<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>ECTI Blog &#187; Encryption</title>
	<atom:link href="http://learnexportcompliance.bluekeyblogs.com/category/topics/encryption/feed/" rel="self" type="application/rss+xml" />
	<link>http://learnexportcompliance.bluekeyblogs.com</link>
	<description></description>
	<lastBuildDate>Tue, 03 Jan 2012 16:11:37 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>What the New Encryption Rules Mean For U.S. Exporters</title>
		<link>http://learnexportcompliance.bluekeyblogs.com/2010/07/20/what-the-new-encryption-rules-mean-for-u-s-exporters/</link>
		<comments>http://learnexportcompliance.bluekeyblogs.com/2010/07/20/what-the-new-encryption-rules-mean-for-u-s-exporters/#comments</comments>
		<pubDate>Tue, 20 Jul 2010 15:24:28 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[BIS]]></category>
		<category><![CDATA[CCL]]></category>
		<category><![CDATA[Commerce Dept]]></category>
		<category><![CDATA[EAR]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Export License]]></category>
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://learnexportcompliance.bluekeyblogs.com/?p=825</guid>
		<description><![CDATA[This article originally appeared in a slightly different form in International Trade Law360, July 1, 2010.  Reprinted with permission of Pillsbury Winthrop Shaw Pittman LLP. by Sanjay Jose Mullick The Obama administration has taken the first step in export control reform by easing the pathway for U.S. companies to export certain encryption items. The First [...]]]></description>
			<content:encoded><![CDATA[<p>This article originally appeared in a slightly different form in <em>International Trade Law360</em>, July 1, 2010.  Reprinted with permission of Pillsbury Winthrop Shaw Pittman LLP.</p>
<p><em>by Sanjay Jose Mullick</em></p>
<p>The Obama administration has taken the first step in export control reform by easing the pathway for U.S. companies to export certain encryption items.</p>
<p><strong>The First Export Control Reform</strong></p>
<p>On June 25, the U.S. Department of Commerce’s Bureau of Industry and Security issued new regulations governing export controls on encryption. This rulemaking represents the first formal example of the president’s initiative to reform U.S. export controls by concentrating regulation on the most sensitive items.</p>
<p>The new regulations reflect a recognition that encryption is ubiquitous in today’s high-tech world and cannot be completely regulated. These rules also attempt to address the need for U.S. companies to be able to get to market quickly, to foster the competitiveness of U.S. industry. However, they do not accomplish a complete de-control of encryption, and the prior system will remain in place for many products.</p>
<p>Although the regulations have been published as an interim final rule with a request for comments, they likely reflect the prevailing framework for regulating encryption exports going forward. Let’s take a look at some of the key elements of the new rules and how they will impact exporters.<span id="more-825"></span></p>
<p><strong>Company-Based Framework</strong></p>
<p>The new rules move away from a regulatory approach based on disclosure of the technical characteristics of the product to be exported to one focused on the profile of the company that will be making the exports.</p>
<p><strong>Encryption Registration</strong></p>
<p>When President Obama first announced the export control reform initiative, he stated that he wanted to change the export authorization process for encryption items “from 30 days to 30 minutes” and the new rules accomplish that. Specifically, for “less sensitive” encryption items, and for mass market items, the prior requirement to submit a technical questionnaire to BIS for it to conduct a product review has been replaced with one whereby the exporting company submits an online “encryption registration.” The encryption registration consists of contact information, an overview of the company and an identification of what categories apply to the company’s products.</p>
<p>Once the registration is submitted to BIS, the agency immediately issues a registration number, and the company becomes authorized to export encryption products such as local area network products, small routers and mass market items. For these products, companies no longer have to submit a technical questionnaire response with information about the product’s encryption algorithms and no longer have to wait 30 days to obtain authorization to export to key markets such as China and India.</p>
<p>Under the prior rules, it was often a good business practice for companies to make available to their customers, distributors and other business partners the classifications BIS issued pursuant to ENC review requests. This was because when BIS classified a product, other companies could rely on that classification as authority to make their own exports of the product, even if that company had not submitted the classification. Under the new rules, BIS has indicated that an exporter may rely on a producer’s encryption registration (to export that producer’s encryption product) without itself having to file a distinct encryption registration.</p>
<p><strong>Classification Report</strong></p>
<p>The company registration requirement is coupled with a requirement for the company to file an annual self-classification report. The report consists of a listing of the encryption items the company has self-classified and exported. Specifically, the report consists of the following six elements: (i) product name; (ii) model/series/part number; (iii) primary manufacturer; (iv) export control classification number; (v) encryption authorization type, e.g., ENC; and (vi) item type selector, e.g., gateway, modem or virtual private network. The report can be filed by e-mail.</p>
<p>One aspect of License Exception ENC many companies have disliked has been the requirement to file semi-annual reports. Although not a requirement that impinged on export authorization, that reporting requirement could pose an administrative burden because it required capturing several information fields for all the applicable transactions, and doing so in a way that they could be retrieved and converted into a spreadsheet. For certain encryption items, that reporting requirement no longer applies and has been replaced with the more streamlined annual self-classification report.</p>
<p><strong>Two Key Developments</strong></p>
<p>Although the general easing of export controls on encryption items is important, there are two developments that are particularly key because they extend the useful scope of License Exception ENC and entirely de-control a class of items, respectively.</p>
<p><strong>Encryption Technology Included</strong></p>
<p>One of the limitations of License Exception ENC had been that, as to several countries, it did not authorize exports of certain “technology” necessary for manufacturing, development or testing of encryption items. This would be relevant, for example, if a company were co-developing a product with a business partner overseas and needed to exchange certain technical specifications on encryption or engage in related technical discussions. Under the prior rule, the commodity and software could be exported under License Exception ENC, but the related technology had to wait for the longer approval of an export license, delaying product development.</p>
<p>The new rules now grant export authorization to items classified as ECCN 5E002 after submission of a classification request, either immediately or after 30 days, depending on the country. In now extending License Exception ENC to encryption technology, this one form of export authorization is enough to proceed with all tracks of product development, i.e., the commodity itself and now also both the related software and technology. Depending on the country, the authorization may not extend to encryption technology for more sensitive items, such as for cryptanalytic items, those with an open cryptographic interface and for “non-standard cryptography” (discussed further below). Notably, the authorization also does not extend at all to certain countries typically involved in offshore manufacture and software development. For example, although India is included, China and Russia are excluded.</p>
<p><strong>Ancillary Encryption De-Controlled</strong></p>
