Archive for the ‘Encryption’ Category

What the New Encryption Rules Mean For U.S. Exporters

Tuesday, July 20th, 2010 by admin

This article originally appeared in a slightly different form in International Trade Law360, July 1, 2010. Reprinted with permission of Pillsbury Winthrop Shaw Pittman LLP.

by Sanjay Jose Mullick

The Obama administration has taken the first step in export control reform by easing the pathway for U.S. companies to export certain encryption items.

The First Export Control Reform

On June 25, the U.S. Department of Commerce’s Bureau of Industry and Security issued new regulations governing export controls on encryption. This rulemaking represents the first formal example of the president’s initiative to reform U.S. export controls by concentrating regulation on the most sensitive items.

The new regulations reflect a recognition that encryption is ubiquitous in today’s high-tech world and cannot be completely regulated. These rules also attempt to address the need for U.S. companies to be able to get to market quickly, to foster the competitiveness of U.S. industry. However, they do not accomplish a complete de-control of encryption, and the prior system will remain in place for many products.

Although the regulations have been published as an interim final rule with a request for comments, they likely reflect the prevailing framework for regulating encryption exports going forward. Let’s take a look at some of the key elements of the new rules and how they will impact exporters.

BIS Ruling on Encryption Software

Friday, September 11th, 2009 by Danielle McClellan

BIS recently published an advisory opinion on downloads of encrypted “mass market” software. An undisclosed recipient asked BIS “whether a company would be in violation of the EAR if it allowed certain encrypted software, reviewed and classified by BIS as ‘mass market,’ to be downloaded free of charge to anyone from the company’s website without restriction.” BIS responded by explaining that simply “publishing ‘mass market’ encryption software to the internet where it may be downloaded by anyone NEITHER establishes ‘knowledge’ of a prohibited export or reexport nor triggers any ‘red flags’ necessitating the affirmative duty to inquire under ‘Know Your Customer’ guidance provided in the EAR.”

Commerce Relaxes EAR to Be More Like the ITAR

Wednesday, December 12th, 2007 by Danielle McClellan

It used to be that the International Traffic in Arms Regulations allowed a US citizen employee of a US exporter to carry export-license-required technical data (technology) out of the country on his/her laptop, while the EAR did not allow the same thing to happen. That has now changed. In the December 12, 2007 Federal Register, the Bureau of Industry and Security, Commerce revised the Export Administration Regulations (EAR) to expand the export license exceptions Temporary Imports, Exports, and Reexports (TMP) and Baggage (BAG) to allow certain exports and reexports of technology between two U.S. persons, or their employees, who are traveling or temporarily assigned abroad.

The rule expands the availability of License Exceptions TMP and BAG but does not authorize any new release of technology. Any technology exported under the new rule may only be released to persons who may receive that same technology pursuant to other provisions of the EAR, which means it will still be subject to the restrictions applicable to technology exports and reexports.

Minute by Minute Report from Commerce Update Conference 2006

Tuesday, October 17th, 2006 by Scott Gearity

Editor’s Note:

If you didn’t make it to Update 2006, it turns out that the only thing you missed was the posh reception including sushi, crab cakes, and free drinks. You get all of the substance of the presentations here because Scott Gearity wrote a live report from the Commerce Department’s annual Update conference on October 16-17, 2006. Note the time stamp at the beginning of each point below.
–John Black


BIS Spring Cleaning

Friday, April 29th, 2005 by Scott Gearity

April 29 saw the publication of a sort of spring cleaning regulation from BIS in the form of updated contacts and minor administrative corrections. Think of it as the bureaucratic equivalent of a good scrubbing and a new coat of paint.

Among the office number changes and snappy turns of a phrase like “this rule corrects a citation error in Sec. 762.1(a)(4) by revising the reference to Sec. 734.2(b)(7) to read Sec. 736.2(b)(7),” there is a mention of the office Commerce continues to insist on calling the “ENC Encryption Request Coordinator.” Elsewhere in the rule BIS refers to this mysterious place as “that organization.”

