22. Nations

Microsoft is an American company. Bill Gates lives in Washington State and so do most of the programmers under his dominion. The software they write gets used around the globe in countries big and small, and the money people pay for the software comes flooding back to the Seattle area, where it buys huge houses, designer foods, and lots of serious and very competitive consumption. Through the years, this sort of economic imperialism has built the great cities of Rome, London, Tokyo, Barcelona, and many other minor cities. History is just a long series of epochs when some company comes up with a clever mechanism for moving the wealth of the world home to its cities. Britain relied on opium for a while. Rome, it might be said, sold a legal system. Spain trafficked in pure gold and silver. Microsoft is selling structured information in one of the most efficient schemes yet.

Of course, these periods of wealth-building invariably come to an abrupt end when some army, which is invariably described as “ragtag,” shows up to pillage and plunder. The Mongolian hordes, the Visigoths, and the Vikings are just a few of the lightweight, lean groups that appeared over the horizon and beat the standing army of the fat and complacent society. This was the cycle of boom and doom that built and trashed empire after dynasty after great society.

Perhaps it's just a coincidence that Linus Torvalds has Viking blood in him. Although he grew up in Finland, he comes from the minority of the population for whom Swedish is the native tongue. The famous neutrality during World War II, the lumbering welfare states, the Nobel Peace Prize, and the bays filled with hiding Russian submarines give the impression that the Viking way is just a thing of the past, but maybe some of the old hack and sack is still left in the bloodlines.

The Linux movement isn't really about nations and it's not really about war in the old-fashioned sense. It's about nerds building software and letting other nerds see how cool their code is. It's about empowering the world of programmers and cutting out the corporate suits. It's about spending all night coding on wonderful, magnificent software with massive colonnades, endless plazas, big brass bells, and huge steam whistles without asking a boss “Mother, may I?” It's very individualistic and peaceful.

That stirring romantic vision may be moving the boys in the trenches, but the side effects are beginning to be felt in the world of global politics. Every time Linux, FreeBSD, or OpenBSD is installed, several dollars don't go flowing to Seattle. There's a little bit less available for the Microsoft crowd to spend on mega-mansions, SUVs, and local taxes. The local library, the local police force, and the local schools are going to have a bit less local wealth to tax. In essence, the Linux boys are sacking Seattle without getting out of their chairs or breaking a sweat. You won't see this battle retold on those cable channels that traffic in war documentaries, but it's unfolding as we speak.

The repercussions go deeper. Microsoft is not just a Seattle firm. Microsoft is an American company and whatever is good for Microsoft is usually good, at least in some form, for the United States. There may be some fraternal squabbling between Microsoft and Silicon Valley, but the United States is doing quite well. The info boom is putting millions to work and raising trillions in taxes.

The free software revolution undermines this great scheme in two very insidious ways. The first is subtle. No one officially has much control over a free software product, and that means that no country can claim it as its own. If Bill Gates says that the Japanese version of Windows will require a three-button mouse, then Japan will have to adjust. But Torvalds, Stallman, and the rest can't do a darn thing about anyone. People can just reprogram their mouse. If being boss means making people jump, then no one in the free software world is boss of anything. Free source code isn't on anyone's side. It's more neutral than Switzerland was in World War II. The United States can only take solace in the fact that many of the great free source minds choose to live in its boundaries.

The second effect is more incendiary. Free software doesn't pay taxes. In the last several centuries, governments around the world have spent their days working out schemes to tax every transaction they can find. First, there were just tariffs on goods crossing borders, then the bold went after the income, and now the sales tax and the VAT are the crowning achievement. Along the way, the computer with its selfless ability to count made this possible. But how do you tax something that's free? How do you take a slice out of something that costs nothing?

These are two insidious effects. The main job of governments is to tax people. Occasionally, one government will lust after the tax revenue of another and a war will break out that will force people to choose sides. The GPL and the BSD licenses destroy this tax mechanism, and no one knows what this will bring.

One of the best places to see this destabilization is in the efforts of the United States government to regulate the flow of encryption software around the globe. Open source versions of encryption technology are oozing through the cracks of a carefully developed mechanism for restricting the flow of the software. The U.S. government has tried to keep a lid on the technology behind codes and ciphers since World War II. Some argue that the United States won World War II and many of the following wars by a judicious use of eavesdropping. Codebreakers in England and Poland cracked the German Enigma cipher, giving the Allies a valuable clue about German plans. The Allies also poked holes in the Japanese code system and used this to win countless battles. No one has written a comprehensive history of how code-breaking shifted the course of the conflicts in Vietnam, Korea, or the Middle East, but the stories are bound to be compelling.

