Open Source Could Be a Casualty of the Trade War

When I heard that ARM was to stop doing business with Huawei, I was a little bit puzzled as to how that worked: ARM is a British company owned by a Japanese conglomerate; how was the US able to extend its influence beyond its citizens and borders? A BBC report indicated that ARM had concerns over its US origin technologies. I discussed this topic with a friend of mine who works for a different non-US company that has also been asked to comply with the ban. He told me that apparently the US government has been sending cease and desist letters to some foreign companies that derive more than 25% of their revenue from US sources, threatening to hold their market access hostage in order to coerce them into ceasing business with Huawei.

Thus, America has been able to draw a ring around Huawei much larger than its immediate civilian influence; even international suppliers and non-citizens of the US are unable to do business with Huawei. I found the intent, scale, and level of aggression demonstrated by the US in acting against Huawei to be stunning: it’s no longer a skirmish or hard-ball diplomacy. We are in a trade war.

I was originally under the impression that the power to pull this off was a result of Trump’s Executive Order 13873 (EO13873), “Securing the Information and Communications Technology and Services Supply Chain”. I was wrong. Amazingly, this was nothing more than a simple administrative ruling by the Bureau of Industry and Security through powers granted via the “EAR” (Export Administration Regulation 15 CFR, subchapter C, parts 730-774), along with a sometimes surprisingly broad definition of what qualifies as export-controlled US technology. The administrative ruling cites Huawei’s indictment for willfully selling equipment to Iran as justification for imposing a broad technology export ban upon Huawei’s global operations.

Going Nuclear: Executive Order 13873
If a simple administrative ruling can inflict such widespread damage, what sorts of consequences does EO13873 hold? I decided to look up the text and read it.

EO13873 states there is a “national emergency” because “foreign adversaries” pose an “unusual and extraordinary threat to national security” because they are “increasingly creating and exploiting vulnerabilities in information and communications technology services”. Significantly, infocomm technology is broadly defined to include hardware and software, as well as on-line services.

It’s up to the whims of the administration to figure out who or what meets the criteria for a “foreign adversary”. While no entities have yet been designated as a foreign adversary, it is broadly expected that Huawei will be on that list.

According to the text of EO13873, being named a foreign adversary means one has engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the US. In the case of Huawei, there has been remarkably little hard evidence of this. The published claims of backdoors or violations found in Huawei equipment are pretty run-of-the-mill; they could be just diagnostic or administrative tools that were mistakenly left in a production build. If this is the standard of evidence required to designate a foreign adversary, then most equipment vendors are guilty and at risk of being designated an adversary. For example, glaring flaws in Samsung SmartTVs enabled the CIA’s WeepingAngel malware to listen in on your conversations, yet Samsung is probably safe from this list.

If Huawei has truly engaged in a long-term pattern of conduct significantly adverse to national security, surely, some independent security research would have already found and published a paper on this. Given the level of fame and notoriety such a researcher would gain for finding the “smoking gun”, I can’t imagine the relative lack of high-profile disclosures is for a lack of effort or motivation. Hundreds of CVEs (Common Vulnerabilities and Exposures) have been filed against Huawei, yet none have been cited as national security threats. Meanwhile, even the NSA agrees that the Intel Management Engine is a threat, and has requested a special setting in Intel CPUs to disable it for their own secure computing platforms.

If Huawei were to be added to this list, it would set a significantly lower bar for evidence compared to the actions against similarly classified adversaries such as Iran or North Korea. Lowering the bar means other countries can justify taking equivalent action against the US or its allies with similarly scant evidence. This greatly amplifies the risk of this trade war spiraling even further out of control.

Supply Chains are an Effective but Indiscriminate Weapon
How big a deal is this compared to say, a military action where bombs are being dropped on real property? Here are some comparisons I dug up to get a sense of scale for what’s going on. Huawei did $105 billion revenue in 2018 – 30% more than Intel, and comparable to the GDP of Ukraine – so Huawei is an economically significant target.


Above: Huawei 2018 revenue in comparison to other companies or countries’ GDP.

Now, let’s compare this to the potential economic damage of a bomb being dropped on a factory: let’s say an oil refinery. One report indicated that the largest oil refinery explosion since 1974 caused around $1.8 billion in economic damage. So carving Huawei out of the global supply chain with an army of bureaucrats is better bang for the buck than sending in an actual army with guns, if the goal is to inflict economic damage.