<p>The new rules also entirely release from the encryption controls items where “the primary function or set of functions” is neither (i) information security, (ii) computing, (iii) information storage or transmission, nor (iv) networking, and where the cryptographic functionality is limited to supporting the primary function or set of functions. Such items now include gaming, household appliances, fire alarm systems, inventory management software and business process automation. Exporters should review the entire list carefully to see if it applies to their business.</p>
<p>BIS took a sizable step in this direction in October 2008 when it created the exception for items that perform only “ancillary cryptography.” Although that allowed those products to escape the review requirement, it was somewhat confusing because the products still were classified, e.g., under ECCN 5A002 and required License Exception ENC for export. The new rule allows such products to be classified as EAR99, so long as any other aspect of their functionality does not trigger a specific ECCN.</p>
<p><strong>Limitations of the Changes</strong></p>
<p>Alas, the new rules do not ease the regulatory burden on all encryption products. Upon a closer review, chip manufacturers and software developers may conclude the amended regulations do not provide the benefits they may seem to offer at first glance.</p>
<p><strong>Encryption Components</strong></p>
<p>Still subject to the traditional requirement to submit a one-time product review (now termed a classification request) and to file semi-annual product export reports are certain “encryption components” and “equivalent or related software,” including (i) chips, chipsets, electronic assemblies and field programmable logic devices; (ii) cryptographic libraries, modules, development kits and toolkits; and (iii) application-specific hardware or software development kits.</p>
<p>Depending on the encryption algorithm and key length, this means those involved in supplying OEMs with the encryption elements of even consumer-type items, as well as companies engaged in cross-border development of their own products, generally will still likely have to follow the prior procedure. As before, whether exports are authorized to commence upon registration of the classification request or are subject to the 30-day waiting period will depend on the countries involved.</p>
<p>BIS has also been reluctant to grant mass market treatment to components of mass market end-items, e.g., the chip going into a consumer smartphone as opposed to the smartphone itself. This is because such components may not necessarily be sold in the same way as the final product and, until incorporated into it, they theoretically could be used in other applications.</p>
<p>In the future, perhaps BIS might consider extending mass market treatment to such components and software upon a clear demonstration that they are specially designed to be used exclusively with mass market end-items. For now, however, the new regulations re-affirm that generally encryption components will themselves have to satisfy the tests of large sales volume and general retail availability to be able to qualify for mass market treatment.</p>
<p><strong>Non-Standard Cryptography</strong></p>
<p>Also still subject to the prior review and reporting requirement are encryption commodities, software and components that provide or perform “non-standard cryptography.” That term is defined as “any implementation of ‘cryptography’ involving the incorporation or use of proprietary or unpublished cryptographic functionality, including encryption algorithms or protocols that have not been adopted or approved by a recognized international standards body… and have not otherwise been published.”</p>
<p>Carving out use of encryption that is published is a fairly significant policy development, but it does not go as far as it may seem.</p>
<p>Previously, a fairly common stumbling block for industry was using publicly available algorithms like Advanced Encryption Standard without recognizing that their incorporation or implementation into proprietary products was deemed to create a new and distinct encryption product requiring ENC review. Focusing controls on “non-standard cryptography” may go a long way toward exempting those end-products from classification and waiting period requirements.</p>
<p>However, use of such algorithms and protocols can still be considered nonstandard cryptography if—though standard themselves—they are being modified or customized in a particular way. Companies will likely have to conduct careful internal review of how they are using encryption before concluding they are not using “nonstandard cryptography.”</p>
<p>These are concepts that are new even to the regulators, so at this stage the full range of their scope and applicability is not entirely clear. Instead, sorting out exactly what fits these criteria can be expected to be a focus of discussion over the coming months.</p>
<p><strong>Restricted Items</strong></p>
<p>License Exception ENC continues to contain a subsection previously called “ENC Restricted,” which covers items such as network infrastructure software, commodities and components. BIS has revised and updated that list and it should be reviewed carefully. It also imposes classification, waiting period and reporting requirements. This subcategory of encryption items is significant because, for certain countries, an export license is required in order to export to governmental customers.</p>
<p><strong>New Regulatory Architecture</strong></p>
<p>In issuing the new encryption regulations, BIS indicated it would continue to review the rules, and certainly the real process of export control reform has only just begun. What these regulations do accomplish is the creation of a new architecture for regulating encryption that recognizes the reality that today encryption is a pervasive technology.</p>
<p>U.S. companies have to be able to develop products, consult with partners and service customers abroad swiftly to be able to compete effectively in a globalized world. At the same time, the speed at which technology can be deployed across borders places a greater strain on the systems that help safeguard national security.</p>
<p>As BIS consults with industry, this new framework should enable it to respond more quickly to market trends by more readily shifting items from a category of greater control to one of lesser control, calibrating the focus of export control resources on higher priority areas.</p>
<p><strong>Sanjay Jose Mullick</strong></p>
<p>International Trade</p>
<p>+1.202.663.8786</p>
<p>sanjay.mullick@pillsburylaw.com</p>
<p>Sanjay Mullick is a Washington-based member of Pillsbury’s International Trade practice, where he advises clients on export issues concerning encryption software and technology and on designing and implementing export control compliance programs.</p>
]]></content:encoded>
			<wfw:commentRss>http://learnexportcompliance.bluekeyblogs.com/2010/07/20/what-the-new-encryption-rules-mean-for-u-s-exporters/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>BIS Ruling on Encryption Software</title>
		<link>http://learnexportcompliance.bluekeyblogs.com/2009/09/11/bis-ruling-on-encryption-software/</link>
		<comments>http://learnexportcompliance.bluekeyblogs.com/2009/09/11/bis-ruling-on-encryption-software/#comments</comments>
		<pubDate>Fri, 11 Sep 2009 17:03:04 +0000</pubDate>
		<dc:creator>Danielle McClellan</dc:creator>
				<category><![CDATA[BIS]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Export License]]></category>
		<category><![CDATA[Information Technology]]></category>

		<guid isPermaLink="false">http://learnexportcompliance.com/news/2009/09/11/bis-ruling-on-encryption-software/</guid>
		<description><![CDATA[BIS recently published an advisory opinion on downloads of encrypted &#8220;mass market&#8221; software. An undisclosed recipient asked BIS &#8220;whether a company would be in violation of the EAR if it allowed certain encrypted software, reviewed and classified by BIS as &#8220;mass market,&#8221; to be downloaded free of charge to anyone from the company&#8217;s website without [...]]]></description>
			<content:encoded><![CDATA[<p>BIS recently published an advisory opinion on downloads of encrypted &#8220;mass market&#8221; software. An undisclosed recipient asked BIS &#8220;whether a company would be in violation of the EAR if it allowed certain encrypted software, reviewed and classified by BIS as &#8220;mass market,&#8221; to be downloaded free of charge to anyone from the company&#8217;s website without restriction.&#8221; BIS responded by explaining that simply &#8220;publishing &#8220;mass market&#8221; encryption software to the internet where it may be downloaded by anyone NEITHER established &#8220;knowledge&#8221; of a prohibited export or reexport nor triggers any &#8220;red flags&#8221; necessitating the affirmative duty to inquire under &#8220;Know Your Customer&#8221; guidance provided in the EAR.&#8221;<span id="more-687"></span><br />
