Export Compliance Daily is a Warren News publication.

Exporters Should Be 'Very Careful' of Misusing New End-to-End Encryption Carve-Out in ITAR, Experts Say

Companies should ensure their data is fully encrypted with no access by third parties before using the new encryption carve-out in the upcoming amendments to the International Traffic in Arms Regulations, according to a cybersecurity compliance expert and a trade lawyer. Although they lauded the ITAR for recognizing that some technology, such as encryption, can protect transfers of export controlled data, both said complying fully with the carve-out may be complicated. “There is a wrong way to do the end-to-end encryption, so you need to be very careful when applying it,” said Alex Major, a cybersecurity and trade lawyer with McCarter & English, speaking during a Feb. 27 webinar hosted by the Massachusetts Export Center.

The carve-out, which takes effect March 25, is part of an interim final rule recently issued by the State Department that defines activities that are not exports, re-exports, retransfers or temporary imports (see 1912230052). The rule makes significant changes to reduce the compliance burden surrounding encrypted data and to facilitate international data storage and transfers (see 1912300024).

But companies using the carve-out to export data need to ensure they are encrypting the data correctly, said Ryan Heidorn, a cybersecurity compliance expert with Steel Root, an information technology services company. Some encryption arrangements would amount to misuse of the rule and violations of the ITAR. “It’s super important and probably more difficult than you'd think to implement true end-to-end encryption,” Heidorn said.

Heidorn stressed that true end-to-end encryption exists only when the parties responsible for the data are the only ones who “could potentially decrypt that data.” That means companies should exclude third parties, including certain encryption apps, which may perform some encryption services but may not meet the ITAR’s standard. “End-to-end encryption is when you, as an organization, hold the decryption keys,” Heidorn said. “Meaning that you could be using a commercial service like Google Mail or Office 365, and even if there's encryption in place, if those other entities hold the decryption key, that is not end-to-end encryption.”

Major said compliance with the carve-out ultimately depends on “key management,” or how securely companies manage the encryption keys for their exported data. There are companies that perform strong end-to-end encryption, such as PreVeil, Major said, but others may not fully comply with the ITAR. “You need to make sure you're talking to people who know what they're talking about when it comes to the key management,” Major said. “If you give that key to a third party … you lose the protection of the carve-out. It’s very important.”
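The point Heidorn and Major are making, that what matters is whether the organization or a third party holds the decryption key, can be made concrete in code. The Go program below is an added example written for this page; it is not code from the webinar, from PreVeil, or from any service named above. It models a commercial provider that stores AES-256-GCM ciphertext and asks one question: can the provider, from what it holds alone, recover the plaintext? When the key is handed to the provider (as when a service "has encryption in place" but manages the keys itself) the answer is yes, which is the configuration the speakers say is not end-to-end; when the key stays with the organization, the provider stores opaque bytes. The names Provider, Blob, Upload and CanDecrypt, and the sample data, are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// sampleTechData is a constructed stand-in for an export-controlled file.
var sampleTechData = []byte("Hypothetical controlled technical data: part 4471-B rev C")

// Blob is all a mail or storage provider receives in the client-side model:
// a nonce and AES-GCM ciphertext (tag included). The key is not part of it.
type Blob struct {
	Nonce      []byte
	Ciphertext []byte
}

// Provider models a commercial service that stores blobs. key is non-nil only
// when the provider was given the key (provider-managed encryption).
type Provider struct {
	Name  string
	key   []byte
	Store map[string]Blob
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM. aad (the object id here) is
// authenticated but not encrypted, so a blob cannot be moved between ids.
func Seal(key, plaintext, aad []byte) (Blob, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	return Blob{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

// Open decrypts and verifies a blob; a wrong key or any altered byte fails.
func Open(key []byte, b Blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, aad)
}

// CanDecrypt reports whether the provider can recover the plaintext from what
// it holds alone. True means a third party has the decryption key, the case
// the speakers say does not qualify as end-to-end encryption.
func (p *Provider) CanDecrypt(id string) bool {
	b, ok := p.Store[id]
	if !ok || p.key == nil {
		return false
	}
	_, err := Open(p.key, b, []byte(id))
	return err == nil
}

// Upload generates a fresh 256-bit key, encrypts plaintext before it reaches
// the provider, and stores only the blob. With providerHoldsKey the provider
// is also handed the key, as with provider-managed "encryption at rest".
// The key is returned to the uploading organization in both cases.
func Upload(p *Provider, id string, plaintext []byte, providerHoldsKey bool) ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	b, err := Seal(key, plaintext, []byte(id))
	if err != nil {
		return nil, err
	}
	if p.Store == nil {
		p.Store = make(map[string]Blob)
	}
	p.Store[id] = b
	if providerHoldsKey {
		p.key = key
	}
	return key, nil
}

func main() {
	p := &Provider{Name: "cloud storage"}
	orgKey, _ := Upload(p, "doc1", sampleTechData, false)
	pt, err := Open(orgKey, p.Store["doc1"], []byte("doc1"))
	fmt.Printf("provider can decrypt: %v; organization decrypts: %q (err=%v)\n",
		p.CanDecrypt("doc1"), pt, err)
}
```

The example covers key custody only. It does not address the rule's other conditions, for example its requirement that the cryptography be FIPS 140-2 compliant or of comparable strength, and Go's standard library is not a FIPS-validated module. Whether a particular deployment qualifies for the carve-out remains a question for compliance counsel, not for this snippet.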

Although encryption can be complex, both Major and Heidorn said that the carve-out can be a significant tool for exporting controlled data. “I consider this a win for the ITAR to recognize that technology can protect export controlled data across networks,” Heidorn said.