B. Mass-Marketed Software--The General Software Note
The General Software Note ("GSN") in Supplement No. 2 to EAR Section 799.1 is an important element of the CCL. (Exhibit A contains the actual text of the GSN.) The GSN authorizes exports under GTDU of mass-marketed software sold through retail sources that is "generally available to the public" to all countries except Iran, Syria and the embargoed destinations. The GSN should not be confused with the longstanding and unchanged General License GTDA for software that is "publicly available."
The GSN is not based on the functionalities or performance specifications of the software except that it does not apply to software under the jurisdiction of another set of regulations such as ITAR. To determine if software satisfies the GSN criteria for being "generally available to the public," the exporter only needs to know how the software is sold. For the purposes of the GSN and the EAR in general, the word "sold" means "licensed or sold."
The first GSN criterion is that the software must be sold "without restriction" from stock from retail sources such as stores, phone order or mail order. If, for example, software X is sold through retail store Y, software X satisfies this requirement, even when the export in question is not a retail transaction and even when store Y is not the exporter. Furthermore, the retail selling points do not have to be located in the U.S. Software X is eligible under the GSN if it is sold through a retail source in Hong Kong or anywhere else in the world.
Requiring a customer to sign a license agreement prior to delivering the software is not a restriction that eliminates GSN eligibility. Software that is sold only with bundled hardware is "restricted" and is not eligible under the GSN. Software that is sold both with bundled hardware and without bundled hardware is eligible under the GSN.
The second GSN criterion is that the software must be designed for installation by the user without substantial support from the supplier. Most software distributed through retail sources satisfies this criterion. Software that is designed for user installation satisfies this criterion even if, for example, the user may call a toll-free phone number for assistance during installation.
The GSN applies to all software under the jurisdiction of the EAR and overrules the licensing requirements described in an ECCN. Any software on the CCL is eligible for export under GTDU if it satisfies the requirements of the GSN, even software in an ECCN that requires a validated license for all destinations. For example, anti-virus software is controlled under ECCN 5D13A which states "GTDR: Yes" and "GTDU: No." If the anti-virus software satisfies the requirements of the GSN, however, it is eligible for export under GTDU to all countries except Iran, Syria and the embargoed countries.
The export controls for a software product which is a combination of software packages are determined by the sales characteristics of the finished unit. The finished unit itself must satisfy the GSN criteria in order to qualify as a mass-market software package.
The GSN does not apply to software with encryption capability that is controlled by ITAR. When determining whether software is eligible for export under the GSN, exporters must confirm that the software does not have encryption capability that would cause it to be under ITAR jurisdiction. Most other countries do not restrict exports of mass-marketed software on the basis of the type of an encryption feature. This unilateral U.S. control is a competitive disadvantage for U.S. companies.
Exporters should consider three approaches when determining the requirements for an operating system. First, the "Operation Technical Data/Operation Software" provisions in EAR Section 779.4(b)(1) authorize most exports of operating systems in object code when destined for use on computers known to be legally exported or reexported (under either a validated or general license). Second, when an operating system is being exported in source code or for use on unknown computers, the exporter must identify the ECCN for the operating system to determine the licensing requirements. Finally, a mass-marketed operating system that satisfies the GSN criteria is eligible for export under GTDU regardless of the ECCN that controls it or its eligibility under the "Operation Technical Data/Operation Software" authorization.
The "Operation Technical Data/Operation Software" authorization permits exports of operating system software under GTDU provided that:
It is the minimum necessary to operate a computer that has been or will be legally exported or reexported; and
It is in object code.
When both of these conditions are met, an operating system may be exported under GTDU to all countries even if it is controlled under an ECCN (e.g., 4D01A or 4D03A) that states "GTDU: No."
When operating systems are being exported for general distribution to unknown end-users and the exporter does not know that they will be used on computers legally exported or reexported, the exporter must identify the ECCN for the operating system to determine the export licensing requirements. Similarly, when an operating system will be exported in source code, its licensing requirements will be determined by its ECCN. ECCNs 4D01A, 4D93F and 4D03A are the primary ECCNs that control operating systems and are described in more detail below.
