International Law Advisory - BIS Issues Revisions to Encryption Rules of EAR

October 3, 2008

On October 3, 2008, the US Department of Commerce Bureau of Industry and Security (“BIS”) published an interim final rule at 73 Fed. Reg. 57,495 revising the encryption-specific rules in the Export Administration Regulations (“EAR”).  The rule provides a modest liberalization of the restrictions that apply to encryption hardware, software, and technology.  The amendment also reorganizes various aspects of the encryption rules, revising thirteen different Parts of the EAR – some of them significantly.  The interim rule is effective immediately, though BIS is soliciting comments and the rule does not identify a closing date for the comment period.  This advisory focuses on the most significant changes made by the new encryption rule.

Elimination of Prior Notification Requirement – ECCNs 5A992, 5D992, 5E992

Prior to this new rule, the EAR required most hardware, software, and technology classified under Export Control Classification Numbers (ECCNs) 5A992, 5D992, and 5E992 to be notified (under specific procedures) to BIS before such items could be exported or reexported “no license required” or “NLR”.  This notification requirement applied specifically to what was generally considered “weak encryption” items in two categories – (1) mass market encryption software with key lengths up to 64 bits for symmetric algorithms and (2) encryption items (not necessarily qualifying as “mass market”) with key lengths up to 56 bits for symmetric algorithms, 512 bits for asymmetric key exchange algorithms, and 112 bits for elliptic curve algorithms.

The rule published today entirely eliminates this notification requirement.  While this change reflects a clear liberalization of the encryption controls, it is likely (based on improvements in encryption technology over the years and the current availability of more sophisticated encryption products on the market) that this liberalization will have a relatively limited practical effect, though it may be important in a small number of cases. Although the prior notification requirements described above have been removed, the rule retains the prior encryption review requirements applicable to hardware, software and technology under ECCNs 5A002, 5D002, and 5E002, including such items for which “mass market” treatment is sought.

Section 742.15 – Encryption Items

As revised, section 742.15 of the EAR is now focused on setting licensing policy for EI controlled items under ECCNs 5A002, 5D002, and 5E002.  It no longer sets licensing policy for items controlled under the less restrictive ECCNs 5A992, 5D992, and 5E992, and, as noted above, the prior notification requirements for these items have been removed.  (These “992” series items are AT controlled and can be shipped “no license required” or “NLR” to any country except Cuba, Iran, North Korea, Sudan, and Syria.)  In 740.17(a)(2), there is language further reinforcing this change by reminding exporters that once mass market encryption commodities and software have been reviewed by BIS and released from "EI" and "NS" controls, they are classified under ECCN 5A992 and 5D992 respectively, and are thereafter outside the scope of section 742.15.

License Exception ENC

Measured by the amount of textual changes, most of the changes made by the new encryption rule are found in section 740.17 of the EAR, which sets out “License Exception ENC.”  This has been and still is the most commonly used License Exception applicable to exports and reexports of encryption items controlled under ECCNs 5A002, 5D002, and 5E002.  The change involves significant moving of text and revisions to specific language, but the underlying authorizations provided by the rule have changed very little – though we do identify specific substantive changes below.  The reorganization is primarily aimed at realigning the existing authorizations according to specific review requirements (whether a prior review is required, if there is a waiting period after submission of the review prior to export authority being available, if there is an “exclusion,” etc.), and the basic framework of License Exception ENC remains unchanged.  Therefore, the new rule retains the no-prior-review policy for certain exports to “US subsidiaries” or for “internal company use” exports and the availability of License Exception ENC (Restricted) and License Exception ENC (Unrestricted) in sections 740.17 (b)(2) and (b)(3) after BIS review of the encryption items.  Rather than restating the entire License Exception, this advisory focuses on key changes to it.

No Prior Review (or Reporting) Required.  A hallmark of export authority under License Exception ENC has been and remains the requirement in most cases for a prior review of the encryption items by BIS before export or reexport is authorized under License Exception ENC.  Paragraph 740.17(a) now sets out the limited cases where no prior review or post-export reporting is required.  The substance of this authority remains essentially the same – exports to “US subsidiaries” or for “internal development or production of new products” are allowed under certain conditions, including retransfer and sales restrictions.  As noted below, there are two additional “exclusions” from the review and reporting requirements that are listed in their own separate paragraph.

