E-commerce: U.S. Enforces Encryption Export Rules
On February 21, 2002, the Bureau of Export Administration (“BXA”) of the U.S. Department of Commerce imposed a $95,000 civil penalty on Neopoint, Inc., for illegal exports of encryption technology to South Korea. The action underscores the Bush Administration’s commitment to national security aspects of technology policy. In this heightened period of security, companies should make certain that they are in compliance with current U.S. law on the export of encryption technology.
On October 19, 2000, the Bureau of Export Administration announced revisions to the encryption export rules intended to streamline the export and re-export of encryption products to the 15 members of the European Union (“EU”) and 8 U.S. trading partners (“EU+8”). 15 C.F.R. Parts 732, 740, 742, 744, 748, 770, 772 and 774 (2000). The new rules were designed to mirror the EU’s recent liberalization of export rules for encryption products and ensure the competitiveness of U.S. companies in international markets.
Under current law, U.S. companies can export most encryption products under a license exception to any end-user in the EU+8 as well as worldwide offices of firms and organizations with headquarters in those countries. Previously, U.S. companies were allowed to export “retail” encryption products to any country except for those countries labeled terrorist. However, U.S. companies were required to get a license before exporting “non-retail” encryption products. Now, U.S. companies can export the products immediately after submitting a commodity classification request to the BXA. Companies no longer have to wait for the 30-day review to be completed. The revisions also changed the treatment of products incorporating short-range wireless technologies, open cryptographic interfaces, beta test software, encryption source code and U.S. content requirements. In addition, current regulations allow exporters to self-classify unilaterally controlled encryption products that fall under Export Control Classification Numbers (“ECCN”) 5A992, 5D992 and 5E992. Although the rules were streamlined, enforcement activity has increased. Exports by U.S. companies to the terrorist-supporting states are still banned.
Important Aspects of Current Regulations
De Minimis U.S. Content. Software controlled under ECCN 5D002, which is eligible for export under the “retail” or “source code” provisions of the license exception ENC, and parts and components under ECCN 5A002, may be eligible for de-minimis treatment after (1) review and (2) classification by the BXA. As such, certain U.S. origin encryption items incorporated into foreign products may qualify for de-minimis treatment. Exporters applying for de-minimis eligibility must submit a classification request and explain why the component qualifies for de-minimis treatment.
Temporary Imports, Exports & Re-exports (collectively, “TMP”). TMP includes encryption software controlled for “EI” reasons under ECCN 5D002 to be allowed under the beta test provisions of the license exception TMP. At the time of export, the U.S. company must provide the BXA and the ENC Encryption Request Coordinator with the information delineated in Supplement 6 to Part 742 of the regulation. Any final resulting product will require review and classification. In addition, names and addresses of the testers, except for individual consumers, and the name and version of beta software must be reported every six months. Note that encryption software falling under ECCN 5D992 is suitable for beta test provisions.
Technology and Software Unrestricted (TSU). Object code compiled from source code eligible for License Exception TSU can be exported globally under License Exception TSU if the requirements of Section 740.13 are met and no fee is required for object code. Object code, for which there is a fee, can be exported under Section 740.17(b)(4)(i) using License Exception ENC to any end-user without review or classification. The exporter must submit written notification of the Internet location or a copy of the source code to BXA and the ENC Encryption Request Coordinator. Exporters are encouraged to notify the BXA electronically at [email protected].
Encryption Commodities and Software (ENC). Encryption items, except for cryptanalytic products (as specified in ECCN 5A002.a.2) and software and technology related to these cryptanalytic products, can be exported immediately to the EU+8 under License Exception ENC. The exporter must submit a completed classification request to the BXA by the time of export. Exports and re-exports of encryption items for internal use to foreign subsidiaries or offices of firms, organizations and governments headquartered in Canada or in any of the EU+8 are eligible under this provision.
Encryption Items to U.S. Subsidiaries. Foreign nationals, except those from the T-7 nations, who may not be permanent employees and are working for U.S. companies, are eligible to receive technology controlled under ECCN 5E002 in the U.S. under License Exception ENC.