Real-Time Operating Systems. ECCN 4D03A controls operating systems specially designed for real-time processing equipment which guarantees a "global interrupt latency time" of less than 20 microseconds. Such real-time operating systems are eligible for GTDR with written assurance. Based on the definition of "global interrupt latency time" and the requirement that the operating system must guarantee 20 microseconds or less, as a practical matter, few real-time operating systems may be controlled under ECCN 4D03A. "Global interrupt latency time" does not necessarily mean the same thing as the term "latency time" that certain companies may use. Furthermore, while certain operating systems may have a global interrupt latency time of less than 20 microseconds, in certain instances, the time for lower priority interrupts may exceed 20 microseconds so that the time is not guaranteed. A real-time operating system with global interrupt latency times that are greater than and less than 20 microseconds does not guarantee less than 20 microseconds. Real-time operating systems that do not guarantee less than 20 microseconds are eligible for export under GTDU unless they are controlled for other reasons by an ECCN (e.g., 4D01A) that requires GTDR.
ECCN 4D93F controls operating systems for real-time processing equipment that guarantees a "global interrupt latency time" of less than 30 microseconds and greater than or equal to 20 microseconds. The same rules of interpretation apply to ECCN 4D93F as described above for ECCN 4D03A. Software controlled by ECCN 4D93F requires a validated export license for Iran, Syria and the embargoed countries (unless another GTDU authorization is available) and is eligible for GTDU for all other countries.
Other Operating Systems. ECCN 4D01A controls software "specially designed" for the use of controlled computers (e.g., computers with a Composite Theoretical Performance ("CTP") greater than 260 million theoretical operations per second). An operating system is not "specially designed" for use on a controlled computer if it will operate on both controlled and uncontrolled computers. For example, since most UNIX operating systems will operate on both uncontrolled computers (i.e., CTP less than 260) and controlled computers (i.e., CTP greater than 260), such UNIX operating systems are not controlled by ECCN 4D01A and may be exported under GTDU. On the other hand, an operating system specially designed for use on a supercomputer (i.e., CTP of 1500 or more) likely would not be designed for use on a computer with a CTP of less than 260. Thus, such an operating system would be controlled under ECCN 4D01A and is eligible for export under GTDR. ECCN 4D01A also controls most operating systems for optical computers, neural computers and systolic array computers.
ECCN 4D03A controls operating system software exported in source code form for multi-data-stream processing (e.g., parallel processing) computers. When an operating system for multi-data-stream processing computers is exported in object code, it is not controlled by ECCN 4D03A and would be eligible for export under GTDU unless it is controlled by ECCN 4D01A. Thus, the ECCN for an operating system for a supercomputer that utilizes multi-data-stream processing depends on whether it is exported in source or object code form. In object code, it would be controlled under ECCN 4D01A. In source code, the supercomputer operating system would be controlled under ECCN 4D03A.
In determining the ECCN for an operating system, exporters must also determine whether it performs any telecommunications functions (e.g., dynamic adaptive routing) that are controlled under a 5Dxxx ECCN such as 5D03A. Finally, the exporter must also determine whether the operating system performs any data encryption functions that would cause it to be controlled under the ITAR or ECCN 5D13A.
Operating systems controlled by ECCNs 4D01A or 4D03A are eligible for export under General License GTDR. Operating systems controlled by ECCNs 5D03A or 5D13A are eligible for export under GTDR and GLX. Software not controlled by ECCNs 4D01A, 4D03A, 5D03A, or 5D13A is usually classified under bucket category ECCN 4D96G and is eligible for export under GTDU.
Over the past several years the U.S. government has relaxed the licensing requirements for certain types of software. Many types of software formerly requiring a written assurance or a validated license are now eligible for export under GTDU.
IC CAD Software. The export licensing requirements for software for the computer aided design of integrated circuits have been significantly relaxed. ECCN 3D03A controls computer aided design software for integrated circuits only if it provides any of the following:
design or circuit verification rules, or
simulation of the physically laid out circuit, or
lithographic processing simulators for design.
Software controlled by ECCN 3D03A is eligible for export under GTDR to free world countries, excluding Iran and Syria, and requires a validated license for all other countries (except Canada for which no license is required). IC CAD software not controlled by ECCN 3D03A is usually classified under ECCN 3D96G and is eligible for export under GTDU.
Printed Circuit Board CAD Software. Software for the computer aided design of printed circuit boards is now usually classified under ECCN 3D96G and is eligible for export under GTDU.
Other CAD Software. The CCL contains many entries that control software that is specially designed for the computer aided design of equipment that is specifically controlled in the CCL. Generally speaking, each category in the CCL has one or more software ECCNs that control software specially designed for the computer aided design of equipment and other items controlled under the same category. In most cases, such software is eligible for export under GTDR.
