Encryption, Bad Guys, and You. A Summary of Export Laws for Technology Companies.


If you distribute products, services, or any data outside of the United States or disclose information within the United States to a national of a country other than the U.S., then you are exporting, which means there are certain rules you need to follow in your distribution. This post is geared towards technology companies that are not providing weapons or space technology. As always, this is intended to be educational and is not intended to be legal advice for your particular situation. If you have been exporting for any amount of time and have not been taking steps similar to the below, contact an export attorney before proceeding any further.

What is an export?

An export can be a tangible item, an e-mail, software download, instant message, or information provided over the phone to someone or something outside of the United States. An export also includes providing information to a national of another country while that person is within the United States. This is called a deemed export. More information on deemed exports can be found in the Deemed Export FAQs section on the BIS Site. If a national of another country attends a training class or presentation at a trade show within the United States, the information disclosed in the presentation or class is a deemed export. If you export to a channel partner outside the United States and they then distribute that product to another country, this is called a reexport. In all instances you are exporting and are responsible for taking steps to ensure the export is compliant with regulations.

Why do you care?

As you can imagine, violating any export law could result in fines. The high end of the potential fines is hefty and not always based on the value of what is exported. Fines can be up to $250,000.00 per violation. For example, say you provide two free software downloads and send one support related e-mail to a person or company in violation of the export regulations. That could potentially run you up to $750,000.00. Also, exporting in violation of regulations could result in more than just civil violations. It may also result in criminal charges and penalties. The penalties could go up to $1 million. And it’s not just having to shut the doors and turn out the lights due to penalties you have to be concerned about. There is personal criminal liability. Violate export regulations and you run the risk of going to jail. So you care.

Countries with Comprehensive Embargoes

The No No Not Ever List

If you take nothing else away from this blog, take away this. Never ever do business with companies located in, incorporated in, or nationals of Cuba, Iran, Syria, Northern Sudan, and North Korea. These are countries that the U.S. government has imposed a comprehensive embargo on due to the countries having policies counter to U.S. interests. There are some exceptions for exporting humanitarian relief items such as food and medicine, but this is not you. Just don’t do it.

The Burden

The Bureau of Industry and Security (BIS) requires that every company which exports be familiar with and comply with the steps set forth in the Export Administration Regulations (EAR). There is an affirmative obligation on companies to take certain steps. These steps can be found in these two links: Developing an Export Compliance Program and Manual, and Know Your Customer Guidance. The manual on developing a compliance program is comprehensive, so rather than regurgitate what is in there I’ll just provide a few tips further in this blog about implementing under these guidelines.


In every single situation but one, if you distribute outside of the U.S. you are obligated to screen everyone you do business with or export to against the denied persons list, denied entities list, and unverified persons list. The comprehensively embargoed countries will probably be relatively easy for you to implement processes to screen against, but the denied lists consist of thousands of persons and entities and change at least daily. To screen against those you are going to have to license some export compliance software. It will pay for itself if it prevents even a single prohibited export a year. An example of software that can do this is the Visual Compliance Software from eCustoms.

Publicly Available Encryption Source Code

With respect to most publicly available encryption source code which may be downloaded by anyone and for which the location of the person downloading is not made available to you, you are not required to screen. See 740.13 (e) for more detail. Note both the exceptions in 740.13 (e) (2) (i) and (ii) and the notification requirement to BIS and the ENC Encryption Request coordinator in 740 (e) (3). If you have knowledge of an export or reexport to a prohibited country (for example, if you require that persons create a user account prior to downloading and you require they provide their location, or they send you an email or other communication asking for assistance in downloading and mention their location or nationality), then you must prevent that export if the export is prohibited due to being an embargoed country or otherwise prohibited by the lists linked above. Strictly with respect to publicly available encryption source code, this does not mean you must affirmatively ask their location prior to assisting, but only that you must screen if you have knowledge of their location.

Everything Else

You have to screen.

Implementing the No No Not Ever List

Some ways to implement screening against the comprehensively embargoed list include: IP address checks; drop-down country lists in website account creation or product registration; blocking telephone calls going to or coming from an embargoed country calling code; training employees to be aware of the embargoed countries and developing department-specific procedures to prevent exporting to embargoed countries (for example, in a support call, asking for the location of the customer and the location of the installation they need assistance with); providing clear instructions to your partners in their contracts regarding their obligation not to export to the embargoed countries; and knowing your partners’ sales territories.

Remember, whatever location information you collect you MUST screen. If you collect point of sale information or addresses of training or conference attendees then you must screen those.

Making It Easy to Say No

Make sure your employees know how to handle a conversation if they discover there is an embargoed country situation. Let them know they must terminate the conversation upon discovering the issue and that, if the person asks why, they may provide them with links to the Lists of Parties of Concern and to the Embargoed List http://www.bis.doc.gov/index.php/forms-documents/doc_download/746-746 (this second link downloads a pdf) and then end the conversation. Let them know they are in fact obligated to end the conversation after doing so and that, while there is no reason to be rude about it, they are within their rights to refuse to speak any further after providing the links.

Product/Service Classification

Another requirement of export compliance is properly classifying your products and services prior to export. Generally your products/services fall under one or the other of the following two sets of regulations.

The State Dept. enforces the International Traffic In Arms Regulations (ITAR). ITAR restricts military items, dual use items, chemical biological weapons, and space technologies. ITAR has very restrictive rules regarding where and what you may export.

The Commerce Dept. enforces the Export Administration Regulations (EAR). EAR governs commercial (civilian) commodities, commercial (civilian) technology, “dual use” products and technology. Dual use means your product or service has both civil and military application but that it is predominantly civilian, and parts and components may be used interchangeably in a defense or civilian item. EAR is much less restrictive than ITAR though of course the No No Not Ever List always applies no matter what.

Classifying your products

Most (though not all) mass market encryption products can be exported under License Exception ENC (Encryption Commodities, Software, and Technology) as EAR99 without a license, except…. say it with me now….to the No No Not Ever Lists.

A definition of mass market encryption products/services, guidance on how to determine if you need a license or if it falls under an exception, whether you can self-classify or need to submit a commodity classification request, and reporting requirements can be found on the ECCN page of the BIS Site and the BIS Classification Site. Show your engineering department the links to determine if you need to contact an export attorney for help with classifications. The license or exception you fall under is important, as some are more restrictive than others, particularly with regard to whether or not you can export to a government end user. Make sure that prior to exporting outside of the United States, regardless of whether you are being paid for the export or not, you have classified your product and determined if you need a license or fall under an exception. I’d recommend building a step into your product development checklist that requires an ECCN (Export Commodity Classification Number) be obtained before your product/service can get a part number.


My final bit of export compliance information pertains to boycotts. U.S. companies may not participate in foreign boycotts which are contrary to U.S. policy. Boycott language can appear in purchase orders, letters of credit, or invoices. Train your accounting and sales team to consult legal if they ever see the word “boycott” on any documentation provided to them. Never agree to cooperate with a boycott and always notify BIS and the IRS that you have received a boycott request. More information can be found on the Office of Anti-boycott Compliance (OAC) website.

In closing

Cuba, Iran, Syria, Northern Sudan, and North Korea. No No Not Ever.



