BIS Amends Encryption Export Rules
On October 3rd, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) published an “interim final rule,” effective immediately, amending U.S. regulations that govern the export of hardware, software and technology containing encryption. Among other things, the amendments expand the list of items that are excluded from mandatory review by BIS prior to export, including common business and consumer products that contain only “ancillary cryptography,” as well as “personal area network” items. They also lift the waiting period for the export of encryption items, including technology, to four new countries upon registration of a review request with BIS. Overall, the amendments represent a step towards the rationalization of a complex and sometimes confusing framework for U.S. companies that export items containing encryption.
Hardware, software and technology with encryption capabilities have always been treated as a special case under the U.S. Export Administration Regulations (EAR) because of their impact on national security and limits on the ability of government to control their proliferation. The EAR impose a license requirement on the export of many encryption items, but provide an exception to those requirements—known as “ENC”—so long as exporters comply with certain review, notification and reporting requirements designed to enable the U.S. government to track the development and spread of encryption-capable products and technology. For certain end-uses, end-users and country destinations, BIS requires exporters using the ENC exception to submit a review request to BIS and to wait 30 days after registration of that request before export. Use of ENC also triggers a semiannual reporting requirement detailing its use for many types of exports.
In addition, the EAR encryption regulations provide for a category of encryption items—known as “mass market”—that allows for more relaxed restrictions on high-strength encryption items. BIS requires exporters of mass market items using symmetric algorithms with key lengths of more than 64 bits to submit a review request to BIS. If BIS determines that an item qualifies as mass market, BIS licensing is generally only required for exports to a small number of terrorist-supporting countries.
The stated intent of the amendments is to make the treatment of encryption items more consistent with the treatment of other items subject to the EAR, as well as to simplify and clarify the regulations. The amendments are a step towards rationalizing a complex and sometimes confusing framework for exporters, but the general approach remains in place. The following is a summary of certain major changes.
Reorganization of Regulations.
The amendments reorganize the ENC and mass market regulations. The first two ENC subsections in 15 C.F.R. § 740.17 have been rearranged and renamed, “no prior review or post export reporting required” and “prior review required.” Revised subsection 15 C.F.R. § 740.17(b) is now subdivided into four paragraphs with more user-friendly headings—
1) “review required without waiting period”
2) “review required with 30 day wait (non-‘government end-users’ only)”
3) “review required with 30 day waiting period (‘government end-users’ or non-‘government end-users’)”
4) “items excluded from review requirements.”
Expansion of Categories of Items that May be Exported Without Prior Review.
Under revised 15 C.F.R. § 740.17(b), exporters are no longer required to seek review for the following items prior to export—
- “ancillary cryptography,” described as cryptography that is not primarily useful for computers, communications, networking or information security
- “personal area network” items, defined to include particular kinds of devices that enable encrypted communication between devices in the immediate vicinity of an individual person or device controllers such as single rooms, offices or automobiles.
The new definition and carve-out for “ancillary cryptography” could significantly lighten the filing and reporting burdens on manufacturers and exporters of many encryption-capable products. The explanatory note to the definition identifies a broad array of consumer and commercial commodities and software that are “specially designed and limited to” functions such as “business process modeling and automation (e.g., supply chain management, inventory, scheduling and delivery)” and “industrial, manufacturing or mechanical systems.” The qualifier “specially designed and limited to” still leaves some uncertainty in the regulations, and export compliance officers will still likely need the assistance of product designers and engineers within their firms to determine whether the carve-out is applicable to their products.
In addition, the amendments make clear that commodities, software and technology intended for use in internal development or production may be exported to many end-users without filing a review request or reporting on export activity. The regulations always authorized the export of encryption technology and commodities for internal development purposes. With the new amendments, exporters can export items related to manufacturing as well.
Finally, the amendments confirm the longstanding position of BIS that foreign subsidiaries are exempt from prior review and reporting requirements.
Relaxed Requirements for More Countries.
BIS reserves the most liberal use of the ENC license exception for exports to a subset of countries that have adopted encryption export control regimes commensurate with that of the United States. For this subset, exporters can ship or release encryption products and technology immediately upon the registered filing of a review request with BIS. For countries outside of this group, exporters must wait 30 days after registration. The amendments move Bulgaria, Iceland, Romania and Turkey into the more favorable category of countries under ENC.
Increased Thresholds for Certain Restrictions.
BIS has increased the minimum thresholds that limited the use of the ENC license exception for certain sensitive products and end-users. For example, exporters may now use ENC to export network infrastructure commodities to non-government end-users with symmetric key lengths not exceeding 80 bits. The prior threshold was 64 bits.
Exports of Mass Market Items Pending Review.
Exporters may no longer claim “no license required” (NLR) in their electronic export information filings for mass market items pending review. Rather, exporters must now identify any item undergoing review as ENC until confirmation is received from BIS that the item qualifies as mass market.
Elimination of Notification Requirements for Certain Low Strength Encryption.
The old regulations required reports to be filed with BIS by the time of export for certain low strength encryption (e.g., encryption items with key lengths not exceeding 56 bits for symmetric algorithms). The amendments eliminated that requirement.
Elimination of License Exception KMI.
BIS eliminated this license exception because it deemed the exception obsolete.
The amendments should be an improvement for the manufacturers, exporters and customers of many encryption-capable products. However, complex licensing, review and reporting requirements still apply to exports of other encryption products for certain end-uses and to certain end-users. Moreover, open issues remain regarding the interpretation of these amendments. Careful analysis, planning and preparation will still be required to prevent export control regulations from slowing the introduction of new products to the burgeoning information security market. The amendments are effective as of October 3, and BIS stated that it welcomes comments on a continuing basis.