Several federal agencies have export control authority, but the primary players are the Treasury Department, which administers trade embargoes, and the Commerce Department, which has jurisdiction over "dual use" items that have both civilian and military uses. Separate State Department export regulations govern articles and services specially designed or adapted for military purposes. Since violations of export regulations may carry severe penalties, it is important to understand and observe all applicable export requirements when providing goods, services, software, or technology to any foreign persons or entities.
Embargoes: Watch Those Internet Addresses
Treasury Department regulations prohibit most U.S. trade with Cuba, Iran, Iraq, Libya, North Korea, and Sudan. Trade with other countries, such as Serbia/Montenegro and Syria, is severely restricted. Accordingly, companies which sell software over the Internet must be careful to screen Internet addresses to avoid fulfilling download requests from embargoed countries. Likewise, companies which accept online orders for items which are then shipped conventionally may not fill orders from embargoed countries. In addition, Treasury Department regulations prohibit trade with parties known to be affiliated with embargoed countries, including the "Specially Designated Nationals" identified by the Treasury Department.
Commerce Controls: Internet Distribution Is "Exporting"
Under the Commerce Department's Export Administration Regulations ("EAR"), an "export" includes "[a]ny release of technology or software subject to the EAR in a foreign country." 15 C.F.R. § 734.2(b)(2). Thus, companies which electronically distribute technology or software to foreign countries must observe the same export restrictions which would apply if the items were shipped conventionally. Export licensing requirements vary widely depending upon the country of destination, the technical capabilities of the exported items, the activities of the end-user, and the intended end-use. Before exporting any technology or software, it is important to "classify" the item to determine whether an export license is needed. In addition, U.S. companies must screen their customers to ensure that they do not export to entities on the "Denied Persons List" or "Entity List".
An "export" may also occur through "[a]ny release of technology or source code subject to the EAR to a foreign national," even if the person is located in the United States. 15 C.F.R. § 734.2(b)(2). This "deemed export" rule does not apply to permanent resident aliens holding "green cards," but may affect foreign employees working in the U.S. under temporary visas. Notably, "object code" is excluded from this rule, meaning that foreign employees in the U.S. may use executable software applications installed on a corporate network, but may need a license to access the corresponding source code or related technical data.
Special Precautions for Electronic Distribution of Commercial Encryption Software
Commercial software and technologies which scramble ("encrypt") text or data for confidentiality are subject to special export controls which include mandatory governmental reviews, licensing requirements, and post-shipment reporting requirements. A different definition of "export" applies to encryption source code and object code software:
For purposes of the EAR, the export of encryption source code and object code software means:
- (A) An actual shipment, transfer, or transmission out of the United States. . . ; or
- (B) A transfer of such software in the United States to an embassy or affiliate of a foreign country.
15 C.F.R. § 734.2(b)(9)(i).
Part (A) includes "downloading, or causing the downloading of, such software to locations (including electronic bulletin boards, Internet file transfer protocol, and World Wide Web sites) outside the U.S., or making such software available outside the United States, . . . including transfers from electronic bulletin boards, Internet file transfer protocol and World Wide Web sites, unless the person making the software available takes precautions adequate to prevent unauthorized transfer of such code outside the United States." 15 C.F.R. § 734.2(b)(9)(ii).
Thus, encryption software is "exported" whenever it is electronically conveyed to foreign nationals outside the United States. Significantly, this definition does not cover the distribution of encryption software to foreign nationals in the U.S. This appears to carve out an unusual exception to the "deemed export" rule described above: non-encryption source code is considered to be "exported" when it is disclosed to foreign nationals in the U.S., but, under this definition, encryption source code may be disclosed to the same workers without constituting an "export."
As stated above, companies which distribute encryption software over the Internet are required to take certain "precautions" to avoid unauthorized electronic "exports." The Commerce Department has issued the following precautionary procedures:
- Address screening. The distributor of encryption software must utilize an access control system (either automated or manual) which "checks the address of every system requesting or receiving a transfer and verifies that such systems are located within the United States." Thus, Internet addresses must be examined prior to downloading to ensure that they do not have foreign domain names; if they do, the transaction may require a license.
- Warning notice. The distributor must provide "every requesting or receiving party with notice that the transfer includes or would include cryptographic software subject to export controls under the Export Administration Act, and that anyone receiving such a transfer cannot export the software without a license"; and
- Acknowledgement. "Every party requesting or receiving a transfer of such software must acknowledge affirmatively that he or she understands that the cryptographic software is subject to export controls under the Export Administration Act, and that anyone receiving the transfer cannot export the software without a license."
