
ANS FOLLOW-UP TO THE IWG MEETING ON OCTOBER 15, 1999 REGARDING THE NEW
ENCRYPTION EXPORT CONTROL POLICY
November 3, 1999
I. Background
The Alliance for Network Security (“ANS”) members met with the Inter-agency
Working Group (“IWG”) on October 15, 1999 to discuss the White House
announcement of September 16, 1999 regarding the new encryption export control
policy. The ANS members are 3Com, Cisco Systems, Hewlett-Packard,
Intel, Lucent Technologies, Microsoft, NetScreen, Network Associates, Nortel
Networks, Novell, RedCreek, Secure Computing and Sun Microsystems.
ANS looks forward to working with the Administration in the drafting of
regulations implementing the new encryption export control policy in the Export
Administration Regulations (“EAR”, 15 CFR Part 730 et seq.).
II. Purpose
The purpose of this White Paper is to provide
additional information to the IWG regarding several issues that were raised in
the course of the meeting on October 15, 1999.
III. Specific Issues Raised by the IWG
A. Telco/ISPs and the Definition of “Government”
The White House announcement contemplates allowing
exports under License Exception of cryptographic products to Telco/ISPs for
subscriber use, while retaining some control over exports to, or for use by,
“foreign government and military organizations”. ANS members believe that all Telco/ISPs should be authorized
to receive all cryptographic products under License Exception, and that none of
them should be regarded as falling within the definition of “government”.
However, a Telco/ISP would be authorized to provide service to a
government only if it used “retail” products that the government could
procure for its own use. In summary, this balance is best achieved by:
We believe that points (2) and (3) above should not
be controversial. The White House
Fact Sheet of September 16, 1999 states:
Additionally, telecommunications and internet service
providers may use any encryption software or commodity to provide services to
commercial firms and non-government entities.
Additionally, telecommunications and internet service
providers may use retail encryption commodities and software to provide services
to any recipient.
The really important question is whether any Telco/ISPs would themselves
be barred from receiving exports of encryption products (other than retail
encryption products) under License Exception because they fall within the
definition of “government” organizations.
If Telco/ISPs fall within the definition of “government”, then the
relief promised by the White House will prove illusory.
In this regard, it is instructive to review the trend toward
privatization of Telco/ISPs in world markets.
Historically, most foreign countries have provided
telecommunications and internet services to their citizens through a single
(monopolist) government agency or government-owned utility. We will refer to
these as “incumbent” Telco/ISPs. There is a clear trend toward privatization
of incumbent Telco/ISPs, by governments, worldwide. The underlying reasons are technological advances, growth in
data traffic, and deregulation.
Rapid technological advances, combined with the
development of decentralized network-based software (i.e., the internet), have
led to substantial increases in transmission capacity at lower costs, reducing
the value of the fixed networks constructed over many years by incumbent
Telco/ISPs. In addition, the fixed
networks that the incumbent Telco/ISPs constructed are optimized for voice,
rather than data, whereas data traffic already exceeds voice traffic in many
markets (like the U.S. and U.K.) and is predicted to grow much faster in the
future. Finally, deregulation has
resulted in the formation of alternative network and access providers,
challenging the monopolies enjoyed by incumbent Telco/ISPs and reducing their
profits. In Germany, for example,
there are over 100 operators providing fixed telephony services today.
In 1997, there was only one.
As a result of these trends, governments perceive
that holding onto their incumbent Telco/ISPs is increasingly risky.
Incumbent Telco/ISPs are no longer safe, utility-type investments, let
alone monopolies, as in the past. Therefore,
governments are disposing of their incumbent Telco/ISPs, through issuance of
stocks and bonds to the public and via strategic sales to other investors, in a
process known as “privatization”.
Only a handful of incumbent Telco/ISPs have been
completely privatized. The most
prominent example is British Telecom. However,
in some cases the government has retained only a token ownership.