 <br />
So let&#8217;s break this down: if a person or company posts &#8220;mass market&#8221; encryption software on their website for free download and the download is anonymous, then there is no EAR violation, even if a person from Iran, Cuba, Syria, Sudan or North Korea downloaded the software. There is a catch, though: if the company/individual asks for a name and email before the download can occur, all bets are off and you or your company are now responsible for screening individuals. BIS stated that if the download is not anonymous (you obtain a name or email) the company becomes responsible for ensuring that no one from Iran, Cuba, Syria, Sudan or North Korea downloads the software. A license would be required for individuals from these countries. <em>It should be noted that BIS did say that &#8220;a violation would not occur if the IP address of the person downloading the software is collected by the software provider at the time of the download and stored as a &#8220;footprint&#8221; in the machine code of the software provider&#8217;s database, but is not tracked or used for any purpose by the software provider.&#8221;<br />
</em> <br />
So in the end you&#8217;re not violating any regulations if you post &#8220;mass market&#8221; encryption software on the web as long as the download is free and anonymous. Remember, this is a don&#8217;t ask, don&#8217;t tell relationship. If you ask for the information from the user, you have to tell BIS and possibly get a license; if you don&#8217;t ask, you don&#8217;t have to talk to BIS at all.<br />
 <br />
Advisory Opinion: <a target="_blank" href="http://www.bis.doc.gov/policiesandregulations/advisoryopinions.htm">http://www.bis.doc.gov/policiesandregulations/advisoryopinions.htm</a></p>
]]></content:encoded>
			<wfw:commentRss>http://learnexportcompliance.bluekeyblogs.com/2009/09/11/bis-ruling-on-encryption-software/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Commerce Relaxes EAR to Be More Like the ITAR</title>
		<link>http://learnexportcompliance.bluekeyblogs.com/2007/12/12/commerce-relaxes-ear-to-be-more-like-the-itar/</link>
		<comments>http://learnexportcompliance.bluekeyblogs.com/2007/12/12/commerce-relaxes-ear-to-be-more-like-the-itar/#comments</comments>
		<pubDate>Wed, 12 Dec 2007 22:04:13 +0000</pubDate>
		<dc:creator>Danielle McClellan</dc:creator>
				<category><![CDATA[EAR]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[Information Technology]]></category>
		<category><![CDATA[USA Regulations]]></category>

		<guid isPermaLink="false">http://learnexportcompliance.com/news-staging/2007/12/12/commerce-relaxes-ear-to-be-more-like-the-itar/</guid>
		<description><![CDATA[It used to be that the International Traffic in Arms Regulations allowed a US citizen employee of a US exporter to carry export-license-required-technical data (technology) out of the country on his/her laptop while the EAR did not allow the same thing to happen. That has now changed. In the December 12, 2007 Federal Register, the Bureau [...]]]></description>
			<content:encoded><![CDATA[<p>It used to be that the International Traffic in Arms Regulations allowed a US citizen employee of a US exporter to carry export-license-required-technical data (technology) out of the country on his/her laptop while the EAR did not allow the same thing to happen. That has now changed. In the December 12, 2007 Federal Register, the Bureau of Industry and Security, Commerce has revised the Export Administration Regulations (EAR) to expand the export license exceptions Temporary Imports, Exports, and Reexports (TMP) and Baggage (BAG) to <strong>allow for certain exports and reexports of technology between two U.S. persons or their employees traveling or those that are temporarily assigned abroad.</strong></p>
<p>The rule expands the availability of License Exceptions TMP and BAG but does not authorize any new release of technology. Any technology exported under the new rule may only be released to persons who may receive that same technology pursuant to other provisions of the EAR which means it will still be subject to restrictions applicable to technology exports and reexports.<span id="more-29"></span></p>
<p>The rule makes several changes to Section 740.9 which amends the “tools of trade” and the definition of U.S. persons which are applicable to export and reexport certain technology. Restrictions have also been added to prevent unauthorized export or reexport of technology which will require U.S. employers to demonstrate and document the reasons why the technology is needed by employees in business activities which are abroad. There will also be an additional requirement and guidance for the return or disposal of the technology, which will include an illustrative list of examples of technology that exists in a format that could facilitate a subsequent release of technology.</p>
<p>Section 740.14 amends the tools of trade provision which will authorize the export or reexport of certain technology to U.S. persons for use in the trade, occupation, employment, vocation, or hobby of the traveler or members of the U.S. person’s household, provided that they are U.S. persons, who are traveling or moving. The rule also provides a specific definition of the above-mentioned U.S. persons.</p>
<p>This rule also specifies certain restrictions applicable to the exports and reexports of certain types of encryption technology. The encryption technology will be controlled under ECCN 5E002 and will not be authorized under the new “tools of trade” and the new U.S. persons tools of trade will not authorize the export or reexport of ECCN 5E002 technology to any destination found in the Country Group E:1 of Supplement No. 1 to part 740.</p>
<p>More information:</p>
<p class="arrow"><a href="http://a257.g.akamaitech.net/7/257/2422/01jan20071800/edocket.access.gpo.gov/2007/E7-24077.htm" target="_blank">Federal Register Notice </a></p>
]]></content:encoded>
			<wfw:commentRss>http://learnexportcompliance.bluekeyblogs.com/2007/12/12/commerce-relaxes-ear-to-be-more-like-the-itar/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Minute by Minute Report from Commerce Update Conference 2006</title>
		<link>http://learnexportcompliance.bluekeyblogs.com/2006/10/17/report-from-commerce-update-conference-2006/</link>
		<comments>http://learnexportcompliance.bluekeyblogs.com/2006/10/17/report-from-commerce-update-conference-2006/#comments</comments>
		<pubDate>Wed, 18 Oct 2006 01:57:11 +0000</pubDate>
		<dc:creator>Scott Gearity</dc:creator>
				<category><![CDATA[AES]]></category>
		<category><![CDATA[BIS]]></category>
		<category><![CDATA[Canada]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Commerce Dept]]></category>
		<category><![CDATA[DDTC]]></category>
		<category><![CDATA[Deemed Export]]></category>
		<category><![CDATA[Defense Trade Controls]]></category>
		<category><![CDATA[EAR]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[FTS/Census]]></category>
		<category><![CDATA[ITAR]]></category>
		<category><![CDATA[OFAC]]></category>
		<category><![CDATA[Sanctions]]></category>
		<category><![CDATA[State Dept]]></category>
		<category><![CDATA[USA Regulations]]></category>

		<guid isPermaLink="false">http://learnexportcompliance.com/news-staging/2006/10/17/minute-by-minute-report-from-commerce-update-conference-2006/</guid>
		<description><![CDATA[Editor’s Note: If you didn’t make it to Update 2006, it turns out that the only thing you missed was the posh reception including sushi, crab cakes, and free drinks. You get all of the substance of the presentations here because Scott Gearity wrote a live report from the Commerce Department’s annual Update conference on [...]]]></description>
			<content:encoded><![CDATA[<h3>Editor’s  Note:</h3>
<p>If you didn’t make it to Update 2006, it turns out that the only thing you missed was the posh reception including sushi, crab cakes, and free drinks.  You get all of the substance of the presentations here because Scott Gearity  wrote a live report from the Commerce Department’s annual Update conference on October 16-17, 2006.  Note the time stamp at the beginning of each point below.<br />
<em>–John Black</em></p>
<p><span id="more-187"></span><br />
I have selected the key points (in my opinion) from Scott’s blog.  (If you want to read the whole thing, go to his website, <a href="http://www.exportcontrolblog.com/" target="_blank">www.exportcontrolblog.com</a>.)</p>
<hr />
<table border="0" cellpadding="5" cellspacing="0" width="90%">
<tr>
<td align="right" valign="top" width="60">8:38</td>
