When you leave the United States, you need to know your responsibilities under export control regulations. In particular if you are traveling with your laptop or any other electronic devices these items along with the underlying technology, any data on your device, proprietary information, confidential records, and encryption software are all subject to export control regulations. Some foreign governments have regulations that permit the seizure of travelers’ computers and the review of their contents. U.S. Customs officials are also authorized to review the contents of travelers’ a laptops without probable cause and can be held until your return.
For these reasons it is recommended that you review the Global Support Services, International Data Security Guidance webpage prior to embarking on international travel with laptops, iPads and other electronic devices.
Taking Electronic Devices
Researchers commonly travel with commercially available electronic devices such as laptops, PDAs, iPads, cell phones, drives, and other digital storage devices. These items often come with pre-loaded encryption software which is subject to the Department of Commerce, Export Control Regulations (EAR). Many of these items can be temporarily exported under the EAR license exception “Temporary exports-Tools of the Trade” (TMP) or Baggage (BAG).
The TMP License Exception provides that when laptops, PDAs and other digital storage devices (and related technology and software) are being used for professional purposes, returned within 12 months, kept under effective control of the exporter while abroad (i.e., kept in a hotel safe or other secured space or facility) and other security precautions are taken against unauthorized release of technology (i.e., use of secure connections, password systems, and personal firewalls), then the TMP License Exception might apply. The baggage (BAG) license exception covers personal items that are owed by the researcher and intended only for their personal use. These License Exceptions do not apply to Cuba, Iran, North Korea, Sudan, or Syria. You must contact the HSPH Export Control Officer before using either of these License Exceptions, as they are subject to record-keeping requirements.
Sharing Information While Traveling
You can freely take with you and exchange with anyone the results of fundamental research conducted on the Harvard University (Cambridge and Longwood) campuses. However, if your work involves technical data controlled for defense of non-defense work a license from the Department of State may be required. Contact the HSPH Export Control Officer for more information.
Encryption – Publicly Available
Harvard-owned computers are routinely equipped with PGP (Cambridge/HMS), MacAfee Endpoint Encryption (HSPH) for PCs, or Credant (Mac Laptops*) encryption software and are subject to export control regulations under the Commerce Department’s Bureau of Industry and Security (BIS) and its Export Administration Regulations (EAR). These products have been granted either an “Encryption Commodities, Software and Technology” (ENC) or “Mass Market” license exception. EXCEPT for export to any embargoed destinations (including any company or national of Cuba, Iran, North Korea, Sudan, and Syria) this license exception allows the transport of a University-owned or personally-owned computer to any country as long as the computer remains under the traveler’s effective control. As part of PGP, MacAfee Endpoint, and Credant licenses, end users agree that they will not export the software to a prohibited country or individual.
Countries that Restrict the Import of Encryption Products
Because encryption products can be used for illegal purposes many countries may ban or severely regulate the import and export of encryption products. The import of your laptop with encryption software to certain countries could violate the import regulations of the country to which you are traveling, and could result in your laptop being confiscated, fines, or in other penalties.
Encryption – Developed at Harvard
Harvard researchers, including faculty, staff and students, who are developing encryption software need to be aware of export control implications.
In most instances, encryption code developed at Harvard falls under the Fundamental Research Exclusion (FRE) and is not subject to export control laws and regulations. However, the FRE can be eroded if restrictions on the research exist. It is important that researchers make available any encryption code developed during the course of their research on a publicly-available website as quickly as possible. Access to the code should be open and not subject to login or password requirements. Failure to make the code publicly available in a timely way may trigger the application of export control laws, including restrictions on “deemed exports” to non-U.S. citizens within the U.S.
“Strong” Dual-Use Encryption Code
While most encryption code should be posted immediately to a publicly accessible website, researchers must inform an export control officer before making software available if it falls under the definition of “strong encryption software”. Strong dual-use encryption, is defined in the Export Administration Regulations, Part 774, Commerce Control List, Category 5 (Part 2) Information Security at 5A002 (encrypted hardware) and 5D002 (encryption software).
The above content is offered as guidance to individuals. It is intended as a general overview of issues related to the export of encryption software and is not exhaustive. Questions about the application of export control regulations to specific situations should be directed to your HSPH Export Control Officer or Ellen Berkman in the Office of General Counsel.
Bureau of Industry and Security, U.S. Department of Commerce Commercial Encryption Export Controls FAQs
Bureau of Industry and Security, U.S. Department of Commerce “Is my item classified under Category 5, Part 2 of the EAR?”