EAR compliance and ECCN?

Issue #181 closed
Travis Spencer created an issue

I am wondering if this library is subject to the US Export Administration Regulations (EAR). I looked on the home page and in NOTICE.txt, but didn’t find anything. I wanted to double check though considering that this lib does crypto. Like most open source libs that do crypto, I would imagine it would be classified as ECCN 5D002. In such a case, it doesn’t seem to be subject to EAR, but, IINM, a notice may still be required. If correct, I’m wondering if such a notice has been made?

Comments (6)

  1. Brian Campbell

    I’ve always operated under the assumption that, because the library doesn’t implement the cryptographic primitives itself but rather relies on the JCA APIs for cryptography, it wasn’t subject to export restrictions or regulations. That could well be a mistaken assumption, however, and I’ll try to look into it a bit more and see if there’s anything that needs to be done.

  2. Travis Spencer reporter

    Reasonable assumption, but I wouldn’t bank on it. This policy guideline from BIS may be helpful as you dig a bit deeper:

    Note 2: While open source code itself may be publicly available and not subject to the EAR, an item is not considered publicly available merely because it incorporates or calls to publicly available open source code. Rather, a new item with encryption functionality has been created which would need to be evaluated as a whole under the EAR.

    From this, I’d check out Part 742.15(b) mentioned on that same page which says:

    Notification requirement. You must notify BIS and the ENC Encryption Request Coordinator via email of the Internet location (e.g., URL or Internet address) of the publicly available encryption source code classified under ECCN 5D002 or provide each of them a copy of the publicly available encryption source code. If you update or modify the source code, you must also provide additional copies to each of them each time the cryptographic functionality of the source code is updated or modified. In addition, if you posted the source code on the Internet, you must notify BIS and the ENC Encryption Request Coordinator each time the Internet location is changed, but you are not required to notify them of updates or modifications made to the encryption source code at the previously notified location. In all instances, submit the notification or copy to crypt@bis.doc.gov and to enc@nsa.gov.

    So, I’d drop them a note even if the crypto comes from Java. Then, at least there’s no dispute that this lib is “Publicly available” and not subject to the EAR.

  3. Travis Spencer reporter

    BTW, please don’t misconstrue the above as legal advice. I am not a lawyer and am only trying to be helpful. Only a lawyer can give you legal advice.