On December 26, 2019, the US State Department’s Directorate of Defense Trade Controls (DDTC) published a long-awaited Interim Final Rule (the “Interim Rule”) revising a number of definitions in the International Traffic in Arms Regulations (ITAR). While DDTC was accepting comments until January 27, unless a new or revised rule is published, the Interim Rule will go into effect on March 25, 2020. These changes will permit companies storing and transmitting ITAR technical data to benefit from cloud computing and email services that utilize global platforms.
In 2015, DDTC and the US Commerce Department’s Bureau of Industry and Security (BIS) proposed rules revising a number of definitions of, respectively, the ITAR and the Export Administration Regulations (EAR) (our blog post on the proposed rules is available here). In 2016, BIS published its final rule on these issues (our blog post on the “BIS Final Rule” is available here), and DDTC published an interim final rule, subsequently replaced by a final rule. Unlike the BIS Final Rule, DDTC’s final rule in 2016 did not adopt all of the amendments proposed in 2015, which resulted in certain differences between comparable EAR and ITAR provisions. DDTC’s Interim Rule seeks to align the relevant EAR and ITAR provisions, but important differences do remain.
Most notable features of the Interim Rule are as follows:
- End-to-end encrypted technical data has been carved out from “exports, reexports, retransfers, or temporary imports” which means that transmission and storage of properly encrypted technical data:
- would not require authorization from DDTC, and
- would be allowed in most foreign countries (except those specifically excluded by the Interim Rule) so long as the technical data remains continuously encrypted while outside of the United States or until decrypted by an authorized intended recipient.
- The “end-to-end encryption” criteria have been defined to align with the EAR.
- The ITAR definitions of “export” and “release” have been updated, and the definition of “access information” has been added, to clarify that the use of decryption keys, network access codes, and passwords that results in the “release” of (including the ability to access) previously encrypted technical data in unencrypted form to a foreign person or outside the United States, constitutes an “export.
While the Interim Rule and the guidance provided by DDTC in the supplemental information thereto clarify a number of definitions, companies should still use a high degree of care in transferring and storing ITAR-controlled technical data to remain in compliance and note that there remain certain differences between the EAR and the ITAR treatment of the same activities. Below we provide more detail on the developments summarized above.
Carve-out of end-to-end encrypted technical data from exports, reexports, retransfers and temporary imports (new 22 CFR § 120.54(a)(5))
Sending, taking, or storing ITAR-controlled technical data does not constitute an export (22 CFR § 120.54(a)) as long as such data is:
- Secured using “end-to-end” encryption;
- Secured using cryptographic modules (hardware or software) compliant with Federal Information Processing Standards Publication 140–2 (FIPS 140–2) or its successors, supplemented by software implementation, cryptographic key management and other procedures and controls that are in accordance with guidance provided in current US National Institute for Standards and Technology (NIST) publications, or by other cryptographic means that provide security strength that is at least comparable to the minimum 128 bits of security strength achieved by the Advanced Encryption Standard (AES-128);
- Not intentionally sent to a person in or stored in a country proscribed in 22 CFR § 126.1, i.e., countries subject to US arms embargoes or the Russian Federation (the “Excluded Countries”); and
- Not sent from any Excluded Country.
Divergence from the EAR. While the new section is virtually identical to its counterpart in the EAR (15 CFR § 734.18), two important distinctions to note are as follows:
- The description of “end-to-end encryption” in the Interim Rule provides for less flexibility than that in the EAR with respect to the type of encryption used (the Interim Rule contemplates that companies may use NIST-certified FIPS 140-2 compliance modules or other cryptographic means that meet or exceed a 128-bit security strength, while the EAR does not set out minimum security strength for “other equally or more effective cryptographic means”); and
- Intentional sending of encrypted technical data to persons in the Excluded Countries as well as storage of such data in such countries would constitute “export” of such data under the Interim Rule, in contrast to the EAR provision that only refers to storage in the Excluded Countries.
“End-to-end encryption” definition (new section 22 CFR § 120.54(b))
In order to qualify for the carve-out described above, the encryption must meet certain standards as follows:
- Cryptographic protection must be applied prior to the data being sent outside of the originator’s security boundary and remain encrypted until it arrives within the security boundary of the intended recipient (whether by means of encrypting on sender’s computer in case of individuals or by encrypting the data before it leaves the secure network, in case of entities),
- The means of decryption must not be provided to any third party, and
- The data must not have the cryptographic protection removed at any point in transit.
Definitions of “Export,” “Release,” and “Access Information” (new 22 CFR § 120.50(b), 22 CFR § 120.50(a)(3) and (4), and 22 CFR § 120.55)
- The definitions of “export” and “release” were updated to clarify that, in addition to currently contemplated visual or other inspections and oral or written exchanges of technical data, the release of previously encrypted technical data by using access information that allows access to unencrypted technical data by foreign persons or in a foreign country (including by US persons abroad) constitutes an export.
- “Access information” is a new definition capturing the information that allows access to encrypted technical data in an unencrypted form, such as decryption keys, network access codes, and passwords.
Divergence with the EAR. Under the EAR, an authorization is required to transfer access information if done with “knowledge” that such transfer would result in the release of technology or software without an authorization (15 CFR § 734.19). In contrast, DDTC’s Interim Rule does not contain a knowledge requirement and points out that an existing authorization for release of ITAR-controlled technical data to a foreign person must be in place prior to provision of access to such person or outside the United States. In other words, the release of previously encrypted technical data in unencrypted form through the provision of access information requires an authorization to the same extent as the export of the technical data unsecured by encryption.
Other “activities that are not exports, reexports, retransfers, or temporary imports” under the ITAR
Similar to the EAR, the Interim Rule lists four other activities that are not considered exports or other “controlled events” that would otherwise require a license or approval. These four activities are:
- Launching a spacecraft, launch vehicle, payload or other item into space.
- Transmitting or otherwise transferring technical data to a US person in the United States from a person in the United States.
- Shipping, moving, or transferring defense articles between or among the United States (as defined in the ITAR).
- Transmitting or otherwise transferring within the same foreign country technical data between or among only US persons, so long as the transmission or transfer does not result in a release to a foreign person or transfer to a person prohibited from receiving the technical data.
The first three activities are already treated by the ITAR as activities that are not exports, reexports or retransfers (e.g., launching a spacecraft is already excluded from the definition of an export in 22 CFR § 120.17(a)(6)), and the Interim Rule simply consolidates the relevant provisions and clarifies the language. However, the fourth activity is a clear change to the current treatment of “retransfer” by the ITAR (22 CFR § 120.51).
Further practical guidance. Supplemental information in the Interim Rule provides that:
- While intentional storage in the Excluded Countries constitutes a controlled event, transient storage (as opposed to long-term storage) that is incidental to sending information via the Internet does not. It is the responsibility of the exporters to ensure, prior to transfer, that the intended recipient or remote storage provider does not store their information in the Excluded Countries.
- Obtaining contractual assurances that the data would not be stored in the Excluded Countries would not provide a safe harbor for the cloud customers. While it can be difficult to control the actions of the third parties, State Department intends to review potential violations on a case-by-case basis, subject to the totality of the facts and circumstances comprising the issue.
- The carve-out for encrypted technology is not limited to electronic transmissions and covers shipment of technical data in a physical medium so long as all of the conditions are met.
- DDTC considers “tokenization” to be a process different from “encryption,” and thus the Interim Rule does not carve out technical data that has been tokenized from the definition of “exports, reexports, retransfers, and temporary imports” under the ITAR.