For years, the U.S government strictly regulated exports of cryptographic hardware, software, components, and technology. The U.S. insisted that widely available data-scrambling technologies could endanger national security, notwithstanding the fact that comparable encryption products were readily available from foreign producers under the weaker export control policies of most other industrialized countries. Then, in September 1999, the U.S. conceded that the rules were out of step with the global but security-conscious Internet economy; a new set of export regulations was unveiled in January 2000.
U.S. Moves Toward International Consensus. Now, in a significant policy shift, the U.S. official in charge of encryption export controls says that the U.S. will relax its encryption rules yet again if, as expected, the European Union further weakens its encryption export controls. Commerce Department Undersecretary William Reinsch told a recent high-tech conference that U.S. encryption export controls will be liberalized as necessary to maintain the competitiveness of U.S. companies in the burgeoning global market for computer and network security products and services. Export officials had previously maintained that U.S. policy would not be driven by decisions of foreign governments.
Revised Rules Are More Permissive, Still Complex. For the time being, however, U.S. exporters must observe the confusing patchwork of encryption export regulations as it was reformulated in January 2000. Under these rules, most new commercial encryption products may not be exported until they are reviewed by the Commerce Department and a panel of other federal agencies. In addition, many encryption exporters are required to file post-shipment sales reports with the Commerce Department. Although encryption items are more easily exported, the regulatory system is as confusing and as peppered with narrow exceptions as it was in the past. Highlights of the January 2000 encryption export rules are summarized below. The complete rules are posted on the Commerce Department's website, and should be consulted before attempting to export any encryption item.
Non-Government End-Users. After a one-time review, encryption products of any strength are exportable to non-governmental end-users worldwide, except for the "terrorist" and embargoed countries (currently, Cuba, Iran, Iraq, Libya, North Korea, Serbia, Sudan, Syria, and Taliban-controlled areas of Afghanistan). It is generally no longer necessary to follow separate export procedures based on encryption key length, a product's "recoverability," or the type of end-user or end-use. Products which have been reviewed in the past may be exported to non-governmental foreign end-users without a new technical review, unless the prior authorization allowed exports only to subsidiaries of U.S. companies.
"Retail" Encryption Items. If the Government determines that an encryption product is a "retail" product, then it may be exported to any end-user, including foreign government end-users, except in the prohibited countries. "Retail" products are those which (1) are designed for individual consumer use; or sold through independent retailers; or sold to the public in large volume via telephone, mail order, or electronic transactions; and (2) do not require substantial technical support for installation and use; and (3) do not allow users to easily change the encryption functionality; and (4) are not customized to a customer's specifications; and (5) are not "high-volume" network infrastructure products. "Retail" certification requires a special ruling from the Commerce Department, except that previously-reviewed 56-bit products and qualifying "finance-specific" products may be considered to be "retail" encryption products without additional review.
Key Length Upgrades. Any "mass market" encryption product previously reviewed and authorized for export may be upgraded to 64-bit encryption without a new technical review, provided the exporter certifies to the Government that the encryption is unchanged except for the increased key length.
Internet Exports. Encryption software may still be "exported" when it is downloaded from the Internet. Accordingly, encryption-enabled software should not be posted on the Internet without ensuring that any required reviews and approvals have been obtained. For non-"retail" encryption software which cannot be exported to foreign governments without an export license, the regulations require online screening procedures to ensure that the requestor is not located in a prohibited country and that the intended user is not a foreign government organization.
"Deemed Exports." U.S. export controls generally apply to disclosures of controlled technologies or software to foreign persons in the U.S. (such as H-1B visa holders). Such disclosures are called "deemed exports." Special deemed export rules apply to encryption items.
- Encryption object code and source code is not considered to be "exported" when it is disclosed to a foreign person (other than a representative of a foreign government) in the U.S.
- Encryption-related technology, technical data, and know-how (as distinguished from object code or source code) may be disclosed to foreign individuals from non-prohibited countries who are working in the U.S. for U.S. companies. However, an export license is still needed prior to disclosing encryption technology to foreign employees of foreign companies who are working in the U.S.
Conclusion. The rules governing encryption exports remain in a state of transition, and exporters are expected to comply with the very latest Commerce Department instructions. Accordingly, it is important to plan ahead before exporting any encryption-enabled hardware, software, components, or technology in order to leave time for the one-time technical review which remains a prerequisite for most encryption exports. If the past is any guide, future "liberalization" of U.S. encryption export policy does not necessarily mean "simplification."
© 2000 Hale and Dorr LLP. All rights reserved.
This information is provided with the understanding that it does not constitute the rendering of legal, tax or other professional advice or services by Hale and Dorr LLP or its attorneys.