US Export Laws (Encryption Cloud Service)

Question

Okay - so I have been extensively looking into US export/import laws relating to encryption software (5D992), however I have a few questions about the laws and their applicability.

1. So, the laws obviously apply to encryption software distributed online, say through iTunes or Windows Store, however "designed for installation by the user without further substantial support by the supplier" is stated within Supplement No. 1 to Part 774 Note 3 - would that mean an applicaiton that is mearly a "iframe" (for want of a better way to descibe it) would not meet that requirement?

2. Are cloud services subject to the export laws on encryption software?

I do know if I did a standard iPhone app that used AES-256 I would need to apply for a license, however in my above situations, it becomes somewhat messy and confusing. Especially the "designed for installation by the user without further substantial support by the supplier".

(I'll provide this link for reference to the "designed for installation by the user without further substantial support by the supplier" within http://www.bis.doc.gov/encryption/ccl5pt2.pdf)

I'm basically trying to determine if my cloud service may or may not need a license for US export/import.

If you guys want more info just let me know and i'll do my best to reply.

Thanks in advance.

Answer 1

I would ask a lawyer rather than the Internet, but it was my understanding that you it is the software containing the algorithms that you can't export. As long as your cloud is running in the US and you don't use any client side encryption that falls under export control, you are probably ok, since your system is doing the encryption and the UI they get doesn't contain the algorithms, but I'd double check with a lawyer about that because I am not one.