GOSS, FOSS, SBIR, and ITAR issues

agent209

Aug 20, 2012, 12:47:24 PM
to mil...@googlegroups.com
Hi all,

My company finished up an SBIR project and would like to open source the results. It is cyber related, and there were ITAR restrictions, but no classification.

I submitted the code through the public disclosure process, just as I have previously done for publishing papers. This time, however, they want me to sign a document where I give up all of my SBIR data rights. My concern is that, if I do so, then I cannot control the licensing of the software - e.g. I can't stipulate GPL.

Here's the clause that concerns me:

1.     VisiTrend, LLC, waives its SBIR Data Rights for ... The Government is granted an unlimited nonexclusive license to use, modify, reproduce, release, perform, display or disclose the following (Clearance Type) and the data contained therein.


Now, GPL will give the government everything they want. However, if I just give up SBIR rights, then I can't stipulate GPL. Maybe I'm not understanding this?

My nightmare scenario is: 1. I sign this and release code under GPL, 2. the government isn't under GPL because of this doc, 3. DoD gives my code to another Prime for another project, 4. the other Prime close sources our product, and makes money off of it, without releasing modifications under GPL or paying us for commercial licensing, 5. we end up competing with our own code for contracts

I have asked the DoD component if there are other options for public disclosure where I don't give up my SBIR data rights, and they are saying no.

Any thoughts on how to proceed?
Feedback, recommendations, etc. is really appreciated.

thanks,
John



The issue is, I want to release this code as GPL. If I give up all rights, then I can't enforce that licensing. This means, the DoD could give my code to a prime, which then competes against me, with my own product. That is fine with me, as long as they are also held to GPL. I'm not keen on that if they take my code, close source it, and start making money on it.


Ben Francis

Aug 20, 2012, 2:47:36 PM
to mil...@googlegroups.com
Your concerns are justified. The GPL is a restrictive license for that reason. It keeps companies from close-sourcing your own code and using it to compete against you. A company could do that if it was a permissive license like BSD.




--
You received this message because you are subscribed to the "Military Open Source Software" Google Group.
To post to this group, send email to mil...@googlegroups.com
To unsubscribe from this group, send email to mil-oss+u...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/mil-oss?hl=en
 
www.mil-oss.org

Harley Garrett

Aug 20, 2012, 6:18:57 PM
to mil...@googlegroups.com
John this subject has yet to be fully resolved since it's more complex than it needs to be. A quick disclaimer: I'm no lawyer. I did learn to read when I was a kid though and always interested in how our government spends our tax dollars.

I've been tracking the Navy's efforts since 2003 to urge their PMs to use Open Architecture (OA) in developing systems. OA is not OSS but (my opinion) adopting OSS code sharply increases the benefits of OA. For years OSS was seen by the established culture as career limiting at best and non-compliant with DoD policy at least. It was not until June 2007 when the Navy CIO established an OSS policy later adopted/clarified by DoD in Oct 2009 (see attachment 1). 

During this time OA began to get Navy traction and they created a "Software Hardware Asset Reuse Enterprise" or "SHARE" repository for code re-use in an attempt to prevent re-inventing the wheel every time a new system development was funded. Results have not been good. I looked at that last year as some of us thought since Open Source Projects are coming of age in the civil sector, why couldn't some form of OSPs help transition SHARE into a type of "Navy apps store"? That paper did not take on the SBIR issue but last fall at a conference I heard government acquisition people voice concerns that SBIR Phase III goals were not being met. 

If something is developed 100% with taxpayer dollars, the government owns the code and can give it to any contractor (if not precluded by ITAR) they want. Since the FAR did not address this issue, the government created a special "SBIR Rights" FAR clause. The paper at attachment 3 attempts to highlight the lack of actual protection "SBIR Rights" actually gives the SBIR inventor as well as the ambiguity of "Government Purpose Rights" vs SBIR Rights.

The whole idea of SBIRs assumes the inventor/developer wants to protect his Intellectual Property (IP) and sell his product as long as possible without losing it to his competition. So my conclusion was by definition, the SBIR developer is interested in getting a Return on his (at least partial) Investment (ROI). To make that happen, the Navy -- if it wants his SBIR in a program of record - should buy the SW from him and give him a 5-7 year sole source contract (Service Level Agreement or SLA) to support and update the code - including modifications driven by Navy needs. During that period, the Navy can use the code on other programs but not outside the terms of the SLA.

I think the dilemma you are faced with is you've already used the SBIR process to develop the code hence a GPL is diametrically at odds with the whole idea of a SBIR process. On the other hand, until you sell it, it's yours to decide GPL (or another OSS license type) or proprietary.

My guess is if you did publish under GPL at the outset, the government might not use it since many in the government see the GPL as "viral" due to its (albeit perceived) "copy left" provisions. By the same token, if you give them unlimited data rights the GPL cannot be enforced. Worse, if you publish under the GPL and then give them unlimited data rights, you'll be in violation of the GPL. You can't have it both ways.

If you do publish it with an open license, your objectives for preventing it from being closed are best served by the GPL. I think it's fairly safe to say that GPL allows you to distribute (or "convey" or "propagate") but you do not "have to" do that. Section 2 of the GPLv3 says you may "convey" to others with the "sole purpose" of having them make modifications "exclusively" for you. The statement goes on to say "Those thus making (modifications) ...for you must do so exclusively on your behalf, under your direction and control, on terms that prohibit them from making any copies of your copyrighted material (e.g. GPL'd) outside their relationship with you".

Seems to me if one inserted "DoD" in the place of "you" DoD could distribute any GPLv3 code to their contractors without risk of non-compliance while still preventing them from making any copies outside the DoD/contractor contractual relationship.

Bottom line is if I read your objectives right, I certainly would not give them unlimited rights and even if you GPL the code they may have trouble enforcing their contractor's compliance. So if you are concerned that DoD will give your code to other DoD contractors who would use it to "compete" against you, then you might want to consider sticking with SBIR rights or negotiating a 5-year SLA per attachment 3 p.8 as a prelude for publishing it later under GPL?