Above: A section of “The 100 Largest Losses, 1974-2013: Large Property Damage Losses in the Hydrocarbon Industry, 23rd Edition”.

The problem is, unlike previous wars fought in distant territories, the splash damage of a trade war is not limited to a geographic region. The abrupt loss of Huawei as a customer will represent billions of dollars in losses for a large number of US component suppliers, resulting in collateral damage to US citizens and companies. Even though only a couple weeks have passed, I have first-hand awareness of one US-based supplier of components to Huawei who has gone from talks about acquisition/IPO to talks about bankruptcy and laying off hundreds of well-paid American staff; doubtless there will be more stories like this.

Reality Check: Supply Chains are Not Guided Missiles
The EAR was implemented 40 years ago, during the previous Cold War, as part of an effort to weaponize the US dollar. The US dollar’s power comes in part from the fact that most crude oil is traded for US dollars – countries like Saudi Arabia won’t accept any other currency in payment for its oil. Therefore sanctioned countries must acquire US dollars on the black market at highly unfavorable rates, resulting in a heavy economic toll on the sanctioned country. However, it’s worth taking a moment to note some very important differences between previous sanctions which used the US dollar as a weapon, and the notional use of the electronics supply chain as a weapon.

The most significant difference is that the US truly has an axiomatic monopoly on the supply of US dollars. Nobody can make a genuine US dollar, aside from the US – by definition. However, there is no such essential link between a geopolitical region and technology. Currently, US brands sell some of the best and most competitively priced technology, but little of it is manufactured within the US. The US may have one of the largest markets, but it does not own the supply chain.

It’s no secret that the US has outsourced most of its electronics supply chain overseas. From the fabrication of silicon chips, to the injection molding of plastic cases, to the assembly of smartphones, it happens overseas, with several essential links going through or influenced by China. Thus weaponizing the electronics supply chain is akin to fighting a war where bullets and breeches are sourced from your enemy. Victory is not inconceivable in such a situation, but it requires planning and precision to ensure that the first territory captured in the war hosts the factories that supply your base of power.

Using the global supply chain as a weapon is like launching a missile where your enemy controls the guidance systems: you can point it in the right direction, but where it goes after launch is out of your hands. Some of the first casualties of this trade war will be the American businesses that traded with Huawei. And if China chooses to reciprocate and limit US access to its supply chain, the US could take a hard hit.

Unintended Consequences: How Weaponized Trade Could Backfire And Weaken US Tech Leadership
One of the assumed outcomes of the trade war will be a dulling of China’s technical prowess, now that its access to the best and highest performing technology has been cut off. However, unlike oil or US dollars, US dominance in technology is not inherently linked to geographic territories. Instead, the reason why the US has maintained such a dominant position for such a long time is because of a free and unfettered global market for technology.

Technology is a constant question of “make vs. buy”: do we invest to build our own CPU, or just buy one from Intel or ARM? Large customers routinely consider the option of building their own royalty-free in-house solutions. In response to such threats, US-based providers lower their prices or improve their offerings, thus swinging the position of their customers from “make” to “buy”.

Thus, large players are rarely without options when their technology suppliers fail to cooperate. Huge companies routinely groom internal projects to create credible hedge positions that reduce market prices for acquiring various technologies. It just so happens the free market has been very effective at dissuading the likes of Huawei from investing the last hundred million dollars to bring those internal projects to market: the same market forces that drove the likes of the DEC Alpha and Sun Sparc CPUs to extinction have also kept Huawei’s CPU development ambitions at bay.

The erection of trade barriers disrupts the free market. Now, US companies will no longer feel the competitive pressure of Huawei, causing domestic prices to go up while reducing the urgency to innovate. In the meantime, Huawei will have no choice but to invest that last hundred million dollars to bring a solution to market. This in no way guarantees that Huawei’s ultimate solution will be better than anything the US has to offer, but one would be unwise to immediately dismiss the possibility of an outcome where Huawei, motivated by nationalism and financially backed by the Chinese government, might make a good hard swing at the fences and hit a home run.

