SourceForge, Encryption, and U.S. Export Control Restrictions

I was registering the Adapto project on SourceForge today, and when I got to the Export Control question, I ended up spending more than a few minutes researching U.S. export regulations relating to software and cryptography. Be warned, though: I am not a lawyer and the following is not legal advice. I urge you to consult a professional for advice specific to your situation.

SourceForge is operated by Geeknet, Inc., a publicly traded US-based company. When someone outside the U.S. downloads code from a SourceForge project, SourceForge is actually exporting the code from the U.S.

Export of software including cryptography functions from the U.S. is controlled by the Bureau of Industry and Security (BIS) according to the Export Administration Regulations (EAR) and the Commerce Control List (CCL). This includes software that only calls encryption functions in an external library, such as the PHP openssl_public_encrypt and openssl_public_decrypt functions.

In 2010, the BIS amended the EAR to exclude software products in which the use of encryption is ancillary to the product's primary function, that primary function is not information security or the sending, receiving or storing of information, the cryptographic functionality is limited to supporting that primary function, and details will be provided upon request to a U.S. authority (see EAR Controls for Items that Use Encryption on the U.S. BIS website).

Adapto is a small PHP framework targeted at creating data management applications with minimal code. Although Adapto includes cryptographic functions (implemented through PHP library functions), they are provided only for potential use by an application program and are not used in the normal operation of the framework. They are also not used in the tutorial demo application included with Adapto, and so it appears export of Adapto from the U.S. is not controlled.

Since Adapto does incorporate encryption, this has been noted in the SourceForge project metadata; but because, based on the above analysis, it is not controlled, the project does not require reporting to the U.S. government, as SourceForge notes.