The EAR and Open Source Software
The EAR defines the scope of certain items, including software and technology, that may be subject to export restrictions. The EAR provides for Export Control Classification Numbers, or “ECCNs,” for different types of items, including software and technology. Some items are subject to the EAR, meaning that they are inside the EAR’s scope and may only be exported if: the EAR permits the export without a license, a license exception applies, or a license to export is obtained.
This is where open source technologies are advantageous because the EAR explicitly exempts most software and technology made available as open source. Some items are specifically not “subject to” the EAR at all, meaning that they are “outside the regulatory jurisdiction of the EAR and are not affected by these regulations.” [1] Specifically, the EAR states in § 734.3(b), [2] “The following are not subject to the EAR:” and then lists, “Information and ‘software’ that: (i) Are published, as described in § 734.7”. The reference to § 734.7 is important because that section states that materials that are “published” are not subject to the EAR. Specifically, the EAR § 734.7 states, [3]
… unclassified “technology” or “software” is “published,” and is thus not “technology” or “software” subject to the EAR, when it has been made available to the public without restrictions upon its further dissemination…
Open source software from The Linux Foundation and project communities we work with is “published” as described in EAR § 734.7.
The following typical scenarios (but not an exhaustive list) are not subject to the EAR because “open source” is “published”:
Open source software that is published publicly is not subject to the EAR
Open source specifications that are published publicly are not subject to the EAR
Open source files that describe the designs for hardware that are published publicly are not subject to the EAR
Open source software binaries that are published publicly are not subject to the EAR
The key word is “published.” For the purposes of the EAR, if the open source technology is publicly available without restrictions upon its further dissemination, then it is “published” and therefore “not subject to” the EAR. It would be a major shift in existing policy for the EAR to be changed to make “published” software and technology subject to EAR restrictions, and we are not aware of any current discussion for such a change.
The US position that publicly available software or technology is not subject to export control is not specific to US regulations. It is similarly reflected in European Union export control regulations, which provide exclusions from certain controls for software and other technology that is “in the public domain.” [4]
Additionally, activities that do not relate to software, technology or other items within the EAR’s scope are not subject to the EAR. [5] Non-technical collaboration falls into this category: meetings about business matters, event planning, marketing, and similar activities are not subject to the EAR, because they are outside its scope.
To meet the requirement of “published” under the EAR, open source communities may need to take one additional step if the project includes non-standard cryptography technology.
Footnotes