The sharing, shipping, transmission or transfer of almost all encryption software in either source code or object code is subject to US export regulations (see Encryption Export Controls for a discussion of procedural requirements associated with transmissions or transfers of Stanford-generated encryption code outside of the US).
Even most publicly available "dual-use" encryption code captured by the Export Administration Regulations (EAR) requires the availability of a License Exception. A License Exception under the EAR is an authorization based on a set of criteria, which when met, allows the exporter to circumvent export licensing requirements. The release of publicly available encryption code under the EAR is generally authorized by License Exception TSU (Technology and Software - Unrestricted) whereby the exporter provides the US Government with a "one-time" notification of the location of the publicly available encryption code prior to or at the time the code is placed in the public domain. Notification after transmission of the code outside the US is an export control violation.
In addition, US persons are prohibited without prior authorization from providing technical assistance (i.e., instruction, skills training, working knowledge, consulting services) to a foreign person with the intent to assist in the overseas development or manufacture of encryption software that is subject to US Government notification or authorization. This prohibition does NOT limit Stanford personnel from teaching or discussing general information about cryptography or developing or sharing encryption code within the United States that arises during, or results from, fundamental research.
Two License Exceptions are available for the Stanford community when the tangible export of items and software containing encryption code like laptops, PDAs, and cell phones is necessary for travel or relocation:
- License Exception TMP (Temporary Exports) allows those departing from the US on university business to take with them as "tools of the trade" Stanford-owned or controlled, retail-level encryption items such as laptops, smartphones, and encryption software in source or object code to all countries except Cuba, as long as the items and software will remain under their "effective control" overseas and are returned to the US within 12 months or are consumed or destroyed abroad;
- License Exception BAG (Baggage) allows individuals departing the US either temporarily (travel) or longer-term (relocation) to take with them as personal baggage family-owned retail-level encryption items including laptops, smartphones, and encryption software in source or object code. The encryption items and software must be for their personal use in private or professional activities. Citizens and permanent resident aliens of all countries except Cuba, Syria, North Korea and Iran may take with them as personal baggage non-retail "strong" encryption items and software to all locations except embargoed or otherwise restricted locations.
If you have a question about encryption software after reading this information, contact Steve Eisner.