In recent years, the job of eavesdropping on conversations around the world has fallen on the National Security Agency, which is loath to lose the high ground that gave the United States so many victories in the past. Cheap consumer cryptographic software threatened the agency's ability to vacuum up bits of intelligence throughout the world, and something needed to be done. If good scrambling software was built into every copy of Eudora and Microsoft Word, then many documents would be virtually unreadable. The United States fought the threat by regulating the export of all encryption source code. The laws allowed the country to regulate the export of munitions, and scrambling software was put in that category.

These regulations have caused an endless amount of grief in Silicon Valley. The software companies don't want someone telling them what to write. Clearing some piece of software with a bureaucrat in Washington, D.C., is a real pain in the neck. It's hard enough to clear it with your boss. Most of the time, the bureaucrat won't approve decent encryption software, and that means the U.S. company has a tough choice: it can either not export its product, or build a substandard one.

There are branches of the U.S. government that would like to go further. The Federal Bureau of Investigation continues to worry that criminals will use the scrambling software to thwart investigations. The fact that encryption software can also be used by average folks to protect their money and privacy has presented a difficult challenge to policy analysts from the FBI. From time to time, the FBI raises the specter of just banning encryption software outright.

The software industry has lobbied long and hard to lift these regulations, but they've had limited success. They've pointed out that much foreign software is as good as if not better than American encryption software. They've screamed that they were losing sales to foreign competitors from places like Germany, Australia, and Canada, competitors who could import their software into the U.S. and compete against American companies. None of these arguments went very far because the interests of the U.S. intelligence community always won when the president had to make a decision.

The free source code world tripped into this debate when a peace activist named Phil Zimmerman sat down one day and wrote a program he called Pretty Good Privacy, or simply PGP. Zimmerman's package was solid, pretty easy to use, and free. To make matters worse for the government, Zimmerman gave away all of the source code and didn't even use a BSD or GPL license. It was just out there for all the world to see.

The free source code had several effects. First, it made it easy for everyone to learn how to build encryption systems and add the features to their own software. Somewhere there are probably several programmers being paid by drug dealers to use PGP's source code to scramble their data. At least one person trading child pornography was caught using PGP.

Of course, many legitimate folks embraced it. Network Solutions, the branch of SAIC, the techno powerhouse, uses digital signatures generated by PGP to protect the integrity of the Internet's root server. Many companies use PGP to protect their e-mail and proprietary documents. Banks continue to explore using tools like PGP to run transaction networks. Parents use PGP to protect their kids' e-mail from stalkers.

The free source code also opened the door to scrutiny. Users, programmers, and other cryptographers took apart the PGP code and looked for bugs and mistakes. After several years of poking, everyone pretty much decided that the software was secure and safe.

This type of assurance is important in cryptography. Paul Kocher, an expert in cryptography who runs Cryptography Research in San Francisco, explains that free source software is an essential part of developing cryptography.“You need source code to test software, and careful testing is the only way to eliminate security problems in crypto-systems,” he says. “We need everyone to review the design and code to look for weaknesses.”

Today, security products that come with open source code are the most trusted in the industry. Private companies like RSA Data Security or Entrust can brag about the quality of their in-house scientists or the number of outside contractors who've audited the code, but nothing compares to letting everyone look over the code.

When Zimmerman launched PGP, however, he knew it was an explicitly political act designed to create the kind of veil of privacy that worried the eavesdroppers. He framed his decision, however, in crisp terms that implicitly gave each person the right to control their thoughts and words. “It's personal. It's private. And it's no one's business but yours,” he wrote in the introduction to the manual accompanying the software. “You may be planning a political campaign, discussing your taxes, or having an illicit affair. Or you may be doing something that you feel shouldn't be illegal, but is. Whatever it is, you don't want your private electronic mail (e-mail) or confidential documents read by anyone else. There's nothing wrong with asserting your privacy. Privacy is as apple-pie as the Constitution.”

Initially, Zimmerman distributed PGP under the GPL, but backed away from that when he discovered that the GPL didn't give him much control over improvements. In fact, they proliferated and it made it hard to keep track of who created them. Today, the source code comes with a license that is very similar to the BSD license and lets people circulate the source code as much as they want.

