Personal Technology Encryption vs. Homeland Security by Michael Erbschloe - HTML preview


Introduction to Encryption Export Controls

 

Welcome to the Department of Commerce Bureau of Industry and Security Export Regulations Training Webinar Series. Today's topic is an "Introduction to Encryption Export Controls." In just a moment we'll be turning you over to our presenters. If you're watching live you'll have the opportunity to ask questions directly using the "Ask a question" button just below the video window. We hope you enjoy the view overlooking Connecticut Avenue and K Streets in Washington, only a couple blocks from the White House. Again, thank you for attending. Now let's turn it over to our presenters.

 

The Information Technology Controls Division is pleased to present this brief webinar, with an introduction to Encryption Export Controls this afternoon. The Information Technology Controls Division consists of nine licensing officers; myself, Randy Wheeler, and I'm joined today by two other licensing officers, Anita Zinzuvadia and Aaron Amundson. We're going to very quickly run through a list of topics to familiarize you with the encryption export controls and the Export Administration Regulations.

 

The Information Technology Controls Division is responsible for classifying and licensing items that are listed in Categories 4, 5 Part 1, and 5 Part 2 of Commerce Control list; that is, computer, communications, and information security items. And we have found that at least 95% of our workload is concerned with encryption items that are found in Category 5 Part 2 of the Commerce Control list.

 

Before launching into our slides, I would like to make a couple of notes. One is, again, this is a very brief webinar. We're going to run through a lot of terminology very quickly. But we hope that questions that come up, you will feel free to contact us after the webinar. We'll have our contact information at the end of the presentation, and we would be happy to talk to you and answer any further questions that you have.

 

Secondly, we are presenting the encryption provisions of the Export Administration Regulations as they are today, February 17th, 2016, and the regulations do change from time to time. In fact, as we speak, there is a rule making its way through to publication that will make some structural changes to Category 5 Part 2 of the Commerce Control list. We also hope that some additional provisions, encryption provisions, can be amended in the same rule. So, please, if you are looking to the encryption provisions, please make sure that you look at the current version of the Export Administration Regulations that are published on our website, as things do change.

 

Finally, just to note that there are a few handouts that are included in the webinar materials today. We have two charts, one on license exception ENC, and one on mass market encryption, and two lists of government end-users that I will be discussing later on in the presentation. So with that, I'd like to turn the slides over to Anita Zinzuvadia. These are the topics that we're going to touch on today very briefly, and we will start with the Category 5 Part 2 of the Commerce Control List.

Thank you, Randy. So I'm going to take a few minutes to discuss items that are subject to Category 5 Part 2. And when I start these discussions I like to kind of start off with a common base of understanding. And with that, first, I'd like to talk about some items that are not in Category 5 Part 2. First of all, encrypted data: the EAR, Export Administration Regulations, does not control encrypted data for the sake of it being encrypted. So that includes files, music, multimedia information, videos. Encrypted data is not controlled. But the hardware/software that could be used to encrypt that data could be controlled. So that's point number one there. Compression: we do not consider compression to be cryptography. There's no means for hiding information in compression, or a secret key exchange used in compression. So, some of you may be familiar with tools like WinZip. It compresses the information using certain algorithms, but the compression itself is not considered encryption. But WinZip is a tool that we know that does encryption on top of the compression. So it could be considered an encryption item for the functionality but not the compression itself.

 

Next, coding techniques, we outline this in the regulations under Category 5 Part 2 that we do not control fixed coding techniques. Things like CDMA is not considered cryptography. Also, parity bits are not considered with your key length in encryption in counting your -- measuring your key length.

 

And as I said at the beginning, there is a chart in the handout that provides another table with the different types of mass market authorization. Now we've gone through all of the different authorizations that are available for -- under license exception ENC and mass market. So that's all of the different authorizations that are available. And now I'm going to talk about once you figure out whether you need the registration, the classification, or the reporting, the mechanics of how you do that, how you submit the different forms that are required.

 

First is the encryption registration. And as a reminder, the encryption registration is required for all of the (b)(1), (b)(2), and (b)(3) items under both ENC and mass market. The encryption registration is a separate module in SNAPR called the "encryption registration." You fill out the encryption registration form in SNAPR and you attach the Supplement 5, the answers to the questions that are in Supplement 5 to Part 742. You attach that in SNAPR and then you submit it. And then the system will basically automatically send you back the encryption registration number, and that's it.

