• OESRC Home
• Office of the Vice President for Research
• Office of Research Compliance
•  
• News and Events
• Frequently Asked Questions
• Policies
• Training Sign-Up
•  
• ITAR
• EAR
• OFAC Regulations
•  
• Travel
• Shipping
• Hand-Carry Tools
• Encryption
• Privacy and Data Security
• Forms

Encryption

Exporting Encryption Software

Sharing, shipping, transmission or transfer (exporting) of almost all encryption software in either source code or object code is subject to US export regulations. Even most publicly available "dual-use" encryption code requires a license or License Exception to ship outside the U.S.

A License Exception under the EAR is an authorization based on a set of criteria, which when met, allows the exporter to circumvent export licensing requirements. The release of publicly available encryption code under the EAR is generally authorized by License Exception TSU (Technology and Software - Unrestricted) whereby the exporter provides the US Government with a "one-time" notification of the location of the publicly available encryption code prior to or at the time the code is placed in the public domain. Notification after transmission of the code outside the US is an export control violation.

In addition, US persons are prohibited, without prior authorization, from providing technical assistance (i.e., providing instruction, skills training, a working knowledge,  and consulting services) to a foreign national with the intent to assist in the overseas development or manufacture of encryption software that is subject to U.S. Government notification or authorization. This prohibition does NOT limit university personnel from teaching or discussing general information about cryptography or developing or sharing encryption code within the United States that arises during, or results from, fundamental research.

Export License Exceptions

Three license exceptions are available for the university when the tangible export of items and software containing encryption code is necessary for travel or relocation:

1. License Exception TMP (Temporary Exports) allows university employees departing from the US on university business to take with them as "tools of trade" Virginia Tech-owned or controlled, retail-level encryption items such as laptops, personal digital assistants (PDAs), and cell phones and encryption software in source or object code to all countries except Cuba, Iran, North Korea, Sudan, and Syria, as long as the items and software will remain under their "effective control" overseas and are returned to the US within 12 months or are consumed or destroyed abroad;
2. License Exception BAG (Baggage) allows university employees departing the US either temporarily (travel) or longer-term (relocation) to take with them as personal baggage family-owned retail-level encryption items including laptops, personal digital assistants (PDAs), and cell phones and encryption software in source or object code. The encryption items and software must be for their personal use in private or professional activities. Citizens and permanent resident aliens of all countries except Cuba, Iran, North Korea, Sudan, and Syria, may take with them as personal baggage non-retail "strong" encryption items and software to all locations except embargoed or sanctioned countries or entities;
3. License Exception ENC(Encryption) permits the export of non-mass market “weak crypto” software  without Commerce Department review (e.g., employing a symmetric algorithm that uses less than an 64 bit key length or 80 bit key length for some countries.) It also permits “strong crypto” products to be sold worldwide. In conjunction with License Exception TMP, ENC allows university employees to temporarily export as “tools of trade” weak non-mass market (non-commercial) or strong commercial crypto products. 

Reporting Requirements

There are reporting requirements to the Commerce Department related to the export of strong crypto products, and there may be a 30 day delay required. Contact the Office of Export and Secure Research Compliance if you have questions or need further information. 

Source Code 

Source code is a convenient expression of one or more processes that may be turned by a programming system into equipment executable form (“object code” (or object language)).  A computer program's source code is the collection of files needed to convert from human-readable form to some kind of computer-executable form. The source code may be converted into an executable file by a compiler, or executed on the fly from the human readable form with the aid of an interpreter.

Object Code

Object code (or object language) is an equipment executable form of a convenient expression of one or more processes (“source code” (or source language)) that has been converted by a programming system. In other words, object code is the representation of code that a compiler or assembler generates by processing a source code file. The object code file contains a sequence of machine-readable instructions that is processed by the CPU in a computer. Operating system or application software is usually in the form of compiled object code.

 

---

This material is adapted from the basic design and content of Stanford University's Export Controls page.
We appreciate Stanford University in granting us permission to use their content.