For example, ECCN 6D01A controls software specially designed for the computer aided design of optics controlled under ECCN 6A04A, lasers controlled under ECCN 6A05A, radar controlled under ECCN 6A08A, and measurement systems controlled under ECCN 6B08A. The term "specially designed" limits the scope of the control on CAD software imposed by an ECCN such as 6D01A. For example, ECCN 6D01A would not control general purpose optics CAD software that could be used to design optics both controlled and decontrolled under 6A04A. The intent is to control software which has specific characteristics or functions that provide a unique capability to design optics controlled under 6A04A.
Other Software that Formerly Required a Written Assurance or Validated License. Many of the types of software that formerly required a written assurance or a validated license have been decontrolled to GTDU status. ECCN 4D03A, however, continues to require a written assurance or, for countries not eligible under GTDR, a validated export license for these types of software:
Operating system software, software development tools, and compilers specially designed for multi data stream processing equipment, in source code;
Expert systems or software for expert systems inference engines providing both:
- Time dependent rules; and
- Primitives to handle the time characteristics of the rules and the facts.
Certain types of software have been decontrolled to the GTDU level for most countries but continue to require a validated license for Iran, Syria and the embargoed countries. These types of software include:
Program proof and validation software; and
Software for the automatic generation of source code from external sensors.
LAN, WAN, and Telecommunications Software. Over the past several years there have been important relaxations in the controls on LAN/WAN software. The primary ECCNs for controlled telecommunications software are ECCNs 5D01A, 5D02A, and 5D03A. Generally speaking, ECCN 5D03A is the most important of these because it covers a larger portion of software that is actually exported. 5D03A controls software that performs advanced routing functions such as datagram, fast select, dynamic adaptive routing and software for extremely high speed data transmission. The export controls on LAN, WAN, and telecommunications software are rarely a problem because software controlled by ECCNs 4D01A, 4D02A, 5D03A, is eligible for export under GTDR and GLX. Such software requires a validated license only for Iran, Syria and the embargoed countries.
Data encryption is another important consideration for both LAN and WAN software. A wide range of LAN and WAN software provides encryption capability--either to ensure the security of data resident on a network or to ensure the security of data transmitted over a network. Encryption capabilities may subject the software to stricter export licensing requirements under either the EAR or ITAR. An analysis of the export licensing requirements for software with encryption capability is described below.
Multimedia Products. Multimedia titles, authoring tools and other products which are mass-market products are eligible for export under GTDU pursuant to the GSN. Titles which are primarily reference works, mass-market or otherwise, will almost always be eligible for export under GTDU or even GTDA in some instances.
E. Software with Encryption Capability
There is a growing demand in today's security conscious business world to ensure the security and integrity of data. Because of this demand, an increasing number of commercial software packages are now using a wide range of encryption functions.
Encryption is a means for transforming data in order to hide its information content, prevent its undetected modification, or prevent its unauthorized use. Encryption is defined as the transformation of information using one or more secret parameters (e.g., crypto variables) and/or associated key management. Importantly, encryption does not include functions limited to "fixed" data compression or coding techniques. The term "fixed" means that the coding or compression algorithm cannot accept externally supplied parameters (e.g., cryptographic or key variables) and cannot be modified by the user. For example, software that compresses data to reduce the disk space required for its storage is not encryption.
Two issues must be considered in evaluating the export licensing requirements for any software that performs any data encryption or decryption functions. The first issue is to determine whether the software is under the jurisdiction of the EAR or ITAR. Thereafter, the licensing requirements must be determined under the appropriate regulations.
EAR vs. ITAR Jurisdiction. As a starting point, an exporter of software with an encryption feature should presume that its software is controlled by ITAR. ITAR has jurisdiction over all software with data encryption capability except commercial software with encryption limited to these functions:
(A) Decryption-only capability for encrypted proprietary software, fonts or other computer-related proprietary information for the purpose of maintaining vendor control over such information;
(B) Restricted to calculating a Message Authentication Code (MAC) or similar result to assure no alteration of text has taken place, or to authenticate users, but does not allow for encryption of data, text or other media other than that needed for authentication;
(C) Restricted to protecting passwords and personal identification numbers ("PIN") or similar data to prevent unauthorized access to computing facilities, but does not allow for encryption of files or text, except as directly related to the password and PIN protection;
(D) Specifically designed and limited to the issuance of cash or traveler's checks, acceptance of deposits, account balance reporting and similar financial functions; and
(E) Software for personalized smart cards restricted for uses described in paragraphs (A) through (D) above.
