22 February 2000. Thanks to Cindy Cohn and Lee Tien.
Source: Faxed hardcopy.
See Bernstein letter of inquiry: http://cryptome.org/bernstein-bxa.htm
See EFF's Bernstein case files: http://www.eff.org/bernstein/
FEB. 18, 2000 11:31AM COMMERCE DEPARTMENT
NO.666 P.2/5 to 5/5
|UNITED STATES DEPARTMENT OF COMMERCE
Bureau of Export Administration
Washington, D.C. 20230
FEB 17 2000
Cindy A. Cohn
McGlashan & Sarrail
177 Bovet Road, Sixth Floor
San Mateo, CA 94402
Dear Ms. Cohn:
I have received your letter and the list of questions it contained concerning the new encryption export regulations published by the Bureau of Export Administration (BXA) on January 14, 2000 (65 Federal Register 2492-2502). I encourage you and Professor Bernstein to review this Federal Register Notice, the other relevant sections of the Export Administration Regulations (15 C.F.R. Part 772), and BXA's Web Site (www.bxa.doc.gov), as this may help you better understand our regulations.
You ask for an advisory opinion in light of your concern that the new regulations "continue to interfere with Professor Bernstein's planned scientific activities." Your concerns are unfounded. I have sought to answer the general concerns you have asked (as they relate to Professor Bernstein) and to provide guidance which will allow Professor Bernstein to proceed with his activities.
Your letter also contained a number of comments regarding constitutionality of the government's encryption export regulations. Because the constitutionality of the regulations is the subject of litigation by your client and other persons, and because your constitutional arguments are outside the scope of this advisory opinion, I will only note that we believe our regulations have always been constitutional.
1) The General Release of Source Code and Certain Prohibitions Relating to State-Supporters of Terrorism.
As you know, encryption source code is now eligible for export under license exceptions TSU and ENC. In particular, source code with would be considered to be "publicly available" under § 734.3(b)(3) of the regulations no longer faces any requirement for prior review and does not need a license for export. We have differentiated in our regulation between "publicly available" source code which is not subject to an express agreement for the payment of a licensing fee or royalty for commercial production or sale of any product developed with it, and source code which is subject to such an agreement. Publicly available encryption source code not subject to such an agreement can be exported under the provisions of license exception TSU. Professor Bernstein's activities, as you have described them, appear to fall in this category. Encryption source code which is subject to such an agreement can be exported under the provisions of license exception ENC.
In either case, the encryption source code is not subject to prior review or licensing for export. The only material difference between publicly available source code exported under TSU and publicly available source code exported under ENC is the post-export reporting requirement for foreign products developed for commercial sale, as detailed in § 740.17(g)(3). Please note that this requirement applies to the U.S. exporter; foreign manufacturers of products developed with such source code are not subject to this reporting requirement. Also, foreign products developed by bundling or compiling of source code are not subject to the reporting requirement.
You asked about the regulatory distinction between encryption "source code" and encryption "object code." As a general matter, you should consult the definitions of "encryption object code" and "encryption source code" in the Export Administration Regulations. Binary code which is compiled from TSU source code and which is itself publicly available and not subject to licensing or royalty fee can also be exported under the provisions of license exception TSU. Encryption programs written in programming languages such as PERL or LISP can be exported under license exception TSU if they meet the requirements of § 740.13 (e)(2).
The regulations take particular care to ensure that the posting of encryption source code on the Internet(e.g., FTP or World Wide Web site) where the source code may be downloaded by anyone would not establish "knowledge" of a prohibited export or reexport to a proscribed destination. Such posting also does not trigger "red flags" necessitating affirmative duty to inquire under the "Know Your Customer" guidance provided in Supplement No. 3 to Part 732 of the Export Administration Regulations. As we have indicated in the "Question and Answers" posted on our Website, liability would exist only for a direct, knowing transfer to a proscribed entity of source code subject to License Exception TSU.
The effect of this ensures that there is no obligation for Professor Bernstein to monitor the Internet addresses of those logging into his website to download his source code (or to establish automatic screening mechanisms). You state that Professor Bernstein has post-export knowledge that individuals from proscribed countries either subscribe to a newsgroup or read his web page, and that "his actions are therefore prohibited by § 740.13(e)(2)." This is not correct,and his actions, as you have described them, are not prohibited.
Your statement that the definition of Open Cryptographic Interface has the effect of sweeping all source code back under a licensing requirement is wrong. Simply because source code is modifiable does not make it an Open Cryptographic Interface (see the definition of Open Cryptographic Interface in Part 772). Source Code which would be considered publicly available can be exported under license exception even if it includes an Open Cryptographic Interface.
