How to Export Encryption Products While Staying Compliant

By Brandon Basso

Every defense contract for the acquisition of encryption products will have an ‘export control’ section that states the following: “U.S. export law as contained in the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulation (EAR) is applicable to any controlled technical data provided under this Agreement.  Any such controlled technical data is not to be placed in the public domain, exported from the U. S., or given to any foreign person in the U.S., without the prior, specific written authorization of the Discloser and the U.S. Department of State or the U.S. Department of Commerce as applicable.”

The U.S. remains strict in its efforts to prevent exported products (with classified information) from landing in the wrong country’s hands. Thus the U.S. has enforced strict trade regulations to control access to specific types of technology and associated data.  For example, anytime a contractor sells a cyber product, specifically an encryptor, with proprietary software codes and classified markings, the contractor puts export control provisions in the contract.  Further, the buyer will not receive the product if the buyer does not agree with such provisions.

For instance, both the International Traffic In Arms (ITAR) and Export Administration Regulations (EAR) are mentioned in Export control sections of contracts for the acquisition of encryption products. Further, such regulations are mentioned to ensure that both the buyer and seller understand that the proprietary information in such products is not to be disclosed to any party outside of the contract. More specifically, ITAR controls both the export and import of defense-related articles and services on the United States Munitions List (USML) which is a list of articles, services, and related technology designated by the U.S. Federal Government for both defense and space-related acquisitions.  Encryption products, specifically TACLANE encryptors, fall under such ‘related technology’ found in the Munitions List.

Additionally, Export Administration Regulations (EAR) are for technical data that is acquired in the contract.  For example, “EAR Technical Data may take forms such as blueprints, plans, diagrams, models, formulae, tables, engineering designs and specifications, manuals, and instructions written or recorded on other media or devices such as disk, tape, and read-only memories.” With that, there are some buyers who, in addition to buying a cyber product, also enter a non-disclosure agreement to see the drawings, engineering designs, and specifications of the product they’ve bought.  Thus, such buyers also need to comply with EAR.

Ultimately, the commerciality of a product determines how compliant a defense contractor has to be with ITAR and EAR.  For example, if a contractor sells a TACLANE encryptor then ITAR and EAR clauses are not as stringent in a contract because TACLANE encryptors are considered ‘commercial items’ that can be bought from an online catalogue. Thus, if the item is commercial then the proprietary information in the item is not as detailed because it can technically be easily accessed by the public.  On the other hand, if an encryptor for sale is ‘non-commercial’ then it is likely that the software codes are classified and the encryptor is being shipped to a classified location where ITAR and EAR will be in full effect because a ‘non-commercial’ encryptor cannot be shipped to rogue personnel in other countries containing  classified information.

Those contractors that do not comply with both ITAR and EAR suffer severe monetary and criminal penalties. For example, an article titled ‘ITAR compliance requirements’ found on  skyhighnetworks.com mentioned “Civil fines can run as high as $500,000 per violation, and criminal penalties can include 10 years imprisonment and fines of up to $1 million per violation. In 2014, Intersil was fined $10 million for allowing radiation-hardened semiconductors to be re-exported to China. That same year, Esterline was fined $20 million for failing to implement proper oversight and safeguards, leading to aircraft technology being improperly exported.

With that, ITAR and EAR enforcement in Export control sections of contracts is very necessary regardless if the item being shipped is commercial or non-commercial.  Further, with the elevation in increased terrorist activity it is more important to impose regulations on any encryption items being shipped to other countries. Moreover, with the changing attitudes toward the U.S., it is important to ensure that any proprietary information embedded in encryption products is heavily protected with such regulations before shipped in an internationally.

Student Bio: Brandon Basso is a staff member on the Journal of High Technology Law.  He is currently a 2L at Suffolk Law, and possesses a B.A. in Government from Georgetown University.

Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.

Print Friendly, PDF & Email