Free Downloads of Mass Market Software by Anonymous Persons Do Not Violate EAR

The U.S. Department of Commerce's Bureau of Industry and Security (BIS) released an advisory opinion, dated September 11, 2009, on whether a company would be in violation of the Export Administration Regulations (EAR) if it allowed encryption software, classified by BIS as "mass market," to be downloaded free of charge from the company's website without restriction.

In the advisory opinion, BIS stated:

Publishing "mass market" encryption software to the Internet where it may be downloaded by anyone neither establishes "knowledge" of a prohibited export or reexport nor triggers any "red flags" necessitating the affirmative duty to inquire under the "Know Your Customer" guidance provided in the EAR. Therefore a person or company would not be in violation of the EAR if it posts "mass market" encryption software on the Internet for free and anonymous download and then at a later time the software is downloaded by an anonymous person in Iran, Cuba, Syria, Sudan or North Korea.

On the issue of whether the same would apply if the user was required by the company to provide a name and email address before download occurs, BIS stated that in such a case the download of the software would not be considered anonymous; thus, allowing the download by a person in a country embargoed under the EAR (15 C.F.R. Part 746) without the necessary licenses would constitute a violation of the EAR. 

However, where the IP address of the user downloading the software is collected by the software provider at the time of the download and is stored as a "footprint" in the machine code of the software provider's database but is not tracked or used for any purpose by the software provider, a violation would not occur.

The advisory opinion was limited to the interpretation of the EAR; the sanctions regulations implemented by the Office of Foreign Assets Control of the U.S. Department of Treasury (OFAC) were not addressed.