Export Control for Open-Source Software and Quantum Researchers: Level 2

By Erik Chmelar and Jonny Olson at Young Basile Hanon &MacFarlane, P.C.

Quantum research and open-source software thrive on worldwide collaboration—and in some cases depend on it. A basic understanding of U.S. export law is therefore invaluable for researchers and developers who wish to share their work without risking legal consequences. This guide distills the most relevant U.S. export law into a few manageable steps, focusing on two key areas: (1) direct exports, meaning the transfer of controlled technology or items to any person or organization located outside the U.S.; and (2) deemed exports, meaning the release of controlled technology to a foreign national within the U.S. regardless of the foreign national’s visa or immigration status, but excluding U.S. citizens, lawful permanent residents, and protected individuals (such as refugees or asylees). U.S. export law includes the Export Administration Regulations (EAR), the International Traffic in Arms Regulations (ITAR), and occasional Rules published in the Federal Register as Interim Final Rules (IFRs) or Final Rules. The EAR and an IFR published on September 6, 2024 are the most relevant for quantum technologies, software (e.g., executable code), and source code (e.g., human-readable instructions).

1. 1. A. Export Administration Regulations (EAR)The EAR
      regulates exports, reexports (e.g., transfer of U.S.-origin technology from one foreign country to another), and deemed exports of dual-use items—products and technologies that have both commercial and potential military applications—including controlled technology, software, and source code (hereafter collectively called “technology”). Specific sections of the EAR can be easily found online, where top hits usually link to the Code of Federal Regulations at ecfr.gov. This guide provides section or part numbers and their links where the exact language of the EAR can be read. Important aspects of the EAR include a “published” exclusion, a “fundamental research publication” exclusion, and several categories of “prohibited persons” to which exports are prohibited.
      1. “Published” Exclusion
         Technology that is publicly available or published, without restrictions on further dissemination, is excluded from EAR controls under § 734.7. Open-access journal publications or library collections, public conferences or seminars, Internet posting on publicly available websites, and submissions for publication or presentation with the intent to make the material public satisfy the published exclusion. Unrestricted public software repositories may satisfy the published exclusion provided that the repository is publicly accessible and the software license allows free use, sharing, and redistribution. Repositories that are private, restricted, or subject to contributor agreements limiting dissemination do not qualify. Examples of repositories that can meet this exclusion include public projects on GitHub, GitLab, SourceForge, or BitBucket, assuming they are openly accessible and freely licensed. Most open-source software licenses, which are legal instruments that formally grant permission to distribute freely, ensure the distributed software meets the criteria for being considered published. Apache License 2.0, BSD Licenses (3-Clause and 2-Clause), GNU General Public Licenses (GPL-2 and GPL-3), and Creative Commons Attribution 4.0 International (CC BY 4.0) all qualify as published under the EAR. A critical exception to the published exclusion applies to encryption software. Even if publicly available, encryption source code and object code classified under ECCN 5D002 remain subject to the EAR under §742.15(b). However, such software is typically eligible for export without a license under License Exception ENC under EAR §740.17(b). For publicly available open-source encryption software, the main requirement of License Exception ENC is that the exporter provide a one-time email notification to the Bureau of Industry and Security (BIS), at [email protected], and the National Security Agency (NSA), at [email protected], identifying the URL of the publicly available source code. Another exception to the published exclusion is software or technology related to the production of firearms or other controlled items, even if made publicly available (see §734.7(c)). This limitation ensures that certain sensitive technologies remain controlled despite being publicly accessible (Def. Distributed v.Platkin, 697 F. Supp. 3d 241).
      2. “Fundamental Research Publication” Exclusion
