On January 14, 2000, the Bureau of Export Administration (BXA) published regulations implementing the Administration's September 16, 1999, announcement simplifying the export of cryptography. The United States encryption policy rests on three tenets: a review of encryption products in advance of sale, a streamlined post-export reporting system, and a license process that preserves the U.S. Government's ability to review the sale of strong encryption to foreign governments, military organizations, and nations of concern. Just as the market for information security products has grown and changed, this policy continues to evolve consistent with the national interest in areas such as electronic commerce, national security, and support to law enforcement.
Under the January 2000 regulations, any encryption commodity or software can be exported under a license exception, after a technical review, to any non-government end-user worldwide, except for sanctioned or embargoed destinations. To ensure streamlined exports to non-government end users, companies may export products under this provision thirty days after submitting the products for technical review. Moreover, a new category of products called "retail encryption commodities and software" may now be exported after technical review to any end user, including government end users, under this same license exception. Retail encryption commodities and software are those which are generally available to the public, are easy to install, and which implement cryptography that cannot be easily changed, modified, or customized by the customer. Certain restrictions apply to telecommunications and Internet service providers, and network infrastructure products such as high-end routers and switches may not be exported under these retail provisions.
Previous liberalizations for banks, financial institutions and other approved sectors are subsumed under this license exception. The licensing of commercial encryption source code, toolkits, and technology continues to be considered on a case-by-case basis. Release of encryption technology to foreign nationals working for U.S. companies in the United States is eligible for license exception treatment as well.
Post-export reporting under this encryption license exception ensures compliance with U.S. regulations and has allowed the Administration to reduce licensing requirements for non-embargoed destinations. This streamlined export policy ensures the continuing competitiveness of U.S. companies in international markets, while maintaining a balance among national security, public safety, commercial and privacy interests.
On July 17, 2000, the Administration announced further updates to U.S. encryption export policy in order to coordinate U.S. policy with regulations adopted by the European Union. The regulation implementing these changes was published on October 19, 2000. The most significant change for U.S. companies is the ability to export encryption products and technology under license exception to any end user in the 15 nations of the European Union as well as Australia, Norway, Czech Republic, Hungary, Poland, Japan, New Zealand, and Switzerland immediately upon notifying BXA of intent to export. Companies no longer need to wait 30 days before exporting to these destinations. Highly sophisticated encryption items such as source code, general purpose toolkits, and high-end routers and switches can also be exported under these new procedures. To facilitate the development of next generation products and to allow more market flexibility, products that enable U.S. and non-U.S. sourced products to operate together may also be immediately exported. Licenses are only required for "cryptanalytic items," a specialized class of tools not normally used in commercial environments.
These new regulations include streamlined export provisions for beta test software, products which are compiled from "open" source, and products which implement short-range wireless encryption technologies such as HomeRF and Bluetooth. Post-export reporting is also streamlined under the new regulations. Reporting is no longer required for products exported by U.S.-owned overseas subsidiaries; retail operating systems; and desktop applications (such as e-mail programs and browsers) designed for, bundled with, or pre-loaded on single CPU devices such as personal computers, laptops, or handheld devices.
U.S. encryption policy reflects active participation with other nations, such as members of the Wassenaar Arrangement. In December 1998, Wassenaar Arrangement members agreed to move encryption items from the Sensitive List to the Basic List, and to make other revisions to encryption controls. This agreement was the culmination of a two-year effort to modernize and improve multilateral export controls on encryption. The January 14, 2000, U.S. regulation implements this agreement, which simplifies export controls on many encryption products. For example, 64-bit mass market encryption products which previously required a review can now be exported immediately (see Section D).
