EXPORT CONTROL POLICY
Updated policy and procedures on tangible exports and acceptance of 3rd party proprietary or restricted information
To assist in determining the applicability of export controls
If you have questions about the applicability of export control regulations
to a particular situation, or about any of the information presented on this
Export Control Officer
The release of publicly available strong encryption software under the EAR is tightly regulated. However, a License Exception TSU (Technology and Software - Unrestricted) is available for transmission or transfer of the code outside of the US.
Strong dual-use encryption, addressed in Category 5 Part II of the EAR's Commerce Control List (CCL) at 5A002 (encrypted hardware) and 5D002 (encryption software), is defined as:
Strong dual-use encryption software is NOT:
NOTE: The examples provided above are intended as general summaries and are not authoritative. Researchers are responsible for consulting the CCL for encryption software specifically designed or developed for applications not captured by the ITAR.
Publicly available software under the EAR, as under the ITAR, is exempt from export control. However, before strong dual-use encryption code is made publicly available via the internet or otherwise placed electronically in the public domain, exporters must provide the US Government with either a copy of the strong dual-use encryption code or a one-time notification of the internet location (URL) of the code. This must be done before making the software publicly available. Notification after transmission or transfer of the software outside the US is an export control violation.
Updates and Modifications: The US Government requires notification of updates or modifications to strong encryption software already made publicly available when the original method for notification had been submission of a copy of the encryption software. When notification is made by email describing the internet location (URL) of the code, the government only has to be notified of encryption updates and modifications when the internet location of the modified or updated code has changed. So that Stanford researchers do not have to concern themselves with notifying the government of frequent modifications or updates to their encryption code, Stanford will fulfill the initial notification requirement by emailing the internet location or URL of the posted code. Stanford will not provide the government with electronic copies of the code.
Stanford researchers MUST email the University Export Control Officer (ECO) with the internet location or URL of the EAR-controlled strong encryption software before making the software publicly available regardless of medium. Only after receiving an email confirmation from the ECO may the researcher upload the code onto a publicly available website.
The Stanford-developed encryption software must be freely downloadable by all interested members of the scientific community at no charge and without Stanford's knowledge by whom or from where the data is being downloaded. This means no login requirement or other password or authentication procedures. The government could view a login or other authentification requirement as an access control, and such a requirement could destroy the university's ability to characterize the generated software as in the public domain without restriction.
Publicly available dual-use encryption software that does not entail strong encryption requires neither US government notification nor review and can be freely shipped, shared, transferred or transmitted outside of the US regardless of destination.
Strong Encryption and US Person Technical Assistance: In addition to regulating the export of encryption code, the EAR also regulates US person activity with respect to strong dual-use encryption software and hardware. Without US government approval, US persons are prohibited from providing technical assistance (i.e., instruction, skills training, working knowledge, consulting services) to a foreign person with the intent to assist in the overseas development or manufacture of dual-use encryption software or hardware employing strong encryption code. This prohibition does NOT limit Stanford personnel from teaching or discussing general information about cryptography or developing or sharing encryption code within the United States that arises during, or results from, Stanford or other university-generated fundamental research.