Prior Review Required.  Paragraph 740.17(b) of the EAR now is the key paragraph setting out the specific cases where strong encryption items require prior review by BIS.  This paragraph is further divided by whether a 30-day waiting period is required prior to exports and reexports.  While the review and waiting periods are the organizing principle of the revised License Exception ENC, the differences in the prior rule based on factors such as favored countries, non-favored countries, government end-users and non-government end-users are retained.  Key differences aside from organization revisions include the following.

Review Required Without Waiting Period.  In addition to items previously falling into this category (e.g., ENC Unrestricted items to Favored Countries), License Exception ENC now contains a new authorization exempting from the 30-day waiting period encryption items for which mass market eligibility is sought through a review request.  Section 742.15(b) of the EAR previously provided this authority, seeming to temporarily grant mass market treatment for commodities and software under ECCNs 5A992 or 5D992 that were pending mass market review.  BIS has determined that this approach did not make sense because this more liberal treatment may not ultimately be granted.  Accordingly, in paragraph 740.17(b)(1)(i), the new rule now includes authorization under License Exception ENC for items pending mass market review.

Additionally, in Section 740.17(b)(1)(ii), BIS has raised the threshold of items exempt from the 30-day waiting period to include encryption items with symmetric algorithms having key lengths up to 80 bits. 

Review Required With 30-Day Waiting Period.  After a 30-day waiting period, 740.17(b)(2) of License Exception ENC authorizes exports and reexports to non-government end-users that are not located in a country listed in Supplement No. 3 to Part 740 or in one of the T5.  The new rule expands the scope of this authorization beyond its prior iteration by adding eligibility of ECCN 5B002 items (test, inspection, and production equipment).

License Exception ENC has for years identified specific items for which export or reexport is “restricted” to government end-users in non-favored countries.  (This is sometimes referred to informally as “ENC Restricted.”)  The new rules add to the list of “restricted” network infrastructure software and commodities "digital packet telephony/media (voice/video/data) over internet protocol."  There also are several detailed and technical liberalizations to the technical parameters that make up the “restricted” list.  So, if one of your products was close to the line on such a technical parameter, it would be worth a fresh look at the more liberal standards.  We understand that many of these revisions will have limited effect because the products currently being exported to government end-users already exceed these performance parameters.  However, for some companies the change may mean that your products can fit within the less restrictive ENC Unrestricted category.

Exclusions from Review Request Requirement (More).  Paragraph (b)(4) of License Exception ENC now provides two additional exclusions from the review request requirement.  Given the reorganization described above, it is unclear why these new exclusions are not contained in paragraph 740.17(a), described above, which sets out the other cases where no prior review or reporting is required.  (Retained in this category are short-range wireless encryption items, though incidental examples and explanatory language are added.)  Added to this review and reporting exclusion are certain "personal area network" items and certain "ancillary cryptography" commodities and software.  Both of these terms are defined in new Part 772 definitions.

The review request and reporting exclusion for items containing “ancillary cryptography” is possibly the most significant change in the new rule, though it may not be straightforward to decide if your product fits within the stated definitions and its related explanatory note.  "Ancillary cryptography" is defined (with emphasis added) as “the incorporation or application of ‘cryptography’ by items that are not primarily useful for computing (including the operation of "digital computers"), communications, networking (includes operation, administration, management and provisioning) or "information security."”  The related note to this definition provides some examples of "ancillary cryptography" including items that are “specially designed and limited to”:

  • piracy and theft prevention for software, music, etc.;
  • games and gaming;
  • household utilities and appliances;
  • printing, reproduction, imaging and video recording or playback (but not videoconferencing);
  • business process modeling and automation (e.g., supply chain management, inventory, scheduling and delivery);
  • industrial, manufacturing or mechanical systems (including robotics, other factory or heavy equipment, facilities systems controllers including fire alarms and HVAC); and
  • automotive, aviation and other transportation systems.

