Strong Encryption Export Controls


Export Administration Regulations (EAR)

The release of publicly available strong encryption software under the EAR is tightly regulated. However, a License Exception TSU (Technology and Software - Unrestricted) is available for transmission or transfer of the code outside of the US.

Strong dual-use encryption, addressed in Category 5 Part II of the EAR's Commerce Control List (CCL) at 5A002 (encrypted hardware) and 5D002 (encryption software), is defined as:

  • Employing a symmetric algorithm with a key length in excess of 56-bits;
  • Employing an asymmetric algorithm based on:
    • A factorization of integers in excess of 512 bits (i.e. RSA);
    • Computation of discrete logarithms in a multiplicative group of a finite field of size greater than 512 bits (i.e. Diffie-Hellman over Z/pZ);
    • Discrete logarithms in a group in excess of 112 bits (i.e. Diffie-Hellman over an elliptic curve);
  • Designed or modified to perform dual-use cryptanalytic functions;
  • Designed or modified to use quantum cryptography;
  • Specially designed or modified to reduce the compromising emanations of information bearing signals beyond that necessary for health, safety or electromagnetic interference;
  • Using cryptographic techniques to generate the spreading code for dual-use spread spectrum systems including the hopping code for frequency hopping systems;
  • Using cryptographic techniques to generate channelizing codes, scrambling codes or network identification codes for systems using ultra-wideband modulation techniques;
  • Using cryptography in communications cable systems designed or modified to detect surreptitious intrusion using mechanical, electrical or electronic means.

Strong dual-use encryption software is NOT:

  • Cryptographic code limited to authentication and digital signature including associated key management functions;
  • Software using fixed data compression or coding techniques;
  • Encryption/decryption code designed to protect libraries, design attributes or associated data for the design of semiconductor devices or integrated circuits.

NOTE: The examples provided above are intended as general summaries and are not authoritative. Researchers are responsible for consulting the CCL for encryption software specifically designed or developed for applications not captured by the ITAR.

Publicly available software under the EAR, as under the ITAR, is exempt from export control. However, before strong dual-use encryption code is made publicly available via the internet or otherwise placed electronically in the public domain, exporters must provide the US Government with either a copy of the strong dual-use encryption code or a one-time notification of the internet location (URL) of the code. This must be done before making the software publicly available. Notification after transmission or transfer of the software outside the US is an export control violation.

Updates and Modifications: The US Government requires notification of updates or modifications to strong encryption software already made publicly available when the original method for notification had been submission of a copy of the encryption software. When notification is made by email describing the internet location (URL) of the code, the government only has to be notified of encryption updates and modifications when the internet location of the modified or updated code has changed. So that Stanford researchers do not have to concern themselves with notifying the government of frequent modifications or updates to their encryption code, Stanford will fulfill the initial notification requirement by emailing the internet location or URL of the posted code. Stanford will not provide the government with electronic copies of the code.

Stanford Researcher Action Required: EAR Strong Encryption Compliance

Stanford researchers MUST email the University Export Control Office with the internet location or URL of the EAR-controlled strong encryption software before making the software publicly available regardless of medium. Only after receiving an email confirmation from the ECO may the researcher upload the code onto a publicly available website.

The Stanford-developed encryption software must be freely downloadable by all interested members of the scientific community at no charge and without Stanford's knowledge by whom or from where the data is being downloaded. This means no login requirement or other password or authentication procedures. The government could view a login or other authentification requirement as an access control, and such a requirement could destroy the university's ability to characterize the generated software as in the public domain without restriction.

Publicly available dual-use encryption software that does not entail strong encryption requires neither US government notification nor review and can be freely shipped, shared, transferred or transmitted outside of the US regardless of destination.

Strong Encryption and US Person Technical Assistance: In addition to regulating the export of encryption code, the EAR also regulates US person activity with respect to strong dual-use encryption software and hardware. Without US government approval, US persons are prohibited from providing technical assistance (i.e., instruction, skills training, working knowledge, consulting services) to a foreign person with the intent to assist in the overseas development or manufacture of dual-use encryption software or hardware employing strong encryption code. This prohibition does NOT limit Stanford personnel from teaching or discussing general information about cryptography or developing or sharing encryption code within the United States that arises during, or results from, Stanford or other university-generated fundamental research.