Believe it or not, encryption is considered a type of munitions, and that's why there are controls in place for exported encrypted software; seller beware.
Anything you sell on the Internet may be considered an export item. This applies to orders that require fulfillment by shipping and orders that are satisfied with downloads. Anyone can download an item from the Internet, including individuals in "Group E" outlawed countries (i.e., North Korea, Cuba, Iran, Sudan, and Syria). As a supplier, you must be aware of these countries, and certain other countries as well, because trade restrictions may apply.

Software, whether standalone for the desktop or designed to run some hardware item, is a critical export item to examine, because software may include encryption. There was a time when all encryption was handled by the U.S. Department of Defense, but that changed under the Clinton Administration, which mandated that commercial items be passed to the U.S. Department of Commerce. Regardless of the switch, encryption has always been seen as a dual-use item, and it is referred to as munitions simply because any commercial item could be incorporated into a military arsenal. Dual-use means that it can be used by civilians as well as by the military, but there is a separate U.S. Munitions List specifically for military-related items that should not come into play for most companies.

For software developers today, any software that uses encryption in any phase of the application's operation must be classified for export. That includes any mass-market or retail commercial items that are offered on the Internet for download, either paid or free.

For any company dealing with the Internet, export regulations must be learned, if only because every country must be dealt with differently under U.S. law. What this means is that some countries require a license for a certain item, but other countries may not. In other words, if your country of export carries a particular code, you'll need a license to ship there. AT, for example, is the code for anti-terrorism, and NS stands for national security. There is a "control" in effect for certain codes, and specific requirements must be met.

Under the U.S. Code of Federal Regulations (Title 15 - Commerce and Foreign Trade), export items must be classified through the Bureau of Industry and Security (BIS). These classifications vary because of the wide array of exports, but there should be a classification available for your item.
These classifications are made because of the requirements for licensing, although most exports in the retail arena do not need a license. Nevertheless, you must still notify the BIS of an export item's existence and export status.

In general, there are three licensing categories concerning encryption and your software: NLR (no license required), license exception, and license required. If you believe that your product does not need a license, you will still have to answer all of the questions provided for you in Sec. Supplement No. 6 to Part 742 - Guidelines for Submitting Review Requests for Encryption Items (Submission Specifics). Your answers must be submitted in a notification to the BIS in order to be granted a classification of NLR export. You will also be responsible for Sec. Supplement No. 5 to Part 742 - Checklist on Encryption and Other "Information Security" Functions (Specific Coding). In this portion, your product and encryption must be described.

To pass the fundamental NLR test, you must at least satisfy the purpose clause (in the next paragraph), demonstrating the retail mass-market aspects of your product. You need to state that your purpose is entirely commercial.

In accordance with the Cryptography Note [Note 3 of Category 5, Part 2, of the Commerce Control List (Supplement No. 1 to Part 774 of the EAR)], the product must meet the several terms of the definition of mass-market software, as follows:

"a. Generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of the following:
   1. Over-the-counter transactions;
   2. Mail order transactions;
   3. Electronic transactions; or
   4. Telephone call transactions;
b. The cryptographic functionality cannot be easily changed by the user;
c. Designed for installation by the user without further substantial support by the supplier; and
d. When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter's country in order to ascertain compliance with conditions described in paragraphs (a) through (c) of this note."

According to the BIS website, you must notify the BIS for any "mass market encryption commodities and software with key lengths not exceeding 64 bits," even if no license is required. Weak encryption is usually referred to as 40 bits or lower, and much encryption is done at 128 bits. Generally speaking, software encrypted at less than 64 bits doesn't need a license, but notification is still mandatory. Even if your software uses encryption only for password-protected documents, you must at least notify the BIS, answer all of the questions in the supplements provided, and disclose the encryption key length in bits before the classification of NLR may be bestowed. As a matter of fact, the BIS recommends that instead of simply notifying them, you request a formal classification from them on your export item.

How Necessary Is Your Encryption?

Encryption is used for a multitude of things in software, including password-protected documents, login pages, email programs, and databases. For some developers, the only encryption used is to validate their own software to prevent piracy from others. Validation ensures that the customer bought the item from the correct provider, and that the customer opening the software on the desktop is the same one who bought it. This is very different from preventing copying. To prevent piracy, one must ensure that, unless they have your permission, anyone who buys the product legitimately cannot turn around and sell quantities of it as if they were a franchise. A valid copy must have a valid ID number issued along with a valid username. Usually encryption is the mode for this, and if it is used, BIS must be notified.
There are ways to validate your software, however, without encryption, in which case you could bypass the BIS. (See Table 1 below.)

For a company that produces numerous items, or one that does a lot of volume, notifying the BIS and filing the proper paperwork every time can easily become time-consuming. At the time of this writing, there is no way to get around that. You must file with two separate examiners, although there is an opportunity to file with one of them online by uploading documents.

For a small developer, or one that uses encryption only for basic validation, the opportunity to manage this without encryption promises some relief. This decision is a difficult one for many because the U.S. Code of Federal Regulations is quite specific concerning exports and encryption and demands that notice be given for all encryption software - this means every piece of software that uses encryption, not just some.

To find out about licensing basics, visit www.bis.doc.gov/licensing.
Table 1: Summary of Steps to Process Your Export

1. Ensure that your export is under U.S. Department of Commerce jurisdiction.
2. Classify your item by reviewing the Commerce Control List.
3. If your item is classified by an Export Control Classification Number (ECCN), identify the Reasons for Control on the Commerce Control List.
4. Cross-reference the ECCN Controls against the Commerce Country Chart to see if a license is required. If yes, determine if a License Exception is available before applying for a license.
5. Ensure that no proscribed end users or end uses are involved with your export transaction. If proscribed end users or end uses are involved, determine if you can proceed with the transaction or must apply for a license.
6. Export your item using the correct ECCN and the appropriate symbol (e.g., NLR, license exception, or license number and expiration date) on your export documentation (e.g., Shipper's Export Declaration).

Mr. J.V. Presogna is a published writer, composer, and artist, with a background in science and mathematics. He has produced numerous software programs in C#, Java, C, and C++.