The interest in investing in alternative technologies goes beyond Huawei. Before the trade war, hardly anyone in the Chinese government had heard about RISC-V, an open-source alternative to Intel and ARM CPUs. Now, my sources inform me it is a hot topic. While RISC-V lags behind ARM and Intel in terms of performance and maturity, one key thing it had been lacking is a major player to invest the money and manpower it takes to close the gap. The deep irony is that the US-based startup attempting to commercialize RISC-V – SiFive – will face strong headwinds trying to tap the sudden interest of Chinese partners like Huawei directly, given the politics of the situation.

Collateral Damage: Open Source
The trade war also raises a question about the fate of open source as a whole. For example, according to the 2017 Linux Foundation report, Huawei was a Platinum sponsor of the Linux Foundation – contributing $500,000 to the organization – and they were responsible for 1.5% of the code in the Linux kernel. This is more influence than Facebook, more than Texas Instruments, more than Broadcom.

Because the administrative action so far against Huawei relies only upon export license restrictions, the Linux Foundation has been able to find shelter under a license exemption for open source software. However, should Huawei be designated as a “foreign adversary” under EO13873, it greatly expands the scope of the ban because it prohibits transactions with entities under the direction or influence of foreign adversaries. The executive order also broadly includes any information technology including hardware and software with no exemption for open source. In fact, it explicitly states that “…openness must be balanced by the need to protect our country against critical national security threats”. While the context of “open” in this case refers to an “investment climate”, I worry the text is broad enough to easily extend its reach into open source technologies.

There’s nothing in GitHub (or any other source-sharing platform) that prevents your code from being accessed by a foreign adversary and incorporated into their technological base, so there is an argument that open source developers are aiding and abetting an enemy by effectively sharing technology with them. Furthermore, in addition to considering requests to merge code from a technical standpoint, one has to also consider the possibility that the requester could be subject to the influence of Huawei, in which case accepting the merge may put you at risk of stiff penalties under the IEEPA (up to $250K for accidental violations; $1M and 20 years imprisonment for willful violations).

Hopefully there are bright and creative lawyers working on defenses to the potential issues raised by EO13873.

But I will say that ideologically, a core tenet of open source is non-discriminatory empowerment. When I was introduced to open source in the 90’s, the chief “bad guy” was Microsoft – people wanted to defend against “embrace, extend, extinguish” corporate practices, and by homesteading on the technological frontier with GNU/Linux we were ensuring that our livelihoods, independence, and security would never be beholden to a hostile corporate power.

Now, the world has changed. Our open source code may end up being labeled as enabling a “foreign adversary”. I never suspected that I could end up on the “wrong side” of politics by being a staunch advocate of open source, but here I am. My open source mission is to empower people to be technologically independent; to know that technology is not magic, so that nobody will ever be a slave to technology. This is true even if that means resisting my own government. The erosion of freedom starts with restricting access to “foreign adversaries”, and ends with the government arbitrarily picking politically convenient winners and losers to participate in the open source ecosystem.

Freedom means freedom, and I will stand to defend it.

Now that the US is carpet-bombing Huawei’s supply chain, I fear there is no turning back. The language already written into EO13873 sets the stage to threaten open source as a whole by drawing geopolitical and national security borders over otherwise non-discriminatory development efforts. While I still hold hope that the trade war could de-escalate, the proliferation and stockpiling of powerful anti-trade weapons like EO13873 is worrisome. Now is the time to raise awareness of the threat this poses to the open source world, so that we can prepare and come together to protect the freedoms we cherish the most.

I hope, in all earnestness, that open source shall not be a casualty of this trade war.

40 Responses to “Open Source Could Be a Casualty of the Trade War”

  1. Ben Hutchings says:

    I already know of one open source contribution, related to Huawei hardware, that was delayed due to uncertainty over the US sanctions.

  2. J. Peterson says:

    I have to wonder about the veracity of the petroleum industry loss report you cite. Shouldn’t the 2010 Deepwater Horizon explosion top the list? Wikipedia cites economic losses in the $40-90B range.

    I tried to download the report, but the link comes back empty.

    • K. Cross says:

      The report is a PDF file that comes up on my Firefox. It lists a “Blowout/explosion/fire” that occurred on an “Upstream” plant in the Gulf of Mexico on 4/21/2010 which *might* be the Deepwater Horizon event. It lists a property loss of $600 Million, which is a lot less than the Wikipedia numbers. The report might be limiting the amount to just the damage to their equipment, and Wikipedia could be including damages to the surrounding economy.

