Encryption items can be used to maintain the secrecy of information, and thereby may be used by persons abroad to harm U.S. national security, foreign policy, and law enforcement interests. The U.S. Government has a critical interest in ensuring that important and sensitive information of the public and private sector is protected.
Since the transfer of dual-use encryption items from the United States Munitions List to the Commerce Control List (CCL) on December 6, 1996, export controls on encryption have evolved, consistent with electronic commerce, national security, and law enforcement concerns. The U.S. Government's encryption policy rests on three principles: (1) a review of encryption products in advance of sale; (2) a streamlined export reporting system; and (3) a license process that preserves the U.S. Government's ability to review the sale of strong encryption products to foreign governments, military organizations, and nations of concern. The U.S. Government's updated encryption policy makes it easier for Americans to use strong encryption products to protect their privacy, intellectual property, and other valuable information at home and abroad.
On June 6, 2002, the Department of Commerce, following extensive industry consultation and interagency review, published a rule in the Federal Register further updating export controls on cryptography. The updated policy reflects changes made to the Wassenaar Arrangement List of dual-use items, and ensures that effective multilateral controls are maintained. The rule allows "mass market" encryption products using symmetric encryption algorithms with key lengths exceeding 64 bits, classified under Export Control Classification Numbers (ECCNs) 5A992 and 5D992, to be exported and reexported to most destinations after a 30-day technical review by the Department of Commerce and the National Security Agency. There are no licensing or post-export reporting requirements related to the export or reexport to most destinations of such "mass market" encryption products, once this review is completed. The June 6, 2002 rule did not change the license requirements or licensing policy on encryption exports to designated state sponsors of terrorism or sanctioned persons.
Encryption export controls protect U.S. national security, foreign policy, and law enforcement interests. Encryption products can, for example, be used to conceal the communications of terrorists, drug smugglers, and others intent on harming U.S. interests. Cryptographic products and software also have military and intelligence applications that, in the hands of hostile nations, could pose a threat to U.S. national security. These controls are consistent with Executive Order 13026 of November 15, 1996, and the Presidential Memorandum of the same date.
1. Probability of Achieving the Intended Foreign Policy Purpose.The Secretary has determined that these controls are likely to achieve the intended foreign policy purpose. Commensurate with the growth of electronic commerce and the Internet, the number of countries with the technology to produce highly-sophisticated, dual-use encryption products continues to grow. This growth is concentrated, however, among nations and trading partners that generally share U.S. security concerns and foreign policy interests. Since much of the world's commercial cryptography is supplied by a core group of information technology (IT) industry leaders using standard algorithms and protocols, encryption export controls can be effective in achieving their intended foreign policy purpose. Consistent with E.O. 13026 of November 15, 1996, and the Presidential Memorandum of the same date, the Secretary has determined that the updated U.S. encryption export controls achieve the intended purpose of implementing technical review procedures for commercial encryption items and restricting the export of encryption items in situations that would be contrary to U.S. national security or foreign policy interests.
2. Compatibility with Foreign Policy Objectives.The Secretary has determined that these controls are compatible with U.S. foreign policy objectives. The controls are consistent with the U.S. foreign policy goal of preventing U.S. exports that might contribute to destabilizing military capabilities or to international terrorists or criminal aimed at the United States. Updated U.S. encryption export controls implement multilateral agreements and protect U.S. citizens overseas and critical infrastructure assets at home.
3. Reaction of Other Countries. The Secretary has determined that any adverse reaction to these controls is not likely to render the controls ineffective. Other allied countries, particularly those capable of producing highly-sophisticated encryption products, recognize the need to control exports of such products for national security and law enforcement reasons. The U.S. Government and its key trading and security partners recognize the desirability of securing critical infrastructures, developing new technologies and standards, preventing cybercrime, and promoting electronic commerce, while restricting goods that could compromise common security and foreign policy interests. As a result, members of the Wassenaar Arrangement and other international arrangements, such as the European Union, continue to work with the U.S. Government on encryption controls.
4. Economic Impact on U.S. Industry. The Secretary has determined that any adverse effect of these controls on the U.S. economy, including on the competitive position of the United States in the international economy, does not exceed the benefit to U.S. foreign policy objectives. The Secretary has determined that the updated encryption regulations will allow U.S. industry to maintain its leadership position in the global market for IT and information security products, while continuing to provide essential protections for national security, foreign policy interests, and public safety.
In FY 2002, the Department of Commerce processed 529 license applications for encryption items, of which 391 license applications (valued at $28.2 million) were approved. The approved licenses include "deemed exports" of encryption technology for employment of foreign nationals residing in the United States. The Department of Commerce also rejected 11 applications valued at $210,214 and returned without action (RWA) 127 applications worth $17.4 million. Many of the RWA'd applications did not require a license or the transaction was authorized under License Exception Encryption Commodities and Software (ENC).
