Image files of this document (GIF) are available
UNITED STATES DEPARTMENT OF COMMERCE
The Under Secretary for Export Administration
Washington, DC 20230November 25, 1996
MEMORANDUM FOR DEPUTIES SUBGROUP ON CRYPTOGRAPHY
FROM: William A. Reinsch
SUBJECT: Non-Key Recovery Exports After Two Years
The issue before us is whether the U.S. will use new restrictions and penalties to try to force adoption of key recovery, or whether it will use incentives to reinforce market forces that are moving toward an international key management infrastructure. The October 1 Statement said we would liberalize export controls for commercial encryption products. In fact, if we announce an end to current practices after two years, the immediate effect of the new initiative will be to make export controls on encryption more restrictive, not more liberal. This will not win the support we need to build key management and will do significant damage to the U.S. economy.
The Vice President's initiative does not envision new restrictions on exports. Instead, it creates new incentives to move towards recoverable products and a temporary liberalization to help the transition to key recovery. At the end of two years, this temporary liberalization would cease. However, exports which could be approved before the liberalization would continue licensing policies will cede markets to foreign producers and damage support for our initiative. The economic cost to the U.S. of ending current export practice will be several billion dollars. The market effect of a decision to impose new restrictions after two years will be felt immediately, not just in 1999, as foreign consumers will turn away from U.S. products now if they believe we will not sell them later on (particularly when the upgrade would not improve cryptographic capabilities) or believe that U.S. producers will not be able to expand their existing customer base and create the kinds of linkages the GII will require. To avoid this, we need to answer two questions:
1) whether we should allow the current practice of licensing encryption hardware to safe end-users (e.g. foreign police departments and security services) to continue;
2) whether we should continue to permit improvements (upgrades) to already-exported systems which do not increase the strength of the encryption; and
These questions do not apply to those products which we may license under the two year interim liberalization with a company commitment. They apply to items which are exportable now.
The Deputies agree that we should continue to allow servicing of already-exported products.
Safe End Users
State currently issues approximately 2500 individual licenses and 500 bulk or distribution licenses per year for non-key recovery encryption products of more than 40 bits. These bulk or distrubution licenses allow the export of products which contain NSA-approved encryption to safe end users. Most of these exports are communications equipment to police departments, fire services, banks, other government agencies and subsidiaries of U.S. corporations totaling several hundreds of millions of dollars annually. NSA limits approvals to certain products and categories of safe end users, and requires annual reports from the exporter listing sales that have occurred. Other licenses allow for offshore manufacturing using US-made encryption products for incorporation into communications equipment -- for example
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXX. XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXThe critical element for these companies is their ability to expand and capture market share. State has approved sales to "safe" customers, such as police forces. If companies cannot build on their existing customer base by selling identical products to neighboring police forces or other approved customers, they will not be able to maintain themselves as viable suppliers in the marketplace. Buyers will work around them and develop relationships with other producers' products, and foreign governments will develop separate standards to achieve competitive advantage. If U.S. firms can no longer export cellular phones (because of their encryption capabilities), the alternative for foreign purchasers would be to buy European standard GSM phones. The U.S. cellular phone industry had sales of over $19 billion last year and is expected to grow rapidly in new foreign markets like Brazil and Argentina. The market for such products is expected to grow twenty-five percent over the next several years (the market grew thirty percent last year) unless we impose new restrictions. Adoption of non-U.S. standards (and we know that at least some EU countries are contemplating using standards to restrict their markets) could effectively freeze U.S. products out of the export market.
