![[Join EFF]](/Icons/home/joineff.gif){kind=icon}
![[Act Now]](/Icons/home/actnow.gif){kind=icon}
![[Sign Up]](/Icons/home/signup.gif){kind=icon}
![[About EFF]](/Icons/home/abouteff.gif){kind=icon}
January 10,
2000 Billing Code: 3510
33-P
DEPARTMENT OF COMMERCE
Bureau of Export Administration
15 CFR Parts 734, 740, 742, 770, 772, and 774
[Docket No. ]
RIN: 0694-AC11
Revisions to Encryption Items
AGENCY: Bureau of Export Administration, Commerce
ACTION: Interim final; request for comments.
SUMMARY: This rule amends the Export Administration Regulations (EAR) to allow the export and reexport of any encryption commodity or software to individuals, commercial firms, and other non-government end-users in all destinations. It also allows exports and reexports of retail encryption commodities and software to all end-users in all destinations. Post-export reporting requirements are streamlined, and changes are made to reflect amendments to the Wassenaar Arrangement. This rule implements the encryption policy announced by the White House on September 16 and will simplify U.S. encryption export rules. Restrictions on terrorist supporting states (Cuba, Iran, Iraq, Libya, North Korea, Sudan or Syria), their nationals and other sanctioned entities are not changed by this rule.
DATES: This rule is effective (DATE OF PUBLICATION). Comments must be received on or before [INSERT 120 DAYS FROM DATE OF PUBLICATION].
ADDRESSES: Written comments on this rule should be sent to Frank J. Ruggiero, Regulatory Policy Division, Bureau of Export Administration, Department of Commerce, P.O. Box 273, Washington, DC 20044. Express mail address: Frank J. Ruggiero, Regulatory Policy Division, Bureau of Export Administration, Department of Commerce, 14th Street and Pennsylvania Ave, N.W., Room 2705, Washington, DC 20230.
FOR FURTHER INFORMATION CONTACT: James A. Lewis, Director, Office of Strategic Trade, at (202) 482-0092.
SUPPLEMENTARY INFORMATION:
BACKGROUND:
On September 16, 1999, the U.S. announced a new approach to its encryption export control policy. This approach rests on three principles: a technical review of encryption products in advance of sale, a streamlined post-export reporting system and a process that permits the government to review exports of strong encryption to foreign governments. The full range of national interests continue to be served by this new policy: supporting law enforcement and national security, protecting privacy and promoting electronic commerce. Encryption export controls will be simplified and U.S. companies will have new opportunities to sell their products in the global marketplace.
This regulation also implements changes for encryption items made by the Wassenaar Arrangement, including: conversion of Category 5- Part 2 (Information Security) of the Commerce Control List (CCL) to a positive list; creation of a Cryptography Note and removal of encryption software from the General Software Note; decontrol of 64-bit mass market software and commodities, including components; and decontrol of certain 512-bit key management products.
The EAR is amended as follows:
1. In §734.2, Important EAR Terms and Principles, unrestricted encryption source code under §740.13 (e), commercial encryption source code under §740.17(a)(5)(i) and retail products under §740.17(a)(3) are exempted from Internet download screening requirements in §734.2 (b)(9)(iii). A revised screening mechanism for other encryption products exported to government end-users is added. Please note that §734.2(b)(9) contains the relevant definitions for the export of encryption source code and object code software. In addition, cross-referencing changes are made to §§734.7, 734.8, and 734.9.
2. In §740.13, Technology and Software Unrestricted, changes are made to reflect amendments to the Wassenaar Arrangement. Specifically, encryption software is no longer eligible for mass market treatment under the General Software Note. Encryption commodities and software are now eligible for mass market treatment under the new Cryptography Note in Category 5 - Part 2 of the CCL. This Note multilaterally decontrols mass market encryption commodities and software up to and including 64-bits. Such products, after review and classification by BXA, are classified under Export Commodity Control Numbers (ECCNs) 5A992 or 5D992, thereby releasing them from "EI" (Encryption Items) and "NS" (National Security) controls, and making them eligible for export and reexport to all destinations (see §742.15(b)(1)(iii) of the EAR). Once mass market encryption software and commodities are released from "EI" controls they may be eligible for de minimis and publicly available treatment (see part 734 of the EAR).
3. Also in §740.13, to, in part, take into account the "open source" approach to software development, unrestricted encryption source code not subject to an express agreement for the payment of a licensing fee or royalty for commercial production or sale of any product developed using the source code can, without review, be released from "EI" controls and exported and reexported under License Exception TSU. Intellectual property protection (e.g., copyright, patent, or trademark) would not, by itself, be construed as an express agreement for the payment of a licensing fee or royalty for commercial production or sale of any product developed using the source code. To qualify, exporters must notify BXA of the Internet location (e.g., URL or Internet address) or provide a copy of the source code by the time of export. These notifications are only required for the initial export; there are no notification requirements for end-users subsequently using the source code. Notification can be made by e-mail to crypt@bxa.doc.gov.
Review and classification are not required for foreign made products using this source code. Moreover, under §744.9, exporters of unrestricted encryption source code are not restrained from providing technical assistance to foreign persons working with such source code. In addition, exporters of source code are not subject to Internet download screening requirements under §734.2(b)(9)(iii). Posting of the source code on the Internet (e.g., FTP or World Wide Web site), where it may be downloaded by anyone, would not establish "knowledge" (as that term is defined in the EAR) of a prohibited export or reexport. Such posting would not trigger "red flags" necessitating the affirmative duty to inquire under the "Know Your Customer" guidance provided in Supplement No. 3 to Part 732. Otherwise, compliance with EAR requirements as to prohibited exports and reexports still apply.
4. In §740.17, Encryption Commodities and Software, language is added to implement the Administration's new policy. License Exception ENC (Encryption Commodities and Software) is revised as follows:
a. Encryption items under ECCNs 5A002, 5D002 or 5E002 can be
exported and
reexported to foreign subsidiaries of U.S. companies, including the
transfer of encryption
technology to their foreign employees in the U.S., without technical review
and classification.
Any items developed by the U.S. company for sale or retransfer outside the
U.S. company are
subject to review and classification by BXA. Foreign companies with
subsidiaries in the U.S. can
apply for Encryption Licensing Arrangements (ELAs) to obtain treatment
equivalent to that
extended to foreign subsidiaries of U.S. parent companies.
b. A new paragraph, entitled "Encryption commodities and
software," is created to
implement the broad authorization for encryption exports contained in the
September 16
announcement. Under this paragraph, any encryption commodity, software or
components of any
key length classified under ECCNs 5A002 and 5D002 can be exported and
reexported to
individuals, commercial firms and other non-government end-users. Previous
sector-specific
liberalizations for banks and financial institutions, health and medical
end-users and on-line
merchants are subsumed into this new paragraph. Previous restrictions
limiting exports to foreign
commercial firms for internal company proprietary use are removed. In
addition, foreign products
developed from encryption components, while subject to the EAR, do not
require review and
classification prior to reexport. Exports and reexports to government
end-users require a license.
c. A new paragraph entitled "Retail encryption commodities and software" is created. Retail encryption commodities and software under ECCNs 5A002 and 5D002 are those which are widely available and can be exported and reexported to any end-user (including any Internet and telecommunications service provider), to provide products and services (e.g., e commerce, client-server applications, or software subscriptions) to any end-user. The criteria to determine eligibility as a retail product include functionality, sales volume, distribution methods, ability to modify products and requirements for substantial support by the supplier. Substantial support for retail encryption commodities and software would mean a service contract or other significant vendor support beyond what is minimally necessary for the product's operation. Help desk calls are not considered substantial support. Refer to §740.17(a)(3) of the EAR for a detailed definition of retail encryption commodities and software (which may include components as well as encryption source code) and an illustrative, yet non-restrictive, list of such products. Finance specific, 56-bit non-mass market products with a key exchange greater than 512 bits and up to 1024 bits, network-based applications and other products which are functionally equivalent to retail products are considered retail products.
