The release of publicly available strong encryption software under the EAR is tightly regulated.
However, a License Exception TSU (Technology and Software - Unrestricted) is available for transmission
or transfer of the code outside of the US.

Strong dual-use encryption, addressed in Category 5 Part II of the EAR's
Commerce Control List (CCL)
at 5A002 (encrypted hardware) and 5D002 (encryption software), is defined as:
- Employing a symmetric algorithm with a key length in excess of 56 bits;
- Employing an asymmetric algorithm based on:
  - A factorization of integers in excess of 512 bits (i.e. RSA);
  - Computation of discrete logarithms in a multiplicative group of a finite field of size greater than
    512 bits (i.e. Diffie-Hellman over Z/pZ);
  - Discrete logarithms in a group in excess of 112 bits (i.e. Diffie-Hellman over an elliptic curve);
- Designed or modified to perform dual-use cryptanalytic functions;
- Designed or modified to use quantum cryptography;
- Specially designed or modified to reduce the compromising emanations of information bearing signals
beyond that necessary for health, safety or electromagnetic interference;
- Using cryptographic techniques to generate the spreading code for dual-use spread spectrum systems
including the hopping code for frequency hopping systems;
- Using cryptographic techniques to generate channelizing codes, scrambling codes or network
identification codes for systems using ultra-wideband modulation techniques;
- Using cryptography in communications cable systems designed or modified to detect surreptitious
intrusion using mechanical, electrical or electronic means.

Strong dual-use encryption software is NOT:
- Cryptographic code limited to authentication and digital signature including associated key
management functions;
- Software using fixed data compression or coding techniques;
- Encryption/decryption code designed to protect libraries, design attributes or associated data
for the design of semiconductor devices or integrated circuits.

NOTE: The examples provided above are intended as general summaries and are
not authoritative. Researchers are responsible for consulting the CCL for encryption software
specifically designed or developed for applications not captured by the ITAR.

Publicly available software under the EAR, as under the ITAR, is exempt from export control.
However, before strong dual-use encryption code is made publicly available via the internet or
otherwise placed electronically in the public domain, exporters must provide the US Government
with either a copy of the strong dual-use encryption code or a one-time notification of the
internet location (URL) of the code. This must be done before making the software publicly
available. Notification after transmission or transfer of the software outside the US is
an export control violation.

Updates and Modifications: The US Government requires notification of updates or
modifications to strong encryption software already made publicly available when the original
method of notification was submission of a copy of the encryption software. When notification
is made by email describing the internet location (URL) of the code, the government only has to be
notified of encryption updates and modifications when the internet location of the modified or
updated code has changed. So that University of Vermont (UVM) researchers do not have to concern
themselves with notifying the government of frequent modifications or updates to their encryption
code, UVM will fulfill the initial notification requirement by emailing the internet location or
URL of the posted code. UVM will not provide the government with electronic copies of the code.
The UVM-developed encryption software must be freely downloadable by all interested members of the
scientific community at no charge and without UVM knowing by whom or from where the data is being
downloaded. This means no login requirement or other password or authentication procedures.
The government could view a login or other authentication requirement as an access control, and
such a requirement could destroy the university's ability to characterize the generated software as
in the public domain without restriction.

Publicly available dual-use encryption software that does not entail strong encryption requires
neither US government notification nor review and can be freely shipped, shared, transferred or
transmitted outside of the US regardless of destination.

Strong Encryption and US Person Technical Assistance:
In addition to regulating the export of encryption code, the EAR also regulates US person activity
with respect to strong dual-use encryption software and hardware. Without US government approval,
US persons are prohibited from providing technical assistance (i.e., instruction, skills training,
working knowledge, consulting services) to a foreign person with the intent to assist in the overseas
development or manufacture of dual-use encryption software or hardware employing strong encryption
code. This prohibition does NOT limit UVM personnel from teaching or discussing general information
about cryptography or developing or sharing encryption code within the United States that arises
during, or results from, UVM or other university-generated fundamental research.