Encryption items can be used to maintain the secrecy of information, and therefore may be used by persons abroad to harm U.S. national security, foreign policy, and law enforcement interests. The U.S. Government has a critical interest in ensuring that persons opposed to the United States are not able to conceal hostile or criminal activities, and that the legitimate needs for protecting important and sensitive information of the public and private sectors are met.
Since the transfer of dual-use encryption items from the United States Munitions List to the Commerce Control List (CCL) on December 6, 1996, export controls on encryption have evolved in response to electronic commerce developments and national security and law enforcement concerns. U.S. encryption export policy continues to be directed by three fundamental principles: technical review of encryption products prior to sale, streamlined post-export reporting, and license reviews of proposed transactions involving strong encryption to certain foreign government end-users and countries of concern. U.S. encryption policy also seeks to ensure that American companies are not disadvantaged by the European Union’s “license-free zone.”
Following extensive interagency consultations and discussions with Technical Advisory Committees and industry representatives, the Department of Commerce published a rule on December 9, 2004, to simplify and strengthen the U.S. export policy for encryption items (69 FR 71356). Highlights of the changes include: simpler treatment of exports to U.S. subsidiaries and recognition of the 2004 expansion of the European Union in License Exception ENC, a reduced requirement to notify the U.S. Government of changes to source code posted on the Internet pursuant to License Exception TSU, and explicit authority for the U.S. Government to request additional information about an encryption product after it becomes eligible for License Exception ENC following a 30-day review period.
Encryption export controls protect U.S. national security, foreign policy, and law enforcement interests. Encryption products can, for example, be used to conceal the communications of terrorists, drug smugglers, and others intent on harming U.S. interests. Cryptographic products and software also have military and intelligence applications that, in the hands of hostile nations, could pose a threat to U.S. national security. These controls are consistent with Executive Order (E.O.) 13026, which was issued on November 15, 1996, and the Presidential Memorandum of the same date.
1. Probability of Achieving the Intended Foreign Policy Purpose. The Secretary has determined that these controls are likely to achieve the intended foreign policy purpose, in light of other factors, including the availability of encryption items from other countries; and that the foreign policy purpose cannot fully be achieved through negotiations with the participating states of the Wassenaar Arrangement or through alternative means. Commensurate with the growth of electronic commerce and the Internet, and the emergence of new security protocols such as for short-range wireless communications, the number of countries with the technology to produce highly sophisticated, dual-use encryption products continues to grow. However, since much of the world’s commercial cryptography is supplied by a core group of information technology (IT) industry leaders using standard algorithms and protocols, encryption export controls can be effective in achieving their intended foreign policy purpose. Consistent with E.O. 13026 of November 15, 1996, and the Presidential Memorandum of the same date, the Secretary has determined that the updated U.S. encryption export controls achieve the intended purpose of implementing technical review procedures for commercial encryption items and restricting the export of encryption items in situations that would be contrary to U.S. national security or foreign policy interests.
2. Compatibility with Foreign Policy Objectives. The Secretary has determined that these controls are compatible with U.S. foreign policy objectives, and that the extension of these controls will not have any significant adverse foreign policy consequences. The controls are consistent with the U.S. foreign policy goal of preventing U.S. exports (and subsequent reexports) that might contribute to destabilizing military capabilities, or to the capabilities of international terrorists, or criminals. In addition, foreign policy concerns and non-proliferation considerations will continue to determine licensing policy to embargoed and sanctioned destinations. Updated U.S. encryption export controls implement multilateral agreements and protect U.S. citizens overseas, as well as critical infrastructure assets at home.
