Round Three: Encryption Software & Export Controls
 
by John P. Morgan, Perkins Coie LLP (1999)

 
On December 31, 1998, the U.S. Department of Commerce Bureau of Export Administration ("BXA") amended the regulations governing the export of encryption software and commodities, commonly referred to as "encryption items" ("EI"). (1) These amendments are the third round of changes in two years. Like previous changes, they are designed to loosen EI controls to respond to criticisms that U.S. export controls are creating a competitive disadvantage for American companies involved in electronic commerce, data authentication and information security.

U.S. policy on encryption exports began to shift on November 15, 1996, when President Clinton directed that virtually all EI controls administered by the Department of State's International Traffic in Arms Regulations ("ITAR") be transferred to the Department of Commerce. (2) It was felt that the Department of Commerce would be better suited to balance the competing issues of national security and international competition. On December 30, 1996, the BXA first amended the Export Administration Regulations (3) ("EAR"), formally transferring EI controls from the U.S. Munitions List to the Commerce Control List. (4) This amendment permitted the mass market export of weak, non-recoverable encryption products (no greater key length than 40-bit DES) and some stronger encryption products (56-bit DES) provided the exporter agreed to institute development of key recovery elements into their products. All strong encryption required a license or licensing arrangement from BXA.

On September 22, 1998, the EAR was amended a second time to permit the export (under a license exception) of non-recoverable strong encryption for "financial-specific software." Financial-specific software included software that was restricted by design for financial applications to secure financial communications and transactions for end users. Examples of such software include components of the SET™ protocol introduced by Visa and MasterCard. General use non-recoverable encryption software for use by banks and financial institutions was also authorized. Last, the amendment clarified that encryption loaded onto laptops and similar devices could be exported temporarily for business-specific and/or personal use provided the device stayed within a person's "effective control." (5)

The latest amendments represent the Administration's most recent attempt to balance the competitive and technological needs of electronic commerce with U.S. national security interests. Principally, the amendments create a host of additional exceptions for the use of stronger non-recoverable encryption for specific industry sectors: U.S. subsidiaries, medical and health care institutions, insurance companies and on-line merchants. Additionally, the threshold for the export of non-recoverable mass-market encryption items has been raised to 56-bit DES.

EI controls have a profound effect on the ability of U.S. software companies and developers to reach international markets. The controls encompass a wide class of software and technology that employs encryption for communications, authentication and data security—all important areas for the development of electronic commerce. Any company involved in these areas should have a basic understanding of how encryption export controls function and impact their ability to access foreign markets. This article broadly outlines the EI controls and highlights the recent changes.

A.  General Classifications and Restrictions Under The EAR

Export controls are administered by a host of federal agencies. These principally include: (1) BXA; (2) the Office of Foreign Assets Control ("OFAC") of the Department of Treasury; and (3) the Office of Defense Trade Controls ("ODTC") of the U.S. Department of State. BXA has the broadest coverage under its Export Administration Regulations ("EAR"). These regulations apply to virtually all types of exports and have specific limitations based on the export item and the destination country. OFAC and ODTC administer regulations which are designed to implement United Nations and U.S. sanctions and embargoes on specific countries. Generally, no exports can be made to or through the "terrorist seven" or "T7 countries" of Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria.

These agencies also maintain lists of entities and persons to whom U.S. companies may not export or involve in export related transactions. Specifically, BXA maintains a Denied Parties List and an Entity List. OFAC maintains lists of Specially Designated Nationals, Terrorists, and Narcotics Traffickers. ODTC maintains the Debarred Parties List. For most encryption items, exporters generally do not need to consult OFAC's Terrorist and Narcotics Trafficker lists or ODTC's Debarred Parties List because the items are not controlled for the classes of end-users or are outside the scope of the export restrictions. The lists are available in several formats and can be downloaded directly from the appropriate agency's Web site.

