[Code of Federal Regulations]
[Title 15, Volume 2]
[Revised as of January 1, 2002]
From the U.S. Government Printing Office via GPO Access
[CITE: 15CFR740.17]

[Page 278-282]
 
                  TITLE 15--COMMERCE AND FOREIGN TRADE
 
  CHAPTER VII--BUREAU OF EXPORT ADMINISTRATION, DEPARTMENT OF COMMERCE
 
PART 740--LICENSE EXCEPTIONS--Table of Contents
 
Sec. 740.17  Encryption commodities and software (ENC).

    License Exception ENC authorizes the export and reexport of 
encryption items classified under ECCNs 5A002, 5D002 and 5E002. No 
encryption item(s) may be exported under this license exception to Cuba, 
Iran, Iraq, Libya, North Korea, Sudan or Syria. Reporting requirements 
apply to exports made under the authority of License Exception ENC; see 
paragraph (e) of this section for these requirements.
    (a) Exports and reexports of encryption items. Exports and reexports 
of encryption items classified under ECCNs 5A002, 5D002 and 5E002 are 
authorized to any end-user located in the countries listed in Supplement 
3 to this part 740, except for exports of cryptanalytic items (as 
defined in Part 772 of the EAR) to government end-users. These items may 
also be exported or reexported to any destination for the internal use 
of foreign subsidiaries or offices of firms, organizations and 
governments headquartered in Canada or in countries listed in Supplement 
3 to this part 740.
    (b) For all other countries, you may export and reexport encryption 
commodities, software and components (as defined in part 772 of the EAR) 
under the provisions of License Exception ENC as enumerated in this 
section. For exports and reexports of encryption items which contain an 
open cryptographic interface (as defined in part 772 of the EAR), see 
paragraph (b)(5) of this section.
    (1) Encryption items for U.S. subsidiaries. Exports and reexports of 
any encryption item classified under ECCNs 5A002, 5D002 and 5E002 of any 
key length are authorized to foreign subsidiaries of U.S. companies (as 
defined in part 772 of the EAR) without review and classification. This 
includes source code and technology for internal company use, such as 
the development of new products. License Exception ENC also authorizes 
transfers by U.S. companies of encryption technology controlled under 
5E002 to foreign nationals in the United States, (except nationals of 
Cuba, Iran, Iraq, Libya, North Korea, Sudan or Syria) for internal 
company use, including the development of new products. All items 
produced or developed by U.S. subsidiaries with encryption commodities, 
software and technology exported under this paragraph are subject to the 
EAR and require review and classification before any sale or retransfer 
outside of the U.S. company.
    (2) Encryption commodities and software. (i) Exports and reexports 
of any encryption commodity, general purpose toolkit, software and 
component are authorized after review and classification by BXA under 
ECCNs 5A002 and 5D002 to any individual, commercial firm or other non-
government end-user outside the countries (except Cuba, Iraq, Iran, 
Libya, North Korea, Sudan or Syria) listed in Supplement 3 to this part 
740. Encryption products classified under this paragraph require a 
license before export and reexport to governments (as defined in part 
772 of the EAR) outside the countries listed in Supplement 3 to this 
part 740. The restriction limiting exports or reexports to internal 
company proprietary use is removed.
    (ii) Certain restrictions apply to Internet and telecommunications 
service providers. Internet and telecommunications service providers can 
obtain and use any encryption product for their internal use and to 
provide any service under License Exception ENC. However, a license is 
required for the use of any product not classified as retail to provide 
services specific to government end-users outside the countries listed 
in Supplement 3 to this part 740, e.g., WAN, LAN, VPN, voice and 
dedicated-link services; application specific and e-commerce services 
and PKI encryption services specifically for government end-users.
    (3) Retail encryption commodities and software. Exports and 
reexports to any end-user of encryption commodities, software and 
components are authorized after review and classification by
BXA as retail under ECCNs 5A002 and 5D002. Encryption products exported 
or reexported under this paragraph (b)(3) can be used to provide 
services to any entity. Internet or telecommunications service providers 
can obtain retail products under License Exception ENC and use them to 
provide any service to any entity. Retail encryption commodities, 
software and components are products:
    (i) Generally available to the public by means of any of the 
