In the context of software, export control has a fairly encompassing definition: it restricts the "disclosure of source code to foreign nationals", even if the disclosure occurs domestically, even if no money changes hands, and even if the distribution occurs over the Internet [1]. The rationale is to achieve "national security, foreign policy, military or even economic purposes" [2].
The primary concern of export controls is "dual-use software" that contains substantial domestic origin content or technology [3]. Dual-use software refers to software that has both civilian and military uses [4]. Apart from General Export Authorisations, which provide a blanket approval for export to certain countries [5], the EU requires that exporters exercise "due diligence" in understanding how the exported product will be used and notify the authorities that the items are exported under the Union General Export Authorisation [6]. In the UK, the transfer of dual-use software falls under the ambit of the Export Control Order 2008: prospective exporters will need a license, must keep records of these exports, and must subject those records to inspection on request [7].
Global Positioning System (GPS) is an example of a dual-use technology [8] that can be used for civilian navigation purposes or to guide missiles to a target. Before 2014, GPS receivers that could function above 60,000 feet and at 1,000 knots velocity were subject to the International Traffic in Arms Regulations as they had the propensity to be used for military purposes [9].
On the software front, security tools such as Nessus or Metasploit, which are used for vulnerability scanning, have also been deemed dual-use [10]. On one hand, organizations can use them to scan their own assets for vulnerabilities so that these can be patched. On the other hand, hackers can use them to discover vulnerabilities in others' devices, so as to exploit and compromise them for nefarious reasons.
Metasploit is open source and available to download on GitHub [11]. It appears that the responsibility for export control has been placed on the intermediary, GitHub, which complies with the US Export Administration Regulations to restrict the export of code to selected countries [12]. GitHub is home to more than 400 million code repositories from over 4 million organizations [13], which take advantage of its source code versioning and hosting services to store their software. Thus, it would make sense for regulators to capitalize on these intermediaries and gatekeepers to effectively achieve export control aims.
[1] Brock A (ed), Open Source Law, Policy, and Practice (Second edition, Oxford University Press 2022), pp. 275, 277
[2] ibid, pp. 276-277
[3] ibid
[4] ibid
[5] ibid, p. 279
[6] Regulation (EU) No 1232/2011 of the European Parliament and of the Council of 16 November 2011 amending Council Regulation (EC) No 428/2009 setting up a Community regime for the control of exports, transfer, brokering and transit of dual-use items, ANNEX IIb, Part 3
[7] Export Control Order 2008, Part 5
[8] Silic, Mario. "Dual-Use Open Source Security Software in Organizations – Dilemma: Help or Hinder?" Computers & Security 39 (2013): 386–95, p. 387
[9] Inside GNSS, "U.S. Eases Export Regulations for GPS Receivers" https://insidegnss.com/u-s-eases-export-regulations-for-gps-receivers/ accessed 28 March 2025
[10] Silic (n 8), pp. 390-391
[11] rapid7, "Metasploit Framework" https://github.com/rapid7/metasploit-framework accessed 28 March 2025
[12] GitHub, "GitHub and Trade Controls" https://docs.github.com/en/site-policy/other-site-policies/github-and-trade-controls accessed 28 March 2025
[13] GitHub, "About GitHub: Let's build from here" https://github.com/about accessed 28 March 2025