IP: New Encryption Regulations

[Dave Farber <farber () cis upenn edu>]

> Date: Wed, 12 Jan 2000 19:09:14 -0500
> To: farber () cis upenn edu
> From: Alan Davidson <abd () cdt org>
> Subject: New Encryption Regulations
>
>
> The U.S. government is expected to shortly release new encryption export 
> rules representing a major change in U.S. policy. "Retail" encryption 
> products -- like browsers, email programs, or PGP -- will be widely 
> exportable to all but a few countries *regardless of key length or 
> algorithm.*  However, the complex new regulations will still make it 
> difficult for many people to freely exchange encryption products and do 
> not solve the Constitutional free speech concerns raised by encryption 
> export controls.
>
> A final draft of the regulations to be published in the Federal Register 
> is available at:
>         http://www.cdt.org/crypto/admin/000110cryptoregs.shtml
>
> Major features of the new regs include:
>
> * "Retail" encryption products will be exportable regardless of key length 
> or algorithm to all but the designated "T-7" terrorist nations. Still 
> requires a retail classification, one-time technical review, and periodic 
> reporting of who products are shipped to (but not necessarily reporting of 
> end users.)
>
> * Export of encryption products up to 64-bits in key length is completely 
> liberalized.
>
> * Non-retail products will require a license for many exports, such as to 
> foreign governments or foreign ISPs and telcos under certain circumstances.
>
> * Source code that is "not subject to an express agreement for the payment 
> of a licensing fee or royalty for commercial production or sale of any 
> product developed with the source code" is freely exportable to all but 
> the T-7 terrorist countries. Source code exporters are required to send 
> the Department of Commerce a copy of the code, or a URL, upon publication. 
> Note that posting code on a web site for anonymous download is allowed -- 
> you are not required to check that downloaders might be from one of the 
> prohibited countries.
>
>
> Basically, we are told that common products like browsers, PGP, email 
> programs, chips or personal computers will be exportable with the 
> strongest encryption almost anywhere in the world. The companies we have 
> spoken with believe they should be able to meet regulatory requirements 
> and ship a lot of strong crypto very soon. If this happens, it will be a 
> big step in the right direction for privacy online.
>
> The bad news is that the regulations remain a full employment act for 
> export control lawyers. The regulations are complicated, and a fundamental 
> flaw in US policy --  that people need to get the government's permission 
> before exchanging an essential security tool or publishing an idea -- has 
> not been solved.
>
>         -- Alan
>
> Alan Davidson, Staff Counsel                 202.637.9800 (v)
> Center for Democracy and Technology          202.637.0968 (f)
> 1634 Eye St. NW, Suite 1100                  <abd () cdt org>
> Washington, DC 20006                         http://www.cdt.org
>
>         Join Operation Opt-Out http://opt-out.cdt.org/
>  A single place to remove your name from marketing databases.