following:
    (A) Sold in tangible form through retail outlets independent of the 
manufacturer;
    (B) Specifically designed for individual consumer use and sold or 
transferred through tangible or intangible means; or
    (C) Which are sold or will be sold in large volume without 
restriction through mail order transactions, electronic transactions, or 
telephone call transactions; and
    (ii) Meeting all of the following:
    (A) The cryptographic functionality cannot be easily changed by the 
user;
    (B) Substantial support is not required for installation and use;
    (C) The cryptographic functionality has not been modified or 
customized to customer specification; and
    (D) Are not network infrastructure products such as high end routers 
or switches designed for large volume communications.
    (iii) Subject to the criteria in paragraphs (b)(3)(i) and (ii) of 
this section, retail encryption products include (but are not limited 
to) general purpose operating systems and their associated user-
interface client software or general purpose operating systems with 
embedded networking and server capabilities; non-programmable encryption 
chips and chips that are constrained by design for retail products; low-
end routers, firewalls and networking or cable equipment designed for 
small office or home use; programmable database management systems and 
associated application servers; low-end servers and application-specific 
servers (including client-server applications, e.g., Secure Socket Layer 
(SSL)-based applications) that interface directly with the user; and 
encryption products distributed without charge or through free or 
anonymous downloads.
    (iv) Encryption products and network-based applications which 
provide functionality equivalent to other encryption products classified 
as retail will be considered retail.
    (v) 56-bit products with key exchange mechanisms greater than 512 
bits and up to and including 1024 bits, or equivalent products not 
classified as mass market, or finance-specific encryption commodities 
and software of any key length restricted by design (e.g., highly field-
formatted with validation procedures and not easily diverted to other 
end-uses) and used to secure financial communications such as electronic 
commerce may be exported under the retail provisions of this section 
immediately after submitting a completed classification request to BXA.
    (vi) Items which would be controlled only because they incorporate 
components or software which provide short-range wireless encryption 
functions may be exported without review and classification by BXA and 
without reporting under the retail provisions of this section.
    (4) Commercial encryption source code. Exports and reexports of 
encryption source code not released under Sec. 740.13(e) are authorized 
subject to the following provisions:
    (i) Encryption source code which would be considered publicly 
available under Sec. 734.3(b)(3) of the EAR and which is subject to an 
express agreement for the payment of a licensing fee or royalty for 
commercial production or sale of any product developed using the source 
code (or object code resulting from compiling of any encryption such 
source code which would be considered publicly available) can be 
exported or reexported using License Exception ENC to any end-user 
without review and classification provided you have submitted to BXA 
(with a copy to the ENC Encryption Request Coordinator) by the time of 
export, written notification of the Internet location (e.g. URL or 
Internet address) or a copy of the source code. You may not knowingly 
export or reexport source code, object code or products developed with 
this source code to Cuba, Iran, Iraq, Libya, North Korea, Sudan or 
Syria. Posting
of the source code or corresponding object code on the Internet (e.g., 
FTP or World Wide Web site) where it may be downloaded by anyone would 
not establish ``knowledge'' of a prohibited export or reexport. In 
addition, such posting would not trigger ``red flags'' necessitating the 
affirmative duty to inquire under the ``Know Your Customer'' guidance 
provided in Supplement No. 3 to part 732 of the EAR.
    (ii) Encryption source code which would not be considered publicly 
available and which does not include source code that when compiled 
provides an open cryptographic interface (see paragraph (b)(5) of this 
section), may be exported or reexported using License Exception ENC to 
any individual, commercial firm or other non-government end-user after 
submitting a complete classification request to BXA with a copy to the 
ENC Coordinator.
    (5) Cryptographic interfaces. (i) Exports or reexports of encryption 
commodities, software and components which provide an open cryptographic 
