April 14, 2021

Software and Export Control

Today’s New York Times, in an article by John Schwartz, reports on the availability of export-controlled software outside the U.S. Certain software that has defense applications is not allowed to be shipped to “pariah countries” such as North Korea and Iraq. Unauthorized copies of such software are available for sale in China, and presumably the Chinese sellers would be willing to ship them anywhere.

The article works hard to conflate export violations with copyright infringement, even using the word “piracy” in the title, and claiming that “Digital piracy … has moved into more dangerous territory” as “[a] black market has emerged for scientific and engineering software powerful enough to fall under United States export restrictions.”

The implication is that the Internet is a big part of the problem. And yet a careful reading of the article reveals no evidence that the illicit copies of the software left the U.S. via the Internet (as opposed to being mailed or hand-carried). Certainly the black market in export-controlled software was flourishing long before the Internet became popular.

The real problem is the illusion that a software package can be sold widely, even to customers outside the U.S., without its becoming available to a motivated adversary who wants it. Even if it were somehow made impossible to copy export-controlled software packages, our adversaries would still be able to buy or steal authorized copies.

This is obvious to people who have experience in the export-control wars. Stewart Baker, who was General Counsel at the National Security Agency during the crypto export control debates, points out the folly of the current approach:

To his mind, Mr. Baker said, [these] problems are part of a broader trend of mistakenly looking at national security issues as problems for law enforcement. “O.K., you can’t prosecute ’em,” he said. “Well, duh.”