As global trading explodes, U.S. software companies are expanding their sales and product development internationally. Whether it’s a small company beginning to sell internationally or a sophisticated company looking to outsource product development, one issue often overlooked or misunderstood is how encryption functionality can impact, and in some cases restrict, international activities. These restrictions arise from the U.S. government’s concern that exporting encryption capabilities could impede its ability to secure communications and gather intelligence from others. Due to these concerns, the U.S. government has placed limits on the export of encryption.
These issues can surface in many ways. They can arise when selling to customers outside the United States, or when customers request information relating to the export control status of products. They also can arise when a company shifts its production or development practices, or changes its supply chain or product components. Further, they can appear during due diligence when a software company is the target of an acquisition. We routinely hear statements illustrating common misconceptions regarding U.S. encryption export controls, and here are six of those misconceptions:
- “Our products do not contain or use encryption.” Almost all software products contain encryption of some sort. Software may be controlled for encryption, even if the encryption is actually performed by the operating system, an external library, a third-party product, or a cryptographic processor. Further, if a product includes encryption functionality, even if that functionality is not used, the U.S. government evaluates the product based on the included encryption functionality. Such functionality may be there simply for copyright protection, in which case the product may not be subject to export controls. Functionality also may be present due to licensing requirements of third-party components, which could cause the product to be subject to export controls. One of the first steps to correcting this misconception is to ensure that companies appreciate that many, if not most, software products contain encryption and understand why such functionality exists.
- “The government doesn’t care about this type of product.” The government’s interest isn’t limited to the main purpose of the product; it also is interested in the product’s components, libraries and capabilities. Commercial software products are subject to export controls based on their respective classification under the Export Administration Regulations (EAR). To assess the applicable controls, it is necessary to determine the classification of the software in two ways: first, based on the product’s functional characteristics, and second, based on the encryption functionality. Most of the software we have reviewed is not subject to stringent export controls based on its functional characteristics. For example, it is unlikely that a spreadsheet product would be controlled based on functionality. It is possible, however, that it would be subject to export controls based on its encryption functionality.
- “I got this product from a major software developer, and they must have already done everything to make sure it’s okay to export it.” This misconception suffers from two flaws. First, it is important to confirm with a supplier whether the company has evaluated the export control status of its product and, if so, whether all regulatory requirements have been satisfied. Second, even if the U.S. government previously reviewed and classified an encryption software product, additional regulatory requirements may apply if the encryption functionality or other technical characteristics are altered in connection with incorporation into another software product. For example, if a U.S. software company purchases an encryption product that qualifies for mass-market treatment under the EAR and incorporates it into another product, it would be necessary to evaluate the export control status of the final product, especially if changes could impact its mass-market characteristics.
- “We only utilize foreign-made encryption products.” The U.S. export controls apply not only to U.S.-origin products, but also to foreign-made products that come into the United States. Accordingly, if a U.S. software company procures a foreign-made encryption product and brings it into the U.S. for incorporation into its own product, it is possible that the final product would be subject to export controls based on the encryption functionality exhibited by the foreign-made encryption product.
- “We registered with the U.S. government, so we’re okay.” Even companies that have classified their encryption products under the EAR can make mistakes in connection with exporting their products. For example, software companies often mistakenly believe that obtaining an encryption registration number allows them to export their products around the world without restriction. However, additional requirements, such as submitting classification requests prior to exporting, periodic reporting of exports, and restrictions on eligible customers also may apply to those products.
- “We classified our products a while ago, so we’re good.” This statement has two problems. First, software products regularly undergo updates for a variety of reasons. When updates alter the encryption functionality of a product, the export control status of the product should be re-evaluated. For example, if additional or stronger encryption functionality was incorporated as part of an update, it is possible that the product could be subject to more stringent export controls. Second, in June 2010, the U.S. encryption export control regulations underwent a substantial overhaul. Software companies that evaluated the export control status of their products prior to June 2010 should consider re-evaluating those products under the amended regulations to determine whether the products remain subject to export controls.
U.S. software companies engaging in international sales or development should evaluate the export control status of their products. This often requires reviewing the applicable regulations and determining whether the products are subject to export controls. Once that review is completed, a company must assess the nature and extent of any applicable requirements and ensure compliance with them.