“I place no restraints on your modifying the source code for your own use,” he writes in the accompanying documentation, and then catches himself.“However, do not distribute a modified version of PGP under the name 'PGP' without first getting permission from me. Please respect this restriction. PGP's reputation for cryptographic integrity depends on maintaining strict quality control on PGP's cryptographic algorithms and protocols.”

Zimmerman's laissez-faire attitude, however, doesn't mean that the software is available with no restrictions. A holding company named Public Key Partners controlled several fundamental patents, including the ones created by Ron Rivest, Adi Shamir, and Len Adleman. Zimmerman's PGP used this algorithm, and technically anyone using the software was infringing the patent.

While “infringing on a patent” has a certain legal gravitas, its real effects are hard to quantify. The law grants the patent holders the right to stop anyone from doing what is spelled out in the patent, but it only allows them to use a lawsuit to collect damages. In fact, patent holders can collect triple damages if they can prove that the infringers knew about the patent. These lawsuits can be quite a hassle for a big company like Microsoft, because Microsoft is selling a product and making a profit. Finding a number to multiply by three is easy to do. But the effects of the lawsuits on relatively poor, bearded peace activists who aren't making money is harder to judge. What's three times zero? The lawsuits make even less sense against some guy who's using PGP in his basement.

Still, the threat of a lawsuit was enough of a cudgel to worry Zimmerman. The costs, however, put a limit on what PKP could demand. In the end, the two parties agreed that PGP could be distributed for non-commercial use if it relied upon a toolkit known as RSAREF made by PKP's sister company, RSA Data Security. Apparently, this would encourage people to use RSAREF in their commercial products and act like some free advertising for the toolkit.

The patent lawsuit, however, was really a minor threat for Zimmerman. In 1994, the U.S. government started investigating whether Zimmerman had somehow exported encryption software by making it available on the Internet for download. While Zimmerman explicitly denounced violating the laws and took pains to keep the software inside the country, a copy leaked out. Some suggest it was through a posting on the Net that inadvertently got routed throughout the world. Was Zimmerman responsible? A branch of the U.S. Customs launched a criminal investigation in the Northern District of California to find out.

Of course, determining how the source code got out of the country was a nearly impossible exercise. Unless Zimmerman confessed or somehow kept some incriminating evidence around, the prosecutors faced a tough job painting him as a lawbreaker. The software was available for free to anyone inside the country, and that meant that everyone had at least an opportunity to break the law. There were no purchase records or registration records. No one knew who had PGP on their disk. Maybe someone carried it across the border after forgetting that the source code was on a hard disk. Maybe a foreigner deliberately came into the U.S. and carried it out. Who knows? Zimmerman says it blew across the border “like dandelion seeds blowing in the wind.”

To make matters worse for the forces in the U.S. government that wanted to curtail PGP, the patent held by RSA wasn't filed abroad due to different regulations. Foreigners could use the software without care, and many did. This was the sort of nightmare that worried the parts of the U.S. intelligence-gathering branch that relied upon wholesale eavesdropping.

Eventually, the criminal investigation amounted to nothing. No indictments were announced. No trials began. Soon after the investigation ended, Zimmerman helped form a company to create commercial versions of PGP. While the free versions continue to be available today and are in widespread use among individuals, companies often turn to PGP for commercial products that come with a license from PKP. When the RSA patent expires in September 2000, the people will be free to use PGP again. ¹⁶

Zimmerman's experiences show how free source code turned into a real thorn in the side of the U.S. government. Businesses can be bought or at least leaned on. Merchandise needs to flow through stores and stores have to obey the law. Red tape can ruin everything. But free software that floats like dandelion seeds can't be controlled. People can give it to each other and it flows like speech. Suddenly it's not a product that's being regulated, but the free exchange of ideas between people, ideas that just happen to be crystallized as a computer program.

Of course, a bureaucracy has never met something it couldn't regulate, or at least something it couldn't try to regulate. Zimmerman's experience may have proved to some that governments are just speed bumps on the infobahn of the future, but others saw it as a challenge. Until the end of 1999, the U.S. government has tried to tighten up the restrictions on open source versions of encryption technology floating around the world. The problem was that many countries around the globe explicitly exempt open source software from the restrictions, and the United States has lobbied to tighten these loopholes.

The best place to begin this story may be in the trenches where system administrators for the U.S. government try to keep out hackers. Theo de Raadt, the leader of the OpenBSD team, likes to brag that the U.S. government uses OpenBSD on its secure internal network. The system designers probably made that choice because OpenBSD has been thoroughly audited for security holes and bugs by both the OpenBSD team and the world at large. They want the best code, and it's even free.