Like most commercial products, encryption items are now governed by the provisions of the EAR and the Commerce Control List ("CCL"). (6) However, if the encryption item is for a specific military application, it would remain subject to ITAR and the ODTC controls. Prospective exporters must review the CCL and any applicable parts of the EAR to determine whether an item or activity is "subject to the EAR." (7) Items subject to the EAR include: (1) all items in the United States; (2) all U.S. origin items wherever located; (3) U.S. origin parts, components, materials or other commodities incorporated into foreign products including U.S. origin software commingled with foreign technology; (4) certain foreign made direct products of U.S. origin technology; and (5) certain commodities produced by any plant located outside of the United States that is a direct product of U.S. origin technology or software. (8) A controlled item will be listed on the CCL and assigned an Export Control Classification Number ("ECCN"). For each ECCN, various export restrictions apply and cross reference must be made to BXA's Country Chart, a listing of controlled countries. (9)

Encryption software generally is classified as 5D002. Items subject to the EAR but not listed on the CCL are classified as EAR99 as "uncontrolled" or "common use" items. (10) Generic software without encryption or telecommunications capabilities commonly is given this designation.

If an export item is subject to the EAR, a license will be required prior to export and certain compliance procedures must be observed, unless a license exception applies. In addition, ten general export prohibitions specified by the EAR apply. (11) The first three prohibitions essentially prohibit export and reexport without a license or applicable license exception. The remaining prohibitions limit exports based on certain (1) denied parties; (2) end-use/end-user; (3) embargoed countries; (4) U.S. person proliferation activity; (5) in-transit shipments; (6) violations of any government order, terms, and conditions of a license, and (7) exporting with knowledge that a violation is to occur. (12)

Since encryption software is 5D002, the export rules require a license or license exception for export or reexport of encryption items to all destinations, except Canada. An exporter of a product or software containing any encryption generally will want to submit a "classification request" to BXA. The license exceptions applicable to EI products and technologies all require a one time review by BXA which can be done at the time of the classification request. (13) Applications are reviewed on a case-by-case basis by BXA in conjunction with other government agencies, principally the National Security Agency ("NSA"), to determine if export or reexport is consistent with U.S. national security and foreign policy interests. The Department of Justice and the Federal Bureau of Investigation ("FBI") also have been given authority to provide input. Once an application is approved, exporters must observe the licensing restrictions and observe the remaining export prohibitions of BXA and OFAC.

B.  What is Encryption Software?

Conceptually, there are two classes of software exports subject to the EAR, non-encryption and encryption software. "Software" itself is defined generally as "a collection of one or more 'programs' or 'microprograms' fixed in any tangible medium of expression."

1.  Non-encryption Software

Non-encryption software generally includes operational software that does not contain any encryption capabilities. However, some non-encryption software actually employs limited encryption functions and is exempted from EI controls. Some of the exempted software is "authorization" software and includes, in part: (i) software for personalized smartcards that are not capable of encrypting message traffic or user-supplied data and are restricted for use with equipment excluded from control; (ii) software for access control devices (such as automated teller machines and point of sale terminals) to prevent unauthorized access without encryption of text or data except as directly related to the method of authentication (password or PIN); and (iii) software for data authentication equipment that calculates a message authentication code ("hash" code) or similar result to ensure message integrity or to authenticate users, but does not allow for the encryption of any data other than that needed for authentication. (14) The latter exception generally contemplates digital signature technology. In practice, these exemptions are read very narrowly by BXA, and many types of "authentication" software are still subject to EI controls even though they do not permit much, if any, encryption for confidentiality purposes.

Depending on its capabilities, non-encryption software generally receives an ECCN of EAR99 (uncontrolled) or is listed in category 4D (electronics) or 5D (telecommunications). Although not subject to EI controls, software classified under 4D and 5D still may be subject to control for a variety of other reasons, including national security, missile technology, crime control, and anti-terrorism (15) and a license or license exception would be required for export.

