Re: Exporting Issues related with US laws

2007-08-22 Thread Dererk
Hi again!

Guys, I'm really thankful you took the time to spend on this matter!!

I'm going to contact the developer and bring him up to date with this
thread.
Hope he may join us and make the situation a bit clearer for all, and
offer his help this way.

Meanwhile, thanks a *lot* for all your time and have a nice day.

Greetings!


Dererk
-- 
[EMAIL PROTECTED]: ~$ grep -ir 'power in your hands' /proc/
/proc/version: Debian GNUine Perception

BOFH excuse #359
 YOU HAVE AN I/O ERROR - Incompetent Operator error.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Exporting Issues related with US laws

2007-08-20 Thread Dererk

Hello there!


I would like to ask you for help again, now with something that was
around in Debian a few years ago: US exporting laws.

The developer of a software I'm about to package, faced the problem of
exporting cryptography libraries outside the US, he finally turned out
his view and he will make his main repository available outside the
US, punctually in the U.K.

But now, the problem goes back to us, when having mirrors in the US,
mirroring outside the whole world.

I paste here the full paper in which the developer faces this
concern.  (Link http://dpfp.berlios.de/wikka.php?wakka=ExportIssuesLegal)

Now, here are the questions, How does it affect us? What could we do?


  Export control issues


This is a copy of the document I am sending on to legal types in hope
of getting reliable advice on the situation here. For more general
info, see ExportIssuesFAQ:
http://dpfp.berlios.de/wikka.php?wakka=ExportIssuesFAQ


INTRO


libdpfp is a software project which aims to develop support for
fingerprint scanning and matching using hardware manufactured by
DigitalPersona. The end
result would mean (amongst other possibilities) that users are able to
optionally login with a fingerprint instead of, or perhaps in addition
to, their password.

The current libdpfp homepage is: http://dpfp.berlios.de

These fingerprint scanners are only simple imaging devices. Any
analysis of the fingerprint images (e.g. to decide whether two prints
are from the same finger or not) must be performed on the host computer.

Therefore, to become a useful piece of software, libdpfp must
implement functionality for both downloading of images from the device
*and* performing comparison/matching operations on such images.

libdpfp is being developed as an open-source software project. In this
style, all source code for the software is released to the public with
no royalties. The licensing model for this software encourages users
to redistribute and modify the software and generally only implies
restrictions to preserve the open nature of the software. This
development model encourages transparency, high software quality, and
collaborative community-based development.

The license chosen for this software is the GNU Lesser General Public
License, version 2.1 (February 1999). The exact license text can be
found at:
http://www.gnu.org/licenses/lgpl.html

Under this model, the software is published in both source and binary
(compiled object code) forms on the internet. Downloads of this
software are unrestricted and the license does not place any
restrictions on the usage of the software. License acceptance is only
required for distribution (under copyright law you do not have any
distribution rights without the license).

libdpfp can be viewed as a prototype for a future software project of
increased scope. libdpfp is written specifically for one type of
fingerprinting hardware from one manufacturer, however there are many
other devices on the market which are currently not well supported on
open-source operating systems such as Linux and FreeBSD. Once libdpfp is
usable for both image capture and fingerprint matching, I plan to
start a new project which will support a whole variety of fingerprint
readers on these operating systems.

As a sidenote, I am now in a position to start this new project,
however these legal concerns are barring both the publication of a
feature-complete version of libdpfp and any distribution of any new
project based on it.

I do not believe that I am currently in any trouble, as there have
been no fully-functional releases of libdpfp. Existing releases can
only download fingerprint images from the hardware and perform basic
enhancement, no fingerprint matching is offered at this time. I do
have fingerprint matching implemented locally but I do not plan to
distribute this new version until the legal issues are understood.

Although there have been a few other small code contributions, libdpfp
has been primarily developed by myself. All development has been
carried out in my spare time, and I don't expect to make any money
from this software. The only sponsorship received so far has been from
community members who have donated fingerprint readers to aid development.


POTENTIAL ISSUES WITH EXPORT CONTROL


The legal issues which I am concerned about are concerning US export
control regulations.

The most challenging part of libdpfp development has been developing
code to compare one fingerprint image with another. This is a larger
problem than it may sound, as the fingerprint images must be
considerably enhanced before any analysis can take place. After
analysis has been completed on both prints, the next problem is
deciding how the analysis results can be used to produce a comparison
between the images (i.e. a decision whether 

Re: Exporting Issues related with US laws

2007-08-20 Thread Ben Finney
Dererk [EMAIL PROTECTED] writes:

> The developer of a software I'm about to package, faced the problem
> of exporting cryptography libraries outside the US, he finally
> turned out his view and he will make his main repository available
> outside the US, punctually in the U.K.

