
I'm in charge of product security in our US-based startup and I plan to use NaCl for encryption (well, Sodium, actually).

I'm trying to navigate the labyrinth of US export regulations - something I have never dealt with before.

By now I'm aware that encryption export from the United States is governed by the EAR and BIS. This latter classifies software containing encryption, and assigns each product to an ECCN (export classification control number) category.

I'm not asking for legal advice here, just how would you tackle it? Does one really need a lawyer to categorize a product that uses an open-source crypto library?

UPDATE: Apache Foundation matrix classifies all their software as ECCN 5D002 and exports it under TSU exception in EAR 740.13(e). The OpenSSL Software Foundation went the same route.

That said, I now have to figure out whether closed-source software that uses an open-source crypto library can also be exported under the EAR 740.13(e) exception, or whether another exception applies.

Thank you in advance.

portnoy
  • Afaik public domain is exempt from export regulation. NaCl is in the public domain. – CodesInChaos Aug 21 '13 at 15:32
  • But most likely your product which uses NaCl needs permission. Luckily the process has become much simpler over the last few years. It's little more than an online questionnaire nowadays. – CodesInChaos Aug 21 '13 at 16:27

1 Answer

I believe that Sodium, as an open source project, qualifies for section (e) of the TSU exemption to export controls: http://www.gpo.gov/fdsys/pkg/CFR-2006-title15-vol2/xml/CFR-2006-title15-vol2-sec740-13.xml

(I'm not a lawyer, but this is what is used by the Apache foundation for cryptography-related code, as I understand it.)

David
  • What I remember is that open source requires notification to some institution and public domain doesn't even require that. – CodesInChaos Aug 21 '13 at 15:35
  • Thank you. I'm going to update my question with what I've discovered so far based on your Apache lead. – portnoy Aug 22 '13 at 02:55
  • I'd also like to leave the link to the recent [§734.3 document](http://www.ecfr.gov/cgi-bin/text-idx?c=ecfr&sid=0b0afc51fe92782c861a262037482799&rgn=div8&view=text&node=15:2.1.3.4.22.0.1.3&idno=15) here – portnoy Aug 22 '13 at 03:24