         Technology that arises during, or results from fundamental research and is intended to be published is excluded from EAR controls (see §734.8). Fundamental research is defined as research in science, engineering, or mathematics, the results of which are ordinarily published and shared broadly within the research community, and for which the researchers have not accepted restrictions for proprietary or national security reasons (see §734.8(c)). The decision to freely publish or disclose research results is paramount to this exemption from the EAR. So long as there are no restrictions on dissemination—whether from funding sources, collaborators, or institutional agreements—the technology or software that arises during, or results from, the fundamental research are excluded from EAR jurisdiction, even if the subject matter would otherwise be controlled (e.g., would otherwise require an export license). The EAR clarifies that prepublication review (e.g., for patent filing, or to protect a sponsor’s proprietary inputs) does not, on its own, disqualify the research from fundamental research status—provided such review does not restrict the publication of the researchers’ own results (see §734.8(b)). However, once a decision is made to restrict or protect the release or publication of results (e.g., by keeping data proprietary or accepting nondisclosure restrictions), the information becomessubject to the EAR if it falls within the scope of §734.3(a).
      3. Prohibited Persons
         Exports, reexports, and deemed exports cannot be made to a prohibited person without an export license specifically authorizing that transaction. Prohibited persons include individuals and entities listed on the Entity List (EL), Denied Persons List (DPL), Unverified List (UVL), and the Military End-User List (MEU), as well as those involved in prohibited end-uses or subject to other restrictions under EAR Part 744 (see EAR Part 744—Control Policy; End-User and End-Use Based).
   2. B. September 6, 2024 Interim Final Rule (IFR)The
      September 6, 2024 Interim Final Rule (IFR) establishes new controls on the deemed exports and reexports of quantum technology and software to foreign nationals from Country Groups D:1 and D:5 (see 89 FR 72926 and Supplement No. 1 to EAR Part 740—Country Groups). The IFR also introduces a General License (GL) that authorizes certain deemed exports and reexports of quantum technology and software to eligible foreign nationals, provided the exporter complies with annual reporting requirements (89 FR 72926 II.A General License). The GL specifically covers items identified under ECCNs 3D901, 3E901, 4D906, 4E906, which relate to quantum-related software and technology (see EAR Part 774—The Commerce Control List). Eligibility under the GL is limited to foreign nationals whose most recent country of citizenship or permanent residency is in Country Group D:1 or D:5 and who are not “prohibited persons” as defined under EAR Part 744.
   3. C. International Traffic in Arms Regulations (ITAR)The ITAR governs the export, reexport, and deemed export of defense articles, technical data, and defense services listed on the U.S. Munitions List (USML) (see ITAR Part 121—The United States Munitions List). Any disclosure of defense articles or technical data to a “foreign person” requires prior authorization from the Directorate of Defense Trade Controls (DDTC). Under ITAR, “foreign persons” include individuals and entities who are not U.S. citizens, lawful permanent residents, or protected individuals (such as refugees or asylees); who are nationals of countries subject to ITAR arms embargoes or restrictions; or who appear on denial or sanctions lists, including the DDTC Debarred List and the U.S. Department of the Treasury’s Specially Designated Nationals (SDN) List. Similar to the EAR, the ITAR includes an exclusion for information that is in the “public domain.” While the definition of public domain includes certain fundamental research, it is not a broad and affirmative fundamental research exclusion like in the EAR. The ITAR excludes published information indirectly by specifying that information in the public domain (see 120.34) is not included in the definition of “technical data” (see 120.33) controlled by the ITAR. Public domain means information that is published and generally available to the public, such as at libraries, in patents, and through subscriptions that are available without restriction to any individual who desires to obtain or purchase the published information. Public domain also includes certain fundamental research inscience and engineering at accredited U.S. institutions, where the resulting information is ordinarily published and broadly shared in the scientific community. However, research is not considered fundamental—and thus not in the public domain—if the researchers or institution accept restrictions on publication or if the research is U.S. Government-funded with specific access or dissemination controls (see 120.34(a)(8)).
   4. D. Checklist for Legally Sharing Quantum Technology, Software, or Source CodeThe following checklist outlines key steps for sharing quantum technologies, software, or source code in line with the EAR (technology having both commercial and potential military applications), ITAR (technology specifically designed for military use), and the September 6, 2024 IFR (specific quantum technologies). It helps identify which rules apply, check exemptions and license requirements, screen for restricted parties, and keep proper records. Following these steps supports safe international collaboration while reducing the risk of violating U.S. export laws. If a disclosure qualifies for an exclusion or exemption under the EAR or ITAR—such as the published exclusion (§734.7), the fundamental research exclusion (§734.8), or other applicable exceptions—then many of the remaining steps in this checklist may not be necessary. These provisions remove the technology or software from U.S. export controls, meaning licensing, restricted party screening, and other compliance measures generally do not apply, provided the dissemination is truly public and unrestricted.
