Q

Which email encryption products can be released internationally?

In this SearchSecurity.com Q&A, application security expert Michael Cobb explains the email encryption products that can be used outside of the United States.

What are some internationally releasable email encryption options? PGP would be nice, but it has to be used in Iraq.

Firstly, I'm not a lawyer, and I strongly recommend that you consult one if you wish to use an email encryption program in Iraq. Here's what I do know. The Bureau of Industry and Security (BIS) is responsible for implementing and enforcing the Export Administration Regulations (EAR), which regulate the export and re-export of most commercial items. Any item, including software, sent from the United States to a foreign destination is considered an export.

So what does this mean for email encryption programs? Programs that provide encryption capabilities are subject to U.S. export controls and sanctions administered by BIS under EAR, and the Commerce Control List (CCL). Most commercial encryption products have a license exception assigned to them by the BIS. This allows vendors to export them to specified destinations without always having to go to the Commerce Department for special permission.

Taking PGP as an example, all PGP-enabled products fall within three types of License Exception: Mass Market (eligible for export with no license required), ENC Restricted (eligible for export to any end user in EU member countries) and ENC Unrestricted (eligible for export to any end user). None of these categories, however, allow encryption products to be exported to the following embargoed countries: Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria.

If you wish to take or send an email encryption program to Iraq, then you will have to apply for an export license from the BIS and possibly obtain authorization from other U.S. government agencies as well. The U.S. government, and vendors too, are very serious about controlling the export of encryption tools. In PGP's license agreements, for example, customers must represent that they will not export to a prohibited country or to a restricted type of user. Even the release of technology or source code to a foreign national in the United States is subject to the EAR and is deemed to be an export to the home country of the foreign national. I would contact a lawyer or PGP Corp. for further advice.

More information:

  • Use OpenPGP to verify the authenticity of email senders and receivers.
  • Learn the pros and cons of using an email encryption gateway.

This was first published in July 2007.