Anyway I hope this helps. If not, deep six it. If you want to talk offline shoot me an email at beer...@bellsouth.net

Harley 











  

DoD CIO Clarifying Guidance OSS 16Oct2009.pdf
White Paper v1.1 Navy OA Implemenation; Ideas for Improvement FINAL 17MAR11.pdf
SBIR SW Data Rights in Navy OA Implementation: Facilitator or Obstacle? WP 1.0 17Dec11.pdf

Mike Dupont

Aug 20, 2012, 6:27:01 PM
to mil...@googlegroups.com

On Mon, Aug 20, 2012 at 4:47 PM, agent209 <agen...@gmail.com> wrote:
> The Government is granted an unlimited nonexclusive license to use, modify, reproduce, release, perform, display or disclose the following (Clearance Type) and the data contained therein.

Is that not normal? If the federal gov owns it, it will be under the public domain and no restrictions can be stipulated? 
http://en.wikipedia.org/wiki/Copyright_status_of_work_by_the_U.S._government
mike


--
James Michael DuPont
Member of Free Libre Open Source Software Kosova http://flossk.org
Saving wikipedia(tm) articles from deletion http://SpeedyDeletion.wikia.com
Contributor FOSM, the CC-BY-SA map of the world http://fosm.org
Mozilla Rep https://reps.mozilla.org/u/h4ck3rm1k3

Harley Garrett

Aug 20, 2012, 7:38:45 PM
to mil...@googlegroups.com
Hey Mike,

Don't agree it's "normal" if the product was produced under SBIR but 1) proper markings are very important. Any material not marked will be assumed unrestricted at the least and perhaps public domain (see link below on markings), 2) whether SBIR rights really protect a developer's IP is arguable to say the least. Theoretically they can't give the code to anyone other than a "support contractor" and only then under an NDA. However, the term support contractor is now defined as a non-development contractor. That's a step in the right direction since support contractors support but don't develop (or modify).

http://www.farsmarterbids.com/regs/fars/section.php?sectionID=02520227-7025

Even with SBIR rights there are concerns. Non-Disclosures are supposed to protect you but ...?

As to unlimited rights that is not a slam dunk in my view. If the code was developed 100% on SBIR funding or mixed SBIR with private funds, then SBIR rights can be claimed. If developed 100% private funds, then you can claim limited or even restricted rights (placing the most restrictions on the government). I'm attaching a lengthy FAR clause but highlighted several areas that may illustrate how complex data rights have been made to be. One more thing - if SBIR developed I don't think there is any requirement to claim SBIR rights. That is certainly true with privately funded code. The owner can choose to release it to public domain or GPL it - his/her choice.

If a developer GPL's his/her code the government absolutely can't claim unlimited data rights since that would give them the right to restrict who they give it to and under what conditions - in violation of the GPL. The GPL either is "the license" or it isn't. Under GPR the govt can use it even for competitions amongst their contractors -- but if it's GPL then anyone could use it "against the developer" anyway albeit the playing field would be somewhat level.

BTW I also don't agree if the government owns the code it's automatically in the public domain. GPR is not Public Domain - if it were then why have a FAR clause on GPR? Unlimited data rights is public domain but only if the government chooses to make it that way. If they don't, it only means they could but didn't. But don't take my word for it as I said I'm no lawyer.

Good luck. I surely don't want to lead anyone astray so encourage people to do their own research. Complicated issue and I guess that's why we have lawyers. I'm on CST so can't tarry longer.

Cheers

Harley


FAR 252.227-7018.pdf

agent209

Aug 20, 2012, 9:34:55 PM
to mil...@googlegroups.com, hgar...@gtsms.com
Harley,

You're spot on for most of this.

I don't think GPL is at odds with SBIR actually. The real issue is the ITAR (can't release data to non-US citizens). ITAR has nothing to do with data rights and the DoD contracting agent I'm working with is conflating these issues. I'm trying to figure out a way to work around this.

Here's a point by point break down:
1. I want to open source, but cannot as long as it has ITAR constraints
2. To strip the ITAR constraints I have to put it through a public disclosure process
3. I submitted the code for public disclosure, but this time (unlike others), the DoD is saying they will only do it if I sign away my SBIR data rights

In short, I'm just trying to figure out how to strip ITAR from something so I can disclose it publicly, without giving away my SBIR data rights. The motivation for all of this is to open source the code. So, I thought someone here might have dealt with this.

Harley, I've come to the same conclusions, but was hoping someone else here might have dealt with this. Ultimately, I will probably sign away my rights so that I can open source, even if I can't enforce that on DoD contractors. Practically speaking, we're still the best people to modify and extend the code, and that should be evident to anyone else. We can also offer a free version, so...

Very open to further ideas though.

thanks,
John



Mike Dupont

Aug 20, 2012, 11:44:48 PM
to mil...@googlegroups.com
Hi Harley, thanks for the input and the detailed analysis. I am new to
this list/topic area and have a lot to learn. I was speaking only
normal for my basic understanding of PD from fed government sources.
I was just approved on this list and I did not even see the entire
thread.
thanks!
mike

Wheeler, David A

Aug 21, 2012, 8:44:28 AM
to mil...@googlegroups.com

Harley Garrett:

> My guess is if you did publish under GPL at the outset, the government might not use it since many in the government see the GPL as "viral" due to its (albeit perceived) "copy left" provisions.

 

At least in parts of the Navy, this misunderstanding is widespread.  “Viral” is just name-calling, and it’s unprofessional, but it clearly happens.  People call Microsoft “viral” too, but few people call Microsoft “viral” in formal documents; we should show the same courtesy to billion-dollar companies like Red Hat and Oracle, who use the GPL.

 

> By the same token, if you give them unlimited data rights the GPL cannot be enforced. Worse, if you publish under the GPL and then give them unlimited data rights, you'll be in violation of the GPL. You can't have it both ways.

