A while ago someone wrote to mozilla.org staff asking “What is the ECCN for Mozilla?” For that small fraction of the world’s population who knows what an ECCN is (an “Export Control Classification Number” for U.S. encryption export control regulations) and cares about what Mozilla’s ECCN happens to be, here’s the answer I gave. Note that this is not an “official” answer, but it’s the closest thing to it you’re likely to get.

Source versions of Mozilla (including the NSS source code) as distributed by mozilla.org are subject to the [U.S. Export Administration Regulations] EAR, i.e., they are US-origin items containing encryption functionality, items which in general would require an export license based on section 742.15(1)(i) of the EAR.

Mozilla source code (including NSS source code in particular) is officially classified under ECCN 5D002.c.1. However as an open source product Mozilla (including NSS) is governed by section 740.13(e) of the EAR, “Unrestricted encryption source code,” and Mozilla source code is exportable from the US without an export license under License Exception TSU (Technology and Software - Unrestricted).

The situation for binary versions of Mozilla (object code) is a bit trickier. In the simplest case Mozilla binary versions (including NSS object code) would also be considered classified under ECCN 5D002.c.1, and would again be exportable under License Exception TSU per section 740.13(e) of the EAR. This is per 740.13(e)(2) and a clarification issued by the government (see the third paragraph under item 1).

However there’s another possibility. So-called “retail software” distributed in binary form is covered by the “cryptography note” (note 3) and after review by the government (as outlined in section 742.15(b) of the EAR) can be released from the EI controls of ECCN 5D002; at that point it is considered to be classified under ECCN 5D992 instead (ECCN 5D992.b.1 to be precise) and is exportable without a license (“no license required” or NLR).

If I recall correctly this is essentially what AOL did with Netscape 7, and I believe it would be possible to get binary versions of Mozilla treated the same way; however I’m not sure that AOL ever did this.

In summary, as I understand it Mozilla (source or binary) would normally be considered classified under ECCN 5D002.c.1 and exportable under License Exception TSU. However binary versions of Mozilla could be reclassified under ECCN 5D992.b.1 after government review and exported without a license (NLR); I’m not sure whether this was ever done or, if not, whether the Mozilla Foundation plans to do it. (Although at the moment I wouldn’t bet on it.)

UPDATE: Fixed bad links to the EAR and the Bernstein advisory letter.

UPDATE: On his Export Control Blog Scott Gearity makes the point that anyone could request BIS review for NLR export of Mozilla-related binaries if they wanted to. This might be relevant for US corporations bundling Firefox, Thunderbird, etc., with their software and/or hardware.