Complying with Encryption Export Controls
Richard L. Matheny III
Jacob R. Osborn
October 30, 2014
©2014 Goodwin Procter LLP
Roadmap
I. Introduction
II. Encryption Compliance: EAR Framework
III. EAR Jurisdictional Questions
IV. Determining a Product’s ECCN
V. License Exceptions
VI. License Applications
VII. Common Mistakes
VIII. Brief Word on International Encryption Controls
Goodwin Procter LLP
2
Introduction
Why are the Encryption Regulations important?

Export of encryption items is regulated as dual-use by the Commerce Department’s Bureau of Industry & Security (BIS), under the Export Administration Regulations (EAR).
› Why? So that NSA can know who is using what encryption items in order to break communications when the national security requires it.

Nature of the problem:
› Encryption technology and concepts are complicated.
› Despite several rounds of reform, encryption regulations are complicated and scattered across dozens of EAR provisions.
› Encryption itself is EVERYWHERE!
  ▪ Virtually all software contains, enables, leverages, or makes calls to some form of encryption.

The Perfect Storm!
Introduction
Violations are common

Violation of the EAR’s encryption regulations is the single most common violation of the export control laws.
› E.g., inclusion of a public, open-source encryption item in a new enterprise business software product does not readily suggest you are making a “dual use” item controlled for national security reasons. But you are.
› Even well-intentioned companies struggle with compliance.
  ▪ Changes in law
  ▪ Changes in product, types of encryption, how it is used
  ▪ Reporting obligations, etc.

Historically, no penalty for “garden variety” violations.
› But this may be changing….
Introduction
Wind River Systems

Wind River Systems, an Intel subsidiary, was just penalized $750k for unlicensed exports of encryption items between 2008 and 2011.
› Embedded software solutions for security, communications, and operating environments
› 5D002 software, “ENC restricted”
  ▪ 51 exports to foreign “government end-users” in China, Hong Kong, Russia, Israel, South Africa, and South Korea.
  ▪ 4 exports to Entity List entities in China.
› WRS filed a voluntary self-disclosure in 2012.

First-ever fine for a “garden variety” violation of the encryption regulations, i.e., no OFAC-sanctioned country or SDN involved.
Introduction
Why did BIS issue a fine?

“ENC restricted”
› Foreign-government end-users required an individual validated license, which WRS did not obtain.

Entity List end-users were also involved; these also require a license.

Substantial aggregate value, > $3 million

It was an Intel sub! They should know better!

BIS wanted to send a message….

Other reasons not made public?
Introduction
What impact from Wind River Systems case?

Is BIS really bringing down the hammer? Will BIS pursue a broader category of violations than presented in WRS? Does it matter?

Likelihood of greater due-diligence scrutiny in the context of investments, acquisitions, and IPOs.
› No longer evident that “these types of violations” will not be penalized.
  ▪ WRS is distinguishable from most such violations. But will that really matter to investors and underwriters?
› Investors seek indemnity, escrow, etc.
› Diligence more expensive.
› Deals more complicated.
› Remediation and voluntary self-disclosures more common?
Encryption Compliance: EAR Framework
“Dual-Use” Items

EAR controls the export of “dual-use” items, which are items having both commercial and military or proliferation applications.
› This includes items such as lasers and surreptitious listening devices.
› This also includes the broad category of software that enables or leverages encryption functionality.
Encryption Compliance: EAR Framework
Commerce Control List

Controlled items are listed on the “Commerce Control List” (CCL).

One can search the CCL index to find an item’s “Export Control Classification Number” (ECCN).
(Diagram: Controlled Items → ECCNs)
Encryption Compliance: EAR Framework
Export Control Classification Numbers

EAR99 is the ECCN “catch-all” bucket for decontrolled items, but such items are still “subject to the EAR.”
Encryption Compliance: EAR Framework
Controls

After determining the ECCN, one can look up the “reasons for control” that apply to the item:
› AT: Anti-Terrorism
› CB: Chemical & Biological Weapons
› CC: Crime Control
› CW: Chemical Weapons Convention
› EI: Encryption Item
› FC: Firearms Control
› MT: Missile Technology
› NP: Nuclear Proliferation
› NS: National Security
› RS: Regional Stability
› SI: Significant Item
› SS: Short Supply
› UN: United Nations
› SL: Surreptitious Listening
Encryption Compliance: EAR Framework
Commerce Country Chart

After determining the controls, one can look on the Commerce Country Chart to determine whether a license is required for export.
(Chart: an “x” indicates that a license is required)
Encryption Compliance: EAR Framework
License Exceptions

One can also use the item’s ECCN to take advantage of License Exceptions that permit export without a license.

