Subject: Re: GNU and classified software
From: Frank Hecker <frank@collab.net>
Date: Wed, 25 Apr 2001 16:21:05 -0400

jean_camp@harvard.edu wrote:
> I do not see how it is possible to develop free software in a classified
> environment.
> 
> Where is the error in my logic?

After participating in the various discussions about this, I agree with
your conclusion, although I think there are some subtleties worth noting
on the way to reaching it:

First, to pick a minor nit: You're quoting from the OSD; if we're
talking about "free software" (as distinguished from "open source") I
think it would be more appropriate to quote from "What is Free
Software?" and related FSF documents. But that doesn't actually change
the argument, since the FSF documents contain language which has similar
effect.

Next, the original question (way back when) was about using free
software tools (e.g., GCC, GNU Emacs) to develop classified software. I
see no issue there, assuming that the development process is such that
the classified software doesn't end up incorporating code from the free
software.

The interesting case is where software is developed in a classified
environment and then distributed to others under what purports to be a
free software (or open source) license; this includes cases where the
newly developed software is considered a derivative work of free
software or open source software developed outside the classified
environment. (If the original software was distributed under the GPL
then there are a lot of circumstances where the newly developed software
could come under this umbrella.) The question is whether and in what
cases distribution of such newly developed software would not satisfy
the criteria for free software or open source software.

To start with, there is (at least in my opinion) some ambiguity as to
what would actually constitute "distribution" and thus trigger licensing
requirements. Is transfer of classified software solely within (say) the
NSA "distribution" in the licensing sense? I don't think so. Transfer
between the NSA and the CIA? Maybe not -- they're both agencies of the
US government. Transfer between the NSA and a private government
contractor working under contract to NSA? Maybe. Transfer between the
NSA and GCHQ in the UK? Definitely.

Assume "distribution" does occur. I believe, and I think many would
agree, that an organization creating software and distributing it under
a free software (or open source) license can arbitrarily choose to whom
they distribute it; they are not compelled by the FSF criteria nor by
the OSD to distribute it to everyone. Thus there is no problem arising
solely from choosing to distribute classified software under a free
software license to only those who have proper clearances. The OSD and
FSF criteria rather prohibit placing restrictions on the licensors'
ability to redistribute to certain groups.

Now if the recipients of such classified software could potentially
declassify the software themselves, without needing the permission of
the distributor of the software, then IMO there would not necessarily be
a problem. The distributor/licensor of the software would not in fact
have put any real restriction on the recipient/licensee; the recipient
may not choose to declassify, but could if they chose. However, I do not
believe that classification works this way in general. For example, I
doubt very much that GCHQ could unilaterally declassify material
provided to it by the NSA; I'm sure there are binding legal agreements
between the US and UK governments that prevent this.

So, given this point (which is courtesy of Norbert Bollow), I agree that
in general it would not be possible to create and distribute classified
software under a free software (or open source) license and actually
meet the FSF (or OSD) criteria. This implies (among other things) that
it would not be possible to incorporate publicly available GPLed
software into classified applications and distribute those applications
without violating the GPL terms. (I'm of course assuming that the
"incorporation" is such that a derived work of the GPLed software would
in fact be created.)

A similar argument would apply to software created by a private
individual or organization and distributed to others under a
non-disclosure agreement, unless recipients had the legal power to
breach the NDA and release the software to those who had not signed it.

Frank
-- 
Frank Hecker            work: http://www.collab.net/
frank@collab.net        home: http://www.hecker.org/