Recent Changes in US Crypto Export Rules

On January 7, 2011, the US Government published a final export rule that relaxed export rules on publicly available encryption code. Previously, mass market encryption object code software was subject to US export controls. Under the new rule, issued by the Bureau of Industry and Security (BIS), publicly available, mass market encryption object code software with a symmetric key length greater than 64 bits is no longer subject to the export control rules. Although the change will have only a limited direct impact on Mozilla because our code already falls under the TSU source code exception, the change is good because it simplifies and reduces the number of rules that might restrict distribution of publicly available, mass market encryption object code software outside the US.

BIS reasoned that because there are no regulatory restrictions on making such software publicly available, and because, once it is publicly available, by definition it is available for download by any end user without restriction, removing it from the jurisdiction of the Export Administration Regulations (EAR) will have no effect on export control policy. Such policy is merely clarified and confirmed by this final rule.

This rule change follows the guidance of government and export law attorneys like Dan Minutillo (who also represents Mozilla), who argued in a recent California International Law Journal article that the Government should remove publicly available encryption code from the scope of items subject to the EAR, based on the interpretation of a September 11, 2009 Advisory Opinion by the Director of Information Technology Controls Division, Office of National Security and Technology Transfer Controls, US Government. It seems this 2009 Advisory Opinion can be interpreted to relate directly to a Voluntary Self Disclosure filed by Minutillo on behalf of Mozilla regarding the exchange of code that resulted in a “No Violation Letter” from the US government in Mozilla’s favor.

Minutillo’s article takes the September 11, 2009 Advisory Opinion to its logical conclusion, which appears to relate to the January 7, 2011 Final Rule mentioned above. Minutillo’s article states in pertinent part:

“Where does that leave us regarding the [September 11, 2009] Advisory Opinion? Relying on the second and fourth full paragraphs [of the Advisory Opinion] and using the above [meaning early parts of the Minutillo article] analysis, it appears that mass market encryption code, whether open or closed source, and other code which can be downloaded, meeting all the criteria discussed above, should be exportable by download without a violation of the EAR anywhere in the world without an export license, so long as the requisite footprint is kept in machine readable code in the provider’s data base and is not tracked or used for any purpose by the provider without having to rely on the TSU exception. The Advisory Opinion should be clarified to provide that non-encryption software provided for cost should be exportable, subject to the same standards as software without encryption (footprint so no restriction). Moreover, it appears that the United States Government should reconsider why merely collecting an email address and name of a downloader without more should reasonably trigger “knowledge” for purposes of the export regulations”.

One Response to Recent Changes in US Crypto Export Rules

  1. Asa Dotzler says:

    Another win for the whole world. Awesome!

    Every day, I think how lucky I am to get to work on Mozilla, with you, and with all the other amazing Mozillians.

    – A