Encryption software patches for retail products remain eligible under License Exception TSU and certain upgrades for retail products, where the cryptographic functionality has not changed, are authorized under License Exception ENC. Also, foreign products developed from retail encryption components, while subject to the EAR, require no technical review or license authorization prior to reexport; however, post-export reporting requirements exist. Retail encryption products are not subject to Internet download screening requirements listed in §734.2(b)(9)(iii); however, all other general prohibitions, such as those for the seven terrorist-supporting countries, apply.
d. A new paragraph is added to License Exception ENC entitled "Telecommunications and Internet service providers." Telecommunications and Internet service providers can obtain and use any encryption product under this license exception to provide encryption services, including public key infrastructure services for the general public; however, provision of services specific to governments (e.g., running a virtual private network for a government agency), will require a license.
e. A paragraph entitled "Commercial encryption source code and general purpose encryption toolkits" is added. You may export and reexport general purpose encryption toolkits and encryption source code, not released under §740.13, classified under ECCN 5D002, subject to the following provisions:
(1) Commercial encryption source code which would be
considered publicly
available under §734.3 and which is subject to an express agreement
for the payment of a licensing
fee or royalty for commercial production or sale of any product developed
using the source code,
can be exported or reexported to any end-user. This source code, which
includes some
"community" source code, may be exported or reexported without review and
classification,
provided you have submitted to BXA, by the time of export, written
notification of the Internet
location (e.g., URL or Internet address) or a copy of the source code.
These notifications are only
required for the initial export; there are no notification requirements for
end-users subsequently
utilizing the source code. The notification can be sent via e-mail to
crypt@bxa.doc.gov.
(2) Encryption source code which would not be considered
publicly
available may be exported or reexported to any non-government end-user
after review and
classification by BXA.
(3) General purpose encryption toolkits may be exported and reexported after review and classification by BXA to any non-government end-user.
Note to this paragraph: Neither review and classification nor reexport
licensing
requirements are required under this section for foreign finished products
using U.S.-origin source
code, toolkits and components; yet the foreign finished products remain
subject to the EAR. Post
export reporting for foreign products developed for commercial sale with
source code and general
purpose encryption toolkits exported under this paragraph is limited to the
name and address of the
foreign manufacturer and certain non-proprietary technical information
about the foreign product.
Exporters should always be aware of the General Prohibitions identified in
part 736 of the EAR
(e.g., prohibited exports and reexports to Denied Persons and embargoed
destinations).
f. Grandfathering and Upgrades in Key Length: Encryption
commodities and
software previously approved under a license, or eligible for License
Exception ENC, excluding
items previously approved only to U.S. subsidiaries, can be exported and
reexported to non
government end-users without additional review and classification.
Previously classified financial
specific or certain 56-bit products are eligible for export and reexport to
any end-users without an
additional classification. All previously classified products can be
upgraded provided the only
change is in the key length used for confidentiality and key exchange.
Exporters must, prior to
export of an upgraded product, certify in a letter from a corporate
official the only change is the key
length for confidentiality or key exchange algorithms and there is no other
change in cryptographic
functionality.
g. Exporters may export any product to any non-government end-user 30 days after receipt by BXA of a complete classification request, unless otherwise notified by BXA. No exports to government end-users are allowed under this provision and BXA reserves the right to suspend eligibility in those instances where requested additional information has not been provided or when the classification review is not proceeding in an appropriate fashion.
h. Reporting requirements under License Exception ENC are eliminated for many encryption items. Remaining reporting requirements are streamlined to reflect business models normally used by exporters. Note that reporting requirements for exports and reexports of encryption components can be adjusted or reduced, on a case-by-case basis, provided an exporter supplies BXA with sufficient information during the initial technical review of the U.S. encryption component concerning its incorporation into a final foreign product. Examples include those components restricted by their design for use in certain types of products. BXA will notify exporters of such treatment in its classification determination. All required notifications, upgrade certifications and reports should be sent electronically or mailed to the addresses cited in this regulation.
Note to this paragraph: Post-export reporting is required for certain exports to foreign banks and financial institutions.
5. In part 740, Supplement No. 3 is removed. Supplement No. 3 previously listed countries eligible to receive certain encryption products; such products are now eligible for export and reexport to all destinations.
6. In §742.15, the licensing policy section for exports and reexports of encryption items is changed as follows:
a. Review and classification are required by BXA before certain encryption items can be released from "EI" and "NS" controls under ECCNs 5A992, 5D992 and 5E992. These items include: 64-bit mass market encryption commodities and software; certain encryption items up to and including 56-bits; and asymmetric key exchange algorithms not exceeding 512 bits or an elliptic curve at 112 bits. Encryption items under these ECCNs do not require a license or license exception and may be exported and reexported as "NLR" (No License Required).
b. Upgrades: 40 and 56-bit DES or equivalent mass market commodities and software previously classified as eligible for License Exception ENC or TSU may be upgraded to 64-bits for the confidentiality algorithm. Exporters must, prior to export of an upgraded product, certify to BXA in a letter from a corporate official that the only change is the key length for confidentiality or key exchange algorithms and there is no other change in cryptographic functionality. Note that other mass market encryption commodities and software previously exported under License Exception ENC or TSU are now classified as either 5A992 or 5D992 and eligible for "NLR" treatment. Encryption items under 5A992, 5D992 and 5E992 are not subject to Internet download screening requirements listed in §734.2(b)(9)(iii).
c. The licensing policies for exports and reexports of encryption items for banks and financial institutions, health and medical end-users, and on-line merchants, as well as U.S. subsidiaries, are subsumed into a new licensing policy paragraph for all encryption items under ECCNs 5A002, 5D002 or 5E002 eligible for License Exception ENC. For U.S. subsidiaries, any encryption item (including technology classified under 5E002 to foreign employees located in the U.S.) is permitted for export or reexport under License Exception ENC without review and classification. Also, any encryption item, including components, under ECCNs 5A002 or 5D002 can be exported and reexported to non-government end-users in all destinations. Retail products under 5A002 or 5D002 can be exported and reexported to all end-users.
d. Licenses required for exports and reexports of encryption items to governments, or Internet and telecommunications service providers for the provision of services specific to governments, may be considered favorably for civil uses.
e. Under Encryption Licensing Arrangements (ELAs), distributors and resellers can export and reexport under ELAs as long as they comply with restrictions contained in the ELA.
