Export control laws are federal laws implemented both by the Department of Commerce through its Export Administration Regulations (EAR) and the Department of State through its International Traffic in Arms Regulations (ITAR). They prohibit the unlicensed export of certain materials or information for reasons of national security or the protection of trade. Following the events of September 11, 2001, the export control regulations became more prominent and scrutiny concerning compliance with these regulations has been heightened.
The vast majority of exports do not require a license. Only exports that the U.S. government considers "license controlled" under the EAR and ITAR require licenses. Export controlled transfers usually arise for one or more of the following reasons:
- The nature of the export has actual or potential military applications or involves economic protection issues;
- There are government concerns about the destination country, organization, or individual; and
- There are government concerns about the declared or suspected end use or the end user of the export.
Even if an item appears on one of the lists of controlled technologies, generally there is an exclusion for fundamental research (as long as there are no restrictions on publication of the research or other restrictions on dissemination of the information) or, in some cases, as long as the research or information is made public or is intended to be made public.
When an item is controlled, a license may be required before the technology can be exported. This requirement relates not only to tangible items (such as software), but also to the research results themselves. Further, the term "export" can mean not only technology leaving the United States (including transfer to a U.S. citizen abroad), but also transmitting the technology to an individual other than a U.S. citizen or permanent resident within the United States.
There are certain countries where it is the policy of the United States generally to deny licenses for the transfer of these items. These countries are currently Afghanistan, Armenia, Azerbaijan, Belarus, Cuba, Iran, Iraq, Libya, North Korea, Sudan, Syria, Tajikistan, and Vietnam.
The export regulations define an export as:
- Any oral, written, electronic or visual disclosure, shipment, transfer or transmission outside the United States to anyone, including a U.S. citizen, of any commodity, technology (information, technical data, or assistance) or software.
- Any oral, written, electronic or visual disclosure, transfer or transmission to any person or entity of a controlled commodity, technology or software with an intent to transfer it to a non-U.S. entity or individual, wherever located (including within the United States).
- Any transfer of these items or information to a foreign embassy or affiliate.
There are two agencies that control exports:
- The Department of Commerce through its Export Administration Regulations (EAR), and
- The Department of State (which controls the export of “defense articles and defense services”) under the International Traffic in Arms Regulations (ITAR).
The congressional debate over U.S. encryption policy has evolved from a time when the competing interests diverged widely concerning individual rights to privacy, the global competitiveness of U.S. companies selling encryption products, the promotion of secure electronic commerce, and law enforcement and national security needs to monitor undesirable behavior. The Clinton Administration originally supported the wide use of strong encryption as long as it had a feature called "key recovery" to allow authorized law enforcement agents to access the plaintext in a timely manner by getting access to the decryption key. This raised privacy issues. The Administration also sought to influence what type of products are available domestically by limiting exports, knowing that companies would not sell strong encryption products domestically and weak ones for export. This raised industry concerns about placing U.S. computer hardware and software companies at a competitive disadvantage because they were subject to export restraints.
In December 1996, the Clinton Administration released temporary (two-year) export regulations designed to encourage computer hardware and software manufacturers to develop and implement key recovery technologies. Although there are other factors that affect the strength of an encryption product, the number of binary digits (bits) in the key has been used as the benchmark in this debate. The larger the number of bits, the more difficult it is to break the encryption. Under the interim regulations, companies were allowed to export 56-bit encryption products if they agreed to incorporate key recovery features into the product within the two years. If they already incorporated key recovery into the product, there was no limit on the bit length that could be exported (with some exceptions for banking.) Previously, only 40-bit encryption could be legally exported.
In September 1998, the Clinton Administration announced plans to permanently reduce its restrictions on the use and export of encryption. The policy allowed the export of 56-bit encryption products without requiring provisions for key recovery, after a one-time review, to all users outside of seven "terrorist countries." The policy applied only to U.S. companies in the finance, health care, insurance, and electronic commerce industries. Export of encryption products of any strength was permitted to 42 designated countries if key recovery or access to plaintext was provided to an approved third party. The Administration also supported the FBI's technical support center to help law enforcement in keeping abreast of encryption technologies.
