Mass Market Encryption Software Export Eased

Donate $25 for two DVDs of the Cryptome collection of files from June 1996 to the present
7 January 2010
[Federal Register: January 7, 2011 (Volume 76, Number 5)]
[Rules and Regulations]               
[Page 1059-1063]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr07ja11-1]                         


========================================================================
Rules and Regulations
                                                Federal Register
________________________________________________________________________

This section of the FEDERAL REGISTER contains regulatory documents 
having general applicability and legal effect, most of which are keyed 
to and codified in the Code of Federal Regulations, which is published 
under 50 titles pursuant to 44 U.S.C. 1510.

The Code of Federal Regulations is sold by the Superintendent of Documents. 
Prices of new books are listed in the first FEDERAL REGISTER issue of each 
week.

========================================================================



[[Page 1059]]



DEPARTMENT OF COMMERCE

Bureau of Industry and Security

15 CFR Parts 732, 734, 740, 772, and 774

[Docket No. 100108014-0121-01]
RIN 0694-AE82

 
Publicly Available Mass Market Encryption Software and Other 
Specified Publicly Available Encryption Software in Object Code

AGENCY: Bureau of Industry and Security, Commerce.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Bureau of Industry and Security (BIS) is removing from the 
scope of items subject to the Export Administration Regulations (EAR) 
``publicly available'' mass market encryption object code software with 
a symmetric key length greater than 64-bits, and ``publicly available'' 
encryption object code classified under Export Control Classification 
Number (ECCN) 5D002 on the Commerce Control List when the corresponding 
source code meets the criteria specified under License Exception TSU. 
This change is being made pursuant to a determination by BIS that, 
because there are no regulatory restrictions on making such software 
``publicly available,'' and because, once it is ``publicly available,'' 
by definition it is available for download by any end user without 
restriction, removing it from the jurisdiction of the EAR will have no 
effect on export control policy. This action will not result in the 
decontrol of source code classified under ECCN 5D002, but it will 
result in a simplification of the regulatory provisions for publicly 
available mass market software and specified encryption software in 
object code.

DATES: This rule is effective: January 7, 2011.

FOR FURTHER INFORMATION CONTACT: For questions of a technical nature, 
contact: the Information Technology Division, Office of National 
Security and Technology Transfer Controls at (202) 482-0707 or by e-
mail cpratt@bis.doc.gov.
    For questions of a general nature, contact: Sharron Cook, Office of 
Exporter Services, Bureau of Industry and Security, U.S. Department of 
Commerce at (202) 482-2440 or by e-mail to scook@bis.doc.gov.

SUPPLEMENTARY INFORMATION:

Background

    This rule removes from the jurisdiction of the EAR mass market 
encryption software and specified encryption object code that is 
publicly available. Publicly available software, other than encryption 
software, is not subject to the EAR. Certain publicly available 
encryption software has remained subject to the jurisdiction of the EAR 
since the mid-1990s, when commercial items incorporating encryption 
functionality were transferred to the jurisdiction of the EAR (see 
Sec.  734.3(b)(3) of the EAR). At that time, much less mass market 
software was ``publicly available'' than is the case today. Because of 
the much wider array of ``publicly available'' mass market and other 
encryption software in object code, BIS recently reviewed the 
provisions of the EAR that retained jurisdiction over such software. 
Pursuant to this review, BIS determined that there are no regulatory 
restrictions on making such software ``publicly available.'' Moreover, 
because, once it is ``publicly available,'' it is, by definition, 
available for download by any end user without restriction, removing it 
from the jurisdiction of the EAR will have no effect on export control 
policy. Removing these items from EAR jurisdiction will also result in 
a simplification of the regulatory provisions. Accordingly, BIS 
believes that its regulatory discretion should no longer be exercised 
in a manner that such encryption software remains subject to the EAR.
    During its review, BIS noted that the EAR currently provide that 
making certain encryption software ``publicly available'' by posting it 
on the Internet where it may be downloaded by anyone does not establish 
``knowledge'' of a prohibited export or reexport. Additionally, such 
activity also does not trigger any ``red flags'' that impose an 
affirmative duty to inquire under the ``Know Your Customer'' guidance 
provided in the EAR (see 67 FR 38855, 38857, June 6, 2002). Therefore, 
a person or company does not violate the EAR if it posts ``mass 
market'' encryption software on the Internet for free and anonymous 
download (i.e., makes it ``publicly available''), and the software is 
downloaded by an anonymous person from anywhere in the world. In 
addition, if the person or company ``publishes'' mass market encryption 
software by another means, the person or company does not violate the 
EAR.
    Through this rule, BIS removes two kinds of encryption software 
from the jurisdiction of the EAR: (1) Publicly available encryption 
software in object code with a symmetric key length greater than 64-
bits that has been determined to be mass market software under section 
742.15(b) of the EAR and has been reclassified under ECCN 5D992; and 
(2) publicly available encryption software in object code classified 
under ECCN 5D002 when the corresponding source code meets the criteria 
specified in section 740.13(e) of the EAR.
    Publicly available mass market encryption object code software: 
Encryption software in object code that has been reviewed by BIS and 
determined to be mass market software under the section 742.15(b)(3) 
procedure, or software that does not require review but has been self-
classified by the exporter as mass market software under section 
742.15(b)(1), is reclassified from Export Control Classification Number 
(ECCN) 5D002 to ECCN 5D992 on the Commerce Control List (CCL) 
(Supplement No. 1 to Part 774 of the EAR). ECCN 5D992 software is 
controlled for anti-terrorism reasons, and requires a license for 
export to Iran, Cuba, Syria, Sudan and North Korea (Country Group E:1 
countries; see Supplement No. 1 to Part 740). The procedure to self-
classify qualifying mass market software under ECCN 5D992 requires both 
the submission of an encryption registration to BIS in accordance with 
section 742.15(b)(7), and the submission of an annual self-
classification report in