On reading the whole message, I'd like to summarise for those who
(like me) believe they already know the answer:

Daniel Drake (a UK citizen currently living in the USA) wants to
release, under the GNU LGPL, software that involves fingerprint
recognition algorithms. This, according to Daniel's research into the
laws, falls foul of US munitions export regulation under a category
separate from cryptographic algorithms — and does *not* have an
exception allowing export of free software.

I don't have an answer, but I hope for a successful conclusion that
allows free release of this software.

-- 
 \ I went camping and borrowed a circus tent by mistake. I didn't |
  `\  notice until I got it set up. People complained because they |
_o__)couldn't see the lake.  -- Steven Wright |
Ben Finney





Re: Exporting Issues related with US laws

2007-08-20 Thread Don Armstrong
On Tue, 21 Aug 2007, Ben Finney wrote:
> Dererk [EMAIL PROTECTED] writes:
>
> > The developer of a software I'm about to package, faced the problem
> > of exporting cryptography libraries outside the US, he finally
> > turned out his view and he will make his main repository available
> > outside the US, punctually in the U.K.
>
> On reading the whole message, I'd like to summarise for those who
> (like me) believe they already know the answer:
>
> Daniel Drake (a UK citizen currently living in the USA) wants to
> release, under the GNU LGPL, software that involves fingerprint
> recognition algorithms. This, according to Daniel's research into the
> laws, falls foul of US munitions export regulation under a category
> separate from cryptographic algorithms — and does *not* have an
> exception allowing export of free software.
>
> I don't have an answer, but I hope for a successful conclusion that
> allows free release of this software.

Yeah, this is something that will be hard to answer. Could Daniel
Drake write up a brief summation of what he's found so Debian can
either get an SPI-hired lawyer or the SFLC to determine what needs to
be done in addition to what we're already doing so that it can be
distributed from main? [It'd give us a starting point to figure out
the right questions to ask a lawyer.]


Don Armstrong

-- 
The major difference between a thing that might go wrong and a thing
that cannot possibly go wrong is that when a thing that cannot
possibly go wrong goes wrong it usually turns out to be impossible to
get at or repair.
 -- Douglas Adams  _Mostly Harmless_

http://www.donarmstrong.com  http://rzlab.ucr.edu



Re: Exporting Issues related with US laws

2007-08-20 Thread Joe Smith


Ben Finney [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]

> Dererk [EMAIL PROTECTED] writes:
>
> > The developer of a software I'm about to package, faced the problem
> > of exporting cryptography libraries outside the US, he finally
> > turned out his view and he will make his main repository available
> > outside the US, punctually in the U.K.
>
> On reading the whole message, I'd like to summarise for those who
> (like me) believe they already know the answer:
>
> Daniel Drake (a UK citizen currently living in the USA) wants to
> release, under the GNU LGPL, software that involves fingerprint
> recognition algorithms. This, according to Daniel's research into the
> laws, falls foul of US munitions export regulation under a category
> separate from cryptographic algorithms — and does *not* have an
> exception allowing export of free software.
>
> I don't have an answer, but I hope for a successful conclusion that
> allows free release of this software.


Yeah, this does not look good. He can legally export to England (no licence
needed, but paperwork might need to be filed).
However, he would need a licence to export to many countries. Specifically,
all countries with checks in column CC1 or AT1 need a licence to export.
(The relevant chart is at http://www.gpo.gov/bis/ear/pdf/738spir.pdf).
Further, exporting to England with the intention of re-exporting from there
may be considered a crime in the US. (Which is absurd, but the whole
munitions control system is mostly absurd anyway).


There look to be no relevant blanket exceptions to licence requirements for
that category. Yuck.


IANAL IANADD.









Re: Exporting Issues related with US laws

2007-08-20 Thread Pat
Interesting that fingerprint matching algorithms should fall into this
category as well. Don't listen to a word I say ;)

I would say that as a UK citizen what he does with the software once he
reaches the UK should not be an issue as long as it is within the UK's laws
(says one member of the jury)
Unfortunately as we all know the FBI has decided that their jurisdiction
extends globally, so were they to learn of this they would probably take
issue.
This letter is a little confusing?
Who is actually exporting the software from the UK, is it the person in the
United States? Does the person who is giving the software to the person in
the UK know that they will export it, or did they tell them they would not?


Re: Exporting Issues related with US laws

2007-08-20 Thread Ben Finney
Pat [EMAIL PROTECTED] writes:

> Who is actually exporting the software from the UK, is it the person
> in the United States? Does the person who is giving the software to
> the person in the UK know that they will export it, or did they tell
> them they would not?

My understanding was that the proposed scenario has the same person
playing both roles: while living in the USA he exports it from the USA
to the UK, then upon returning to the UK exports it from there.

I don't expect that to affect the legality of any of the actions, but
it may clear up the confusion noted above.

-- 
 \  I don't know half of you half as well as I should like, and I |
  `\  like less than half of you half as well as you deserve.  -- |
_o__)Bilbo Baggins |
Ben Finney

