5 September 1997
Source: Hardcopy from Peter Junger


Tab F

[Fax header] AUG-07-1997 15:32 OCC/BXA 202 482 0085 P.01

UNITED STATES DEPARTMENT OF COMMERCE
Bureau of Export Administration
Washington, D.C. 20230

AUG 7 1997

Gino J. Scarselli, Esq.
664 Allison Drive
Richmond Heights, Ohio 44143

Dear Mr. Scarselli:

This letter is in response to your letters of July 18, 1997 and July 24, 1997, forwarded to us by Anthony Coppolino of the Department of Justice, concerning our prior response of July 3, 1997 to the three commodity classification applications you submitted on behalf of your client, Professor Peter Junger. We respond, in turn, to the issues raised by the numbered paragraphs of your July 18 letter.

1. You indicate first that you requested a classification of the "entire chapter" from "Computers and the Law" (Item No. 2 to Application Z082061; hereinafter "Item No. 2") and, specifically, that BXA did not provide a classification for an item described as a "source code in ANSI C of Paul Leyland's one time pad" in figure 1.4.

At the outset, we note that it is the requestor's responsibility to identify and describe with specificity the items and/or activities for which he seeks a determination, and you did not previously specify this software program. As reflected in our determination, Item No. 2 contains distinct items for which commodity classifications under the EAR may vary. Specifically, the EAR treats encryption software differently from other software, and from "technology" as defined in the EAR. For this reason, BXA examines and classifies specific items of software and technology separately, not as a single item consolidated by the requestor.

There are four software programs included in Item No. 2. The attachment to this letter provides classifications for each of the programs. Please note that all of the programs are classified as EAR99 and are not software controlled under ECCN 5D002.

In addition, contrary to your assertion, BXA did not classify Item No. 2 as both subject to the EAR and not subject to the EAR. Since software designated as EAR99 is not subject to the licensing restrictions for encryption software covered by ECCN 5D002, the software portion of Item No. 2 in its entirety, as submitted, is not subject to the EAR if it is made publicly available within the meaning of Section 734.3. As our previous determination also indicates, the non-software portion of Item No. 2 is not subject to the EAR if it does not meet the definition of "technology" under the EAR (e.g., discussion of export policy and the Junger lawsuit) or if it is "publicly available" within the meaning of Section 734.3 of the EAR, whether it is in electronic form or not. Accordingly, if Professor Junger makes all of Item No. 2 publicly available, there are no restrictions under the EAR on Professor Junger's ability to export Item No. 2 as submitted, including the software which it contains.

You also ask what the status of Item No. 2 would be if you modified it in the future to include the software for the RSA algorithm implemented in Perl. Again, BXA's classification is made as to the software itself and, as we previously advised you, this software program in electronic form or media is covered by ECCN 5D002. A software program subject to export licensing requirements under ECCN 5D002 of the CCL is not exempt from the EAR simply because an exporter chooses to consolidate it with items not subject to the EAR. Please note, however, that should you choose to consolidate encryption software subject to ECCN 5D002 with other items, our determination with respect to such software does not mean that the other portions of Item No. 2 discussed above would then become subject to ECCN 5D002, or would be controlled for export in the same manner as such software.

2. You next ask us to "clarify the status of posting html pages that link to encryption programs overseas." In rendering a determination or advisory opinion, BXA assesses the specific proposed export activity which the requestor describes and indicates that he proposes to undertake. In Item No. 3 of Application Z082061, you indicate that Professor Junger wishes to add a page of html links on his web server to sites outside of the United States containing encryption programs. While the use of html links by a person might, in some applications, involve an export, see Section 734.2(b) (export of encryption software includes downloading such software from Internet sites in the United States to locations outside the United States), we reiterate that the activity described by your submission is not an export activity that is subject to the EAR and would also not constitute conduct prohibited by Section 744.9 of the EAR.

You ask whether this determination is "limited to Professor Junger" or whether that same conclusion would follow for anyone else. Again, our determination applies to the activity described by the requestor. BXA cannot render an advisory opinion with respect to activities by other individuals that have not been presented to us. Obviously, however, if the identical activity is described to us by another requestor, our conclusion would be the same.

3. In your July 18 letter, you ask BXA to classify "all programs that implement a certain algorithm rather than actual programs because programs can be written in different languages, versions, and for different operating systems." This is a very different question from your original classification request. In fact, BXA does evaluate specific software products that are implemented on a variety of platforms (such as Windows, OS/2, Macintosh) in a single classification request. Your original request, however, did not seek a classification for a specific software program to be implemented on different operating platforms. Rather, you asked for a classification for "any encryption program that can be used to maintain secrecy by implementing" a certain algorithm, such as RC2 or RSA. See Item Nos. 4 and 5 to Application No. Z082062.

We reiterate that BXA cannot provide a single classification opinion for any encryption product that "implements" a certain algorithm. One reason for this is that encryption products, including software, may have fundamentally different functions, even though they "implement" the same algorithm in hardware or software. ECCN 5D002 is directed at regulating encryption products, including software, that perform a certain function -- i.e., that have the capability of maintaining the secrecy of information. See Section 742.15 of the EAR. Several cryptographic functions are not regulated under ECCN 5A002 and 5D002, including functions limited to access control or password verification, data authentication, and certain banking transactions. See Note to ECCN 5A002; paragraphs (f), (g), (h). Each of these functions, however, may be achieved by implementing the same algorithm in software or hardware form, such as the RSA algorithm. In addition, licensing controls on encryption software that does maintain the secrecy of information may vary depending on how an algorithm is implemented in the software. For example, certain software products classified under ECCN 5D002 that implement an algorithm such as RC4 and RC2, with a key space of no longer than 40 bits, may be eligible for mass market treatment under a license exception.

Thus, it is not possible to provide a single classification for "any program" that "implements" the same algorithm, as you originally requested. If, however, you identify a specific software product, and seek a classification thereof for different operating systems, BXA will provide it in a single classification.

Sincerely,

[Signature]

James A. Lewis
Director
Office of Strategic Trade
     And Foreign Policy Controls

Attachment


ATTACHMENT
ITEM NO 2 - APPLICATION Z082061
CCATS #G006703

ITEM #2: Portions of Chapter One to Computers and the Law, written by Professor Peter Junger in electronic form or media as described in the notes to paragraph (B)(2) & (B)(3) following Section 734.3 of the EAR.

a. Figure 1.2--twiddle program in UUENCODEd machine language is classified EAR99.

b. Figure 1.3--twiddle program in 8086 machine language is classified EAR99.

c. Figure 1.4--Paul C. Leyland's Encryption Program in ANSI C is classified EAR99.

d. Section 1.1.3.2.2--twiddle program in 8086 assembly language is classified EAR99.

[The classification of the non-software portions of Item No. 2 remains unchanged from the July 3, 1997 commodity classification.]