      Note: The report says “The lease operator has set up a us$20 billion compensation fund, and the loss has led to attempts to place a temporary ban on drilling activity in us coastal waters.”

      • bunnie says:

        I think that’s correct — the report just focuses on the damage caused to equipment, not the associated economic losses of e.g. environmental impact, subsequent lawsuits and so forth.

        Which I think is the number I wanted to compare against, because the question I was wondering about was how effective economic sanctions are compared to say, a targeted strike on a military installation, which represents a large loss of equipment but is relatively isolated otherwise.

        • Paul Boddie says:

          From the article: “One report indicated that the largest oil refinery explosion since 1974 caused around $1.8 billion in economic damage.”

          For the record, referencing the corresponding table entry, Piper Alpha was an oil platform not an oil refinery: the “upstream” indicator is probably meant to communicate this. Of course, your broader point does not depend on the precise nature of that tragic event.

  3. David Marceau says:

    You are so right about all these issues.
    You are eloquent. Thank you for being a true hero.
    What we need are leaders looking to make this a win – win for every citizen in all countries.
    Trump and Trudeau and Xi Jinping have to think very hard to correct their decision paths in order to make that happen.

  4. tz says:

    I’ve given up on OpenSource, probably more than a year ago. I don’t contribute to anything and don’t license anything new under even the GPL.

    The government and Huawei aren’t the problem. The Social Justice Warriors are.

    Now there are licenses that if I’ve said something ANYONE finds offensive on Twitter, Facebook or on a blog or comment in the last two decades, they will push to remove me from a project. Linus was finally harassed enough to adopt one of these toxic Codes of Conduct.

    It isn’t about harassment. It is about anyone, including those who have NEVER contributed to a project, and not who have been personally contacted, but if I said “bradley” instead of “chelsea manning”, I’m deadnaming so am evil and should be shunned from everywhere.

    http://paul-m-jones.com/post/2016/01/19/on-the-proposed-php-code-of-conduct/

    http://esr.ibiblio.org/?p=6918

    There are other examples. Or like now BlackHat conference that invited a very smart legislator to talk about how to handle hacking… but a few people instead of avoiding the keynote (I’ve been told if I don’t like it, just don’t listen or watch) decided to get him banned.

    I give up. The SJWs have taken over opensource and are more concerned about screeching and pointing and getting anyone who has ever said anything that anyone might find offensive – worse than China’s social credit score – banned from contributing, banned from conferences, and unpersoned. See James Damore and Google – he was trying to find a solution.

    Huawei? Bans? I was there when crypto code was considered a “munition”. I wrote a one page faxable crypto proxy to allow SSL. PGP5 had to be published as a book and mailed or faxed to Europe. I could have been arrested if I made a mistake. Now no one cares about that. Because I’m not a SJW authorized victim and wish to have rational conversations, I would be vilified, attacked, doxxed.

    No thank you.

    Let opensource die the death of intolerant SJW diversity.

    • anon says:

      You should stop taking LSD.

    • xD says:

      Also, whaaat???
      You can always fork GPL code, really doesn’t matter if you can contribute directly or not!!
      Team up with some like-minded people if you feel that alone you can’t keep up with upstream, or strip down the code to keep only what you think is really needed, or just, you know, write a wrapper or something, this being the easiest option…
      Many possibilities that closed source doesn’t offer you…

    • nutjob says:

      Well, the Codes of Conduct are working. They’re designed to get rid of people who find them offensive. You won’t be missed.

    • Mark Hahn says:

      To a Believer with an axe to grind, everything is a conspiracy. Take your meds.

      • Thomas Birch says:

        TZ, you are a very awesome human being!

        In the previous comment Mark has suggested that you take your meds. You may not presently be prescribed meds. What I believe Mark is saying is that everyone would love it if you spent a little more time contributing in ways that add shared value to this world. Also, I think he thinks you may benefit from speaking with a counselor.

        I know I want you to succeed, TZ. Getting caught up in concerns over how other people would like to be named or addressed is, well, it is not consequential as the topic at hand is. Our collective independence could depend on successful F/OSS. I assure you that future does not depend on pronoun selections used to speak to each other.