 

That's the entire process for getting the encryption registration. The encryption registration is really a company registration. It's not a product registration. So the regulations only require you to submit one registration per company. And the registration only needs to be updated once a year. That's a calendar year. Once per calendar year, and only if something changes in the registration. So the most you should ever have to submit an encryption registration is once a year, and then only if something changed in your registration from the previous year.

 

If you are not the manufacturer of an item you can rely on the manufacturer's encryption registration, if they have one. If you want to export a (b)(1) product and you don't have an encryption registration but the manufacturer had told you they have an encryption registration, then you can rely on the manufacturer's encryption registration. You wouldn't need to submit one of your own. That's the registration requirement.

 

The classification requirement, again, the classification is required for items in (b)(2) and (b)(3) of ENC, and mass market (b)(3). For the classification request, you fill out the same commodity classification request form in SNAPR and then you attach a data sheet or equivalent, something equivalent to the data sheet. And you provide the answers to the questions that are in Supplement 6, to part 742. Those are all the questions on the encryption functionality. And then you submit that. And once you submit the complete review request, so the review request with the data sheet and the Supplement 6 information, once you submit the review request, you can start exporting immediately to the Supplement 3 countries.

 

You don't have to wait to hear anything from us. You can export immediately to the Supplement 3 countries. Then, 30 days later, you can start exporting under the full authorization of license exception ENC, even if we haven't issued the classification yet. And the 30 days doesn't include days that we've put the application on hold, but if you submit a classification request and 30 days go by and you haven't heard anything from us on the classification, then you can start using license exception ENC under the authorization that you requested. Once you have a completed classification request, and we've issued the classification request, a new classification is only required if you make changes to the encryption functionality of the product. So you can make other changes to the product. You can change the name of the product. You can make other changes that don't affect the encryption, and you don't need to come in for a new classification request for that. You only need to come in for a new classification request as soon as you start making changes to the encryption functionality of the product.

 

And the last thing that I'll talk about, then, is the reporting requirements. Now under the license exception ENC in mass market there's two types of reporting requirements. The first is the semiannual sales report, and that's required for the (b)(2) items and the (b)(3)(iii) items, the forensic and packet inspection network analysis products. Those require a semiannual sales report. You have to basically report each transaction that you made under those provisions. The reporting for the semiannual sales report is only required for exports from the U.S. and for re-exports from Canada. So re-exports from other countries don't require any reporting, only exports from the U.S. and from Canada.

 

There's a few exceptions to the reporting requirements also, which you can see in 740.17(e). And for this report, the semiannual sales report, there's no specific formatting requirements that are required by the regulations. As long as you provide the information that it asks for you can put it in whatever format works for you.

 

The other type of reporting is the annual self-classification report. And self-classification is a little bit of a misnomer. It's not really just for products that you self-classified, it's required for all (b)(1) items that you exported under your own encryption registration number. And it's not a transaction report, it's just a report that lists the products that you have been exporting under Paragraph (b)(1). And that report has specific format requirements. It has to be in a CSV format with six specific data fields. And all the details for that are in Supplement 8 to Part 742 of the EAR. And then the last thing I'll note is that, as you can see, there's no reporting required for any of the (b)(3) items except for the (b)(3)(iii) items. But the other (b)(3) items don't have any reporting requirements that are associated with them. And with that, I'll turn it over to Randy.

 

Thank you. We have two quick topics to cover before we start taking questions and answers. The first topic is encryption licenses and encryption licensing arrangements. Now as we've heard from Anita and Aaron, a lot of products, a lot of transactions are eligible for either decontrol under mass market or for license exception ENC. So what we're left with, for licensing purposes, are those restricted (b)(2) products that are being exported to government end users, for the most part in non-Supplement 3 countries.

 

We also have encryption licensing for encryption technology for the development and manufacture of encryption products abroad and, of course, there would be licensing required for exports to the embargoed countries. Those licenses, our division doesn't handle. They are handled by the foreign policy division. As a general matter, our approval rate for export licensing is very high. There are very few end users or destinations that are problematic. In fact, the licensing is more for making sure we know what is going where, as opposed to trying to control it from going there. So, generally, we have a very high approval rate for our export licensing.

 

Now, as we heard from Aaron, the license exception ENC authorization is generally to non-government end users, so the licenses are required for government end users. And we do have a definition of government end user in the regulations in Section 772.1. As a general chapeau, the definition would encompass any foreign central, regional, or local government departmental agency or other entity performing governmental functions, including research institutes, and also companies that are owned by the government that manufacture products on the Wassenaar Munitions List.