Now, you know, I know, and the American people know that the National Security Agency exists. It’s not a secret any more. They have a website. Nor is it classified that NSA plays a vital role in formulating US export controls on encryption. Former BIS undersecretary Bill Reinsch noted it all the way back in 1998. Brian Nilsson mentioned discussions with NSA at a Regulations and Procedures Technical Advisory Committee (RPTAC) meeting in 2001. Peter Lichtenbaum thanked Norm Lacroix for working with them just last year. In December, BIS even spilled the beans by pointing out in the last encryption reg that the ENC Encryption Request Coordinator has a @nsa.gov email address. So what’s with the pseudonym?

Not mentioned by BIS is that NSA is no longer accepting documents via fax.  Their old number (301) 688-8183 is no longer in service and no one seems to be distributing the new one.

Guide to New US Encryption Export Regulations

Thursday, June 27th, 2002 by Guest Author

(Editor’s Note: Even companies who do not manufacture encryption products may find themselves exporting software or hardware that employs encryption. Special thanks to Felice, a leading expert on crypto controls, for her clear overview of the new crypto rules.)

INTRODUCTION

US rules on the export of encryption technology have been changing on average every 8 months, beginning in December of 1996. The only constant has been that the rules have been overwhelmingly confusing and ambiguous. The latest go-round of changes happened on June 6, 2002. (Please note that the export regulations governing the export of encryption technology consist of general rules and myriad exceptions to these rules. Therefore, the following should be viewed as an overview, and your particular situation should be analyzed with reference to the actual regulation. Such exotica as source code, beta-test software, open cryptographic application programming interfaces, etc., are beyond the scope of this article.)

LEGAL AUTHORITY

The US has the legal authority to control the export of encryption technology under the Export Administration Act. The regulations that implement this law are called the Export Administration Regulations (“EAR”). You can view the regs on-line at http://www.bis.doc.gov. If you are primarily interested in crypto exports you will want to look at section 740.17. This section will reference other sections, but the bulk of the specific rules regarding encryption will be here.

PLAYERS

The Bureau of Export Administration (BIS) is the primary agency you need to deal with if you want to get export approval for your encryption products. However, the National Security Agency is heavily involved in the process, so you will often need to deal with them.

CLASSIFYING YOUR ENCRYPTION PRODUCTS

ECCNs 5A992, 5D992 and 5E992

Certain products that use encryption technology for limited functions fall under 5A992 (hardware) or 5D992 (software). These products are generally of the following nature:

–Authentication

–Access Control Systems

–Digital Signature

–Some Smart Cards

–Some cell phones and components

Other products also fall within these two ECCNs namely:

–Products that use 56-bit DES or a comparable algorithm, with key exchange under 512 bits

–Products that use 64-bit symmetric algorithms for data confidentiality and are “mass market”

–Products that use symmetric algorithms of any key length for data confidentiality and are “mass-market.”

ECCNs 5A002, 5B002, 5D002

If your product uses encryption and is not covered by the above-mentioned categories, then it is likely caught by 5A002 (hardware), 5B002 (test and production equipment) or 5D002 (software). Technology to make items covered by 5A002, 5B002 or 5D002 is covered by 5E002. Products covered by these ECCNs may in many cases be exported using License Exception ENC. Exports not allowed under ENC need an individual license or an Encryption Licensing Arrangement.

EXPORTING ITEMS CLASSIFIED AS 5A992, 5D992 or 5E992

If you make a product that uses encryption (regardless of key length) for limited functions like user authentication, access control, digital signature, or banking, you can “self-classify” and ship under No License Required (NLR).

For products using symmetric algorithms with 64-bit key lengths or less or asymmetric algorithms of 512 bits or less, a simple notification to BIS and NSA is all that is needed to be able to ship under NLR.

If you think you qualify for the exemption for strong crypto “mass market” products, you must file a “review request” to see if BIS agrees with you. The definition of mass market is taken from the Cryptography Note of the regulations:

a. Generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of the following:

1. Over-the-counter transactions;

2. Mail order transactions;

3. Electronic transactions; or

4. Telephone call transactions;

b. The cryptographic functionality cannot be easily changed by the user; and

c. Designed for installation by the user without further substantial support by the supplier.

BIS and NSA have stated that they are going to be “strict” when considering requests to classify strong encryption products as “mass market.” Specifically, they want proof that the product is sold in a computer store like CompUSA.