[[Page 1060]]

accordance with section 742.15(c). Meanwhile, for specified software 
described in section 742.15(b)(3), the procedure to obtain ``mass 
market'' classification under ECCN 5D992 requires both the submission 
of an encryption registration and a classification request to BIS, in 
accordance with section 742.15(b)(7).
    This rule amends the EAR to provide that, once the registration is 
submitted and the encryption software is properly classified as ``mass 
market'' under the relevant requirements of section 742.15(b), if the 
software is then made ``publicly available,'' it is not subject to the 
EAR. Software authorized for export and reexport under section 
742.15(b)(1) pursuant to registration and self-classification must 
still be included in the exporter's annual self-classification report 
for the calendar year during which it was self-classified as ``mass 
market'' software.
    Publicly available encryption object code corresponding to source 
code made eligible for License Exception TSU. Section 740.13(e)(1) of 
the EAR authorizes the export and reexport of encryption object code if 
both the object code and the source code from which it is compiled 
would be considered publicly available under section 734.3(b)(3) of the 
EAR, were they not classified under ECCN 5D002. Section 740.13(e)(3) 
requires that the source code or the location of the source code be 
notified to the BIS and to the ENC Encryption Request Coordinator 
before becoming eligible for License Exception TSU. As with the 
publicly available mass market encryption software, such object code 
may be exported to any destination, via anonymous download, without 
violating the EAR. For the reasons discussed above, BIS's regulatory 
discretion under the EAR should no longer be exercised in a manner that 
renders such software subject to the EAR.
    Pursuant to section 734.2(b)(9)(ii) of the EAR, publicly available 
encryption source code that is classified under ECCN 5D002 must be 
notified to BIS and the ENC Encryption Request Coordinator under the 
provisions of License Exception TSU (section 740.13(e)). This rule 
amends this provision to state that the publicly available encryption 
object code corresponding to publicly available source code eligible 
for export under section 740.13(e) is no longer subject to the EAR.
    In addition, the requirements for encryption registration and 
classification as described in section 742.15(b) pertain only to 
``publicly available'' mass market encryption software with symmetric 
key length exceeding 64 bits. ``Publicly available'' mass market 
encryption software that does not meet the criterion of ``symmetric key 
length exceeding 64 bits'' is not subject to the EAR; neither is any 
``publicly available'' encryption software that is classified under 
ECCN 5D992 for reasons other than a ``mass market'' determination. 
Moreover, several types of mass market encryption software that remain 
under the jurisdiction of the EAR--even when they are ``publicly 
available''--are no longer subject to encryption registration and 
classification requirements under section 742.15(b), including, since 
October 2008, software performing ``ancillary cryptography.'' The 
removal of the previous classification review requirement demonstrates 
that there is no regulatory interest in maintaining EAR jurisdiction 
over these products when they are ``publicly available.''
    The following specific revisions are made to the EAR:

Section 732.2 ``Steps Regarding Scope of the EAR''

    This rule revises paragraph (b) in section 732.2 and: (1) Replaces 
the phrase ``controlled for EI reasons under ECCN 5D002'' with 
``classified under ECCN 5D002;'' (2) replaces the phrase ``shall be 
subject to the EAR'' with the phrase ``is subject to the EAR;'' (3) 
removes the phrase ``and mass market encryption software with symmetric 
key length exceeding 64-bits classified under ECCN 5D992;'' and (4) 
adds the phrase, ``except for publicly available encryption object code 
software classified under ECCN 5D002 when the corresponding source code 
meets the criteria specified in Sec.  740.13(e) of the EAR.'' This 
revision narrows the scope of publicly available software subject to 
the EAR to include only encryption source code classified under ECCN 
5D002. The sixth sentence of section 732.2 is removed by this rule, as 
it is redundant.

Part 734 ``Scope of the EAR''

    This rule removes the phrase ``and object code'' in the last 
sentence in paragraph (b)(9)(ii) and adds a new sentence at the end as 
follows: ``Publicly available encryption software in object code that 
corresponds to encryption source code made eligible for License 
Exception TSU under section 740.13(e) is not subject to the EAR.'' In 
section 734.3, this rule revises paragraph (b)(3) by replacing the 
phrase ``controlled for `EI' reasons'' with ``classified'' and removing 
the phrase ``and mass market encryption software with symmetric key 
length exceeding 64-bits controlled under ECCN 5D992.'' In addition, 
this rule adds the following sentence to the Note to paragraphs (b)(2) 
and (b)(3): ``Publicly available encryption object code software 
classified under ECCN 5D002 is not subject to the EAR when the 
corresponding source code meets the criteria specified in Sec.  
740.13(e) of the EAR.''
    In section 734.7, ``Published Information and Software,'' this rule 
revises paragraph (c) by adding the modifier ``published'' before 
``encryption software,'' replacing the word ``controlled'' with 
``classified,'' and adding a reference to ``Supplement No. 1 to part 
774 of the EAR'' for the Commerce Control List to add clarity to the 
first sentence. This rule also adds the phrase ``except publicly 
available encryption object code software classified under ECCN 5D002 
when the corresponding source code meets the criteria specified in 
Sec.  740.13(e) of the EAR,'' and removes the phrase ``and mass market 
encryption software with symmetric key length exceeding 64-bits 
controlled under ECCN 5D992'' to remove such software from being 
subject to the EAR for reasons stated in the preamble to this rule. 
This rule also replaces the word ``remain'' with the word ``remains'' 
in the first sentence of section 734.7 to maintain accurate grammar in 
the revised sentence. This rule also makes consistent changes to 
sections 734.8 (``Information resulting from fundamental research'') 
and 734.9 (``Educational information'').
    This rule amends Supplement No. 1 to part 734 ``Questions and 
Answers--Technology and Software Subject to the EAR'' by removing the 
question and answer to G(3). The question and answer indicated an 
exception to the published criteria in section 734.7. The exception 
allowed software to become not subject to the EAR based on being 
considered published, even if the cost of the software was higher than 
the cost of reproduction and distribution. The exception required the 
exporter to request this treatment via a classification request to BIS. 
As the supplement is guidance, conflicts with regulatory text and no 
known requests have come in for this treatment, BIS has decided to 
delete it.

Section 740.13 ``Technology and Software--Unrestricted (TSU)''

    Section 740.13 is amended by removing the parenthetical phrase 
``(and corresponding object code)'' from the title of paragraph (e), 
because publicly available corresponding object code is not subject to 
the EAR if the source code meets the criteria of 740.13(e) and is 
publicly available. This rule also adds a

[[Page 1061]]

phrase to the first sentence of paragraph (e)(1) that reads ``subject 
to the notification requirements of paragraph (e)(3) of this section'' 
to link the notification requirement with the authorization. This rule 
removes the phrase ``without review'' in the first sentence of (e)(1), 
because it is not necessary and may be confusing to state what actions 
are not required to be eligible for this license exception. The first 
sentence of (e)(1) is further amended by adding the descriptor 
``publicly available'' in front of ``encryption source code,'' to be 
more specific about what type of source code is eligible for this 
license exception. In addition, this rule replaces the phrase ``if not 
controlled by ECCN 5D002, would be considered publicly available under 
Sec.  734.3(b)(3)'' with ``is subject to the EAR pursuant to Sec.  
734.3(b)(3)'' to simplify the first sentence in paragraph (e)(1). For 
consistency with the change making specified object code not subject to 
the EAR, this rule removes the last sentence in paragraph (e)(1), which 
stated ``This paragraph also authorizes the export and reexport of the 
corresponding object code (i.e., that which is compiled from source 
code that is authorized for export and reexport under this paragraph) 
if both the object code and the source code from which it is compiled 
would be considered publicly available under Sec.  734.3(b)(3) of the 
EAR, if they were not controlled under ECCN 5D002.''

