Draft Matrix for October 19, 2000 Encryption Regulations – 11/6/00

© 2000 by Roszel C. Thomsen II and Antoinette D. Paytas

Thomsen and Burke LLP

  

1.  Retail and Non-Retail Strong Encryption Products

2.  US Subs and EU & Partners

3.  56/1024 Retail and Beta Test

4.  Weak Encryption Products

5.  Open and Community Source Code

6.  Object Code From Open and Community Source Code

7.  Other Source Code

8.  Terms and Other Information

  

1.  Retail and Non-Retail Strong Encryption Products

| Product | Encryption Bit Length | ECCN / Type | License Exception | End Use / Restrictions | License Requirement | Reporting |
| --- | --- | --- | --- | --- | --- | --- |
| Strong Encryption; “Retail” Commodities, Software, or Components (chips, ICs, some toolkits, some SDKs, some software modules); Note: no open cryptographic interfaces; 740.17(b)(3) | Any key length | 5A002 / 5D002; Retail | ENC | Any end user; Any end use | Taliban controlled Afghanistan, Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria | Yes, if greater than 64-bits unless one of the exemptions applies. Encryption toolkits – include non-proprietary technical description of the products for which the toolkit is being used. |
| Strong Encryption; Non-Retail; Commodities, Software, General Purpose Encryption Toolkits, or Components; Note: no open cryptographic interfaces; 740.17(b)(2) | Any key length | 5A002 / 5D002; Non-Retail | ENC | Any end user except foreign governments; No use by Telco’s/ISP’s for services specific to governments outside EU and Partners | Taliban controlled Afghanistan, Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria, and foreign governments | Yes, if greater than 64-bits unless one of the exemptions applies. Encryption toolkits – include non-proprietary technical description of the products for which the toolkit is being used. |

 

2.  US Subs and EU & Partners

| Product | Encryption Bit Length | ECCN / Type | License Exception | End Use / Restrictions | License Requirement | Reporting |
| --- | --- | --- | --- | --- | --- | --- |
| Strong Encryption; Commodities, Software (including source code), or Technology; Open cryptographic interfaces are permitted in this entry; 740.17(b)(1) | Any key length | 5A002 / 5D002 / 5E002; Internal use | ENC | Exports to U.S. Subsidiaries for Internal use, and Deemed exports to foreign nationals in the U.S. for internal use. All items developed are subject to the EAR. May be exported without review by BXA. | Taliban controlled Afghanistan, Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria, and foreign governments | No reporting for US subs for internal company use or if 64-bits or less |
| Strong Encryption; Commodities, Software, Components, Technology, or Technical Assistance; Open cryptographic interfaces are permitted in this entry; 740.17(a) and 740.17(b)(5)(i) | Any key length | 5A002 / 5D002 / 5E002; EU and Partners | ENC | Any end user; Any end use; Eligible destinations include the EU member countries and strategic trading partners | All other countries | Yes, if greater than 64-bits unless one of the exemptions applies. Encryption toolkits – include non-proprietary technical description of the products for which the toolkit is being used. |

 

3.  56/1024 Retail and Beta Test 

| Product | Encryption Bit Length | ECCN / Type | License Exception | End Use / Restrictions | License Requirement | Reporting |
| --- | --- | --- | --- | --- | --- | --- |
| Weak Encryption; Non Mass-Market; 56-bit Encryption with > 512-bit key exchange; Commodities, Software, or Components; Note: no open cryptographic interfaces; 740.17(b)(3)(v) | ≤ 56-bits encryption and > 512-bits but ≤ 1024-bits for key exchange | 5A002 / 5D002; 56-bit Retail | ENC | Any end user; Any end use; No self-classification | Taliban controlled Afghanistan, Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria | No |
| Strong Encryption; Beta Test; Software for Beta Testing; Note: no open cryptographic interfaces; 740.9(c)(3) | Any key length | 5D002; Beta Test SW | ENC | Any end user; Beta Testing; Must intend to market as mass-market software after Beta testing; Submit technical information prior to export; Final product must be reviewed and classified by BXA. | Taliban controlled Afghanistan, Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria | Yes, report names and addresses. Exception: individual consumers |

