
U.S. Department of Commerce · Bureau of Export Administration
Office of Strategic Trade & Foreign Policy Controls · Information Technology Controls Division

COMMERCIAL ENCRYPTION EXPORT CONTROLS


9/16/99

Update to Encryption Policy
September 1999

Questions and Answers

1. Why is the Administration revising its encryption export policy?

Last year the Vice President promised that we would continue to review our encryption policy and make the necessary updates to adjust it to national security needs and the global market for information technology. This Update fulfills the Vice President's promise and puts our encryption policy on a strong footing.

2. How broad is this update? How does it change existing export controls?

The Update represents a new framework for export controls that meet the needs of industry to be competitive in a global market place, while continuing to provide essential protections for national security. Any encryption commodity or software may be exported without a license after a technical review to commercial firms and other nongovernment end users in any country except for the seven state supporters of terrorism. Telecommunication and Internet service providers may use encryption commodities and software to provide services to commercial firms and nongovernment end users. Previous liberalizations for banks, financial institutions and other approved sectors are subsumed under this Update.

3. When will regulations be published to implement this update?

We plan to publish the implementing regulations by December 15, 1999.

4. With the Administration's announcement today, is the United States' encryption policy still consistent with the multilateral controls in the Wassenaar Arrangement?

Last December, Wassenaar made a number of changes to modernize multilateral encryption controls. Today's announcement will harmonize our encryption controls with those of our Wassenaar partners. Our encryption items will still be subject to a technical review and will include reasonable post-export reporting requirements.

5. How does this compare with what other exporting countries are doing with encryption?

We took careful account of our multilateral obligations and the licensing practices of our major trade partners in designing this Update. In particular, the Update helps make our regulations consistent with those being developed in the European Union, which permits the easy transfer of encryption items between EU member countries.

6. Will you consult with U.S. Industry?

We plan on consulting with Industry for input on business models and practices for reporting requirements, as well as suggestions and comments on the changes announced today. The Administration will continue its dialogue with U.S. industry on encryption policy.

7. Will exporters be able to "grandfather" encryption products that were previously reviewed in order to take advantage of the new export privileges?

Encryption items that were previously approved under a license exception or license will be, upon publication of the implementing regulations, eligible for export under most provisions of the license exception. We anticipate that another technical review will be necessary to release "retail" products of any key length to any end user under a license exception.

8. The Update does not mention industry sectors, such as banking, which were a major feature of last year's changes. Does this mean that the export policy for those sectors has been dropped?

Last year's release to industry sectors continues to be in effect, but the specific provisions for banks, on-line merchants and other sectors have been subsumed in the larger release.

9. What does the term "without a license" mean?

This term implies that after a technical review, encryption commodities or software may be exported without the need for U.S. industry to submit an actual license application. For example, for items decontrolled under Wassenaar, no license is required after a technical review. On the other hand, encryption items exported to commercial firms and other nongovernmental end users are not being decontrolled but will be eligible for export after a technical review under a license exception, i.e., an unwritten licensing mechanism.

10. Since the majority of exports will now be eligible under a license exception, how long will the technical review take?

The average time for BXA to complete a technical review is about a month. This average takes into account delays for exchanges of technical information, and discussions between the company and government. We are working to streamline this process and shorten the time, and expect to shorten the average time, but some products could still need extensive review.

11. Why is the Administration still requiring post-export reporting when the Wassenaar Arrangement does not?

Last year, at the Wassenaar Arrangement, nations agreed to remove reporting requirements to each other; however, some nations still require reporting. On the other hand, some countries may not require post-export reporting because they must apply for individual licenses. Reporting helps ensure compliance with our regulations and allows us to reduce licensing requirements. All exports of encryption products greater than 64 bits will now require some reporting on a semiannual basis, unless the export is to a U.S. subsidiary. We will take into account business models and practices followed by industry in designing these reporting requirements and will consult with industry on how best to implement this part of the Update.

12. What kind of restrictions will there be on the end use of encryption exports?

Exports previously allowed only for a company's internal use can now be used for communication with other firms, supply chains and customers restrictions on internal use. Companies will be able to communicate with their business partners, suppliers and customers to conduct their transactions.

13. Will Internet Service Providers and Telecommunication companies be able to purchase U.S.-made encryption products?

U.S. manufacturers will be able to export any U.S.-made mass market or retail encryption product to foreign Internet Service Providers and telecommunications companies outside of the seven State sponsors of terrorism without a license after a technical review. U.S. manufacturers will also be able to export any encryption product to Internet Service Providers and telecommunications companies without a license after a technical review for use by commercial firms or other nongovernmental entities.