<td valign="top">Acting Under Secretary for Industry and Security Mark Foulon fast facts — he&#8217;s a Rhodes scholar and previously worked for a Democratic senator.</td>
</tr>
<tr>
<td align="right" valign="top">8:46</td>
<td valign="top">Last year: 34 criminal convictions and over $3 million in criminal fines; 104 administrative cases and $13+ million in penalties.</td>
</tr>
<tr>
<td align="right" valign="top">9:55</td>
<td valign="top">119 people arrested last year for Arms Export Control Act  violations.</td>
</tr>
<tr>
<td align="right" valign="top">9:58</td>
<td valign="top">GS says DDTC&#8217;s backlog is 10,000 cases! Somewhat more staff, including military officers, increasingly mandatory D-Trade are helping.</td>
</tr>
</table>
<hr />
<h3>Update  Day 1: ENCRYPTION</h3>
<table border="0" cellpadding="5" cellspacing="0" width="90%">
<tr>
<td align="right" valign="top" width="60">10:37</td>
<td valign="top">ITCD completed 2301 reviews and classifications last year, 18% mass market encryption, 69% License Exception ENC, the balance a grab bag. Also, 837 licenses, the vast majority crypto IVLs.</td>
</tr>
<tr>
<td align="right" valign="top">10:45</td>
<td valign="top">On to encryption&#8230; don&#8217;t forget about Category 5, Part II&#8217;s see-through rule, which captures items with cryptographic capabilities regardless of whether or not data confidentiality is their main function.</td>
</tr>
<tr>
<td align="right" valign="top">10:56</td>
<td valign="top">A few important issues in encryption reviews:
<ul>
<li><strong>Bundling:</strong> Should never involve something new, but rather two (or more) previously classified/reviewed items. For example, a program using the (very common) OpenSSL library is a new product from the BIS point of view, potentially requiring notification or review, and is not a bundle. Bottom line — and I&#8217;ve seen clients struggle with this often enough myself — it doesn&#8217;t matter where the crypto comes from, just that it&#8217;s being used in some manner. Pender suggests listing parts/components of an item separately on a classification request, along with the bundle or combined product. (See Part 770.2(m) for more)</li>
<li><strong>Open Source:</strong> Open source and publicly available are NOT synonymous.</li>
<li><strong>Crypto aware:</strong> Hooks and calls to third party encryption can still make your product subject to encryption rules even in the absence of innate crypto functionality.</li>
<li><strong>Dormant crypto:</strong> A product exported w/encryption features disabled is still considered an encryption item requiring review. Consider listing enabled/disabled separately on classification request. <strong>BIS wants to know:</strong>
<ul>
<li>Is there an interface to install new software?</li>
<li>Is the missing SW available for download?</li>
<li>Just waiting for activation key?</li>
<li>Can another product&#8217;s key be used?</li>
<li>Enhances performance of other  products?</li>
</ul>
</li>
</ul>
</td>
</tr>
</table>
<hr />
<h3>Update  Day 1: CHINA CONTROLS</h3>
<table border="0" cellpadding="5" cellspacing="0" width="90%">
<tr>
<td align="right" valign="top" width="60">1:32</td>
<td valign="top">$2.4 billion of the $38.9 billion in exports to China last year were shipped under BIS license. There were about $12.5 million in denials.</td>
</tr>
<tr>
<td align="right" valign="top">1:42</td>
<td valign="top">The new proposed China rule clarifies that the policy is to deny the export of National Security controlled items to Chinese military end-use. Also creates new authorization Validated End User (VEU) — a whitelist of sorts for vetted Chinese entities. You could think of this as an &#8220;open&#8221; Special Comprehensive License (SCL). Open in the sense that its use wouldn&#8217;t be restricted to a single applicant like an SCL.</td>
</tr>
<tr>
<td align="right" valign="top">2:15</td>
<td valign="top">Q: How will the rule affect the Chinese ARJ program?<br />
A: If OEMs are  commercial entities, we&#8217;ll consider them, but if they have a military pedigree  not so much.</td>
</tr>
<tr>
<td align="right" valign="top">2:16</td>
<td valign="top">Q: Will the rule impact civil aircraft flying Chinese leaders?<br />
A:  Tough one, we&#8217;ve received a number of comments about this.</td>
</tr>
<tr>
<td align="right" valign="top">2:18</td>
<td valign="top">Q: The definition of military end-use sounds a lot like the ITAR.  Is this rule redundant?<br />
A: We are only looking at end-use, not end-user.</td>
</tr>
<tr>
<td align="right" valign="top">2:19</td>
<td valign="top">Q: What&#8217;s the status of Hong Kong?<br />
A: Status quo — one country, two systems. That goes for the EAR, too. HK maintains a &#8220;first rate and very responsive&#8221; export control system.</td>
</tr>
</table>
<hr />
<h3>Update  Day 1: STATE DEPARTMENT EXPORT CONTROLS</h3>
<p>Courtesy  Doug Jacobson of <a href="http://www.tradelawnews.com/" target="_blank">International Trade Law News</a>, here&#8217;s his summary of this  morning&#8217;s deemed export breakout session:</p>
<p><strong>Department  of State Export Controls and Licensing, Ann Ganzer, Director of Office of  Defense Trade Controls Policy</strong></p>
<p>—<strong>Provided  an overview of DDTC.  </strong>The ITAR is an  illustration of what is controlled. &#8220;We believe that we control things  that have not been invented yet.&#8221;</p>
<p>—<strong>Licenses  — Going electronic.</strong> Had a wake for Ellie Net on Friday. D-Trade licenses get processed first. First, look at applicant first. Exporting is a privilege not a right. Look at end-user and end-use. Look at foreign policy. What impact on country seeking equipment, etc. Look at human rights impact  on other countries.</p>
<p>—DOD  reviews 1/3 of applications. Staffed to other agencies, such as NASA. <strong>But DDTC  makes final decision.</strong></p>
<p>—<strong>Congressional  notifications.</strong> When required, DDTC does not notify Congress when it is not in  session. This impacts the licensing timetable.</p>
<p>—<strong>Deemed exports under State…</strong> DDTC looks at all citizenships held.</p>
<p>—<strong>DDTC  Venezuela sanctions not in accordance with BIS. </strong>  Working on revising ITAR, but should assume in section 126.1.  [<em><strong>Editor’s Note:  </strong></em>Hmmm, compliance by assumption.  Assume the ITAR means things it doesn’t  say.  I guess this is nothing new.  —<em>JB</em>]</p>
<p>—<strong>DDTC processed 70K applications in FY 2006.  </strong> Greg Suchan noted 10,000 case backlog will it ever get fixed? &#8220;always hopeful&#8221;. Like filling a bathtub with drain open. Have a few new people, but are new. Take time to train. Times are decreasing.</p>
<p>—<strong>Punted  brokering questions.</strong></p>
<p>—<strong>Aircraft  Parts — Does ITAR part ever lose its ITAR identity? </strong>Section 38(f) requires congressional notification to remove from USML. If aircraft part, needs to be removed from USML before migrating to commercial.  Easier to use commercial components on military aircraft, rather than the reverse.</p>
<p>—<strong>Item  on USML does not lose its character. </strong>Used QRS-11 as example. Three CJs held that QRS-11 was on USML. &#8220;Bomb in a suitcase is still a bomb, not a suitcase.&#8221; QRS-11 carve-out for stand-by instruments. Carve out for FPAs in night vision. Carve out for personal protection gear.</p>
<p>—<strong>Providing  USML item to foreign person in US would require a license. </strong>Transfer of title  can be an export.  [<em><strong>Editor’s Note: </strong></em> The ITAR says transfer of tech data and aircraft, vessel or satellite to foreign person in the US is an export, but it does not say the transfer of other defense articles to foreign persons in the US is an export. —<em>JB</em>]</p>
<p>—<strong>Best  not to contact licensing officers, contact Response Team. </strong> [<em><strong>Editor’s Note: </strong></em> But make sure you don’t get a wrong  interpretation of the ITAR from the RT. —<em>JB</em>]</p>
<p>—<strong>Due  diligence on buying and selling ITAR within US. </strong>Depends on case.  Confirming registration is good. Depends on  who you are selling to though.</p>
<p>—<strong>Voluntary disclosures</strong> — Concerned about companies that do not submit VSDs.</p>
<p>—<strong>Freight  forwarders and export licenses</strong> — if FF can fulfill requirements of exporter under ITAR, they can apply for and obtain a license. However, if a FF can&#8217;t open the package then they can&#8217;t apply for a license.</p>
<p>—<strong>Whether  to release licenses to a customer is the exporter&#8217;s decision.</strong></p>