7. In §770.2, Commodity interpretations, a new interpretation for "Encryption commodity and software reviews" is added. This interpretation clarifies which encryption items require a review and what a review entails.
8. In part 772, Definition of terms, definitions for the following terms are added: Asymmetric Algorithm, Encryption Component, Government End-User, Open Cryptographic Interface and Symmetric Algorithm.
9. In part 774, the Commerce Control List, ECCNs 5A002 and 5D002 are revised to reflect changes in the Wassenaar Arrangement, and the Cryptography Note is added as Note 3 to Category 5 - Part 2.
In addition to these changes, BXA is making the following clarifications and interpretations for all encryption items subject to the EAR.
1. The review and classification process is used to classify encryption items for their proper licensing mechanism and not to delay or deny a proposed transaction. Once a classification request is received, the item's specifications are reviewed and processed in accordance with §748.3 of the EAR to determine its classification. Once completed, exporters will receive a document by mail informing them of the product's technical classification and proper licensing mechanism. The EAR also provides an appeal process for exporters unsatisfied with BXA's product classification (see §756.2 of the EAR).
2. It is BXA's intent to allow end-users of encryption items to provide their customers with encryption products and services. However, exports to Internet and telecommunications service providers are subject to restrictions when providing services specific to government end users.
3. It was not the intent of the new Wassenaar language for ECCN 5A002 to be more restrictive concerning Message Authentication Codes (MAC). "Data authentication equipment that calculates a Message Authentication Code (MAC) or similar result to ensure no alteration of text has taken place, or to authenticate users, but does not allow for encryption of data, text or other media other than that needed for the authentication" continues to be excluded from control under 5A002. These commodities are controlled under ECCN 5A992.
4. Note that §740.8, Key Management Infrastructure (KMI),
authorizes the export and
reexport of certain encryption software and commodities under License
Exception KMI and will
continue as an eligible licensing mechanism for encryption products.
5. A number of companies have expressed concern that the European
Union (EU) may
implement a general authorization permitting encryption items to be
exported freely within the EU
and other specified countries. If and when the EU implements such an
authorization, the
Administration will take the necessary steps to ensure U.S. exporters are
not disadvantaged.
6. Note that Serbia and the Taliban controlled areas of Afghanistan are embargoed destinations.
7. Please refer to the BXA website at "www.bxa.doc.gov" for a
detailed explanation of
the EAR, the Commerce Control List, the licensing process and key terms
used in this regulation.
Although the Export Administration Act (EAA) expired on August 20, 1994,
the President invoked
the International Emergency Economic Powers Act and continued in effect the
EAR, and, to the
extent permitted by law, the provisions of the EAA in Executive Order 12924
of August 19, 1994,
as extended by the President's notices of August 15, 1995 (60 FR 42767),
August 14, 1996 (61
FR 42527), August 13, 1997 (62 FR 43629), August 13, 1998 (63 FR 44121),
and August 10,
1999 (64 F.R. 44101).
Rulemaking Requirements
1. This interim final rule has been determined to be significant for purposes of E.O. 12866.
2. Notwithstanding any other provision of law, no person is required to respond to, nor shall any person be subject to a penalty for failure to comply with a collection of information, subject to the requirements of the Paperwork Reduction Act (PRA), unless that collection of information displays a currently valid OMB Control Number. This rule involves collections of information subject to the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.). These collections have been approved by the Office of Management and Budget under control numbers 0694-0088, "Multi-Purpose Application" and 0694-0104, "Commercial Encryption Items Transferred from the Department of State to the Department of Commerce." The Department has submitted to OMB an emergency request for approval of the changes to the collection of information under OMB control number 0694-0104.
This interim final rule reduces the annual burden hours associated
with collection 0694
0104 from 703 hours to 692 hours, and reduces collection 0694-0088 by 200
burden hours. For
collection 0694-0104, it is estimated it will take companies 5 minutes to
complete notifications for
source code under License Exceptions TSU and ENC. It will take companies
15 minutes to
complete upgrade notifications. For reporting under License Exception ENC
and licenses for
encryption items, it will take companies 4 hours to complete semi-annual
reporting requirements.
Comments on collection 0694-0104 are welcome, and will be accepted
until [INSERT 90
DAYS FROM DATE OF PUBLICATION]. Comments are invited on: (a) whether the
collection of
information is necessary for the proper performance of the functions of the
agency, including
whether the information shall have practical utility; (b) the accuracy of
the agency's estimate of the
burden of the proposed collection of information; (c) ways to enhance the
quality, utility, and
clarity of the information to be collected; and (d) ways to minimize the
burden of the collection of
information on respondents, including through the use of automated
collection techniques or other
forms of information technology. Comments regarding these burden estimates
or any other aspect
of the collection of information, including suggestions for reducing the
burdens, should be
forward to Frank J. Ruggiero, Regulatory Policy Division, Office of
Exporter Services, Bureau of
Export Administration, Department of Commerce, P.O. Box 273, Washington,
D.C. 20044, and
David Rostker, Office of Management and Budget, OMB/OIRA, 725 17th Street,
NW,
NEOB Rm. 10202, Washington, D.C. 20503.
3. This rule does not contain policies with Federalism implications sufficient to warrant preparation of a Federalism assessment under Executive Order 13132.
4. The provisions of the Administrative Procedure Act (5 U.S.C. 553)
requiring notice of
proposed Rulemaking, the opportunity for public participation, and a delay
in effective date, are
inapplicable because this regulation involves a military and foreign
affairs function of the United
States (Sec. 5 U.S.C. 553(a)(1)). Further, no other law requires that a
notice of proposed
rulemaking and an opportunity for public comment be given for this interim
final rule. Because a
notice of proposed rulemaking and an opportunity for public comment are not
required to be given
for this rule under 5 U.S.C. or by any other law, the analytical
requirements of the Regulatory
Flexibility Act (5 U.S.C. 601 et seq. ) are not applicable.
However, because of the importance of the issues raised by this
regulation, it is issued in interim final form and comments will be
considered in the development of final regulations. Accordingly, the
Department of Commerce encourages interested persons who wish to
comment to do so at the earliest possible time to permit the fullest
consideration of their views.
The period for submission of comments will close [INSERT 120 DAYS FROM DATE OF PUBLICATION]. The Department will consider all comments received before the close of the comment period in developing final regulations. Comments received after the end of the comment period will be considered if possible, but their consideration cannot be assured. The Department will not accept public comments accompanied by a request that a part or all of the material be treated confidentially because of its business proprietary nature or for any other reason. The Department will return such comments and materials to the persons submitting the comments and will not consider them in the development of final regulations. All public comments on these regulations will be a matter of public record and will be available for public inspection and copying. In the interest of accuracy and completeness, the Department requires comments in written form. Comments should be provided with 5 copies.