    • Clsid says:

      I have given up on open source on the desktop, being that MacOS is so freaking good in that respect. But the thing is though open source doesn’t belong to anyone, I don’t like everybody posting everything to Github for the same reason that centralizing everything a la sourceforge will eventually lead to a single point of failure situation. Something like Freshmeat connected to personal repos everywhere would be more ideal. But when sourceforge failed, even though there was disruption, everybody moved on and something else appeared on the radar.

      So don’t lose perspective just because you are not a team player or like to play/endure petty group politics. Just find a friend or two and you can develop something awesome like OpenBSD.

    • aki009 says:

      Amen. That describes my view on this topic also. And gauging by some of the responses, well stated.

  5. Rick Sanchez says:

    World War 3 is coming, US versus China. The SJWs already destroyed open source with the code of conduct.

  6. Dave says:

    What was the name of that Corporate Giant that managed to buy out GitHub?
    That was after most moved over to that platform.
    Just cannot remember the name, but ignorance of this is no excuse.

    • bunnie's perlfriend says:

      This is bunnie’s partner. That was my bad; bunnie’s first draft mentioned that Microsoft owns Github, but I edited it out because I thought it distracted from the message.

      When he writes long blog posts, I cut out sentences / paragraphs that I feel distract from the message.

  9. Anon says:

    So forcing China to move to risc-v is actually a win for open source ISAs and risc-v as an ISA and open-source movement to delete the barriers erected by arm and intel.

    Second, it will take Huawei more than several hundred million dollars and a year to “invest in their own tech [stack]”. Assuming China doesn’t just steal the US EDA tech (which it probably has), there is no way they will be able to replicate all the various EDA tools needed to build a chip in modern process technologies. If they HAVE stolen it, then they don’t understand the technology and they will not be able to innovate new solutions to new tech problems – thus they will not be able to scale well with tech advancement. That’s just for one layer of the stack. Now extend and revise a similar argument for other layers.

    Third, assuming they do invest into their own tech stack, that is actually a net win because then they are actually not stealing tech to catch up, and innovating technology that they themselves will need to protect – i.e., they develop respect for intellectual property and are forced to at least consider the moral dilemmas incurred with protecting their own intellectual property especially within their own country – i.e., from tech theft from other Chinese firms against Huawei, thus forcing legal reform within their country as well. This could ostensibly lead to the development of more fractured governments as each state firm carves its own trench, leading to the possible development of pseudo democratic voting systems within their single party bloc. Which will be tantamount to the beginnings of a two party system – a net win for human rights and democracy.

    Fourth, as important as OSS is, we have seen continually that source code in and of itself is not that important compared to the technological branding. A chip is replaceable, Ruby on Rails is replaceable, WordPress is replaceable, but Facebook and WeChat are not, once they have reached their scale. You could use all of the OSS tech built and used in Facebook and still not even achieve one peanut’s worth of success. The real battle here is between brands, and China has already locked down their own market from external brands through the great firewall and anti competitive laws against foreign companies. Using parts of OSS code to penalize and ostracize products is a weapon used to protect large brands and specific markets (i.e. WeChat vs all, Alibaba vs Amazon, Uber vs Didi, etc), it is not a peanut’s worth of concern to the average medium sized OSS project (that has hundreds of contributors who all check the veracity of each other’s patches).

    • Clsid says:

      I find it curious that you are unable to see an alternative path of development since you are trying to base what you would like to happen in China, based on the development of the Western world. If anything I have seen, China and its culture is a very different ballgame. The fact that you have communism added to the mix just makes it even more strange, but time and again, China has proven that it can only be ruled in an effective way through a strong centralized government. The experiments with a republic only ended working for a tiny island and when you see the amount of minorities living in China, you immediately realize that if true democracy takes hold, the country would split into 3 or 4 pieces.

      As for the technological advancement part, just like the fine article points out, science is not a mystery or a cult, that if you do not belong you are left out. I saw first-hand the kind of advances they have done in synthetic crystal making and stealing had very little to do with it. You do not reach the advancements that the Chinese industry has through stealing alone, since as you mention, even if you steal you have to be able to understand what you are stealing. It has been pointed out before that the Japanese did the same in the 60s/70s and look where they are now. I believe that in the end we will have two major competitors in the world and that is a good thing for everyone involved in the end, even if it ends up splitting the internet and everything.