<p>—<strong>Example  of an item that is first used for military, but not subject to ITAR. </strong>For  example, an aircraft part that was first used by military while waiting for FAA  certification.</p>
<p>—<strong>DDTC  considers all citizenships when reviewing licenses.</strong> Thus, if person holds  Chinese citizenship, prohibits exports of USML items to China and Chinese nationals.</p>
<p>—<strong>DDTC wants to get the word out.</strong> Has long relationship with SIA, but interested in working with other organizations.</p>
<p>—<strong>10%  increase in CJs in 2006.</strong> Total of 364. Expect companies to do their own CJs, but consult with DDTC in gray areas or where you can&#8217;t figure it out. Working with groups to develop best practices in CJs.</p>
<p>—<strong>DDTC  has been successful on keeping aircraft parts from Iran&#8217;s military.</strong></p>
<p>—<strong>President Bush has only waived sanctions on China three times.</strong> Very rare. Examples included bomb disposal equipment and chemical weapons destruction equipment.</p>
<hr />
<h3>Update  Day 2: ENFORCEMENT PLENARY</h3>
<table border="0" cellpadding="5" cellspacing="0" width="90%">
<tr>
<td align="right" valign="top" width="60">3:01</td>
<td valign="top">Deputy Assistant Secretary for Export Enforcement Wendy Wysong offers FY2006&#8217;s enforcement statistics: 34 criminal convictions w/$3 million in criminal fines, 104 administrative cases w/$13.1 million in administrative penalties and 180 warning letters. That includes both export and antiboycott cases. [See the BIS FOIA site for full details of many of these.]</td>
</tr>
<tr>
<td align="right" valign="top">3:13</td>
<td valign="top">Antiboycott slice of the pie included 9 administrative settlements totaling $80,000 plus 3 warning letters, which is more than last year (but still seems quite limited).</td>
</tr>
<tr>
<td align="right" valign="top">3:18</td>
<td valign="top">Prohibited boycott requests from Kuwait, Yemen, and Iraq increased from 2005. Most requests originating in Iraq are from the Iraqi Government.</td>
</tr>
<tr>
<td align="right" valign="top">3:25</td>
<td valign="top">BIS completed 242 pre-license checks (23 unfavorable) and 700 post-shipment verifications (145 unfavorable) in FY2006. Based in part on these checks, BIS will soon be publishing additional names to the Unverified List.</td>
</tr>
<tr>
<td align="right" valign="top">3:26</td>
<td valign="top">Wysong makes the case for voluntary self-disclosure: it&#8217;s a mitigating factor of great weight, BIS gives at least a 50% discount off the maximum fine as credit and acknowledges the exporter&#8217;s cooperation. There are signs that her pitch may be working. The number of VSDs has increased from 78 in FY04 to 148 the following year and 157 in FY05. Only 7 of the resolved cases from the past three years have resulted in fines of any size.</td>
</tr>
</table>
<hr />
<h3>Update  Day 2: INTERNATIONAL PERSPECTIVES ON EXPORT CONTROLS</h3>
<table border="0" cellpadding="5" cellspacing="0" width="90%">
<tr>
<td align="right" valign="top" width="60">1:13</td>
<td valign="top">Berge says Sweden didn&#8217;t have an export control law until 1986 (which was coincidentally the last act signed by the prime minister of the day before he was assassinated)</td>
</tr>
<tr>
<td align="right" valign="top">1:27</td>
<td valign="top">As is the situation in most countries other than the US, the Canadian EICB controls both dual-use and military goods. A one-stop shop. However, Canada&#8217;s export control regulators do not have their own enforcement branch.</td>
</tr>
<tr>
<td align="right" valign="top">1:29</td>
<td valign="top">That&#8217;s interesting — licensing officers in Canada are organized by company rather than commodity, so they get to know exporters a bit better.</td>
</tr>
<tr>
<td align="right" valign="top">1:33</td>
<td valign="top">Canada maintains an Area Control List (ACL), a sort of sanctions list, which for now has a membership of one — Myanmar — but is about to add another — Belarus.</td>
</tr>
<tr>
<td align="right" valign="top">1:37</td>
<td valign="top">The Canadian official is heavily stressing all the similarities between the US and Canadian export control systems, perhaps not a bad strategy when attempting to stave off implementation of Commerce&#8217;s 2005 proposal to limit the export of items subject to MT controls to Canada.</td>
</tr>
<tr>
<td align="right" valign="top">1:39</td>
<td valign="top">In certain cases, the Canadians require their exporters to demonstrate US reexport authorization in order to obtain export approval from the EICB.</td>
</tr>
<tr>
<td align="right" valign="top">1:50</td>
<td valign="top">Q: How does Canada treat Cuba and Iran?<br />
A: We mention the US controls in our guide and administer some of our own based on the control lists, but there&#8217;s no embargo.</td>
</tr>
<tr>
<td align="right" valign="top">1:51</td>
<td valign="top">Q: What are the most significant differences between US and  Canadian export control systems?<br />
A: Reexports and deemed exports are not  restricted by Canada.</td>
</tr>
<tr>
<td align="right" valign="top">1:54</td>
<td valign="top">Q: Do Canadian companies require licenses to reexport US origin  items back to the US?<br />
A: Few exports from Canada to the US need a license.</td>
</tr>
<tr>
<td align="right" valign="top">1:56</td>
<td valign="top">Q: How does Canada feel about potentially losing the MT piece of  the Canadian exemption?<br />
A: We want to keep it and hope US industry advocates for that position.</td>
</tr>
</table>
<hr />
<h3>Update  Day 2: A SYSTEMATIC APPROACH TO CLASSIFICATION</h3>
<table border="0" cellpadding="5" cellspacing="0" width="90%">
<tr>
<td align="right" valign="top" width="60">10:18</td>
<td valign="top">Gene Christiansen, the longtime and more than a little grandfatherly BIS engineer, may well be the only guy who can tell a joke with the punchline &#8220;EAR99&#8221; and actually get a laugh.</td>
</tr>
<tr>
<td align="right" valign="top">10:22</td>
<td valign="top">The first of what I expect will be more than a few helpful tips from Christiansen — classification isn&#8217;t just about finding a spot for your product on the Commerce Control List. Don&#8217;t exclude the other possibilities — specifically, that the item is publicly available or that it is not subject to BIS jurisdiction (i.e. it&#8217;s on the US Munitions List rather than the CCL).</td>
</tr>
<tr>
<td align="right" valign="top">10:29</td>
<td valign="top">If you take a published textbook, extract from it and modify it in some way, the resulting text is not necessarily publicly available. According to Christiansen, even just highlighting the pertinent piece could be construed as a modification which removes something from public availability.</td>
</tr>
<tr>
<td align="right" valign="top">10:37</td>
<td valign="top">Denzil Tice of DDTC: Commodity jurisdiction determination is the first step in trade compliance. It&#8217;s also an ongoing effort, since the ITAR captures not just items designed for a military use, but items modified or adapted for one.</td>
</tr>
<tr>
<td align="right" valign="top">10:43</td>
<td valign="top">Only about 300 CJs issued by State each year.</td>
</tr>
<tr>
<td align="right" valign="top">10:54</td>
<td valign="top">CJ Tips: Remember that you&#8217;re writing for two audiences. First, the non-technical reviewers and second the technical people. Be up front and limit the background and flag-waving. Do your research. Don&#8217;t assume State understands the item up for CJ. Fully explain any government funding, including what type. MilSpec/MilStd does not necessarily mean subject to the ITAR, but you should explain fully. If your marketing materials or website indicate a predominantly military application, explain why that differs from your CJ request.</td>
</tr>
<tr>
<td align="right" valign="top">11:24</td>
<td valign="top">Q: Can you elaborate on MilStd? If an item is designed to a military standard, but for a commercial application, is it still under the EAR?<br />
A: Yes. There are military specifications for chocolate chips and dog cookies. That doesn&#8217;t mean they&#8217;re subject to the ITAR.</td>
</tr>
<tr>
<td align="right" valign="top">11:30</td>
<td valign="top">Q: How long does it take to process a CJ?<br />
A: About 160 days right now. Items are getting more complex even though we&#8217;re not seeing a huge increase in numbers of requests.</td>
</tr>
</table>
<hr />
<h3>Update  Day 2: FOREIGN POLICY CONTROLS AND SANCTIONS</h3>
<table border="0" cellpadding="5" cellspacing="0" width="90%">
<tr>
<td align="right" valign="top" width="60">8:53</td>
