Chapter 24
Vigorien: Security, Export Controls, and GPL Compliance

This case study introduces how concerns of “security through obscurity” and regulatory problems can impact GPL compliance matters.

24.1 The Facts

Vigorien distributes a back-up solution product that allows system administrators to create encrypted backups of file-systems on Unix-like computers. The product is based on GNU tar, a backup utility that replaces the standard Unix utility simply called tar, but has additional features.

Vigorien’s backup solution added cryptographic features to GNU tar, and included a suite of utilities and graphical user interfaces surrounding GNU tar to make backups convenient.

FSF discovered the violation from a user report, and determined that the cryptographic features were the only part of the product that constituted a derivative work of GNU tar; the extraneous utilities merely made shell calls out to GNU tar. FSF requested that Vigorien come into compliance with the GPL by releasing the source of GNU tar, with the cryptographic modifications, to its customers.

Vigorien released the original GNU tar sources, but kept the cryptographic modifications proprietary. They argued that the security of their system depending on keeping the software proprietary and that regardless, USA export restrictions on cryptographic software prohibited such a release. FSF disputed the first claim, pointing out that Vigorien had only one option if they did not want to release the source: they would have to remove GNU tar from the software and not distribute it further. Vigorien rejected this suggestion, since GNU tar was an integral part of the product, and the security changes were useless without GNU tar.

Regarding the export control claims, FSF proposed a number of options, including release of the source from one of Vigorien’s divisions overseas where no such restrictions occurred, but Vigorien argued that the problem was insoluble because they operated primarily in the USA.

The deadlock on the second issue was resolved when those cryptographic export restrictions were lifted shortly thereafter, and FSF again raised the matter with Vigorien. At that point, they dropped the first claim and agreed to release the remaining source module to their customers. They did so, and the violation was resolved.

24.2 Lessons Learned

Removing the GPL’d portion of the product is always an option. Many violators’ first response is to simply refuse to release the source code as the GPL requires. FSF offers the option to simply remove the GPL’d portions from the product and continue along without them. Every case where this has been suggested has led to the same conclusion. Like Vigorien, the violator argues that the product cannot function without the GPL’d components, and they cannot effectively replace them.

Such an outcome is simply further evidence that the combined work in question is indeed a modified version of the original GPL’d component. If the other components cannot stand on their own and be useful without the GPL’d portions, then one cannot effectively argue that the work as a whole is not a based on the GPL’d portions.

The whole product is not always covered. In this case, Vigorien had additional works aggregated. The backup system was a suite of utilities, some of which were the GPL and some of which were not. While the cryptographic routines were tightly coupled with GNU tar and clearly made a whole new combined work of both components, the various GUI utilities were separate and independent works merely aggregated with the distribution of the GNU-tar-based product.
“Security” concerns do not exonerate a distributor from GPL obligations, and “security through obscurity” does not work anyway. The argument that “this is security software, so it cannot be released in source form” is not a valid defense for explaining why the terms of the GPL are ignored. If companies do not want to release source code for some reason, then they should not base the work on GPL’d software. No external argument for noncompliance can hold weight if the work as a whole is indeed a modified version of a GPL’d program.

The “security concerns” argument is often floated as a reason to keep software proprietary, but the computer security community has on numerous occasions confirmed that such arguments are entirely specious. Security experts have found — since the beginnings of the field of cryptography in the ancient world — that sharing results about systems and having such systems withstand peer review and scrutiny builds the most secure systems. While full disclosure may help some who wish to compromise security, it helps those who want to fix problems even more by identifying them early.

External regulatory problems can be difficult to resolve. The GPL, though grounded in copyright law, does not have the power to trump regulations like export controls. While Vigorien’s “security concerns” were specious, their export control concerns were not. It is indeed a difficult problem that FSF acknowledges. We want compliance with the GPL and respect for users’ freedoms, but we certainly do not expect companies to commit criminal offenses for the sake of compliance. We will see more about this issue in our next case study.