Encryption Commodities and Software. Any encryption commodity, general purpose toolkit, software and component, can be exported or re-exported to individuals, commercial firms or non-government end-users located outside the EU+8 under License Exception ENC, after review and classification by the BXA under ECCN 5A002 and 5D002. Note that internet and telecommunication service providers may use encryption products for internal use and to provide services under License Exception ENC.
Retail Encryption Commodities. Under the License Exception ENC, items which are controlled only because they contain components providing encryption functionality, which is limited to short-range wireless encryption, can be exported without prior review, classification or reporting. In addition, U.S. companies can now export and re-export finance-specific encryption products and 56-bit products with key exchange mechanism greater than 512 bits and up to and including 1024 bits immediately after submitting a classification request to BXA. Finally, the definition of “retail” now includes anticipated sales.
Commercial Encryption Source Code. Object code derived from source code that would be considered publicly available and eligible for export under License Exception TSU and ENC, can also be exported and re-exported under License Exception ENC if the requirements of Section 740.17(b)(4)(1) are met. Exporters must submit written notification of the Internet location or a copy of the source code to the BXA and the ENC Encryption Request Coordinator by the time of export. Additionally, commercial encryption source code, which would not be considered publicly available, may now be exported or re-exported to any non-government end-user immediately after submitting a completed classification request.
Cryptographic Interfaces. U.S. companies can now immediately export and re-export encryption commodities, software and components which provide an open cryptographic interface to any end-user located in the EU+8 under License Exception ENC. Exports and re-exports to other countries, except to U.S. subsidiaries for internal use, require a license. Also, encryption products that enable foreign products to operate with U.S. products can be exported to any eligible end-user under the License Exception ENC. BXA does not have to review the enabled foreign product, but limited reporting is required.
Reporting Requirements. The new rules eliminate reporting requirements for consumer products incorporating short-range wireless encryption, client Internet appliances and wireless LAN cards, and retail operating systems or desktop applications designed for, bundled with or preloaded on single CPU computers, laptops or handheld devices. Additionally, the regulation abolishes reporting requirements for foreign products developed by compiling source code. Further, when exporting technology to the EU+8, semi-annual reports must include (1) the name and address of the manufacturer using the technology to develop products for sale and (2) a non-proprietary technical description of the product. Finally, U.S. companies no longer need to report exports to Internet and telecommunications service providers.
Eligibility for License Exception ENC. U.S. companies should submit a commodity classification request (Form BXA-748P) along with supporting documents to BXA in accordance with Section 748.3(b) and Supplement 6 to Part 742 of the regulation to initiate a review and classification of encryption items. Also, exporters should write “License Exception ENC” in Block 9: Special Purpose of the request form. Further, a copy of the request and supporting documents should be sent to the ENC Encryption Request Coordinator.
Grandfathering. A grandfathering clause in the revised regulation allows companies to export most encryption products previously reviewed under a License, Encryption License Arrangement or classified under License Exception ENC to any end-user in the EU+8 and any non-government end-user outside the EU+8. Additionally, any finance-specific or 56-bit product previously reviewed and classified by BXA can be exported to any end-user without further review.
Key Length Increases. U.S. companies can increase the key lengths of previously classified products and continue to export them without another review. However, no other change in cryptographic functionality is allowed. Products previously classified as ECCN 5A002 or 5D002 can, with any upgrade to the key length used for confidentiality or key exchange algorithms, be exported or re-exported without additional review. Exporters must certify in a letter from a corporate official that the change to the encryption is to the key length used for confidentiality or key exchange algorithms. BXA must get the original certification and a copy must be sent to the ENC Encryption Request Coordinator before export.
Encryption Items. The new rules permit U.S. companies to self-classify items with key length up to and including 56 bits with an asymmetric key exchange algorithm not exceeding 512 bits, mass market encryption commodities and software with key lengths not exceeding 64 bits, and key management products under ECCN 5A992, 5D992 or 5E992. The exporter must submit to BXA and the ENC Encryption Request Coordinator the information described in Supplement 6 to Part 742 of the regulation. After submitting the information, the items may be exported and re-exported “NLR” (No License Required).
For further information contact:
Mark W. Heaphy