BIS has amended the EAR by implementing the agreements made by the Wassenaar Arrangement at the plenary meeting in December 2009 that pertained to “information security” items. This rule adds an overarching note that excludes particular products that use cryptography from being controlled as “information security” items. The new note focuses “information security” controls on the use of encryption for computing, communications, networking and information security. Many items in which the use of encryption is ancillary to the primary function of the item are no longer controlled under Category 5, Part 2, of the Commerce Control List (CCL).
The Adoption of a New Decontrol Note
The new note appears as Note 4 to Category 5, Part 2 of the CCL and provides as follows:
Note 4: Category 5, Part 2 does not apply to items incorporating or using “cryptography” and meeting all of the following:
a. The primary function or set of functions is not any of the following:
1. “Information security”;
2. A computer, including operating systems, parts and components therefor;
3. Sending, receiving or storing information (except in support of entertainment, mass commercial broadcasts, digital rights management or medical records management); or
4. Networking (includes operation, administration, management and provisioning);
b. The cryptographic functionality is limited to supporting their primary function or set of functions; and
c. When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter’s country in order to ascertain compliance with conditions described in paragraphs a. and b. above.
Note 4 completely removes the decontrolled items from control under Category 5, Part 2 of the CCL.
Please note that certain products may be controlled under an ECCN elsewhere in the CCL even if they are no longer controlled for encryption reasons.
The Removal of the Term “Ancillary Cryptography” from the EAR and the Decontrol of Certain Items in the Note to 5A002
Previously, certain products were deemed “ancillary cryptography” and were exempted from the classification and reporting requirements. With the decontrols outlined in Note 4, the term “ancillary cryptography” is no longer necessary and has been removed from the EAR. Products that meet the requirements of Note 4 are no longer controlled under Category 5, Part 2.
In addition to decontrolling all items previously deemed to be “ancillary cryptography,”
Note 4 decontrols all items listed under former paragraphs (b), (c) and (h) of the Note in the items paragraph of ECCN 5A002.
The former regulatory language provided:
Note: 5A002 does not control any of the following. However, these items are instead controlled under 5A992:
(b) Receiving equipment for radio broadcast, pay television or similar restricted audience broadcast of the consumer type, without digital encryption except that exclusively used for sending the billing or program-related information back to the broadcast providers;
(c) Equipment where the cryptographic capability is not user-accessible and which is specially designed and limited to allow any of the following:
(1) Execution of copy-protected “software”;
(2) Access to any of the following:
(a) Copy-protected contents stored on read-only media; or
(b) Information stored in encrypted form on media (e.g., in connection with the protection of intellectual property rights) where the media is offered for sale in identical sets to the public;
(3) Copying control of copyright protected audio/video data; or
(4) Encryption and/or decryption for protection of libraries, design attributes, or associated data for the design of semiconductor devices or integrated circuits;
(h) Equipment specially designed for the servicing of portable or mobile radiotelephones and similar client wireless devices that meet all the provisions of the Cryptography Note (Note 3 in Category 5, Part 2), where the servicing equipment meets all of the following:
(1) The cryptographic functionality of the servicing equipment cannot easily be changed by the user of the equipment;
(2) The servicing equipment is designed for installation without further substantial support by the supplier; and
(3) The servicing equipment cannot change the cryptographic functionality of the device being serviced; …
The effect of the decontrol language in former paragraphs (b), (c) and (h) was to change the classification of items from ECCN 5A002 to ECCN 5A992, removing the items from the scope of “encryption item” and national security control policies. However, the decontrolled items remained classified under an ECCN in Category 5, Part 2 of the CCL. In contrast, under this rule, Note 4 completely removes the decontrolled items from control under Category 5, Part 2 of the CCL.
However, the encryption components, source code and technology used to manufacture an item that uses encryption may be controlled under Category 5, Part 2, of the CCL.
No New Items Added to Encryption Controls
No items have been added to encryption controls under Category 5, Part 2, of the CCL that were not already controlled under Category 5, Part 2, of the CCL.
Please note that although no new items have been added to Category 5, Part 2, of the CCL, the specific requirements for classification of specific items controlled under Category 5, Part 2, of the CCL may have changed.