 

Our definition of government end user does have a number of exclusions. It wouldn't be an encryption provision if it didn't have several layers. And the exclusions include utilities, including telecommunications and internet service providers; banks, financial institutions; transportation entities such as government-owned airlines, or government-owned railroads, government-owned entertainment organizations; educational organizations. But this exclusion does not include research institutions or public schools and universities. And finally, the last exclusion is for civil health and medical organizations.

 

So none of those are considered to be government end users, and people, exporters do have problems often, with trying to determine under this definition whether a particular foreign entity would or would not be considered a government end user under the definition. We do consider it our responsibility to make that determination, so if there's a question about an entity, please feel free to e-mail us with whatever information you have, or a website, and we'll look at it and try to decide whether we would consider it a government end user or not.

 

If there simply isn't enough information to make the determination, we would default to determining that it is a government end user. But in many situations we can provide our written determination that an entity is not considered a government end user under this definition; therefore the transaction would be eligible for license exception ENC.

 

Now because we have a large quantity of export licensing for encryption products, although we do offer the normal individual validated license, which is for a specified quantity of products to a specific end user, we also have a vehicle called an "Encryption Licensing Arrangement," which is mentioned in the regulations but isn't really discussed very thoroughly, and has sort of grown up on its own as a practical matter as opposed to a regulatory vehicle. An Encryption Licensing Arrangement is available for unlimited quantities of products, may include a long list of products, and may be for a range of end users as well.

 

Generally speaking, the Encryption Licensing Arrangements are for a four-year validity period, and over time we have developed two different kinds of encryption licensing arrangements. We've divided government end users into two different lists, less sensitive and more sensitive. For the less sensitive government end users we offer what we refer to as "Worldwide ELAs." They do not include authorization to the embargoed countries but to all other destinations. And this is one license that we issue for all of these destinations. The licenses, as issued, have various end users and in various countries. That's how the license reads. And for those Encryption Licensing Arrangements, the condition is usually a semiannual sales report, which is, as we know, very similar to what is available for non-government end users for (b)(2) products under license exception ENC. So the difference between a worldwide Encryption Licensing Arrangement and licensing exception ENC authorization is very small.

 

We also have a list of more sensitive government end users. And to date, we've only been able to issue these for one country at a time. So we also refer to these as "Single-country ELAs." The condition on these authorizations is generally a 15-day pre-shipment notification. The notification is submitted by e-mail to both BIS and to NSA, and it doesn't mean that we all come back and say, "No, you can't ship the product." The notification is also there. It's simply a notification to say we're sending this product to this end user in this country.

So the two handouts that -- two of the handouts that were included with the materials include these lists of less sensitive and more sensitive government end users. And, to date, we have been able to place any government end user that we have run across in one of these lists. There may be a time when I can't say that, but, to date, we've been able to find a paragraph to put every government end user that we have identified. And we encourage the use of the ELAs, both to save time for exporters and to save time for us with processing license applications.

 

The last topic that I'll touch on for purposes of this webinar is publicly available encryption software. Anita mentioned publicly available encryption items as not being subject to the Category 5 Part 2 controls. In fact, we do retain jurisdiction for encryption source code. It does remain classified under ECCN 5D002, even if it is publicly available. And the statement of this retention of jurisdiction is set forth in Section 734.3 of the regulations.

This does not apply to publicly available encryption technology. Technology can be made available and published, and it is not subject to the EAR. But source code is, to date, still subject. However, it is not restricted and can be exported under licensing exception TSU, or Technology and Software Unrestricted, after a notification is submitted by e-mail to BIS and to the National Security Agency. That notification states where the source code is posted on the Internet, or the notification can be a copy of the source code that's posted.

 

Object code that's compiled from source code and made eligible for license exception TSU, and that also meets the publicly available criteria set forth in Section 734 becomes not subject to the regulations. And publicly available mass market encryption software is no longer subject to the EAR. But I included this slide because in order for a mass market encryption software to be publicly available and not subject to the EAR, the process for making it mass market to begin with has to be followed. So the process is to submit an encryption registration and to self classify the mass market software, and then to make it publicly available so it is no longer subject to the regulation.

 

Source: https://bis.doc.gov/index.php/documents/pdfs/1441-encryption-webinar-transcript-2861771-introduction-to-encryption-export-controls/file