[sword-devel] Sorry, I can't export sapphire.zip, but...

Paul Gear sword-devel@crosswire.org
Thu, 18 Nov 1999 20:20:24 +0000


Michael Paul Johnson wrote:

> At 16:16 11/17/1999 +0100, you wrote:
> >Hi,
> >
> >my name is Marten, I live in Germany.
> >I'm running sword and Bibletime under linux using the sword raw modules.
> >
> >Please tell me how I can get sapphire legally and in spite of U.S. export
> >restrictions and the cipher keys I need to use the enciphered
> >modules I need?
>
> You can get it from someplace where it is already outside of the USA or
> Canada (like maybe http://zerblatt.optiva.ee/pub/crypto/code/sapphire.zip)
> without breaking any U. S. or German laws. Even though someone obviously
> broke the law to export it once so that it eventually got posted in
> Estonia, I have no idea who that was. It wasn't me. I still can't legally
> export it directly to you, but if you find a sapphire.zip file anywhere you
> can legally get it from containing the following files, digitally signed by
> me with MD5SUM and PGP, then you have what you asked for.

Guys,

Until this message (and then reading the Sword 1.4.5 README), i was unaware
that Sword now depends on Sapphire.

Let me just make sure i'm understanding the facts:
- Sapphire is written in the U.S. and is a sufficiently sophisticated
encryption algorithm to make it unexportable under U.S. munitions law
- Commercially licensed texts are only available using Sapphire
- By default, Sword cannot be built without Sapphire
- The only version of Sapphire available internationally is a version
illegally exported without the author's knowledge or permission

<DISCLAIMER>
1.    I'm not looking for a flame war.
2.    I'm assuming that my grasp of the above facts is right.  If it's not,
please don't flame me for the discussion below, because it is based on this
assumption.
3.    Please make any discussion about this topic constructive, not flaming.
4.    I'm not looking for a flame war.
</DISCLAIMER>

Now that i've got that said  :-), let me proceed.

I find this situation unacceptable for a few reasons:

- Depending on an illegally exported version of Sapphire for international
users is:
        1)  possibly illegal in itself (This is especially relevant since Mike
has posted a URL to the illegal version.  There was recently a successful
lawsuit against a Swedish (?) college student for posting _links_ to
illegally-obtained MP3 files on his web site - admittedly in Europe, not the
U.S.),
        2)  unmaintainable in the medium to long term (because updates of the
software - including patch files - can't be exported), and
        3)  immoral anyway, because as Christians we should be endeavouring to
obey laws of the country we live in, and thus not promote the use of
illegally-obtained software

Hence i would recommend that:
- any reference to the illegally exported version of Sapphire be removed from
any sites affiliated with Sword, and that the owner of that site be requested
to remove it (for their own protection).
- the Sword libraries be changed to have Sapphire disabled by default.
- investigation into alternative encryption technologies that are exportable
and non-patent-encumbered begin as soon as possible.  (I'd be happy to do this
once i've got a reasonably functional GNOME frontend for Sword going, although
given my track record this could be a while ;-).  I've heard that
Blowfish/Twofish are quite a good family of algorithms, and fit these
criteria.  GNU Privacy Guard (GPG) could probably also be adapted for this
purpose.
- once such a system is found, all commercially licensed modules be switched
to use this encryption method.

What could happen if we don't do this:
- International users (at least in certain countries) will never be able to
legally use commercially-licensed Sword modules.  This is ironic considering
that some of the texts in question are actually non-English, and the most
advanced GUI frontend for Sword at present is BibleTime, a non-U.S. product.
- Mike could get sued/jailed by the government for exporting his software.  I
know you say you didn't do it, but how can you prove it?  Who is the govt.
going to look at if they start asking questions?  Even if they can't pin the
exporting of the software on you, they can probably still get you for not
securing your software sufficiently.  (Obviously, you have some legal grounds
for comebacks here, like arguing that once you've given it to another
American, you have no control over what they do with the software.  However,
it is still a legal minefield that you probably want to avoid.)
- Crosswire could be sued by the government for promoting use of an illegally
exported encryption technology.
- Commercial text vendors could be reluctant to license their material to us
due to the cloud that hangs over the encryption technology.

Again, please take these comments constructively.  Mike, i am not having a go
at your software - i haven't even looked at it.  I just think that because of
the place you wrote it, it is inappropriate for a project such as Sword.  (Why
not consider a holiday in Australia next time you write encryption code?  ;-)

Another disclaimer: please don't take this message as an endorsement of U.S.
encryption export law.  I think the laws are stupid and pointless, but they
are there, and i think we should make every effort to play it by the book.

Paul
---------
"He must become greater; i must become less." - John 3:30
http://www.bigfoot.com/~paulgear

P.S.  I've copied this to the bible-linux mailing list also.  Bob@logos.com,
please take note!  If you choose to make the next version of your library
software open source friendly, please don't encumber it like this!