Michael Pender U.S. Department of Commerce December 14, 2011

 What are encryption items that require authorization to export?  When is authorization required for exporting encryption items?  What kinds of export authorization are available?  How to apply for authorization to export an encryption item  Differences between a “review request” and a ‘notification’  Differences between ‘restricted’, ‘unrestricted’ and “mass market” encryption items

 Any item exported from the United States  Reexports of U.S. origin items  Foreign-made products incorporating greater than de minimis U.S. controlled content  Certain foreign-made direct product of U.S. technology

 Remote access to a system  Encrypted data  Music/video/multimedia (we control the software and equipment that encrypts/decrypts, not the content)  Compression  Coding techniques for reliable transmission (e.g. CDMA, parity bits)  Medical devices

 Note 4 adopted by Wassenaar  Encryption used for “primary function” that is NOT computing, networking, communications, information security  Examples: ◦ Piracy and theft prevention for software, music, etc. ◦ Household utilities and appliances ◦ Printing, reproduction, imaging and video recording or playback—not videoconferencing ◦ Business process modeling and automation (e.g., supply chain management, inventory, scheduling and delivery) ◦ Industrial, manufacturing or mechanical systems (e.g., robotics, heavy equipment, facilities systems such as fire alarm, HVAC) ◦ Automotive, aviation, and other transportation systems

 Considerations: ◦ General purpose vs. application specific ◦ “Primary function” of the product  Results in an EAR99 classification or classification under a different category of the control list  Other reasons for decontrol result in classification of 5A992/5D992 (5A002 decontrol notes/ authentication only) ◦ Use of encryption

 Items that are identified in Category 5, Part 2 of the Commerce Control List  Items designed or modified to use cryptography whose primary function is: ◦ “Information security” ◦ Computing ◦ Communications ◦ Networking  Not ‘fixed’ coding or other schemes for ensuring reliable transmission of information that don’t involve hidden or obscured information

 Controlled for EI, NS and AT reasons (Wassenaar): ◦ 5A002 : hardware ◦ 5D002 : software ◦ 5E002 : technology  Controlled for NS and AT reasons (Wassenaar): ◦ 5B002: test equipment  Controlled for AT reasons only (U.S. unilateral): ◦ 5A992 : hardware ◦ 5D992 : software ◦ 5E992 : technology

 License exception TSU – EAR part ◦ Used for “publicly available” items ◦ Required ‘notification’  License exception ENC – EAR part ◦ Registration ◦ Self-Classification ◦ Encryption Review  Mass Market Review – EAR part  Other license exceptions ◦ TMP – EAR part ◦ GOV – EAR part ◦ BAG – EAR part

 The source code must be available to the general public ◦ available at no charge or ◦ available at a charge that does not exceed the cost of reproduction and distribution ◦ no limitations on further distribution  Required notifications ◦ Described in (e) ◦ to and

 License Exception ENC ◦ ‘restricted’ items (740.17(b)(2)) ◦ ‘unrestricted’ items (740.17(b)(3)) ◦ “self-classifiable” items (740.17(b)(1))  Terms like ‘retail’ are not used anymore.

 Described in EAR part (b) ◦ Items that are not listed in (b)(2) or (b)(3)(iii) ◦ Meets the criteria in Note 3 to Category 5, part II  Generally available to the public by being sold, without restriction, from stock at retail selling points…  The cryptographic functionality cannot be easily changed by the user;  Designed for installation without further substantial support by the supplier; and  When necessary, details are available…

 Classification by BIS/NSA Required ◦ “Restricted” and “unrestricted” items under ENC and listed mass market items (740.17(b)(2)/(b)(3) and (b)(3))  Self-classification Permitted ◦ “Other” items (740.17(b)(1) and (b)(1)

 Company registration required for 5A002/5D002/E002 items and mass market items  One registration per company, not per product  Exporters may rely on manufacturer’s registration/product classification…but BIS won’t provide that information

 All “other” ( (b)(1) and (b)(1)items  Submitted by to NSA and BIS  Submitted in.cvs (comma separated values) format  Six specified data fields: name of product, model number, manufacturer, ECCN, ENC or mass market, item type (of 49 listed)

 Individual validated licenses (IVLs) ◦ Specific transactions involving identified parties receiving specific goods and for a specific purpose ◦ Typically have a 2 year validity period  Encryption Licensing Arrangements (ELAs) ◦ Generally involves unlimited sales of specific goods to government end users in a certain country or group of countries ◦ Typically have a 4 year validity period  No License Required (NLR) transactions ◦ Sometimes a license is still required…

 Broad authorization for exports not eligible for License Exception ENC (most “restricted” items to government end users in non- “ENC favorable treatment” countries)  “Less sensitive” government end users - “worldwide” ELAs  “More sensitive” government end users – “single country” ELAs  4-year validity  Semi-annual sales reporting

 May include self-classified items  5A992, 5D992, 5E992  No License Required (NLR)  Controlled to AT countries: Cuba, Sudan, Syria, North Korea and Iran  No review by BIS is required

 BIS encryption web site:  EAR on the web: ◦  Specific questions: ◦ Information Technology Controls Division  (202)