2.  Encryption Software

The export of encryption software and hardware is controlled because of its "functional" capacity to encrypt information on a computer system, and not because of any informational or theoretical value that such software or hardware may reflect, contain, or represent, or that its export may convey to others abroad. In other words, it is the ability to encrypt which is governed by the export controls and not encrypted information itself. Thus, encryption software is defined as "computer programs that provide capability of encryption functions or confidentiality of information or information systems [which] includes source code, object code, applications software, or system software." (16) Unlike non-encryption software, the EAR controls generally apply to all exports and a license is required for virtually all countries except Canada.

Ironically, EI controls are so broad that they actually encompass software that does not contain any encryption. "Encryption-ready" or "crypto with a hole" software refers to software that contains no actual encryption function but nevertheless may have the capacity to support encryption. The NSA, FBI and BXA have interpreted the EAR (and its governing statute) to permit regulation of encryption-ready software as encryption items although the express language of the EAR does not reach such software. Thus, software containing sockets, hooks, or application programming interfaces (APIs) that allow for the ready insertion of end-user or distributor supplied encryption will be treated as if the encryption was present. The classification is determined on a case-by-case basis based on the type of software and its ability to use encryption.

NSA and BXA rely on the language of ECCN 5A002 and 5D002 contained in EAR § 774 Supplement No. 1 to permit the regulation of this type of export. ECCN 5A002 applies to all equipment designed or modified to use cryptography to ensure information security or perform cryptanalytic functions. (17) Information security includes "all the means and functions ensuring the accessibility, confidentiality or integrity of information or communications." Software "specially designed or modified" for the development, production, or use of equipment or software under 5A002 is controlled, including software specially designed or modified to support information security technology. What is "specially designed" is a nebulous term that the NSA and BXA interpret broadly. New language in the amendments confirms BXA's adherence to this interpretation.

In addition to the broad definition of encryption software, the definition of "export" has been tailored to explicitly reach on-line activities. For non-encryption software items, export means (1) any release of technology or software in a foreign country or actual shipment, or (2) any release of technology or source code to a foreign national (permanent residents excluded). A release to a foreign national is deemed to be an export to the foreign national's home country. With respect to the Internet, the BXA interprets export to include any situation in which the person making the software available receives information that the software is to be downloaded to a foreign party.

For encryption software, the definition of "export" is more explicit; that is, for the export of encryption source or object code, export means (1) an actual shipment, transfer, or transmission out of the United States; (2) a transfer of such software in the United States to an embassy or affiliate of a foreign country; or (3) downloading, causing the downloading, or making such software available outside the United States, over wire, cable, radio, electromagnetic, photooptical, photoelectric or other comparable facilities accessible to persons outside the United States, including transfers from electronic bulletin boards, file transfer protocol, and World Wide Web sites. (18) A person making encryption software available does not export provided certain compliance procedures are followed which are "adequate to prevent unauthorized transfer" outside the United States.

In another ironic twist, the export of printed material containing object code is not subject to the EAR and no license is required for its export. (19) The exception is sometimes called the "T-shirt" exception since a person can wear encryption code on a T-shirt and freely move to other countries. Notwithstanding this exception, encryption source code in electronic form or media is subject to the EAR.

C.  Licenses and License Exceptions

Once an item is classified under the CCL and is subject to the EAR, a license or "license exception" generally will be required for export. A license is a one-time authorization by BXA for shipment to a particular end user in a specific country. The exporter must describe all parties to the transaction and provide a "letter of explanation" detailing the product and end-use. License exceptions applicable to each ECCN are listed in the EAR. However, certain general license exceptions, not based on particular ECCNs, may be available. These license exceptions are generic approvals for the export of items that meet the individual exception's criteria. The current licensing policy now has three license exceptions for encryption items: License Exception TSU (Mass Market), License Exception KMI (Key Management Infrastructure), and License Exception ENC (Encryption Commodities and Software).

An alternative to a license or license exception is the encryption licensing arrangement ("ELA"). ELAs are a generic "catch-all" licensing provision of the EAR for encryption exports that do not fit within other license categories. Arrangements permit individual as well as blanket world-wide export. An applicant must specify the territory of distribution and classes of end users. Holders of ELAs may be required to report to BXA certain information such as item description, quantity, value, and end-user name and address. ELA applications are negotiated on an individual basis. Like the other license provisions, exports may not be made to the embargoed countries.