Under current policy, most encryption products require a one-time technical review and classification prior to export. In FY 2002, the Department of Commerce received 915 requests for technical reviews covering 1,538 controlled encryption items. Of the products reviewed, nearly 75 percent were classified as "retail" encryption items, making the items broadly eligible for export without a license to government and non-government end-users. This compares with 890 applications for 1,405 encryption items classified in FY 2001. Eighty percent of the encryption items reviewed in FY 2001 were determined to be "retail" items.
In FY 2002, the Department of Commerce also received 277 classification requests that resulted in 529 encryption items being classified under ECCNs 5A992 and 5D992, which are subject to anti-terrorism controls. Of these items, 95 were granted export and reexport authority under the new provisions for mass market encryption, without key length restriction. The Department of Commerce also received 242 notifications of encryption source code (and corresponding object code) that would be considered publicly available (e.g., posted to the Internet for free download), eligible for export pursuant to License Exception Technology and Software - Unrestricted (TSU) or License Exception ENC.
5. Effective Enforcement of Control. The Secretary has determined the United States has the ability to effectively enforce these controls. Detection of some encryption transactions is difficult since encryption components are often incorporated into other products and encryption software can be transferred over the Internet. However, the importance and value ascribed to commercial encryption products does lead to transfers and distributions that leave a trail that can be followed. In FY 2002, the Department of Commerce fined companies a total of $230,000 for export violations that involved controlled encryption items. It is easier to enforce controls on proprietary encryption technology and commercial encryption commodities and software than it is to restrict free distributions of "open source" encryption.
The U.S. Government continually consults with U.S. industry regarding encryption policy. The objective of these consultations is to develop updated policy solutions to assist law enforcement, protect national security, ensure continued U.S. technological leadership, and promote the privacy and security of U.S. firms and citizens engaged in electronic commerce in an increasingly networked world. Such consultations have proven successful, as evidenced by the increasing number of encryption items submitted for technical review, constructive industry input on matters of regulations and policy, and continued industry commitment to assist law enforcement to better understand current and future encryption technologies.
The Department of Commerce worked closely with industry groups such as the Regulations and Procedures Technical Advisory Committee (RPTAC), the Information Systems Technical Advisory Committee (ISTAC), the Alliance for Network Security (ANS), and the American Electronics Association (AeA) during the drafting phase of the updated rule for encryption policy that was published on June 6, 2002. Industry provided valuable input on its business models and practices for reporting purposes and other issues.
Previously, the President's Export Council Subcommittee on Encryption (PECSENC) advised on matters relevant to encryption policy. However, the PECSENC fulfilled its mission and its charter expired on September 30, 2001.
On September 27, 2002, the Department of Commerce, via the Federal Register and the Bureau of Industry and Security's Web page, solicited comments from industry on the effectiveness of foreign policy-based export controls. The comment period closed on November 29, 2002. A detailed review of the comments received is available in Appendix I.
The U.S. Government has taken the lead in global efforts to prevent international criminals, terrorists, and rogue states from acquiring sophisticated encryption products, and urged other supplier nations to adopt export controls comparable to those of the United States. As a result, the major industrial partners of the U.S. Government maintain export controls on encryption equipment and technology. U.S. encryption policy reflects active consultation with other nations, such as members of the Wassenaar Arrangement and the European Union. In this manner, the U.S. Government and the other participants in the Wassenaar Arrangement have established multilateral controls for dual use encryption items.
In December 1998, Wassenaar Arrangement members agreed to move encryption items from the Sensitive List to the Basic List. In addition, a Cryptography Note replaced the General Software Note (GSN) as the basis for evaluating "mass market" encryption items covered by the Wassenaar control list. In December 2000, Wassenaar member countries agreed to delete the 64-bit key length restriction in the Cryptography Note. Accordingly, all mass market encryption products, regardless of key length, are decontrolled under the Wassenaar Arrangement and licensing requirements for other encryption items have been eased.
The U.S. Government has undertaken a range of diplomatic efforts, both bilateral and multilateral, to encourage other nations to adopt appropriate restrictions on the export of encryption products. Through cooperation with law enforcement officials in friendly countries, the U.S. Government also has sought to keep encryption products out of the hands of terrorists and criminals. These efforts can only supplement, but not replace, the effectiveness of actual export controls.
The United States recognizes the spread and growing use of encryption overseas, and the continued development of foreign-made encryption hardware and software. The U.S. Government has updated its encryption framework in response to international marketplace and policy developments so that U.S. companies can maintain technological leadership in a manner that safeguards U.S. national security and public safety interests.