 

4.  Weak Encryption Products 

| Product | Encryption Bit Length | ECCN / Type | License Exception | End Use / Restrictions | License Requirement | Reporting |
| --- | --- | --- | --- | --- | --- | --- |
| Weak Encryption; Mass-Market Commodity / Software; Commodities, Software, or Components; Note: no open cryptographic interfaces; 742.15(b)(1) | 64 bits or less encryption | 5A992 / 5D992; Mass-Market; Decontrolled | NLR | Any end user; Any end use; Exporters may self-classify upon submission of technical information to BXA. | Taliban controlled Afghanistan, Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria | No |
| Weak Encryption; 56-bits encryption with 512-bits key exchange; Commodities, Software, Components, and Technology; 742.15(b)(1) | 56-bits or less encryption and 512-bits or less for key exchange | 5A992 / 5D992 / 5E992; Decontrolled | NLR | Any end user; Any end use; Exporters may self-classify upon submission of technical information to BXA. | Taliban controlled Afghanistan, Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria | No |
| Weak Encryption; Commodities / Software – key management products; 742.15(b)(1) | No encryption with 512-bit or less key exchange | 5A992 / 5D992; Decontrolled | NLR | Any end user; Any end use; Exporters may self-classify upon submission of technical information to BXA. | Taliban controlled Afghanistan, Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria | No |
| Weak Encryption; Published Software Source Code; Open cryptographic interfaces are permitted in this entry; 734.7(c) | 64-bits or less encryption and / or 512-bits or less for key exchange | Not Subject to the EAR | NLR | Must be Publicly Available; Free of Charge; Any end user; Any end use | None | No |

 

5.  Open and Community Source Code 

| Product | Encryption Bit Length | ECCN / Type | License Exception | End Use / Restrictions | License Requirement | Reporting |
| --- | --- | --- | --- | --- | --- | --- |
| Strong Encryption; Open Source Code; Open cryptographic interfaces are permitted in this entry; 740.13(e)(1) and 740.17(b)(4)(i) | Any key length | 5D002; Open Source Code; Unrestricted | TSU | Must be publicly available under 734.3(b)(3) and Must not be subject to licensing or royalty; Any end user; Any end use; Notification to BXA | Taliban controlled Afghanistan, Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria | No reporting requirements, just simultaneous notification to BXA. |
| Strong Encryption; Community Source Code; Open cryptographic interfaces are permitted in this entry; 740.17(b)(4)(i) | Any key length | 5D002; Community Source Code | ENC | Must be publicly available under 734.3(b)(3) and; Any end user; Any end use; New products are subject to the EAR (this includes reporting requirements) but do NOT require a one-time BXA review. Foreign products developed by bundling or compiling of source code are not subject to reporting requirements. Notification to BXA | Taliban controlled Afghanistan, Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria | Simultaneous notification to BXA and non-proprietary technical description of the products for which the source code is being (was) used. |

 

6.  Object Code From Open and Community Source Code 

| Product | Encryption Bit Length | ECCN / Type | License Exception | End Use / Restrictions | License Requirement | Reporting |
| --- | --- | --- | --- | --- | --- | --- |
| Strong Encryption; Object Code compiled from Open Source Code or Community Source Code (Publicly available, not subject to a fee or royalty, i.e., Freeware); Note: open cryptographic interfaces are permitted in this entry; 740.13(e)(2) | Any key length | 5D002; Unrestricted | TSU | Any end user; Any end use; No fee or payment permitted | Taliban controlled Afghanistan, Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria | No reporting requirements. |
| Strong Encryption; Object Code compiled from Open Source Code or Community Source Code (Publicly available, but subject to a licensing fee or royalty); Note: no open cryptographic interfaces; 740.17(b)(4)(i) | Any key length | 5D002; Unrestricted | ENC | Any end user; Any end use; One-time review by BXA | Taliban controlled Afghanistan, Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria | Yes, if greater than 64-bits unless one of the exemptions applies. Encryption toolkits – include non-proprietary technical description of the products for which the toolkit is being used. |