Continuation of current licensing is consistent with the new encryption policy. Since the exports we now allow are to police, security forces, banks, and subsidiaries of U.S. corporations in friendly countries, law enforcement concerns can be addressed through other means other than export restrictions to ensure access. NSA approves these sales because of the friendly nature of the end user and because of exporters' cooperation in the initial review of the product. Since we will continue to review products before export, restrict sales to safe end users and require regular reports, there is no risk to law enforcement, national security risk or our encryption policy. These particular end users are a specialized market where key recovery solutions may not be appropriate. Police forces are reluctant to use "escrowed" encryption products (such as radios in patrol cars). They are more costly and less efficient than non-escrowed products. There can be long gaps in reception due to the escrow features - sometimes as long as a ten second pause. Our own police do not use recoverable encryption products; they buy the same non-escrowable products used by their counterparts in Europe and Japan. Other government agencies may also reject key recovery -- for example, some U.S. exports were to support Allied government agencies with signals intelligence missions similar to NSA's.
Continuing current practice is not an open ended approach. The market is moving towards key recovery products and most 56 bit products, particularly software, will be phased out by market forces without new export restrictions. Market forces are more reliable and more politically stable than new restrictions. The real question is how can we best help the market transition from non recoverable products to recoverable products in a way that preserves U.S. global leadership in information technology and in building the global information infrastructure. The best outcome for advancing our KMI initiative would be to decide to continue current practice to license, after appropriate review, these non-key recovery products to safe end users.
Non-encryption Upgrades
This concerns upgrades that do not enhance a product's encryption capabilities. For example, if a company sells a software product which includes an encryption feature and other features, such as spread sheets or word processing programs (for example, WordPerfect 5.1), Commerce would permit the export of products that upgrade the other features (i.e. WordPerfect 6.0) but which do not enhance the encryption capabilities. The same is true for accessories such as hard drives or print facilities. Justice's argument is that this would sustain a system's viability and make the end user less likely to abandon it for a key recovery product.
There are two problems with this argument. Placing a cap on a company's ability to sell upgrades tells foreign customers that the product is not viable. In the example provided, why would anyone buy WordPerfect today if they knew they would not be able to obtain the next version of it? The commercial consequences of this decision, particularly for software sales, are enormous.
Second, we do not currently control products like WordPerfect if they do not contain encryption features. Once a product containing encryption capabilities has been exported -- which our policy permits, the only way to control exports of upgraded versions of that product that did not contain encryption or change the encryption capabilities of the older product would be to impose far-reaching new controls on most mass-marketed software from producers like Microsoft and others. Such an expansion of controls would cause serious economic dislocation, legal challenges, and a political firestorm.
Servicing
There is a general agreement to allow the servicing of all previously exported systems without limitation. A decision otherwise (i.e. after two years companies could no longer service or fix what they had sold) would make U.S. products extremely unattracctive to foreign buyers.
Conclusion
New restrictions on licensing and upgrades will be broadly unpopular
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXA decision to end current practice will have an immediate market effect (not two years from now). Consumers will stop buying U.S. products now because they see our producers will be limited in their capacity to upgrade and expand their markets. Foreign manufacturers like
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXcompete with U.S. firms for non-key recovery product sales and are ready to replace us in the market. The effect will be not only to damage U.S. firms but to subsidize (by ceding market share and revenue) the foreign production of non-key recovery products, thus undercutting our efforts to win international support for key recovery.
There is also a real risk that multinational corporations will move production of these non-key recovery products offshore to avoid new U.S. restrictions.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXThe effect of this is difficult to quantify, but a decision to end current practice would help erode U.S. leadership in the information technologies industry. There is also the real risk that by encouraging the development of non-key recovery manufacturing outside of the U.S., we would see more non-key products available domestically as the new foreign producers do not face any restrictions on imports into the U.S.
Our goal is the development of a global information infrastructure that relies on key management to provide strong encryption while protecting public safety and national security. The foundation of the President's decision was to use market forces to achieve this objective, recognizing that we could not compel it. We want to create incentives to reinforce the move to key recovery, not build new restrictions that will impose real damage on U.S. economic leadership and actually delay the creation of key recovery systems globally. Permitting upgrades and expansions of existing customer bases in cases of licenses already issued will provide for a market-based transition to key recovery without sacrificing U.S. producers' global market leadership. That leadership is essential both for broader macroeconomic and national security reasons and also for achieving the key recovery objectives that are the core of our policy.
Return to the EPIC Crypto Policy Page