§ 120.54 Activities that are not exports, reexports, retransfers, or temporary imports.
(a) The following activities are not exports, reexports, retransfers, or temporary imports:
(1) Launching a spacecraft, launch vehicle, payload, or other items into space.
(2) Transmitting or otherwise transferring technical data to a US person in the United States from a person in the United States.
(3) Transmitting or otherwise transferring within the same foreign country technical data between or among only US persons, so long as the transmission or transfer does not result in a release to a foreign person or transfer to a person prohibited from receiving the technical data.
(4) Shipping, moving or transferring defense articles between or among the United States as defined in § 120.13 of this subchapter.
(5) Sending, taking, or storing technical data that is:
(i) Unclassified;
(ii) Secured using end-to-end encryption;
(iii) Secured using cryptographic modules (hardware or software) compliant with the Federal Information Processing Standards Publication 140-2 (FIPS 140-2) or its successors, supplemented by software implementation, cryptographic key management, and other procedures and controls that are in accordance with guidance provided in current US National Institute for Standards and Technology (NIST) publications, or by other cryptographic means that provide security strength that is at least comparable to the minimum 128 bits of security strength achieved by the Advanced Encryption Standard (AES-128);
(iv) Not intentionally sent to a person in or stored in a country proscribed in § 126.1 of this subchapter or the Russian Federation; and
Note to paragraph (a)(5)(iv): Data in-transit via the internet is not deemed to be stored.
|
§734.18 Activities that are not exports, reexports, or transfers.
(a) Activities that are not exports, reexports, or transfers. The following activities are not exports, reexports, or transfers:
(1) Launching a spacecraft, launch vehicle, payload, or other items into space.
(2) Transmitting or otherwise transferring “technology” or “software” to a person in the United States who is not a foreign person from another person in the United States.
(3) Transmitting or otherwise making a transfer (in-country) within the same foreign country of “technology” or “software” between or among only persons who are not “foreign persons,” so long as the transmission or transfer does not result in a release to a foreign person or to a person prohibited from receiving the “technology” or “software.”
(4) Shipping, moving or transferring items between or among the United States, the District of Columbia, the Commonwealth of Puerto Rico, or the Commonwealth of the Northern Mariana Islands or any territory, dependency, or possession of the United States as listed in Schedule C, Classification Codes and Descriptions for US Export Statistics, issued by the Bureau of the Census.
(5) Sending, taking, or storing “technology” or “software” that is:
(i) Unclassified;
(ii) Secured using ‘end-to-end encryption;’
(iii) Secured using cryptographic modules (hardware or “software”) compliant with Federal Information Processing Standards Publication 140-2 (FIPS 140-2) or its successors, supplemented by “software” implementation, cryptographic key management and other procedures and controls that are in accordance with guidance provided in current U.S. National Institute for Standards and Technology publications, or other equally or more effective cryptographic means; and
(iv) Not intentionally stored in a country listed in Country Group D:5 (see supplement no. 1 to part 740 of the EAR) or in the Russian Federation.
Note 1 to paragraph (a)(5)(iv): Data in-transit via the Internet is not deemed to be stored.
|
(b)(1) For purposes of this section, end-to-end encryption is defined as:
(i) The provision of cryptographic protection of data, such that the data is not in an unencrypted form, between an originator (or the originator's in-country security boundary) and an intended recipient (or the recipient's in-country security boundary); and
(ii) The means of decryption are not provided to any third party.
(2) The originator and the intended recipient may be the same person. The intended recipient must be the originator, a US person in the United States, or a person otherwise authorized to receive the technical data, such as by a license or other approval pursuant to this subchapter.
|
(b) Definitions. For purposes of this section, End-to-end encryption means
(i) the provision of cryptographic protection of data such that the data is not in unencrypted form between an originator (or the originator's in-country security boundary) and an intended recipient (or the recipient's in-country security boundary), and
(ii) the means of decryption are not provided to any third party. The originator and the recipient may be the same person.
|
§ 120.50Release.
(a) * * *
(3) The use of access information to cause or enable a foreign person, including yourself, to access, view, or possess unencrypted technical data; or
(4) The use of access information to cause technical data outside of the United States to be in unencrypted form.
(b) Authorization for a release of technical data to a foreign person is required to provide access information to that foreign person, if that access information can cause or enable access, viewing, or possession of the unencrypted technical data.
|
§734.15 Release.
(a) Except as set forth in §734.18, “technology” and “software” are “released” through:
(1) Visual or other inspection by a foreign person of items that reveals “technology” or source code subject to the EAR to a foreign person; or
(2) Oral or written exchanges with a foreign person of “technology” or source code in the United States or abroad.
(b) Any act causing the “release” of “technology” or “software,” through use of “access information” or otherwise, to yourself or another person requires an authorization to the same extent an authorization would be required to export or reexport such “technology” or “software” to that person.
§734.19 Transfer of access information.
To the extent an authorization would be required to transfer “technology” or “software,” a comparable authorization is required to transfer access information if done with “knowledge” that such transfer would result in the release of such “technology” or “software” without a required authorization.
|