Thus, exporters that believe their software may be subject to EI controls should apply first to BXA to determine if any license exception is applicable and obtain an appropriate release. If the software in question is outside the generic exceptions, an exporter will need to obtain a license for each transaction or negotiate an ELA with BXA.

1.  License Exception TSU (Mass Market Software)

License Exception TSU, among other things, permits non-encryption software to be exported as a mass-market product. Presently, License Exception TSU permits export to all countries except the T-7. (20) For software companies that want to export "weak" encryption such as 56-bit DES or equivalent (formerly 40-bit DES), an exporter may obtain a release from BXA. Once released, the exporter can use License Exception TSU for exports and reexports, and the software is essentially treated like any other "non-encryption" software. License Exception TSU is not available for items controlled for encryption reasons unless released by BXA after a one time review.

Non-encryption software generally qualifies for mass-market treatment under License Exception TSU if it is "generally available to the public." (21) Software is deemed to be "available to the public" by being (a) sold from stock at retail selling points, without restriction by means of over the counter transactions, mail order transactions, or telephone call transactions; and (b) designed for installation by the user without further substantial support by the supplier. This standard also applies to mass-market encryption software. Non-mass market encryption software is now governed by License Exception ENC and, once released, may be exported to all but the T-7 countries. However, additional reporting requirements apply to non-mass market encryption software.

2.  License Exception KMI (Key Management Infrastructure)

License Exception KMI is at the heart of the Clinton Administration's encryption policy and key management infrastructure ("KMI") goals. Strong encryption commodities and software that are designed or modified to use a form of key escrow or key recovery are eligible for export after a one time review by BXA. Therefore, License Exception KMI permits the export of strong encryption provided key recovery or other methods to recover plaintext of encrypted information are in place. Prior to the amendments, License Exception KMI had explicit requirements for key recovery agents, security procedures, and key recovery procedures. Additionally, BXA was required to review and approve an exporter's compliance. The amendments removed these requirements but left the criteria for key recovery or recoverable products in place. (22)

Under the older version of License Exception KMI, non-recoverable encryption items up to 56-bit DES or equivalent strength were also eligible. Non-recoverable products are those products that do not permit the recovery of plaintext of encrypted data without the assistance or knowledge of the end-user. In order to be approved, exporters had to submit business plans outlining the steps to be undertaken to develop key recovery or recoverable products. The amendments have deleted these provisions entirely. The strength for export of mass-market and non-mass market encryption software has been increased to 56-bit DES under License Exceptions TSU and ENC respectively.

D.  Overview of Changes and License Exception ENC

As noted, many of the obligations associated with License Exception KMI for the export of non-recoverable encryption items have been removed or substituted by the new License Exception ENC. In most cases, the operative terms of License Exception ENC now replace all the requirements associated with any previously approved license exceptions (such as KMI and TSU), ELAs and specific end-user licenses. (23) Consequently, prior commitments to develop a key recovery plan and reporting requirements have been supplanted by License Exception ENC, and exporters should specify "ENC" instead of "KMI" on their Shipper's Export Declaration.

Generally, the new regulations permit the export of general purpose non-recoverable 56-bit encryption and strong encryption for specific sectors, namely for health and finance related applications and U.S. subsidiaries. Another exception is made for the use of strong encryption for financial-specific end-uses and on-line merchant software. BXA has summarized the EI controls in its Licensing Policy Matrix available at BXA's Web site (www.bxa.doc.gov). The more salient changes include:

  • Superseding Exception: New License Exception ENC (encryption commodities and software) generally requires a one-time technical review which can be done with an export classification request. Previously granted clearances for use of License Exceptions KMI and TSU, ELAs and end-user licenses are grandfathered into the new License Exception ENC provided they satisfy the pertinent provisions (including reporting requirements).

