January 19, 2011
On January 7, 2011, the United States Commerce Department’s Bureau of Industry and Security (BIS) published a final rule that eases export controls on some types of encryption software. See Publicly Available Mass Market Encryption Software and Other Specified Publicly Available Encryption Software in Object Code, 76 Fed. Reg. 1,059 (Jan. 7, 2011). The rule covers two types of encryption software:
(1) “Publicly available” encryption software in object code, with a symmetric key length greater than 64-bits, that has been determined to be mass market software under section 742.15(b) of the Export Administration Regulations (EAR) and that has been reclassified under Export Control Classification Number (ECCN) 5D992, and;
(2) “Publicly available” encryption software in object code classified under ECCN 5D002, when the corresponding source code meets the criteria for License Exception TSU (Technology and Software – Unrestricted), specified in Section 740.13(e) of the EAR.
Most publicly available software is not subject to export controls under the EAR. But certain publicly available encryption software has remained subject to EAR since the mid-1990s, when controls on commercial encryption were transferred to the Commerce Department. Pursuant to a recent review of encryption controls, BIS determined that there are no regulatory restrictions on making such mass market software “publicly available,” and that, once publicly available, removing it from the scope of the EAR would have no effect on export control policy. Further, BIS determined that making such material openly available for download by anyone, through posting it on the Internet, does not establish “knowledge” of a prohibited export or re-export under the EAR, and, as a result, such posting activity does not create an affirmative duty to inquire under the EAR’s “Know Your Customer” guidance.
Source code classified under ECCN5D002 that does not qualify for License Exception TSU remains subject to the EAR. Additionally, EAR procedures must still be used to place encryption materials outside of EAR jurisdiction under “mass market” or License Exception TSU designations. For the “mass market” provision applicable to key lengths greater than 64-bits, the requirements are provided in Section 742.15. Those requirements include submissions to both BIS and to the License Exception (ENC) Encryption Request Coordinator at the National Security Agency. Subject to allowances for certain end-users, written confirmation from BIS is required before such software can be exported or re-exported with ‘mass-market’ designation under ECCN 5D992. Analogous, though less stringent, notification rules apply to encryption software when the corresponding source code meets the criteria for License-Exception TSU. In that case, Section 740.13(e) requires that BIS and the ENC Encryption Request Coordinator be notified via email before an item can be eligible for License-Exception TSU. Notifications must include the Internet location of the source code, or copies of the actual source code, before taking action to make the software publicly available.
Senior government officials have described this final rule as a “clarification” of the encryption regime intended merely to result in greater simplification. “There is no effect on the operation of the EAR,” one government official said, “but this final rule will affect other agencies as they pertain to items on the CCL.”
Gibson, Dunn & Crutcher’s lawyers are available to assist with any questions you may have regarding these issues. For further information please contact the Gibson Dunn lawyer with whom you work or any of the following lawyers in the firm’s Washington, D.C. office:
© 2011 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.