Are Open‑Source Projects on GitHub Subject to U.S. Export Controls?
The article explains that GitHub’s user agreement and the Apache Software Foundation’s policies include U.S. export‑control clauses, but legal experts clarify that publicly available open‑source code without encryption is generally exempt from EAR restrictions, while enterprises may still need licenses for certain uses.
Recent U.S. export‑control actions against Huawei and Docker have led users to notice that GitHub’s Terms of Service contain a clause stating that information uploaded to GitHub.com, GitHub Enterprise Server, or any product may be subject to U.S. export‑control laws, including the Export Administration Regulations (EAR).
[Image: GitHub agreement screenshot]
Some readers wondered whether open‑source code on GitHub is now regulated. The situation is more nuanced.
“Feeling Like a Spy”
The Apache Software Foundation (ASF) also includes similar export‑control language on its website, indicating that software developed through its public forums and distributed via U.S. servers is subject to U.S. export regulations, even under the Apache License.
Because GitHub is the largest open‑source hosting platform, the presence of such clauses has caused concern among developers, some joking that cloning code now feels like espionage.
Users are advised to keep backups on alternative platforms and consider the risk of relying on a single hosting service.
By forking open‑source software in a third country, recompiling it, and releasing it under a different name, one can potentially bypass export‑control restrictions.
The clause in GitHub’s agreement is not new; it already lists embargoed countries such as Cuba, Iran, North Korea, Sudan, and Syria, and notes that the list may change.
Rest Assured
Legal expert Lin Cheng‑xia, a consultant for the Open‑Source Society, explains that open‑source software that does not involve encryption is not controlled by the EAR. Only software that includes encryption technology falls under the regulation and requires a license.
According to the EAR, exporting software abroad or providing it to foreign persons from the United States generally requires a license, but software that is "publicly available" is exempt.
Even publicly available software must obtain a license if it incorporates non‑public encryption methods.
Lin assures readers that mainstream open‑source projects are unlikely to be restricted unless the U.S. changes its export‑control rules, and that most open‑source code on GitHub is publicly accessible and does not need licensing.
The impact is mainly on enterprises that wish to purchase, deploy, or redistribute software internally; they may need to consider export‑control compliance, while the open‑source community itself remains largely unaffected.
Source: Quantum Bit (量子位 WeChat official account)