Examples:
› Shipments of Limited Value (LVS)
› Gift Parcels and Humanitarian Donations (GFT)
› Temporary Imports, Exports, Reexports, and Transfers (TMP)
› Technology and Software Unrestricted (TSU)
› Encryption Commodities, Software and Technology (ENC) – important for encryption software
Encryption Compliance: EAR Framework
Compliance Steps

General EAR Compliance Steps:
1. Determine whether there is EAR jurisdiction
2. Determine where the item falls on the CCL
3. Look up the item’s ECCN
4. Determine the controls placed on the item
5. Review the Commerce Country Chart to determine whether a license is required
6. Consider applicability of License Exceptions, if necessary
7. If using License Exception ENC, comply with any filing requirements
8. If using License Exception TSU, comply with the reporting requirement
9. Comply with any reporting and ongoing obligations, if applicable
10. If no license exception is available, apply for a license from BIS
EAR Jurisdictional Questions
Step #1: Determine EAR Jurisdiction

YES (subject to the EAR):
› Item located in the United States and exported to another country, even if developed/made in another country
› Item made available for download from the United States, even if from a website or app store
› Item passing through the United States
› Reexport of an item of U.S. origin
› Item developed or commingled with U.S. technology
  › Complicated analysis
    ▪ Direct-product rule
    ▪ De minimis rule

NO (not subject to the EAR):
› Items subject to the exclusive jurisdiction of another agency
› Publicly available source code
  ▪ Provided reporting obligations of License Exception TSU are met
Determining a Product’s ECCN
Steps #2-4: Classify the Software

Most Common ECCNs for Encryption Software
› 5D002
  ▪ (b)(1)
  ▪ (b)(2) or (b)(3)
  ▪ (b)(4)
› 5D992
  ▪ Mass market
  ▪ Authentication or copy-protection
› EAR99
  ▪ Note 4
  ▪ Banking or medical use
Determining a Product’s ECCN
Steps #2-4: Classify the Software

Common Categories for Encryption Software
› Category 5
  ▪ Part 1 – Telecommunication
  ▪ Part 2 – Information Security
    • “information security”: all the means and functions ensuring the accessibility, confidentiality or integrity of information or communications, excluding the means and functions intended to safeguard against malfunctions. This includes “cryptography”, “cryptographic activation”, “cryptanalysis”, protection against compromising emanations and computer security.
Determining a Product’s ECCN
Steps #2-4: Classify the Software

Very Common ECCN: 5D002
› “Software” having the characteristics, or performing or simulating the functions, of equipment controlled by 5A002
› 5A002: “Information security” systems, equipment and “components” therefor, as follows:
  ▪ a. Systems, equipment, application specific “electronic assemblies,” modules and integrated circuits for “information security,” as follows, and “components” therefor “specially designed” for “information security”:
    • a.1. Designed or modified to use “cryptography” employing digital techniques performing any cryptographic function other than authentication, digital signature, or execution of copy-protected “software,” and having any of the following:
      › a.1.a. A “symmetric algorithm” employing a key length in excess of 56-bits; or
      › a.1.b. An “asymmetric algorithm” where the security of the algorithm is based on any of the following:…factorization of integers in excess of 512 bits (e.g., RSA)…
Determining a Product’s ECCN
Steps #2-4: Classify the Software
(Figures: the item’s reasons for control shown on the CCL entry: NS controls, AT controls, EI controls)
Determining a Product’s ECCN
Steps #2-4: Classify the Software

5D002 exceptions
› Authentication-only encryption
› Digital signature
› Copy protection software
› Weak encryption
  ▪ Less than 56-bit symmetric or 512-bit asymmetric
If not 5D002:
Determining a Product’s ECCN
Steps #2-4: Classify the Software

AT Controls affect:
› Cuba
› Iran
› North Korea
› Sudan
› Syria

These are the same countries against which the U.S. maintains comprehensive economic sanctions.
Determining a Product’s ECCN
Steps #2-4: Classify the Software

Common ECCN: 5D992 “mass market”
› Requirements:
  ▪ (1) Generally available to the public by being sold, without restriction, from stock at retail selling points by means of (a) over-the-counter transactions; (b) mail order transactions; (c) electronic transactions; or (d) telephone call transactions.
  ▪ (2) Cryptographic functionality cannot be easily changed by the user.
  ▪ (3) Designed for installation by the user without further substantial support by the supplier.
  ▪ (4) When necessary, details of the item are accessible and will be provided, upon request, to the appropriate authority in the exporter’s country.
Determining a Product’s ECCN
Steps #2-4: Classify the Software

“Mass market” examples
› Retail software purchased over-the-counter
› Apps purchased from an App Store
› Software made widely available via website download
Determining a Product’s ECCN
Steps #2-4: Classify the Software

Common ECCN: EAR99 “Note 4” treatment (former “ancillary” encryption item)
› Requirements:
  ▪ (1) Primary function or set of functions is not any of: (a) “information security”; (b) a computer, including operating system, parts and components therefor; (c) sending, receiving or storing information (except in support of entertainment, mass commercial broadcasts, digital rights management or medical records management); or (d) networking (includes operation administration, management and provisioning).
  ▪ (2) The cryptographic functionality is limited to supporting the primary function or set of functions.
  ▪ (3) When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter’s country.
Determining a Product’s ECCN
Steps #2-4: Classify the Software

