Reed Smith Client Alerts

On January 14, 2000, the U.S. Department of Commerce’s Bureau of Export Administration ("BXA") released the long-awaited revisions to the Export Administration Regulations ("EAR") which ease the export controls on encryption items. The revisions, which were first outlined in an announcement made on September 16, 1999, provide for a significant liberalization of U.S. export controls on encryption. The software industry has been critical of previous U.S. policies regarding the export of encryption items because the EAR restricted the export of relatively weak encryption that is readily available from foreign sources. As a result, U.S. companies have argued that the EAR rendered them uncompetitive in the global market for information security products and services. The new regulations represent a significant step toward improving the competitive posture of U.S. industry. The most salient changes are outlined herein.


Unrestricted Encryption Items

Perhaps most importantly, the new regulations remove certain encryption products, software, and technology from the encryption item export control restrictions under the EAR, including: (i) 56-bit encryption with an asymmetric key exchange algorithm not exceeding 512 bits; (ii) key management products with asymmetric key exchange algorithms not exceeding 512 bits; and (iii) encryption with a key length not exceeding 64 bits for the symmetric algorithm. These encryption items are still subject to a one-time review by BXA, prior to export, to determine their eligibility for release from the encryption export control restrictions. However, once reviewed and classified by BXA they will no longer require a license prior to export. Furthermore, because of their release, they will not be subject to the reporting requirements imposed on restricted encryption items under the regulations.

In addition, encryption source code that is publicly available and that is not subject to an agreement providing for licensing fees or royalties for its use is released from encryption controls and can now be exported under license exception TSU (Technology and Software – Unrestricted). Such software is not subject to a one-time review, but the exporter must provide written notification of the Internet location (i.e., URL or Internet address) where the source code is made available to the public, or otherwise provide a copy of the source code to the Department of Commerce prior to effecting an export of the code. Foreign products developed with the unrestricted source code are not subject to the EAR, and do not require a license prior to re-export.

Restricted Encryption Items

The new regulations broaden license exception ENC (Encryption Commodities and Software) and thereby obviate the need for licenses prior to export for most other encryption items. The use of the license exception is subject to a one-time technical review and classification by BXA, and is further limited in usage largely to non-governmental end-users. Also, encryption still may not be exported without a license, or under any license exception, to Cuba, Iran, Iraq, Libya, North Korea, Sudan, or Syria because of current U.S. sanctions against those nations. As a result, the applicability of license exception ENC, which was previously limited to the export of encryption for certain end-uses (e.g., encryption supporting financial and medical institutions), has been significantly increased under the revised regulations. In addition, the license exception applies to several other unique export scenarios:

    1. U.S. Subsidiaries. Encryption of any key length may now be exported to foreign subsidiaries of U.S. companies without review and classification. This includes source code and technology for internal company use. In addition, U.S. companies may transfer, under license exception ENC, encryption technology to their foreign national employees in the U.S. (except nationals of the seven sanctioned nations enumerated above) for internal company use, including for the purpose of developing new products. All items produced or developed by U.S. subsidiaries with encryption items under license exception ENC remain subject to the EAR export restrictions and require review and classification before any sale or transfer outside the company.
    2. Retail Encryption. Encryption of any key length, which is considered to be a "retail product" after a one-time review and classification, may be exported to any end-user, including foreign governments. A "retail product" is one that is generally available to the public (e.g., by means of independent retail outlets, because it is specifically designed for individual consumer use, or because it is sold in large volume without restriction through mail order, electronic transactions, or via telephone) and must meet the following criteria: (i) the cryptographic functionality cannot be easily modified; (ii) it does not require substantial support for installation and use; (iii) the cryptographic functionality has not been customized to customer specification; and (iv) it is not a network infrastructure product.
    3. Internet Service Providers. Internet service providers and telecommunications companies may use any encryption product for their internal use and to provide service to any end-user under license exception ENC. However, a license is required for the use of any non-retail product to provide services directly to foreign government end-users.
    4. Publicly Available Source Code for a Fee. Publicly available encryption source code, which is subject to an express agreement for the payment of a licensing fee or royalty, can be exported or re-exported using license exception ENC to any end-user without review and classification, provided the exporter submits written notification to BXA prior to export, as described above for publicly available source code being exported for no fee.


Grandfathering

The new regulations grandfather previously reviewed encryption items from the review requirements necessary for eligibility under license exception ENC. Finance-specific and 56-bit products previously reviewed and classified by BXA can be exported or re-exported to any end-user, including government end-users, without an additional review by BXA. Other encryption items (i.e., non-financial products and other products with encryption greater than 56 bits), that were previously approved for export, can be exported or re-exported without further review under license exception ENC to any non-governmental end-user. In addition, encryption items previously eligible for license exception TSU may be upgraded in key length up to 64 bits and still be exported as mass market products without additional review by BXA. Exporters must certify to BXA that the only change in the encryption item is the key length prior to conducting the export.


Open Cryptographic Interfaces

Encryption products with open cryptographic interfaces remain controlled, and generally are not eligible for license exception ENC. Such products, which are defined by the regulations to include "[a] mechanism which is designed to allow a customer or other party to insert cryptographic functionality without the intervention, help or assistance of the manufacturer or its agent," may be exported under license exception ENC only to U.S. subsidiaries. Otherwise, these products must be licensed on a transaction basis or under a licensing arrangement approved by BXA.


Reporting Requirements

The new regulations continue to impose extensive reporting requirements for the export of some encryption items. Exporters must provide semi-annual electronic reports to BXA, which include quantities exported and the name and address of the recipient. However, the new regulations exempt several types of exports from the reporting requirements, including: (i) exports to U.S. subsidiaries; (ii) exports of finance-specific products; (iii) exports of products with a symmetric key length not exceeding 64 bits or otherwise qualifying for mass market treatment; (iv) retail encryption to individuals; (v) exports made by free or anonymous download; and (vi) exports from or to a U.S. financial institution or its subsidiaries, affiliates, customers or contractors, in support of financial operations. In addition, the regulations provide flexibility with regard to a manufacturer’s responsibility for reporting exports by distributors, by allowing the manufacturer to only report the distributor’s name if the recipient’s name is not collected in the normal course of business. Presumably, the burden of reporting exports to the end-user would fall on the distributor if such information is not available to the manufacturer.


Analysis

The new regulations simplify and clarify previous export control requirements while simultaneously liberalizing the export control scheme to which encryption items are subject. These changes should facilitate the export of encryption products and products with encryption components by U.S. industry. Weak encryption, or encryption with a symmetric algorithm equal to or weaker than 64 bits, is now readily exportable. In addition, the new regulations significantly reduce the licensing requirements for stronger encryption. The emphasis has now shifted to the review and classification processes used by BXA for all encryption items – processes that are more commercially viable than obtaining new licenses on a transaction basis or obtaining and administering an encryption licensing arrangement.

The new regulations rely almost exclusively on review and classification, as well as reporting, to control the proliferation and export of encryption items. Exporters must continue to be ever diligent in preparing their commodity classification requests and in preparing the reports they submit to BXA. In addition, given the distinctions made by the regulations between government and non-government users, effective screening mechanisms are increasingly important to ensure export compliance even under a liberalized regulatory scheme. Furthermore, the expansion of license exception ENC does not relieve the exporter from ensuring that it does not export to any of the destinations, end-users, and end-uses otherwise proscribed by the Department of Commerce under the EAR.