(a) For purposes of the EAR, the Export of encryption source code and object code “software” means:
(1) An actual shipment, transfer, or transmission out of the United States (see also paragraph (b) of this section); or
(2) A transfer of such “software” in the United States to an embassy or affiliate of a foreign country.
(b) The export of encryption source code and object code “software” controlled for “EI” reasons under ECCN 5D002 on the Commerce Control List (see supplement no. 1 to part 774 of the EAR) includes:
(1) Downloading, or causing the downloading of, such “software” to locations (including electronic bulletin boards, Internet file transfer protocol, and World Wide Web sites) outside the U.S., or
(2) Making such “software” available for transfer outside the United States, over wire, cable, radio, electromagnetic, photo optical, photoelectric or other comparable communications facilities accessible to persons outside the United States, including transfers from electronic bulletin boards, internet file transfer protocol and World Wide websites, unless the person making the “software” available takes precautions adequate to prevent unauthorized transfer of such code. See §742.15(b) of the EAR for additional requirements pursuant to which exports or reexports of encryption source code “software” are considered to be publicly available consistent with the provisions of §734.3(b)(3). Publicly available encryption source code “software” and corresponding object code are not subject to the EAR, when the encryption source code “software” meets the additional requirements in §742.15(b) of the EAR.
(c) Subject to the General Prohibitions described in part 736 of the EAR, such precautions for Internet transfers of products eligible for export under §740.17(b)(2) of the EAR (encryption “software” products, certain encryption source code and general purpose encryption toolkits) shall include such measures as:
(1) The access control system, either through automated means or human intervention, checks the address of every system outside of the U.S. or Canada requesting or receiving a transfer and verifies such systems do not have a domain name or Internet address of a foreign government end-user (e.g., “.gov,” “.gouv,” “.mil” or similar addresses);
(2) The access control system provides every requesting or receiving party with notice that the transfer includes or would include cryptographic “software” subject to export controls under the Export Administration Regulations, and anyone receiving such a transfer cannot export the “software” without a license or other authorization; and
(3) Every party requesting or receiving a transfer of such “software” must acknowledge affirmatively that the “software” is not intended for use by a government end user, as defined in part 772 of the EAR, and he or she understands the cryptographic “software” is subject to export controls under the Export Administration Regulations and anyone receiving the transfer cannot export the “software” without a license or other authorization. BIS will consider acknowledgments in electronic form provided they are adequate to assure legal undertakings similar to written acknowledgments.
[81 FR 35604, June 3, 2016, as amended at 81 FR 64668, Sept. 20, 2016; 86 FR 16487, Mar. 29, 2021]