For all software, hardware and technology controlled by 5A992, 5D992 and 5E992, you can export under NLR to all countries except the terrorist countries and to all end-users except the bad guys, and no reporting is required.

EXPORTING ITEMS CLASSIFIED AS 5A002, 5B002, 5D002 and 5E002

License Exception ENC is the authority that allows you to export most encryption products covered by ECCNs 5A002, 5B002, 5D002 and 5E002. However, before you can use this license exception, you usually need to submit a Commodity Classification request to BIS/NSA. (If your shipments are confined to subsidiaries of US companies you don’t have to go through this step.) You also have to keep records of who you ship to, because you need to report to BIS and NSA every six months on who you shipped to. You can export products to any end-user under ENC in the following countries immediately upon filing a Commodity Classification Request:

Austria, Australia, Belgium, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan, Luxembourg, Netherlands, New Zealand, Norway, Poland, Portugal, Spain, Sweden, Switzerland, United Kingdom

If your product uses strong encryption but you want to sell outside these countries, you need to wait 30 days before shipping and you cannot ship to “government end-users” unless your product qualifies as a “retail” product. If it qualifies as a “retail product” it can go to any end-user in any country other than the bad countries under ENC. If it is not a “retail product” it can only go to non-government end-users under ENC. You will be informed when your Commodity Classification is complete if your product qualifies as retail.

Retail vs. Non-Retail

The concept of “retail” is similar to the concept of “mass-market” discussed previously. “Retail” products are those generally available to the public by being

(1) sold through retail outlets,

(2) specially designed for individual consumer use, OR

(3) which are or will be sold in large volume without restrictions through mail order, electronic or telephone sales.

However, these “retail” products CANNOT:

(a) allow the cryptographic functionality to be easily changed by the user,

(b) require substantial support to install and use,

(c) be modified or customized for the customer, and

(d) be designed to be used as network infrastructure products.

Examples of “retail” products are general purpose operating systems that don’t qualify as “mass-market”, chips designed for retail products, low end routers, firewalls and VPNs designed for the SOHO market, desktop applications that do not qualify as “mass-market”, low end servers and application specific servers, network and security management products designed for low end computers and products which contain short range wireless encryption software/components.

RECORDKEEPING

You need to keep records of whom you provide encryption products (i.e., those controlled under ECCNs 5A002, 5B002, 5D002 or 5E002) to under license exception ENC. The reason you need to do this is that you will need to send a report to the Bureau of Industry and Security and the National Security Agency twice a year. (See Reporting section below.)

REPORTING

You are required to send reports to BIS and NSA that contain information on who you ship to and what kind of technical review the product has undergone. This is only necessary for products shipped under license exception ENC, and even for ENC shipments reports are NOT required in the following instances:

1. You are shipping to a subsidiary of a U.S. company

2. You are shipping to a US bank or financial institution or anyone that does business with them.

3. You are shipping weak crypto products (e.g., under 64 bits).

4. You are shipping a “retail” product to an individual consumer.

5. You are making the software available via free or anonymous download.

6. You are shipping single processor computers, laptops and hand-held devices that are pre-loaded or bundled with encryption software.

The reports are due according to the following schedule:

–For shipments made between January 1st and June 30th, the report is due on August 1st.

–For shipments made between July 1st and December 31st, the report is due on February 1st.

You need to prepare the report in an electronic format and send via e-mail or load onto disk and send to the mailing addresses below:

e-mail addresses:

crypt@bis.doc.gov

enc@ncsc.mil

OR

mailing addresses:

Bureau of Industry and Security

US Department of Commerce

Office of Strategic Trade and Foreign Policy Controls

14th Street and Pennsylvania Avenues

Room 2705

Washington, D.C. 20230

Attn: Encryption Reports

ENC Encryption Request Coordinator

9800 Savage Road

Suite 6131

Ft. Meade, MD 20755-6000

The report should identify:

–Company name and address,

–Contact person and contact information,

–Reporting period

–And for each product the report should include:

–Product name and license or CCATS number for the product

–Ship-to-parties name and addresses, and the quantities and dates of shipment for each

by Felice Laird, Export Strategies