New Interim Final Rule Creates End-to-End Encryption Carve-Out for ITAR Technical Data
The Department of State Directorate of Defense Trade Controls (“DDTC”) has published an interim final rule (“the Interim Final Rule”) seeking public comments and clarifying that certain transfers of encrypted technical data are not exports, reexports, or retransfers subject to the International Traffic in Arms Regulations (“ITAR”). [1] Torres Law previously published a news alert on November 18, 2019 regarding the potential publication of a new rule. The Interim Final Rule is effective on March 25, 2020, and interested parties may submit public comments by January 27, 2020.
The process to reach an interim final rule has been years in the making. On June 3, 2015, DDTC, in conjunction with the Department of Commerce Bureau of Industry and Security (“BIS”),[2] published a proposed rule (the “2015 Proposed Rule”)[3] proposing several new definitions of terms, including “export,” “reexport,” “release,” and “activities that are not exports, reexports, retransfers, or temporary imports,” among other proposed revisions, and requested public comments. On June 3, 2016, DDTC published an interim final rule,[4] revising the definitions of many of the terms subject to the 2015 Proposed Rule but leaving out a new definition for “activities that are not exports, reexports, retransfers, or temporary imports.” For its part, BIS, the agency that administers the Export Administration Regulations (“EAR”), did move forward with a definition of items not considered exports, reexports, or transfers (in-country) under the EAR. This new definition, portions of which are sometimes described as an “encryption carve-out,” is found at 15 C.F.R. § 734.18 and, as we will discuss in further detail later, is the blueprint for the similar revision in the ITAR.
The new definition of “activities that are not Exports, Reexports, Retransfers, or Temporary Imports” is found at 22 C.F.R. § 120.17 and reads, in its entirety, as follows:
(a) The following activities are not exports, reexports, retransfers, or temporary imports:
(1) Launching a spacecraft, launch vehicle, payload, or other item into space.
(2) Transmitting or otherwise transferring technical data to a U.S. person in the United States from a person in the United States.
(3) Transmitting or otherwise transferring within the same foreign country technical data between or among only U.S. persons, so long as the transmission or transfer does not result in a release to a foreign person or transfer to a person prohibited from receiving the technical data.
(4) Shipping, moving, or transferring defense articles between or among the United States as defined in § 120.13 of this subchapter.
(5) Sending, taking, or storing technical data that is:
(i) Unclassified;
(ii) Secured using end-to-end encryption;
(iii) Secured using cryptographic modules (hardware or software) compliant with the Federal Information Processing Standards Publication 140-2 (FIPS 140-2) or its successors, supplemented by software implementation, cryptographic key management, and other procedures and controls that are in accordance with guidance provided in current U.S. National Institute for Standards and Technology (NIST) publications, or by other cryptographic means that provide security strength that is at least comparable to the minimum 128 bits of security strength achieved by the Advanced Encryption Standard (AES-128);
(iv) Not intentionally sent to a person in or stored in a country proscribed in § 126.1 of this subchapter or the Russian Federation; and
(v) Not sent from a country proscribed in § 126.1 of this subchapter or the Russian Federation.
NOTE TO PARAGRAPH (a)(5)(iv): Data in-transit via the Internet is not deemed to be stored.
(b)(1) For purposes of this section, end-to-end encryption is defined as:
(i) The provision of cryptographic protection of data, such that the data is not in an unencrypted form, between an originator (or the originator’s in-country security boundary) and an intended recipient (or the recipient’s in-country security boundary); and
(ii) The means of decryption are not provided to any third party.
(2) The originator and the intended recipient may be the same person. The intended recipient must be the originator, a U.S. person in the United States, or a person otherwise authorized to receive the technical data, such as by a license or other approval pursuant to this subchapter.
(c) The ability to access technical data in encrypted form that satisfies the criteria set forth in paragraph (a)(5) of this section does not constitute the release or export of such technical data.
