BIS Changes EAR Regarding the Provision of Keys to Unlock Object Code Software
The Bureau of Industry and Security (BIS) has amended the Export Administration Regulation’s (EAR) definition of “release” so that it does not apply to the provision of access information that would unlock “object code” software, thereby causing the provision of access information to trigger license requirements in more situations. (With respect to software, the EAR’s definition of “release” continues to be limited to “source code.”)
- BIS stated that this means that transferring “access information” (e.g., a key) that would provide access to either “object code” or “source code” requires a license to the same extent as exporting the object code or source code itself would.
- The change means, for example, that the provision of keys, passwords or other access information to allow a foreign person to access object code software it legally received before an export license was required would require a license if the EAR later changed, and a license would be required to export to the foreign person the same software it already possessed.
- Companies that provide keys to unlock object code software (not just source code) will, as a result, need to ensure that their practices are in compliance with the rule. That is, if a license would be needed to export “object code” software, then providing a key to access the same object code on a server in the U.S. or a third country would require a license as well.
The “final rule; technical correction” notice the Department of Commerce’s Bureau of Industry and Security (BIS) published is short and can be read at: 2023-20128.pdf (govinfo.gov).
The context for the notice is that, with respect to software, the EAR’s definitions of deemed exports (§ 734.13(a)(2)) and deemed reexports (§ 734.14(a)(2)) are limited in scope to “source code” subject to the EAR and do not apply to the provision of object code software. Thus, for example, “releasing” controlled object code to a foreign person cannot be a deemed export or a deemed reexport, but “releasing” controlled source code to foreign person could be. These rules have not changed.
The EAR define “release” in section 734.15. With respect to software, the definition also excludes references to “object code” and is limited in scope to (i) the visual or other inspection by a foreign person that reveals “source code;” or (ii) oral or written exchanges with a foreign person of “source code” (in the United States or abroad). Until the notice BIS published, the only section of the EAR where this definition did not apply was section 734.18, which is a list of activities that are not exports, reexports or transfers. BIS’s notice adds section 734.19 to the EAR provisions where the definition of “release” in section 734.15 does not apply.
The rule also adds a note to the otherwise unchanged Section 734.19, which states that to “the extent an authorization would be required to transfer “technology” or “software,” a comparable authorization is required to transfer access information if done with “knowledge” that such transfer would result in the release of such “technology” or “software” without a required authorization.” The note states that “For purposes of this section, a release of “software” includes source code and object code.”
This means that, with respect to deemed exports and deemed reexports of software, the EAR’s definition of “release” is limited to “source code.” With respect to the EAR’s application of the word “release” (but without quotation marks) to providing keys or other access information to unlock or access software, the word applies to both “object code” and “source code.” In other words, the EAR now has two definitions of “release,” one in section 734.15 (limited to “source code” but which is not applicable in the context of sharing “access information”) and one in the note to 734.19 (applicable to both “object code” and “source code,” if in the context of sharing access information).
BIS has not changed the EAR’s generic definition of transfer (without quotation marks and as used in section 734.19) in section 772.1, which “means a shipment, transmission, or release of items subject to the EAR either within the United States or outside the United States.” (This is different from the EAR’s section 734.16 definition of “transfer (in-country),” which is a “change in end use or end user of an item within the same foreign country.”)
Thus, for example, if a company in Russia or on the Entity List legally received uncontrolled object code subject to the EAR before the imposition of sanctions or the listing, the BIS notice makes it clear that an export license would be required to send a key, password or other access information to unlock the object code software the company already possessed if the export of the same software to the same person for the same end use would now, as a result of a rule change, require a license. Another example of a potentially affected event would be the provision of a key to access – even without a download -- an updated version of controlled software that was not within the scope of a previously issued license to export the earlier version of the software.
Finally, companies that provide keys, passwords or other access information to unlock object code software for customers to remotely use the software on servers in the U.S. or third countries should review the notice and its implications to ensure compliance with the EAR.