      1. Determine Applicability of EAR and ITAR:
         • a. Verify whether the quantum technology is listed under the Commerce Control List (CCL) of the EAR or the U.S. Munitions List (USML) of the ITAR.
         • b. Assess whether the disclosure constitutes a deemed export (disclosure to foreign national physically located in the U.S.) or export (release to a foreign national abroad).
      2. Evaluate Published Exclusion:
         • a. Determine whether the disclosure qualifies for exclusion as “published” information under EAR §734.7, meaning it is open to the public without restrictions upon its further dissemination, such as by publicly posting on a website, online forum, or public repository.
      3. Evaluate Fundamental Research Exclusion:
         • a. Determine whether the disclosure qualifies for exemption as “fundamental research” under EAR
           §734.8, meaning it is intended for open publication and not subject to proprietary, contractual, or national security restrictions.
         • b. Restrictions on access, use, or dissemination imposed by sponsoring entities or agreements may negate this exclusion.
      4. Check Licensing Requirements for Deemed Exports under the EAR or ITAR:
         • a. For deemed exports under EAR, verify the foreign national’s most recent country of citizenship or permanent residency, and confirm eligibility under the applicable General License (GL) or other license exception.
         • b. For ITAR-controlled items, ensure that any disclosure of technical data or defense services to foreign nationals complies with applicable licensing requirements from the Directorate of Defense Trade Controls (DDTC), such as a Technical Assistance Agreement (TAA), which authorizes furnishing defense services or disclosing technical data to foreign persons, a Manufacturing License Agreement (MLA), which authorizes manufacturing defense articles abroad, or a Distribution Agreement (WDA), which authorizes a warehouse or distribution point abroad for defense articles.
      5. Verify General License (GL) Eligibility:
         • a. Confirm the quantum technology falls under a covered ECCNs (3D901, 3E901, 4D906, 4E906).
         • b. Ensure the foreign national is from an eligible country (Country Group D:1 or D:5) and is not subject to restrictions under EAR Part 744 (e.g., Entity List (EL), Denied Persons List (DPL), Unverified List (UVL), Military End-User List (MEU)).
      6. Ensure Compliance with Reporting Requirements:
         • a. Submit annual reports for transactions conducted under the GL for deemed exports of quantum technology, as required by BIS.
         • b. Maintain detailed records of the foreign national’s identity and the disclosed technology.
         • c. For ITAR-controlled items, ensure compliance with recordkeeping and reporting obligations under ITAR Part 122 and Part 123.
      7. Address Exclusions to EAR and ITAR:
         • a. Confirm whether the quantum technology is already published or otherwise made publicly available (e.g., through journals, websites, or public conferences) under EAR §734.7,which may exempt it from export controls.
         • b. Check whether the exclusion for publicly available software and technology under EAR §734.3(b) applies, or whether the License Exception ENC (Encryption Commodities, Software and Technology) under EAR §740.17 applies for encryption-related exports.
      8. Conduct Restricted Party Screening:
         • a. Before any disclosure or export, screen foreign nationals, entities, and end-users against all applicable restricted party lists under EAR and ITAR (e.g., Entity List (EL), Denied Persons List (DPL), Unverified List (UVL), Military End-User List (MEU)), as well as Treasury’s OFAC SDN List.
      9. Review End-Use and End-User Restrictions:
         • a. Verify that the intended use and end-user of the quantum technology do not trigger additional controls or prohibitions under EAR Part 744 or ITAR regulations.
      10. Monitor ITAR-to-EAR Transitions:
          • a. For items transitioning from ITAR to EAR, ensure compliance with EAR provisions while ITAR restrictions remain in effect during the transition period. All regulatory changes, including transitions from the U.S. Munitions List (USML) to the Commerce Control List (CCL), are published in the Federal Register.
          • b. Submit voluntary self-disclosures to both the Bureau of Industry and Security (BIS) (e.g., via email to [email protected]) and the Directorate of Defense Trade Controls (DDTC) (e.g., via email to [email protected]) if a potential violation of either EAR or ITAR is discovered.

Click here to download this article.

Top Page | Level 0 | Level 1