Section 772.1 ``Definitions of Terms as Used in the EAR''

    In section 772.1, the definition of the term ``commodity'' is 
amended by removing the last two sentences, because they do not 
contribute to defining the term ``commodity,'' and the concepts 
concerning publicly available encryption software can be found in more 
appropriate parts of the EAR, e.g., Part 734.

ECCN 5D002 ``Information Security--Software''

    In Supplement No. 1 to Part 774 (the Commerce Control List), 
Category 5 Telecommunications and ``Information Security,'' Part 2 
Information Security, ECCN 5D002 is amended by revising the last note 
in the License Requirement section by replacing the word ``software'' 
with the words ``source code,'' and removing the parenthetical phrase 
``(and corresponding object code).'' This amendment is made to conform 
the text of the Note to the revisions made by this rule.
    Since August 21, 2001, the Export Administration Act has been in 
lapse. However, the President, through Executive Order 13222 of August 
17, 2001 (3 CFR, 2001 Comp. 783 (2002)), which has been extended by 
successive Presidential Notices, the most recent being that of August 
12, 2010, 75 FR 50681 (August 16, 2010), has continued the Regulations 
in effect under the International Emergency Economic Powers Act (50 
U.S.C. 1701 et seq.).

Rulemaking Requirements

    1. This final rule has been determined to be significant for 
purposes of Executive Order 12866.
    2. Notwithstanding any other provision of law, no person is 
required to respond to, nor shall any person be subject to a penalty 
for failure to comply with a collection of information subject to the 
requirements of the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et 
seq.) (PRA), unless that collection of information displays a currently 
valid Office of Management and Budget (OMB) Control Number. This rule 
involves two collections of information subject to the PRA. One of the 
collections has been approved by OMB under control number 0694-0088, 
``Multi Purpose Application,'' and carries a burden hour estimate of 58 
minutes for a manual or electronic submission. The other collection has 
been approved by OMB under control number 0694-0106, ``Reporting and 
Recordkeeping Requirements under the Wassenaar Arrangement,'' and 
carries a burden hour estimate of 21 minutes for a manual or electronic 
submission. Send comments regarding these burden estimates or any other 
aspect of these collections of information, including suggestions for 
reducing the burden, to OMB Desk Officer, New Executive Office 
Building, Washington, DC 20503; and to Jasmeet Seehra, OMB Desk 
Officer, by e-mail at Jasmeet_K._Seehra@omb.eop.gov or by fax to 
(202) 395-7285; and to the Office of Administration, Bureau of Industry 
and Security, Department of Commerce, 14th and Pennsylvania Avenue, NW, 
Room 6622, Washington, DC 20230.
    3. This rule does not contain policies with Federalism implications 
as that term is defined under Executive Order 13132.
    4. The Department has determined that there is good cause under 5 
U.S.C. 553(b)(B) to waive the provisions of the Administrative 
Procedure Act requiring notice and the opportunity for public comment 
when such notice and comment is contrary to the public interest. This 
rule simplifies the regulatory provisions for publicly available mass 
market software and specified encryption software in object code by 
removing them from the jurisdiction of the EAR. BIS recognized that 
there are no regulatory restrictions in making such software ``publicly 
available,'' and once ``publicly available,'' such software is 
available for download by any end user without restriction. Thus, 
removing such ``publicly available'' items from the jurisdiction of the 
EAR has no effect on export control policy and clarifies the scope of 
existing BIS controls. The greater clarity that this rule provides will 
encourage the exchange of publicly available mass market encryption 
object code software and certain publicly available encryption object 
code by the exporting community. In effect, this rule removes any 
remaining uncertainty in the minds of exporters as to whether their 
actions constitute violations of U.S. export control law. Thus, 
delaying the effectiveness of this rule is contrary to the public 
interest.
    For the reasons listed above, good cause exists to waive the 30-day 
delay in effectiveness otherwise required by the APA. Further, no other 
law requires that a notice of proposed rulemaking and an opportunity 
for public comment be given for this direct final rule. Accordingly, no 
regulatory flexibility analysis is required and none has been prepared. 
Although notice and opportunity for comment are not required, BIS is 
issuing this rule in interim final form and is seeking public comments 
on these revisions.
    Further, no other law requires that a notice of proposed rulemaking 
and an opportunity for public comment be given for this final rule. 
Because a notice of proposed rulemaking and an opportunity for public 
comment are not required to be given for this rule under the 
Administrative Procedure Act or by any other law, the analytical 
requirements of the Regulatory Flexibility Act (5 U.S.C. 601 et seq.) 
are not applicable. Therefore, this regulation is issued in final form. 
Although there is no formal comment period, public comments on this 
regulation are welcome on a continuing basis. Comments should be 
submitted to Sharron Cook, Office of Exporter Services, Bureau of 
Industry and Security, Department of Commerce, 14th and Pennsylvania 
Ave., NW., Room 2705, Washington, DC 20230.