<td valign="top">BIS plans a policy of denial for Cuba for medical equipment intended for medical tourism there or in support of Cuban-Venezuelan medical care for petroleum exchanges.</td>
</tr>
<tr>
<td align="right" valign="top">8:56</td>
<td valign="top">Cuba licensing stats — 303 applications, 175 of which were approved, 8 were denied and 119 returned without action. Also, 166 AGR notices, 163 of  which were approved and 3 were incomplete. Average processing time 30 days.</td>
</tr>
<tr>
<td align="right" valign="top">8:58</td>
<td valign="top">Iraq licensing stats — 112 applications, 76 approved, 36 RWA&#8217;d, 0 denied. Average processing time 29 days. Armored passenger vehicles, personal protective equipment and crime control items are the main exports, mostly to US forces and Iraqi Government.</td>
</tr>
<tr>
<td align="right" valign="top">9:06</td>
<td valign="top">Libya stats — 303 applications, 259 approved, 1  denied, 43 RWA&#8217;d. Avg processing time 35 days.</td>
</tr>
<tr>
<td align="right" valign="top">9:09</td>
<td valign="top">North Korea stats — 9 applications, 1 approved, 1 denied, 7 RWA&#8217;d (all of the RWA&#8217;s were related). 14 day average processing time.</td>
</tr>
<tr>
<td align="right" valign="top">9:13</td>
<td valign="top">Syria — 249 applications, 169 of which were approved (no denial/RWA breakdown provided). Computer hardware, software, electronic equipment are among the items frequently denied. Average processing time 28 days.</td>
</tr>
<tr>
<td align="right" valign="top">9:19</td>
<td valign="top">Sudan — both OFAC and BIS have jurisdiction, submit applications to both simultaneously. Stats — approved 17 licenses, avg. processing time 22 days (no application figure provided). Telecom, computers and software among the items authorized.</td>
</tr>
</table>
<hr />
<h3>Update  Day 1: DEEMED EXPORT</h3>
<p>Once again courtesy Doug Jacobson of <a href="http://www.tradelawnews.com/" target="_blank">International Trade Law News</a>, here is a write-up of today&#8217;s deemed export breakout:</p>
<p>—<strong>Congress  authorized an increased budget for deemed export compliance activities, </strong>which  resulted in an increase in BIS deemed export staff from three to six.</p>
<p>—<strong>BIS  received 840 deemed export applications in FY 2006. </strong>BIS approved most applications received and less than 1% were denied. Almost 60% of the deemed export licenses received were for PRC foreign nationals, followed by India (13%), Iran (7%), Russia and Germany (2% each) and UK (1%).</p>
<p>—<strong>While some applications languish, most deemed export licenses are processed in 40 days</strong> (down from 70+ days a few years ago).</p>
<p>—<strong>Technology  that is publicly available is classified as EAR99 and is not subject to  licensing requirement in most cases</strong> (exceptions are Cuban-born nationals or prohibited uses). Take a look at the Q&amp;As on BIS website regarding &#8220;use&#8221; technology issues.  [Editor’s Note:  Publicly available technology is not really classified as EAR99 and it is exportable to Cuba and Cuban nationals without a license.  –JB]</p>
<p>—In the May 31, 2006 FR notice,<strong> BIS reaffirmed existing policy with respect to third-country nationals. </strong>The existing policy is based on most recent established citizenship or permanent residence. U.S. citizens, green card holders, are not subject to deemed export licensing requirements.</p>
<p>—<strong>Scope  of &#8220;fundamental research&#8221; also remains unchanged. </strong>Fundamental research exclusion based on technology that is ordinarily shared with scientific community. May be instances where preexisting controlled technology may be used and therefore deemed export requirements may come into play. Certain controlled fundamental research that is protected (placing a box around the research or technology), may be subject to the EAR. See the BIS advisory opinion on patents on research.</p>
<p>—<strong>Deemed  Export Advisory Committee (DEAC). </strong>Purpose of the DEAC is to base policy on collaboration with affected communities.  DEAC met for first time last Thursday. Program is only chartered for one year and is expected to make its recommendation by next Fall. Will meet several times over the next few months to get various perspectives and comments. Meeting will be published in FR in advance.</p>
<hr />
<h3>Update  Day 1: CENSUS FOREIGN TRADE STATISTICS REGULATIONS</h3>
<table border="0" cellpadding="5" cellspacing="0" width="90%">
<tr>
<td align="right" valign="top" width="60">3:53</td>
<td valign="top">FTD ombudsman Jerome Greenwell takes over.</td>
</tr>
<tr>
<td align="right" valign="top">4:01</td>
<td valign="top">There were 1.1 million shipments in AES in July alone, representing 97% of the total.</td>
</tr>
<tr>
<td align="right" valign="top">4:04</td>
<td valign="top">Census beginning an audit project starting January. They will concentrate on companies which are non-compliant Option 4 filers, those reporting late, and those with numerous unresolved fatal errors.</td>
</tr>
<tr>
<td align="right" valign="top">4:09</td>
<td valign="top">Census will give USPPIs one year of past AES data upon request for free (older than that there&#8217;s a fee), which could be a useful audit tool. (Of course, you should be keeping copies of everything you submit to Census in the first place.)</td>
</tr>
<tr>
<td align="right" valign="top">4:14</td>
<td valign="top">AES Fatal Error = No ITN = No Export, capish?</td>
</tr>
<tr>
<td align="right" valign="top">4:17</td>
<td valign="top">Don&#8217;t forget AES proof of filing citation. See FTSR Letter 168 for  more.</td>
</tr>
<tr>
<td align="right" valign="top">4:29</td>
<td valign="top">Census benchmark for AES compliance is 95 percent. Be below that for 3 consecutive months and you should expect to get a phone call (or worse).</td>
</tr>
<tr>
<td align="right" valign="top">4:38</td>
<td valign="top">Q: Can something be done about the slow ITN response on Fridays? A:  Yes, try another day.</td>
</tr>
<tr>
<td align="right" valign="top">4:41</td>
<td valign="top">Q: What&#8217;s are the proportions of filings by USPPI or agent? A:  60-65% by agent, the balance by USPPI.</td>
</tr>
<tr>
<td align="right" valign="top">4:42</td>
<td valign="top">Q: Who gets fatal error reports? A: Always goes to filer, not  necessarily USPPI.</td>
</tr>
<tr>
<td align="right" valign="top">4:51</td>
<td valign="top">Q: What happens after your third voluntary disclosure within a  year? A: You get penalized</td>
</tr>
<tr>
<td align="right" valign="top">4:52</td>
<td valign="top">Q: Will post-departure filing go away? A: Don&#8217;t know</td>
</tr>
<tr>
<td align="right" valign="top">4:55</td>
<td valign="top">Q: How do I confirm that no forwarders are using my EIN without authorization? A: Request records from Census.  Hope to automate this.</td>
</tr>
<tr>
<td align="right" valign="top">5:03</td>
<td valign="top">Q: Will AES be ready for HTS revision in 2007? A: Yes.</td>
</tr>
<tr>
<td align="right" valign="top">5:05</td>
<td valign="top">Q: Our Miami-based forwarders won&#8217;t provide bills of lading or  airway bills? A: Tell us who they are, we&#8217;ll give them a call.</td>
</tr>
</table>
<hr />
<h3>Update  Day 2: OFAC</h3>
<p>Doug  Jacobson of <a href="http://www.tradelawnews.com/" target="_blank">International Trade Law News</a> reports from today&#8217;s OFAC breakout  session:</p>
<p>Dennis Wood, OFAC&#8217;s Assistant Director for Compliance, Outreach and Implementation, opened the program by providing some interesting quotes from the Bible, the U.K. Government and others on compliance-related issues.</p>
<p>—He  also noted that OFAC has authority to &#8220;visit&#8221; companies and that such  outreach activities will continue.</p>
<p>—Dennis mentioned the ABN AMRO enforcement case which led to the imposition of an $80 million penalty on the bank. In that case OFAC partnered with a number of other regulatory agencies to impose a multitude of penalties. He predicts that future fines will be increased as a result of inter-agency efforts to address compliance failures.</p>
<p>—After donning an OFAC jacket, Dennis turned the podium over to Hans Huber, a member of OFAC&#8217;s compliance and outreach division.</p>
<p>—OFAC jurisdiction is broad and applies to U.S. citizens and permanent resident aliens located anywhere in the world or any individual physically located in the U.S., such as a Chinese national located in the U.S. With respect to companies, the issue of foreign subsidiaries is often the most problematic. Such decisions are made on a case-by-case basis, but OFAC could always take action against the U.S. parent if the subsidiary is beyond the reach of U.S. jurisdiction.</p>