See 15 C.F.R. § 734.2(b)(9)(ii)(A).
The Commerce Department may authorize alternative safeguards on a case-by-case basis.
Encryption Export Policies Balance E-commerce and Law Enforcement
If a U.S. company plans to distribute encryption software internationally, it must comply with a complex export control regime which seeks to promote electronic commerce while preserving the ability of law enforcement agencies to obtain access to encrypted messages.
Under the current U.S. encryption export regime, which took effect on December 31, 1998, export restrictions depend upon the strength of the encryption algorithm, whether the system is amenable to "key recovery" by authorized governmental agencies, the business of the intended end-user, and the nature of the intended end-use.
Weak encryption. Encryption products which utilize encryption "keys" of 56 bits or less are eligible for export to all non-embargoed countries after a one-time technical review by the Commerce Department. Semi-annual post-export sales reports must be submitted. 15 C.F.R. § 740.17(a)(3). Encryption which is limited to the protection of user passwords is usually exempt from most administrative and licensing requirements.
Key recovery. Encryption products which allow authorized government agencies to unscramble encrypted messages without the knowledge or assistance of the end-user may be exported freely to non-embargoed countries after a one-time technical review. 15 C.F.R. § 740.8. Products which are "recoverable" with the assistance of a network or system administrator may be exported to commercial entities in certain countries under a Government-approved "Encryption Licensing Arrangement." 15 C.F.R. § 742.15(b)(7).
Online merchants. Encryption products designed specifically for electronic commerce are eligible for expanded export authorizations. An "online merchant" means "an entity regularly engaged in lawful commerce that uses means of electronic communications (e.g., the Internet) to conduct commercial transactions." 15 C.F.R. § 772. Qualifying end-users in 45 specified foreign countries may obtain certain encryption software specially designed for online transactions. This authorization is available only for client-server applications such as Secure Sockets Layer ("SSL") applications or other applications designed specifically for electronic commerce. The software may be used only for the purchase or sale of goods or software or related services, including business interactions necessary for ordering, payment, and delivery. Customer-to-customer communications are not authorized. This authorization is available after a one-time technical review, and post-export sales reports must be submitted. 15 C.F.R. § 740.17(b)(3).
Permitted end-uses under this authorization include buying and selling goods and software through an electronic medium, which may involve activities such as the ordering of and payment for goods and services; placing, pricing and receiving orders; obtaining copies of invoices; reviewing shipping schedules; sending notification of shipments or changes in shipping arrangements; and placing reservations and purchasing airline tickets. This authorization allows contract manufacturers to directly access demand and inventory information; direct purchasing from trading partners; approval functions for requisitions which require approval; and online catalogue transactions. However, this authorization does not permit general-purpose messaging, collaborative research, data warehousing, remote computing services, or other electronic telecommunications services. See 63 Fed. Reg. 72156-57 (Dec. 31, 1998).
Other authorized sectors. Encryption software may be exported to certain other favored industry "sectors" subject to limitations defined in the Commerce Department regulations.
Financial-specific applications. Non-recovery encryption products of any key length may be widely exported if they are "restricted by design" to financial applications intended to secure financial communications and transactions. The encryption must be restricted to "specific delineated fields" relating to a financial transaction. 15 C.F.R. § 740.17(a)(1).
Subsidiaries of U.S. companies. General-purpose, non-recovery encryption software of any key length may be exported after a one-time technical review to foreign subsidiaries of U.S. companies in non-embargoed countries. 15 C.F.R. § 740.17(a)(2).
Banks and financial institutions. General-purpose, non-recovery encryption software of any key length may be exported after a one-time technical review to banks and financial institutions, including insurance companies based in the 45 specified foreign countries. Customer-to-institution and institution-to-institution communications are authorized; customer-to-customer communications are not allowed. 15 C.F.R. § 740.17(b)(1).
Health and medical organizations. Non-recovery encryption software of any key length may be exported after a one-time technical review to certain health and medical organizations in the 45 specified foreign countries, for protecting exchanges of health and medical information only. Semi-annual post-export sales reports are required. 15 C.F.R. § 740.17(b)(2).
The Internet makes it easier than ever for U.S. companies to expand into foreign markets by taking orders and distributing software and technology electronically. Such transactions may constitute "exports" for purposes of U.S. export controls. Although different definitions and regulatory requirements apply to encryption and non-encryption items, Internet businesses should always ensure that all international transactions are properly authorized.
This article first appeared in Global eCommerce Law and Business Report, World Trade Executive, Inc., June 1999, Vol. 1, Number 1