Last year BIS, in an “interim rule,” amended the rules governing the export and reexport of encryption items in the EAR. The revisions were more form than substance in that the majority of the changes focused on restructuring and simplifying the encryption rules, particularly License Exception ENC, which is now organized by whether a review, waiting period or reporting is required.
However, BIS eased, although only to a limited extent, the restrictions on encryption exports by removing the notification requirements for low strength encryption items, increasing the symmetric key length thresholds for exemption from the 30-day waiting period, adding to the list of countries that receive favorable treatment under License Exception ENC and adding new exclusions to the reporting and review requirements. The chart on page 6 provides a summary of License Exception ENC as revised by last year’s interim rule.
Self-Classification as 5x992 and Using License Exception ENC
Prior to analyzing whether License Exception ENC is applicable to one’s export, one should first analyze whether a self-classification exclusion applies. The following encryption items can be self-classified (i.e., without review) as 5A992, 5D992 or 5E992 and exported under the designation of No License Required (NLR): (1) items with limited cryptographic functionality¹; (2) items with key lengths not exceeding 56, 512 or 112 bits for symmetric, asymmetric and elliptic curve algorithms, respectively²; or (3) mass market items with a symmetric key length that does not exceed 64 bits³. The interim rule eliminated the notification requirements for exports classified as 5A992, 5D992 or 5E992.
Exporters may also be able to rely on another license exception rather than using License Exception ENC, such as one of the following: LVS for shipments of limited value (§ 740.3); TMP for certain temporary exports (§ 740.9); RPL for replacement parts (§ 740.10); GOV for US government use (§ 740.11); TSU for unrestricted technology and software (§ 740.13); and BAG for temporary exports used in travel (§ 740.14). Some of these license exceptions may be less restrictive than License Exception ENC (e.g., immediate authorization of an export rather than a 30-day waiting period or the avoidance of License Exception ENC’s reporting requirements).
However, if the product cannot be self-classified under one of the three criteria discussed above, the exporter may still be able to rely on one of the self-classification provisions of License Exception ENC, which are set forth in the chart on page 6. An exporter may also rely on the “internal development or production of new products” or “US subsidiaries” provisions to avoid filing a review. If none of these authorizations applies, then the exporter will have to file an encryption review request for mass market encryption or License Exception ENC and rely on the license exceptions contained in § 740.17(b) of the EAR. Under the new regulations, exports pending mass market review may no longer be exported as 5A992, 5B992 or 5D992. Rather, they must be exported as 5A002, 5B002 or 5D002 using License Exception ENC.
Modifications to Previously Reviewed Encryption Items
The interim rule moves language from the interpretation section in Part 770 of the EAR to a new note in § 740.17(b) and also into the text of § 742.15(b) in order to highlight that a new product review may be required when a change has occurred in the encryption product. These sections point out that any change made to “the cryptographic functionality (e.g., algorithms) or other technical characteristics affecting mass market eligibility (e.g., performance enhancements to provide network infrastructure services, or customizations to end-user specifications) of the originally reviewed product” will cause the modified product to be treated as a new product for the purpose of the regulations and thus will require a new review request. However, if the change involves only a name change, an update of the encryption software components (e.g., an update to a third-party encryption library) where the product is otherwise unchanged, or the subsequent bundling, patches, upgrades or releases of a product, the modified product will not require a new review.
If the only modification to a previously reviewed product is a key length increase, then a new review is not required. Key length increases require the exporter only to file (prior to exporting the product) a notification of the key length increase, a certification that no other change to the encryption functionality was made and the CCATS number for the originally reviewed product. However, key length increases to items not previously reviewed but exported under another exclusion (e.g., a mass market item with 64 bits or less symmetric encryption) may require a review request if the increase exceeds a certain key length threshold (e.g., symmetric encryption increased from 64 to 128 bits).
New Regulations in Practice – Ancillary Cryptography
BIS added a new exclusion from the review requirement for items performing ancillary cryptography. The exclusion, which was apparently intended to reduce the volume of requests, has broad appeal to exporters but has created some uncertainty in its application.
Ancillary cryptography is the use of cryptography by items that are “not primarily useful for” computing, communications, networking or information security. Examples of items that perform ancillary cryptography include commodities and software that are “specially designed and limited to”: piracy and theft prevention for software and music; video games; household utilities and appliances; printing, reproduction, imaging and video recording; business process modeling and automation; industrial manufacturing or mechanical systems; and automotive, aviation and other transportation systems.
Exporters may self-classify items they deem to perform ancillary cryptography. However, whether a product performs ancillary cryptography is not always clear. For example, an industrial computer specially designed for industrial manufacturing systems may also be used in other areas not explicitly identified in the regulations, such as power distribution or the control of wastewater systems. The qualifier “specially designed and limited to” creates uncertainty as to whether an industrial computer must be limited to use only in an industrial manufacturing system or whether it may be used in other industrial applications. Moreover, the regulations neither establish whether the list of examples of ancillary cryptography items is exhaustive nor provide any guidance as to what other types of items perform ancillary cryptography.
In order to achieve certainty, many manufacturers and exporters have decided to forgo self-classification and file encryption reviews that formally request BIS to determine whether the ancillary cryptography exclusion applies to their product. Other manufacturers have ignored the ancillary cryptography exclusion altogether, finding it easier to submit a traditional mass market review request.
Despite the October 3, 2008 revisions’ improvements with respect to the structure and readability of the encryption regulations, the application of the rules retains its complexity.