Communications Litigation Today was a service of Warren Communications News.

BIS Removes Certain Publicly Available Encryption Software from EAR Jurisdiction

January 7, 2011 by Marie Rapport|Top News

The Bureau of Industry and Security has issued a final rule, effective January 7, 2011, which removes certain publicly available mass market encryption software and certain other specified publicly available encryption software in object code from the jurisdiction of the Export Administration Regulations. BIS also comments on the issue of public availability, “knowledge”, and “red flags.”

BIS states that this final rule will result in the simplification of the regulatory provisions for publicly available mass market software and publicly available specified encryption software in object code, and will have no effect on export control policy1. BIS adds that this final rule does not result in the decontrol of source code classified under Export Control Classification Number (ECCN) 5D002.

Certain Mass Market Encryption Software Removed from EAR Control

BIS is removing from the jurisdiction of the EAR publicly available encryption software in object code with a symmetric key length greater than 64-bits that has been determined to be mass market software either by BIS review or exporter self-classification2 and has been reclassified from ECCN 5D002 to ECCN 5D992.3

As a result, BIS is amending the EAR to provide that, once the encryption registration is submitted in accordance with 15 CFR 742.15(b)(7), and the encryption software is properly classified as "mass market" under the relevant requirements of section 742.15(b), if the software is then made "publicly available," it is not subject to the EAR.

BIS states that software authorized for export and reexport under 15 CFR 742.15(b)(1) pursuant to encryption registration and self-classification must still be included in the exporter’s annual self-classification report for the calendar year during which it was self-classified as "mass market" software.

Certain Other Specified Publicly Available Encryption Software Removed from EAR Control

BIS is also removing from the jurisdiction of the EAR publicly available encryption software in object code classified under ECCN 5D002, when the corresponding source code meets the criteria specified under License Exception TSU4.

BIS Comments on “Knowledge” and “Red Flags”

During its review in preparation for this final rule, BIS noted the EAR currently provide that making certain encryption software "publicly available" by posting it on the Internet where it may be downloaded by anyone does not establish "knowledge" of a prohibited export or reexport. Additionally, such activity also does not trigger any "red flags" that impose an affirmative duty to inquire under the "Know Your Customer" guidance provided in the EAR.

Therefore, a person or company does not violate the EAR if it posts "mass market" encryption software on the Internet for free and anonymous download (i.e., makes it "publicly available"), and the software is downloaded by an anonymous person from anywhere in the world. In addition, if the person or company "publishes" mass market encryption software by another means, the person or company does not violate the EAR.

1BIS has determined that because there are no regulatory restrictions on making such software "publicly available," and because, once it is "publicly available," by definition it is available for download by any end user without restriction, removing it from the jurisdiction of the EAR will have no effect on export control policy.

2Such a mass market classification determination can be made either by a BIS review under 15 CFR 742.15(b)(3) or for software that does not require review by a self-classification by the exporter under 15 CFR 742.15(b)(1).

3ECCN 5D992 software is controlled for anti-terrorism reasons, and requires a license for export to Iran, Cuba, Syria, Sudan and North Korea.

4 License Exception TSU (technology and software-unrestricted) at15 CFR 740.13(e)(1) authorizes the export and reexport of encryption object code if both the object code and the source code from which it is compiled would be considered publicly available under 15 CFR 734.3(b)(3), were they not classified under ECCN 5D002. 15 CFR 740.13(e)(3) requires that the source code or the location of the source code be notified before becoming eligible for License Exception TSU. As with the publicly available mass market encryption software, such object code may be exported to any destination, via anonymous download, without violating the EAR.

BIS contact (general) - Sharron Cook (202) 482-2440

BIS contact (technical) -- Information Technology Division (202) 482-0707

(D/N 100108014-0121-01, FR Pub 01/07/11)