On September 16, 1999, the Administration again announced changes to its encryption policy, making encryption products of any key length, after a technical review, exportable without a license to users in any country except seven "terrorist countries". Exporters must report to the government on where the encryption product is exported, reflecting industry business models and distribution channels. In addition, the President proposed legislation that would ensure that law enforcement agencies maintain their ability to access decryption information stored with third parties, and allow information on techniques used in decryption to be withheld in court. The bill would have authorized $80 million over four years for the FBI Technical Support Center, to serve as a technical resource in responding to the use of encryption by criminals. No Member introduced that legislation.
The regulations implementing the Administration's new encryption export policy were issued by the Department of Commerce's Bureau of Export Administration (BXA) on January 14, 2000. According to the rules, retail encryption commodities and software of any key length can be exported without a license to any non-government end user in any country except the seven state supporters of terrorism, and can be re-exported to anyone (including Internet and telecommunications service providers). Exports previously allowed only for a company's internal use can now be used for communication with other firms, supply chains, and customers. Exports to most government end users still require a license, but, on July 17, 2000, the Administration updated its policy to enable exports without a license to European Union and certain other governments. Exporters must report to BXA where the encryption product is exported, and BXA will determine whether products qualify as retail by reviewing their functionality, sales volume, and distribution methods. While the computer industry was satisfied with these rules, some privacy rights groups argue that ambiguities in the rules make them overly cumbersome for individuals. Because the regulations could be reversed by a future Administration, some still advocate the passage of legislation to codify the changes in U.S. encryption policy. Based on the decrease in congressional activity on the issue, however, these rules may have struck a balance among competing interests regarding U.S. encryption policy.
Fundamental research, as used in the export control regulations, includes basic or applied research in science and/or engineering at an accredited institution of higher learning in the United States where the resulting information, in some cases, is ordinarily published and shared broadly in the scientific community and, in other cases, where the resulting information has been or is about to be published.
Fundamental research is distinguished from research that results in information that is restricted for proprietary reasons or pursuant to specific U.S. government access and dissemination controls. University research will not be deemed to qualify as fundamental research if (1) the university or research institution accepts any restrictions on the publication of the information resulting from the research, other than limited prepublication reviews by research sponsors to prevent inadvertent divulging of proprietary information provided to the researcher by the sponsor or to insure that publication will not compromise patent rights of the sponsor; or (2) the research is federally funded and specific access or dissemination controls regarding the resulting information have been accepted by the university or the researcher.
The EAR and the ITAR approach the issue of publication differently. For the EAR, the requirement is that the information has been, is about to be, or is ordinarily published. The ITAR requirement is that the information has been published.
Information becomes “published” or considered as “ordinarily published” when it is generally accessible to the interested public through a variety of ways. Publication in periodicals, books, print, electronic or any other media available for general distribution to any member of the public or to those that would be interested in the material in a scientific or engineering discipline.
Published or ordinarily published material also include the following: readily available at libraries open to the public; issued patents; and releases at an open conference, meeting, seminar, trade show, or other open gathering. A conference is considered “open” if all technically qualified members of the public are eligible to attend and attendees are permitted to take notes or otherwise make a personal record (but not necessarily a recording) of the proceedings and presentations. In all cases, access to the information must be free or for a fee that does not exceed the cost to produce and distribute the material or hold the conference (including a reasonable profit).
Public domain is the term used for “information that is published and generally accessible or available to the public” through a variety of mechanisms. Publicly available software or technology is that which already is, or will be, published. To fall under this exclusion, there are a number of conditions which demonstrate public availability which are enumerated in the EAR.
- See 15 C.F.R. 774, Supplement 1 (EAR) and 22 C.F.R. 121.1 (ITAR).
- 15 C.F.R. §§730-774 of the Code of Federal Regulations. For a list of controlled technologies, see 15 C.F.R. 774, Supplement I.
- 22 C.F.R. 120-130. For a list of controlled technologies, see 22 C.F.R. 121.1.