“They're running Network Flight Recorder,” de Raadt says. “It's a super sniffing package and an intrusion detection system. They can tell you if bad traffic happens on your private little network that the firewall should have stopped. They have OpenBSD running NFR on every network. They run an IPSEC vpn back to a main network information center where they look and do traffic analysis.”

That is, the departments watch for bad hackers by placing OpenBSD boxes at judicious points to scan the traffic and look for incriminating information. These boxes, of course, must remain secure. If they're compromised, they're worthless. Turning to something like OpenBSD, which has at least been audited, makes sense.

“They catch a lot of system administrators making mistakes. It's very much a proactive result. They can see that a sys admin has misconfigured a firewall,” he says.

Normally, this would just be a simple happy story about the government getting a great value from an open source operating system. They paid nothing for it and got the results of a widespread, open review looking for security holes.

De Raadt lives in Canada, not the United States, and he develops OpenBSD there because the laws on the export of encryption software are much more lenient. For a time, Canada did not try to control any mass market software. Recently, it added the requirement that shrinkwrapped software receive a license, but the country seems willing to grant licenses quite liberally. Software that falls into the public domain is not restricted at all. While OpenBSD is not in the public domain, it does fit that definition as set out by the rules. The software is distributed with no restrictions or charge. By the end of 1999, senior officials realized that the stop crypt policy was generating too many ironic moments.

This is just another example of how free source software throws the traditional-instincts regulatory system for a loop. Companies sell products, and products are regulated. Public domain information, on the other hand, is speech and speech is protected, at least by the U.S. Constitution. Relying on Canada for network security of the Internet was too much.

In January 2000, the U.S. government capitulated. After relentless pressure from the computer industry, the government recognized that high-quality encryption software like OpenBSD was common throughout the world. It also recognized that the quality was so good that many within the United States imported it. The government loosened restrictions and practically eliminated them for open source software. While many people are still not happy with the new regulations, open source encryption software can now flow out of the United States. The distributors need only notify the U.S. government about where the software is available. The commercial, proprietary encryption software was not as lucky. The regulations are now substantially easier on the corporations but they still require substantial review before an export license is granted.

The difference in treatment probably did not result from any secret love for Linux or OpenBSD lurking in the hearts of the regulators in the Bureau of Export Affairs at the Department of Commerce. The regulators are probably more afraid of losing a lawsuit brought by Daniel Bernstein. In the latest decision released in May 1999, two out of three judges on an appeals panel concluded that the U.S. government's encryption regulations violated Bernstein's rights of free speech. The government argued that source code is a device not speech. The case is currently being appealed. The new regulations seem targeted to specifically address the problems the court found with the current regulations.

Encryption software is just the beginning of the travails as the government tries to decide what to do about the free exchange of source code on the Net. Taxes may be next. While people joke that they would be glad to pay 10 percent sales tax on the zero dollars they've spent on GNU software, they're missing some of the deeper philosophical issues behind taxation. Many states don't officially tax the sale of an object; they demand the money for the use of it. That means if you buy a stereo in Europe, you're still supposed to pay some “use tax” when you turn it on in a state. The states try to use this as a cudgel to demand sales tax revenue from out-of-state catalog and mail-order shops, but they haven't gotten very far. But this hasn't stopped them from trying.

What tax could be due on a piece of free software? Well, the state could simply look at the software, assign a value to it, and send the user a bill. Many states do just that with automobiles. You might have a rusted clunker, but they use the Blue Book value of a car to determine the tax for the year and each year they send a new bill. This concept proved to be so annoying to citizens of Virginia that Jim Gilmore won the election for governor with a mandate to repeal it. But just because he removed it doesn't mean that others will leave the issue alone.

If governments ever decide to try to tax free software, the community might be able to fight off the request by arguing that the tax is “paid” when the government also uses the free software. If 7 out of 100 Apache servers are located in government offices, then the government must be getting 7 percent returned as tax.

One of the most difficult problems for people is differentiating between wealth and money. The free software movement creates wealth without moving money. The easy flow of digital information makes this possible. Some folks can turn this into money by selling support or assisting others, but most of the time the wealth sits happily in the public domain.

Today, the Internet boom creates a great pool of knowledge and intellectual wealth for the entire society. Some people have managed to convert this into money by creating websites or tools and marketing them successfully, but the vast pool of intellectual wealth remains open and accessible to all. Who does this belong to? Who can tax this? Who controls it? The most forward-thinking countries will resist the urge to tax it, but how many will really be able to keep on resisting?