    • Nathan Myers says:

      Evidently you did not read the recent announcement of a mainland x86-alike with performance matching midrange Intel offerings.

    • UncleOxidant says:

      “Second, it will take hua-wei more than several hundred million dollars and a year to “invest in their own tech [stack]”. assuming China doesn’t just steal the us EDA tech (which it probably has), there is no way they will be able to replicate all the various EDA tools needed to build a chip in modern process technologies.”

      Yes, EDA would seem to be the fly in the ointment here. However, they could just continue to use the EDA tools they already have (it’s not that hard to get around the licensing issues). And there is a good amount of open source and academic EDA code out there that could be used as a basis for developing their own EDA tools. China could make this a priority for their universities and pour a lot of resources into it.

  11. David Arnold says:

    Two comments:

    Huawei contributed and owns a significant number of the Standards-Essential Patents in the 5G standards. If it is not possible to pay license fees to Huawei for their use, how will anyone implement 5G ?

    Secondly, for those who parrot the statement that Huawei steals technology, you might notice in the same article that they’re the biggest contributor to the 5G standards development. They have no need to “steal” IP from US (or other) technology companies.

    https://www.iam-media.com/who-leading-5g-patent-race

  12. Interesting analysis, Bunnie. I am wondering if the threat extends to open source software, I would be keen to understand what OSI would have to say as well as the Software Conservancy, the EFF and FSF. The GPL is powerful in that one cannot place restriction of use and it would be important to understand if a state can place a restriction on the GPL and if that will even hold validity. Perhaps FSF, EFF and the Conservancy should trigger, when appropriate, legal action in the US to address such actions.

    I did write [0] about the Huawei issue but did not know of the other nuances your post has brought up.

    Thanks for the post. Much more to think about.

    [0] https://harishpillay.wordpress.com/2019/05/20/the-enormous-empowering-of-free-and-open-source-software-ecosystem/

    • bunnie says:

      I believe there is a doctrine that a contract can be found unenforceable if the purpose of the agreement is to achieve an illegal end. The GPL is a type of contract. Executive Order 13873 is an implementation of a law, the IEEPA. If law enforcement finds that e.g., Huawei is a foreign adversary, it thus becomes unlawful to acquire technology from Huawei.

      My guess is that both in theory and in practice, law beats contract, even if the law is newer than the contract. If you had a contract with a city to dump pollution into a waterway, and then a clean water act is passed, it would stand to reason the dumping contract would be found unenforceable and in fact unlawful. Likewise, if you had a contract which said this code shall have no restrictions placed on it, but then the law says, “but you can’t share technology with adversaries”, then it would stand to reason that the non-discrimination clause of the contract is enforceable up to the point of dealings with foreign adversaries. (I’m not a lawyer, just speculating, so don’t take this as legal advice). This would be my guess of the theory, at least.

      In practice, law definitely can beat contract, because even if the law is ultimately struck down and found to be incorrect, the attorney general of the US is allowed broad discretion to prosecute activities that are thought to be unlawful in their judgment. So if the attorney general were to find that say, Huawei contributing to Linux were contrary to US national security interests, it could at least begin to prosecute members of the open source community. Even if that prosecution ends up not putting anyone in jail or paying a fine, the prosecution itself can be a tortuous process, even driving some to suicide (remember the case of Aaron Swartz). So in practice, I worry there is a hazard to even create a plausible theory that could enable the prosecution of open source developers under national security interests.

      Another potential consequence of the executive order is that it can be used as a political football to lock open source projects out of the US economy. As a concrete example, should RISC-V generally become perceived as the “Chinese option” for general purpose CPUs, ARM could lobby to get Chinese RISC-V makers designated as foreign adversaries, effectively blocking them from selling into the US market. Thus ARM may have a long-term incentive to cease its immediate relationship with Huawei; if it can successfully brand RISC-V as the technology of foreign adversaries, US law can be abused to restrict its import and thus secure ARM’s continued monopoly on the US market. This is also why allowing an extremely low bar of evidence for the determination of adversary status is so dangerous. Lots of laws and rules get passed during times of conflict that seem like good ideas, which later get abused in times of peace.

