there are also recommendations and guidelines from the Organization for Economic Cooperation and Development (OECD), the European Union, the G-7/G-8, the Council of Europe, the Organization for Security and Co-operation in Europe (OSCE but also sometimes called OVSE) and perhaps the UN Security Council has issued a specific resolution boycotting your country from receiving munitions, which would include cryptographic software.

Probably the most relevant international agreement is the Wassenaar Arrangement, which has a special exemption in the General Software Notes, entry 2, for software which is in 'the public domain'. The use of public domain should probably be interpreted as "readily available at no cost". This would seem to include Openswan.

The list of restricted countries varies between the various international agreements, partially as a result of the Wassenaar Arrangement that dictated the individual countries are responsible for implementing the Arrangement in local law. Sometimes, a country is not completely banned, but a separate export license is required before you can export cryptography to those restricted countries. The list of restricted countries at this point probably includes Cuba, Iran, Iraq, Libya, North Korea, Sudan, Syria and strangely enough international organizations such as the United Nations. But again, the implementation of the Wassenaar Arrangement varies from country to country, so check the export laws of your own country.

For example, the following countries have listed extra restrictions on top of the Wassenaar Arrangement: Australia, France, New Zealand, Russia, and the US.

The Wassenaar Arrangement website has a convenient list of countries and contact information for their respective government departments that deal with export.

So far, we have only covered the receiver of the cryptographic software. But there is also law that applies to the export of cryptographic software in the country of the sending party.

International Law and Hosting Openswan

Xelerance is a company incorporated under Canadian law. Distribution of the code happens from servers located in the Netherlands, therefore Dutch export law applies. Xelerance still needs to adhere to export restrictions on crypto code. It is legal to export cryptographic code from Canada to The Netherlands.

Xelerance does not own the copyright on all the code in Openswan. We can only speak for the parts that are copyrighted by Xelerance. But as far as we know, no separately copyrighted code by US individuals or companies is included. And even if some lines were written by US citizens, Canadian law seems to dictate that software is Canadian if more than 50% of the code has been written by Canadians, a requirement that Openswan easily satisfies.

Xelerance, however, cannot be held responsible for where the code is exported to, since the code is free software. The Netherlands and Canada signed the Wassenaar Agreement, which exempts 'public domain' software. The Netherlands also complies with the European Union Dual-Use Export laws. As far as we know, we are not violating any export laws, meaning that whoever downloads Openswan cannot be accused of assisting in an export violation.

Unrecognized International Claims

Certain countries claim jurisdiction even outside their national borders. Most notably, France claims the right to regulate information on foreign servers, Italy assumes jurisdiction over sites directed to an Italian audience, and the US reserves the right to prosecute offenses against American interests according to US law irrespective of where they take place.

You may want to consider the possibility that you can be sued or prosecuted in another country. Additionally, if you are physically in a country other than the Netherlands when you download our software, you are probably subject to that country's jurisdiction anyway.