Oral comments must be followed by written memoranda, which will also be a matter of public record and will be available for public review and copying.
The public record concerning these regulations will be maintained in the Bureau of Export Administration Freedom of Information Records Inspection Facility, Room 6881, Department of Commerce, 14th Street and Pennsylvania Avenue, N.W., Washington, DC 20230. Records in this facility, including written public comments and memoranda summarizing the substance of oral communications, may be inspected and copied in accordance with regulations published in Part 4 of Title 15 of the Code of Federal Regulations. Information about the inspection and copying of records at the facility may be obtained from the Bureau of Export Administration Freedom of Information Officer, at the above address or by calling (202) 482-0500.
List of Subjects
15 CFR part 734
Administrative practice and procedure, Exports, Foreign trade.
15 CFR part 740
Administrative practice and procedure, Exports, Foreign trade, Reporting
and record
keeping requirements.
15 CFR parts 742, 770, 772, and 774
Exports, Foreign Trade.
Accordingly, parts 734, 740, 742, 770, 772, and 774 of the Export Administration Regulations (15 CFR parts 730 through 799) are amended as follows:
1. The authority citation for part 734 continues to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; E.O. 12924, 59 FR 43437, 3 CFR, 1994 Comp., p. 917; E.O. 12938, 59 FR 59099, 3 CFR, 1994 Comp., p. 950; E.O. 13020, 61 FR 54079, 3 CFR, 1996 Comp. p. 219; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; Notice of November 12, 1998, 63 FR 63589, 3 CFR, 1998 Comp., p. 305; Notice of August 10, 1999, 64 FR 44101 (August 13, 1999).
2. The authority citation for part 740 continues to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; E.O. 12924, 59 FR 43437, 3 CFR, 1994 Comp., p. 917; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; Notice of August 10, 1999, 64 FR 44101 (August 13, 1999).
3. The authority citation for part 742 continues to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 18 U.S.C. 2510 et seq.; 22 U.S.C. 3201 et seq.; 42 U.S.C. 2139a; E.O. 12058, 43 FR 20947, 3 CFR, 1978 Comp., p. 179; E.O. 12851, 58 FR 33181, 3 CFR, 1993 Comp., p. 608; E.O. 12924, 59 FR 43437, 3 CFR, 1994 Comp., p. 917; E.O. 12938, 59 FR 59099, 3 CFR, 1994 Comp., p. 950; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; Notice of November 12, 1998, 63 FR 63589, 3 CFR, 1998 Comp., p. 305; Notice of August 10, 1999, 64 FR 44101 (August 13, 1999).
4. The authority citation for part 770 continues to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; E.O. 12924, 59 FR 43437, 3 CFR, 1994 Comp., p. 917; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; Notice of August 10, 1999, 64 FR 44101 (August 13, 1999).
5. The authority citation for part 772 continues to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; E.O. 12924, 59 FR 43437, 3 CFR, 1994 Comp., p. 917; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; Notice of August 10, 1999, 64 FR 44101 (August 13, 1999).
6. The authority citation for part 774 continues to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 10 U.S.C. 7420; 10 U.S.C. 7430(e); 18 U.S.C. 2510 et seq.; 22 U.S.C. 287c, 22 U.S.C. 3201 et seq., 22 U.S.C. 6004; 30 U.S.C. 185(s), 185(u); 42 U.S.C. 2139a; 42 U.S.C. 6212; 43 U.S.C. 1354; 46 U.S.C. app. 466c; 50 U.S.C. app. 5; E.O. 12924, 59 FR 43437, 3 CFR, 1994 Comp., p. 917; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; Notice of August 10, 1999, 64 FR 44101 (August 13, 1999).
PART 734 - [AMENDED]
7. Section 734.2 is amended by revising paragraph (b)(9)(ii) and adding new paragraph (b)(9)(iii) to read as follows:
§734.2 Important EAR terms and principles
(9) * * *
(ii) The export of encryption source code and object code software controlled for "EI" reasons under ECCN 5D002 on the Commerce Control List (see Supplement No. 1 to part 774 of the EAR), except for source code eligible for export under §§740.13(e) and 740.17(a)(5)(i), includes downloading, or causing the downloading of, such software to locations (including electronic bulletin boards, Internet file transfer protocol, and World Wide Web sites) outside the U.S., or making such software available for transfer outside the United States, over wire, cable, radio, electromagnetic, photo optical, photoelectric or other comparable communications facilities accessible to persons outside the United States, including transfers from electronic bulletin boards, Internet file transfer protocol and World Wide Web sites, unless the person making the software available takes precautions adequate to prevent unauthorized transfer of such code.
(iii) Subject to the General Prohibitions described in part 736 of the EAR, such precautions for Internet transfers of products eligible for export under §§740.17 (a)(2) (encryption software products), (a)(5)(ii) (certain encryption source code) and (a)(5)(iii) (encryption toolkits) shall include such measures as:
(A) The access control system, either through automated means or human intervention, checks the address of every system outside of the U.S. or Canada requesting or receiving a transfer and verifies such systems do not have a domain name or Internet address of a foreign government end-user (e.g. ".gov," ".gouv," ".mil" or similar addresses);
(B) The access control system provides every requesting or receiving party with notice that the transfer includes or would include cryptographic software subject to export controls under the Export Administration Regulations, and anyone receiving such a transfer cannot export the software without a license or other authorization; and
(C) Every party requesting or receiving a transfer of such software must acknowledge affirmatively that the software is not intended for use by a government end- user, as defined in Part 772, and he or she understands the cryptographic software is subject to export controls under the Export Administration Regulations and anyone receiving the transfer cannot export the software without a license or other authorization. BXA will consider acknowledgments in electronic form provided they are adequate to assure legal undertakings similar to written acknowledgments.
8. Section 734.4 is amended by revising the last sentence of paragraph (b) to read as follows: "Certain encryption commodities, software and technology controlled under ECCNs 5A992, 5D992, and 5E992 may be eligible for de minimis (refer to §742.15(b)(1))."
9. Section 734.7 is amended by revising paragraph (c) to read as follows:
§734.7 Published information and software
* * * * *
(c) Notwithstanding paragraphs (a) and (b) of this section, note that
encryption software
controlled under ECCN 5D002 for "EI" reasons on the Commerce Control List
(refer to
Supplement No. 1 to part 774 of the EAR) remains subject to the EAR (refer
to §§740.13(e) and
740.17(a)(5)(i) of the EAR for release under license exception).
10. Section 734.8 is amended by revising the last sentence of
paragraph (a) to read as
follows: "Note that the provisions of this section do not apply to
encryption software controlled
under ECCN 5D002 for "EI" reasons on the Commerce Control List (refer to
§§740.13(e) and
740.17(a)(5)(i) of the EAR for release under license exception)."
11. Section 734.9 is amended by revising the last sentence of the
introductory paragraph to
read as follows: "Note that the provisions of this section do not apply to
encryption software
controlled under ECCN 5D002 for "EI" reasons on the Commerce Control List
(refer to §§740.13
(e) and 740.17(a)(5)(i) of the EAR for release under license exception)."