 

Sure you can.  Many companies base their businesses on being able to simultaneously release software under 2 different licenses.  There’s nothing wrong with releasing software to the government under government-purpose rights (GPR), and to the world under the GPL.  The GPR-GPL combination has probably happened many times, though I don’t have stats handy.

 

--- David A. Wheeler

 

 

agent209

Aug 21, 2012, 9:41:00 AM
to mil...@googlegroups.com
Yes, it's called dual licensing. Harley is right that I won't be able to enforce GPL on anything released under that separate government license though. 

John

Harley Garrett

Aug 21, 2012, 11:43:06 AM
to mil...@googlegroups.com
Thanks John very much. You hit the nail squarely on the head too. I sense a contracting officer backed by legal beagles. It's clearly a policy matter that appears to hinge on the ITAR process which as you point out should be based on national security issues not data rights. Equally disturbing is the argument that to disclose it publicly you must give up SBIR rights. That is pretty iron fisted if you ask me and does nothing to resolve the issue.

Does this issue need resolving? My answer to that is if you have run into it others surely will. The next question in your case is "Is the ITAR ruling necessary and if so, what impact does that have on getting the best SW technology into DoD programs of record?". If this is a show stopper there will likely be others who believe, as you do, in Open Source as the best collaborative venue for developing - and sustaining - high quality software. 

The Defense Daily has its annual OA Summit in DC 18Oct12 (site link below)

http://openarchitecturesummit.com/

I'm of the opinion that summits in the past have dwelt more on hardware and interfaces in OA than SW with little daylight given to OSS. I think your situation is a good example of why we need more open discussion on policy matters, particularly SW policy matters. Neither you nor I have any say-so over ITAR (nor should we) or data rights issues but unless someone highlights how current policies and/or interpretations are more of an obstacle than they should be to adopting OSS into defense systems, then such issues will remain under the radar.

I don't know where you are physically (I'm in MS) but I plan to be at the Summit so if you are around perhaps we can meet. For now however, it seems like the best solution is to stick with SBIR with the intent of re-publishing in GPL down stream?

V/r

Harley


Wheeler, David A

Aug 21, 2012, 12:57:57 PM
to mil...@googlegroups.com

Mike Dupont:

>The Government is granted an unlimited nonexclusive license to use, modify, reproduce, release, perform, display or disclose the following (Clearance Type) and the data contained therein.

> Is that not normal? If the federal gov owns it, it will be under the public domain and no restrictions can be stipulated?  http://en.wikipedia.org/wiki/Copyright_status_of_work_by_the_U.S._government

 

No, it’s more complicated than that.

 

If it’s “a work prepared by an officer or employee of the U.S. government as part of that person's official duties” then no copyright applies.  That doesn’t mean it gets to the public; lots of government information is never released to the public, even though in many cases it *should* be released.

 

If it was developed by a *contractor*, then the contract applies.  The “default case” for the DoD is VERY different from the “default case” for everyone else.  See this paper:

  http://journal.thedacs.com/issue/56/180


--- David A. Wheeler

 

 

James Neushul

Aug 21, 2012, 5:20:37 PM
to mil...@googlegroups.com

Great response, Doc. Spot on.

The concept of the Fork applies in this situation.  If the developer wants the code to be GPL - it can be so up until a foolish employer prohibits this.

Closing the source kills the Golden Goose.  This is what we are trying to teach with MIL-OSS in the DOD.

Responsible developers and vendors who want to work in this part of the century - WANT our Warfighters to benefit from the exponential factor of  public collaborative development that GPL provides.  When foolish PMs dead end good projects - the option remains for the GPL fork.

Of course - we'd rather not pay for the stupid - this is where the FAR tends to protect the Govt from its foolish employees.  The vendor can GPL up until told not.  The closed fork is a sucker's game.

Software is a dynamic product.  It must remain supported as the IT world changes.  Even the US DOD can't afford to pay for this all on their own.  Even Microsoft fails conspicuously at this and they are the epitome of the closed source success model.

In summary - if you are forced to diverge - keep a GPL fork.

Neutron


Kane McLean

Aug 21, 2012, 5:33:05 PM
to mil...@googlegroups.com
A link to this thread was passed around some colleagues today. The question we had was can the government even request that SBIR rights be relinquished in the first place? No one was sure if that should have been in the contract from the start.

Kane

Harley Garrett

Aug 21, 2012, 6:06:30 PM
to mil...@googlegroups.com
Welcome Mike but I think the best crew chief on this topic is probably David Wheeler so check out his responses too. He's done far more research than I have. It is a troubling topic and lots of misconceptions. Frankly every time I read the FAR or DFAR after I'm done I'm not sure where I've been.

V/r
Harley

Wheeler, David A

Aug 21, 2012, 6:35:27 PM
to mil...@googlegroups.com

I was wondering about that too; I didn’t reply because I had to think about it.

 

The point of ITAR is to limit the export of defense and military related technologies beyond US persons.  I think it’s suspicious if the government *REQUIRES* that rights be given to it, just to get an ITAR release.  That is not the purpose of ITAR.  That may even be illegal; I know that some other actions vaguely like this *ARE* illegal.  However, ITAR is a specialist’s domain; I’m not even a lawyer, never mind an ITAR lawyer.  I suspect you’ve left the world of “common case, here’s well-known answer”.

 

You really need to *run* to an attorney who knows ITAR.  If this is illegal, a little letter from a lawyer might be all you need to get things unstuck.

 

--- David A. Wheeler

Harley Garrett

Aug 21, 2012, 6:38:55 PM
to mil...@googlegroups.com
Hi David. I very much appreciate your wisdom on this.

Definitely parts of the Navy think "viral" witness p.99 of the draft OSA Contract Guidebook v1.0 15Dec11. Their treatment of GPL/LGPL and GPL in general seems a bit threatening if not biased. Mostly what you cannot do vs what you can do. If I were a PM I might view using OSS as a career limiting move and shy away. At least RH is blazing a trail and lately have done well getting modules IA certified too.

