Encryption Law

The export of commercial encryption products is regulated by the Bureau of Industry and Security. Rules governing exports and reexports of encryption items are found in the Export Administration Regulations (EAR), 15 C.F.R. Parts 730-774. Sections 740.13, 740.17 and 742.15 of the EAR are the principal references for the export and reexport of encryption items. The following is a summary of the applicable law.


Important EAR Terms and Principles: § 734.2


Definition of Export:


Export means an actual shipment or transmission of items subject to the EAR out of the United States, or release of technology or software subject to the EAR to a foreign national in the United States.


Export of encryption source code and object code software


For purposes of the EAR, the export of encryption source code and object code software means: (a) an actual shipment, transfer or transmission out of the United States; or (b) a transfer of such software in the United States to an embassy or affiliate of a foreign country.


The export of encryption source code includes downloading, or causing the downloading of, such software to locations (including electronic bulletin boards, Internet file transfer protocol, and World Wide Web sites) outside the U.S. or making such software available for transfer outside the United States, over wire, cable, radio, electromagnetic, photo optical, photo electronic or other comparable communications facilities accessible to persons outside the United States, unless the person making the software available takes precautions adequate to prevent unauthorized transfer of such code.


Precautions for Internet transfers of products eligible for export shall include such measures as:


  1. The access control system, either through automated means or human intervention, checks the address of every system outside the U.S. or Canada requesting or receiving a transfer and verifies such systems do not have a domain name or Internet address of a foreign government end user;

  2. The access control system provides every requesting or receiving party with notice that the transfer includes or would include cryptographic software subject to export controls under EAR, and anyone receiving such a transfer cannot export the software without a license or other authorization; and

  3. Every party requesting or receiving a transfer of such software must acknowledge affirmatively that the software is not intended for a foreign government end user, and that he understands the cryptographic software is subject to export controls under the EAR.


To read the whole section, visit:

http://www.access.gpo.gov/bis/ear/pdf/734.pdf


Encryption Items: § 742.15


Encryption items can be used to maintain the secrecy of information, and thereby may be used by persons abroad to harm U.S. national security, foreign policy and law enforcement interests. The United States has a critical interest in ensuring that important and sensitive information of the public and private sector is protected.


Consistent with our international obligations as a member of the Wassenaar Arrangement, the United States has a responsibility to maintain control over the export and reexport of encryption items.


Exports and reexports of encryption software, like exports and reexports of encryption hardware, are controlled because of this functional capacity to encrypt information, and not because of any informational or theoretical value that such software may reflect, contain, or represent, or that its export or reexport may convey to others abroad. For this reason, export controls on encryption software are distinguished from controls on other software regulated under the EAR.


Licensing Requirements and Policy


A license is required to export or reexport encryption items controlled for national security reasons. Most encryption items may be exported without a license pursuant to the License Exceptions set forth in § 740.17 of the EAR. For exports and reexports that are not eligible for a license exemption, exporters must submit an application to obtain authorization under a license or Encryption Licensing Arrangement.


Applications are reviewed by BIS on a case-by-case basis to determine whether the export is consistent with U.S. national security and foreign policy interests. Encryption Licensing Arrangements (ELAs) may be authorized for exports of unlimited quantities of encryption commodities and software to national or federal government bureaucratic agencies for civil use and to state and local governments. ELAs are valid for four years and may require post-export reporting or pre-shipment notification.

Review Requirements for mass market encryption commodities and software exceeding 64 bits:


Mass market encryption commodities and software employing a key length greater than 64 bits for the symmetric algorithm are subject to the EAR and require review by BIS and the Encryption Request Coordinator prior to export.


A new product review is required if a change is made to the cryptographic functionality (algorithms) or other technical characteristics affecting mass market eligibility of the originally reviewed product (performance enhancements to provide network infrastructure services, or customizations to end user specifications).


A new product review is not required when a change involves: the subsequent bundling, patches, upgrades or releases of a product; name changes, or changes limited to updates of encryption software components where the product is otherwise unchanged.


Procedures for requesting review:


To request review of encryption commodities, submit the forms provided in the supplement and include specific information describing how your products qualify for mass market treatment.


Action by BIS:


Once BIS has completed review, you will receive written confirmation concerning the eligibility of your items for export as mass market encryption commodities or software. If, during the review, BIS determines that your encryption items do not qualify for mass market treatment or are otherwise classified, BIS will notify you and will review your commodities or software for eligibility under other License Exceptions.


Exclusions from review requirements:


The following commodities and software do not require review prior to export as mass market products:


  1. short range wireless encryption functions

  2. ancillary cryptography


Examples of mass market encryption products:


Mass market encryption products include, but are not limited to, general purpose operating systems and desktop applications (email, browsers, games, word processors, database, financial application or utilities) designed for use with computers, laptops, or handheld devices; commodities and software for client internet appliances and client wireless LAN devices; home use networking commodities and software (personal firewalls, cable modems for personal computers) and portable or mobile civil communications commodities and software (PDAs, radios or cellular products).

For the whole section, see:

http://www.access.gpo.gov/bis/ear/pdf/742.pdf



Technology and Software – Unrestricted: § 740.13


This license exception authorizes exports of encryption source code that would be considered publicly available under the EAR.


Encryption Source Code:


This paragraph authorizes export without review of encryption source code considered publicly available under the EAR. Such source code is eligible for the License Exception even if it is subject to an express agreement or licensing fee or royalty for commercial production or sale of any product developed using the source code. This paragraph also authorizes the export of the corresponding object code if both the source and object code are considered publicly available.


You must notify BIS and the Encryption Request Coordinator via email of the Internet location of the source code or provide them each a copy of the source code at or before the time you take action to make the software publicly available. If you give BIS the Internet location of the code, you must notify BIS every time the location of the code changes, but you are not required to notify them of updates or modifications made to the encryption software at the previously notified location.


To view the whole section, visit:

http://www.access.gpo.gov/bis/ear/pdf/740.pdf

Sources

The Bureau of Industry and Security Website, “Encryption,” available at http://www.bis.doc.gov/encryption/default.htm


15 C.F.R. § 734.3 (2010), available at http://www.access.gpo.gov/bis/ear/pdf/734.pdf


15 C.F.R. § 742.15 (2010), available at http://www.access.gpo.gov/bis/ear/pdf/742.pdf


15 C.F.R. § 740.13 (2010), available at http://www.access.gpo.gov/bis/ear/pdf/740.pdf