  • Upgrade to 56-bit DES: Increased key length of 56-bit DES (or equivalent) for worldwide mass market export. Toolkits, encryption-ready software, executable or linkable modules, etc. are NOT included and still require a license or ELA. No additional review is necessary under the new 56-bit DES mass market exception if the exporter has already had a one time review and been released from EI controls for a 40-bit version under the prior regulations. However, any increase to 56-bit DES requires a certification to BXA by March 31, 1999 prior to export. There are reporting requirements for non-mass market encryption software shipped to all military and government end users.

  • Insurance Companies: Insurance companies are now included in the definition of "financial institutions," thereby making insurance companies eligible for export of general purpose encryption software to 45 countries under the banking/financial services regulation released on September 22, 1998. To export, end-use must be limited to secure business financial communications or transactions and financial communications or transactions between the bank and/or financial institution and its customer. No customer to customer communications or transactions are allowed. In addition, no toolkits or similar components may be exported without an end-user license. There are no reporting requirements.

  • Health/Medical Entities: Authorization is given to export general purpose strong encryption to health and medical companies in 45 countries. The authorization excludes non-U.S. biomedical and pharmaceutical manufacturers and non-U.S. military health and medical entities. There are end-user reporting requirements.

  • U.S. Subsidiaries: Worldwide export of strong encryption software (source code) is permitted to U.S. subsidiaries (excluding T-7 countries) for internal corporate use after a one time technical review. Toolkits, encryption ready, executable or linkable modules are included. There are no reporting requirements.

  • On-Line Merchants: On-line merchant exception permits export of strong encryption (e.g., SSL (24)) for use in most e-commerce transactions to 45 countries. Export is subject to one-time BXA review to ensure no end-to-end encryption above 56-bit DES is available. There are reporting requirements.

  • ELAs: New policy is adopted for the general grant of ELAs permitting export of general purpose strong encryption for particular sectors (health, on-line merchant, and financial) that are not eligible under License Exception ENC. A general policy of denial still applies for the export of toolkits under ELAs.

On the whole, the third round of amendments goes a long way toward addressing critical areas where U.S. policy was hindering the export activities of U.S. citizens and companies. The new amendments are a welcome and significant step. However, industry and policymakers alike are still not satisfied with the changes, and several initiatives are still pending in Congress. Thus, the policy debate will undoubtedly continue in 1999 as lawmakers wrestle with law enforcement's legitimate security concerns on the one hand, and the overarching competitive and personal privacy issues on the other.

Encryption Export Controls Update
BXA Licensing Policy Matrix

| Class of End Users | Products | License Mechanism (25) | Country Scope | Reporting (26) | Restrictions (27) |
|---|---|---|---|---|---|
| U.S. Subsidiaries | Recoverable/Non-Recoverable | L.E. "ENC" | Global except T-7 | W | a,g |
| Banks/Financial Institutions and Insurance Companies | Recoverable/Non-Recoverable | L.E. KMI | 44 (including global branches) | W | a,b |
| | | ELA | Specific countries excluded | W | b |
| | | IL | Specific end users | | h |
| Health/Medical Companies | Recoverable/Non-Recoverable | L.E. "ENC" | 45 countries | F | a,b,c |
| | | ELA | Specific countries excluded | F | b,c |
| | | IL | Specific end users | F | h |
| On-Line Merchants | Client-Server or on-line Applications | L.E. "ENC" | 45 countries | F | a,b,d |
| | | ELA | Specific countries excluded | F | b,d |
| | | IL | Specific end users | | h |
| Commercial Entities | Recoverable | ELA | 41 countries (21 includes global branches) | F | e,f,g |
| | | ELA/IL | All others | | g,h |
| Any End User | Up to 56-bit DES or equivalent | L.E. "ENC" | Global except T-7 | W,M | a |



1   63 Fed. Reg. 72165 (Dec. 31, 1998), available at BXA's home page.

2   Memorandum and Order 13026, 61 Fed. Reg. 58767 (Nov. 15, 1996).

3   15 C.F.R. Parts 730-772.

