Information Security News mailing list archives

BXA Press Release on New Regs


From: mea culpa <jericho () DIMENSIONAL COM>
Date: Thu, 13 Jan 2000 10:14:24 -0700

Forwarded From: John Gilmore <gnu () toad com>
Forwarded-by: David Sobel <sobel () epic org>

FOR IMMEDIATE RELEASE
Wednesday, January 12, 2000

Contact:
Morrie Goodman 202-482-4883
Eugene Cottilli (202) 482-2721


Commerce Announces Streamlined Encryption Export Regulations

Washington, DC - The U.S. Department of Commerce Bureau of Export
Administration (BXA) today issued new encryption export regulations which
implement the new approach announced by the Clinton Administration in
September.

Today's move permits U.S. companies to export any encryption product
around the world to commercial firms, individuals and other non-government
end-users under a license exception (i.e., without a license). In
addition, "retail" encryption products which are widely available in the
market can now be exported to any end-user including foreign governments.
In most cases, a one-time product review by BXA continues to be required.
Post-reporting requirements are reduced to track industry business models.

"This policy helps business and promotes e-commerce by adjusting our
regulations to marketplace realities that U.S. companies face when they
try to sell their products overseas. We've also worked very hard to
address privacy concerns and to ensure that our law enforcement and
national security concerns are met," said Commerce Secretary William M.
Daley.

For source code, the regulation reduces controls further than announced in
September. Commercial encryption source code, encryption toolkits and
components can now be exported under license exception to businesses and
non-government end-users for internal use and customization and for the
development of new products. In addition, the regulations relax
restrictions on publicly available encryption source code, including by
posting on the Internet.

The regulation further streamlines requirements for U.S. companies by
permitting exports of any encryption item to their foreign subsidiaries
without a prior review. Foreign employees of U.S. companies working in the
United States no longer need an export license to work on encryption.

In addition, the guidelines also implement agreements reached by the
Wassenaar Arrangement in December 1998 by decontrolling 64-bit mass market
products, 56-bit encryption items and 512-bit key management products.
Today's changes do not affect restrictions on terrorist supporting states
(Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria), their nationals,
and other sanctioned entities.

In developing this regulation, the Administration worked closely with
stakeholders to continue a balanced approach. The government will review
the workability of the regulation, receiving public comments for 120 days.
A final revised rule will be issued shortly thereafter.

Attached is a comprehensive fact sheet that outlines the new export
control guidelines.



FACT SHEET

Administration Implements Updated Encryption Export Policy

Today, the Commerce Department published a regulation implementing the
Clinton Administration's update to encryption export policy announced in
September, 1999. The major components of this regulation are as follows:

Global exports to individuals, commercial firms or other non-government
end-users

Any encryption commodity or software, including components, of any key
length can now be exported under a license exception after a technical
review to any non-government end-user in any country except for the seven
state supporters of terrorism.  Exports previously allowed only for a
company's internal use can now be used for any activity, including
communication with other firms, supply chains and customers. Previous
liberalizations for banks, financial institutions and other approved
sectors are continued and subsumed under the license exception. Exports to
government end-users may be approved under a license.

Global exports of retail products

A new category of products called "Retail encryption commodities and
software" can now be exported to any end user (except in the seven state
supporters of terrorism). Retail encryption commodities and software are
those which are widely available and can be exported and reexported to
anyone (including any Internet and telecommunications service provider),
and can be used to provide any product or service (e.g., e-commerce,
client-server applications, or software subscriptions). BXA will determine
which products qualify as retail through a review of their functionality,
sales volume and distribution methods.  Products that are functionally
equivalent to products classified as retail will also be considered
retail. Finance-specific, 56-bit non-mass market products with a key
exchange greater than 512 bits and up to 1024 bits, network-based
applications and other products which are functionally equivalent to
retail products are considered retail products.

Internet and Telecommunications Service Providers

Telecommunications and Internet service providers can obtain and use any
encryption product under this license exception to provide encryption
services, including public key infrastructure services for the general
public. Provision of services specific to governments (e.g., running a
virtual private network for a government agency) will, however, require a
license.

Global Exports of Unrestricted Encryption Source Code

Encryption source code which is available to the public and which is not
subject to an express agreement for the payment of a licensing fee or
royalty for commercial production or sale of any product developed with
the source code may be exported under a license exception without a
technical review. The exporter must submit to the Bureau of Export
Administration a copy of the source code, or a written notification of its
Internet location, by the time of export. Foreign products made with the
unrestricted source code do not require review and classification by the
U.S. Government for reexport. This license exception should apply to
exports of most "open source" software.

Global Exports of Commercial Encryption Source Code and Toolkits

Encryption source code which is available to the public and which is
subject to an express agreement for the payment of a licensing fee or
royalty for commercial production or sale of any product developed using
the source code (such as "community source" code) may be exported under a
license exception to any end-user without a technical review. At the time
of export, the exporter must submit to the Bureau of Export Administration
a copy of the source code, or a written notification of its Internet
address. All other source code can be exported after a technical review to
any non-government end-user. U.S. exporters may have to provide general
information on foreign products developed for commercial sale using
commercial source code, but foreign products developed using U.S.-origin
source code or toolkits do not require a technical review.

U.S. Subsidiaries

Any encryption item (including commodities, software and technology) of
any key length may be exported or reexported to foreign subsidiaries of
U.S. firms without a technical review.  Foreign nationals working in the
United States no longer need an export license to work for U.S. firms on
encryption. This extends the policy adopted in last year's update, which
allowed foreign nationals to work for foreign subsidiaries of U.S. firms
under a license exception. All items produced with encryption commodities,
software, and technology authorized under this license exception will
require a technical review.

Export Reporting

Post-export reporting is required for certain exports to a non-U.S. entity
of products above 64 bits. However, no reporting is required if the item
is a finance-specific product or is a retail product exported to
individual consumers. Additionally, no reporting is required if the
product is exported via free or anonymous download, or is exported from a
U.S. bank, financial institution or their subsidiaries, affiliates,
customers or contractors for banking or financial use. Reporting helps
ensure compliance with our regulations and allows us to reduce licensing
requirements.

Implementation of the December 1998 Wassenaar Arrangement Revisions

Last year, the Wassenaar Arrangement (33 countries which have common
controls on exports, including encryption) made a number of changes to
modernize multilateral encryption controls. This regulation allows exports
without a license of 56 bit DES and equivalent products, including
toolkits and chips, to all users and destinations (except the seven state
supporters of terrorism) after a technical review. Encryption commodities
and software with key lengths of 64-bits or less which meet the mass
market requirements of Wassenaar's new cryptography note are also eligible
for export without a license after a technical review.

ISN is sponsored by Security-Focus.COM