<p>—Next, Hans discussed the comprehensive sanctions on Cuba, Iran and Sudan. Hans noted that his PowerPoint slide discussing comprehensive sanctions sent someone to jail as a result of an indirect export to Iran. When OFAC conducted a search of the target company, they found a copy of Hans&#8217; presentation which noted that Iran was a prohibited destination.</p>
<p>—Next, Susan Hutner of OFAC&#8217;s licensing division was introduced. She started by talking about Sudan, which changed dramatically on Friday. The Darfur Peace and Accountability Act restricts the President from lifting current sanctions and restricts OFAC from implementing certain sanctions on Southern Sudan. The new executive order issued by President Bush reimposed sanctions on the Government of Sudan. It also prohibits all transactions by U.S. persons relating to Sudan&#8217;s petroleum or petrochemical industries, including, but not limited to, oilfield services and oil or gas pipelines. The problematic issue is that transshipments through Northern Sudan are still restricted, which further complicates transactions. Continue to watch OFAC&#8217;s website for more information.</p>
<p>—Regarding the Palestinian Authority (PA), there are a number of general licenses that authorize certain transactions with the PA. Sanctions are not territorial, but apply to transactions with the PA (the government of West Bank and Gaza).</p>
<p>— Allison Cooper, Chief of OFAC&#8217;s investigation unit, discussed some compliance-related horror stories that led to enforcement actions. The common theme in each of them will be a systemic breakdown in compliance. She also discussed some red flags, such as making sure that Iranian flag vessels are not involved in the shipment. She noted that most of the issues arose as a result of the payment for goods. Many of the enforcement actions also relate to subsidiaries of U.S. companies.</p>
<p>—Regarding penalties and consequences, Hans noted that the proposed penalty is going to be the statutory maximum or the value of the goods.  OFAC will take into account aggravating and mitigating factors.</p>
<p>—Regarding effective compliance strategies, the foundation to compliance is to screen the parties to the transaction. If you have a screening hit, the exporter has to do the necessary due diligence to determine if the hit is the intended target or not. For example, Hans noted that Cuba City, Wisconsin is not a prohibited destination.</p>
<p><em>— Scott Gearity</em>, <a href="http://www.exportcontrolblog.com/" target="_blank">www.exportcontrolblog.com</a></p>
]]></content:encoded>
			<wfw:commentRss>http://learnexportcompliance.bluekeyblogs.com/2006/10/17/report-from-commerce-update-conference-2006/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>BIS Spring Cleaning</title>
		<link>http://learnexportcompliance.bluekeyblogs.com/2005/04/29/bis-spring-cleaning/</link>
		<comments>http://learnexportcompliance.bluekeyblogs.com/2005/04/29/bis-spring-cleaning/#comments</comments>
		<pubDate>Fri, 29 Apr 2005 22:07:45 +0000</pubDate>
		<dc:creator>Scott Gearity</dc:creator>
				<category><![CDATA[BIS]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[USA Regulations]]></category>

		<guid isPermaLink="false">http://learnexportcompliance.com/news-staging/2005/04/29/bis-spring-cleaning/</guid>
		<description><![CDATA[April 29 saw the publication of a sort of spring cleaning regulation from BIS in the form of updated contacts and minor administrative corrections.  Think of it as the bureaucratic equivalent of a good scrubbing and a new coat of paint. Among the office number changes and snappy turns of a phrase like &#8220;this rule [...]]]></description>
			<content:encoded><![CDATA[<p>April 29 saw the publication of a sort of <a href="http://a257.g.akamaitech.net/7/257/2422/01jan20051800/edocket.access.gpo.gov/2005/05-8535.htm" target="_blank">spring cleaning regulation</a> from BIS in the form of updated contacts and minor administrative corrections.  Think of it as the bureaucratic equivalent of a good scrubbing and a new coat of paint.</p>
<p>Among the office number changes and snappy turns of a phrase like &#8220;this rule corrects a citation error in Sec. 762.1(a)(4) by revising the reference to Sec. 734.2(b)(7) to read Sec.  736.2(b)(7),&#8221; there is a mention of the office Commerce continues to insist on calling the &#8220;ENC Encryption Request Coordinator.&#8221; Elsewhere in the rule BIS refers to this mysterious place as &#8220;that organization.&#8221;</p>
<p>Now, you know, I know, and the American people know that the National Security Agency exists.  It&#8217;s not a secret any more.  They have a <a href="http://www.nsa.gov/" target="_blank">website</a>.  Nor is it classified that NSA plays a vital role in formulating US export controls on encryption.  Former BIS undersecretary Bill Reinsch <a href="http://www.bis.doc.gov/News/Archive98/updbills.htm" target="_blank">noted it</a> all the way back in 1998.  Brian Nilsson <a href="http://tac.bis.doc.gov/2001/061201rpminP.htm" target="_blank">mentioned</a> discussions with NSA at a Regulations and Procedures Technical Advisory Committee (RPTAC) meeting in 2001.  Peter Lichtenbaum <a href="http://tac.bis.doc.gov/2004/072104ISTACminP.htm" target="_blank">thanked</a> Norm Lacroix for working with them just last year.  In December, BIS even spilled the beans by pointing out in the <a href="http://a257.g.akamaitech.net/7/257/2422/06jun20041800/edocket.access.gpo.gov/2004/04-26992.htm" target="_blank">last encryption reg</a> that the ENC Encryption Request Coordinator has a @nsa.gov email address.  So what&#8217;s with the pseudonym?</p>
<p>Not mentioned by BIS is that NSA is no longer accepting documents via fax.  Their old number (301) 688-8183 is no longer in service and no one seems to be distributing the new one.</p>
]]></content:encoded>
			<wfw:commentRss>http://learnexportcompliance.bluekeyblogs.com/2005/04/29/bis-spring-cleaning/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Guide to New US Encryption Export Regulations</title>
		<link>http://learnexportcompliance.bluekeyblogs.com/2002/06/27/guide-to-new-us-encryption-export-regulations/</link>
		<comments>http://learnexportcompliance.bluekeyblogs.com/2002/06/27/guide-to-new-us-encryption-export-regulations/#comments</comments>
		<pubDate>Fri, 28 Jun 2002 02:56:38 +0000</pubDate>
		<dc:creator>Guest Author</dc:creator>
				<category><![CDATA[EAR]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Information Technology]]></category>
		<category><![CDATA[USA Regulations]]></category>

		<guid isPermaLink="false">http://learnexportcompliance.com/news-staging/2002/06/27/guide-to-new-us-encryption-export-regulations/</guid>
		<description><![CDATA[(Editor’s Note:  Even companies who do not manufacture encryption products may find themselves exporting software or hardware that employs encryption.  Special thanks to Felice, a leading expert on crypto controls, for her clear overview of the new crypto rules. ) INTRODUCTION US rules on the export of encryption technology have been changing on the average [...]]]></description>
			<content:encoded><![CDATA[<p>(<em>Editor’s Note:</em> Even companies who do not manufacture encryption products may find themselves exporting software or hardware that employs encryption. Special thanks to Felice, a leading expert on crypto controls, for her clear overview of the new crypto rules.)</p>
<h4>INTRODUCTION</h4>
<p>US rules on the export of encryption technology have been changing on average every 8 months, beginning in December of 1996. The only constant has been that the rules have been overwhelmingly confusing and ambiguous. The latest go-round of changes happened on June 6, 2002. (Please note that the export regulations governing the export of encryption technology consist of general rules and myriad exceptions to these rules. Therefore, the following should be viewed as an overview and your particular situation should be analyzed with reference to the actual regulation. Such exotica as source code, beta-test software, open cryptographic application programming interfaces, etc., are beyond the scope of this article.)</p>
<h4>LEGAL AUTHORITY</h4>
<p>The US has the legal authority to control the export of encryption technology under the Export Administration Act. The regulations that implement this law are called the Export Administration Regulations (“EAR”). You can view the regs on-line at http://www.bis.doc.gov. If you are primarily interested in crypto exports you will want to look at section 740.17. This section will reference other sections, but the bulk of the specific rules regarding encryption will be here.</p>
<h4>PLAYERS</h4>