interface (as defined in part 772 of the EAR) may be exported under 
License Exception ENC to any end-user located in any country listed in 
Supplement 3 to this part 740. Exports or reexports to other 
destinations of encryption commodities, software and components which 
provide an open cryptographic interface are not eligible to use License 
Exception ENC and require a license (unless exported to a subsidiary of 
a U.S. company under paragraph (b)(1) of this section). This does not 
apply to source code that would be considered publicly available under 
Sec. 734.3(b)(3) of the EAR.
    (ii) Encryption items which are limited to allowing foreign-
developed cryptographic products to operate with U.S. products (e.g. 
signing) can be exported or reexported under License Exception ENC to 
any end-user. Such exports are subject to reporting requirements (see 
paragraph (e)(3) of this section). No review of the foreign-developed 
cryptography is required.
    (c) Reexports and Transfers. U.S. or foreign distributors, resellers 
or other entities who are not original manufacturers of encryption 
commodities and software are permitted to use License Exception ENC only 
in instances where the export or reexport meets the applicable terms and 
conditions of this section. Transfers of encryption items listed in 
paragraph (b) of this section to government end-users or end-uses within 
the same country are prohibited unless otherwise authorized by license 
or license exception. Foreign products developed with or incorporating 
U.S.-origin encryption source code, components or toolkits remain 
subject to the EAR but do not require review and classification by BXA 
and can be exported or reexported without further authorization.
    (d) Eligibility for License Exception ENC. (1) Review and 
classification. You may initiate review and classification of your 
encryption items as required by this section by submitting a 
classification request in accordance with the provisions of 
Sec. 748.3(b) and Supplement 6 to Part 742 of the EAR. Indicate 
``License Exception ENC'' in Block 9: Special purpose, on form BXA-748P. 
Submit the original request to BXA and send a copy of the request to ENC 
Encryption Request Coordinator (see paragraph (e)(5) of this section for 
mailing addresses).
    (i) Exporters may immediately export and reexport any encryption 
item except ``cryptanalytic items'' as defined in part 772 of the EAR to 
any end-user located in the countries listed in Supplement 3 to this 
part 740 provided the exporter has submitted to BXA a completed 
classification request by the time of export.
    (ii) Exporters may, thirty days after receipt of a completed 
classification request by BXA, export and reexport to any non-government 
end-user located outside the countries listed in Supplement 3 to this 
part 740 any encryption product eligible under paragraph (b)(2), (b)(3) 
or (b)(4) of this section unless otherwise notified by BXA. No exports 
to government end-users located outside of countries listed in 
Supplement 3 to this part 740 are allowed under this provision. BXA 
reserves the right to suspend eligibility to export under this provision 
while a classification is pending.
    (2) Grandfathering. Finance-specific and 56-bit products previously 
reviewed and classified by BXA can be exported and reexported to any 
end-user without
further review. Other encryption commodities, software or components 
previously approved for export can be exported and reexported without 
further review to any end-user in countries listed in Supplement 3 to 
this part 740 countries and to any non-government end-user outside of 
the countries listed in Supplement 3 to this part 740. This includes 
products approved under a license, an Encryption Licensing Arrangement, 
or classified as eligible to use License Exception ENC (except for those 
products which were only authorized for export to U.S. subsidiaries). 
Exports of products not classified by BXA as ``retail'' to governments 
of countries not listed in Supplement 3 to this part 740 require a 
license.
    (3) Key length increases. Exporters can increase the key lengths of 
previously classified products and continue to export without another 
review. No other change in the cryptographic functionality is allowed.
    (i) Any product previously classified as 5A002 or 5D002 can, with 
any upgrade to the key length used for confidentiality or key exchange 
algorithms, be exported or reexported under provisions of License 
Exception ENC to any non-government end-user without an additional 
review. Another classification is necessary to determine eligibility as 
a ``retail'' product under paragraph (b)(3) of this section.
    (ii) Exporters must certify to BXA in a letter from a corporate 
