Canadian open source companies doing development in the U.S. are seldom aware of export regulations requiring encryption algorithms in the code to be filed with the U.S. Department of Commerce Bureau of Industry and Security (BIS).
Eran Strod, director of product marketing with Waltham, Mass.-based Black Duck Software Inc., said companies exporting code from the U.S. to other parts of the world must ensure compliance, yet that is a legal issue that developers are seldom aware of.
“Engineering groups are really tasked with getting a product working, and policy compliance to them is not something that they are measured on,” said Strod. “It’s not something they are taught in school.”
There are numerous kinds of encryption algorithms, but in essence they transform data so that it can be recovered only by someone holding the corresponding key.
Black Duck Software, a provider of tools for managing open source use in application development, released version 5.0 of Black Duck Expert last week.
Strod said the new version of the tool, which finds encryption algorithms in code and guides developers through the notification and filing process, can now recognize 450 encryption algorithms, and also has a friendlier user interface and better integration with the Black Duck suite.
Aside from the fact that export compliance is considered a legal issue, Strod said the monolithic approach of open source development complicates the matter. Large components brought into the project often represent “millions of lines of code, and people don’t go looking for what’s in there,” he said.
A search of the Black Duck KnowledgeBase, a database of 220,000 open source projects, showed that more than 4,000 projects contained encryption algorithms that required filing.
But the fact that an additional 3,900 projects could potentially need filing reveals how murky this space can be.
Understanding compliance requirements, said Strod, requires a person with domain expertise to consider factors like product function, the country and business being exported to, encryption strength and key length, encryption function, and user base.
Benjamin Flowe, partner with Washington-based law firm Berliner, Corcoran & Rowe LLP, has new clients weekly who are surprised by the need to file with the BIS.
Flowe said that while it’s difficult for both small and big developer organizations to ensure they are compliant, larger companies are probably more aware of the requirements.
It’s not easy for developers to know when they’ve even got encryption algorithms in their code, said Flowe. “It used to be that I could talk to someone who knew every line of code because they wrote it or quality control checked it,” he said.
“These days, people pull from tool kits that are freely available all over the place. Sometimes encryption can be deep under the hood,” said Flowe.
Developers can become aware of their legal obligations in a number of ways, said Flowe, ranging from educational seminars (Flowe has given two presentations on export encryption compliance) to customers asking to see the export classification number obtained upon filing.
Also, with mergers and acquisitions, “people realize they hadn’t really had their house in order. So it comes up in a number of ways,” said Flowe.
Getting compliant is important, said Flowe, given that statutory authorization for civil fines can be as much as $250,000.
“There are hundreds of cases where people have been fined, but most of the time they are not fining companies,” said Flowe. “But it’s just a question of how lucky you feel.”
And, although the government is usually reasonable when handling cases of non-compliance, said Flowe, nobody really likes to take that level of risk.