The five new provisions in paragraph (a) are equivalent to the revisions BIS made to the EAR in a final rule published on June 3, 2016.[5] Those intimately familiar with the ITAR may notice that not all of the provisions of the new definition at § 120.54 are necessarily new regulations. Specifically, the provision at § 120.54(a)(1) excluding the launching of items into space was previously found in the ITAR at § 120.17(a)(6). The second provision of the new § 120.54 at (a)(2) makes clear what is already understood by most of industry and excludes from being a “controlled event”[6] transmitting technical data to a U.S. person in the United States from a person in the United States. In the Interim Final Rule, DDTC clarified that a transfer of technical data to a foreign person in the United States remains a controlled event.
Section 120.54(a)(3) was not included in the 2015 Proposed Rule but was added by DDTC in response to public comments to the 2015 Proposed Rule. This provision provides that DDTC will not treat as a controlled event the retransfer of technical data within a foreign country from one U.S. person to another U.S. person. This provision does not exclude such retransfers that result in a release to a foreign person, or a person that is ineligible to receive technical data, like a debarred party. The fourth provision, at subparagraph (a)(4), clarifies what has long been understood to not be a controlled event, which is the shipping, moving, or transferring of defense articles between or among the United States. Importantly, the ITAR defines United States at § 120.13, so parties should check the specific definition in this provision to address sometimes confusing issues related to U.S. territories (e.g., Guam, American Samoa, etc.).
Saving the best for last, DDTC created subparagraph (a)(5) to essentially harmonize the ITAR with the EAR encryption carve-out, with a few differences. Subparagraphs (a)(5)(i) and (a)(5)(ii) are identical to the equivalent EAR provision at 15 C.F.R. § 734.18. Subparagraph (a)(5)(ii) is slightly different than the similar provision in the EAR. Whereas the EAR provision requires “cryptographic key management and other procedures and controls that are in accordance with guidance provided in current U.S. National Institute for Standards and Technology publications (“NIST”), or other equally or more effective cryptographic means,” the new ITAR provision requires “cryptographic key management, and other procedures and controls that are in accordance with guidance provided in current NIST publications, or by other cryptographic means that provide security strength that is at least comparable to the minimum 128 bits of security strength achieved by the Advanced Encryption Standard (AES-128).” Here, DDTC is providing more specific guidance than BIS as to what will be considered by the agency as acceptable procedures and controls in lieu of FIPS 140-2 compliant modules. DDTC clarifies in the Interim Final Rule that, currently, such other acceptable means are expressed in “Table 2: Comparable strengths” of NIST Special Publication 800-57 Part 1, Revision 4.
Subparagraph (a)(5)(iv) specifically excludes from the encryption carve-out the intentional sending to a person in or storing in a country proscribed in § 126.1 or the Russian Federation. (The equivalent EAR provision only explicitly excludes storing in a D:5 Country or the Russian Federation.) Finally, adding a provision that is not in the equivalent EAR rule, DDTC added subparagraph (a)(5)(v), which excludes sending from a § 126.1 proscribed country or the Russian Federation.
Subparagraph (b) of the new definition defines “end-to-end encryption” and expands its explanation further than the equivalent provision in the EAR to specifically clarify that, “The intended recipient must be the originator, a U.S. person in the United States, or a person otherwise authorized to receive the technical data, such as by a license or other approval pursuant to this subchapter.” Lastly, subparagraph (c) clarifies that “the ability to access” technical data in encrypted form does not constitute the release or export of such technical data, if the encrypted technical data meets the criteria of subparagraph (a)(5).
In further explaining the revisions regarding end-to-end encryption in the Interim Final Rule, DDTC states that “a controlled event does not occur when technical data is encrypted prior to leaving the sender’s facilities and remains encrypted until decrypted by the intended authorized recipient or retrieved by the sender, as in the case of remote storage” (e.g., storage in the cloud). Instead, a controlled event occurs when the technical data is “released” as defined at § 120.50.
DDTC received several public comments in response to the end-to-end encryption portion of the 2015 Proposed Rule and disagrees with most of these comments, leading to an Interim Final Rule that is quite similar in most ways to the proposed revised definition at § 120.54 in the 2015 Proposed Rule.
