End-to-End Encryption and a New Understanding of Technology and Software Export Controls

by: Matt Fogarty

On June 3, 2016, the Commerce Department’s Bureau of Industry and Security (“BIS”) and the State Department’s Directorate of Defense Trade Controls (“DDTC”) both published in the Federal Register final rules updating a number of definitions in the Export Administration Regulations (“EAR”) (81 Fed. Reg. 35,586) and the International Traffic in Arms Regulations (“ITAR”) (81 Fed. Reg. 35,611), respectively. As the most recent effort in the Obama Administration’s ongoing Export Control Reform initiative, both rules are intended to streamline and to standardize definitions across the two export control regimes. In at least one instance, however, the BIS rule offers substantially more flexibility to U.S. companies attempting to manage controlled technology and software in the cloud or via other solutions that involve offshore storage, access, and transmission of data.

Specifically, the BIS rule updates the EAR’s definition of “export” to exclude data that is encrypted end-to-end between the transmitting party and the receiving party. The new rule lays out a four-part analysis to determine whether data is protected under this end-to-end encryption carveout. Data (including technology and software) transmitted from one country to another is not considered to be exported if:

1) The data is unclassified;

2) The data is secured throughout the transmission using “end-to-end” encryption;

3) The data is secured using encryption that, at minimum, meets the standards of Federal Information Processing Standards Publication ("FIPS") 140-2 or its successors or other equally or more effective cryptographic means; and

4) The data is not intentionally stored in a Country Group D:5 country (countries subject to U.S. arms embargoes, as listed in Supplement No. 1 to 15 C.F.R. Part 740) or in the Russian Federation.

The new rule provides a definition of "end-to-end" encryption as cryptographic means that protect data such that the data is not unencrypted between the originator and the intended recipient and where the means of decryption are not provided to any third party. The rule also notes that the export of the means of access to encrypted information is captured under the EAR and subject to the same level of control as the controlled data or software would be were it not encrypted. This change is consistent with BIS’ updated definition of “release,” which specifies that EAR-controlled technology is only deemed to be an export if controlled technology is actually revealed to the recipient (i.e., that the controlled technology is actually cognizable to the viewer). In this respect, BIS has taken care to only control real—as opposed to theoretical—exports of controlled technology; rather than attempt to capture encrypted data and software when they exit the United States, BIS has shifted the focus of the EAR onto the point at which data and software become visible and/or usable to a person outside the United States.

In practical terms, this rule potentially exempts from the EAR's export controls data streams between, for example, a U.S. company and its offshore data storage facility; any data uploaded to a cloud server located outside the United States and then later retrieved by someone within the United States would not be considered to have been exported, provided the conditions above are met. Similarly, encrypted email bounced between data farms in foreign countries would not trigger export concerns. In short, once the revised definitions come into effect on September 1, the EAR will be substantially friendlier to cloud computing and other IT service providers, as well as to U.S. companies seeking to take advantage of overseas data solutions.

Importantly, while the BIS and DDTC rules purport to harmonize definitions across export control regimes, note that DDTC did not choose to incorporate a similar end-to-end encryption carveout in the ITAR’s definition of “export.” While the DDTC rule does not go quite as far in its definition of “release,” DDTC did clarify the definition of “release” to affirm that technical data is only exported if it is revealed to a foreign national. It remains unclear how expansively DDTC will interpret this provision and whether or not, in practice, DDTC fully embraces BIS' position that mere hypothetical access to controlled technical data does not rise to the level of an export. Nevertheless, unlike under the EAR, the transmission of ITAR-controlled data, regardless of whether it is encrypted or otherwise inaccessible, would likely still constitute an export under the ITAR. Accordingly, from a compliance perspective, while it is useful to be able to argue in, for example, a voluntary disclosure to DDTC that technical data inadvertently sent offshore was encrypted and inaccessible in plain text, companies within the U.S. defense industry must nevertheless take care to control network access, storage, and transmission of ITAR-controlled technical data.