I stand corrected on dual licensing. That said I view that as somewhat risky. FSF seems to be doing a good job keeping up with what (they say) is compatible with GPL versions and what is not. But I have not found any GPR as on their lists either compatible or incompatible. But perhaps that list is only for non-government licenses. If you can shed light on that I'd appreciate it. If it can be firmly determined where FSF and the government both agree, it would help clear the air I think.

V/r

Harley



Harley Garrett

Aug 21, 2012, 6:47:32 PM
to mil...@googlegroups.com
Good idea David. I may be all washed up but seems to me the need for ITAR and the need for data rights are two different things and one should not be used as a hammer on the other. At the very least "requiring" specific government data rights as a pre-condition for obtaining ITAR licenses is heavy handed and tramples on the rights of those who created the product especially if they used their own funds sans any government contract.

I have no problem with an individual or firm spending their own $ to develop something which then does not pass muster with the ITAR folks. That is simply a risk the firm took and if they planned on exporting they should have looked into that before investing. I do have a problem with the government using data rights as a reason to deny or grant an export license. A big problem with that.

V/r
Harley

Wheeler, David A

Aug 21, 2012, 6:51:14 PM
to mil...@googlegroups.com

By definition, a government-purpose-rights (GPR) license is NOT open source software (OSI), and is non-free (FSF), because GPR limits your use rights.  These follow from the definitions; GPR limits use rights, while the Open Software Definition and the Free Software Definition forbid that.

 

Software can be released under more than one license, though.  If one of those licenses is OSS, then the software is OSS; otherwise it is not.  As I noted earlier, some companies’ business models are based on this.  E.G., MySQL can be gotten as GPL (which is OSS) or via a proprietary license (which provides a different set of rights).  You could release software under GPL+GPR, with the same notion.  If the government got GPL+GPR, they can choose either license.

 

--- David A. Wheeler

 

 


Wheeler, David A

Aug 21, 2012, 7:02:51 PM
to mil...@googlegroups.com

It’s actually illegal to require that unlimited rights be given up as a *requirement* for contract award *before* the award.  The government can use the proposed rights as a way to prefer one proposal over another (and they should!), but the government can’t flatly require rights like unlimited rights.

 

This is not the same situation, but it is suspiciously similar.   So similar that a judge might take a very dim view of a government agency that is trying to require additional rights for an export control license.  This might even be considered abuse.  After all, if the government can’t require rights *BEFORE* award, why should the government be allowed to require additional rights AFTER award?  But I don’t know; this may be unpleasant but perfectly legal.  The answer depends on the ITAR rules, which are complex.

 

You need to RUN to a lawyer.   If you *do* get it resolved, let me know.

--- David A. Wheeler

agent209

Aug 21, 2012, 11:42:11 PM
to mil...@googlegroups.com
Hi David, Harley, 

You make great points. I think the contracts person I'm dealing with is just confused rather than trying to be sneaky. Unfortunately, I haven't found anyone who understands ITAR. Not even the government personnel could answer basic questions I had. And, the last SBIR lawyer I found cost upwards of $700 an hour.

I'm confident that if the code is cleared for public disclosure, then that effectively removes any ITAR restrictions and I can open source it. That said, the document for public disclosure does not even reference ITAR. The subject is: "Agreement and Approval for Public Release of SBIR Data Rights". However, in the waiving of my SBIR data rights, it has a slot to be filled in which references classification types. I'm assuming that's where we could write ITAR, even though it technically is not a classification. It just seems absurd to clear something for public disclosure, but only to U.S. citizens. How would that work?

I will let you know how it ends up. My goal at this point is just to clear it for public disclosure and strip it of ITAR, even if that means I have to sign away my SBIR data rights. SBIR data rights only last for 5 years anyway from contract end.  So ultimately this will be dual licensed either way - a special license for the government, and then whatever I release it under. It just gets weird if the government gives the code to a contractor. But, there's nothing I can do about that. Technically, what they have asked for does not include the ability to sub-license. And, I'm granting the license to the government, not anyone else. So, technically, I think I would have a case to enforce GPL on any contractors who did manage to get the code.

Bottom line, I think it is extremely unlikely any of this will be an issue. As long as I can open source, I'm happy. I just hoped I wasn't an edge case and there would be a clear solution, but apparently I am. 
 
Thanks so much for all the feedback and input. I will definitely look to become more involved in this community, and also try and relate the outcome of this to guide future individuals and policy.

John

Kit Plummer

Aug 22, 2012, 12:03:46 AM
to mil...@googlegroups.com
Hey John.

If you can "write up" the abstract for your story and any of the details, we can get it loaded in the Mil-OSS wiki.

Kit

Sean

Aug 22, 2012, 12:41:19 AM
to mil...@googlegroups.com
On Monday, August 20, 2012 12:47:24 PM UTC-4, agent209 wrote:
> Here's the clause that concerns me:
>
> 1.     VisiTrend, LLC, waives its SBIR Data Rights for ... The Government is granted an unlimited nonexclusive license to use, modify, reproduce, release, perform, display or disclose the following (Clearance Type) and the data contained therein.


I may be misunderstanding something and don't claim to be as intimately familiar with ITAR issues, but the clause you reference seems like a simple sharing of rights.  The key term there is nonexclusive.  The first part might be of concern (what data rights are being waived and which are retained??), but the latter part isn't very concerning.  Even sounds like the Gov may be able to (effectively) open source it with those unlimited rights.

That said ITAR and classification trumps licensing.

On Tuesday, August 21, 2012 11:42:11 PM UTC-4, agent209 wrote:

> I'm confident that if the code is cleared for public disclosure, then that effectively removes any ITAR restrictions and I can open source it. That said, the document for public disclosure does not even reference ITAR. The subject is: "Agreement and Approval for Public Release of SBIR Data Rights". However, in the waiving of my SBIR data rights, it has a slot to be filled in which references classification types. I'm assuming that's where we could write ITAR, even though it technically is not a classification. It just seems absurd to clear something for public disclosure, but only to U.S. citizens. How would that work?