As a matter of housekeeping, DDTC also revised the definitions of “export,” “temporary import,” “reexport,” and “retransfer”[7] to exclude from those definitions activities identified in § 120.54. DDTC also added a new definition at § 120.55 for “Access Information.” Access Information is defined as “information that allows access to encrypted technical data subject to this subchapter in an unencrypted form. Examples include decryption keys, network access codes, and passwords.” This definition is similar to the EAR companion provision at 15 C.F.R. § 734.19 regarding transfer of access information, but DDTC refused to add language from the EAR provision that required “knowledge that such transfer would result in a release of the technology without a required authorization,” stating that “an existing authorization for the release of technical data to the foreign person must be in place prior to the provision of access information to the foreign person that will allow the transition of the encrypted technical data to an unencrypted state.”
Finally, the Interim Final Rule revises the definition of “release” at § 120.50 to clarify “what constitutes a release of technical data, a controlled event requiring authorization from the [DDTC], and the provision of access information that may result in the release of technical data.” To that end, DDTC added two new subparagraphs to § 120.50(a) and the new subparagraph (b). The new portions of the “release” definition read as follows:
Technical data is released through:
[. . .]
(3) The use of access information to cause or enable a foreign person, including yourself, to access, view, or possess unencrypted technical data; or
(4) The use of access information to cause technical data outside of the United States to be in unencrypted form.
(b) Authorization for a release of technical data to a foreign person is required to provide access information to that foreign person, if that access information can cause or enable access, viewing, or possession of the unencrypted technical data.
The revisions to the ITAR “release” definition are analogous to the EAR’s definition of “access information” and the use of that term at 15 C.F.R. § 734.19 related to the “transfer of access information.” DDTC states in the Interim Final Rule, “In the absence of an authorization for the release of technical data in such circumstances, the provision of access information to a foreign person is a violation of ITAR.”
The publication of the Interim Final Rule is a significant step in harmonizing the ITAR with the EAR and an important change for companies that deal with ITAR technical data, particularly those companies that would like to store data, including ITAR technical data, in the cloud. Some cloud storage providers have servers located in foreign countries, which presented a barrier to storage of technical data. For companies that have amended their technology transfer and storage procedures to align with the EAR end-to-end encryption carve-out, the new ITAR revisions will not be unfamiliar. However, it is important for companies to carefully review the specific provisions of the new definitions to make sure they stay compliant with all the requirements. Because the Interim Final Rule seeks additional public comments, a final rule with further revisions may be published at a later date. If you have any questions about the Interim Final Rule, do not hesitate to contact the attorneys at Torres Law.
[1] Creation of Definition of Activities That Are Not Exports, Reexports, Retransfers, or Temporary Imports; Creation of Definition of Access Information; Revisions to Definitions of Export, Reexport, Retransfer, Temporary Import, and Release, 84 Fed. Reg. 70,887 (Dec. 26, 2019), available at https://www.pmddtc.state.gov/sys_attachment.do?sysparm_referring_url=tear_off&view=true&sys_id=1d508454db82c8505c3070808c961968.
[2] Revisions to Definitions in the Export Administration Regulations, 80 Fed. Reg. 31,505 (June 3, 2015).
[3] International Traffic in Arms: Revisions to Definitions of Defense Services, Technical Data, and Public Domain; Definition of Product of Fundamental Research; Electronic Transmission and Storage of Technical Data; and Related Definitions, 80 Fed. Reg. 31,525 (June 3, 2015).
[4] International Traffic in Arms: Revisions to Definition of Export and Related Definitions, 81 Fed. Reg. 35,611 (June 3, 2016). DDTC subsequently reviewed the public comments on this interim final rule and published a final rule on September 8, 2016. International Traffic in Arms: Revisions to Definition of Export and Related Definitions, 81 Fed. Reg. 62,004 (Sep. 8, 2016).
[5] Revisions to Definitions in the Export Administration Regulations, 80 Fed. Reg. 35,586 (June 3, 2016).
[6] We will hereafter adopt the language used in the interim final rule and collectively describe exports, reexports, retransfers, and temporary imports as “controlled events.”
[7] 22 C.F.R. § 120.17(a), 22 C.F.R. § 120.18, 22 C.F.R. § 120.19(a), and 22 C.F.R. § 120.51(a), respectively.