Most software that is “publicly available” – as that term is defined in the US Export Administration Regulations (“EAR”) – is not subject to the export control restrictions contained in the EAR. However, certain encryption software remains subject to the EAR even if it is publicly available.
Today, the Commerce Department’s Bureau of Industry and Security ("BIS") issued a rule liberalizing its treatment of certain publicly available encryption software in object code and simplifying the export regulations affecting this type of software. Effective today, companies exporting the object code of certain publicly available software with encryption functionality will be subject to the same “publicly available” rule as software without such functionality.
In 1996, most encryption software was transferred from the US Munitions List and controls under the International Traffic in Arms Regulations to the Commerce Control List and control under the EAR. Since that time, however, various encryption software has been excluded from the “publicly available” treatment available to all other types of software. The scope of this exclusion has been narrowed over time, and until today it applied to (1) encryption software controlled for “EI” reasons under ECCN 5D002 and (2) mass market encryption software with a symmetric key length exceeding 64-bits controlled under ECCN 5D992.
Under today’s rule change, encryption source code classified under ECCN 5D002 remains subject to the EAR even if it is publicly available. However, BIS has removed the following two kinds of encryption software from the jurisdiction of the EAR:
- publicly available encryption software in object code with a symmetric key length greater than 64-bits that has been determined to be mass market software under section 742.15(b) of the EAR and has been reclassified under ECCN 5D992; and
- publicly available encryption software in object code classified under ECCN 5D002 when the corresponding source code meets the criteria specified in section 740.13(e) of the EAR.
Companies will now be able to export such software without regard to the export control restrictions in the EAR.
BIS made today's regulatory change as a result of a review of the provisions of the EAR retaining jurisdiction over "publicly available" encryption software. Based on its review, BIS determined that removing the software discussed above from the EAR's jurisdiction would have no impact on export control policy because there are no restrictions on making such software "publicly available" and, once so available, it is able to be downloaded by any user without restriction. BIS’ rationale is consistent with our experience that the controls abolished today have amounted to frustrating procedural restrictions in situations presenting no risk to US national security. This rule change is thus a good implementation of Obama Administration policy to streamline export regulation without compromising national security.