The Commerce Department’s Bureau of Industry and Security (BIS) recently implemented a rule change that liberalizes the export of some publicly available mass market encryption software. Under the Export Administration Regulations (EAR), most publicly available software is not subject to export restrictions, but encryption software has been an exception to this rule. With implementation of this rule change, the BIS has recognized that applying EAR restrictions to publicly available software does not bolster export control policy; it only adds administrative delay to software that is already publicly available.

Background

Publicly available software is not subject to the export restrictions of the EAR. Certain publicly available encryption software has, however, remained subject to the jurisdiction of the EAR since the mid-1990s, when commercial items incorporating encryption functionality were transferred from the U.S. Munitions List and controls under the International Traffic in Arms Regulations (ITAR) to the Commerce Control List and the EAR. At that time, far less encryption software was publicly available than is available today. The increase in publicly available encryption software has caused the BIS to review the provisions of the EAR that retained jurisdiction over these products.

Results of Review

The BIS determined that there are no regulatory restrictions on making certain encryption software “publicly available.” Once encryption software is publicly available, it is by definition available for download by any end-user without restriction. Its removal from the jurisdiction of the EAR has no effect on export control policy; rather, it helps simplify some of the regulatory provisions in the EAR.

That being said, only specific types of encryption software will no longer be subject to the EAR export restrictions. The two types of encryption software specified in the rule change are: “mass market” encryption software with a symmetric key length greater than 64 bits; and encryption software in object code classified under Export Control Classification Number 5D002 when the corresponding source code meets the criteria specified under License Exception TSU (Technology and Software, Unrestricted). The applicability of certain terms such as “Publicly Available” and “Mass Market,” which are defined in the EAR, will determine whether a company’s encryption software should be regulated by the EAR. In some instances, companies must also comply with certain filing requirements prior to making encryption software publicly available.

In its rule change, the BIS noted that encryption software is now included in the EAR rule stating that software made “publicly available” on the internet, where it may be downloaded by anyone, does not establish knowledge for an exporter of a prohibited export or reexport. Also, making certain encryption software publicly available does not trigger any “red flags” that impose an affirmative duty to inquire under the “Know Your Customer” guidance provided in the EAR (see 67 FR 38855, 38857, June 6, 2002). A company, therefore, no longer violates the EAR by posting mass market encryption software to the internet for free where it can be anonymously downloaded by any person from anywhere in the world.