[Fingerforce-devel] 0.4 release soon?

Daniel Drake dsd at gentoo.org
Mon Nov 26 23:14:22 UTC 2007

Radek Bartoň wrote:
> OK, thanks for clearance. I understand that that there are no restrictions to 
> use it in derived work anywhere

The export administration regulations do not reach into areas defined by 
standard copyright law. But yes, like all NIST software the licensing of 
this software is "uncopyrighted and in the public domain".

The export issues concern the contents/capabilities of the software.

> but they are if both you distribute it from 
> US and it is not publicly avaiable anyway.

The EAR covers all exports by default but includes some exceptions that 
make certain exports not subject to the EAR. One such exception is for 
publicly available information, or information that is made public at 
the point of exportation.

> This is then same issue as with 
> cypher algorithms and for example FreeType library.

No, those issues are related to encryption and have entirely different 
requirements under the EAR. For a full writeup of crypto stuff vs EAR, 
see http://www.debian.org/legal/cryptoinmain

The exception I noted above (publicly available information) actually 
has a counter-exception clause, the real exception is more along the 
lines of: if your software is publicly available information, it is not 
subject to the EAR, unless it contains crypto/cypher code.

So unfortunately projects like freetype/openssl/X aren't able to use the 
same escape clause that we're using here.

> So the comments in NBIS 
> code is just feint to fullfill US laws and not meaned as intentioned 
> restriction for NBIS usage on the part of its developers.

Not sure exactly which comment you're referring to.

This comment is written by NIST:
> It is our understanding that this falls within ECCN 3D980, which covers
> software associated with the development, production or use of certain
> equipment controlled in accordance with U.S. concerns about crime control
> practices in specific countries.
> Therefore, this file should not be exported, or made available on fileservers,
> except as allowed by U.S. export control laws.
> Do not remove this notice.

They are not required to include that notice by law, but given that they 
think it would be a violation then it's quite sensible for them to do 
so. However NIST told me previously that they actually don't know 
whether NBIS would be classified under ECCN 3D980, they just think that 
it might and are playing it safe (and have no interest in finding out a 
real answer).

In other words, they aren't very familiar with the EAR, which is obvious 
considering they've also missed the public information exception and the 
whole thing is made redundant.

The reason this comment exists is because they do not have an accurate 
understanding of the EAR. I have confirmed that their export precautions 
are unnecessary.

Or you may have been referring to this comment is written by me:
> /* NOTE: Despite the above notice (which I have not removed), this file is
>  * being legally distributed within libfprint; the U.S. Export Administration
>  * Regulations do not place export restrictions upon distribution of
>  * "publicly available technology and software", as stated in EAR section
>  * 734.3(b)(3)(i). libfprint qualifies as publicly available technology as per
>  * the definition in section 734.7(a)(1).
>  *
>  * For further information, see http://reactivated.net/fprint/US_export_control
>  */

This is not required by law and does not place any restrictions on the 
use of the software. It's a simple clarification given that I have not 
removed NIST's own notice.


More information about the Fingerforce-devel mailing list