Sourceforge requires that you state whether your OSS uses encryption:

This project DOES incorporate, access, call upon or otherwise use encryption. Posting of open source encryption is controlled under U.S. Export Control Classification Number "ECCN" 5D002 and must be simultaneously reported by email to the U.S. government. You are responsible for submitting this email report to the U.S. government in accordance with procedures described in: http://www.bis.doc.gov/encryption/PubAvailEncSourceCodeNotify.html and Section 740.13(e) of the Export Administration Regulations ("EAR") 15 C.F.R. Parts 730-772.

My software uses Java which can contain encryption and I'm planning to add features to create encrypted project files (so you can safely backup your projects in the cloud, for example).

Questions:

  1. Does my project currently "incorporate, access, call upon or otherwise use encryption" or not?

  2. Since I'm using the Java API and you must download the encryption code yourself from the Sun website (so Sun must have already done everything necessary to comply with US export laws), will my software fall under these terms?

  3. If so, what are my options? Should I move my project from Sourceforge, or do I really have to restrict access to an application which is basically a wiki editor?

+2  A: 

As far as I can tell from the URL you cite, your project does not "incorporate, access, call upon or otherwise use encryption" yet. When you add your "features to create encrypted project files", then at that time your project will "call upon encryption".

Since the encryption code implementation itself is in the JVM, which you do not provide, your project does not "incorporate" encryption, and will not.

What the BIS page states is that you have to send them an email when you make your code publicly available. This is the easy path; if your code were not open-source, then procedures would be heavier. I see nothing in this page which states that you must wait for an answer, so it is just a matter of taking three minutes to send the email. They want to be aware of what encryption tools are out there, but they do not want to impede OSS development by mandating complex procedures.

What Sourceforge tells you is that they will not send the email for you; it is up to you to do it. Note that you do not have to do it yet, since your code does not call upon encryption yet.

Moving from Sourceforge would not help you. The BIS regulations are not meant for Sourceforge alone, but for the whole of the USA (I am assuming that you are located in the USA). The legal requirement for the email notification applies to all Internet-based exports, regardless of whether the hosting site is called "Sourceforge" or something else; the Sourceforge maintainers are just being professional and helpful, in that they inform you of the existence of said legal requirement. Restricting access would be counterproductive: it would make your project "not publicly available", which means that procedures for export would be more complex than the simple email notification.

So just send the damn email, and be done with it.

Thomas Pornin
+1 Thanks for the elaborate answer. I'm not living in the US, so I could probably search for a hosting site for my project which isn't in the US, but I guess sending the mail won't be that much trouble, either.
Aaron Digulla