13 January 2000
(Policies expand global exports of key software) (970) Following is a fact sheet from the U.S. Commerce Department's Bureau of Export Administration (BXA) on new encryption export regulations. The regulations were announced January 12 by BXA. (begin fact sheet) [U.S. Department of Commerce Washington, D.C. January 12, 2000] FACT SHEET Administration Implements Updated Encryption Export Policy Today, the Commerce Department published a regulation implementing the Clinton Administration's update to encryption export policy announced in September, 1999. The major components of this regulation are as follows: Global exports to individuals, commercial firms or other non-government end-users Any encryption commodity or software, including components, of any key length can now be exported under a license exception after a technical review to any non-government end-user in any country except for the seven state supporters of terrorism. Exports previously allowed only for a company's internal use can now be used for any activity, including communication with other firms, supply chains and customers. Previous liberalizations for banks, financial institutions and other approved sectors are continued and subsumed under the license exception. Exports to government end-users may be approved under a license. Global exports of retail products A new category of products called "Retail encryption commodities and software" can now be exported to any end user (except in the seven state supporters of terrorism). Retail encryption commodities and software are those which are widely available and can be exported and re-exported to anyone (including any Internet and telecommunications service provider), and can be used to provide any product or service (e.g., e-commerce, client-server applications, or software subscriptions). BXA will determine which products qualify as retail through a review of their functionality, sales volume, distribution methods. Products that are functionally equivalent to products classified as retail will also be considered retail. Finance-specific, 56-bit non-mass market products with a key exchange greater than 512 bits and up to 1024 bits, network-based applications and other products which are functionally equivalent to retail products are considered retail products. Internet and Telecommunications Service Providers Telecommunications and Internet service providers can obtain and use any encryption product under this license exception to provide encryption services, including public key infrastructure services for the general public. Provision of services specific to governments (e.g., running a virtual private network for a government agency) will, however, require a license. Global Exports of Unrestricted Encryption Source Code Encryption source code which is available to the public and which is not subject to an express agreement for the payment of a licensing fee or royalty for commercial production or sale of any product developed with the source code may be exported under a license exception without a technical review. The exporter must submit to the Bureau of Export Administration a copy of the source code, or a written notification of its Internet location, by the time of export. Foreign products made with the unrestricted source code do not require review and classification by the U.S. Government for re-export. This license exception should apply to exports of most "open source" software. Global Exports of Commercial Encryption Source Code and Toolkits Encryption source code which is available to the public and which is subject to an express agreement for the payment of a licensing fee or royalty for commercial production or sale of any product developed using the source code (such as "community source" code) may be exported under a license exception to any end-user without a technical review. At the time of export, the exporter must submit to the Bureau of Export Administration a copy of the source code, or a written notification of its Internet address. All other source code can be exported after a technical review to any non-government end-user. U.S. exporters may have to provide general information on foreign products developed for commercial sale using commercial source code, but foreign products developed using U.S.-origin source code or toolkits do not require a technical review. U.S. Subsidiaries Any encryption item (including commodities, software and technology) of any key length may be exported or re-exported to foreign subsidiaries of U.S. firms without a technical review. Foreign nationals working in the United States no longer need an export license to work for U.S. firms on encryption. This extends the policy adopted in last year's update, which allowed foreign nationals to work for foreign subsidiaries of U.S. firms under a license exception. All items produced with encryption commodities, software, and technology authorized under this license exception will require a technical review. Export Reporting Post-export reporting is required for certain exports to a non-U.S. entity of products above 64 bits. However, no reporting is required if the item is a finance-specific product or is a retail product exported to individual consumers. Additionally, no reporting is required if the product is exported via free or anonymous download, or is exported from a U.S. bank, financial institution or their subsidiaries, affiliates, customers or contractors for banking or financial use. Reporting helps ensure compliance with our regulations and allows us to reduce licensing requirements. Implementation of the December 1998 Wassenaar Arrangement Revisions Last year, the Wassenaar Arrangement (33 countries which have common controls on exports, including encryption) made a number of changes to modernize multilateral encryption controls. This regulation allows exports without a license of 56 bit DES and equivalent products, including toolkits and chips, to all users and destinations (except the seven state supporters of terrorism) after a technical review. Encryption commodities and software with key lengths of 64-bits or less which meet the mass market requirements of Wassenaar's new cryptography note are also eligible for export without a license after a technical review. (end fact sheet) (Distributed by the Office of International Information Programs, U.S. Department of State.)