Export Controls: Research and Encryption

Introduction

As a general rule, code developed here at Stanford is the product of non-proprietary, fundamental research. To reinforce this, and to avoid difficulties with federal export control regulations, researchers should upload Stanford-generated encryption code onto a publicly available website as soon as possible. Access to the code must not include login requirements or other password or authentication procedures. In some cases, Stanford's Export Control Office must also be notified before dual-use "strong" encryption code is posted to the web. "Strong" dual-use encryption code is addressed in the section below dealing with the Export Administration Regulations (EAR).

US person researchers should also be aware that an export license may be required before providing technical assistance to foreign persons in the overseas manufacture or development of software or hardware containing strong encryption.

The rest of this page describes federal regulations that apply to encryption export controls, namely, the International Traffic in Arms Regulations (ITAR) and EAR.

International Traffic in Arms Regulations

The sharing, shipping, transmission, or transfer of all encryption software in either source code or object code that is specially designed or developed for a military application is subject to the International Traffic in Arms Regulations (ITAR). Many intelligence and space applications are also regulated by the ITAR. ITAR-related encryption software is controlled for export and cannot be shared with a foreign person unless the code is already published or otherwise in the public domain.

See Encryption Controls and the US Munitions List (USML) for an identification of ITAR-regulated encryption by USML category.

ITAR Encryption Compliance

Stanford researchers generating ITAR-related encryption software must upload the code onto a publicly available website immediately to demonstrate that the software has been published.

The Stanford-developed encryption software must be freely downloadable by all interested members of the scientific community at no charge and without Stanford's knowledge by whom or from where the data is being downloaded. This means no login requirement or other password or other authentication procedures. The government could view a login or other authentication requirement as an access control, and such a requirement could negate the university's ability to characterize the generated software as unrestricted fundamental research excluded from export controls.

Unlike the Export Administration Regulations (EAR) that address "dual-use" software and technology, discussed below, the munitions-specific ITAR does not require government notification before making the software publicly available.

Export Administration Regulations

The sharing, shipping, transmission, or transfer of almost all dual-use encryption software in either source code or object code is subject to the Export Administration Regulations. Even most of today's publicly available dual-use encryption software, which uses "strong" encryption, is captured by the EAR and requires the availability of a License Exception to exit the US. A License Exception under the EAR is an authorization based on a set of criteria, which when met allows the exporter to circumvent what would otherwise have been a requirement to obtain an export license.

See EAR Strong Encryption Controls for a listing of encryption code that meets this definition.

EAR Strong Encryption Compliance

Stanford researchers MUST email the University Export Control Office with the internet location or URL of the EAR-controlled strong encryption software before making the software publicly available regardless of medium. Only after receiving an email confirmation from the Export Control Office may the researcher upload the code onto a publicly available website.

The Stanford-developed encryption software must be freely downloadable by all interested members of the scientific community at no charge and without Stanford's knowledge by whom or from where the data is being downloaded. This means no login requirement or other password or authentication procedures. The government could view a login or other authentication requirement as an access control, and such a requirement could destroy the university's ability to characterize the generated software as in the public domain without restriction.

Publicly available dual-use encryption software that does not entail strong encryption requires neither US government notification nor review and can be freely shipped, shared, transferred, or transmitted outside of the US regardless of destination.

Strong Encryption and US Person Technical Assistance

In addition to regulating the export of encryption code, the EAR also regulates US person activity with respect to strong dual-use encryption software and hardware. Without US government approval, US persons are prohibited from providing technical assistance (i.e., instruction, skills training, working knowledge, consulting services) to a foreign person with the intent to assist in the overseas development or manufacture of dual-use encryption software or hardware employing strong encryption code. This prohibition does NOT limit Stanford personnel from teaching or discussing general information about cryptography or developing or sharing encryption code within the United States that arises during, or results from, Stanford or other university-generated fundamental research.