14. What are "retail" encryption products?

These are products which do not require substantial support for installation and use, and which are sold in tangible form through independent retail outlets or products in tangible or intangible form, which have been specifically designed for individual consumer use. Retail encryption commodities and software of any key length may be exported without a license, after a technical review, to any end user located globally except the seven state supporters of terrorism. Our intent here is not to limit control of those encryption products that are sold in retail outlets. Telecommunication and Internet service providers may use retail encryption commodities and software to provide services to any recipient.

15. Are there restrictions on "retail" encryption products sold over the Internet?

Retail encryption products sold in electronic form, i.e., over the Internet, will be treated the same as the identical products sold at retail outlets.

16. Are there any re-export control restrictions on products above 64-bits?

License exceptions will allow exports as well as re-exports; however, there are some restrictions which will be identified in the new regulation, such as no resale, transfer or reexport to the seven state supporters of terrorism. Broad restrictions and prohibitions will also continue to apply.

17. How do the new reporting requirements affect previously issued licenses which did not require any reporting?

This update supersedes previous licensing policy. For example, if you were issued a license or an encryption licensing arrangement to foreign banks without the reporting requirement, the new implementing regulations will now require you to report on this class of end users for all shipments exported effective the date of the published regulation. The reporting requirements will be streamlined.

18. Can you provide a few examples where a license will still be required?

Licenses will still be required for exports of encryption technology, technical assistance, cryptographic application programming interfaces (CAPIs), source code and exports destined to foreign government and military end users.

19. Why are governments treated differently?

Under the new policy, exports to governments can be approved under a license. We wanted to retain this licensing requirement to ensure that foreign policy considerations are fully reflected in any export decision.

Technical Questions

1. Does this update have any special product restrictions on any type of end user, such as the previous on-line merchant restriction?

No. This update eliminates all product-end user restrictions that were previously adopted in last year's update (e.g., recoverable products or on-line merchants). Now, any general purpose encryption product such as routers, firewalls, and other middleware products can be exported to any nongovernment end user.

2. Will there be any restrictions on the export of certain algorithms?

No. There will be no restrictions on the export of any algorithm, key space or key exchange mechanism.

3. Once I receive approval to export chips, toolkits, or executable or linkable modules, under a license exception, will the foreign finished product need a separate review?

No. We do not intend to impose a requirement to subject the foreign finished product to a technical review; however, there will be minimal requirements associated with certain exports of these products.

4. Will "retail" encryption products still be subject to "EI" controls or are they being decontrolled?

Encryption commodities and software of any key length that are determined to be "retail" after a technical review will be controlled for "EI" reasons as these products continue to be controlled in the Wassenaar Arrangement.

5. What about foreign nationals working in the United States?

Foreign nationals working in the United States no longer need an export license to work on encryption for U.S. firms. This extends the policy adopted in last year's update, which allowed foreign nationals to work for foreign subsidiaries of U.S. firms under a license exception after a technical review.

6. Will Encryption Licensing Arrangements (ELAs) be eliminated?

This update minimizes the need for U.S. industry to obtain ELAs; however, we will continue to allow industry to submit such licenses for a case-by-case review of any specific transaction.

7. How does the update to encryption policy affect the export of cryptographic application programming interfaces (CAPIs)?

Cryptographic interfaces are divided into two classes: Open Cryptographic Interfaces (OCI) and Closed Cryptographic Interfaces (CCI). OCI's are considered crypto-with-a-hole because they permit a customer or other party to insert cryptography into an encryption item. OCI's will continue to be reviewed on a case-by-case basis through the licensing process.

CCI's contain a mechanism (such as a digital signing key) that prevents a customer or other party from inserting cryptography into an encryption item. After a technical review of the binding mechanism, these products will be eligible for export under a license exception. If destined to a commercial end user, the additional signing can take place under a license exception after a technical review. If destined to a foreign government or military entity, the additional signing requires a license.

We intend to discuss this issue with industry as we consult on the implementation of this regulation.

8. Is source code allowed to be exported under a license exception or does this policy only authorize the export of encryption object code?

Source code will continue to be reviewed under a case-by-case basis. This update will allow the global export of object code encryption software under a license exception.

 