I wouldn't be as confident from your description alone.  ITAR does place absurd restrictions on some software (just search on "ITAR controversy").  Moreover, ITAR and classification are not commutative in any sense.  The only relation is that ITAR says a lot about what you cannot do with classified data disclosure.

Kerberos is (or at least was) a common example of a code cleared for public disclosure but technically is/was covered under ITAR.  Some years ago, I was working on an open source project that looked into embedding Kerberos (client and server) as an authentication subsystem only to abandon the effort due to ITAR restrictions.  To bundle Kerberos, the project would have had to either tightly control downloads, submit a formal request for exemption to the state department (which had some fees associated, iirc), or host all downloads from outside the US and pretend the US devs weren't working on that part of the code.  The effort was abandoned.

I'd try to get in touch with your DoD component's legal office myself, or spend the $700 (include it in your next contract bid).  Otherwise, the ITAR terms are not entirely terrible to follow:  http://pmddtc.state.gov/regulations_laws/itar_official.html

Cheers!
Sean

agent209

Aug 22, 2012, 9:35:46 AM8/22/12
to mil...@googlegroups.com
Hi Sean, 


On Wednesday, August 22, 2012 12:41:19 AM UTC-4, Sean wrote:

On Monday, August 20, 2012 12:47:24 PM UTC-4, agent209 wrote:
Here's the clause that concerns me:

1.     VisiTrend, LLC, waives its SBIR Data Rights for ... The Government is granted an unlimited nonexclusive license to use, modify, reproduce, release, perform, display or disclose the following (Clearance Type) and the data contained therein.


I may be misunderstanding something and don't claim to be as intimately familiar with ITAR issues, but the clause you reference seems like a simple sharing of rights.  The key term there is nonexclusive.  The first part might be of concern (what data rights are being waived and which are retained??), but the latter part isn't very concerning.  Even sounds like the Gov may be able to (effectively) open source it with those unlimited rights.


I think you're misunderstanding. The other posts do a great job of elucidating every aspect of this. Your intuition is right though, the first part is most of what makes it concerning. Giving up SBIR data rights is a big deal.
 
That said, ITAR and classification trump licensing.

On Tuesday, August 21, 2012 11:42:11 PM UTC-4, agent209 wrote:

I'm confident that if the code is cleared for public disclosure, then that effectively removes any ITAR restrictions and I can open source it. That said, the document for public disclosure does not even reference ITAR. The subject is: "Agreement and Approval for Public Release of SBIR Data Rights". However, in the waiving of my SBIR data rights, it has a slot to be filled in which references classification types. I'm assuming that's where we could write ITAR, even though it technically is not a classification. It just seems absurd to clear something for public disclosure, but only to U.S. citizens. How would that work?

I wouldn't be as confident from your description alone.  ITAR does place absurd restrictions on some software (just search on "ITAR controversy").  Moreover, ITAR and classification are not commutative in any sense.  The only relation is that ITAR says a lot about what you cannot do with classified data disclosure.

Kerberos is (or at least was) a common example of a code cleared for public disclosure but technically is/was covered under ITAR.  Some years ago, I was working on an open source project that looked into embedding Kerberos (client and server) as an authentication subsystem only to abandon the effort due to ITAR restrictions.  To bundle Kerberos, the project would have had to either tightly control downloads, submit a formal request for exemption to the state department (which had some fees associated, iirc), or host all downloads from outside the US and pretend the US devs weren't working on that part of the code.  The effort was abandoned.

Thanks for sharing! Now I have to go look into this. Argh! I can't reconcile how one could be "cleared for public disclosure" but still be under ITAR. That is clearly someone writing laws who has never used a computer. 
 

I'd try to get in touch with your DoD component's legal office myself, or spend the $700 (include it in your next contract bid).  Otherwise, the ITAR terms are not entirely terrible to follow:  http://pmddtc.state.gov/regulations_laws/itar_official.html


Yeah, I have been in touch with the contracting agent who is the legal point of contact. They don't really give you a line to their legal representation. The agent is the one that sent me that document to sign. And, $700 is an hourly rate for an SBIR lawyer, it's not what the total cost would be. For that I couldn't wager a guess as this has already dragged on for far too long, considering how silly this all is. And, as I mentioned, even among legal people I talk to, no one seems to get ITAR. And the fact that it has nothing to do with data rights but has been conflated in this doc, just makes it even more difficult.

thanks, 
John

 
Cheers!
Sean

agent209

Aug 22, 2012, 9:36:01 AM8/22/12
to mil...@googlegroups.com
Will do!

Wheeler, David A

Aug 22, 2012, 10:34:17 AM8/22/12
to mil...@googlegroups.com

> It just seems absurd to clear something for public disclosure, but only to U.S. citizens. How would that work?

 

Don’t pretend that the export control regulations always make *sense*, or that they always work cleanly with classification.  That way lies madness… or at least getting mad :-).

 

First of all, the export control regulations are completely separate from other laws and regulations (like classification and copyright).  The combinations don’t always make sense, nor are they even *supposed* to make sense.  Instead, focus on “what you need to accomplish” and just work to comply with all laws and regulations.  If you consider them different sets of laws/regulations, and that you have to comply with all separately, it will make more sense.  It’s really best to treat them completely separately.  Trivial example: the term “public domain” has a DIFFERENT meaning in export control law and copyright.

 

Second, one of the purposes (as I understand it) of export control laws is to implement embargoes of physical goods.  As you’ve no doubt noticed, intellectual works don’t operate the same way as physical goods, and the laws don’t always do a good job distinguishing between them.

 

There are fundamental reasons the export control regulations are complicated.  The export control regulations were written many years ago, and have to be coordinated internationally.  The result is that it’s *extremely* hard to fix even really serious problems, and few changes occur.   All laws, like software, have bugs; the difficulty of repair is what has made the export control laws hard to deal with.  My opinion, anyway.