PART 740 - [AMENDED]
12. Section 740.8 is amended by revising the address in paragraph (b)(2) to read as follows:
Attn: KMI Encryption Request Coordinator
9800 Savage Road, Suite 6131
Fort Meade, MD 20755-6000
* * * * *
13. Section 740.13 is amended by:
a. By revising the introductory paragraph;
b. By revising paragraph (d)(2); and
c. By adding new paragraph (e) to read as follows:
§740.13 Technology and software unrestricted (TSU)
(d) * * *
(2) Software not eligible for this license exception. This license exception is not available for certain encryption software controlled under ECCN 5D002. (Refer to the Cryptography Note in Category 5 - part 2 of the Commerce Control List for information on Mass Market Encryption commodities and software. Also refer to §§742.15(b)(1) and 748.3(b) of the EAR for information on item classifications for release from "EI" controls and "NS" controls).
(e) Unrestricted encryption source code.
(1) Encryption source code controlled under 5D002, which would be
considered
publicly available under §734.3(b)(3) and which is not subject to an
express agreement for the
payment of a licensing fee or royalty for commercial production or sale of
any product developed
with the source code, is released from "EI" controls and may be exported or
reexported without
review under License Exception TSU, provided you have submitted written
notification to BXA of
the Internet location (e.g. URL or Internet address) or a copy of the
source code by the time of
export. Submit the notification to BXA and send a copy to ENC Encryption
Request Coordinator
(see §740.17(g)(5) for mailing addresses). Intellectual property
protection (e.g., copyright, patent
or trademark) will not, by itself, be construed as an express agreement for
the payment of a
licensing fee or royalty for commercial production or sale of any product
developed using the
source code.
(2) You may not knowingly export or reexport source code or
products developed
with this source code to Cuba, Iran, Iraq, Libya, North Korea, Sudan or
Syria.
(3) Posting of the source code on the Internet (e.g., FTP or World Wide Web site) where the source code may be downloaded by anyone would not establish "knowledge" of a prohibited export or reexport, including that described in paragraph (e)(2) of this section. In addition, such posting would not trigger "red flags" necessitating the affirmative duty to inquire under the "Know Your Customer" guidance provided in Supplement No. 3 to Part 732.
14. Section 740.17 is revised to read as follows:
§740.17 Encryption commodities and software (ENC).
(a) Exports and reexports of certain encryption commodities and software. As enumerated in this section, you may export and reexport encryption commodities, software and components (as defined in part 772) under License Exception ENC. License Exception ENC cannot be used if the encryption commodity or software provides an open cryptographic interface (as defined in part 772), unless the export is to a subsidiary of a U.S. company, as described in paragraph (a)(1) of this section.
(1) Encryption commodities, software, and technology for U.S. subsidiaries. You may export and reexport any encryption item of any key length under ECCNs 5A002, 5D002 and 5E002 to foreign subsidiaries of U.S. companies (as defined in part 772) without review and classification. This includes source code and technology for internal company use, such as the development of new products. U.S. firms may also transfer under License Exception ENC encryption technology (5E002) to their foreign employees in the U.S., (except nationals of Cuba, Iran, Iraq, Libya, North Korea, Sudan or Syria) for internal company use, including the development of new products. All items produced or developed by U.S. subsidiaries with encryption commodities, software and technology exported under this paragraph are subject to the EAR and require review and classification before any sale or retransfer outside of the U.S. company.
(2) Encryption commodities and software. You may export and reexport any encryption commodity, software and component after review and classification by BXA under ECCNs 5A002 and 5D002 to any individual, commercial firm or other non-government end-user. Encryption products classified under this paragraph require a license for export and reexport to government end-users (as defined in part 772). The former restriction limiting exports or reexports to internal company proprietary use is removed.
(3) Retail encryption commodities and software. You may
export and reexport to
any end-user encryption commodities, software and components which have
been reviewed and
classified as retail under ECCNs 5A002 and 5D002. Retail encryption
commodities, software and
components are products:
(i) Generally available to the public by means of any of the
following:
(A) sold in tangible form through retail outlets independent of the manufacturer;
(B) specifically designed for individual consumer use and sold or transferred through tangible or intangible means; or
(C) sold in large volume without restriction through mail order transactions, electronic transactions, or telephone call transactions; and
(ii) Meeting all of the following:
(A) the cryptographic functionality cannot be easily changed by the user;
(B) do not require substantial support for installation and use;
(C) the cryptographic functionality has not been modified or customized to customer specification; and
(D) are not network infrastructure products such as high end routers or switches designed for large volume communications.
(iii) Subject to the criteria in paragraphs (a)(3)(i) and (ii) of this section, retail encryption products include (but are not limited to) general purpose operating systems and their associated user-interface client software or general purpose operating systems with embedded networking and server capabilities; non-programmable encryption chips and chips that are constrained by design for retail products; low-end routers, firewalls and networking or cable equipment designed for small office or home use; programmable database management systems and associated application servers; low-end servers and application-specific servers (including client-server applications, e.g., Secure Socket Layer (SSL)-based applications) that interface directly with the user; and encryption products distributed without charge or through free or anonymous downloads.
(iv) Encryption products and network-based applications
which provide
functionality equivalent to other encryption products classified as retail
will be considered retail.
(v) Encryption products exported or reexported under
paragraph (a)(3) of
this section can be used to provide services to any entity.
(vi) Finance-specific encryption commodities and software of any key length restricted by design (e.g., highly field-formatted with validation procedures and not easily diverted to other end-uses) and used to secure financial communications such as electronic commerce will be considered retail encryption products.
(vii) 56-bit products with key exchange mechanisms greater than 512 bits and up to and including 1024 bits, or equivalent products not classified as mass market, will be considered retail.
(4) Internet and Telecommunications service providers.
Certain restrictions apply to
Internet and telecommunications service providers. Any Internet or
telecommunications service
provider can obtain retail products under License Exception ENC and use
them to provide any
service to any entity. Internet and telecommunications service providers
can obtain and use any
encryption product for their internal use and to provide any service under
License Exception ENC.
However, a license is required for the use of any product not classified as
retail to provide services
specific to government end-users, e.g., WAN, LAN, VPN, voice and
dedicated-link services;
application specific and e-commerce services and PKI encryption services
specifically for
government end-users only.
(5) Commercial encryption source code and general purpose
toolkits. You may
export and reexport encryption source code not released under
§740.13(e) or general purpose
toolkits (application specific toolkits are covered under components, as
defined in part 772),
subject to the following provisions:
(i) Encryption source code, which would be considered publicly available under §734.3(b)(3) and which is subject to an express agreement for the payment of a licensing fee or royalty for commercial production or sale of any product developed using the source code, can be exported or reexported using License Exception ENC to any end-user without review and classification, provided you have submitted to BXA, by the time of export, written notification of the Internet location (e.g. URL or Internet address) or a copy of the source code. You may not knowingly export or reexport source code or products developed with this source code to Cuba, Iran, Iraq, Libya, North Korea, Sudan or Syria. Posting of the source code on the Internet (e.g., FTP or World Wide Web site) where the source code may be downloaded by anyone would not establish "knowledge" of a prohibited export or reexport. In addition, such posting would not trigger "red flags" necessitating the affirmative duty to inquire under the "Know Your Customer" guidance provided in Supplement No. 3 to part 732.
