Deciphering EAR’s Encryption Controls


Page 1: Deciphering EAR’s Encryption Controls

#ACIEAR

ACI’s EAR Boot Camp

Deciphering EAR’s Encryption Controls:

Understanding Key Requirements,

Exceptions, and Complicated Changes

Affecting Your Technology

May 23 – 24, 2016

Tweeting about this conference?

Presenters:

Ethan Crooks, Associate General Counsel – Magnetrol International

Julia Sorrentino, Counsel – Raytheon

Leigh Hansson, Partner – Reed Smith LLP

Page 2: Deciphering EAR’s Encryption Controls


Agenda

• Framework of Encryption Controls

• Classification of Encryption Hardware, Software, and Technology

• Licensing Requirements for Encryption Items

• License Exceptions for Encryption Items

• Deemed Exports of Encryption Items

• Review, Registration and Reporting Requirements

• Encryption Export Controls Enforcement

• Encryption Export Controls Resources


Page 3: Deciphering EAR’s Encryption Controls

Framework of US Encryption Export Controls

• Since 1996, most encryption products have been controlled under the Export Administration Regulations (EAR), 15 C.F.R. Parts 730-774, administered by the US Department of Commerce

• Exports possible without license or reporting for many encryption products:

  • Limited encryption functionality

  • Mass market products

  • Weak encryption

  • Based on primary function

• Strictest controls for strong encryption for confidentiality

• License Exception ENC available for many confidentiality encryption items – with registration, classification, and reporting requirements

• Higher controls on technology than on devices or software

• Some encryption specially designed or modified for military use is still controlled under the International Traffic in Arms Regulations (ITAR)

Page 4: Deciphering EAR’s Encryption Controls

Encryption Classification: Overview

• Category 5, Part 2 of the Commerce Control List

• Determining the proper classification of encryption products is essential to determining your obligations, which may include:

  • Encryption Registration Number

  • Classification Request

  • Semi-annual Sales Report

  • Annual Self-classification Report

  • Ability to Use License Exceptions

• Not all items that use encryption are subject to the Category 5, Part 2 controls:

  • Hardware or software specially designed for medical end use

  • Encryption functionality is limited to IP or copyright protections

  • Items meeting the test in Note 4 – the “Primary Purpose Test”

Page 5: Deciphering EAR’s Encryption Controls

FLOWCHART 1: Encryption items NOT subject to Cat 5 Part 2

Decision steps (the Yes/No arrows of the chart):

1. Is the item designed to use cryptography, or does it contain cryptography?
   No → THIS ITEM IS NOT CONTROLLED IN CATEGORY 5, PART 2 OF THE EAR.
   Yes → continue.

2. Is this hardware or software specially designed for medical end use?
   Yes → THIS ITEM IS NOT CONTROLLED IN CATEGORY 5, PART 2 OF THE EAR.
   No → continue.

3. Is the product described by Note 4?
   Yes → THIS ITEM IS NOT CONTROLLED IN CATEGORY 5, PART 2 OF THE EAR.
   No → continue.

4. Is the encryption functionality limited to intellectual property or copyright protection functions?
   Yes → THIS ITEM IS NOT CONTROLLED IN CATEGORY 5, PART 2 OF THE EAR.
   No → THIS ITEM IS CONTROLLED UNDER CATEGORY 5, PART 2 OF THE EAR (PROCEED TO FLOWCHART 2 TO DETERMINE WHETHER YOU CAN SELF-CLASSIFY AND EXPORT).

Page 6: Deciphering EAR’s Encryption Controls


EAR Encryption ECCNs

• EAR99

• 5A992, 5D992, 5E992

• 5A002, 5D002, 5E002

• See Category 5, Part 2 of the Commerce Control List

• Often “trump” other applicable ECCNs for electronic items


Page 7: Deciphering EAR’s Encryption Controls

ECCN EAR99

• EAR99 – lowest level classification in the EAR

• Paths to EAR99 for encryption items:

  • No Encryption: No encryption in the item and no encryption used by, called to, activated, enabled, or supported by the software; or

  • Note 4: Note 4 to Category 5, Part 2 removes an item from encryption controls where

    • its primary function is not one of the Note 4 listed functions, and

    • its cryptographic functionality is limited to supporting that primary function.

• Note: Items may not be EAR99 if controlled elsewhere on the Commerce Control List for other reasons.