The note also explains that “ancillary encryption” items are not limited to wireless communication and are not limited by range or key length.  This exclusion is interesting because it appears to leave the conclusion as to what qualifies as “ancillary” to the exporter without the express requirement for a prior review, although we have heard informally that BIS expects to receive review requests testing the limits of this exclusion.

The review request and reporting exclusion for "personal area network" may also help some companies.  License Exception ENC excludes wireless "personal area network" items that implement only published or commercial cryptographic standards and where the cryptographic capability is limited to a nominal operating range not exceeding 30 meters according to the manufacturer's specifications.  An encryption item is further defined in Part 772 as fitting within this category if it is a data communication system that:

  • Allows an arbitrary number of independent or interconnected 'data devices' to communicate directly with each other; and
  • Is confined to the communication between devices within the immediate vicinity of an individual person or device controller (e.g., single room, office, or automobile).

The definitional notes in Part 772 contain other detailed parameters and examples that can help an exporter determine if their product properly falls within the review and reporting exclusion.

Treatment of Foreign-Developed Encryption Items.  The revised rule modifies License Exception ENC to consolidate two disparate references to the treatment of foreign-developed products incorporating US encryption components.  The consolidation is now contained in 740.17(b)(4)(ii) as part of the “exclusion” from review and reporting identified directly above.  The consolidated version of the rule now provides clearly that foreign products developed with or incorporating US-origin encryption source code, components or toolkits are eligible for the review and reporting exclusion as long as the US-origin encryption items they contain have previously been reviewed and authorized by BIS and their cryptographic functionality has not been changed.  Prior to this revision, the language of old 740.17(c) left unclear whether the US encryption components were in fact required to have undergone the prior BIS review before the exclusion applied.

Clarification on When a New Review is Required.  License Exception ENC now contains an explanatory note providing that a new product review is required only if a change is made to the cryptographic functionality (e.g., algorithms) or other technical characteristics affecting License Exception ENC eligibility (e.g., encrypted throughput) of the originally reviewed product.  It specifically provides that a new product review is not required when a change involves only the subsequent bundling, patches, upgrades or releases of a product; name changes; or changes to a previously reviewed encryption product where the change is limited to updates of encryption software components where the product is otherwise unchanged.  While this is not a change in policy, it bears highlighting as companies can reduce their review request burdens by being aware of this section.

Reporting Requirements.  The reporting requirements for License Exception ENC (contained in 740.17(e) as before) are now split into two sections – one section dealing with the semiannual reporting requirement of exports made under License Exception ENC and another for reporting key length increases.  The latter reporting requirement is not new, but has been relocated to this section to give it more visibility.  The reporting section provides new clarification that the Commodity Classification Automated Tracking System (CCATS) number is a required element of the report.  The new rules remove the requirement to report on exports of ECCN 5E002 items to be used for technical assistance that are not released by section 744.9, because (as discussed below) section 744.9 is now removed from the EAR.  The revised rule more clearly lays out what information is expected to be included in the reports for exports to distributors, individual consumers, and foreign manufacturers.

Reporting Exclusions.  Paralleling the 740.17(b)(4) review request exclusion is an explicit reporting exclusion applicable to all of the items excluded from review.  This includes a reporting exclusion for the newly created categories of wireless "personal area network" items and "ancillary cryptography" commodities and software.  In an interesting development whose importance will only play out over time, a new provision in 740.17(e)(1)(iii)(J) provides potential exclusion from reporting requirements on a case-by-case basis at BIS’s discretion where reporting is not of interest for national security reasons.  The new rule says that exporters will be notified of this exclusion on the CCATS documents issued as part of the review.  Though the rule does not provide for it expressly, we envision a possible scenario whereby companies request such treatment as part of the initial review request process.