(ii) Encryption source code which would neither be considered publicly available nor includes source code that when compiled provides an open cryptographic interface (see §740.17(f)), may be exported or reexported using License Exception ENC to any non government end-user after review and classification by BXA.
(iii) General purpose encryption toolkits may be exported or reexported after review and classification by BXA under License Exception ENC to any non-government end-user.
(iv) Any foreign product developed for commercial sale using encryption source code or general purpose toolkits exported under paragraph (a)(5) of this section is subject to reporting requirements under paragraph (g)(3) of this section. Foreign products developed by bundling or compiling of source code are not subject to this reporting requirement.
(b) Ineligible destinations. No encryption item(s) may be exported or reexported under this license exception to Cuba, Iran, Iraq, Libya, North Korea, Sudan or Syria.
(c) Transfers. Transfers of encryption items listed in paragraph (a) of this section to government end-users or end-uses within the same country are prohibited unless otherwise authorized by license or license exception.
(d) Exports and reexports of foreign products incorporating U.S. encryption source code, components or general purpose encryption toolkits. Foreign products developed with or incorporating U.S.-origin encryption source code, components or toolkits remain subject to the EAR, but do not require review and classification by BXA and can be exported or reexported without further authorization.
(e) Eligibility for License Exception ENC.
1) Review and classification. You may initiate review and classification of your encryption commodities and software as required by paragraph (a) of this section by submitting a classification request in accordance with the provisions of §748.3(b) and Supplement 6 to part 742 of the EAR. Indicate "License Exception ENC" in Block 9: Special purpose, on form BXA-748P. Submit the original request to BXA in accordance with §748.3 of the EAR and send a copy of the request to ENC Encryption Request Coordinator (see paragraph (g)(5) of this section for mailing addresses). Thirty days after receipt of a complete classification request by BXA, unless otherwise notified by BXA, exporters may export and reexport to any non-government end-user any encryption product eligible under paragraphs (a)(2), (a)(4) and (a)(5) of this section. No exports to government end-users are allowed under this provision, and BXA reserves the right to suspend eligibility to export while a classification is pending.
(2) Grandfathering. Finance-specific and 56-bit products previously reviewed and classified by BXA can be exported or reexported to any end-user without further review. Other encryption commodities, software or components previously approved for export can be exported and reexported without further review to any non-government end-user under the provisions of §740.17 (a). This includes products approved under a license, an Encryption Licensing Arrangement, or previously classified as eligible to use License Exception ENC (except for those products which were only authorized for export to U.S. subsidiaries). Exports to government end-users require a license unless BXA has classified the product as a "retail" product under paragraph (a)(3) of this section.
(3) Key Length Increases. Exporters can increase the key lengths of previously classified products and continue to export without another review. No other change in the cryptographic functionality is allowed.
(i) Any product previously classified as 5A002 or 5D002 can, with any upgrade to the key length used for confidentiality or key exchange algorithms, be exported or reexported under provisions of License Exception ENC to any non-government end-user without an additional review. Another classification is necessary to determine eligibility as a "retail" product under paragraph (a)(3) of this section.
(ii) Exporters must certify to BXA in a letter from a
corporate official that
the only change to the encryption product is the key length for
confidentiality or key exchange
algorithms and there is no other change in cryptographic functionality.
Certifications must include
the original authorization number issued by BXA and the date of issuance.
BXA must receive this
certification prior to any export of an upgraded product. The
certification should be sent to BXA,
with a copy sent to the ENC Encryption Request Coordinator (see paragraph
(g)(5) of this section
for mailing addresses).
(f) Open cryptographic interfaces. License Exception ENC shall
not apply to exports or
reexports of encryption commodities, software and components (unless
exported to a subsidiary of
a U.S. company under paragraph (a)(1) of this section), if the
encryption product provides an open
cryptographic interface (as defined in part 772). This does not apply to
source code that would be
considered publicly available under §734.3(b)(3).
(g) Reporting requirements.
(1) No reporting is required for exports of:
(iv) Retail products exported to individual consumers;
(v) Any export made via free or anonymous download; and
(vi) Any export made from or to a U.S. bank, financial institution or their subsidiaries, affiliates, customers or contractors for banking or financial operations.
(2) Exporters must provide all available information as follows:
(i) For items exported to a distributor or other reseller, the name and address of the distributor or reseller and the quantity exported and, if collected in the normal course of business, the end-user's name and address;
(ii) For items exported through direct sale, the name and
address of the
recipient and the quantity exported (except for retail products if the
end-user is an individual
consumer); and
(3) For direct sales or transfers of encryption components,
commercial source code
described under §740.17(a)(5) or general purpose encryption toolkits
to foreign manufacturers,
you must submit the names and addresses of the manufacturers using such
encryption
components, commercial source code or general purpose encryption toolkits
and a non-proprietary
technical description of the products for which the component, source code
or toolkit are being
used (e.g., brochures, other documentation, descriptions or other
identifiers of the final foreign
product; the algorithm and key lengths used; general programming interfaces
to the product, if
known; any standards or protocols that the foreign product adheres to; and
source code, if
available).
(4) Exporters of encryption commodities, software and components which were previously classified under License Exception ENC, or which have been licensed for export under an Encryption Licensing Arrangement, must comply with the reporting requirements of this section.
(5) Beginning [INSERT Date of Publication], you must submit reports required under this section semi-annually to BXA, unless otherwise provided in this paragraph. For exports occurring between January 1 and June 30, a report is due no later than August 1. For exports occurring between July 1 and December 31, a report is due no later than February 1. For exports and reexports to Internet and telecommunications service providers of network infrastructure products (e.g., high-end routers or switches designed for large volume communications), reports are due by the time of export. Reports must include the classification or other authorization number. These reports must be provided in electronic form to BXA; suggested file formats for electronic submission include spreadsheets, tabular text or structured text. Exporters may request other reporting arrangements with BXA to better reflect their business models. Reports should be sent electronically to crypt@bxa.doc.gov, or disks and CDs can be mailed to the following addresses:
(i) Department of Commerce
Bureau of Export Administration
Office of Strategic Trade and Foreign Policy Controls
14th Street and Pennsylvania Ave., N.W., Room 2705
Washington, D.C. 20230
Attn: Encryption Reports
(ii) A copy of the report should be sent to:
Attn: ENC Encryption Request Coordinator
9800 Savage Road, Suite 6131
Ft. Meade, MD 20755-6000
(h) Distributors and Resellers. U.S. or foreign distributors, resellers or other entities who are not original manufacturers of encryption commodities and software are permitted to use License Exception ENC only in instances where the export or reexport meets the applicable terms and conditions of §740.17.
