Subject: Re: GNU and classified software
From: Frank Hecker <frank@collab.net>
Date: Fri, 23 Mar 2001 20:43:58 -0500

Norbert Bollow wrote:
> Lucas Vogel <lvogel@exponent.com> wrote:
> > Can GNU tools be used in the creation/use/distribution of classified
> > software?
> 
> Yes, as long as you just want to _use_the_tools_ for this
> purpose.
> 
> However you are not allowed to take parts of the source code of
> GNU programs and adapt them for inclusion in classified
> software.

I respectfully disagree. Based on my reading of it, the GPL does not
require that you make source code for derived works publicly available,
it requires only that you make the source code available to those to
whom you distribute the derived work. For example, IMO the NSA can take
unclassified publicly available GPLed software, create a derived work
that is itself classified (under relevant US government regulations),
and provide that derived work to (say) a US government contractor as
classified material. The NSA would comply with the requirements of the
GPL by (among other things) providing the contractor with the source
code for the NSA's modifications to the original GPLed software, and
providing the derived work as a whole under GPL terms and conditions.

The contractor would then be free to redistribute that work, including
NSA's modifications, to others under GPL terms and conditions. As it
happens, the contractor would be prohibited by US law from distributing
the work to anyone not authorized to handle classified material, but IMO
that is not a problem for the GPL, as discussed below.

I can't speak for the FSF, but I can quote from "What is Free Software":

"You should also have the freedom to make modifications and use them
privately in your own work or play, without even mentioning that they
exist."

This clearly implies the ability for an agency like NSA to use free
software internally, make modifications to it, and keep those
modifications to itself.

"The freedom to use a program means the freedom for any kind of person
or organization to use it on any kind of computer system, for any kind
of overall job, and without being required to communicate subsequently
with the developer or any other specific entity."

Again, this reinforces the idea that a free software license cannot
_mandate_ public disclosure; rather it must not _prohibit_ such
disclosure. ("The freedom to improve the program, and release your
improvements to the public ...") And in fact in the above example the
contractor receiving a classified GPL application from the NSA is
permitted to disclose it to the public under the terms of the GPL;
however in practice the contractor is prevented from exercising this
right by US laws relating to distribution of classified data.

Both "What is Free Software" and the GPL itself discuss cases where
distribution under the GPL (or other free software licenses) might be
restricted due to other legal issues. The GPL in Section 8 discusses
restrictions on distribution due to patents and/or interface copyrights,
and "What is Free Software" discusses restrictions due to government
export control regulations (e.g., for encryption code). In both cases
IMO the FSF makes clear that by complying with such restrictions you are
not violating the GPL or any other free software license. Restrictions
against distribution of classified data would IMO be considered exactly
equivalent in terms of their effect on the GPL.

As a final comment, I think the FSF did a very smart thing by
disallowing as free software licenses licenses that mandate public
disclosure of modifications. If free software licenses were either
required or allowed to mandated public disclosure, then IMO the end
result would have been to restrict significantly the environments in
which free software could be used.

Frank
-- 
Frank Hecker            work: http://www.collab.net/
frank@collab.net        home: http://www.hecker.org/