Page 8: Deciphering EAR’s Encryption Controls

ECCN 5A992, 5D992, 5E992

• Weak encryption

• Limited encryption functionality

  • Authentication / access controls

  • Digital signatures

  • Banking use and money transactions

  • Fixed compression or encoding – see EAR definitions

  • Unused / disabled encryption functionality

• Mass market

  • Strong encryption but available to the public, sold without restriction

Page 9: Deciphering EAR’s Encryption Controls


ECCN 5A002, 5D002, 5E002

• Hardware, software, and technology using strong encryption for confidentiality purposes

• Not limited encryption functionality

• Not removed from encryption controls by Note 4


Page 10: Deciphering EAR’s Encryption Controls

FLOWCHART 2: Classifying Under Category 5, Part 2

Continued from Flowchart 1: the item is controlled under Category 5, Part 2 of the EAR.

Decision steps (the Yes/No arrows of the chart):

1. Is the item publicly available encryption source code?
   Yes → Self-classify as 5D002. See License Exception TSU (740.13(e)) for notification requirement.
   No → continue.

2. Beta test software?
   Yes → Self-classify as 5D002. See License Exception TMP (740.9(c)) for notification requirement.
   No → continue.

3. Encryption using key length ≤ 56 symmetric / 512 asymmetric / 112 elliptic curve?
   Yes → Self-classify as 5x992 – NLR. No Encryption Registration Number (ERN) required.
   No → continue.

4. Is the item described in the Note under 5A002?
   Yes → Self-classify as 5x992 – NLR. No ERN required.
   No → continue.

5. Is the item limited to authentication only? See Technical Note under 5A002 a.1.
   Yes → Self-classify as 5x992 – NLR. No ERN required.
   No → continue.

6. Does the item meet the criteria for Mass Market? See Note 3 to Cat. 5, Part 2.
   No → ECCN 5x002, where x = A (hardware), B (test equipment), D (software), or E (technology). Use License Exception ENC (740.17):
     • If 740.17(a)(1), (a)(2) or (b)(4) – self-classify as 5x002 / no ERN required
     • If 740.17(b)(1) – self-classify as 5x002 / ERN required
     • If 740.17(b)(2) or (b)(3) – submit 30-day ENC classification request / ERN required
     Other license exceptions available for export of 5x002 include TMP, BAG, GOV, LVS.
   Yes → continue.

7. Encryption using key length ≤ 64 symmetric / 768 asymmetric / 128 elliptic curve?
   Yes → Self-classify as 5x992 – NLR. No ERN required.
   No → ECCN 5x992, where x = A (hardware), B (test equipment), D (software), or E (technology). Use 742.15 of the EAR – Mass Market Encryption:
     • If 742.15(b)(4) – self-classify as 5x992 / no ERN required
     • If 742.15(b)(1) – self-classify as 5x992 / ERN required
     • If 742.15(b)(3) – submit 30-day Mass Market classification request / ERN required

Page 11: Deciphering EAR’s Encryption Controls


Encryption Classification: An Evolving Obligation

• Not a one-time activity

• Changes to security threats and requirements cause companies to continually modify their encryption offerings

• Classification needs to be considered at all stages of product design, modification or enhancement.

• Changes in the use of certain encryption capabilities can subject your product to new reporting requirements.


Page 12: Deciphering EAR’s Encryption Controls

Licensing Requirements for Encryption ECCNs

• EAR99

  • NLR for most destinations

  • License required for North Korea and Syria. Additional government restrictions may apply to other embargoed countries (e.g., Iran and Sudan).

• 5A992, 5D992, 5E992

  • Controlled for AT; typically NLR for most destinations

  • License required for North Korea and Syria. Additional government restrictions may apply to other embargoed countries (e.g., Iran and Sudan).

• 5A002, 5D002, 5E002

  • Controlled for NS, AT, and EI

  • EI – license required for all destinations except Canada

  • License generally required unless a license exception applies

Page 13: Deciphering EAR’s Encryption Controls

EAR Control Basics: What is a License Exception?

• If an export license is required based on the product’s ECCN, destination, end use, and end user, there are two ways to satisfy the license requirement:

  • Obtain a license; or

  • Use an applicable license exception

• A license exception essentially functions like a license that is generally available for use in any transaction that meets all the license exception conditions.

• Need to follow the specific requirements of the license exception.

