Unpacking the EAR: Inheriting Export Licenses
If you are exporting software that uses encryption outside of the US, to a company that is not a subsidiary of a US company, then you generally need your product to undergo review by the Bureau of Industry and Security (”BIS”). BIS references the Export Administration Regulations (”EAR”), and more specifically the Commerce Control List, to see if your software needs authorization for export.
If your software has the characteristics, or performs or simulates the functions of a product designed or modified to use encryption beyond 56-bits (for a symmetric algorithm, e.g., DES; the requirements are different for other types; see the EAR), then your software may likely be classified as “5D002.” (See the EAR Part 774, Supp. 1, Cat. 5(II)(D).) If you and the government determine your software is 5D002, then you need to be authorized by review.
The context behind this is that the government needs to know about every bit of encryption software that leaves the country so that they know if they can break into it or not. There is a list of countries where the US feels comfortable for you to export to, e.g., some EU countries; and there are countries where there is very little you can export to, e.g., the “E-1,” which currently includes Iran, Libya, Syria, North Korea, Sudan, and Cuba. Everything else falls in the middle where you want the BIS to review your software and then give you the “go ahead.”
Broadly, this process entails getting an Applicant ID Number and a PIN; filling out a BIS 784-P form and a letter of explanation; sending hardcopies per the instructions; and waiting 30 days from the day they register your application until you can ship.
A narrower question is whether the EAR allow software packages to inherit the export licenses of software bundled within.
I think the answer is “no.” Because you are bundling your software with other authorized software, the software package becomes a whole new product–new name, new general functionality, etc. The government then can track what products hold encryption–because that’s really what they’re worried about. Furthermore, for your own safety, it’s best to make sure the government knows about what bundled software you are using and letting them know what export authorization they have received.
Most companies are nervous about process–especially process involving the government. But I believe that they shouldn’t because the turn-around process is fairly fast; and as long as someone with some experience knows how to submit successful 784-Ps, then you should be good to go.
Plus, you can talk to the BIS technical department on a “no-names” basis, and they can guide you through the process.