Where Industry and Security Intersect
What's New | Sitemap | Search
U.S. encryption export policy continues to rest on three principles: review of encryption products prior to sale, streamlined post-export reporting, and license review of certain exports and reexports of strong encryption to foreign governments. Effective December 9, 2004, the Export Administration Regulations (EAR) have been amended in order to streamline and strengthen export and reexport controls on encryption items, in keeping with these principles.
This policy update includes the following features:
This rule simplifies the License Exception ENC technical review process by implementing a uniform 30 day period for most encryption reviews and clarifying the criteria by which the licensing requirement to certain “government end-users” is determined. Now, except for commodities and software that provide an “open cryptographic interface” or that are specified in the revised paragraph (b)(2) of License Exception ENC (§740.17(b)(2) of the EAR), all encryption products submitted for review under License Exception ENC qualify to both “government end-users” and non-“government end-users” under paragraph (b)(3) of the license exception (§740.17(b)(3)).
To strengthen this review process, this rule authorizes the Bureau of Industry and Security (BIS) to, at any time, require additional technical information about an encryption item submitted for review and, if the information is not furnished, to suspend or revoke authorization to use License Exception ENC with respect to the item for which the information is sought.
This rule expands the list (Supplement No. 3 to part 740 of the EAR) of countries to which certain encryption items may be sent immediately (i.e., without a 30 day waiting period), once a review request is submitted to the U.S. Government. This list now covers all current members of the European Union (EU) to include those countries that joined the EU on May 1, 2004. Specifically, this rule adds Cyprus, Estonia, Latvia, Lithuania, Malta, Slovakia, and Slovenia to Supplement No. 3 to part 740 because those countries were admitted to the European Union on May 1, 2004 and were previously not listed in this supplement. (Although the Czech Republic, Hungary, and Poland were also admitted to the European Union on May 1, 2004, these three countries were previously part of the EU “license-free zone” and therefore already listed in Supplement No. 3 to part 740.)
To further ensure that companies in the U.S. can effectively trade with their “license-free zone” partners, this rule allows encryption items and related technical assistance to private sector end-users headquartered in Canada or any country listed in Supplement 3 to part 740 for internal company use in the development of new products, without prior technical review. However, review is still required for new products produced or developed with an item that had been exported or reexported without review for such internal company use, before the products are transferred to others.
This rule removes the requirement to make a separate request for de minimis eligibility when submitting a review request under License Exception ENC. Except for prohibitions on de minimis treatment for encryption technology controlled under Export Control Classification Number (ECCN) 5E002 to any foreign destination, or for “network infrastructure” products and other commodities and software listed in §740.17(b)(2) of the EAR going to a destination in Country Group E:1, foreign made items incorporating U.S. origin encryption items that have met specified notification or review requirements will be treated like foreign made items that incorporate other U.S. origin items, in terms of de minimis eligibility.
For “publicly available” encryption software that has been posted to the Internet under the notification procedures of License Exception TSU (§740.13(e) of the EAR), this rule permits updates or modifications to be made to such software without additional notification, provided the Internet location of the software has not changed.
To alleviate confusion with respect to the treatment of “mass market” encryption products under §742.15(b)(2) of the EAR, this rule removes the word “retail” from License Exception ENC (except from a “grandfathering” paragraph that allows the continued export and reexport of encryption commodities and software previously classified as “retail” without additional review).
This rule removes the requirement that exporters of beta test encryption software report the names and addresses of their beta testers, and permits key lengths of products that have previously been reviewed and authorized under License Exception ENC to be increased with a simple e-mail notification procedure (instead of through a certified letter from a corporate official).