On October 8, 2014, BIS announced that it had issued a penalty of $750,000 against Wind River Systems, a subsidiary of Intel, for the unlawful exportation of encryption software products to foreign government end-users and to organizations on the BIS Entity List. This penalty is widely believed to be the first issued by BIS for the exportation of encryption software when the violation was voluntarily disclosed. This case should raise red flags for software companies, as it suggests that BIS may be beginning to prioritize enforcement of 5D002 encryption software exports.
The case arose when Wind River Systems submitted a Voluntary Self-Disclosure (VSD) disclosing that it had made four exports to parties in China listed on the BIS Entity List between 2008 and 2011. Furthermore, Wind River Systems disclosed 51 unauthorized exports of software classified under 5D002 to end users in China, Hong Kong, Russia, Israel, South Africa, and South Korea.
Why are these exports in violation of the EAR?
Answering this question requires looking at the restrictions that the EAR places on exports of encryption software. Generally, all software with a threshold level of encryption capabilities is classified under 5D992 or 5D002. 5D992 captures many household-name brands, which are often classified under 5D992.c as “mass market encryption software.” For example, the following popular products are classified under 5D992 by their producers:
- Mac OS X operating systems
- Microsoft Office
Software controlled under 5D992 is controlled for AT (Anti-Terrorism) reasons only, which essentially allows it to be exported anywhere except North Korea, Sudan, Syria, Iran, or Cuba.
Software controlled under 5D002 is a different story. In addition to being controlled for AT, 5D002 is also controlled for EI (Encryption Item) and NS (National Security), which are much more stringent controls. The result is that exports of 5D002 require a license to all destinations except Canada.
While the Wind River Systems case demonstrates the dangers of exporting such software to the wrong destinations or entities, there is another key threat to U.S. companies hidden in the details – transfers of source code to foreign nationals in the U.S. Many companies employ foreign nationals in information technology positions involving computer programming or server and data management. These foreign nationals have a high likelihood of accessing U.S.-origin software or source code falling under the controls of 5D002 (not to mention other controlled U.S.-origin technology located on company servers).
Luckily, the EAR provides a very expansive license exception for U.S. companies transferring encryption source code to foreign nationals in the U.S. or exporting encryption software abroad. License exception ENC (Encryption commodities, software, and technology), in certain instances, authorizes exports of software classified under 5D002 without submitting a classification request, registering the commodity, or meeting any reporting requirements. This exception applies to 5D002 software when the software is for internal “development” or “production” of new products and the end-user is a “private sector end-user.” License exception ENC also allows exports and re-exports of 5D002 software to U.S. subsidiaries, or to foreign nationals who are employees, contractors, or interns of a U.S. company or its subsidiaries. Again, the software must be for internal company use.
So where did Wind River Systems go wrong?
Although we have not been told much about the facts of this case, the BIS press release states that the end-users were based in China, Hong Kong, Russia, Israel, South Africa, and South Korea. Since 5D002 is controlled for EI and NS, a license would have been required to export to any of these destinations, unless the exports qualified for license exception ENC. However, the BIS press release also tells us that many of the end-users were foreign governments or entities listed on the BIS Entity List. The principal benefits of license exception ENC described above apply only to exports to “private sector end-user(s)” and certainly do not apply to entities listed on the BIS Entity List. Thus, the Wind River Systems export of 5D002 software to foreign government end-users and entities listed on the BIS Entity List is probably what resulted in the penalty.
The Wind River Systems case offers exporters a lesson on exporting 5D002 software, but it should also be viewed in the broader context of regulations and oversight over encryption technology. Edward Snowden’s revelations on cooperation between the NSA and U.S. tech companies have resulted in backlash from consumers, U.S. citizens, and foreign governments. Tech companies, such as Apple and Google, are now granting consumers access to encryption functions that will place greater protections on their personal data. Government agencies such as the FBI are forcefully lobbying both private industry and Congress to ensure the government has some access to data stored on people’s computers or phones. Viewed in this context, the Wind River Systems case offers an ominous picture of the future of export enforcement on encryption software and technology.