4   Encryption Items Transferred From the U.S. Munitions List to the Commerce Control List, 61 Fed. Reg. 68572 (Dec. 30, 1996).

5   63 Fed. Reg. 50516 (Sept. 22, 1998).

6   The EAR and its accompanying general prohibitions were promulgated pursuant to the Export Administration Act ("EAA"), 50 U.S.C. Appx. §§ 2401 et seq. (1994), and the International Emergency Economic Powers Act ("IEEPA"), 50 U.S.C. §§ 1701 et seq. (1994). Section 2419 of the EAA provides that the act shall terminate on August 20, 1994. However, such lapses in the EAA have been declared national emergencies and the President has issued Executive Orders authorizing the continuation of the export controls under the authority of the IEEPA. The present EAA is in effect under such an order.

7   The CCL is divided into 10 export categories and contains a list of Export Control Classification Numbers ("ECCNs"). Each category therefore contains a variety of classifications corresponding to activities subject to the EAR. For each export classification, the CCL specifies a licensing requirement which identifies all possible reasons for control and country destinations that require an export license.

8   EAR § 734.3(a); see also EAR § 734.2(a).

9   See EAR §§ 738, 740 Supp. No. 1.

10   EAR99 software may be shipped as "no license required" or "NLR" to virtually any country other than the T7 countries, and the NLR designation should be used on any Shipper's Export Declaration form.

11   EAR § 736.

12   EAR § 736.2.

13   Exporters may "self-classify" but they run the risk that their determination is incorrect. EAR § 748.3.

14   See 15 C.F.R. § 774, Supp. 1 (note 5A002). The exemption also applies to certain antivirus software, copy-protected software that decrypts only, cellular phones that are not capable of end-to-end encryption, and software for facsimile equipment.

15   "Reasons for Control" under the EAR are discussed in detail under Part 742 of the EAR.

16   EAR § 772.

17   Specifically ECCN 5A002 applies to "all systems, equipment, application specific electronic assemblies, modules or integrated circuits for information security, and specially designed components." EAR § 774, Supp. No. 1.

18   15 C.F.R. § 734.2(b)(9).

19   15 C.F.R. § 734.3(b)(2). Courts have been critical of this seemingly inconsistent policy. See Bernstein v. Department of State, 974 F. Supp. 1288 (N.D. Cal. 1997).

20   EAR § 740.13(d)(3)(i).

21   EAR § 740.13; see also EAR § 774, Supp. No. 2, General Technology and Software Note.

22   EAR § 740.8.

23   See 15 C.F.R. §§ 740.17(a)(1), (b)(3), (c)(2); see also 15 C.F.R. §§ 742.15(3)(i), (5)(i), (6)(i).

24   The SSL protocol creates an encrypted "pipe" through which the server and client can communicate securely across an open public network such as the Internet. Depending on the strength of the encryption key, it may be virtually impossible to decipher the communication in the event it is intercepted while in transit. Software companies such as Microsoft and Netscape presently support two encryption key lengths for their SSL protocols, 40-bit and 128-bit. Since each bit doubles the number of possible sequences in the encrypted software key, the 128-bit version is roughly 3.09 × 10^26 times harder to break than a 40-bit key.

25   L.E.=License Exception, ELA=Encryption Licensing Arrangement, IL=Individual License

26   Reporting:

      W=report the quantity and ECCN for Non-Wassenaar countries only
      F=report the information required by EAR Section 742.15.
      M=in addition to "W" reporting, include name and address of all military and government end users in all destinations

27   Restrictions:

      a=One time technical review.
      b=Enduse within sector, no customer-to-customer.
      c=Excludes biochemical/pharmaceutical firms and military agencies under license exception.
      d=Excludes foreign merchants or separate business units that sell items and services on the USML under license exception.
      e=Excludes Telecom or Internet Service providers under the current ELA country scope.
      f=Excludes firms or separate business units engaged in the manufacturing and distribution of products or services on the USML.
      g=For internal company proprietary use only.
      h=case-by-case review.