330 likes | 768 Views
Encryption Export Controls. Michael Pender U.S. Department of Commerce December 14, 2011. Overview. What are encryption items that require authorization to export? When is authorization required for exporting encryption items? What kinds of export authorization are available?
E N D
Encryption Export Controls Michael Pender U.S. Department of Commerce December 14, 2011
Overview • What are encryption items that require authorization to export? • When is authorization required for exporting encryption items? • What kinds of export authorization are available? • How to apply for authorization to export an encryption item • Differences between a “review request” and a ‘notification’ • Differences between ‘restricted’, ‘unrestricted’ and “mass market” encryption items
What is subject to the EAR? • Any item exported from the United States • Reexports of U.S. origin items • Foreign-made products incorporating greater than de minimis U.S. controlled content • Certain foreign-made direct product of U.S. technology
What are Encryption Items that require authorization to export?
NOT encryption item under EAR • Remote access to a system • Encrypted data • Music/video/multimedia (we control the software and equipment that encrypts/decrypts, not the content) • Compression • Coding techniques for reliable transmission (e.g. CDMA, parity bits) • Medical devices
Not Encryption items: Note 4 • Note 4 adopted by Wassenaar • Encryption used for “primary function” that is NOT computing, networking, communications, information security • Examples: • Piracy and theft prevention for software, music, etc. • Household utilities and appliances • Printing, reproduction, imaging and video recording or playback—not videoconferencing • Business process modeling and automation (e.g., supply chain management, inventory, scheduling and delivery) • Industrial, manufacturing or mechanical systems (e.g., robotics, heavy equipment, facilities systems such as fire alarm, HVAC) • Automotive, aviation, and other transportation systems
Application of Note 4 • Considerations: • General purpose vs. application specific • “Primary function” of the product • Results in an EAR99 classification or classification under a different category of the control list • Other reasons for decontrol result in classification of 5A992/5D992 (5A002 decontrol notes/ authentication only) • Use of encryption
Encryption Items –- what does it mean again? • Items that are identified in Category 5, Part 2 of the Commerce Control List • Items designed or modified to use cryptography whose primary function is: • “Information security” • Computing • Communications • Networking • Not ‘fixed’ coding or other schemes for ensuring reliable transmission of information that don’t involve hidden or obscured information
When is authorization required for exporting encryption items? • Controlled for EI, NS and AT reasons (Wassenaar): • 5A002 : hardware • 5D002 : software • 5E002 : technology • Controlled for NS and AT reasons (Wassenaar): • 5B002: test equipment • Controlled for AT reasons only (U.S. unilateral): • 5A992 : hardware • 5D992 : software • 5E992 : technology
What kinds of export authorization are available? • License exception TSU – EAR part 740.13 • Used for “publicly available” items • Required ‘notification’ • License exception ENC – EAR part 740.17 • Registration • Self-Classification • Encryption Review • Mass Market Review – EAR part 742.15 • Other license exceptions • TMP – EAR part 740.9 • GOV – EAR part 740.11 • BAG – EAR part 740.14
License Exception TSU • The source code must be available to the general public • available at no charge or • available at a charge that does not exceed the cost of reproduction and distribution • no limitations on further distribution • Required notifications • Described in 740.13(e) • email to crypt @bis.doc.gov and enc@nsa.gov
License Exception ENC • License Exception ENC • ‘restricted’ items (740.17(b)(2)) • ‘unrestricted’ items (740.17(b)(3)) • “self-classifiable” items (740.17(b)(1)) • Terms like ‘retail’ are not used anymore.
Mass Market Review • Described in EAR part 742.15(b) • Items that are not listed in 740.17(b)(2) or (b)(3)(iii) • Meets the criteria in Note 3 to Category 5, part II • Generally available to the public by being sold, without restriction, from stock at retail selling points… • The cryptographic functionality cannot be easily changed by the user; • Designed for installation without further substantial support by the supplier; and • When necessary, details are available…
Classification/self-classification • Classification by BIS/NSA Required • “Restricted” and “unrestricted” items under ENC and listed mass market items (740.17(b)(2)/(b)(3) and 742.15(b)(3)) • Self-classification Permitted • “Other” items (740.17(b)(1) and 742.15(b)(1)
Registration Requirements • Company registration required for 5A002/5D002/E002 items and mass market items • One registration per company, not per product • Exporters may rely on manufacturer’s registration/product classification…but BIS won’t provide that information
Annual Report of Exported Products (“Supplement 8 Report”) • All “other” (740.17 (b)(1) and 742.15 (b)(1)items • Submitted by email to NSA and BIS • Submitted in .cvs (comma separated values) format • Six specified data fields: name of product, model number, manufacturer, ECCN, ENC or mass market, item type (of 49 listed)
What happens when a License Exception is not available? • Individual validated licenses (IVLs) • Specific transactions involving identified parties receiving specific goods and for a specific purpose • Typically have a 2 year validity period • Encryption Licensing Arrangements (ELAs) • Generally involves unlimited sales of specific goods to government end users in a certain country or group of countries • Typically have a 4 year validity period • No License Required (NLR) transactions • Sometimes a license is still required…
Encryption Licensing Arrangements (ELAs) • Broad authorization for exports not eligible for License Exception ENC (most “restricted” items to government end users in non- “ENC favorable treatment” countries) • “Less sensitive” government end users - “worldwide” ELAs • “More sensitive” government end users – “single country” ELAs • 4-year validity • Semi-annual sales reporting
NLR items • May include self-classified items • 5A992, 5D992, 5E992 • No License Required (NLR) • Controlled to AT countries: Cuba, Sudan, Syria, North Korea and Iran • No review by BIS is required
Additional Information • BIS encryption web site:www.bis.doc.gov/encryption • EAR on the web: • www.access.gpo.gov/bis/ear_data.html • Specific questions: • Information Technology Controls Division • (202) 482-0707