[Cryptography] Export controls [was: Re: NSA's FAQs Demystify the Demise of Suite B]

Allen allenpmd at gmail.com
Sun Feb 14 11:41:00 EST 2016


>
> IOW, any app that connects to a secure REST service must declare that use
> and then secure the above EAR99. Facebook apps or enterprise apps? It
> doesn’t matter; they must register with BIS. Any app that follows Apple’s
> guidelines and uses secure URLs (https://) in a web view must also
> register. All of the above applies to Android devices too.
>

Note that if the source code for the software is publicly available,
License Exception TSU might apply, but that still requires notification to
the BIS and the NSA.  See Code of Federal Regulations, Title 15, Part
740.13(e) at http://www.ecfr.gov/ which reads:

(e) Publicly available encryption source code—

 (1) Scope and eligibility. Subject to the notification requirements of
paragraph (e)(3) of this section, this paragraph (e) authorizes exports and
reexports of publicly available encryption source code classified under
ECCN 5D002 that is subject to the EAR (see §734.3(b)(3) of the EAR). Such
source code is eligible for License Exception TSU under this paragraph (e)
even if it is subject to an express agreement for the payment of a
licensing fee or royalty for commercial production or sale of any product
developed using the source code.

 (2) Restrictions. This paragraph (e) does not authorize:

    (i) Export or reexport of any encryption software classified under ECCN
5D002 that does not meet the requirements of paragraph (e)(1), even if the
software incorporates or is specially designed to use other encryption
software that meets the requirements of paragraph (e)(1) of this section; or

    (ii) Any knowing export or reexport to a country listed in Country
Group E:1 in supplement no. 1 to part 740 of the EAR.

 (3) Notification requirement. You must notify BIS and the ENC Encryption
Request Coordinator via e-mail of the Internet location (e.g., URL or
Internet address) of the publicly available encryption source code or
provide each of them a copy of the publicly available encryption source
code. If you update or modify the source code, you must also provide
additional copies to each of them each time the cryptographic functionality
of the source code is updated or modified. In addition, if you posted the
source code on the Internet, you must notify BIS and the ENC Encryption
Request Coordinator each time the Internet location is changed, but you are
not required to notify them of updates or modifications made to the
encryption source code at the previously notified location. In all
instances, submit the notification or copy to crypt at bis.doc.gov and to
enc at nsa.gov.

Note to paragraph (e): Posting encryption source code on the Internet
(e.g., FTP or World Wide Web site) where it may be downloaded by anyone
neither establishes “knowledge” of a prohibited export or reexport for
purposes of this paragraph, nor triggers any “red flags” imposing a duty to
inquire under the “Know Your Customer” guidance provided in supplement no.
3 to part 732 of the EAR. Publicly available encryption object code
software classified under ECCN 5D002 is not subject to the EAR when the
corresponding source code meets the criteria specified in this paragraph
(e), see §734.3(b)(3) of the EAR.