International Trade Today is a service of Warren Communications News.
Subscriber Login

BIS Issues Advisory Opinion on Free Downloading of "Mass Market" Encrypted Software

September 23, 2009 |Top News

The Bureau of Industry and Security has issued an advisory opinion regarding whether allowing the free download of certain encrypted software reviewed and classified as "mass market" would be in violation of the Export Administration Regulations.

Sign up for a free preview to unlock the rest of this article

If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.

Start My Free Preview

Specifically, the advisory opinion requestor asked whether it would be in violation of the EAR if it allowed BIS-classified "mass market" encryption software to be downloaded free of charge to anyone from the company's Web site without restriction, including download by a person in Iran, Cuba, Syria, Sudan, or North Korea.

Anonymous Free Download, IP Address "Footprint" Do Not Violate EAR

BIS states that publishing "mass market" encryption software to the Internet where it may be downloaded by anyone neither establishes "knowledge" of a prohibited export or reexport nor triggers any "red flags" necessitating BIS' affirmative duty to inquire.

Therefore, a person or company would not be in violation of the EAR if it posts "mass market" encryption software on the Internet for free and anonymous download, and then at a later time the software is downloaded by an anonymous person in Iran, Cuba, Syria, Sudan, or North Korea.

BIS also states that a violation would not occur if the Internet Protocol (IP) address of the person downloading the software is collected by the software provider at the time of the download and stored as a "footprint" in the machine code of the software provider's data base, but is not tracked or used for any purpose by the software provider.

Registration-Required Download Would Violate EAR

BIS states that if a company or person were to require registration (i.e., provision of a name and email address) before downloading such "mass market" encryption software, the download would not be considered anonymous and therefore a download by a person in Iran, Cuba, Syria, Sudan, or North Korea without the necessary licenses would constitute a violation of the EAR.

(BIS notes that its advisory opinion is confined to interpretation of the EAR, and does not address the sanctions regulations implemented by the Office of Foreign Assets Control.)

BIS advisory opinion (dated 09/11/09) available at http://www.bis.doc.gov/policiesandregulations/advisoryopinions/encryption_internet_ao.pdf