A set of proposed revisions to US export control regulations would remove certain export control obligations for US companies transferring or storing data, technology, or software with cloud and application service providers, but would create a new “end-to-end encryption” requirement for such situations.
As part of the US Government’s Export Control Reform Initiative, the Department of Commerce’s Bureau of Industry and Security (BIS) and the Department of State’s Directorate of Defense Trade Controls (DDTC) released proposed rules on June 3 revising important definitions in the Export Administration Regulations (EAR) and the International Traffic in Arms Regulations (ITAR).
The primary objectives of the proposed rules are to reduce “unnecessary regulatory burdens” and to provide “structural harmonization” for certain definitions between the EAR and the ITAR. Although the proposed revisions generally do not increase or decrease the scope of the regulations, one proposed change would have both a regulatory and commercial impact on the transfer and storage of technology, software, and technical data.
The New Export Carve-Out and Encryption Requirement
The proposed rule for the EAR (with a similar proposal for the ITAR) states that the following activities are not exports, reexports, or transfers:
“(4) Sending, taking, or storing “technology” or “software” that is:
(i) Unclassified; (ii) Secured using ‘end-to-end encryption;’ (iii) Secured using cryptographic modules (hardware or “software”) compliant with Federal Information Processing Standards Publication 140-2 (FIPS 140-2) or its successors, supplemented by software implementation, cryptographic key management and other procedures and controls that are in accordance with guidance provided in current U.S. National Institute for Standards and Technology publications, or other similarly effective cryptographic means; and (iv) Not stored in a country listed in Country Group D:5 . . . or in the Russian Federation.”
One notable difference in the proposal for the ITAR is the exclusion of “or other similarly effective cryptographic means” from subsection (iii), creating a somewhat stricter encryption requirement.
The proposed rule then defines “end-to-end encryption” as “the provision of uninterrupted cryptographic protection of data between an originator and an intended recipient, including between an individual and himself or herself. It involves encrypting data by the originating party and keeping that data encrypted except by the intended recipient, where the means to access the data in unencrypted form is not given to any third party, including to any Internet service provider, application service provider or cloud service provider.”
What does this mean?
In a nutshell, the proposed rules would eliminate export control obligations for US companies in the above situations when the encryption requirements are satisfied. However, the rules would require stricter encryption obligations for companies and service providers to comply with when transferring and storing technology, software, and technical data.
In the supplemental information section of the proposed rule, BIS explained its thinking behind the new encryption requirements. It stated that “the intent of this requirement is that relevant technology or software is encrypted by the originator and remains encrypted (and thus not readable) until it is decrypted by its intended recipient.” BIS recognizes that end-to-end encryption is typically not used in all commercial situations, particularly when encryption is provided by cloud and email service providers. However, BIS found that situations where technology, software, and data are encrypted and decrypted many times before reaching the intended recipient create an “unacceptable risk” of vulnerability, thus leading to the end-to-end requirement.
If these rules go into effect, service providers in this space may need to enhance their encryption practices to comply with these new encryption requirements in order to avoid subjecting certain technology transfers and storage services to export control obligations.
The comment period for the proposed rules closes on August 3. A handy comparison chart between the proposed EAR and ITAR rules is also available for review.