3. Reaction of Other Countries. The Secretary has determined that the continued implementation of U.S. encryption export controls is generally accepted in the international community, and that any adverse reaction to these controls is not likely to render the controls ineffective, nor are they counter-productive to the foreign policy interests of the United States. Other countries, particularly those capable of producing highly sophisticated encryption products, recognize the need to control exports of such products for national security and law enforcement reasons. The U.S. Government and its key trading and security partners recognize the desirability of securing critical infrastructures, developing new technologies and standards, preventing cybercrime, and promoting electronic commerce, while restricting goods that could compromise common security and foreign policy interests. As a result, participating states of the Wassenaar Arrangement and other multilateral fora, such as the European Union, continue to work with the U.S. Government on encryption export controls and generally share U.S. security concerns and economic interests relative to trade in encryption.
4. Economic Impact on U.S. Industry. The Secretary has determined that any adverse effect of these controls on the U.S. economy, including on the competitive position of the United States in the international economy, does not exceed the benefit to U.S. foreign policy objectives. The Secretary has determined that the continued implementation of the encryption regulations will allow U.S. industry to maintain its leadership position in the global market for encryption and other IT products, while ensuring that essential protections for U.S. national security and foreign policy interests, as well as the public safety, are upheld.
Throughout FY 2004, the Department of Commerce processed a substantial number of pre-export encryption review requests for a variety of products with encryption features. Specifically, the Department processed review requests concerning commodities and software for desktop and laptop computers, wireless handheld devices, e-business applications, network security, and telecommunications platforms. Except for high-end networking products, source code items, and products for which the cryptography has been customized or tailored to customer specification, commercial encryption products may be exported and reexported to any destination outside Country Group E:1 after a one-time technical review has been conducted pursuant to either the License Exception ENC (15 C.F.R. § 740.17) or the “mass market” encryption provisions of the EAR (15 C.F.R. § 742.15(b)(2)). Reflecting the growing trade in encryption items, the Department processed approximately 20 percent more encryption review requests and license applications in FY 2004 than in FY 2003, which reflects growing trade in encryption items.
During the reporting period, the Department received over 1,520 technical review requests for 2,500 controlled encryption products, components, toolkits, and source code items. These encryption reviews comprised 31 percent of the Department’s total output of commodity classifications in FY 2004. Of the 2,079 encryption products reviewed during the fiscal year, we classified 84 percent (or 1,737 encryption reviews) as “retail” (1048) or “mass market” (689) encryption items, making them eligible for export and reexport without a license to government and non-government end-users in most countries.
Additionally, during FY 2004, the Department approved 462 license applications for “non-retail” encryption items (such as high-end routers and other network infrastructure equipment) and technology (excluding so-called “deemed exports” that are eligible under License Exception ENC to most foreign national employees). These 462 licenses for “non-retail encryption items,” valued at $16.3 million, were destined to non-sanctioned end-users outside Country Group E:1 for which licenses were required.
In FY 2004, the Department of Commerce rejected two applications for encryption commodities and software classified under ECCNs 5A002 and 5D002, valued at $465,700. The Department also returned without action (RWA) 68 applications for encryption items classified under ECCNs 5A002, 5D002 and 5E002, valued at $17.7 million. Many of the RWA applications did not require a license, as the transaction was authorized under License Exception ENC.
5. Effective Enforcement of Controls. The Secretary has determined the United States has the ability to effectively enforce these controls. Detection of some encryption transactions is difficult since encryption components are often incorporated into other products and encryption software can be transferred over the Internet. However, the importance and value ascribed to commercial encryption products does lead to traceable transfers and distributions. Over the course of implementing U.S. encryption export controls under the EAR, the Department of Commerce has determined that it is easier to enforce controls on proprietary encryption technology and commercial encryption commodities and software than it would be to restrict free distributions of “open source” encryption software under a license requirement.
The U.S. Government continually consults with U.S. industry regarding encryption policy. The objective of these consultations is to develop updated policy solutions to assist law enforcement, protect U.S. national security, ensure continued U.S. technological leadership, and promote the privacy and security of U.S. firms and citizens engaged in electronic commerce in an increasingly networked world. Such consultations have proven successful, as evidenced by the increasing number of encryption items submitted for technical review, constructive industry input on matters of regulations and policy, and continued industry commitment to assist law enforcement to better understand current and future encryption technologies.