 

The bottom line is that the export control regulations are complicated & nasty things to understand, and in a few cases they are ridiculous.  But they threaten jail time and stiff fines… so you gotta do ‘em.

 

In a few cases what to do is “obvious” – I try to collect those obvious answers and disseminate that info.  But beyond that, you really do need a lawyer.

 

--- David A. Wheeler

Mike Dupont

Aug 22, 2012, 11:22:26 AM8/22/12
to mil...@googlegroups.com
Thanks, I am going to learn a lot on this list! 
all the best from Kosovo, I am organizing the fourth edition of a conference I founded, http://www.flossk.org/en/blog/software-freedom-kosova-2012#

mike

Harley Garrett

Aug 22, 2012, 11:32:58 AM8/22/12
to mil...@googlegroups.com
With a GPL + GPR scenario, would the source code for each be identical? Seems to me the developer would have different versions? One for GPL and one for GPR? Thanks David

Harley Garrett

agent209

Aug 22, 2012, 11:48:51 AM8/22/12
to mil...@googlegroups.com, hgar...@gtsms.com
In a general dual licensing scenario, the code would be identical. It's just released under 2 different licenses. 

In the case of a developer, it would depend on how they got the code. I don't think the government having a license means that they can give that same license to a developer unless they are technically operating as a government agent. Thus, Ball Aerospace might have a developer in a government lab, who could develop under the GPR license, but they couldn't take that code back to Ball and use it elsewhere. I could be wrong there. 

John

agent209

Aug 22, 2012, 11:52:14 AM8/22/12
to mil...@googlegroups.com
Quick update: 

I've been told by the DoD that ITAR indeed is separate and I would have to take this up with the state dept. ITAR is completely different from classification issues, which makes this really weird. 

Apparently there is a "public domain" loophole in ITAR, but this doesn't apply to tools. Interesting short read: http://www.stanford.edu/dept/DoR/C-Res/itar.html

I'm talking to some lawyers tomorrow. I'll ultimately post the disposition of this so hopefully people in the future can more easily navigate these issues.

Harley Garrett

Aug 22, 2012, 11:59:40 AM8/22/12
to mil...@googlegroups.com
In a general dual licensing scenario, the code would be identical. It's just released under 2 different licenses.

Seems to me if the code were identical, the 2 different licenses would have to be compatible would they not?

Harley

Miles Fidelman

Aug 22, 2012, 12:03:52 PM8/22/12
to mil...@googlegroups.com
agent209 wrote:
>
>>
>> My company finished up an SBIR project and would like to open
>> source the results. It is cyber related, and there were ITAR
>> restrictions, but no classification.
>>
>> I submitted the code through the public disclosure process,
>> just as I have previously done for publishing papers. This
>> time, however, they want me to sign a document where I give
>> up all of my SBIR data rights. My concern is that, if I do
>> so, then I cannot control the licensing of the software -
>> e.g. I can't stipulate GPL.
>>
>>
>> Here's the clause that concerns me:
>>
>> 1. VisiTrend, LLC, waives its SBIR Data Rights for ... The
>> Government is granted an unlimited nonexclusive license to
>> use, modify, reproduce, release, perform, display or disclose
>> the following (Clearance Type) and the data contained therein.
>>
>>
>> Now, GPL will give the government everything they want.
>> However, if I just give up SBIR rights, then I can't
>> stipulate GPL. Maybe I'm not understanding this?
>>
>> My nightmare scenario is: 1. I sign this and release code
>> under GPL, 2. the government isn't under GPL because of this
>> doc, 3. DoD gives my code to another Prime for another
>> project, 4. the other Prime close sources our product, and
>> makes money off of it, without releasing modifications under
>> GPL or paying us for commercial licensing, 5. we end up
>> competing with our own code for contracts
>>

Exactly the right thing to be worried about. That's why SBIRs have
defined SBIR data rights in the first place. The government gets
government purpose rights which should preclude your nightmare scenario,
you get the option to dual-license for everybody else.

>>
>> I have asked the DoD component if there are other options for
>> public disclosure where I don't give up my SBIR data rights,
>> and they are saying no.
>>
>> Any thoughts on how to proceed?
>>

You have SBIR data rights by default, which gives you the right to
license to everybody else on any terms you want. The only issue at hand
is ITAR - and the process for public release under ITAR should, in
theory, be completely independent of the data rights clause.

Sounds like the contract agent is trying to extort you, possibly without
knowledge of your COTR. My best suggestion is to start playing hardball.

Ask them to back up their position, in writing. Ask them to document
why giving up your SBIR data rights has anything to do with lifting ITAR
restrictions. Ask them to cite a FAR or DFAR clause that gives them the
authority to negotiate ITAR against data rights, or for that matter to
even ask that you give up SBIR data rights. Chances are you're talking
to someone a level or two below the actual contract officer anyway.

It might also be worth trying to track down who is in the decision chain
for approving for public release. It could well be that you end up
waiving your data rights, and still don't get approved for public release.

Your best position is if they've already said, say in an email, that
they won't apply ITAR restrictions if you give up data rights - that's a
tacit admission that there's nothing that needs to be restricted. Then
you can play hardball - talk to the DoD component's SBIR office, maybe
up-level to the IG's office, maybe even your congress-critter. After
all, the SBIR program is supposed to be about helping small firms launch
new products, not about stealing them.

Miles Fidelman

--
In theory, there is no difference between theory and practice.
In practice, there is. .... Yogi Berra

agent209

Aug 22, 2012, 12:16:39 PM8/22/12
to mil...@googlegroups.com, hgar...@gtsms.com
It appears not. MySQL is GPL. However, they also offer a commercial license so that you can embed MySQL in your app and not be bound by the terms of the GPL. Thus, MySQL is released under 2 different licenses that are not compatible. 

Mozilla actually uses this model to circumvent issues of non-compatible licenses. 

