International Law Advisory - BIS Issues New Encryption Rule

June 28, 2010

On June 25, 2010, the Commerce Department’s Bureau of Industry and Security (“BIS”) revised its encryption rules contained in the Export Administration Regulations (“EAR”).  The new rule is effective immediately and changes conditions and procedures under which certain encryption hardware, software and technology can be exported.  The preamble to the rule describes this as a “first step in the President’s effort to reform U.S. encryption export controls.”  Thus, in addition to the President’s broader export control reform, it appears that we can anticipate further changes to the encryption rules.  While the rule represents a liberalization in some respects, it also imposes significant new administrative requirements on exporters of encryption items.  The complexity of the new rule will likely pose a challenge to many producers and exporters of encryption products.  BIS is accepting comments on the rule through August 24, 2010.

New Self-Classification Options in Exchange for New Registration and Reporting Requirements

One aspect of the encryption rules that has frustrated many companies over the years has been the requirement for submission of an encryption review to BIS, followed by a 30-day waiting period before an exporter could export under the mass market provisions and certain License Exception ENC provisions.  The June 25 rule removes this review requirement for certain encryption items – specifically, “mass market” and certain other “less sensitive” unrestricted encryption items – and allows exporters “immediate authorization” for these items (essentially self-classification) under certain conditions.  To qualify for the no-review option, exporters must submit a company-specific registration to BIS (and receive an “encryption registration number” or “ERN”).  Once the registration has been made, mass market and less sensitive encryption items can be self-classified and exported to all end users in all destinations except for Cuba, Iran, North Korea, Sudan, and Syria (the “T5”).  However, the rule introduces a new requirement that exporters must submit annual reports of all self-classified items exported during each calendar year, using a specific format.  The registration and reporting formats are set out in new supplements to Part 740 of the EAR.  Note also that the rule suggests the potential for a delayed implementation (until August 24, 2010) for the registration requirement, but this aspect is not clearly drafted and appears to conflict with other elements of the new regulation.  BIS has confirmed informally that it plans to issue a technical correction removing the suggestion of a delayed implementation.

Certain “restricted” and “sensitive” encryption items must still comply with the review requirement (now called an “encryption classification request” rather than an “encryption review”) and the 30-day waiting period.  (Note that registration and issuance of an ERN are also now prerequisites for the filing of an encryption classification request.)  Included among those items requiring a prior encryption classification are those items considered “restricted” under prior encryption rules.  This restricted list has been slightly modified, and exporters should pay close attention to the revised language.  Also requiring a prior encryption classification are other sensitive items including (1) “encryption components,” (2) items that provide or perform “non-standard cryptography” (essentially proprietary encryption), (3) certain items that perform vulnerability analysis, network forensics or computer forensics, and (4) commodities and software that “enable” cryptography that otherwise would remain “disabled.”  Immediately upon submission of a classification request, items covered by the request – except for “cryptanalytic” (code-breaking) items – may be exported to the 35 favored countries listed in Supplement 3 to Part 740 of the EAR.  In addition, upon submission of an encryption classification request, certain encryption source code may be exported to “non-government” end users in any country except the T5, and cryptanalytic items may be exported to “non-government” end users located or headquartered in a favored country.

For less sensitive items not requiring the prior encryption classification, the annual report replaces transaction-specific post-export reporting requirements under License Exception ENC.  Such reporting is retained, however, for many encryption items that remain subject to the prior encryption classification requirement. 

Encryption Technology Exports Are Liberalized in Part

Before the June 25 rule, ECCN 5E002 encryption technology (i.e., that encryption technology subject to the most restrictive controls) required a license to all destinations except certain favored countries, and exports to those favored countries required prior submission of an encryption review request.  Most types of ECCN 5E002 encryption technology remain exportable to favored countries immediately on submission of an encryption classification request.  In addition, most types of ECCN 5E002 encryption technology now will be exportable to “non-government” end users in a broader range of countries after 30 days (all but “E:1” and “D:1” countries, which are countries that pose greater national security concerns).  Certain ECCN 5E002 encryption technology is subject to different, more restrictive rules – including “non-standard cryptography” technology, “open cryptographic interface” technology and “cryptanalytic” (code-breaking) technology.

“Ancillary Cryptography” is Redefined and Decontrolled

In October 2008, BIS revised its rules to make encryption items that fit the definition of “ancillary cryptography” eligible for export without submission of a prior encryption review.  Subsequently, in December 2009, the member countries of the multilateral export organization known as the Wassenaar Arrangement agreed to decontrol items meeting a slightly different definition of “ancillary cryptography.”  BIS has now removed its October 2008 ancillary cryptography language and has implemented the Wassenaar approach.  As in the Wassenaar control list, BIS has now added a new “Note 4” in Category 5 (Part 2) of the Commerce Control List (“CCL”).  (Category 5 (Part 2) sets out those items subject to export controls for encryption or “information security” reasons.)  Encryption items meeting the criteria of the new Note 4 are now excluded from the Category 5 encryption controls.  If such items do not fit within another category on the CCL, then such items will be “EAR99” (which is a category of items subject to the fewest export controls).

Under Note 4, items are outside Category 5 (Part 2) if their primary function or set of functions is not 1) information security, 2) that of a computer, including operating systems, parts and components, 3) sending, receiving or storing information (except in support of entertainment, mass commercial broadcasts, digital rights management or medical records management), or 4) networking (including operation, administration, management and provisioning).  Note 4 requires that the cryptographic functionality be limited to supporting the item’s primary function or set of functions.  On its face, Note 4 appears narrower than the prior definition of ancillary cryptography.  The preamble to the June 25 rule states, however, that “[t]he scope of Note 4 is coextensive with the scope of the ‘ancillary cryptography’ provisions that were added to the EAR on October 3, 2008.”  BIS also notes in the preamble that items that were self-classified or classified by BIS as “ancillary cryptography” items under the October 3, 2008 rule are now outside of Category 5 (Part 2) and are either properly reclassified under other categories of the CCL or designated as EAR99.  Finally, the preamble also references a long list of items that BIS considered to be within Note 4.  This list combines items from the prior ancillary cryptography definition with other items that BIS reviewed and classified as ancillary cryptography under the prior definition.

*  *  *  *  *

Companies that produce and/or export products that use encryption will need to pay close attention to the changes set out in the June 25 rule.  The new administrative aspects of the rule will require more attention to record-keeping and changes to current systems.  If you have any questions about the scope or the meaning of the rule or are interested in commenting to BIS on any aspect of the rule, please contact Julia Court Ryan at 202.429.6418, Michael Vatis at 212.506.3927, Maury Shenk at +44 (0) 20.7367.8000, or Michael Gershberg at 202.429.6208.