Encryption export controls are in place to protect U.S. national security, foreign policy and law enforcement interests, particularly as they relate to the safety of U.S. citizens at home and abroad. Encryption can be used to conceal the communications of terrorists, drug smugglers and other individuals intent on taking actions harmful to U.S. facilities, personnel or security interests. Use of cryptographic products by criminals and terrorists makes it more difficult for law enforcement agencies to uncover and prevent hostile acts before they occur. Cryptographic products and software also have military and intelligence applications that, in the hands of hostile nations, could pose a threat to U.S. national security. These controls are consistent with Executive Order 13026 of November 15, 1996, and a Presidential Memorandum of the same date.(1)
1. Probability of Achieving the Intended Foreign Policy Purpose. Commensurate with the growth of electronic commerce in the world's most developed nations, the number of countries with the technology to produce highly sophisticated encryption products is growing. This growth is concentrated, however, among nations and trading partners that generally share U.S. security concerns and foreign policy interests. Also, since much of the world's cryptography is supplied by a core group of information security industry leaders, encryption export controls can be very effective in achieving their intended foreign policy purpose. Consistent with Executive Order 13026 of November 15, 1996, and a Presidential Memorandum of the same date, the Secretary has determined that these controls achieve the intended purpose of restricting the export of commercial encryption items, in situations in which their export would be contrary to U.S. national security or foreign policy interests.
2. Compatibility with Foreign Policy Objectives. The Secretary has determined that the controls are compatible with the foreign policy objectives of the United States. The controls are consistent with the U.S. foreign policy goal of preventing U.S. exports that might contribute to destabilizing military capabilities or to international terrorist or criminal activities against the United States and its citizens. The controls also contribute to public safety by promoting the protection of U.S. citizens overseas.
3. Reaction of Other Countries. The Secretary has determined that the reaction of other countries to this control has not rendered the control ineffective in achieving its intended foreign policy purpose nor counterproductive to U.S. foreign policy interests. Other allied countries, particularly those with the capability to produce highly sophisticated encryption products, recognize the need to control exports of encryption products for national security and law enforcement reasons. The United States and its key trading and security partners recognize the desirability of securing critical infrastructures, developing new technologies and standards, thwarting cybercrime, and promoting electronic commerce, while restricting goods that could compromise our common security and foreign policy interests. As a result, members of the Wassenaar Arrangement and other international arrangements, such as the European Union, continue to track the U.S. position and implement the multilateral agreements.
4. Economic Impact on United States Industry. The Secretary has determined that the Administration's updated framework for encryption export controls meets the need of U.S. industry to remain the leader in the global market for information security products, while continuing to provide essential protections for national security reasons.
In FY 2000, the United States processed 1,094 license applications for encryption items. The United States approved 842 applications valued at approximately $1.9 billion, denied 9 applications valued at approximately $3 million, and returned without action (RWA'd) 243 applications valued at approximately $160 million. Thirty-seven percent fewer license applications were processed in FY 2000 than in the previous fiscal year, due in large part to the increased availability of the encryption license exception in the new regulations. From January 14, 2000, until the end of the fiscal year, 680 requests for technical review and classification of items with "strong" encryption (greater than 64-bits of key) were processed. Of the 1,077 items reviewed in these applications, 65 percent were made eligible for export through the retail export provisions of the new regulation.
5. Enforcement of Control. Detection of some encryption transactions is difficult since encryption capability is often incorporated into other products and encryption software can be transferred over the Internet. Conversely, the importance and value of the capability to encrypt data leads to transfers that leave a commercial trail that can be followed. It is easier to enforce controls on proprietary encryption than on "open source" encryption.
Since March 1998, and continuing throughout 2000, the Administration has engaged in an intensive dialogue with U.S. industry on encryption policy. The participants in this dialogue have sought to find cooperative solutions that would assist law enforcement, protect national security, ensure continued U.S. technological leadership, and promote the privacy and security of U.S. firms and citizens engaged in electronic commerce. This dialogue has proven successful, as evidenced by the ever-increasing number of encryption items submitted for export review and classification, along with continued industry commitment to assist law enforcement in better understanding current and future technologies.
U.S. firms have overwhelmingly supported the Administration's new export controls framework. Industry provided valuable input on its business models and practices for reporting purposes and other issues during the drafting phase of the regulations. Encryption policy and other information security topics are regularly discussed at conferences, seminars, and meetings with industry.