EAR99 “Note 4” Examples
› Games and gaming software
› Software for household utilities and appliances
› Industrial, manufacturing or mechanical systems
› Scientific visualization and simulation software
› Business process automation software – process planning and scheduling, supply chain management, inventory and delivery
Determining a Product’s ECCN
Steps #2-4: Classify the Software

Common ECCN: EAR99 “Specially designed” for medical end-use
› Requirements:
  ▪ Commodities and software “specially designed” for medical end-use that incorporate an item in Category 5, part 2 are not classified in any ECCN in Category 5, part 2.
Determining a Product’s ECCN
Steps #2-4: Classify the Software

Common ECCN: EAR99 cryptographic equipment “specially designed” and limited for banking use or ‘money transactions’
License Exceptions
Step #5: Consider Applicability of License Exceptions

Most Common License Exceptions
› If EAR99, unnecessary to rely on a license exception
› ENC
▪ (a)(1) or (a)(2)
▪ (b)(1)
▪ (b)(2) or (b)(3)
▪ (b)(4)
▪ mass market
› TSU
License Exceptions
Step #5: Consider Applicability of License Exceptions

Technology and Software Unrestricted (TSU)
› The entire product source code must be open, not just developed using open-source encryption tools
› Reporting obligation outlined in 15 C.F.R. § 740.13
License Exceptions
Step #5: Consider Applicability of License Exceptions

Encryption Commodities, Software and Technology (ENC)
› (a)(1): internal development exception
  ▪ Product must have ECCN of 5A002 or 5D002
  ▪ Private sector end users, wherever located, that are headquartered in a country listed in Supplement 3
  ▪ Product must be used for internal development or production of new products by that user
› (a)(2): exports to U.S. subsidiaries
  ▪ Product must have ECCN of 5A002 or 5D002
  ▪ Export must be made to a U.S. subsidiary, or to foreign nationals who are employees, contractors, or interns of a U.S. company or its subsidiaries
  ▪ Must be for internal company use, including development or production of new products
License Exceptions
Step #5: Consider Applicability of License Exceptions

Encryption Commodities, Software and Technology (ENC)
› (b)(1)
  ▪ Almost everything
› (b)(2) and (b)(3)
  ▪ Network infrastructure software
  ▪ Encryption source code
  ▪ Crypto customized for government end users
  ▪ Quantum crypto
  ▪ Penetration capabilities
  ▪ Cryptanalytic items
  ▪ Cryptographic APIs
  ▪ Non-standard cryptography
  ▪ Network forensics
› (b)(4)
  ▪ Short-range wireless encryption; foreign products
License Exceptions
Step #6: Filing Requirements to take advantage of License Exceptions

Steps Required to Take Advantage of ENC
› “mass market” 5D992
  ▪ Encryption Registration
  ▪ Annual self-classification reporting
› (a)(1) & (a)(2) – internal development & use
  ▪ Nothing
› (b)(1) – “catch-all” 5D002 bucket
  ▪ Encryption Registration
  ▪ Annual self-classification reporting
› (b)(2) & (b)(3) – strongly controlled software
  ▪ Encryption Registration
  ▪ Classification Request
  ▪ Semi-annual export reporting (depends)
› (b)(4) – short-range wireless encryption & foreign products
  ▪ Nothing
License Exceptions
Step #6: Filing Requirements to take advantage of License Exceptions

30 Days After Classification Request is Filed
License Applications
License Application Process

No License Exception Available
› Submit License Application on SNAP-R
Common Mistakes
Examples:
› Unaware of the regulations altogether
› Assuming that, because open-source crypto tools are used, the product is not regulated
› Unaware that an export of software is occurring
› Multiple products, but only a subset of the products classified
› Wrong classification
› Changes to the product’s encryption functionality after classification
Brief Word on International Encryption Controls
Jurisdictions

Concepts
› “Import” vs. “use” controls designate who is responsible for licenses

Most aggressively regulating encryption imports:
› China, France, Hong Kong, Israel, and Russia
› France tightly controls encryption import and supply to third parties, but not use; applications must be in French and local counsel is recommended

Many others do not actively enforce restrictions
› E.g., South Africa

Some have a simple licensing process
› E.g., Israel restricts import and use of encryption hardware, software, and technology, but licensing is a simple process and typically takes < 30 days

Some have similar arrangements to the U.S.
› E.g., Hong Kong has “mass market” and “authentication only” categories similar to the U.S., although it is not a Wassenaar signatory
Brief Word on International Encryption Controls
Resources

Crypto Law Survey
› http://www.cryptolaw.org
› Not authoritative
Questions?
Thank You
Richard L. Matheny III
(rmatheny@goodwinprocter.com)
Jacob R. Osborn
(josborn@goodwinprocter.com)