News

USIS Washington File

13 January 2000

Fact Sheet: U.S. Implements Updated Encryption Export Policy

(Policies expand global exports of key software) (970)

Following is a fact sheet from the U.S. Commerce Department's Bureau
of Export Administration (BXA) on new encryption export regulations.
The regulations were announced January 12 by BXA.

(begin fact sheet)

[U.S. Department of Commerce
Washington, D.C.
January 12, 2000]

FACT SHEET

Administration Implements Updated Encryption Export Policy

Today, the Commerce Department published a regulation implementing the
Clinton Administration's update to encryption export policy announced
in September, 1999. The major components of this regulation are as
follows:

Global exports to individuals, commercial firms or other
non-government end-users

Any encryption commodity or software, including components, of any key
length can now be exported under a license exception after a technical
review to any non-government end-user in any country except for the
seven state supporters of terrorism. Exports previously allowed only
for a company's internal use can now be used for any activity,
including communication with other firms, supply chains and customers.
Previous liberalizations for banks, financial institutions and other
approved sectors are continued and subsumed under the license
exception. Exports to government end-users may be approved under a
license.

Global exports of retail products

A new category of products called "Retail encryption commodities and
software" can now be exported to any end user (except in the seven
state supporters of terrorism). Retail encryption commodities and
software are those which are widely available and can be exported and
re-exported to anyone (including any Internet and telecommunications
service provider), and can be used to provide any product or service
(e.g., e-commerce, client-server applications, or software
subscriptions). BXA will determine which products qualify as retail
through a review of their functionality, sales volume, distribution
methods. Products that are functionally equivalent to products
classified as retail will also be considered retail. Finance-specific,
56-bit non-mass market products with a key exchange greater than 512
bits and up to 1024 bits, network-based applications and other
products which are functionally equivalent to retail products are
considered retail products.

Internet and Telecommunications Service Providers

Telecommunications and Internet service providers can obtain and use
any encryption product under this license exception to provide
encryption services, including public key infrastructure services for
the general public. Provision of services specific to governments
(e.g., running a virtual private network for a government agency)
will, however, require a license.

Global Exports of Unrestricted Encryption Source Code

Encryption source code which is available to the public and which is
not subject to an express agreement for the payment of a licensing fee
or royalty for commercial production or sale of any product developed
with the source code may be exported under a license exception without
a technical review. The exporter must submit to the Bureau of Export
Administration a copy of the source code, or a written notification of
its Internet location, by the time of export. Foreign products made
with the unrestricted source code do not require review and
classification by the U.S. Government for re-export. This license
exception should apply to exports of most "open source" software.

Global Exports of Commercial Encryption Source Code and Toolkits

Encryption source code which is available to the public and which is
subject to an express agreement for the payment of a licensing fee or
royalty for commercial production or sale of any product developed
using the source code (such as "community source" code) may be
exported under a license exception to any end-user without a technical
review. At the time of export, the exporter must submit to the Bureau
of Export Administration a copy of the source code, or a written
notification of its Internet address. All other source code can be
exported after a technical review to any non-government end-user. U.S.
exporters may have to provide general information on foreign products
developed for commercial sale using commercial source code, but
foreign products developed using U.S.-origin source code or toolkits
do not require a technical review.

U.S. Subsidiaries

Any encryption item (including commodities, software and technology)
of any key length may be exported or re-exported to foreign
subsidiaries of U.S. firms without a technical review. Foreign
nationals working in the United States no longer need an export
license to work for U.S. firms on encryption. This extends the policy
adopted in last year's update, which allowed foreign nationals to work
for foreign subsidiaries of U.S. firms under a license exception. All
items produced with encryption commodities, software, and technology
authorized under this license exception will require a technical
review.

Export Reporting

Post-export reporting is required for certain exports to a non-U.S.
entity of products above 64 bits. However, no reporting is required if
the item is a finance-specific product or is a retail product exported
to individual consumers. Additionally, no reporting is required if the
product is exported via free or anonymous download, or is exported
from a U.S. bank, financial institution or their subsidiaries,
affiliates, customers or contractors for banking or financial use.
Reporting helps ensure compliance with our regulations and allows us
to reduce licensing requirements.

Implementation of the December 1998 Wassenaar Arrangement Revisions

Last year, the Wassenaar Arrangement (33 countries which have common
controls on exports, including encryption) made a number of changes to
modernize multilateral encryption controls. This regulation allows
exports without a license of 56 bit DES and equivalent products,
including toolkits and chips, to all users and destinations (except
the seven state supporters of terrorism) after a technical review.
Encryption commodities and software with key lengths of 64-bits or
less which meet the mass market requirements of Wassenaar's new
cryptography note are also eligible for export without a license after
a technical review.

(end fact sheet)

(Distributed by the Office of International Information Programs, U.S.
Department of State.)