In a well-received “spring cleaning,” the U.S. Department of Commerce’s Bureau of Industry & Security (BIS) has decluttered the thicket of regulations governing the export of encryption software and hardware. Among the changes, a Final Rule effective March 29, 2021: (1) eliminates the e-mail notification requirement for certain “publicly available” encryption source code and beta test encryption software; (2) eliminates self-classification e-mail reporting requirements for many “mass market” encryption products; and (3) permits self-classification reporting for some mass market products that previously required a commodity classification request.
No More Open Source or Beta Software Reporting
The new rule reflects a subtle but important win for free speech. Previously, the Export Administration Regulations (EAR) required a publisher of “encryption source code” to e-mail BIS and the National Security Agency (NSA) the URL where the source code was made available before the source code could be placed outside of the jurisdiction of the EAR. “Encryption source code” is broadly defined to include source code that incorporates, includes, calls, or uses encryption functionality, even if the encryption itself is provided by a third-party (or even open-source) library or tool. This e-mail report was colloquially known as the TSU (Technology and Software — Unrestricted) or “open source” report, even though the regulatory language had been moved from the TSU section of the EAR to another section. Constitutionally suspect as an infringement on free speech, the reporting obligation was often overlooked (particularly by individual source code publishers, startups, and smaller companies) and burdened publishers to resubmit the e-mail report upon relocating source code from one URL to another.
Under the new rule, publishers are no longer required to report the URL to BIS or NSA for the source code to be exempted from the EAR, unless the source code implements “non-standard cryptography” — a narrow category that includes only proprietary or unpublished cryptographic functionality, such as encryption algorithms or protocols that have not been adopted or approved by a duly recognized international standards body and have not otherwise been published. As an example, open-source code that makes calls to closed-source proprietary encryption tools would remain subject to the revised e-mail reporting obligation.
The new rule also eliminates e-mail reporting obligations in connection with certain beta test software. License Exception TMP (Temporary Imports, Exports, Reexports, and Transfers) previously authorized exports of beta test software, subject to various conditions, but required e-mail notification of technical information to BIS and NSA by the time of the export for the license exception to be available. Under the Final Rule, that e-mail notification is no longer required for the license exception unless the beta test software provides or performs non-standard cryptography (as defined above).
No More Self-Reporting for Most Mass Market Items
In another significant change, the rule eliminates the self-classification reporting requirement for most “mass market” encryption products — a broad category of encryption items classified under Export Control Classification Numbers (ECCNs) 5A992 (hardware) and 5D992 (software) that are generally available and of wide interest to the public, designed for installation by the user without further substantial support by the supplier, and contain cryptographic functionality that cannot be easily changed by the user. This category of encryption items includes everything from smart phones and tablets to mobile applications published on app stores. Such mass market items that do not require a self-classification report are also released from “EI” and “NS” controls and controlled under ECCNs 5A992.c or 5D992.c.
Self-classification reports are still required for mass market encryption “components” and their “executable software” (see below), while mass market products that implement non-standard cryptography will still require submission of a commodity classification request.
Classification Request Not Required for Certain Mass Market Items
The new rule further declutters the encryption regulations by authorizing companies to file self-classification reports for certain mass market encryption “components” (e.g., chips, chipsets, electronic assemblies, and field programmable logic devices) and their “executable software,” rather than requiring submission of commodity classification requests for such items. BIS clarified that “executable software” does not include complete binary images of software running on an end-item and that most cryptographic libraries and modules will remain subject to the commodity classification request filing requirement, because they do not meet the threshold “mass market” criteria.
The rule also implements other changes to certain categories on the Commerce Control List, affecting nearly two dozen technical changes to various ECCNs.