[Code of Federal Regulations]
[Title 15, Volume 2, Parts 300 to 799]
[Revised as of January 1, 1999]
From the U.S. Government Printing Office via GPO Access
[CITE: 15CFR742.15]

[Page 206-210]

DEPARTMENT OF COMMERCE

PART 742--CONTROL POLICY--CCL BASED CONTROLS--Table of Contents

Sec. 742.15 Encryption items.

Encryption items can be used to maintain the secrecy of information, and thereby may be used by persons abroad to harm national security, foreign policy and law enforcement interests. As the President indicated in E.O. 13026 and in his Memorandum of November 15, 1996, export of encryption software, like export of encryption hardware, is controlled because of this functional capacity to encrypt information on a computer system, and not because of any informational or theoretical value that such software may reflect, contain, or represent, or that its export may convey to others abroad. For this reason, export controls on encryption software are distinguished from controls on other software regulated under the EAR.

(a) Licenses are required for exports and reexports to all destinations, except Canada, for items controlled under ECCNs having an ``EI'' (for ``encryption items'') under the ``Control(s)'' paragraph. Such items include: encryption commodities controlled under ECCN 5A002; encryption software controlled under ECCN 5D002; and encryption technology controlled under ECCN 5E002. (Refer to part 772 of the EAR for the definition of ``encryption items''). For encryption items previously on the U.S. Munitions List and currently authorized for export or reexport under a State Department license, distribution arrangement or any other authority of the State Department, U.S.
persons holding valid USML licenses and other approvals issued by the Department of State prior to December 30, 1996 may ship remaining balances authorized by such licenses or approvals under the authority of the EAR by filing Shippers Export Declarations (SEDs) with District Directors of Customs, citing the provisions of this section effective on December 30, 1996 and the State Department license number. Such shipments shall be in accordance with the terms and conditions, including the expiration date, existing at the time of issuance of the State license. Violations of such authorizations, terms and conditions constitute violations of the EAR. Any reports required for distribution and other types of agreements previously authorized by the Department of State, valid prior to December 30, 1996, should be henceforth submitted to BXA at the following address: Office of Strategic Trade and Foreign Policy Controls, Bureau of Export Administration, Department of Commerce, 14th Street and Pennsylvania Ave., N.W., Room 2705, Washington, D.C. 20230.

(b) Licensing policy. The following licensing policies apply to items identified in paragraph (a) of this section. This section refers you to Supplement No. 4 to this part 742. For purposes of these supplements, ``products'' refers to commodities and software. Except as otherwise noted, applications will be reviewed on a case-by-case basis by BXA, in conjunction with other agencies, to determine whether the export or reexport is consistent with U.S. national security and foreign policy interests.

(1) Certain mass-market encryption commodities and software. (i) Consistent with E.O. 13026 of November 15, 1996 (61 FR 58767), certain encryption software that was transferred from the U.S. Munitions List to the Commerce Control List pursuant to the Presidential Memorandum of November 15, 1996, may be released from EI controls and thereby made eligible for mass market treatment after a technical review.
Further, certain encryption commodities may be released from EI controls and thereby made eligible for mass market treatment after a technical review. To determine eligibility for mass market treatment, exporters must submit a classification request to BXA. 56-bit mass market encryption commodities and software using RC2, RC4, RC5, DES or CAST, and key exchange mechanisms including, but not limited to, symmetric algorithms with the same or double the key length authorized for the confidentiality algorithm, asymmetric algorithms with key space of 512, 768 or up to and including 1024 bits, proprietary key exchange mechanisms, or others, may be eligible for a 7-day review process, and company proprietary commodities and software implementations may be eligible for 15-day processing. Refer to Supplement No. 6 to part 742 and Sec. 748.3(b)(3) of the EAR for additional information. Note that the technical review is for a determination to release encryption commodities and software in object code only unless otherwise specifically requested. Exporters requesting release of the source code should refer to paragraph (b)(3)(v)(E) of Supplement No. 6 to part 742.

(ii) If, after a one-time technical review, BXA determines that the software is released from EI controls, such software is eligible for all provisions of the EAR applicable to other software, such as License Exception TSU for mass-market software. Furthermore, for such software released from EI controls, subsequent bundling, updates, or releases consisting of or incorporating this software may be exported and reexported without a separate one-time technical review, so long as the functional encryption capacity (e.g., algorithm, key modulus) of the originally reviewed mass-market encryption software has not been modified or enhanced.
However, if BXA determines that the software is not released from EI controls, a license is required for export and reexport to all destinations, except Canada, and license applications will be considered on a case-by-case basis.

(iii) If after a technical review, BXA determines that the encryption commodity is released from EI controls, the commodity is eligible for export under License Exception ENC and all provisions of the EAR applicable to other commodities. However, if BXA determines that the commodity is not released from EI controls, and no License Exception applies, a license is required for export and reexport to all destinations, except Canada, and license applications will be considered on a case-by-case basis.