<p>The Bureau of Export Administration (BIS) is the primary agency you need to deal with if you want to get export approval for your encryption products. However, the National Security Agency is heavily involved in the process, so you will often need to deal with them.</p>
<h4>CLASSIFYING YOUR ENCRYPTION PRODUCTS</h4>
<h6>ECCNs 5A992, 5D992 and 5E992</h6>
<p>Certain products that use encryption technology for limited functions fall under 5A992 (hardware) or 5D992 (software). These products are generally of the following nature:</p>
<p>&#8211;Authentication</p>
<p>&#8211;Access Control Systems</p>
<p>&#8211;Digital Signature</p>
<p>&#8211;Some Smart Cards</p>
<p>&#8211;Some cell phones and components</p>
<p>Other products also fall within these two ECCNs, namely:</p>
<p>&#8211;Products that use 56-bit DES or comparable algorithm and key exchange under 512</p>
<p>&#8211;Products that use 64-bit symmetric algorithms for data confidentiality and are “mass market”</p>
<p>&#8211;Products that use symmetric algorithms of any key length for data confidentiality and are “mass-market.”</p>
<h6>ECCNs 5A002, 5B002, 5D002</h6>
<p>If your product uses encryption and is not covered by the above-mentioned categories, then it is likely caught by 5A002 (hardware), 5B002 (test and production equipment) and 5D002 (software). Technology to make items covered by 5A002, 5B002 or 5D002 is covered by 5E002. Products covered by these ECCNs may be exported in many cases using License Exception ENC. Exports not allowed under ENC need an individual license or Encryption Licensing Arrangement.</p>
<h4>EXPORTING ITEMS CLASSIFIED AS 5A992, 5D992 or 5E992</h4>
<p>If you make a product that uses encryption (regardless of key length) for limited functions like user authentication, access control, digital signature, or banking you can “self-classify” and ship under No License Required (NLR).</p>
<p>For products using symmetric algorithms with 64-bit key lengths or less or asymmetric algorithms of 512 bits or less, a simple notification to BIS and NSA is all that is needed to be able to ship under NLR.</p>
<p>If you think you qualify for the exemption for strong crypto “mass market” products, you must file a “review request” to see if BIS agrees with you. The definition of mass market is taken from the Cryptography Note of the regulations:</p>
<p>a. Generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of the following:</p>
<p>1. Over-the-counter transactions;</p>
<p>2. Mail order transactions;</p>
<p>3. Electronic transactions; or</p>
<p>4. Telephone call transactions;</p>
<p>b. The cryptographic functionality cannot be easily changed by the user; and</p>
<p>c. Designed for installation by the user without further substantial support by the supplier.</p>
<p>BIS and NSA have stated that they are going to be “strict” when considering requests to classify strong encryption products as “mass market.” Specifically, they want proof that the product is sold in a computer store like CompUSA.</p>
<p>For all software, hardware and technology controlled by 5A992, 5D992 and 5E992 you can export to all countries except the terrorist countries, to all end-users except the bad guys under NLR and no reporting is required.</p>
<h4>EXPORTING ITEMS CLASSIFIED AS 5A002, 5B002, 5D002 and 5E002</h4>
<p>License Exception ENC is the authority that allows you to export most encryption products covered by ECCNs 5A002, 5B002, 5D002 and 5E002. However, before you can use this license exception, you usually need to submit a Commodity Classification request to the BIS/NSA. (If your shipments are confined to subsidiaries of US companies you don’t have to go through this step.) You also have to keep records of who you ship to because you need to report to BIS and NSA who you ship to every six months. You can export products to any end-user under ENC in the following countries immediately upon filing a Commodity Classification Request.</p>
<p>Austria, Australia, Belgium, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan, Luxembourg, Netherlands, New Zealand, Norway, Poland, Portugal, Spain, Sweden, Switzerland, United Kingdom</p>
<p>If your product uses strong encryption but you want to sell outside these countries, you need to wait 30 days before shipping and you cannot ship to “government end-users” unless your product qualifies as a “retail” product. If it qualifies as a “retail product” it can go to any end-user in any country other than the bad countries under ENC. If it is not a “retail product” it can only go to non-government end-users under ENC. You will be informed when your Commodity Classification is complete if your product qualifies as retail.</p>
<h5>Retail vs. Non-Retail</h5>
<p>The concept of “retail” is similar to the concept of “mass-market” discussed previously. “Retail” products are generally available to the public by being</p>
<p>(1) sold through retail outlets,</p>
<p>(2) specially designed for individual consumer use, OR</p>
<p>(3) which are or will be sold in large volume without restrictions through mail order, electronic or telephone sales.</p>
<p>However, these “retail” products CANNOT:</p>
<p>(a) allow the cryptographic functionality to be easily changed by the user,</p>
<p>(b) require substantial support to install and use,</p>
<p>(c) be modified or customized for the customer, and</p>
<p>(d) be designed to be used as network infrastructure products.</p>
<p>Examples of “retail” products are general purpose operating systems that don’t qualify as “mass-market”, chips designed for retail products, low end routers, firewalls and VPNs designed for the SOHO market, desktop applications that do not qualify as “mass-market”, low end servers and application specific servers, network and security management products designed for low end computers and products which contain short range wireless encryption software/components.</p>
<h4>RECORDKEEPING</h4>
<p>You need to keep records of whom you provide encryption products (i.e., controlled under ECCNs 5A002, 5B002, 5D002 or 5E002) to under license exception ENC. You need to do this because you will need to send a report to the Bureau of Industry and Security and the National Security Agency twice a year. (See Reporting section below.)</p>
<h4>REPORTING</h4>
<p>You are required to send in reports to the BIS and the NSA that contain information on who you ship to, and what kind of technical review the product has undergone. This is only necessary for products that are shipped under license exception ENC. Reports are required for shipments under ENC, EXCEPT in the following instances:</p>
<p>1. You are shipping to a subsidiary of a U.S. company</p>
<p>2. You are shipping to a US bank or financial institution or anyone that does business with them.</p>
<p>3. You are shipping weak crypto products (e.g., under 64-bits).</p>
<p>4. You are shipping a “retail” product to an individual consumer.</p>
<p>5. You are making the software available via free or anonymous download.</p>
<p>6. You are shipping single processor computers, laptops and hand-held devices that are pre-loaded or bundled with encryption software.</p>
<p>The reports are due according to the following schedule:</p>
<p>&#8211;For shipments made between January 1st and June 30th, the report is due on August 1st.</p>
<p>&#8211;For shipments made between July 1st and December 31st, the report is due on February 1st.</p>
<p>You need to prepare the report in an electronic format and send it via e-mail, or load it onto disk and send it to the mailing addresses below:</p>
<p>e-mail addresses:</p>
<p>crypt@bis.doc.gov</p>
<p>enc@ncsc.mil</p>
<p>OR</p>
<p>mailing addresses:</p>
<p>Bureau of Industry and Security</p>
<p>US Department of Commerce</p>
<p>Office of Strategic Trade and Foreign Policy Controls</p>
<p>14th Street and Pennsylvania Avenues</p>
<p>Room 2705</p>
<p>Washington, D.C. 20230</p>
<p>Attn: Encryption Reports</p>
<p>ENC Encryption Request Coordinator</p>
<p>9800 Savage Road</p>
<p>Suite 6131</p>
<p>Ft. Meade, MD 20755-6000</p>
<p>The report should identify:</p>
<p>&#8211;Company name and address,</p>
<p>&#8211;Contact person and contact information,</p>
<p>&#8211;Reporting period</p>
<p>&#8211;And for each product the report should include:</p>
<p>&#8211;Product name and license or CCATS number for the product</p>
<p>&#8211;Ship-to parties’ names and addresses, and the quantities and dates of shipment for each</p>
<p><em>by Felice Laird, <a href="http://exportstrategies.com/" target="_blank">Export Strategies</a></em></p>
]]></content:encoded>
			<wfw:commentRss>http://learnexportcompliance.bluekeyblogs.com/2002/06/27/guide-to-new-us-encryption-export-regulations/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