The President's Export Council Subcommittee on Encryption (PECSENC) met throughout the year to advise the President, through the President's Export Council and the Secretary of Commerce, on matters pertinent to implementing an encryption policy that will support the growth of electronic commerce while protecting public safety, and promoting foreign policy and national security interests. U.S. policy and regulations also reflect consultation with groups such as the Regulations and Procedures Technical Advisory Committee (RPTAC), Alliance for Network Security (ANS), Americans for Computer Privacy (ACP), and the Computer Systems Policy Project (CSPP).
On November 6, 2000, the Department of Commerce, via the Federal Register and via BXA's web page, solicited comments from industry on the effectiveness of foreign policy-based export controls. A more detailed review of the comments is available in Appendix I. A letter received from BMC Engineering provided comments on encryption technology controls. BMC stated that when an encryption product is sold over the Internet the control is unenforceable since there is no way to verify end user information.
The United States has taken the lead in efforts to prevent international criminals, terrorists and rogue states from acquiring sophisticated encryption products, urging other supplier nations to adopt export controls comparable to those of the United States. As a result, the major industrial partners of the United States maintain their own export controls on encryption equipment and technology. In addition, the United States and the other participants in the Wassenaar Arrangement have established multilateral controls for these items.
The January 14, 2000, U.S. regulations reflect the December 1998 agreement made by Wassenaar members to move encryption items from the Sensitive List to the Basic List, and to make other revisions to encryption controls. This agreement simplified export controls on many encryption products. For example, it created a positive list of controlled encryption products. In the past, the Wassenaar Arrangement required participating countries to control all encryption products without regard to encryption strength. Now, the new list clearly states that products with an encryption key length of 56 bits or less are no longer controlled.
Wassenaar member countries also agreed in 1998 that the General Software Note (GSN) should not apply to encryption. It was replaced with a new cryptography note. The GSN allowed countries to export mass-market encryption software without limits on the key length. The December 3, 1998, modification was essential to close loopholes that permitted the uncontrolled export of encryption with unlimited key length; accordingly, the agreement set the key length threshold for mass-market products at 64 bits or less. The agreement also extended liberalized mass-market treatment to hardware encryption products. Previously, only mass-market software enjoyed this liberalized treatment. The December 1998 agreement also eliminated requirements to report exports of encryption products, and removed controls on certain consumer electronic items such as DVD products, personal computer-based media players, and cordless telephone systems designed for home or office use.
The United States has undertaken a range of diplomatic means, both bilateral and multilateral, to encourage other nations to adopt appropriate restrictions on the export of encryption products. Through cooperation with law enforcement officials in friendly countries, the United States has also sought to keep encryption products out of the hands of terrorists and criminals. However, these efforts can only supplement, not replace, the effectiveness of actual export controls.
The United States recognizes the growing use of encryption overseas, and the continued development of foreign-made encryption hardware and software. The Administration's new encryption framework responds to international marketplace developments to guarantee that U.S. industry can maintain its technological leadership in information security products in a manner that safeguards our national security and public safety interests.
The President's Executive Order of November 15, 1996, addressed the issue of foreign availability as it relates to encryption items transferred from the U.S. Munitions List (USML) to the Commerce Control List (CCL) with the following statement:
"I have determined that the export of encryption products could harm national security and foreign policy interests even where comparable products are or appear to be available from sources outside the United States, and that facts and questions concerning the foreign availability of such encryption products cannot be made subject to public disclosure or judicial review without revealing or implicating classified information that could harm United States national security and foreign policy interests.
Accordingly, sections 4(c) and 6(h)(2)-(4) of the Export Administration Act of 1979, 50 U.S.C. App. 2403(c) and 2405(h)(2)-(4), as amended and as continued in effect by Executive Order 12924 of August 19, 1994, and by notices of August 15, 1995, and August 14, 1996, all other analogous provisions of the EAA relating to foreign availability, and the regulations in the EAR relating to such EAA provisions, shall not be applicable with respect to export controls on such encryption products. Notwithstanding this, the Secretary of Commerce may, in his discretion, consider the foreign availability of comparable encryption products in determining whether to issue a license in a particular case or to remove controls on particular products, but is not required to issue licenses in particular cases or to remove controls on particular products based on such consideration."