Encryption items can be used to maintain the secrecy of information, and thereby may be used by persons abroad to harm U.S. national security, foreign policy, and law enforcement interests. The U.S. Government has a critical interest in ensuring that important and sensitive information of the public and private sector is protected.
Since the transfer of dual-use encryption items from the United States Munitions List to the Commerce Control List (CCL) on December 6, 1996, export controls on encryption have evolved, consistent with electronic commerce, national security, and law enforcement concerns. The U.S. Government’s encryption policy rests on three principles: (1) a review of encryption products in advance of sale; (2) a streamlined export reporting system; and (3) a license process that preserves the U.S. Government’s ability to review the sale of strong encryption products to foreign governments, military organizations, and nations of concern.
The Department of Commerce published a rule in the Federal Register on June 17, 2003, to update the existing U.S. export controls on dual-use encryption items subject to the Export Administration Regulations (EAR). The purpose of the rule was two-fold: (1) to implement the December 2002 changes to the Wassenaar Arrangement’s “List of Dual-use Goods and Technologies”; and (2) to further clarify U.S. encryption export policy and ensure that it is consistent with the widespread use of encryption products by individuals, businesses, and governments.
The June 17, 2003, rule clarified three points: (1) when encryption commodities and software may be given de minimis treatment; (2) when short-range wireless devices incorporating encryption may be given “mass market” or retail treatment; and (3) that specially designed medical equipment and software are not controlled as encryption or “information security” items under the EAR. The rule also expanded the authorizations according to which travelers departing the United States may take encryption for their personal use, and provided additional guidance on when exporters are required to submit encryption review requests for new products that will be sold or otherwise exported for other than “personal use” overseas. Finally, the rule implemented changes to the Wassenaar Arrangement’s “List of Dual-use Goods and Technologies,” finalized in December 2002, that eliminate national security-based controls on certain types of “personalized smart cards” and equipment controlling access to copyright protected data.
The U.S. Government’s updated encryption policy continues to allow Americans to use strong encryption products to protect their privacy, intellectual property, and other valuable information at home and abroad. However, the June 17, 2003, rule did not change the license requirements or longstanding licensing policies on encryption exports to designated state sponsors of terrorism or sanctioned persons.
Encryption export controls protect U.S. national security, foreign policy, and law enforcement interests. Encryption products can, for example, be used to conceal the communications of terrorists, drug smugglers, and others intent on harming U.S. interests. Cryptographic products and software also have military and intelligence applications that, in the hands of hostile nations, could pose a threat to U.S. national security. These controls are consistent with Executive Order (E.O.) 13026 issued on November 15, 1996, and the Presidential Memorandum of the same date.
1. Likelihood of Achieving the Intended Foreign Policy Purpose. The Secretary has determined that these controls are likely to achieve the intended foreign policy purpose, in light of other factors, including the availability of encryption items from other countries and that the foreign policy purpose cannot be achieved through negotiations or other alternative means. Commensurate with the growth of electronic commerce and the Internet, the number of countries with the technology to produce highly sophisticated, dual-use encryption products continues to grow. However, since much of the world’s commercial cryptography is supplied by a core group of information technology (IT) industry leaders using standard algorithms and protocols, encryption export controls can be effective in achieving their intended foreign policy purpose. Consistent with E.O. 13026 of November 15, 1996, and the Presidential Memorandum of the same date, the Secretary has determined that the updated U.S. encryption export controls achieve the intended purpose of implementing technical review procedures for commercial encryption items and restricting the export of encryption items in situations that would be contrary to U.S. national security or foreign policy interests.
2. Compatibility with Foreign Policy Objectives. The Secretary has determined that these controls are compatible with U.S. foreign policy objectives and will not have any significant adverse foreign policy consequences with the extension of these controls. The controls are consistent with the U.S. foreign policy goal of preventing U.S. exports (and subsequent reexports) that might contribute to destabilizing military capabilities or to international terrorists or criminals aimed at the United States. Updated U.S. encryption export controls implement multilateral agreements and protect U.S. citizens overseas, as well as critical infrastructure assets at home.