2) Scientific Publications
In response to your questions regarding the publication by Professor Bernstein in traditional scientific journals and books, the Export Administration Regulations concern the export of encryption items, not publications. Printed publications are specifically excluded from the Export Administration Regulations (see § 734.3(b)(2). Such publications are not subject to the Export Administration Regulations regardless of their content or the licensing arrangements which apply when they are used to develop commercial products.
With respect to the distinction between license exceptions TSU and ENC as the apply to publicly available encryption source code, the new regulations state that intellectual property protection (e.g., copyright, patent or trademark) will not, by itself, be construed as an express agreement for the payment of a licensing fee or royalty for commercial production or sale of any product developed using the source code. You are in error when you say that scientific publishers "will continue to be subject to heavy civil and criminal penalties for making encryption source code available through the Internet." Under license exception TSU or license exception ENC, a scientific publisher does not require a license or review in order to make encryption source code available to the public through the Internet. License exception ENC applies only if an exporter has in place an agreement that specifically provides for the payment of royalties where a commercial product is made using the exported source code. If a publisher, like any other exporter, were to export source code pursuant to such an agreement under license exception ENC, the only regulatory consequence would be certain post-export reporting requirements detailed in § 740.17(g)(3).
3) Notification Requirements
There is no prior reviews for exports of source code which would be considered to be publicly available. Instead, we require that exporters provide to BXA, by time of export, written notification of the Internet location (e.g., URL or Internet address) or a copy of the source code. This written notification can take the form of an e-mail. § 734.13 provide additional detail.
Responsibility for providing this notice rests on the exporter. Your hypothetical questions concerning requirements in a University setting lack sufficient detail for a response, but if a student had a personal webpage on a University-owned server and posted encryption source code to that site, the student (not the University) would be required to provide notice. Concerning the posting onto a mirror or archive site of already-posted source code, notification is required only for the initial posting. Also note the subsequent updates and bug fixes do not require additional government notification.
No post-export reporting is required for exports of encryption source code made under License Exception TSU. Post-facto reporting may be required for encryption source code exported under License Exception ENC. Please refer to § 740.17(g)(3) for further details. Note that no reporting by an exporter is required under ENC for any export made via free or anonymous Internet download. There are no reporting or review requirements for foreign products made from encryption source code exported under license exception, nor is there anything that a foreign person could do with such source code that would cause the original exporter to be liable.
4) Technical Assistance
Under license exception TSU or ENC, Professor Bernstein is not prohibited from helping a foreign person (other than a foreign person from Iran, Iraq, Libya, Cuba, the Democratic Peoples Republic of Korea, Syria or Sudan) create compiled encryption software from source code exported.
You also asked if Professor Bernstein is free to work with nationals of state sponsors of terrorism. Professor Bernstein may not knowingly export or reexport encryption source code or products developed with this source code to Cuba, Iran, Iraq, Libya, North Korea, Sudan or Syria, or work with persons in these countries without the approval of the United States (the Bureau of Export Administration for Cuba, North Korea or Syria; the Department of Treasury's Office of Foreign Asset Control for Iran, Iraq, Libya and Sudan). You should know that there are a range of laws and regulations which apply to transactions with terrorist countries which are independent of encryption regulations; these laws and regulations vary according to the country in question, so Professor Bernstein should contact the appropriate Agency for specific guidance.
5) Printed Versus Electronic Software
Your letter asks a number of questions pertaining to definitions and terms in the new regulation, including a number of scenarios where encryption source code is converted between electronic and paper form. As you know, the Export Administration Regulations distinguish between printed and electronic source code. This distinction is based on the ease of executability of the software. Source code in printed material is not subject to the Export Administration Regulations; source code in electronic form or media, however, remains subject to the Export Administration Regulations. Since publicly available encryption source code in electronic form and media can now be freely exported without review or reporting requirements under License Exception TSU, this distinction has little or no practical effect on Professor Bernstein's activities.
Viewed in its full perspective, the new regulation simply requires that concurrent notice is provided to the government of an export of encryption source code in electronic form and that such software no knowingly and directly be exported to a proscribed destination.
You ask in your letter that BXA make the response available to the public. It is not our normal practice to make advisory opinions public. Professor Bernstein is free to do so. In light of the changes in licensing and review requirements for publicly available source code, the new regulations do not interfere with his planned activities as you have described them. If you have any further questions or with additional information, please contact me at (202) 482-4196.
James A. Lewis
Office of Strategic Trade
and Foreign Policy Controls
Transcription and HTML by Cryptome.