Trade Law Daily is a service of Warren Communications News.
Subscriber Login

BIS Issues Advisory Opinion on Free Downloading of "Mass Market" Encrypted Software

September 23, 2009 |Top News

The Bureau of Industry and Security has issued an advisory opinion regarding whether allowing the free download of certain encrypted software reviewed and classified as "mass market" would be in violation of the Export Administration Regulations.

Sign up for a free preview to unlock the rest of this article

Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.

Start My Free Preview

Specifically, the advisory opinion requestor asked whether it would be in violation of the EAR if it allowed BIS-classified "mass market" encryption software to be downloaded free of charge to anyone from the company's Web site without restriction, including download by a person in Iran, Cuba, Syria, Sudan, or North Korea.

Anonymous Free Download, IP Address "Footprint" Do Not Violate EAR

BIS states that publishing "mass market" encryption software to the Internet where it may be downloaded by anyone neither establishes "knowledge" of a prohibited export or reexport nor triggers any "red flags" necessitating BIS' affirmative duty to inquire.

Therefore, a person or company would not be in violation of the EAR if it posts "mass market" encryption software on the Internet for free and anonymous download, and then at a later time the software is downloaded by an anonymous person in Iran, Cuba, Syria, Sudan, or North Korea.

BIS also states that a violation would not occur if the Internet Protocol (IP) address of the person downloading the software is collected by the software provider at the time of the download and stored as a "footprint" in the machine code of the software provider's data base, but is not tracked or used for any purpose by the software provider.

Registration-Required Download Would Violate EAR

BIS states that if a company or person were to require registration (i.e., provision of a name and email address) before downloading such "mass market" encryption software, the download would not be considered anonymous and therefore a download by a person in Iran, Cuba, Syria, Sudan, or North Korea without the necessary licenses would constitute a violation of the EAR.

(BIS notes that its advisory opinion is confined to interpretation of the EAR, and does not address the sanctions regulations implemented by the Office of Foreign Assets Control.)

BIS advisory opinion (dated 09/11/09) available at http://www.bis.doc.gov/policiesandregulations/advisoryopinions/encryption_internet_ao.pdf