List of Subjects

15 CFR Part 732

    Administrative practice and procedure, Exports, Reporting and 
recordkeeping requirements.

[[Page 1062]]

15 CFR Part 734

    Administrative practice and procedure, Exports, Inventions and 
patents, Research science and technology.

15 CFR Part 740

    Administrative practice and procedure, Exports, Reporting and 
recordkeeping requirements.

15 CFR Part 772

    Exports.

15 CFR Part 774

    Exports, Reporting and recordkeeping requirements.


0
Accordingly, Parts 732, 734, 740, 772, and 774 of the Export 
Administration Regulations (15 CFR Parts 730 through 774) are amended 
as follows:

PART 732--[AMENDED]

0
1. The authority citations for Part 732 continue to read as follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 
FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of August 12, 2010, 75 
FR 50681 (August 16, 2010).


0
2. Section 732.2 is amended by revising paragraph (b) to read as 
follows:


Sec.  732.2  Steps Regarding Scope of the EAR.

* * * * *
    (b) Step 2: Publicly available technology and software. This step 
is relevant for both exports and reexports. Determine if your 
technology or software is publicly available as defined and explained 
at part 734 of the EAR. Supplement No. 1 to part 734 of the EAR 
contains several practical examples describing publicly available 
technology and software that are outside the scope of the EAR. The 
examples are illustrative, not comprehensive. Note that encryption 
software classified under ECCN 5D002 on the Commerce Control List 
(refer to Supplement No.1 to Part 774 of the EAR) is subject to the EAR 
even if publicly available, except for publicly available encryption 
object code software classified under ECCN 5D002 when the corresponding 
source code meets the criteria specified in Sec.  740.13(e) of the EAR.
* * * * *

PART 734--[AMENDED]

0
3. The authority citations for Part 734 continue to read as follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
E.O. 12938, 59 FR 59099, 3 CFR, 1994 Comp., p. 950; E.O. 13020, 61 
FR 54079, 3 CFR, 1996 Comp., p. 219; E.O. 13026, 61 FR 58767, 3 CFR, 
1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 
783; Notice of August 12, 2010, 75 FR 50681 (August 16, 2010); 
Notice of November 4, 2010, 75 FR 68673 (November 8, 2010).


0
4. Section 734.2 is amended in the last sentence of paragraph 
(b)(9)(ii) by removing the phrase ``and object code'' and adding a new 
sentence at the end to read as follows:


Sec.  734.2  Important EAR terms and principles.

* * * * *
    (b) * * *
    (9) * * *
    (ii) * * * Publicly available encryption software in object code 
that corresponds to encryption source code made eligible for License 
Exception TSU under section 740.13(e) is not subject to the EAR.

0
5. Section 734.3 is amended by:
0
a. Revising paragraph (b)(3) introductory text;
0
b. Adding a new sentence to the end of the Note to paragraphs (b)(2) 
and (b)(3) to read as follows:


Sec.  734.3  Items Subject to the EAR.

* * * * *
    (b) * * *
    (3) Publicly available technology and software, except software 
classified under ECCN 5D002 on the Commerce Control List, that:
* * * * *
    Note to paragraphs (b)(2) and (b)(3) of this section: * * * 
Publicly available encryption object code software classified under 
ECCN 5D002 is not subject to the EAR when the corresponding source code 
meets the criteria specified in Sec.  740.13(e) of the EAR.
* * * * *

0
6. Section 734.7 is amended by revising paragraph (c) to read as 
follows:


Sec.  734.7  Published information and software.