      Finally, for the question of software v. hardware: while it’s clearly easier to enforce a ban on the trade of hardware, I don’t think it means software is in the clear. The EAR has an exemption for open source code, but the executive order was very specific to mention that software should be restricted, and I see no reason why hawkish lawmakers would allow an open source loophole, absent vigorous lobbying by the open source community. I have also seen some comments that software is speech, therefore it is protected. To be clear, the protectable aspect of software is that software is a form of human expression (like poetry), therefore it is speech. However, courts have ruled that the functional aspects of software can be regulated, licensed, patented, etc. Thus there is some wiggle room for hawks to rein in the notional “first amendment” protections. Although I hope that would meet fierce resistance, it doesn’t prevent a few unlucky developers from being subject to the stress of prosecution and litigation while the protests work their way through the system. Also, there is significant momentum around the idea that not all speech should be free, particularly around “fake news” or “false facts”. If code contributed by foreign adversaries is found to be protectable as speech, then it becomes open to the theory that their “expression” may potentially harbor statements that could undermine democratic processes, and therefore it could be subject to censorship.

      While I hope *none* of these crazy theories are ever exercised, the key point is that none of these theories were even possible before the executive order was issued. Just as we might hope that the pile of uranium someone brought into the room is never assembled into a bomb, it’s probably worth asking, why in the heck are we even allowing this toxic substance in the room in the first place, and what can we do to remove or contain it?

      • Nathan Myers says:

        A license is not a contract. There is a separate body of law for licenses. Licenses can refer to contracts, and vice versa, and lots of lawyers and judges would like to conflate them because contract law is more familiar. But a license doesn’t need agreement from all parties, and it doesn’t depend on “consideration” being exchanged. That is the reason saying “I never signed the GPL” is meaningless.

        That said, yes, a license is a creature of law, government — and, yes, international treaty. Treaties are trickier to set aside than contracts.

  13. […] Open Source Could Be a Casualty of the Trade War. […]

  14. […] Open Source Could Be a Casualty of the Trade War […]

  15. aki009 says:

    I’m surprised that few if any of these discussions even mention the negative effects of the one-sided economic formula that’s been promulgated by China for decades. The underlying concept had been to “help” China enter the international community of nations that use trade to assure peace and to improve prosperity within their borders, but with the expectation that at some point the one-sided training wheels would come off.

    However, instead of appreciating the assistance they have received, the Chinese have belligerently effectively demanded that the unfair trade practices should be continued into perpetuity. *That* has caused far more damage to American (and other non-Chinese) businesses than this short-term “trade war” ever could.

    Add to this the destabilizing military and expansionist ambitions of China, and it is obvious why the current state of affairs is not only a good thing, but ultimately forestalls far worse conflicts in the future.

    Balanced international trade has been the basis of the longest relatively peaceful period in modern days, bringing an end to the Soviet Union and effectively uniting Germany and France that could not have been further apart after more than 2,000 years of wars.

    So how about we all embrace President Trump’s work to bring about conditions that will forestall an otherwise inevitable military confrontation?

  16. Adrian says:

    I agree with most of the essay, but you lost me at “Collateral Damage: Open Source”.

    Don’t those restrictions already apply to the numerous countries and entities sanctioned by the US, like Iran, North Korea, Cuba to mention a few? I don’t know how this is managed and enforced today, but legally the situation doesn’t seem to be any different.

  17. […] Never thought of this downside of open source before. SECURITY NOW 724 HIDE YOUR RDP NOW!. Kazakhstan is telling citizens to install a root cert into their browser so they can perform man-in-the-middle attacks. An interesting question is how browser makers should respond. More interesting is what if Kazakhstan responds by making their own browser based on open source, compromising it, and requiring its use? Black Mirror should get on this. Software around us appears real, but has actually been replaced by pod-progs. Also, Open Source Could Be a Casualty of the Trade War […]

  18. […] and open hardware hacker Bunnie Huang has written about at length, in a blog post entitled “Open Source Could Be a Casualty of the Trade War”. It’s well-worth reading and pondering, because the relatively minor recent problems […]

  19. […] blogger suspects such a net may soon ensnare one of our favorite things. Bunnie’s Blog warns, “Open Source Could Be a Casualty of the Trade War.” The writer checked out Executive Order 13873, and considers how the incredibly broad text could […]