Download
encryption export controls n.
Skip this Video
Loading SlideShow in 5 Seconds..
Encryption Export Controls PowerPoint Presentation
Download Presentation
Encryption Export Controls

Encryption Export Controls

316 Vues Download Presentation
Télécharger la présentation

Encryption Export Controls

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Encryption Export Controls Michael Pender U.S. Department of Commerce December 14, 2011

  2. Overview • What are encryption items that require authorization to export? • When is authorization required for exporting encryption items? • What kinds of export authorization are available? • How to apply for authorization to export an encryption item • Differences between a “review request” and a ‘notification’ • Differences between ‘restricted’, ‘unrestricted’ and “mass market” encryption items

  3. What is subject to the EAR? • Any item exported from the United States • Reexports of U.S. origin items • Foreign-made products incorporating greater than de minimis U.S. controlled content • Certain foreign-made direct product of U.S. technology

  4. What are Encryption Items that require authorization to export?

  5. NOT encryption item under EAR • Remote access to a system • Encrypted data • Music/video/multimedia (we control the software and equipment that encrypts/decrypts, not the content) • Compression • Coding techniques for reliable transmission (e.g. CDMA, parity bits) • Medical devices

  6. Not Encryption items: Note 4 • Note 4 adopted by Wassenaar • Encryption used for “primary function” that is NOT computing, networking, communications, information security • Examples: • Piracy and theft prevention for software, music, etc. • Household utilities and appliances • Printing, reproduction, imaging and video recording or playback—not videoconferencing • Business process modeling and automation (e.g., supply chain management, inventory, scheduling and delivery) • Industrial, manufacturing or mechanical systems (e.g., robotics, heavy equipment, facilities systems such as fire alarm, HVAC) • Automotive, aviation, and other transportation systems

  7. Application of Note 4 • Considerations: • General purpose vs. application specific • “Primary function” of the product • Results in an EAR99 classification or classification under a different category of the control list • Other reasons for decontrol result in classification of 5A992/5D992 (5A002 decontrol notes/ authentication only) • Use of encryption

  8. Encryption Items –- what does it mean again? • Items that are identified in Category 5, Part 2 of the Commerce Control List • Items designed or modified to use cryptography whose primary function is: • “Information security” • Computing • Communications • Networking • Not ‘fixed’ coding or other schemes for ensuring reliable transmission of information that don’t involve hidden or obscured information

  9. When is authorization required for exporting encryption items? • Controlled for EI, NS and AT reasons (Wassenaar): • 5A002 : hardware • 5D002 : software • 5E002 : technology • Controlled for NS and AT reasons (Wassenaar): • 5B002: test equipment • Controlled for AT reasons only (U.S. unilateral): • 5A992 : hardware • 5D992 : software • 5E992 : technology

  10. What kinds of export authorization are available? • License exception TSU – EAR part 740.13 • Used for “publicly available” items • Required ‘notification’ • License exception ENC – EAR part 740.17 • Registration • Self-Classification • Encryption Review • Mass Market Review – EAR part 742.15 • Other license exceptions • TMP – EAR part 740.9 • GOV – EAR part 740.11 • BAG – EAR part 740.14

  11. License Exception TSU • The source code must be available to the general public • available at no charge or • available at a charge that does not exceed the cost of reproduction and distribution • no limitations on further distribution • Required notifications • Described in 740.13(e) • email to crypt @bis.doc.gov and enc@nsa.gov

  12. License Exception ENC • License Exception ENC • ‘restricted’ items (740.17(b)(2)) • ‘unrestricted’ items (740.17(b)(3)) • “self-classifiable” items (740.17(b)(1)) • Terms like ‘retail’ are not used anymore.

  13. Mass Market Review • Described in EAR part 742.15(b) • Items that are not listed in 740.17(b)(2) or (b)(3)(iii) • Meets the criteria in Note 3 to Category 5, part II • Generally available to the public by being sold, without restriction, from stock at retail selling points… • The cryptographic functionality cannot be easily changed by the user; • Designed for installation without further substantial support by the supplier; and • When necessary, details are available…

  14. Classification/self-classification • Classification by BIS/NSA Required • “Restricted” and “unrestricted” items under ENC and listed mass market items (740.17(b)(2)/(b)(3) and 742.15(b)(3)) • Self-classification Permitted • “Other” items (740.17(b)(1) and 742.15(b)(1)

  15. Registration Requirements • Company registration required for 5A002/5D002/E002 items and mass market items • One registration per company, not per product • Exporters may rely on manufacturer’s registration/product classification…but BIS won’t provide that information

  16. Annual Report of Exported Products (“Supplement 8 Report”) • All “other” (740.17 (b)(1) and 742.15 (b)(1)items • Submitted by email to NSA and BIS • Submitted in .cvs (comma separated values) format • Six specified data fields: name of product, model number, manufacturer, ECCN, ENC or mass market, item type (of 49 listed)

  17. What happens when a License Exception is not available? • Individual validated licenses (IVLs) • Specific transactions involving identified parties receiving specific goods and for a specific purpose • Typically have a 2 year validity period • Encryption Licensing Arrangements (ELAs) • Generally involves unlimited sales of specific goods to government end users in a certain country or group of countries • Typically have a 4 year validity period • No License Required (NLR) transactions • Sometimes a license is still required…

  18. Encryption Licensing Arrangements (ELAs) • Broad authorization for exports not eligible for License Exception ENC (most “restricted” items to government end users in non- “ENC favorable treatment” countries) • “Less sensitive” government end users - “worldwide” ELAs • “More sensitive” government end users – “single country” ELAs • 4-year validity • Semi-annual sales reporting

  19. NLR items • May include self-classified items • 5A992, 5D992, 5E992 • No License Required (NLR) • Controlled to AT countries: Cuba, Sudan, Syria, North Korea and Iran • No review by BIS is required

  20. Additional Information • BIS encryption web site:www.bis.doc.gov/encryption • EAR on the web: • www.access.gpo.gov/bis/ear_data.html • Specific questions: • Information Technology Controls Division • (202) 482-0707