* * * * *
    (c) Notwithstanding paragraphs (a) and (b) of this section, note 
that published encryption software classified under ECCN 5D002 on the 
Commerce Control List (Supplement No. 1 to part 774 of the EAR) remains 
subject to the EAR, except publicly available encryption object code 
software classified under ECCN 5D002 when the corresponding source code 
meets the criteria specified in Sec.  740.13(e) of the EAR. See Sec.  
740.13(e) of the EAR for eligibility requirements for exports and 
reexports of publicly available encryption source code under License 
Exception TSU.

0
7. Section 734.8 is amended by revising the last two sentences in 
paragraph (a) to read as follows:


Sec.  734.8  Information resulting from fundamental research.

    (a) * * * Note that the provisions of this section do not apply to 
encryption software classified under ECCN 5D002 on the Commerce Control 
List (Supplement No. 1 to part 774 of the EAR), except publicly 
available encryption object code software classified under ECCN 5D002 
when the corresponding source code meets the criteria specified in 
Sec.  740.13(e) of the EAR. See Sec.  740.13(e) of the EAR for 
eligibility requirements for exports and reexports of publicly 
available encryption source code under License Exception TSU.
* * * * *

0
8. Section 734.9 is amended by revising the last two sentences to read 
as follows:


Sec.  734.9  Educational information.

    * * * Note that the provisions of this section do not apply to 
encryption software classified under ECCN 5D002 on the Commerce Control 
List, except publicly available encryption object code software 
classified under ECCN 5D002 when the corresponding source code meets 
the criteria specified in Sec.  740.13(e) of the EAR. See Sec.  
740.13(e) of the EAR for eligibility requirements for exports and 
reexports of publicly available encryption source code under License 
Exception TSU.

Supplement No. 1 to Part 734 [Amended]

0
8. Supplement No. 1 to part 734 is amended by removing Question G(3) 
and the answer to G(3).

PART 740--[AMENDED]

0
9. The authority citation for part 740 continues to read as follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
22 U.S.C. 7201 et seq.; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., 
p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice 
of August 12, 2010, 75 FR 50681 (August 16, 2010).


0
10. Section 740.13 is amended by revising paragraph (e) to read as 
follows:


Sec.  740.13  Technology and software--unrestricted (TSU).

* * * * *
    (e) Publicly available encryption source code. (1) Scope and 
eligibility. Subject to the notification requirements of paragraph 
(e)(3) of this section, this paragraph (e) authorizes exports and 
reexports of publicly available encryption source code classified under

[[Page 1063]]

ECCN 5D002 that is subject to the EAR (see Sec.  734.3(b)(3) of the 
EAR). Such source code is eligible for License Exception TSU under this 
paragraph (e) even if it is subject to an express agreement for the 
payment of a licensing fee or royalty for commercial production or sale 
of any product developed using the source code.
    (2) Restrictions. This paragraph (e) does not authorize:
    (i) Export or reexport of any encryption software classified under 
ECCN 5D002 that does not meet the requirements of paragraph (e)(1), 
even if the software incorporates or is specially designed to use other 
encryption software that meets the requirements of paragraph (e)(1) of 
this section; or
    (ii) Any knowing export or reexport to a country listed in Country 
Group E:1 in Supplement No. 1 to part 740 of the EAR.
    (3) Notification requirement. You must notify BIS and the ENC 
Encryption Request Coordinator via e-mail of the Internet location 
(e.g., URL or Internet address) of the publicly available encryption 
source code or provide each of them a copy of the publicly available 
encryption source code. If you update or modify the source code, you 
must also provide additional copies to each of them each time the 
cryptographic functionality of the source code is updated or modified. 
In addition, if you posted the source code on the Internet, you must 
notify BIS and the ENC Encryption Request Coordinator each time the 
Internet location is changed, but you are not required to notify them 
of updates or modifications made to the encryption source code at the 
previously notified location. In all instances, submit the notification 
or copy to crypt@bis.doc.gov and to enc@nsa.gov.
    Note to paragraph (e): Posting encryption source code on the 
Internet (e.g., FTP or World Wide Web site) where it may be downloaded 
by anyone neither establishes ``knowledge'' of a prohibited export or 
reexport for purposes of this paragraph, nor triggers any ``red flags'' 
imposing a duty to inquire under the ``Know Your Customer'' guidance 
provided in Supplement No. 3 to part 732 of the EAR. Publicly available 
encryption object code software classified under ECCN 5D002 is not 
subject to the EAR when the corresponding source code meets the 
criteria specified in this paragraph (e), see Sec.  734.3(b)(3) of the 
EAR.
* * * * *