PART 742 - [AMENDED]
15. Section 742.15 is revised to read as follows:
§742.15 ENCRYPTION ITEMS
Encryption items can be used to maintain the secrecy of information, and thereby may be used by persons abroad to harm national security, foreign policy and law enforcement interests. The U.S. has a critical interest in ensuring that important and sensitive information of the public and private sector is protected. Consistent with our international obligations as a member of the Wassenaar Arrangement, the U.S. has a responsibility to maintain control over the export of encryption items. As the President indicated in E.O. 13026 and in his Memorandum of November 15, 1996, export of encryption software, like export of encryption hardware, is controlled because of this functional capacity to encrypt information on a computer system, and not because of any informational or theoretical value that such software may reflect, contain, or represent, or that its export may convey to others abroad. For this reason, export controls on encryption software are distinguished from controls on other software regulated under the EAR.
(a) License requirements. Licenses are required for exports and reexports to all destinations, except Canada, for items controlled under ECCNs having an "EI" (for "encryption items") under the "Control(s)" paragraph. Such items include: encryption commodities controlled under ECCN 5A002; encryption software controlled under ECCN 5D002; and encryption technology controlled under ECCN 5E002. Refer to part 772 of the EAR for the definition of "encryption items".
(b) Licensing policy. The following licensing policies apply to items identified in paragraph (a) of this section. Except as otherwise noted, applications will be reviewed on a case-by-case basis by BXA, in conjunction with other agencies, to determine whether the export or reexport is consistent with U.S. national security and foreign policy interests. For subsequent bundling and updates of these items see paragraph (n) of §770.2 of the EAR.
(1) Encryption commodities, software and technology under
ECCNs 5A992,
5D992 and 5E992. Certain encryption commodities, software and
technology may, after
classification by BXA as ECCNs 5A992, 5D992 or 5E992, be released from "EI"
or "NS"
controls. Items controlled under these ECCNs are eligible for export and
reexport to all
destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan or Syria.
Refer to §748.3(b)(3)
of the EAR for additional information regarding classification requests.
The following encryption
items may be eligible for such treatment:
(i) 56-bit encryption commodities, software and
technology. Encryption
commodities, software and technology up to and including 56-bits with an
asymmetric key
exchange algorithm not exceeding 512 bits may be classified under ECCNs
5A992, 5D992 or
5E992.
(ii) Key management products. Products which only provide key management with asymmetric key exchange algorithms not exceeding 512 bits may be eligible for classification under ECCNs 5A992 or 5D992.
(iii) 64-bit mass market encryption commodities and software. (A) Mass market encryption commodities and software with key lengths not exceeding 64-bit for the symmetric algorithm may be eligible for classification by BXA under ECCNs 5A992 or 5D992. Refer to the Cryptography Note (Note 3) to part 2 of Category 5 of the CCL for a definition of mass market encryption commodities and software. Key exchange mechanisms, proprietary key exchange mechanisms, or company proprietary commodities and software implementations may also be eligible for this treatment. Refer to Supplement No. 6 to part 742 and §748.3(b)(3) of the EAR for additional information.
(B) Mass market encryption commodities and software (e.g., 40 and 56-bit DES or equivalent) previously eligible for License Exception TSU (or for hardware, ENC) may increase key lengths for the confidentiality algorithm up to 64 bits and still be exported as a mass market product without an additional review. Exporters must certify to BXA in a letter from a corporate official the only change to the encryption product is the key length for confidentiality or key exchange algorithms and there is no other change in cryptographic functionality. Certifications must include the original authorization number issued by BXA and the date of issuance. BXA must receive this certification prior to any export of upgraded products. The certification should be sent to BXA, with a copy to ENC Encryption Request Coordinator at the following addresses:
(1) Department of Commerce
Bureau of Export Administration
Office of Strategic Trade and Foreign Policy
Controls
14th Street and Pennsylvania Ave., N.W., Room 2705
Washington, D.C. 20230
(2) A copy of the report should be sent to:
Attn: ENC Encryption Request Coordinator
9800 Savage Road, Suite 6131
Ft. Meade, MD 20755-6000
(iv) For classification of these encryption items under these ECCNs, mark "NLR" in Block 9: Special purpose, on form BXA-748P, of your classification request.
(2) Encryption commodities and software eligible for classification under ECCNs 5A002, 5D002 and 5E002 and qualified for License Exception ENC. Items classified by BXA as retail products under ECCNs 5A002 and 5D002 are permitted for export and reexport to any end user. All other encryption commodities, software and components classified by BXA under ECCNs 5A002 and 5D002 may be exported to any individual, commercial firm or other non government end-user. Any encryption item (including technology classified under 5E002) will be permitted for export or reexport to U.S. subsidiaries (as defined in part 772). Products developed using U.S. encryption items are subject to the EAR. No exports are authorized to Cuba, Iran, Iraq, Libya, North Korea, Sudan or Syria.
(3) Encryption licensing. Exporters may submit applications for licenses or Encryption Licensing Arrangements for exports and reexports of encryption items not eligible for license exception, including exports and reexports of encryption technology to strategic partners of U.S. companies (as defined in part 772). For Encryption Licensing Arrangements, the applicant must specify the sales territory and class of end-user. Encryption Licensing Arrangements granted for exports of unlimited quantities for all destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan or Syria, are valid for four years, and may require reporting. Licenses are required for exports of encryption items to governments, or Internet and telecommunications service providers for the provision of services specific to governments, and may be favorably considered for civil uses, e.g., social or financial services to the public; civil justice; social insurance, pensions and retirement; taxes and communications between governments and their citizens.
16. Supplement No. 6 to part 742 is revised to read as follows:
(a) Requests for encryption items will be processed in thirty (30) days from receipt of a properly completed request.
(b) To submit a classification request for a technical review of
commodities and software,
ensure that the information provided includes brochures or other
documentation or specifications
(to include applicable cryptographic source code) related to the
technology, commodity or
software, as well as any additional information which you believe would
assist the review process.
You must provide the following information in a cover letter to the
classification request:
(1) Clearly state at the top of the page either "ENC" or "NLR" -
30 Day Technical
Review Requested;"
(2) State that you have reviewed and determined that the
commodity or software
subject to the classification request meets the criteria of this
Supplement;
(3) State the name of the commodity or software product being
submitted for
review;
(4) State how the commodity or software has been written to
preclude user
modification of the encryption algorithm, key management mechanism, and key
space;
(5) State that a duplicate copy has been sent to the ENC Encryption Request Coordinator;
(6) Provide the following information for the commodity or software product:
(i) Description of all encryption algorithms and key
lengths, e.g. source
code, and how the algorithms are used. If any combination of different
algorithms are used in the
same product, also state how each is applied to the data.
(ii) Pre-processing information of plaintext data before
encryption (e.g.
compression of the data).
(iii) Post-processing information of cipher text data after encryption (e.g. packetization of the encrypted data).
(iv) For classification requests regarding object code or Java byte code, describe what techniques (including obfuscation, private access modifiers, final classes) are used to protect against decompilation and misuse.