Changes to Favored Countries.  Certain permissive aspects of License Exception ENC depend on whether the destination of the encryption item is to a favored country.  The list of favored countries is found at Supplement No. 3 to part 740.  The new rule revises the title of Supplement No. 3 to part 740 to read "License Exception ENC Favorable Treatment Countries."  Added to the list of favored countries are Bulgaria, Canada, Iceland, Romania, and Turkey.  Note that Canada is added for convenience since a license is not required to send encryption items to Canada and thus a License Exception is not needed.

License Exception KMI

The new rule entirely removes section 740.8 of the EAR – “License Exception KMI” – and the related Supplement No. 4 to part 742 – “Key Escrow or Key Recovery Products Criteria.”  These sections of the EAR rarely have been used in recent years due to changes in the way encryption is used in practice.  Accordingly, for most companies, this change will have little effect.

Changes to Information Required in Review Requests

The new rule revises Supplement No. 6 to part 742 "Guidelines for Submitting Review Requests for Encryption Items."  The key changes are requirements to include:

  • a brief non-technical description of the type of product being submitted, e.g., routers, disk drives, cell phones, chips, etc.;
  • for products with minor changes in encryption functionality, a cover sheet with complete reference to the previous review (CCATS#, Application Control Number (ACN), ECCN, authorization paragraph) along with a clear description of the changes;
  • a description of how encryption is used in the product and the categories of encrypted data (i.e., stored data, communications, management data, internal data, etc.);
  • for mass market reviews, a specific description of the type of parties that will be receiving the product and how the product is being marketed, as well as how this method of marketing and other relevant information (e.g., cost of product and volume of sales) correlates to the Cryptography Note (Note 3 to Category 5, Part 2);
  • information on whether any "encryption source code" is provided (shipped or bundled) as part of this offering and, if so, whether this source code is publicly available source code, unchanged from the code obtained from an open source web site, or is proprietary "encryption source code";
  • for the already required description of encryption algorithms and key lengths, additional information on “relevant parameters, inputs and settings”; and
  • for the required description of "cryptographic protocols and methods" (which replaces the prior phrase "encryption protocols"), a description of how the supported protocols are used.

Section 744.9 Removed from EAR – Restrictions on Technical Assistance

The new rule removes section 744.9 of the EAR, which separately required authorization from BIS for US persons to provide technical assistance (including training) to foreign persons with the intent to aid a foreign person in the development or manufacture outside the United States of encryption commodities or software that, if of US-origin, would be "EI" controlled under ECCNs 5A002 or 5D002.  BIS found that license applications rarely are submitted under this section, but are often submitted in connection with the export of ECCN 5E002 technology (including cases where license applications cover exports and reexports of technical assistance).  BIS states that the removal does not remove any license requirements for controlled encryption technology released while performing technical assistance.

Commerce Control List Changes

There were several ministerial, editorial and administrative changes not summarized in this advisory.  The following changes, however, may be of immediate interest to companies.

ECCN 5D992

Anti-virus and other anti-malicious software.  The new rules remove subsection 5D992.c – software designed or modified to protect against malicious computer damage, e.g., viruses – from ECCN 5D992 and add a corresponding note to the “Related Control” note stating that 5D992 "does not control ‘software’ designed or modified to protect against malicious computer damage, e.g., viruses, where the use of ‘cryptography’ is limited to authentication, digital signature and/or the decryption of data or files."  Software meeting the criteria of this Related Control note is now decontrolled and classified as EAR99, unless the software performs functions controlled under other ECCNs (e.g., data or file encryption, including of user or system data under Secure Socket Layer (SSL) encryption, even if the cryptographic functionality is not directly user accessible).  BIS cites certain firewall and other software for the screening of digital content and the detection and removal of viruses, spyware and unsolicited commercial email as examples of decontrolled software.

Mass market software.  The rule creates a new subsection 5D992.c clarifying that mass market software is classified under this new subsection upon completion of the encryption review process when BIS determines that the software meets the requirements for mass market treatment. Encryption software is no longer presumed eligible for mass market treatment.

If you have any questions about the new encryption rule, please contact Julia Court Ryan at 202.429.6418, Ed Krauland at 202.429.8083, or Petra Vorwig at 202.429.6417.