Commercial software with encryption capability limited to the above five functions has been transferred to EAR jurisdiction. Software that performs encryption functions other than those listed in (A) through (E) is presumed to be under the jurisdiction of ITAR. Software that performs one of the functions in (A) through (E) above as well as additional encryption functions would be under the jurisdiction of ITAR. For example, a software package that encrypts passwords as well as data files on a hard disk would be presumed to be under ITAR jurisdiction.
In addition, the State Department has established a policy under which it will consider transferring to EAR jurisdiction mass-market software which satisfies both of these criteria:
The software uses RSA Data Security, Inc.'s RC2 or RC4 algorithms with a key size fixed at 40 bits; and
Encryption is not the primary function of the software.
On a product-by-product basis, the State Department will consider written requests to transfer specific products that satisfy these two criteria to EAR jurisdiction through a procedure known as a commodity jurisdiction determination. Commodity jurisdiction determinations are normally initiated by an exporter who is seeking to convince the State Department to transfer software to EAR jurisdiction.
Finally, the State Department, which has the sole authority to determine the export licensing jurisdiction of a product, controls all software in source code form with encryption capability under ITAR jurisdiction even if the encryption functions are limited to those identified in (A) through (E) above or it is mass market software using the RC2 or RC4 algorithms.
State Department Licensing Policy. All encryption software under ITAR jurisdiction requires a validated export license for all countries except Canada. ITAR does not authorize general license exports. Furthermore, such encryption software requires a validated license even if it is mass-marketed software available through retail sources or available at no cost over the Internet. The State Department imposes stricter controls on exports of Data Encryption Standard ("DES") based software than on non-DES based encryption.
DES-Based Encryption. The State Department will approve individual licenses for exports of DES based encryption only to financial institutions and subsidiaries of U.S. companies. All end-users must be specifically identified on the license application. In certain instances, however, the State Department will approve limited distribution agreements that authorize resale/reexport to unidentified end-users in a pre-specified sales territory. The distributor must report all sales to the State Department after they occur.
Non-DES Based Encryption. The State Department will approve individual licenses for exports only to acceptable end-users (as determined by the State Department) specifically identified on the license application and located in acceptable countries. In certain instances, the State Department will approve distribution agreements authorizing resales or reexports to acceptable countries specified on the license application. The distributor must report sales after they occur.
The State Department policy of severely limiting distribution of DES based software for the encryption of data files hinders the establishment of international distribution networks. The less restrictive controls on non-DES based software have caused some exporters to use a non-DES encryption algorithm so that their software will benefit from a more lenient export licensing policy.
EAR Requirements. Software with limited encryption functions under EAR jurisdiction is, in most cases, classified under ECCN 5D13A. ECCN 5D13A does not control software that provides these two (and no other) encryption functions:
Decryption functions specially designed to allow the execution of copy-protected software, provided the decryption functions are not user-accessible; and
Certain encryption functions in certain personalized smart cards.
Such software is controlled by either ECCN 5D95F or another more restrictive ECCN in the CCL based on the other functions of the software.
When software performs functions that are controlled under another ECCN on the CCL, in addition to encryption functions controlled under ECCN 5D13A, such software is classified under ECCN 5D13A. For example, an operating system for a supercomputer would normally be classified under ECCN 4D01A. If, however, that supercomputer operating system also encrypts passwords, it would be classified under ECCN 5D13A.
Software controlled by ECCN 5D13A is eligible for export under General License GTDR to Country Groups T and V excluding the PRC, Iran, Iraq, Syria and Yugoslavia, and under General License GLX to the PRC and Country Groups Q, W and Y. ECCN 5D13A software requires a validated license for all other countries (except Canada for which no license is required).
Importantly, however, encryption software controlled under ECCN 5D13A is eligible for export under GTDU if it is mass-marketed software that satisfies the GSN requirements. As indicated, most other countries do not restrict exports of mass-marketed software on the basis of the type of encryption feature. This is a competitive disadvantage for U.S. companies.
Sandy Jane Wong, M.P.A.
Write Wavelength
"Conveying the pragmatics of electronic networks"
Ph: 415-851-7233
EMail: sandy@oikoumene.batnet.com
Modification date: March 07, 2004. © Copyright 2004 by Brad Cox