3. Reaction of Other Countries. The Secretary has determined that the continued implementation of U.S. encryption export controls is generally accepted in the worldwide community, and that any adverse reaction to these controls is not likely to render the controls ineffective, nor are they counter-productive to the foreign policy interests of the United States. Other allied countries, particularly those capable of producing highly sophisticated encryption products, recognize the need to control exports of such products for national security and law enforcement reasons. The U.S. Government and its key trading and security partners recognize the desirability of securing critical infrastructures, developing new technologies and standards, preventing cybercrime, and promoting electronic commerce, while restricting goods that could compromise common security and foreign policy interests. As a result, members of the Wassenaar Arrangement and other international fora, such as the European Union, continue to work with the U.S. Government on encryption export controls and generally share U.S. security concerns and economic interests relative to trade in encryption.
4. Economic Impact on U.S. Industry. The Secretary has determined that any adverse effect of these controls on the U.S. economy, including on the competitive position of the United States in the international economy, does not exceed the benefit to U.S. foreign policy objectives. The Secretary has determined that the continued implementation of updated encryption regulations will allow U.S. industry to maintain its leadership position in the global market for encryption and other IT products, while ensuring that essential protections for U.S. national security and foreign policy interests, as well as the public safety, are upheld.
Throughout FY 2003, the Bureau of Industry and Security (BIS) processed
a substantial number of pre-export encryption review requests for a variety
of products with encryption features. Specifically, BIS processed review
requests concerning commodities and software for desktop and laptop computers,
wireless handheld devices, e-business applications, network security, and
telecommunications platforms. Except for high-end networking products,
source code items, and products for which the cryptography has been customized
or tailored to customer specification, commercial encryption products may
be exported and reexported to any destination outside Country Group E:1
after a one-time technical review has been conducted pursuant to either
the License Exception ENC (15 C.F.R. § 740.17) or the “mass
market” encryption (15 C.F.R.
§ 742.15(b)(2)) provisions of the EAR.
In FY 2003, BIS received over 1,400 technical review requests for 2,400 controlled encryption products, components, toolkits, and source code items. These encryption reviews comprised 34 percent of BIS’s total output of commodity classifications in FY 2003. Of the 1,759 encryption products reviewed during the fiscal year, 82 percent (or 1,444 encryption reviews) were classified as “retail” (964) or “mass market” (480) encryption items, making them eligible for export and reexport without a license to government and non-government end-users in most countries.
Additionally, during FY 2003 BIS approved 373 license applications for “non-retail” encryption items (such as high-end routers and other network infrastructure equipment) and technology (excluding so-called “deemed exports” that are eligible under License Exception ENC to most foreign national employees). These 373 licenses, valued at $71.1 million, were destined to non-sanctioned end-users outside Country Group E:1 for which licenses were required.
For other encryption license applications completed under the EAR in FY 2003, the Department of Commerce rejected two applications for encryption commodities (classified under ECCN 5A002) valued at $173,352 and returned without action (RWA) 89 applications for encryption items (classified under ECCN 5A002, 5D002 and 5E002) valued at $19.8 million. Many of the latter applications did not require a license, as the transaction was authorized under License Exception ENC.
5. Effective Enforcement of Control. The Secretary has determined the United States has the ability to effectively enforce these controls. Detection of some encryption transactions is difficult since encryption components are often incorporated into other products and encryption software can be transferred over the Internet. However, the importance and value ascribed to commercial encryption products does lead to traceable transfers and distributions. Over the course of implementing U.S. encryption export controls under the EAR, the Department of Commerce has determined that it is easier to enforce controls on proprietary encryption technology and commercial encryption commodities and software than it would be to restrict free distributions of “open source” encryption software under a license requirement.