PART 742--[AMENDED]

0
11. The authority citation for part 742 continues to read as follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
22 U.S.C. 3201 et seq.; 42 U.S.C. 2139a; 22 U.S.C. 7201 et seq.; 22 
U.S.C. 7210; Sec 1503, Pub. L. 108-11, 117 Stat. 559; E.O. 12058, 43 
FR 20947, 3 CFR, 1978 Comp., p. 179; E.O. 12851, 58 FR 33181, 3 CFR, 
1993 Comp., p. 608; E.O. 12938, 59 FR 59099, 3 CFR, 1994 Comp., p. 
950; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 
66 FR 44025, 3 CFR, 2001 Comp., p. 783; Presidential Determination 
2003-23 of May 7, 2003, 68 FR 26459, May 16, 2003; Notice of August 
12, 2010, 75 FR 50681 (August 16, 2010); Notice of November 4, 2010, 
75 FR 68673 (November 8, 2010).


0
11. Section 742.15 is amended:
0
a. By revising the fourth sentence of paragraph (b) introductory text; 
and
0
b. By adding a note to paragraph (b) introductory text to read as 
follows:
* * * * *
    (b) * * * Exports and reexports authorized under paragraphs (b)(1) 
and (b)(3) of this section (including of mass market encryption 
software that would be considered publicly available under Sec.  
734.3(b)(3) of the EAR) must be supported by an encryption registration 
in accordance with paragraph (b)(7) of this section and the specific 
instructions of paragraph (r)(1) of Supplement No. 2 to part 748 of the 
EAR. * * *

    Note to introductory text of paragraph (b): Mass market 
encryption software that would be considered publicly available 
under Sec.  734.3(b)(3) of the EAR, and is authorized for export and 
reexport under this paragraph (b), remains subject to the EAR until 
the encryption registration and all applicable classification or 
self-classification requirements set forth in this section are 
fulfilled.

* * * * *

PART 772--[AMENDED]

0
11. The authority citation for part 772 continue to read as follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of August 
12, 2010, 75 FR 50681 (August 16, 2010).


Sec.  772.1  [Amended]

0
12. In Sec.  772.1, the definition of the term ``commodity'' is amended 
by removing the last two sentences of the definition.

PART 774--[AMENDED]

0
13. The authority citation for part 774 continues to read as follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
10 U.S.C. 7420; 10 U.S.C. 7430(e); 22 U.S.C. 287c, 22 U.S.C. 3201 et 
seq., 22 U.S.C. 6004; 30 U.S.C. 185(s), 185(u); 42 U.S.C. 2139a; 42 
U.S.C. 6212; 43 U.S.C. 1354; 15 U.S.C. 1824a; 50 U.S.C. app. 5; 22 
U.S.C. 7201 et seq.; 22 U.S.C. 7210; E.O. 13026, 61 FR 58767, 3 CFR, 
1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 
783; Notice of August 12, 2010, 75 FR 50681 (August 16, 2010).


0
14. In Supplement No. 1 to part 774 (the Commerce Control List), 
Category 5, Part 2, Export Control Classification Number (ECCN) 5D002 
is amended by adding the heading ``License Requirements'' after the 
ECCN heading and revising the last note in the License Requirements 
section to read as follows:

Supplement No. 1 to Part 774

* * * * *

5D002 Information Security--``Software as follows (see List of Items 
Controlled).''

License Requirements

* * * * *

    Note: Encryption source code classified under this entry remains 
subject to the EAR even when made publicly available in accordance 
with part 734 of the EAR. However, publicly available encryption 
object code software classified under ECCN 5D002 is not subject to 
the EAR when the corresponding source code meets the criteria 
specified in Sec.  740.13(e), see also Sec.  734.3(b)(3) of the EAR.

* * * * *

    Dated: December 20, 2010.
Kevin J. Wolf,
Assistant Secretary for Export Administration.
[FR Doc. 2010-32803 Filed 1-6-11; 8:45 am]
BILLING CODE 3510-33-P