A quick search returned this which seems clear: http://www.oss-watch.ac.uk/resources/duallicence2.xml

The key is that only the copyright holder can do this (unless they give permission to someone else). Thus, if I gave you a GPL license for some code, you couldn't go and release it under another license. 

I'm pursuing this model because I want to share all of our work. At the same time, if people use our work to make money, I either want them to share their work as well, or I want to make money also. Dual licensing enables me to provide either option, just as MySQL does. 

John

Wheeler, David A

Aug 22, 2012, 12:36:13 PM8/22/12
to mil...@googlegroups.com

Harley:

> Seems to me if the code were identical, the 2 different licenses would have to be compatible would they not?

 

No, for dual-licensing it’d be pointless if the licenses WERE compatible.  I think you’re confusing “may I use this?” with “may I combine it with other software?”

 

Under copyright law, you can always use, modify, and redistribute software that YOU have the copyright to, subject to classification, export control, etc.  There’s a special case for US government employees, let’s not go there.

 

For you to use, modify, or redistribute software written by *anyone* *else*, you have to have a license (permission) to do those things.  Such licenses may have conditions, or you may have to agree to contract to get a license.

 

The original rights-holder doesn’t have to license the same software the same way to everyone.  Microsoft may choose to sell BIGCORP a license to use Microsoft Office for all its users for $BIGNUM, and sell SMALLCORP a license for its users for a different $SMALLNUM.  Microsoft may choose to additionally license the source code for Office to SOMEGOV, under the condition that SOMEGOV not redistribute it.  And so on.

 

The *original* rights-holder may release the same software under more than one license. As long as the recipient complies with at least ONE of the license conditions, then they can receive and use the software under the conditions of THAT license.

 

So far so good.  Now, what happens if you want to mix the code into a larger work?  Well, then you have to find some combination of licenses, for each component, that together let you do that.  If a component has more than one license that applies to it, then at least one of those licenses has to let you do what you want.

 

--- David A. Wheeler

 

Sean

Aug 22, 2012, 2:27:48 PM8/22/12
to mil...@googlegroups.com

On Wednesday, August 22, 2012 9:35:46 AM UTC-4, agent209 wrote:

On Wednesday, August 22, 2012 12:41:19 AM UTC-4, Sean wrote:

On Monday, August 20, 2012 12:47:24 PM UTC-4, agent209 wrote:
Here's the clause that concerns me:

1.     VisiTrend, LLC, waives its SBIR Data Rights for ... The Government is granted an unlimited nonexclusive license to use, modify, reproduce, release, perform, display or disclose the following (Clearance Type) and the data contained therein.

I may be misunderstanding something and don't claim to be as intimately familiar with ITAR issues, but the clause you reference seems like a simple sharing of rights.  The key term there is nonexclusive.  The first part might be of concern (what data rights are being waived and which are retained??), but the latter part isn't very concerning.  Even sounds like the Gov may be able to (effectively) open source it with those unlimited rights.

I think you're misunderstanding. The other posts do a great job of elucidating every aspect of this. Your intuition is right though, the first part is most of what makes it concerning. Giving up SBIR data rights is a big deal.

Perhaps, but the preceding discussion was predominantly about GPR and GPL issues, which are rather orthogonal issues to the two-part clause you referenced (which is *not* GPR).  The main point was that the latter part by itself is not very concerning (by itself) as it doesn't limit what you can do.  As noted, the real issue is that the Government is being granted as much control as you have with their version and you could end up commercially competing with your own code without SBIR protections.  That's the case with open source too, though, if someone else merely offers better support or a faster rate of development.  If you plan on releasing as open source software (which we all trust you do), you'll want to establish authority through merit to protect your trade.  Maintaining SBIR rights is an easy way, but far from the only way.

Thanks for sharing! Now I have to go look into this. Argh! I can't reconcile how one could be "cleared for public disclosure" but still be under ITAR. That is clearly someone writing laws who has never used a computer.

Export Administration Regulations (EAR) are in the same boat.  Cleared for public disclosure, but not to everyone.  If you just fire up an Apache server and host a tarball of open source goodness, you could technically be in violation of the EAR.  It's the set of laws that prohibit doing business with foes.  Does it make sense?  Not really.  Does it limit someone in North Korea from getting a copy of Firefox?  Probably not.  Is it a federal law with teeth?  Absolutely.
 
Yeah, I have been in touch with the contracting agent who is the legal point of contact. They don't really give you a line to their legal representation. The agent is the one that sent me that document to sign. And, $700 is an hourly rate for an SBIR lawyer, it's not what the total cost would be. For that I couldn't wager a guess as this has already dragged on for far too long, considering how silly this all is. And, as I mentioned, even among legal people I talk to, no one seems to get ITAR. And the fact that it has nothing to do with data rights but has been conflated in this doc, just makes it even more difficult.

You could just try giving them a call.  Army Legal, Air Force Legal, CIO, etc, all have publicly posted contact information and some offer a variety of consultative services.

Cheers!
Sean
 

Harley Garrett

Aug 22, 2012, 6:25:29 PM8/22/12
to mil...@googlegroups.com
Last transmission exceeded file size limits. Retransmitting:

Wow. And I thought the ITAR was complicated. Thanks David very much.

For John, I used to work export licenses once in awhile for my employer since we produced several items of military electronics. One in-house development was an alternate STU-III (secure telephone) we hoped to export but without the SW that encoded conversations. Just a blank EEPROM the receiving country could use to store their own. But we never got approval for that even though sans the encryption code, it was just another phone (hardware). I recall when I retired, the system time lines had improved dramatically. I'm not sure that is the case today.

I think (more research required) until the mid-1970's exports were largely controlled by the Dept of Commerce (DOC). Most licenses were issued largely to monitor export/import traffic. DOC had a Commodity Control List (CCL) but only to separate uncontrolled (but monitored) commercial commodities from others which need a bit more oversight as to who the intended end-user was. But during the 60's and early 70's, some technologies -- particularly those making more and more use of software for their operations - were seen as "dual use" (military or civil). 