The U.S. Government continually consults with U.S. industry regarding encryption policy. The objective of these consultations is to develop updated policy solutions to assist law enforcement, protect U.S. national security, ensure continued U.S. technological leadership, and promote the privacy and security of U.S. firms and citizens engaged in electronic commerce in an increasingly networked world. Such consultations have proven successful, as evidenced by the increasing number of encryption items submitted for technical review, constructive industry input on matters of regulations and policy, and continued industry commitment to assist law enforcement to better understand current and future encryption technologies.
In reviewing and examining U.S. encryption policy during FY 2003, the Department of Commerce worked closely with the BIS Technical Advisory Committees (TACs), such as the Regulations and Procedures Technical Advisory Committee (RPTAC) and the Information Systems Technical Advisory Committee (ISTAC), and industry groups such as the Alliance for Network Security (ANS) and the exporting community. Leading up to the publication of updated encryption regulations on June 17, 2003, U.S. industry provided valuable input on its business models and practices for making encryption classification decisions, creating “mass market” products, and seeking de minimis determinations.
In an October 21, 2003, Federal Register notice, the Department of Commerce solicited comments from industry on the effectiveness of U.S. foreign policy-based export controls. Comments were solicited from all six of the Department’s TACs which advise BIS, as well as from the President’s Export Council Subcommittee on Export Administration. Comments were also solicited from the public via the BIS webpage. The comment period closed on November 21, 2003, and eight comments were received.
While none of its comments specifically addressed encryption controls, the Industry Coalition on Technology Transfer (ICOTT) provided general comments about all foreign policy-based export controls, stating that these controls are unilateral and largely ineffective. ICOTT recommended that unilateral controls should only be used when the symbolism of the act of imposing controls outweighs the injury to American workers and businesses. In addition, ICOTT suggested that if unilateral controls are to be imposed while the United States negotiates with its trading partners to seek multilateral support, those unilateral controls should be of limited duration. A detailed review of all comments received can be found in Appendix I.
The U.S. Government has taken the lead in global efforts to prevent international criminals, terrorists, and designated state sponsors of terrorism from acquiring sophisticated encryption products, and urged other supplier nations to adopt export controls comparable to those of the United States. As a result, the major industrial partners of the U.S. Government maintain export controls on encryption equipment and technology. U.S. encryption policy reflects active consultation with other nations, such as members of the Wassenaar Arrangement and the European Union. In this manner, the U.S. Government and the other participants in the Wassenaar Arrangement have established multilateral controls for dual-use encryption items.
In December 1998, Wassenaar Arrangement members agreed to move encryption items from the Sensitive List to the Basic List of dual-use goods and technologies. In addition, a Cryptography Note replaced the General Software Note (GSN) as the basis for evaluating “mass market” encryption items covered by the Wassenaar control list. In December 2000, Wassenaar member countries agreed to remove the 64-bit key length restriction from the Cryptography Note. Accordingly, all “mass market” encryption products, regardless of key length, are decontrolled under the Wassenaar Arrangement and licensing requirements for other encryption items have been eased. In December 2002 (and subsequently implemented by the United States in the June 17, 2003, encryption rule), certain limited types of “personalized smart cards” and “copy protection” items were removed from national security-based controls under the Wassenaar Arrangement control list.
The U.S. Government has undertaken a range of diplomatic efforts, both bilateral (with the Government of Israel, for example) and multilateral (in the Wassenaar Arrangement), to encourage other nations to adopt appropriate restrictions on the export of encryption products. Through cooperation with law enforcement officials in friendly countries, the U.S. Government also has sought to keep encryption products out of the hands of terrorists and criminals. These alternative efforts can only supplement, but not replace, the effectiveness of actual export controls.
The United States recognizes the ongoing adoption and widespread use of encryption overseas, and the continued development of foreign-made encryption hardware and software. The U.S. Government continues to monitor global IT marketplace and encryption policy developments, so that updated U.S. regulations will enable American companies to maintain technological leadership in a manner that safeguards U.S. national security and public safety interests. The U.S. Government does consult with other governments to secure cooperation in controlling the foreign availability of encryption items. However, the U.S. Government’s foreign policy concerns override the impact of foreign availability.