(iv) Mass-market encryption software that has already been classified after a technical review and that has been released from EI controls under the provisions of this paragraph (b)(1) will be permitted for export and reexport under license exception TSU with increases of 56-bits for the confidentiality algorithm, the same or double the key length authorized for the confidentiality algorithm for symmetric algorithms for key exchange mechanisms and with key spaces of 512, 768 or up to and including 1024 bits for asymmetric algorithms for key exchange without an additional technical review, provided that there is no other change in the cryptographic functionality. Exporters must notify BXA in writing of the increase in the key length for the confidentiality algorithm, the asymmetric or symmetric key exchange algorithms, and include the original authorization number issued by BXA and the information identified in paragraphs (a)(2)(iii) through (v) of Supplement No. 6 to part 742 of the EAR (if this information was submitted previously, then only identify the modifications). BXA must receive such notification by March 31, 1999.
(A) The notification should be sent to: Office of Strategic Trade and Foreign Policy Controls, Bureau of Export Administration, Department of Commerce, 14th Street and Pennsylvania Ave., N.W., Room 2705, Washington, D.C. 20230, Attn: Encryption Upgrade

(B) A copy of the certification should be sent to: Attn: ENC Encryption Request Coordinator, P.O. Box 246, Annapolis Junction, MD 20701-0246

(2) Key escrow and key recovery encryption commodities and software. Certain recovery encryption commodities and software of any key length that are classified under ECCNs 5A002 and 5D002 after a technical review are eligible for export and reexport under License Exception KMI. See Sec. 740.8(b)(1) of the EAR for information on additional eligibility requirements.

(3) General purpose encryption commodities and software of any key length for use by banks and financial institutions. (i) Commodities and software that were eligible for License Exception TSU or KMI or have been licensed for export or reexport under an Encryption Licensing Arrangement or a license prior to December 31, 1998, are now eligible for export and reexport under License Exception ENC under the provisions of Sec. 740.17(b)(1) of the EAR.

(ii) For exports and reexports not eligible under a License Exception, exports and reexports of general purpose non-voice encryption commodities and software classified under ECCNs 5A002 and 5D002 of any key length will generally be approved under an Encryption Licensing Arrangement for use by banks and financial institutions (as defined in part 772 of the EAR) in all destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria.
Applications for such commodities and software will receive favorable consideration when the end-use is limited to secure business financial communications or transactions and financial communications/transactions between the bank and/or financial institution and its customers provided that there are no concerns about the country or end-user. No customer to customer communications or transactions are allowed.

(iii) Note that any country or end-user prohibited in the past from receiving encryption commodities and software under a specific Encryption Licensing Arrangement will be reviewed on a case-by-case basis, and may be considered by BXA for eligibility under future Encryption Licensing Arrangement requests.

(iv) Note that distributors, resellers or other entities who are not manufacturers of the encryption commodities and software are permitted to use an existing Encryption Licensing Arrangement for exports and reexports of these products only when Encryption Licensing Arrangement has been granted to the manufacturer and the export and reexport meets the terms and conditions of this paragraph (b)(3).

(v) There are no reporting requirements for exports to banks and financial institutions.

(4) Financial-specific encryption items of any key length. After a one-time technical review via a classification request, financial-specific encryption items of any key length that are restricted by design (e.g. highly field-formatted and validation procedures, and not easily diverted to other end-uses) for financial applications will be permitted for export and reexport under License Exception ENC (see Sec. 740.17(a)(1) of the EAR). No business and marketing plan is required.

(5) Encryption commodities and software of any key length for use by health and medical end-users.
(i) Commodities and software that have been classified after a technical review through a classification request or have been licensed for export under an Encryption Licensing Arrangement or a license are eligible for export and reexport under License Exception ENC to health and medical end-users without an additional technical review, provided that the export or reexport meets all the terms and conditions of that License Exception. See Sec. 740.17 of the EAR. Commodities and software that were eligible for License Exception TSU or KMI or have been licensed for export or reexport under an Encryption Licensing Arrangement or a license prior to December 31, 1998, are now eligible for export and reexport under License Exception ENC under the provisions of Sec. 740.17(b)(2) of the EAR.

(ii) For exports and reexports that are not eligible under License Exception ENC, exports and reexports of encryption commodities and software classified under ECCNs 5A002 and 5D002 of any key length will generally be approved under an Encryption Licensing Arrangement for use by health and medical end-users (as defined in part 772 of the EAR) in all destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria except for non-U.S. biochemical and pharmaceutical manufacturers and non-U.S. military health and medical entities. No customer to customer communications or transactions are allowed.

(iii) Note that any country or end-user prohibited in the past from receiving encryption commodities and software under a specific Encryption Licensing Arrangement will be reviewed on a case-by-case basis, and may be considered by BXA for eligibility under future Encryption Licensing Arrangement requests.
(iv) Note that distributors, resellers or other entities who are not manufacturers of the encryption commodities and software are permitted to use an existing Encryption Licensing Arrangement for exports and reexports of these products only when Encryption Licensing Arrangement has been granted to the manufacturer and the export and reexport meets the terms and conditions of this paragraph (b)(5).

