1 / 20

Encryption Export Controls

Encryption Export Controls. Michael Pender U.S. Department of Commerce December 14, 2011. Overview. What are encryption items that require authorization to export? When is authorization required for exporting encryption items? What kinds of export authorization are available?

glenda
Download Presentation

Encryption Export Controls

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Encryption Export Controls Michael Pender U.S. Department of Commerce December 14, 2011

  2. Overview • What are encryption items that require authorization to export? • When is authorization required for exporting encryption items? • What kinds of export authorization are available? • How to apply for authorization to export an encryption item • Differences between a “review request” and a ‘notification’ • Differences between ‘restricted’, ‘unrestricted’ and “mass market” encryption items

  3. What is subject to the EAR? • Any item exported from the United States • Reexports of U.S. origin items • Foreign-made products incorporating greater than de minimis U.S. controlled content • Certain foreign-made direct product of U.S. technology

  4. What are Encryption Items that require authorization to export?

  5. NOT encryption item under EAR • Remote access to a system • Encrypted data • Music/video/multimedia (we control the software and equipment that encrypts/decrypts, not the content) • Compression • Coding techniques for reliable transmission (e.g. CDMA, parity bits) • Medical devices

  6. Not Encryption items: Note 4 • Note 4 adopted by Wassenaar • Encryption used for “primary function” that is NOT computing, networking, communications, information security • Examples: • Piracy and theft prevention for software, music, etc. • Household utilities and appliances • Printing, reproduction, imaging and video recording or playback—not videoconferencing • Business process modeling and automation (e.g., supply chain management, inventory, scheduling and delivery) • Industrial, manufacturing or mechanical systems (e.g., robotics, heavy equipment, facilities systems such as fire alarm, HVAC) • Automotive, aviation, and other transportation systems

  7. Application of Note 4 • Considerations: • General purpose vs. application specific • “Primary function” of the product • Results in an EAR99 classification or classification under a different category of the control list • Other reasons for decontrol result in classification of 5A992/5D992 (5A002 decontrol notes/ authentication only) • Use of encryption

  8. Encryption Items –- what does it mean again? • Items that are identified in Category 5, Part 2 of the Commerce Control List • Items designed or modified to use cryptography whose primary function is: • “Information security” • Computing • Communications • Networking • Not ‘fixed’ coding or other schemes for ensuring reliable transmission of information that don’t involve hidden or obscured information

  9. When is authorization required for exporting encryption items? • Controlled for EI, NS and AT reasons (Wassenaar): • 5A002 : hardware • 5D002 : software • 5E002 : technology • Controlled for NS and AT reasons (Wassenaar): • 5B002: test equipment • Controlled for AT reasons only (U.S. unilateral): • 5A992 : hardware • 5D992 : software • 5E992 : technology

  10. What kinds of export authorization are available? • License exception TSU – EAR part 740.13 • Used for “publicly available” items • Required ‘notification’ • License exception ENC – EAR part 740.17 • Registration • Self-Classification • Encryption Review • Mass Market Review – EAR part 742.15 • Other license exceptions • TMP – EAR part 740.9 • GOV – EAR part 740.11 • BAG – EAR part 740.14

  11. License Exception TSU • The source code must be available to the general public • available at no charge or • available at a charge that does not exceed the cost of reproduction and distribution • no limitations on further distribution • Required notifications • Described in 740.13(e) • email to crypt @bis.doc.gov and enc@nsa.gov

  12. License Exception ENC • License Exception ENC • ‘restricted’ items (740.17(b)(2)) • ‘unrestricted’ items (740.17(b)(3)) • “self-classifiable” items (740.17(b)(1)) • Terms like ‘retail’ are not used anymore.

  13. Mass Market Review • Described in EAR part 742.15(b) • Items that are not listed in 740.17(b)(2) or (b)(3)(iii) • Meets the criteria in Note 3 to Category 5, part II • Generally available to the public by being sold, without restriction, from stock at retail selling points… • The cryptographic functionality cannot be easily changed by the user; • Designed for installation without further substantial support by the supplier; and • When necessary, details are available…

  14. Classification/self-classification • Classification by BIS/NSA Required • “Restricted” and “unrestricted” items under ENC and listed mass market items (740.17(b)(2)/(b)(3) and 742.15(b)(3)) • Self-classification Permitted • “Other” items (740.17(b)(1) and 742.15(b)(1)

  15. Registration Requirements • Company registration required for 5A002/5D002/E002 items and mass market items • One registration per company, not per product • Exporters may rely on manufacturer’s registration/product classification…but BIS won’t provide that information

  16. Annual Report of Exported Products (“Supplement 8 Report”) • All “other” (740.17 (b)(1) and 742.15 (b)(1)items • Submitted by email to NSA and BIS • Submitted in .cvs (comma separated values) format • Six specified data fields: name of product, model number, manufacturer, ECCN, ENC or mass market, item type (of 49 listed)

  17. What happens when a License Exception is not available? • Individual validated licenses (IVLs) • Specific transactions involving identified parties receiving specific goods and for a specific purpose • Typically have a 2 year validity period • Encryption Licensing Arrangements (ELAs) • Generally involves unlimited sales of specific goods to government end users in a certain country or group of countries • Typically have a 4 year validity period • No License Required (NLR) transactions • Sometimes a license is still required…

  18. Encryption Licensing Arrangements (ELAs) • Broad authorization for exports not eligible for License Exception ENC (most “restricted” items to government end users in non- “ENC favorable treatment” countries) • “Less sensitive” government end users - “worldwide” ELAs • “More sensitive” government end users – “single country” ELAs • 4-year validity • Semi-annual sales reporting

  19. NLR items • May include self-classified items • 5A992, 5D992, 5E992 • No License Required (NLR) • Controlled to AT countries: Cuba, Sudan, Syria, North Korea and Iran • No review by BIS is required

  20. Additional Information • BIS encryption web site:www.bis.doc.gov/encryption • EAR on the web: • www.access.gpo.gov/bis/ear_data.html • Specific questions: • Information Technology Controls Division • (202) 482-0707

More Related