Faculty, staff and students, who are developing encryption software need to be aware of export control implications related to this work.

As a general rule, code developed here at the University of Vermont (UVM) is the product of non-proprietary, fundamental research. To reinforce this, and to avoid difficulties with federal export control regulations, researchers should upload UVM-generated encryption code onto a publicly-available web site as soon as possible. Access to the code must not include login requirements or other password or authentication procedures.

Researchers should also be aware that an export license may be required before providing technical assistance to foreign persons in the overseas manufacture or development of software or hardware containing strong encryption.

The rest of this page describes federal regulations that apply to encryption export controls, namely, the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR).

To understand the impact of disclosing information and technology, please review:   UVM's Export Control Policy.

Questions about the applicability of export control regulations to a particular situation, or about any of the information presented on this page, should be directed to:

      Ruth Farrell, Associate VP for Research Administration
      Ruth.Farrell@uvm.edu
      (802) 656-3360

---

A. International Traffic in Arms Regulations (ITAR)

The sharing, shipping, transmission or transfer of all encryption software in either source code or object code that is specifically designed or developed for a military, intelligence or space application is subject to the International Traffic in Arms Regulations (ITAR). ITAR-related encryption software is controlled for export and cannot be shared with a foreign person unless the code is already published or otherwise in the public domain.

See Encryption Controls and the US Munitions List (USML) for an identification of ITAR-regulated encryption by USML category.

UVM Researcher Action Required - ITAR Encryption Compliance -

UVM researchers generating ITAR-related encryption software must upload the code onto a publicly available website immediately to demonstrate that the software has been published.

 

The UVM-developed encryption software must be freely downloadable by all interested members of the scientific community at no charge and without UVM's knowledge by whom or from where the data is being downloaded. This means no login requirement or other password or other authentication procedures. The government could view a login or other authentification requirement as an access control, and such a requirement could destroy the university's ability to characterize the generated software as unrestricted fundamental research excluded from export controls.

Unlike the Export Administration Regulations (EAR) that address "dual-use" software and technology, discussed below, the munitions-specific ITAR does not require government notification before making the software publicly available.

---

   

B. Export Administration Regulations (EAR)

The sharing, shipping, transmission or transfer of almost all dual-use encryption software in either source code or object code is subject to the Export Administration Regulations. Even most of today's publicly available dual-use encryption software, which uses "strong" encryption, is captured by the EAR and requires the availability of a License Exception to exit the US. A License Exception under the EAR is an authorization based on a set of criteria, which when met, allows the exporter to circumvent what would otherwise have been a requirement to obtain an export license.

See EAR Strong Encryption Controls for a listing of encryption code that meets this definition.

UVM Researcher Action Required - EAR Strong Encryption Compliance -

UVM researchers MUST email Ruth Farrell, Associate VP for Research Administration, at Ruth.Farrell@uvm.edu with the internet location or URL of the EAR-controlled strong encryption software before making the software publicly available regardless of medium. Only after receiving an email confirmation back from UVM's Associate VP for Research Administration may the researcher upload the code onto a publicly available website.

 

The UVM-developed encryption software must be freely downloadable by all interested members of the scientific community at no charge and without UVM's knowledge by whom or from where the data is being downloaded. This means no login requirement or other password or authentication procedures. The government could view a login or other authentification requirement as an access control, and such a requirement could destroy the university's ability to characterize the generated software as in the public domain without restriction.

Publicly available dual-use encryption software that does not entail strong encryption requires neither US government notification nor review and can be freely shipped, shared, transferred or transmitted outside of the US regardless of destination.

Strong Encryption and US Person Technical Assistance: In addition to regulating the export of encryption code, the EAR also regulates US person activity with respect to strong dual-use encryption software and hardware. Without US government approval, US persons are prohibited from providing technical assistance (i.e., instruction, skills training, working knowledge, consulting services) to a foreign person with the intent to assist in the overseas development or manufacture of dual-use encryption software or hardware employing strong encryption code. This prohibition does NOT limit UVM personnel from teaching or discussing general information about cryptography or developing or sharing encryption code within the United States that arises during, or results from, UVM or other university-generated fundamental research.