Encryption Exports Proposed to Be Deregulated in Policy Shift

The Clinton Administration has announced sweeping changes to U.S. encryption export policies. When implemented, the new policies will allow U.S. companies to widely export encryption commodities and software regardless of the strength of the encryption features and without requiring the manufacturers to provide "key recovery" mechanisms.

For decades, the U.S. has imposed severe restrictions on encryption exports, citing concerns about national security, terrorism, and organized crime. These policies have prohibited exports of "strong" encryption, which is the most difficult to decipher, while allowing exports of less secure products for certain favored end-users or end-uses.

The new policies are described in a White House Fact Sheet and in questions and answers issued by the Commerce Department.

Under the new encryption export policies, any encryption product may become exportable without an export license after a one-time technical review by a panel of Government agencies led by the Commerce Department's Bureau of Export Administration. For the first time, the new policies will eliminate restrictions on the length of the encryption keys and on the types of information which may be encrypted. This expanded "License Exception" will authorize exports to non-governmental end-users worldwide, except for Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria. A separate rule still requires export licenses for all U.S. items destined for Serbia. Export licenses may still be required for foreign governmental end-users of non-"retail" encryption items.

While pre-shipment export licensing will be reduced, post-shipment reporting will be enhanced. Exporters will be required to notify the Government of all exports of encryption items with key lengths of 64 bits or more. In contrast, the current rules require such reporting only for specified classes of end-users.

The revised rules will clarify that foreign employees of U.S. companies may work on encryption products without an export license, whether the foreign person is located in the U.S. or abroad. This will be an exception to the "deemed export" rule, which generally applies export laws to foreign persons in the U.S.

The policy announcement did not discuss "exports" of encryption know-how via the Internet, disclosures of source code, and the ban on encryption-related "technical assistance" by U.S. persons. It is not yet clear whether these areas will be affected by the new rules. In particular, the announcement did not address the free-speech concerns at issue in the continuing case of Daniel Bernstein, the university professor who recently won a federal court ruling declaring that encryption source code is "speech" that cannot be subjected to pre-export review by the Government. The Bernstein case was summarized in the August 26, 1999 Hale and Dorr Internet E-Mail Alert.

It is important to note that the new policies have not yet been implemented, and the current restrictions will remain in place until the new policies take effect. The Clinton Administration plans to implement the new policies by December 15, 1999, but that target is subject to change.

Barry J. Hurewitz
