Problems Remain with New Rules Liberalizing Export of Software Products Incorporating Encryption Functionality

The Clinton administration released new regulations on January 14, 2000 governing the export of software products incorporating encryption functionality.2 Although these rules are a major step forward, contrary to the generally favorable press the Administration's action received from mainstream media, the changes to the Export Administration Regulations ("EAR") do not decontrol even widely available encryption technology and remain enormously complicated to apply. Companies whose products provide so-called "strong" encryption technology (i.e., above 64 bit) may be disappointed to learn that in most cases they are still required to obtain either a special export license or at minimum submit their product to technical review and classification by the seemingly Orwellian, Bureau of Export Administration ("BXA"). Many products will also require exporters to make post-export reports to the Government.

The good news is that most "strong" encryption software will be exportable under a license exception to the EAR after technical review and classification by the BXA. However, most software developers and manufacturers will find these rules difficult to understand and complex to apply without the assistance of counsel experienced in handling export control issues. One organization on the vanguard of this issue, the Center for Democracy and Technology, recognized the obvious when it observed that the new regulations "may prove daunting to many individuals and . businesses." This complexity is driven in no small part by the tendency of the rules to define seemingly well-understood terms like "publicly available" and "retail encryption software" in lengthy and convoluted terminology. The detailed nature of the rules requires counsel and business people to undertake a potentially complex pre-export factual investigation and legal analysis of their products. Although the Department of Commerce offers a useful export counseling service to assist exporters, few business people will have the patience or ability to figure out these regulations or the inclination to handle follow-up reporting requirements. Those chores will likely fall to lawyers and foreign export technology specialists.

The chief difficulty with the rules is that many products with well-known encryption technology remain subject to extensive regulatory control. There can be no doubt that this fact continues to significantly disadvantage U.S. software companies that manufacture application software that provides state of the art encryption functionality. The BXA review and classification procedure that will apply in most cases is something most software companies must plan for in connection with all product launches, especially if they intend to make their products available to customers or users via the Internet. This 30 day BXA review process is designed to determine whether a product is entitled to a license exception. Unfortunately, exporters can gain little advance insight from BXA concerning those "strong" encryption technologies which already qualify for an export license exception because, "the BXA does not provide a list of products that have received license exception eligibility."3

Despite these cumbersome administrative controls and remaining legal uncertainty there can be no doubt that the new regulations are a vast improvement over the old regime. The highlights of this liberalization of the EAR allow:

• free export (i.e., decontrol) of most encryption products with less than 64 bits

• export of most "retail" products subject to BXA review, classification and reporting

• export of non-retail products subject to BXA review, classification and reporting

• export of non-proprietary source code after notice to BXA

• some export of so-called "enabling" encryption technology in which the user is not given access to the underlying source code or the ability to modify the encryption capability of the product 4

Still, the new rules evince a continuing "encryption non-proliferation" attitude by the Government, even when dealing with technology that is already widely available both domestically or abroad. The intimidating complexity of the new rules and the ever-present threat of significant sanctions serve this policy approach well. Despite the Government's hyper-technical approach, most businesses should recognize that the revised rules do in fact provide a useful exception for non-proprietary source code or products which were developed using such code. This exception allows the export of encryption technology under certain licensing exceptions requiring only written (or electronic) notice to the BXA (along with access to the source code which enables the encryption functionality of their product) simultaneously with their "export."5 Section 740.17(a)(5)(i).

To take advantage of the exception a commercial encryption product must have been: (1) developed using source code defined as "publicly available" under section 734.3(b)(3) of the EAR, and (2) subject of an express licensing, royalty or sales agreement. Generally speaking, this will allow the export of such products if the encryption methodology has been published, the source code is freely available (such as through anonymous Internet download) or the methodology is the subject of an "open" patent application. If the exception can be satisfied, you are free to export and give notice to the BXA. Note that this does require you to provide written (or electronic) notice to the BXA with either a link to the source code or a copy of the enabling code. This notice can apparently be given simultaneously with a company's commencement of its first exporting activity. The benefit of the exception is that a product avoids BXA technical review and classification prior to export, and is also free from post-export reporting requirements, that will continue to apply to most products. All other "strong" encryption products require at minimum review and classification by BXA. 6

The exception is in contrast to the rule governing products with encryption functionality developed using proprietary or non-publicly available code. Section 740.17(a)(5)(ii). Such products require review and classification by BXA prior to export. Similar treatment is mandated for those products which permit users to manipulate the cryptographic features of an application (i.e., a so-called "open cryptographic interface"). See section 740.17(f)). Software companies will frequently face difficulty separating and documenting the exceptional case from those which require BXA review and classification in many circumstances. This analysis and the documentation associated with the process should involve input from experienced counsel and a disciplined risk management approach designed to document the export decision. 7

ENDNOTES:

1. Mr. Morehous is the Chair of Thelen Reid's Technology and Intellectual Property Department. He handles a variety of matters involving technology and Internet legal issues, and also advises software and high-technology clients concerning export control issues. He can be reached at dmorehous@thelenreid.com.

2. The new regulations were issued as "interim final rules." The rules became immediately effective upon publication. The Administration's filing amends parts 734, 740, 770, 772 and 774 of the EAR. See 65 Federal Register 2492-2502 (No. 10), January 14, 2000. All references in this article are to Title 15 of the Code of Federal Regulations. The rules are subject to a public comment period which expires on May 15, 2000. The author is coordinating comments to the Department of Commerce and welcomes input from industry and legal sources.

3. See, e.g., www.bxa.doc.gov/Encryption/guidance.htm. The Office of Strategic Trade and Foreign Policy Controls purports to justify this practice by citing confidentiality provisions of the Export Administration Act. Nonetheless, while it is fairly easy to maintain the confidentiality of those specific products which have qualified for license exceptions, there is little justification for the Government's continuing failure to clearly identify those published encryption techniques and methodologies that the Government now agrees may be exported freely. This is especially true in the case of those methodologies which have been widely incorporated into proprietary commercially available software products.

4. Readers should be careful to note that this appears to be the evolving administrative practice at the Department of Commerce. The rules and administration's filing commentary do not affirmatively provide such clear cut authority or guidance.

5. By the way, don't make the mistake of concluding that merely because you are posting software on a web site you are not engaged in "exporting." You most definitely are in the Government's view of things. Section 734(b)(2)(ii).

6. The "Retail" exception is set forth in section 740.17(a)(3). Unlike the exception under section 740.17(a) for products developed using non-proprietary code, the retail exception requires exporters to make fine factual judgments about the technical capabilities of their products and users. See section 740.17(a)(3)(ii).

7. Exporters should also continue to recognize continuing requirements and restrictions on exports and re-exports to governmental end-users and "terrorist" nations. There are also technical reporting requirements for some foreign developed encryption technology.