Encryption items NOT Subject to the EAR
There are no EAR obligations associated with the item unless it is exported, reexported, or transferred. These are specially defined terms in the EAR. See Section 734 for guidance on the definition of export, reexport, and transfer.
Certain foreign made items that contain less than a de minimis amount of U.S. origin content are not subject to the EAR. See 734.4 of the EAR.
Publicly Available:
Encryption items that are publicly available as further described below are not subject to the Export Administration Regulation. Sections 734.3(b)(3) and 734.7 define what is publicly available and published. Common examples are free apps posted online or mass market software available as a free download.
Specifically:
1. Mass market encryption object code software that is made "publicly available"
•Once the mass market item is properly classified under the relevant section of 740.17(b)(1) or (b)(3) (after a classification by BIS (5D992.c) or self-classification with self-classification report), if the software is then made "publicly available" it is not subject to the EAR.
•For example, an App made for a smartphone or computer that that meets the Mass Market criteria (as described in Note 3 of Cat. 5 Part 2) that is made available free of charge would be considered "publicly available". In this case you would have to first comply with the mass market requirement under 740.17 (b)(1) or (b)(3) by self-classification as 5D992.c with self-classification report (or submitting classification request to BIS) only once. Then, if the item is made publicly available (e.g., free to download) it would be considered not subject to the EAR anymore.
"Publicly available" encryption source code is not subject to the EAR once the email notification per section 742.15(b) is sent.
•A common example would be open source encryption source code available for free online.
"Publicly available" encryption object code is not subject to the EAR when the corresponding source code is also "publicly available" and has been notified as specified under Part 742.15(b).
Note 1: Notifications made before September 2016 under License Exception TSU (740.13) remain valid under 742.15. A new notification is not required.
Note 2: While open source code itself may be publicly available and not subject to the EAR, an item is not considered publicly available merely because it incorporates or calls to publicly available open source code. Rather, a new item with encryption functionality has been created which would need to be evaluated as a whole under the EAR.
Source: bis.doc.gov/index.php/policy-guidance/encryption/1-encryption-items-not-subject-to-the-ear