(v) For classification requests regarding components:
(A) Reference the application for the components if
known;
(B) State if there is a general programming interface to the component;
(C) State whether the component is constrained by function;
(D) List any standards and protocols that the component adheres to;
(E) Include a complete description of all functionalities and their accessibility; and
(F) Encryption components need to be clearly identified to include the name of the manufacturer, component model number, or other identifier.
(vi) For classification requests regarding source code:
(A) If applicable, reference the executable product
that has already
received a technical review;
(B) Include whether the source code has been modified and, if modified, provide the technical details on how the source code was modified;
(C) Include a copy of the sections of the source code that contain the encryption algorithm, key management routines, and their related calls.
PART 770 - [AMENDED]
17. Section 770.2 is amended by adding new paragraph (n) to read as follows:
§770.2 Commodity interpretations.
* * * * *
(n) Interpretation 14: Encryption commodity and software reviews.
Classification of encryption
commodities or software is required to determine eligibility for all
licensing mechanisms except
source code (see §§740.13(e) and 740.17(a)(5)(i)) and exports to
subsidiaries of U.S. firms (see
§740.17(a)(1)). Note that subsequent bundling, patches, upgrades or
releases, including name
changes, may be exported or reexported under the applicable provisions of
the EAR without
further technical review as long as the functional encryption capacity of
the originally reviewed
encryption product has not been modified or enhanced. This does not extend
to products
controlled under a different category on the CCL.
PART 772 - [AMENDED]
18. Part 772 is amended by removing the definitions for "Health and
medical end-user" and
"On-line merchant" and adding definitions for "asymmetric algorithm",
"encryption component",
"government end-user", "open cryptographic interface", and "symmetric
algorithm" in alphabetical
order, to read as follows:
PART 772 - DEFINITIONS OF TERMS
* * * * *
"Asymmetric algorithm". (Cat 5, part II) A cryptographic algorithm using different, mathematically-related keys for encryption and decryption. A common use of "asymmetric algorithms" is key management.
* * * * *
"Symmetric algorithm". (Cat 5, part II) A cryptographic algorithm using an identical key for both encryption and decryption. A common use of "symmetric algorithms" is confidentiality of data.
* * * * *
PART 774 - [AMENDED]
19. In Supplement No. 1 to part 774, Category 5 - Telecommunications and Information Security is amended:
a. By revising the "Notes" that immediately follow the heading for "Information Security";
b. By revising ECCNs 5A002; and
c. By revising the Licensing Requirements section of ECCN 5D002 to read as follows:
CATEGORY 5 - TELECOMMUNICATIONS AND "INFORMATION SECURITY"
* * * * *
Part II - "Information Security"
Note 1: The control status of "information security" equipment, "software", systems, application specific "electronic assemblies", modules, integrated circuits, components, or functions is determined in Category 5, part 2 even if they are components or "electronic assemblies" of other equipment.
Note 2: Category 5 - part 2 encryption products, when accompanying their user for the user's personal use, are eligible for License Exceptions TMP or BAG.
Note 3: Cryptography Note: ECCNs 5A002 and 5D002 do not control items that meet all of the following:
a. Generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of the following:
1. Over-the-counter transactions;
2. Mail order transactions;
3. Electronic transactions; or
4. Telephone call transactions;
b. The cryptographic functionality cannot be easily changed by the user;
c. Designed for installation by the user without further substantial support by the supplier;
d. Does not contain a "symmetric algorithm" employing a key length exceeding 64-bits; and
e. When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter's country in order to ascertain compliance with conditions described in paragraphs (a) through (d) of this note. See §742.15(b)(1) of the EAR.
* * * * *
5A002 Systems, equipment, application specific "electronic assemblies", modules and integrated circuits for "information security", and other specially designed components therefor.
* * * * *
List of Items Controlled
Unit: $ value
Technical Note: Parity bits are not included in the key length.
a. Systems, equipment, application specific "electronic assemblies", modules and integrated circuits for "information security", and other specially designed components therefor:
a.1. Designed or modified to use "cryptography" employing digital techniques performing any cryptographic function other than authentication or digital signature having any of the following:
Technical Notes:
1. Authentication and digital signature functions include their associated key management function.
2. Authentication includes all aspects of access control where there is no encryption of files or text except as directly related to the protection of passwords, Personal Identification Numbers (PINs) or similar data to prevent unauthorized access.
3. "Cryptography" does not include "fixed" data compression or coding techniques.
Note: 5A002.a.1 includes equipment designed or modified to use "cryptography" employing analogue principles when implemented with digital techniques.
a.1.a. A "symmetric algorithm" employing a key length in excess of 56-bits; or
a.1.b. An "asymmetric algorithm" where the security of the algorithm is based on any of the following:
a.1.b.1. Factorization of integers in excess of 512 bits (e.g., RSA);
a.1.b.2. Computation of discrete logarithms in a multiplicative group of a finite field of size greater than 512 bits (e.g., Diffie-Hellman over Z/pZ); or
a.1.b.3. Discrete logarithms in a group other than mentioned in 5A002.a.1.b.2 in excess of 112 bits (e.g., Diffie-Hellman over an elliptic curve);
a.2. Designed or modified to perform crypto analytic functions;
a.3. [Reserved]
a.4. Specially designed or modified to reduce the compromising emanations of information-bearing signals beyond what is necessary for the health, safety or electromagnetic interference standards;
a.5. Designed or modified to use cryptographic techniques to generate the spreading code for "spread spectrum" or the hopping code for "frequency agility" systems;
a.6. Designed or modified to provide certified or certifiable "multilevel security" or user isolation at a level exceeding Class B2 of the Trusted Computer System Evaluation Criteria (TCSEC) or equivalent;
a.7. Communications cable systems designed or modified using mechanical, electrical or electronic means to detect surreptitious intrusion.
* * * * *
5D002 Information Security - "Software".
License Requirements
Reason for Control: NS, AT, EI
Control(s) Country Chart
NS applies to entire entry NS Column 1
AT applies to entire entry AT Column 1
EI applies to encryption items transferred from the U.S. Munitions List to the Commerce Control List consistent with E.O. 13026 of November 15, 1996 (61 FR 58767) and pursuant to the Presidential Memorandum of that date. Refer to §742.15 of the EAR.
* * * * *
20. Supplement No. 2 to part 774 (General Technology and Software Notes) is amended by revising the Note paragraph 2 (General Software Note) to read as follows:
SUPPLEMENT NO. 2 TO PART 774 - GENERAL TECHNOLOGY AND SOFTWARE NOTES
* * * * *
2. * * *
Note: The General Software Note does not apply to "software"
controlled by Category 5 -
part 2 ("Information Security"). For "software" controlled by Category 5,
part 2, see Supplement
No. 1 to part 774, Category 5, part 2, Note 3 - Cryptography Note.
* * * * *
DATED:
R. Roger Majak
Assistant Secretary
for Export Administration
Please send any questions or comments to webmaster@eff.org
