At an ABA Export Controls and Sanctions Committee Brown Bag lunch on May 6, 2010, Assistant Secretary for Export Administration, Bureau of Industry and Security (BIS), Department of Commerce, Kevin Wolf introduced the subject of export control reform and Director of the Information Technology Controls Division, BIS, Randy Pratt outlined three significant changes to US export control regulations coming soon. We describe below the encryption regulation changes that will be coming soon:
1) A new regulation on "publicly available" encryption software and technology: On September 11, 2009, BIS published an advisory opinion (see here) that clarified that a company would not be in violation of the Export Administration Regulations (EAR) if it were to post software containing encryption functionality on the web for free download and that software, unbeknownst to the company, were downloaded in an embargoed country. This proposed regulation will go one step further by removing encryption software and technology that are “publicly available” as defined in the Export Administration Regulations (EAR) from being subject to the EAR altogether. This change should also make “publicly available” encryption software and technology meet the “informational materials” exception to the Office of Foreign Assets Control's (OFAC) asset control regulations, thereby hopefully clarifying this issue under both BIS and most OFAC regulations.
2) A Decontrol of Items Meeting the “Ancillary Cryptography” exception: Currently hardware and software in which the encryption is “ancillary” do not need to undergo a one-time review by BIS and the National Security Agency (NSA), and are not subject to the semi-annual export reporting requirements. However, unless the hardware and software separately meet the “mass market” criteria, they remain controlled under 5A002 or 5D002, license exception ENC unrestricted.
At the Wassenaar Arrangement meeting in December 2009, the Wassenaar members agreed on a new note 4 to decontrol from encryption controls altogether items meeting the “ancillary cryptography” criteria. A new regulation (to be combined with the new review procedures regulation discussed in 3 below) will add this Wassenaar Note as note 4 (below the mass market note) to Category 5, part 2, of the Commerce Control List.
As a result of this development, ancillary cryptography items will be classified as EAR99, not 5A992 or 5D992. If someone has had their item classified as 5X002 ancillary by BIS, he will have three options to update this classification once the new regulation is effective:
- he can self-classify the items as EAR99, if he is sure that the item meets “ancillary cryptography” criteria;
- he can email the Information Technology Controls Division, referencing the prior classification determination (with the CCATS number) and request information written confirmation that the item meets “ancillary cryptography;” or
- he can file a formal classification request, which does not have to be filed with NSA as well as BIS.
3) Streamlined review and reporting requirements: On March 11, 2010, President Obama announced that the Administration was working to replace the current review-and-wait process for encryption items with a more efficient one-time notification notification-and-ship process which may eliminate up to 85 percent of all the technical reviews of these products (about 2,800). Ms. Pratt described the new regulation that will implement President Obama's decision.
In the current regulations, there are two baskets of reviewed items: (1) a basket containing encryption items that are restricted for export even after review to government end-users in many countries — under 15 CFR 740.17(b)(2) (license exception ENC restricted); and (2) a basket containing encryption items that are not restricted for export after review and can be exported pursuant to license exception ENC to all but embargoed countries, prohibited end-users and prohibited end-uses — under 15 CFR 740.17(b)(3) (license exception ENC unrestricted).
The new rules remove most of the 740.17(b)(3) items — with two important exceptions — into a new 740.17(b)(1) category (license exception ENC unrestricted) where no prior review is required provided the company making the self-classification does two things:
- it registers with BIS, providing basic information such as name and address, but not the sort of detailed information contained in, for example, an ITAR registration; and
- annually it informs BIS of the products it has self-classified in license exception ENC unrestricted (b)(1) including the model number, the kind of equipment (e.g. modem, network storage) and the self-classification ECCNs.
Companies that will register with BIS will have an “R” number . Non-manufacturing exporters can register.
Some items will still require a one-time review by BIS and NSA , however, namely:
- all items that fall under 15 CFR 740.17(b)(2) (license exception ENC restricted);
- encryption parts and components; and
- items using non-standard encryption.
Semi-annual reporting will continue to be required for these items, but will not be required for (b)(1) items. It is anticipated that most mass market items will fall in the (b)(1) self-classification category and can be self- classified by registered exporters as 5X992.
These last two changes (ancillary cryptography and the new review procedures) will be published in a single regulation as an interim final rule soon (hopefully within the next month or two).
In response to a question, Ms. Pratt stated that there is also a plan to decontrol 5E002 technology after a 30 day one - time review so that it can be exported outside the EU and other major US allies via license exception ENC unrestricted.
Many of the questions from the group centered around the definition of “ancillary cryptography” and how to determine when the primary focus of an item is computing (or communication or information security) such that the cryptography no longer meets the “ancillary” cryptography standard. To qualify as “ancillary cryptography” under the EAR the items must not be “primarily useful for computing (including the operation of “digital computers”), communications, networking (includes operation, administration, management and provisioning) or “information security”. Ms. Pratt stressed that the ancillary cryptography test was necessarily administered on a case by case basis, but indicated that two examples provided by the audience likely qualified as “ancillary”:
a) A security system uses encryption to protect the information signaled from various outposts, but it all hooks into encryption contained in a controller which could at least theoretically be used for computing purposes . Because the controller is running a security system, although it is a computer, in its role in the system, the encryption is still ancillary to the main purpose — providing security; and
b) Equipment in an aircraft that can connect to the internet or that can permit communications. Ms. Pratt indicated that where the items would ordinarily fall under a different entry on the Commerce Control List (here category 9 for aircraft parts and components) it is typically easier to claim that the encryption is ancillary.
Ms. Pratt also pointed out that after the new note 4 re ancillary cryptography is published, it will be possible to get a formal opinion from BIS simply by filing a standard classification request (no additional NSA filing will be required).