[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FYI] (Fwd) BXA Press Release on New Regs




------- Forwarded message follows -------
To:             	cypherpunks@toad.com, cryptography@c2.net
Subject:        	BXA Press Release on New Regs
Date sent:      	Wed, 12 Jan 2000 15:31:52 -0800
From:           	John Gilmore <gnu@toad.com>

(This doesn't appear to be on www.bxa.doc.gov anywhere yet.  BXA's PR
people say their web team is off at a retreat somewhere...  --gnu)

Forwarded-by: David Sobel <sobel@epic.org>

FOR IMMEDIATE RELEASE
Wednesday, January 12, 2000

Contact:
Morrie Goodman 202-482-4883
Eugene Cottilli (202) 482-2721


Commerce Announces Streamlined Encryption Export Regulations

Washington, DC - The U.S. Department of Commerce Bureau of
Export Administration (BXA) today issued new encryption export
regulations which implement the new approach announced by the
Clinton Administration in September.

Today's move permits U.S. companies to export any encryption
product around the world to commercial firms, individuals and
other non-government end-users under a license exception (i.e.,
without a license). In addition, "retail" encryption products
which are widely available in the market can now be exported to
any end-user including foreign governments. In most cases, a
one-time product review by BXA continues to be required.
Post-reporting requirements are reduced to track industry
business models.

"This policy helps business and promotes e-commerce by adjusting
our regulations to marketplace realities that U.S. companies
face when they try to sell their products overseas. We've also
worked very hard to address privacy concerns and to ensure that
our law enforcement and national security concerns are met,"
said Commerce Secretary William M. Daley.

For source code, the regulation reduces controls further than
announced in September. Commercial encryption source code,
encryption toolkits and components can now be exported under
license exception to businesses and non-government end-users for
internal use and customization and for the development of new
products. In addition, the regulations relax restrictions on
publicly available encryption source code, including by posting
on the Internet.

The regulation further streamlines requirements for U.S.
companies by permitting exports of any encryption item to their
foreign subsidiaries without a prior review. Foreign employees
of U.S. companies working in the United States no longer need an
export license to work on encryption.

In addition, the guidelines also implement agreements reached by
the Wassenaar Arrangement in December 1998 by decontrolling
64-bit mass market products, 56-bit encryption items and 512-bit
key management products. Today's changes do not affect
restrictions on terrorist supporting states (Cuba, Iran, Iraq,
Libya, North Korea, Sudan, and Syria), their nationals, and
other sanctioned entities.

In developing this regulation, the Administration worked closely
with stakeholders to continue a balanced approach. The
government will review the workability of the regulation,
receiving public comments for 120 days. A final revised rule
will be issued shortly thereafter.

Attached is a comprehensive fact sheet that outlines the new
export control guidelines.



FACT SHEET

Administration Implements Updated Encryption Export Policy

Today, the Commerce Department published a regulation
implementing the Clinton Administration's update to encryption
export policy announced in September, 1999. The major components
of this regulation are as follows:

Global exports to individuals, commercial firms or other
non-government end-users

Any encryption commodity or software, including components, of
any key length can now be exported under a license exception
after a technical review to any non-government end-user in any
country except for the seven state supporters of terrorism.
Exports previously allowed only for a company's internal use can
now be used for any activity, including communication with other
firms, supply chains and customers. Previous liberalizations for
banks, financial institutions and other approved sectors are
continued and subsumed under the license exception. Exports to
government end-users may be approved under a license.

Global exports of retail products

A new category of products called "Retail encryption commodities
and software" can now be exported to any end user (except in the
seven state supporters of terrorism). Retail encryption
commodities and software are those which are widely available
and can be exported and reexported to anyone (including any
Internet and telecommunications service provider), and can be
used to provide any product or service (e.g., e-commerce,
client-server applications, or software subscriptions). BXA will
determine which products qualify as retail through a review of
their functionality, sales volume, distribution methods.
Products that are functionally equivalent to products classified
as retail will also be considered retail. Finance-specific,
56-bit non-mass market products with a key exchange greater than
512 bits and up to 1024 bits, network-based applications and
other products which are functionally equivalent to retail
products are considered retail products.

Internet and Telecommunications Service Providers

Telecommunications and Internet service providers can obtain and
use any encryption product under this license exception to
provide encryption services, including public key infrastructure
services for the general public. Provision of services specific
to governments (e.g., running a virtual private network for a
government agency) will, however, require a license

Global Exports of Unrestricted Encryption Source Code

Encryption source code which is available to the public and
which is not subject to an express agreement for the payment of
a licensing fee or royalty for commercial production or sale of
any product developed with the source code may be exported under
a license exception without a technical review. The exporter
must submit to the Bureau of Export Administration a copy of the
source code, or a written notification of its Internet location,
by the time of export. Foreign products made with the
unrestricted source code do not require review and
classification by the U.S. Government for reexport. This license
exception should apply to exports of most "open source"
software.

Global Exports of Commercial Encryption Source Code and Toolkits

Encryption source code which is available to the public and
which is subject to an express agreement for the payment of a
licensing fee or royalty for commercial production or sale of
any product developed using the source code (such as "community
source" code) may be exported under a license exception to any
end-user without a technical review. At the time of export, the
exporter must submit to the Bureau of Export Administration a
copy of the source code, or a written notification of its
Internet address. All other source code can be exported after a
technical review to any non-government end-user. U.S. exporters
may have to provide general information on foreign products
developed for commercial sale using commercial source code, but
foreign products developed using U.S.-origin source code or
toolkits do not require a technical review.

U.S. Subsidiaries

Any encryption item (including commodities, software and
technology) of any key length may be exported or reexported to
foreign subsidiaries of U.S. firms without a technical review.
Foreign nationals working in the United States no longer need an
export license to work for U.S. firms on encryption. This
extends the policy adopted in last year's update, which allowed
foreign nationals to work for foreign subsidiaries of U.S. firms
under a license exception. All items produced with encryption
commodities, software, and technology authorized under this
license exception will require a technical review.

Export Reporting

Post-export reporting is required for certain exports to a
non-U.S. entity of products above 64 bits. However, no reporting
is required if the item is a finance-specific product or is a
retail product exported to individual consumers. Additionally,
no reporting is required if the product is exported via free or
anonymous download, or is exported from a U.S. bank, financial
institution or their subsidiaries, affiliates, customers or
contractors for banking or financial use. Reporting helps ensure
compliance with our regulations and allows us to reduce
licensing requirements.

Implementation of the December 1998 Wassenaar Arrangement
Revisions

Last year, the Wassenaar Arrangement (33 countries which have
common controls on exports, including encryption) made a number
of changes to modernize multilateral encryption controls. This
regulation allows exports without a license of 56 bit DES and
equivalent products, including toolkits and chips, to all users
and destinations (except the seven state supporters of
terrorism) after a technical review. Encryption commodities and
software with key lengths of 64-bits or less which meet the mass
market requirements of Wassenaar's new cryptography note are
also eligible for export without a license after a technical
review.

------- End of forwarded message -------