official that the only change to the encryption product is the key 
length for confidentiality or key exchange algorithms and there is no 
other change in cryptographic functionality. Certifications must include 
the original authorization number issued by BXA and the date of 
issuance. BXA must receive this certification prior to any export of an 
upgraded product. The certification should be sent to BXA, with a copy 
sent to the ENC Encryption Request Coordinator (see paragraph (e)(5) of 
this section for mailing addresses).
    (e) Reporting requirements. (1) No reporting is required for exports 
of:
    (i) Any encryption to U.S. subsidiaries for internal company use;
    (ii) Finance-specific products;
    (iii) Encryption commodities or software with a symmetric key length 
not exceeding 64 bits or otherwise classified as qualifying for mass 
market treatment;
    (iv) Retail products exported to individual consumers;
    (v) Items exported via free or anonymous download;
    (vi) Encryption items from or to a U.S. bank, financial institution 
or their subsidiaries, affiliates, customers or contractors for banking 
or financial operations;
    (vii) Items which incorporate components limited to providing short-
range wireless encryption functions;
    (viii) Retail operating systems, or desktop applications (e.g. e-
mail, browsers, games, word processing, data base, financial 
applications or utilities) designed for, bundled with, or pre-loaded on 
single CPU computers, laptops or hand-held devices;
    (ix) Client Internet appliance and client wireless LAN cards;
    (x) Foreign products developed by bundling or compiling of source 
code.
    (2) Exporters must provide all available information as follows:
    (i) For items exported to a distributor or other reseller, including 
subsidiaries of U.S. firms, the name and address of the distributor or 
reseller, the item and the quantity exported and, if collected as part 
of the distribution process by the exporter, the end-user's name and 
address;
    (ii) For items exported through direct sale, the name and address of 
the recipient, the item, and the quantity exported (except for retail 
products if the end-user is an individual consumer); and
    (iii) For exports of 5E002 items to be used for technical assistance 
and which are not released by Sec. 744.9 of the EAR, the name and 
address of the end-user.
    (3) For direct sales or transfers of encryption components, 
commercial source code described under paragraph (b)(4) of this section, 
technology or general purpose encryption toolkits to foreign 
manufacturers when intended for use in foreign products developed for 
commercial sale, you must submit the names and addresses of the 
manufacturers using these items and, when
the product is made available for commercial sale, a non-proprietary 
technical description of the foreign products for which the component, 
source code or toolkit are being used (e.g., brochures, other 
documentation, descriptions or other identifiers of the final foreign 
product; the algorithm and key lengths used; general programming 
interfaces to the product, if known; any standards or protocols that the 
foreign product adheres to; and source code, if available.).
    (4) Exporters of encryption commodities, software and components 
which were previously classified under License Exception ENC, or which 
have been licensed for export under an Encryption Licensing Arrangement, 
must comply with the reporting requirements of this section.
    (5) You must submit reports required under this section semi-
annually to BXA, unless otherwise provided in this paragraph (e)(5). For 
exports occurring between January 1 and June 30, a report is due no 
later than August 1 of that year. For exports occurring between July 1 
and December 31, a report is due no later than February 1 the following 
year. Reports must include the classification or other authorization 
number. These reports must be provided in electronic form to BXA; 
suggested file formats for electronic submission include spreadsheets, 
tabular text or structured text. Exporters may request other reporting 
arrangements with BXA to better reflect their business models. Reports 
should be sent electronically to crypt@bxa.doc.gov, or disks and CDs can 
be mailed to the following addresses:
    (i) Department of Commerce, Bureau of Export Administration, Office 
of Strategic Trade and Foreign Policy Controls, 14th Street and 
Pennsylvania Ave., N.W., Room 2705, Washington, D.C. 20230, Attn: 
Encryption Reports.
    (ii) A copy of the report should be sent to: Attn: ENC Encryption 
Request Coordinator, 9800 Savage Road, Suite 6131, Ft. Meade, MD 20755-
6000.

[65 FR 62605, Oct. 19, 2000]