Unclassified defense technical data that is properly secured with end-to-end encryption is no longer considered an export when it is transmitted outside the U.S., as of March 25, 2020. Access to the unencrypted data by an unauthorized foreign person, however, remains an ITAR-controlled export. This change resulted from an Interim Final Rule coming into effect from the U.S. Department of State Directorate of Defense Trade Controls (DDTC) that amended the International Traffic in Arms Regulations (ITAR).

The new ITAR rule amends the definition for “activities that are not exports, reexports, retransfers, or temporary imports,” to include the transmission of unclassified defense technical data utilizing end-to-end encryption.[1] Specifically, the rule states that it is not an “export” under the ITAR to send, take, or store unclassified “technical data” – information and software required for all aspects of a defense article’s life cycle from design through operation, maintenance, and modification – if the technical data is secured using end-to-end encryption meeting the National Institute for Standards and Technology’s (NIST) Federal Information Processing Standards (FIPS) Publication 140-2, or a comparable minimum 128-bit security strength encryption algorithm. (22 CFR § 120.54(a)(5); see also § 120.54(c)).[2]

The ITAR encryption rule change releases the end-to-end encrypted data transmission from ITAR control, but the unencrypted defense technical data within that encrypted transmission remains ITAR-controlled. Thus, parties will be strictly liable if “access information” is used to “release” unencrypted technical data outside the U.S. or to a foreign person not authorized to receive the data. “Access information” is defined to include decryption keys, network access codes, and passwords. In addition to the pre-existing definitions of a “release,”[3] the new rule now also defines a “release” as the use of access information to “cause or enable a foreign person, including yourself, to access, view, or possess unencrypted technical data,” or to “cause technical data outside of the United States to be in unencrypted form”. (22 CFR § 120.50(a)(3)-(4)). DDTC cautions that the foreign person has to be authorized to receive the technical data before he or she is provided the access information that will permit accessing the data in an unencrypted state.[4]

This Interim Final Rule substantially aligns the ITAR with the analogous rule in the Export Administration Regulations (EAR), which apply to dual-use exports.[5] For instance, both this new ITAR encryption rule and the existing EAR encryption rule require that technical data crossing security boundaries remains in an encrypted state without the means of decryption being provided to a third party.[6] This alignment is welcome news for companies dealing in defense articles and defense services. It means companies that have already modernized their data storage and transmission policies for technology/technical data subject to the EAR will find they will be able to extend those policies to unclassified ITAR-controlled technical data. In other words, they will be able to streamline their internal data storage and data-sharing practices by moving ITAR-controlled unclassified technical data into the cloud,[7] potentially even with a foreign cloud provider, rather than having to store it separately and locally.

Compliance risks remain with this new ITAR encryption rule, however, such as the following:

1) Compliance with export restrictions of U.S. allies. This new end-to-end encryption standard enables a more free flow of unclassified defense technical data in compliance with U.S. regulations. Nevertheless, companies holding both U.S. and non-U.S. defense technical data must be cognizant that U.S. allies’ regulatory regimes have yet to adopt a similar standard for export of defense technical data; implementing a single cloud-based solution will remain a significant challenge. In responding to comments, DDTC stated that it is working to solve this issue in consultation with its allies.

2) Avoiding an unauthorized “release” as broadly defined by the rule. The definition of “release” in the rule is very broad, as discussed above. As commenters on the proposed rule pointed out, the new definition could result in violations whenever a foreign national unauthorized person’s user account is accidentally provided access credentials for an encrypted network drive containing unclassified defense technical data, even if that person never actually accesses the data or even knew they had been granted such access.[8] DDTC has insisted in the past “that theoretical or potential access to technical data is not a release,”[9] but companies should proceed with caution given the new broad definition of “release.”

3) Compliance with restrictions on transiting through or being stored in the Russian Federation or a list of proscribed countries. It is not a violation for end-to-end encrypted unclassified defense technical data that is in transit through the internet to be transiently and unintentionally stored in Russia or an ITAR-proscribed country[10] by virtue of being data in transit through the internet.[11] But storage in these countries or transmission of such data from these countries does constitute a violation. Such a violation carries strict liability, so even a contractual assurance from a counterparty expressly warranting that no storage will occur in Russia or a § 126.1 country is insufficient protection.[12] DDTC does note in the Interim Rule that it “will review potential violations on a case-by-case basis, subject to the totality of the facts and circumstances . . . ,”[13] in acknowledgement of the difficulty of controlling the actions of third parties such as service providers and subcontractors.

Given the rule came into force as an interim final rule, it is still possible DDTC will fine-tune the rule further. If you have questions about this encryption rule’s effect on your operations or have other ITAR or EAR export compliance questions, contact Ivan W. Bilaniuk or your Dinsmore attorney.