In reviewing and examining U.S. encryption policy during FY 2004, the Department of Commerce worked closely with the BIS Technical Advisory Committees (TACs), such as the Regulations and Procedures Technical Advisory Committee (RPTAC) and the Information Systems Technical Advisory Committee (ISTAC), and industry groups such as the Alliance for Network Security (ANS) and the exporting community. In discussions leading to the development of simplified encryption regulations, which was published on December 9, 2004 (69 FR 71356), U.S. industry provided valuable input on business models and practices for making encryption classification decisions, creating “mass market” products, and seeking de minimis determinations.
In a September 28, 2004, Federal Register notice, the Department of Commerce solicited comments from industry on the effectiveness of U.S. foreign policy-based export controls. Comments were solicited from all six of the Department’s Technical Advisory Committees, which advise the Department, as well as from the President’s Export Council Subcommittee on Export Administration. Comments also were solicited from the public via the BIS Web page. The review period closed on November 19, and 12 comments were received. None of the comments related to encryption controls. A detailed review of all comments received can be found in Appendix I.
The U.S. Government has taken the lead in global efforts to prevent international criminals, terrorists, and designated state sponsors of terrorism from acquiring sophisticated encryption products, and urged other supplier nations to adopt export controls comparable to those of the United States. As a result, the major industrial partners of the U.S. Government maintain export controls on encryption equipment and technology. U.S. encryption policy reflects continual consultation with other nations, such as participating states of the Wassenaar Arrangement and members of the European Union. In this manner, the U.S. Government and the other participants in the Wassenaar Arrangement have established multilateral controls for dual-use encryption items.
In December 1998, Wassenaar Arrangement participating states agreed to move encryption items from the Sensitive List to the Basic List of dual-use goods and technologies. In addition, a Cryptography Note replaced the General Software Note (GSN) as the basis for evaluating “mass market” encryption items covered by the Wassenaar control list. In December 2000, Wassenaar countries agreed to remove the 64-bit key length restriction from the Cryptography Note. Accordingly, all “mass market” encryption products, regardless of key length, were decontrolled under the Wassenaar Arrangement and licensing requirements for other encryption items were eased. In December 2002 (and subsequently implemented by the United States in the June 17, 2003, encryption rule), certain limited types of “personalized smart cards” and “copy protection” items were removed from national security-based controls under the Wassenaar Arrangement control list. Most recently, in December 2003 (and implemented by the United States in an April 2004 amendment to the EAR) an outmoded set of controls on “certified or certifiable ‘multi-level security’ or ‘user isolation’ security features” were also removed from national security-based controls by the members of the Wassenaar Arrangement.
On December 9, 2004, the United States acknowledged the addition of new European Union members by making the following countries eligible for the encryption license-free zone: Cyprus, Estonia, Latvia, Lithuania, Malta, Slovakia, and Slovenia.17
The U.S. Government has undertaken a range of diplomatic efforts, both bilateral and multilateral, to encourage other nations to adopt appropriate restrictions on the export of encryption products. Through cooperation with law enforcement officials in friendly countries, the U.S. Government also has sought to keep encryption products out of the hands of terrorists and other criminals. These alternative efforts can only supplement, but not replace, the effectiveness of export controls.
The United States recognizes the ongoing adoption and widespread use of encryption overseas, and the continued development of foreign-made encryption hardware and software. The U.S. Government continues to monitor global IT marketplace and encryption policy developments so that updated U.S. regulations will enable American companies to maintain technological leadership in a manner that safeguards U.S. national security and public safety interests. The U.S. Government does consult with other governments to secure cooperation in controlling the unfettered availability of encryption items. However, the U.S. Government’s foreign policy concerns override the impact of foreign availability.