                       

 7.  Other Source Code 

| Product | Encryption Bit Length | ECCN / Type | License Exception | End Use / Restrictions | License Requirement | Reporting |
| --- | --- | --- | --- | --- | --- | --- |
| Strong Encryption; Other Source Code; Note: No open cryptographic interfaces when compiled; 740.17(b)(4)(ii) | Any key length | 5D002; Commercial Source Code | ENC | Any end user, except foreign governments; Any end use; New products are subject to the EAR (this includes reporting requirements) but do NOT require a one-time BXA review. Foreign products developed by bundling or compiling of source code are not subject to reporting requirements. Notification to BXA | Taliban controlled Afghanistan, Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria, and foreign governments | Simultaneous notification to BXA and non-proprietary technical description of the products for which the source code is being (was) used. |

 

8.  Terms and Other Information

 Retail Test.

(i) Generally available to the public by means of any of the following:

(A)   Sold in tangible form through retail outlets independent of the manufacturer;

(B)    Specifically designed for individual consumer use and sold or transferred through tangible or intangible means; or

(C)    Which are sold or will be sold in large volume without restriction through mail order transactions, electronic transactions, or telephone call transactions; and

 (ii) Meeting all of the following:

(A)   The cryptographic functionality cannot be easily changed by the user;

(B)    Substantial support is not required for installation and use;

(C)    The cryptographic functionality has not been modified or customized to customer specification; and

(D)    Are not network infrastructure products such as high end routers or switches designed for large volume communications.

 

Reporting Exemptions.  In general, U.S. exporters must file a biannual report including the name and address of the recipient of every cryptographic product (and the end-user, if known) unless one of the following exemptions applies:

(i) any encryption to U.S. subsidiaries for internal company use;

(ii) finance-specific products;

(iii) encryption commodities or software with a symmetric key length not exceeding 64 bits or otherwise classified as qualifying for mass market treatment;

(iv) Retail products exported to individual consumers;

(v) Items exported via free or anonymous download;

(vi) Encryption items from or to a U.S. bank, financial institution or their subsidiaries, affiliates, customers or contractors for banking or financial operations;

(vii) Items which incorporate components limited to providing short-range wireless encryption functions;

(viii) Retail operating systems, or desktop applications (e.g. e-mail, browsers, games, word processing, data base, financial applications or utilities) designed for, bundled with, or pre-loaded on single CPU computers, laptops or hand-held devices; 

(ix) Client Internet appliance and client wireless LAN cards; or

(x) Foreign products developed by bundling or compiling of source code.

 

EU and Partners. Eligible destinations: Austria, Belgium, Denmark, Finland, France, Germany, Greece, Ireland, Italy, Luxembourg, Netherlands, Portugal, Spain, Sweden, United Kingdom, Australia, Czech Republic, Hungary, Japan, New Zealand, Norway, Poland and Switzerland.  These items may also be exported or reexported to any destination for the internal use of foreign subsidiaries or offices of firms, organizations and governments headquartered in Canada or in the countries listed above.

 

Foreign Governments.  For purposes of the US Regulations, the definition of “government” is as follows:

 Government End-user (as applied to encryption items).  A government end-user is (a) any foreign central, regional or local government department, agency, or other entity performing governmental functions; including governmental research institutions, governmental corporations or their separate business units which are engaged in the manufacture or distribution of items or services controlled on the Wassenaar Munitions List, and international governmental organizations;

 

(b) this term does not include the following public entities: utilities (including telecommunications companies and Internet service providers); banks and financial institutions; transportation; broadcast or entertainment; educational organizations; civil health and medical organizations; retail or wholesale firms; and manufacturing or industrial entities not engaged in the manufacture or distribution of items or services controlled on the Wassenaar Munitions List.

 