  • (e.g., generally not authorized for exports to E:1 countries – Iran, N. Korea, Sudan, Syria)

Page 14: Deciphering EAR’s Encryption Controls

License Exceptions for Encryption Items

• ENC – encryption items (740.17)

  • 740.17(a)(1) – development/production only (to companies headquartered in Supp. 3 countries, i.e., Canada, EU, NATO, and other close U.S. allies)

  • 740.17(a)(2) – any internal purpose (e.g., to subsidiary of a US company)

  • 740.17(b)(1) – all encryption items except those in (b)(2) and (b)(3)

  • 740.17(b)(2) – network infrastructure, source code, designed for govt, custom or modifiable crypto, non-standard tech., etc.

  • 740.17(b)(3) – encryption components (e.g., toolkits), non-standard crypto, etc.

  • 740.17(b)(4) – foreign developed with US encryption parts

• TSU – publicly available encryption source code and corresponding object code (740.13(e))

• TMP – temporary exports (exhibits and demos) (740.9(a)(2)(iii))

• TMP – beta testing (740.9(c))

• LVS – $500 for components (not available for systems and equipment) (740.3)

• BAG – personal use (740.14)

Page 15: Deciphering EAR’s Encryption Controls


Deemed Exports of Encryption Items

• ENC generally authorizes the transfer of encryption technology by a company in the United States to its non-U.S. national employees, contractors, or interns in the U.S. (740.17(a)(2))

• ENC would not cover employees of a Romanian firm, for example, working at a U.S. company. These individuals are not considered “employees” of the U.S. company.

• No deemed export rules for transfer of encryption source code to foreign nationals in the United States. Thus, while in the United States, non-U.S. nationals may use any type of encryption source code and object code.

• “Export” for encryption source code and object code software is defined as an “actual shipment, transfer, or transmission out of the United States” (EAR Part 734.2)

• The only deemed export authorization required for encryption relates to encryption technology, and to cases where a U.S. person intends to provide technical assistance to non-U.S. nationals using source code.

• Rare and generally not seen in the ordinary context of product development and design.


Page 16: Deciphering EAR’s Encryption Controls


Encryption Review, Registration, and Reporting Requirements Prior to Exporting under ENC

Mass Market & Items Described under 740.17(b)(1) (most commercial, business, and consumer software applications)

• Encryption Registration Statement (one-time filing)

• Must receive Encryption Registration Number (ERN) from BIS

• ERN authorizes exporting under ENC

• May self-classify

• Must file annual self-classification report with BIS for (b)(1) mass market exports during the calendar year

Items Described under 740.17(b)(2) and (b)(3)

• ERN required

• Must obtain CCATS from BIS (cannot self-classify if you want to use ENC)

• BIS license required for exports to government end-users outside of Supp. No. 3 countries for (b)(2)

• Must file semi-annual sales reports with BIS (only for exports from the United States or re-exports from Canada)

• Reporting also required for (b)(3)(iii)


Page 17: Deciphering EAR’s Encryption Controls


Encryption Export Controls Enforcement

• An Intel subsidiary (Wind River) agreed to pay $750,000 for unauthorized encryption exports in October of 2014

• Case began with a voluntary disclosure to BIS

• Notable as first case involving a penalty for encryption export control violations – prior cases resolved with warning letters

• Between 2008 and 2011, Wind River sold encryption software (5D002 – “ENC Restricted”) to foreign government customers and entities on the BIS Entity List without licenses

• The company disclosed it made 55 exports of operating software valued at $2.9 million to various governments and end-users

• China, Hong Kong, Russia, Israel, South Africa, South Korea


Page 18: Deciphering EAR’s Encryption Controls


Encryption Export Control Resources

• BIS website: http://www.bis.gov/encryption/

• BIS Webinar – Introduction to Encryption Export Controls (http://www.bis.doc.gov/index.php/about-bis/newsroom/export-control-reform-news/8-bis/33-export-control-reform-ecr) – scroll down to find the Encryption Webinar

• EAR: 15 CFR 730-774

• Federal Register notices of encryption-related changes to the EAR:

  • 65 Fed. Reg. 2,492 (Jan. 14, 2000)

  • 65 Fed. Reg. 62,600 (Oct. 19, 2000)

  • 67 Fed. Reg. 38,855 (June 6, 2002)

  • 68 Fed. Reg. 35,783 (June 17, 2003)

  • 69 Fed. Reg. 71,356 (Dec. 9, 2004)

  • 72 Fed. Reg. 70,509 (Dec. 12, 2007)

  • 73 Fed. Reg. 57,495 (Oct. 3, 2008)

  • 75 Fed. Reg. 36,482 (June 25, 2010)

  • 80 Fed. Reg. 28,853 (May 20, 2015) (proposed “surveillance” rule)


Page 19: Deciphering EAR’s Encryption Controls


QUESTIONS
