10:35 The Information Technology Division's analyst Joseph Young begins with an overview...
10:37 ITCD completed 2301 reviews and classifications last year, 18% mass market encryption, 69% License Exception ENC, the balance a grab bag. Also, 837 licenses, the vast majority crypto IVLs.
10:45 On to encryption...don't forget about Category 5, Part II's see-through rule, which captures items with cryptographic capabilities regardless of whether or not data confidentiality is their main function.
10:50 ITCD analyst Mike Pender: "policy continues to evolve" even though the regulations have been reasonably static lately.
10:56 A few important issues in encryption reviews
- Bundling: Should never involve something new, but rather two (or more) previously classified/reviewed items. For example, a program using the (very common) OpenSSL library is a new product from the BIS point of view, potentially requiring notification or review, and is not a bundle. Bottom line -- and I've seen clients struggle with this often enough myself -- it doesn't matter where the crypto comes from, just that it's being used in some manner. Pender suggests listing parts/components of an item separately on a classification request, along with the bundle or combined product. (See Part 770.2(m) for more)
- Open Source: Open source and publicly available are NOT synonymous.
- Crypto aware: Hooks and calls to third party encryption can still make your product subject to encryption rules even in the absence of innate crypto functionality.
- Dormant crypto: A product exported w/encryption features disabled is still considered an encryption item requiring review. Consider listing enabled/disabled separately on classification request. BIS wants to know:
- Is there an interface to install new software?
- Is the missing SW available for download?
- Just waiting for activation key?
- Can another product's key be used?
- Enhances performance of other products?
11:03 There's a bit of irony in the ITCD explaining the EAR's encryption controls by comparison to the ITAR's see-through rule since DDTC isn't hot on that term.
11:07 Pender is refreshingly frank about the limits and failings of the encryption regs.
11:15 Longtime BIS encryption analyst Judith Currie discusses the benefits the nirvana state of encryption controls -- mass market status -- with the help of a pleasant Cinderella analogy warning off you envious corporate step-sisters who don't meet the mass market criteria.
11:21 Currie: don't bury changes to a previously-reviewed product. Put them up front and save us all some time. And don't regurgitate the mass market criteria, explain how the hardware of software meets them.
11:27 Aaron Amundson discusses the once quite popular Encryption Licensing Arrangements (ELAs), which have largely gone by the wayside with the invention of License Exception ENC several years ago. But Aaron wants you to consider applying for an ELA whenever an IVL is required. And he's got a point -- if you're going to have to go through the bother of getting a license for an export to one customer, why not at least attempt to get permission to export a range of products to a range of customers in a number of destinations?
11:36 Amundson's colleague C. Lauren Jackson makes a plea for good, by which she means well-written, applications and also offers a tip that the BIS IT environment cuts out the model number from SNAP applications, so include that in the technical specs block. And focus on a full description of what the product is and does, not things like IRS tax statements or dozens of pages of marginally relevant technical details. (In my experience, if BIS wants that kind of detail -- and they rarely do -- they'll ask for it.)
11:42 Q: Will ENC reporting requirement be eliminated in the near future: A: No.
11:43 Q: Will BIS clarify the regs to emphasize that encryption controls can capture products outside Cat. 5 Part II? A: We're always trying to improve.
11:44 Q: For short range wireless >64-bits do you need a review to use 5A002? A: There's a carve-out for short range wireless that's not essentially an encryption product, but just an item w/short-range wireless added (e.g. wireless toaster).
11:45 Q: When can you self-classify? A: Password only authentication, copy protection, items w/certain banking-specific fields, etc.
11:46 Q: Will there be any guidance on civilian government end-user definition for ELAs? A: Not planned, but excludes military and law enforcement.
11:47 Q: Where does EAR say to use most conservative classification? A: It's common-sense.
11:50 Q: Does the ENC provision for exports to US subsidiaries (wo/reporting or review) work for subs of other companies? A: Yes, it's not just for your own sub. (Don't confuse with related provision for exports to other countries -- mainly the EU -- which are limited to use for internal development.)
11:53 Q: If we install 5D002 software on a 4A994 computer is another review required? A: Not necessarily, but it's your option if you're concerned US Customs might be confused that there's no "G number" for the hardware.
11:56 Q: What's the purpose of reporting under ENC and ELAs? A: It's intended to lessen the burden on exporters, to allow use of license exceptions, we do keep a database. (Not a very satisfying answer IMHO, given that this is a substantial burden on US exporters that their foreign competitors do not face.)
11:58 Q: How do we know if someone else's software has been reviewed? A: You've got to ask the manufacturer. (My own tip -- check out the right hand column of this blog for links to corporate websites that may well tell you.)