Export Controls Decision Tree: Stanford-Developed Software


Are you sharing, shipping, hand carrying, transmitting or transferring Stanford-developed, non-commercial encryption software(1) in source code or object code(2) (including travel outside the country with such software)?

YES          NO

(1) The sharing, shipping, transmission or transfer of almost all encryption software in either source code or object code is subject to US export regulations (see Encryption Export Controls for a discussion of procedural requirements associated with transmissions or transfers of Stanford-generated encryption code outside of the US).

Even most publicly available "dual-use" encryption code captured by the Export Administration Regulations (EAR) requires the availability of a License Exception. A License Exception under the EAR is an authorization based on a set of criteria, which when met, allows the exporter to circumvent export licensing requirements. The release of publicly available encryption code under the EAR is generally authorized by License Exception TSU (Technology and Software - Unrestricted) whereby the exporter provides the US Government with a "one-time" notification of the location of the publicly available encryption code prior to or at the time the code is placed in the public domain. Notification after transmission of the code outside the US is an export control violation.

In addition, US persons are prohibited without prior authorization from providing technical assistance (i.e., instruction, skills training, working knowledge, consulting services) to a foreign person with the intent to assist in the overseas development or manufacture of encryption software that is subject to US Government notification or authorization. This prohibition does NOT limit Stanford personnel from teaching or discussing general information about cryptography or developing or sharing encryption code within the United States that arises during, or results from, fundamental research.

Two License Exceptions are available for the Stanford community when the tangible export of items and software containing encryption code like laptops, PDAs, and cell phones is necessary for travel or relocation:

  • License Exception TMP (Temporary Exports) allows those departing from the US on university business to take with them as "tools of the trade" Stanford-owned or controlled, retail-level encryption items such as laptops, smartphones, and encryption software in source or object code to all countries except Cuba, as long as the items and software will remain under their "effective control" overseas and are returned to the US within 12 months or are consumed or destroyed abroad;

  • License Exception BAG (Baggage) allows individuals departing the US either temporarily (travel) or longer-term (relocation) to take with them as personal baggage family-owned retail-level encryption items including laptops, smartphones, and encryption software in source or object code. The encryption items and software must be for their personal use in private or professional activities. Citizens and permanent resident aliens of all countries except Cuba, Syria, North Korea and Iran may take with them as personal baggage non-retail "strong" encryption items and software to all locations except embargoed or otherwise restricted locations.


(2) Source code is generally understood to mean programming statements that are created by a programmer using a human-readable programming language with a text editor or a visual programming tool and then saved in a file which is later processed to run. Object code generally refers to the output, a compiled or interpreted file, which is produced when the Source Code is compiled or processed with a compiler (e.g. C, C# [to byte code], C++ or Java [to byte code]) or interpreter (e.g. a JavaScript, PHP, Powershell or Python.) The object code file contains a sequence of machine-readable instructions that is processed by the operating environment (runtime) on a computer. Operating system or application software is often in the form of compiled object code.

If you have a question about encryption software after reading this information, please submit them to exportcontrols@stanford.edu.