Contact: Morrie
Goodman
202-482-4883
Eugene Cottilli
(202) 482-2721
Commerce Announces Streamlined Encryption Export
Regulations
Washington, DC - The U.S. Department of Commerce Bureau of
Export Administration (BXA) today issued new encryption export regulations which
implement the new approach announced by the Clinton Administration in September.
Today's move permits U.S. companies to export any encryption product around
the world to commercial firms, individuals and other non-government end-users
under a license exception (i.e., without a license). In addition,
"retail" encryption products which are widely available in the market
can now be exported to any end-user including foreign governments. In most
cases, a one-time product review by BXA continues to be required. Post-reporting
requirements are reduced to track industry business models.
"This policy helps business and promotes e-commerce by adjusting our
regulations to marketplace realities that U.S. companies face when they try to
sell their products overseas. We've also worked very hard to address privacy
concerns and to ensure that our law enforcement and national security concerns
are met," said Commerce Secretary William M. Daley.
For source code, the regulation reduces controls further than announced in
September. Commercial encryption source code, encryption toolkits and components
can now be exported under license exception to businesses and non-government
end-users for internal use and customization and for the development of new
products. In addition, the regulations relax restrictions on publicly available
encryption source code, including by posting on the Internet.
The regulation further streamlines requirements for U.S. companies by
permitting exports of any encryption item to their foreign subsidiaries without
a prior review. Foreign employees of U.S. companies working in the United States
no longer need an export license to work on encryption.
In addition, the guidelines also implement agreements reached by the
Wassenaar Arrangement in December 1998 by decontrolling 64-bit mass market
products, 56-bit encryption items and 512-bit key management products. Today's
changes do not affect restrictions on terrorist supporting states (Cuba, Iran,
Iraq, Libya, North Korea, Sudan, and Syria), their nationals, and other
sanctioned entities.
In developing this regulation, the Administration worked closely with
stakeholders to continue a balanced approach. The government will review the
workability of the regulation, receiving public comments for 120 days. A final
revised rule will be issued shortly thereafter.
Attached is a comprehensive fact sheet that outlines the new export control
guidelines.
FACT SHEET
Administration Implements Updated Encryption Export Policy
Today, the Commerce Department published a regulation implementing the
Clinton Administration's update to encryption export policy announced in
September, 1999. The major components of this regulation are as follows:
Global exports to individuals, commercial firms or other non-government
end-users
Any encryption commodity or software, including components, of any key length
can now be exported under a license exception after a technical review to any
non-government end-user in any country except for the seven state supporters of
terrorism. Exports previously allowed only for a company's internal use can now
be used for any activity, including communication with other firms, supply
chains and customers. Previous liberalizations for banks, financial institutions
and other approved sectors are continued and subsumed under the license
exception. Exports to government end-users may be approved under a license.
Global exports of retail products
A new category of products called "Retail encryption commodities and
software" can now be exported to any end user (except in the seven state
supporters of terrorism). Retail encryption commodities and software are those
which are widely available and can be exported and reexported to anyone
(including any Internet and telecommunications service provider), and can be
used to provide any product or service (e.g., e-commerce, client-server
applications, or software subscriptions). BXA will determine which products
qualify as retail through a review of their functionality, sales volume,
distribution methods. Products that are functionally equivalent to products
classified as retail will also be considered retail. Finance-specific, 56-bit
non-mass market products with a key exchange greater than 512 bits and up to
1024 bits, network-based applications and other products which are functionally
equivalent to retail products are considered retail products.
Internet and Telecommunications Service Providers
Telecommunications and Internet service providers can obtain and use any
encryption product under this license exception to provide encryption services,
including public key infrastructure services for the general public. Provision
of services specific to governments (e.g., running a virtual private network for
a government agency) will, however, require a license
Global Exports of Unrestricted Encryption Source Code
Encryption source code which is available to the public and which is not
subject to an express agreement for the payment of a licensing fee or royalty
for commercial production or sale of any product developed with the source code
may be exported under a license exception without a technical review. The
exporter must submit to the Bureau of Export Administration a copy of the source
code, or a written notification of its Internet location, by the time of export.
Foreign products made with the unrestricted source code do not require review
and classification by the U.S. Government for reexport. This license exception
should apply to exports of most "open source" software.
Global Exports of Commercial Encryption Source Code and Toolkits
Encryption source code which is available to the public and which is subject
to an express agreement for the payment of a licensing fee or royalty for
commercial production or sale of any product developed using the source code
(such as "community source" code) may be exported under a license
exception to any end-user without a technical review. At the time of export, the
exporter must submit to the Bureau of Export Administration a copy of the source
code, or a written notification of its Internet address. All other source code
can be exported after a technical review to any non-government end-user. U.S.
exporters may have to provide general information on foreign products developed
for commercial sale using commercial source code, but foreign products developed
using U.S.-origin source code or toolkits do not require a technical review.
U.S. Subsidiaries
Any encryption item (including commodities, software and technology) of any
key length may be exported or reexported to foreign subsidiaries of U.S. firms
without a technical review. Foreign nationals working in the United States no
longer need an export license to work for U.S. firms on encryption. This extends
the policy adopted in last year's update, which allowed foreign nationals to
work for foreign subsidiaries of U.S. firms under a license exception. All items
produced with encryption commodities, software, and technology authorized under
this license exception will require a technical review.
Export Reporting
Post-export reporting is required for certain exports to a non-U.S. entity of
products above 64 bits. However, no reporting is required if the item is a
finance-specific product or is a retail product exported to individual
consumers. Additionally, no reporting is required if the product is exported via
free or anonymous download, or is exported from a U.S. bank, financial
institution or their subsidiaries, affiliates, customers or contractors for
banking or financial use. Reporting helps ensure compliance with our regulations
and allows us to reduce licensing requirements.
Implementation of the December 1998 Wassenaar Arrangement Revisions
Last year, the Wassenaar Arrangement (33 countries which have common controls
on exports, including encryption) made a number of changes to modernize
multilateral encryption controls. This regulation allows exports without a
license of 56 bit DES and equivalent products, including toolkits and chips, to
all users and destinations (except the seven state supporters of terrorism)
after a technical review. Encryption commodities and software with key lengths
of 64-bits or less which meet the mass market requirements of Wassenaar's new
cryptography note are also eligible for export without a license after a
technical review.