In 1976 Congress passed the Arms Export Control Act followed shortly by EO 11958 which allocated responsibilities to DoD & State. That led to the ITAR as the implementing reg overseen by the State Department's Office of Defense Trade Controls (DTC). The US Munitions List (USML or just "ML") is part of the ITAR but State usually defers to DoD on what goes on the ML. Part 121 of the ITAR covers the ML. Software is mostly discussed in 121.1 Category XIII (b) subparas (1), (2), (3) and (4) and in section 121.8 (e), (f), and (g). See:

http://www.fas.org/spp/starwars/offdocs/itar/p121.htm

Both DOC (Commerce) and State have "Commodity Jurisdiction" classifications and, (surprise surprise) ambiguities gave potential exporters fits. DOC's Commerce Control List (CCL) has some software classifications but such items are not on the ML. The take away here is a firm that wants to export doesn't know whether to approach DOC or State for an export license. In 1996, the National Security Council (NSC) issued "guidance" to make both State & DOC's Commodity Jurisdiction processes compatible. To the extent they are now is anyone's guess.  

Then in 2000, Congress instructed the IG's of Commerce, Energy, Defense, and State to audit the ITAR process. They did and the State IG's report (attached) is an interesting read. I don't know if their annual reviews are still on-going or not. I think the ML multi-year reviews are still on-going to remove items from the ML more than adding items to it. 

Reading through the attached and the ITAR sections (more research is needed) you can see that getting an answer on whether you can export or not and under what conditions, as a minimum, may require 1) establishing who has jurisdiction (State or Commerce) and 2) a technical review by a DoD Lab, NIST, or in some cases a DOE lab. However, nowhere do I find data rights mentioned.

So I'm not sure who your COTR or the KO is but thanks to David's inputs and others, you should be able to get a fair "hearing" and determination from the DTC (albeit it might take a few months) regardless of what license type you publish under. If DoD wants the technology, I'd keep my SBIR rights and dual license GPL for export purposes. If they balk and want you to strip SBIR as a pre-condition for ITAR then as one gent mentioned, ask them to pony up a FAR/DFAR clause and a governing ITAR Chapter or sub-paragraph. If they (somehow) do, a fall back position might be to offer the government GPR and dual license it GPL for exports. Least it's worth a shot.

Harley

DoDUSMLreview.pdf

G. Andrew Stone

Aug 22, 2012, 11:19:59 PM8/22/12
to mil...@googlegroups.com
Here's an example dual license header:

/*
 * Copyright (C) 2002-2012 <Your Company Here> Inc. All Rights Reserved.
 *
 * This file is available under a commercial license from the
 * copyright holder or the GNU General Public License Version 2.0.
 *
 * The source code for this program is not published or otherwise
 * divested of its trade secrets, irrespective of what has been
 * deposited with the U.S. Copyright office.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * For more information, see the file COPYING provided with this
 * material.
 */

Previously, the company I work for had 2 separate top level licenses and we would run a python script to swap in the appropriate license on every source file.  However, this was found to be irritating as we moved to a github model where our customers and GPL users could pull the bug fixes directly from source control rather than relying on a periodic bugfix release. 

The contract we sign with our customers contains the commercial/military license that this header refers to.  The good thing about this is that there is no divergence between the GPL (FOSS) and commercial versions; they are the same file and same repository!

If you choose to use something similar, please have your lawyer review it for your particular situation.

Regards,
Andrew


Harley Garrett

Aug 23, 2012, 3:22:17 PM8/23/12
to mil...@googlegroups.com
Hey Andrew that is very helpful! Thanks very much! One question - what type of commercial /military license did you use in addition to the GPL? Were both Top Level licensed commercial/military in addition to the GPL or was the GPL one of those? Thanks Andrew

Harley

Scott Clark

Aug 27, 2012, 8:21:05 PM8/27/12
to mil...@googlegroups.com, hgar...@gtsms.com
Harley and others are right.  Export (including ITAR) considerations are separate issues from data rights.  The good news is that software that is public domain does not require an export license from DoC.  In Jan 2011 that rule was extended to software containing encryption capabilities that is public domain (such as OpenSSL).  That's the case for software that is currently public domain, so before releasing you have to make a determination of the jurisdiction.  ITAR is the first test you have to make as it over-rides all other export rules.  The ITAR covers a lot of things but the general tests are "primarily for defense purposes" and "re-use for WMD".  There are more considerations and it's wise to seek the counsel of export compliance experts regardless of whether your product falls under ITAR.  In general the intended end-use of something is as important (or more) as the thing itself.  If it falls under ITAR then it may be difficult to make a case for open source.  The reason you want professional expertise on your determination is that many people will knee-jerk and throw out ITAR in the same way they want to classify everything.  It's also important because releasing something as open source is not the same thing as selling or providing technical services.

For example here's an excerpt from the update for public domain encryption software (http://www.bis.doc.gov/news/2010/fr_01072011.pdf):

"During its review, BIS noted that the EAR currently provide that making certain encryption software ‘‘publicly available’’ by posting it on the Internet where it may be downloaded by anyone does not establish ‘‘knowledge’’ of a prohibited export or reexport.  Additionally, such activity also does not trigger any ‘‘red flags’’ that impose an affirmative duty to inquire under the ‘‘Know Your Customer’’ guidance provided in the EAR (see 67 FR 38855, 38857, June 6, 2002). Therefore, a person or company does not violate the EAR if it posts ‘‘mass market’’ encryption software on the Internet for free and anonymous download (i.e., makes it ‘‘publicly available’’), and the software is downloaded by an anonymous person from anywhere in the world. In addition, if the person or company ‘‘publishes’’ mass market encryption software by another means, the person or company does not violate the EAR."

Of course the above applies to the general export rules and things may be different if we're talking ITAR (which is generally more restrictive).  So clear as mud right?  At the very least this hopefully gives you some questions to ask when you talk to the export compliance experts.


Scott