Export Control for Open-Source Software and Quantum Researchers: Level 1
By Jonny Olson and Erik Chmelar at Young Basile Hanon &MacFarlane, P.C.
This guide is for researchers who want to share their work responsibly while staying compliant with U.S. export control laws. It simplifies the rules into a few clear steps so you can quickly tell whether your work is clearly exempt or whether you should pause and seek legal guidance. It is not meant to cover every possible situation but instead focuses on the typical scenarios that individual, academic, or independent researchers are most likely to encounter. It is also not intended for researchers working on behalf of companies or commercial entities who may face different rules and obligations. If you are working for a university, ensure you understand what publication restrictions (both from the university per se and from grants) apply to your work. When in doubt, assume controls apply or seek legal counsel.
- Step 1: First, ask yourself whether your research is explicitly defense-related. If it involves weapons, military systems, satellites, or other technologies on the U.S. Munitions List, or if it is funded or restricted for military purposes, then you should stop and seek a legal review because International Traffic in Arms Regulations (ITAR) controls likely apply. If not, continue to the next step.
- Step 2: If your research is not explicitly defense-related, the next question is whether you are sharing your work with anyone outside the United States (an “export”), or with a non-U.S. citizen inside the U.S. (a “deemed export”) A “non-U.S. citizen” means someone who is not a U.S. citizen, a lawful permanent resident (green card holder), or a protected individual such as a refugee or asylee. If you are sharing only with individuals physically located within the U.S. who are U.S. citizens, permanent residents, or protected individuals, then this is not considered an export or a deemed export and no controls apply. If you are sharing with anyone else, continue to the next step.
- Step 3: Consider whether your work involves encryption software or code. If it contains encryption routines, cryptographic libraries, or security-related code, then you should stop here and seek a legal review, because encryption has its own special set of rules. If the system is not specially designed for encryption but merely could be used to implement encryption, this does not trigger review. If there is no encryption functionality, continue to the next step.
- Step 4: Determine whether the work that is being exported (or deemed exported) may be excluded from U.S. export regulations. What matters here is the nature of the information being shared, not the act of export. If an exclusion applies, the export is not controlled, and you are free to share the work. If no exclusion applies, continue to the next step.
-
- Exclusion 1 – Already Published: Is the work already published and freely available without restrictions and without restrictions upon its further dissemination, such as in a journal, at a conference, on a website, or in a public repository? If so, the exclusion applies.
-
-
- Note that submissions for publication or presentation with the intent to make the material public satisfy the published exclusion. Websites requiring users to make an account to access information may still invoke the “published” exclusion so long as there are no restrictions on who can make the account; payment for access is not a factor. Repositories or websites that are private, restricted, or subject to contributor agreements limiting dissemination are not excluded. If the information you are sharing could be found publicly, even if the export itself is in a private setting, the open publication exclusion may still apply.
-
-
-
- Is Open-Source an Open Publication? Unrestricted public software repositories satisfy the published exclusion provided that the repository is publicly accessible and the software license allows free use, sharing, and redistribution. Examples of repositories that can meet this exclusion include public projects on GitHub, GitLab, SourceForge, or BitBucket, assuming they are openly accessible and freely licensed. Note that “freely” refers to restrictions on who can license, not the financial cost to license.
- Examples of free licenses:
- Apache License 2.0
- BSD Licenses (3-Clause and 2-Clause)
- GNU General Public Licenses (GPL-2 and GPL-3)
- Creative Commons Attribution 4.0 International (CC BY 4.0)
- Licenses where non-commercial use is free, commercial use is paid but unrestricted.
- Examples of licenses that wouldn’t apply:
- Licenses restricted to “non-commercial use”.
- Licenses restricting who can pay for commercial use.
- Licenses restricted to certain regions or users, e.g., prohibiting Chinese companies from use.
- Examples of free licenses:
- Is Open-Source an Open Publication? Unrestricted public software repositories satisfy the published exclusion provided that the repository is publicly accessible and the software license allows free use, sharing, and redistribution. Examples of repositories that can meet this exclusion include public projects on GitHub, GitLab, SourceForge, or BitBucket, assuming they are openly accessible and freely licensed. Note that “freely” refers to restrictions on who can license, not the financial cost to license.
-
-
- Exclusion 2 – Fundamental Research Publication: Are you planning to publish science, engineering, or mathematics research without any restrictions on dissemination? If so, the exclusion applies.
-
-
- Note that restrictions on dissemination can include restrictions from funding sources, collaborators, institutional agreements, or others to whom you have an obligation. If research results are reviewed before publication (for example, to check for patent issues or to remove a sponsor’s proprietary material), it doesn’t automatically preclude the work from being considered fundamental research. However, if a decision is made to restrict publication (such as keeping results secret, proprietary, or under nondisclosure), then the results are no longer excluded.
-
- Step 5: If you are here, then it means that: (1) your work is not related to defense or cryptography; (2) sharing your work would be considered an export (or deemed export); and (3) your work doesn’t fall under one of the exclusions to U.S. export regulation. To complete the analysis, you must determine whether the subject matter itself is identified in the Commerce Control List (CCL) of the Export Administration Regulations (EAR). If so, then it is subject to export controls. Because the EAR classifications related to quantum computing are currently in flux, we recommend seeking legal review to make this determination.