(v) You must submit to BXA the name and address of the end-user.

(6) Encryption commodities and software of any key length for on-line merchants. (i) Commodities and software that were eligible for export to on-line merchants under an Encryption Licensing Arrangement prior to December 31, 1998, are now eligible for export and reexport under License Exception ENC under the provisions of Sec. 740.17(b)(3).

(ii) Exports and reexports of encryption commodities and software classified under ECCNs 5A002 and 5D002 of any key length which are limited to client-server applications (e.g., Secure Socket Layer (SSL) based applications) or applications specially designed for on-line transactions for the purchase or sale of goods and software will be permitted under an Export Licensing Arrangement in all destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria for use by foreign on-line merchants as defined in part 772 of the EAR. End-use is limited to: the purchase or sale of goods and software; and services connected with the purchase or sale of goods and software, including interactions between purchasers and sellers necessary for ordering, payment and delivery of goods and software. No other end-uses or customer to customer communications or transactions are allowed.
(iii) Applications for Encryption Licensing Arrangements for on-line merchants will generally be approved, except for foreign on-line merchants or their separate business units (as defined in part 772 of the EAR) who are engaged in the manufacturing and distribution of items or services controlled on the U.S. Munitions List. Such end-users will be considered on a case-by-case basis.

(iv) Note that any country or end-user prohibited in the past from receiving encryption commodities and software under a specific Encryption Licensing Arrangement will be reviewed on a case-by-case basis, and may be considered by BXA for eligibility under future Encryption Licensing Arrangement requests.

(v) Note that distributors, resellers or other entities who are not manufacturers of the encryption commodities and software are permitted to use an existing Encryption Licensing Arrangement for exports and reexports of these products only when Encryption Licensing Arrangement has been granted to the manufacturer and the export and reexport meets the terms and conditions of this paragraph (b)(6).

(v) You must submit to BXA the name and address of the end-user.

(7) Recoverable encryption commodities and software of any key length for use by commercial entities. (i) Exports and reexports of recoverable encryption commodities and software (as defined in part 772 of the EAR) classified under ECCNs 5A002 and 5D002 of any key length will generally be approved under an Encryption Licensing Arrangement to destinations designated with a ``*'' or ``**'' in Supplement No. 3 to part 740 of the EAR to foreign commercial entities for internal company proprietary use. Such encryption commodities and software will generally be approved for export and reexport to foreign subsidiaries of commercial firms headquartered in countries designated with a ``**'' in Supplement No. 3 to part 740 of the EAR that are located in any destination except Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria.
Exports and reexports to telecommunication and internet service providers is permitted under this policy for internal company proprietary use. Use by service providers to provide service to customers is excluded from this policy, but exports may be possible under a license or an Encryption Licensing Arrangement on a case-by-case basis. This policy of approval excludes those foreign commercial firms or their separate business units (as defined in part 772 of the EAR) engaged in the manufacturing and distribution of items or services controlled by the U.S. Munitions List.

(ii) Note that any country or end-user prohibited in the past from receiving encryption commodities and software under a specific Encryption Licensing Arrangement will be reviewed on a case-by-case basis, and may be considered by BXA for eligibility under future Encryption Licensing Arrangement requests.

(iii) Note that distributors, resellers or other entities who are not manufacturers of the encryption commodities and software are permitted to use an existing Encryption Licensing Arrangement for exports and reexports of these products only when Encryption Licensing Arrangement has been granted to the manufacturer and the export and reexport meets the terms and conditions of this paragraph (b)(7).

(iv) You must submit to BXA the name and address of the end-user.

(8) All other encryption items. (i) Encryption licensing arrangement. Applicants may submit license applications for exports and reexports of certain encryption commodities and software in unlimited quantities for all destinations except Cuba, Iran, Iraq, Libya, North Korea, Syria, and Sudan. Applications will be reviewed on a case-by-case basis. If approved, encryption licensing arrangements may be valid for extended periods as requested by the applicant in block #24 on Form BXA-748P. In addition, the applicant must specify the sales territory and class(es) of end-user(s).
Such licenses may require the license holder to report to BXA certain information such as ECCN, item description, quantity, and end-user name and address.

(ii) Applications for encryption items not authorized under an encryption licensing arrangement. Applications for the export and reexport of all other encryption items will be considered on a case-by-case basis.

(iii) Exports and reexports of encryption commodities and software of any key length to ``strategic partners'' of U.S. companies will receive favorable consideration when the end-use is for the protection of U.S. company proprietary information.

(9) Applications for encryption technology. Applications for the export and reexport of encryption technology will be considered on a case-by-case basis.

(c) Contract sanctity. Contract sanctity provisions are not available for license applications reviewed under this section.

(d) [Reserved]

[61 FR 68580, Dec. 30, 1996, as amended at 63 FR 50522, Sept. 22, 1998; 63 FR 72162, Dec. 31, 1998]