For example, the Government of Italy has retained only 4% of Telecom
Italia. In almost all countries,
there is an inexorable trend toward privatization, reflected by the debt and
equity offerings and strategic sales described below.
(All figures are for 1998, the last year for which statistics are
available).
Some governments are privatizing their incumbent
Telco/ISPs by issuing stock to the public.
Altogether, incumbent Telco/ISPs raised over $45 billion through equity
offerings in 1998. For example, the
Swiss Government sold 34% of Swisscom in an initial public offering (“IPO”)
that raised $6.4 billion. This was
the largest ever equity offering in Switzerland, the largest European IPO of
1998, and the year’s largest privatization IPO.
The Japanese Government completed the fourth phase of its privatization
of Nippon Telephone and Telegraph, selling 6.28% of the company for $7.3 billion
in 1998.
Other governments are privatizing their incumbent
Telco/ISPs by issuing debt securities that are convertible into stock. For
example, the French Government raised $2.2 billion through the issuance of debt
convertible into shares of France Telecom, and the Singapore Government raised
$1 billion in debt convertible into debt of Singapore Telecom, in 1998.
In addition, some governments are privatizing their
incumbent Telco/ISPs through strategic sales.
The Brazilian Government completed the largest Latin American
privatization ever, when it sold 12 units of its incumbent, Telebras, for $19
billion to consortia led by Telefonica de Espana, Telecom Italia and Portugal
Telecom in 1998. Telecom Italia
also purchased a 25% stake in Telecom Austria for $2.4 billion, the largest ever
privatization in Austria in 1998.
Total privatizations of incumbent Telco/ISPs in 1998
amounted to approximately $50 billion. In
addition to the large deals described above, incumbent Telco/ISPs in Egypt,
Israel, the Czech Republic, Tunisia, Malta, Poland, Qatar, Finland and Greece
completed equity offerings in 1998. The
Governments of Lithuania, El Salvador, Guatemala and Romania completed strategic
sales in 1998. Also, in a second
phase of privatization, Bell Atlantic issued a bond exchangeable into its
previously acquired 25% of Telecom Corporation of New Zealand in 1998.
In summary, the paths toward privatization in
different countries are varied, and the pace may be slower or faster, but the
trend is consistent throughout Europe, Asia and Latin America.
Governments are privatizing their incumbent Telco/ISPs, and allowing new
companies to compete with them, throughout the world.
Moreover, there is no clear distinction between an incumbent Telco and
ISP that remains government-owned, or one that has been privatized, in the
equipment it must acquire or the services it seeks to provide.
Therefore, we conclude that all Telco/ISPs should be authorized to
receive cryptographic products under License Exception, and that none of them
should be regarded as falling within the definition of “government”.
U.S. authorities should take comfort in the fact that Telco/ISPs are not
authorized to provide services to governments, unless they use only retail
products.
By extension, not only Telco/ISPs but also other state-owned
enterprises should be regarded as falling outside the
definition of “government” if they are engaged in a commercial function.
For example, state-owned airlines, banks, educational institutions and
other entities that are not engaged in a core governmental function should not
fall within the definition of “government” for purposes of the EAR.
State and local governments also should be exempted.
This is very important, because a broad definition of government could
undermine the benefits of the new policy.
B. Reporting of End-users in Connection with Indirect Sales
IWG members asked whether ANS
members could report information regarding end-users in connection with indirect
sales, for example, if the end-user has a support contract with the
manufacturer.
ANS members believe it may be possible to supply
end-user information for some of their largest customers.
However, much of this kind of information is in various forms and
locations, and maintained for limited periods.
Therefore, it may be difficult or impossible to capture and report all
such data. ANS members would be
willing to supply information which is collected in the ordinary course of
business and is readily available to headquarters in the U.S., consistent with
the underlying principle that reporting should not require changes in business
practice in particular companies.
C. Export Compliance and Anonymous Electronic Downloads
IWG members asked how ANS members ensure
compliance with the General Prohibitions prohibiting exports to denied parties
and embargoed countries in connection with anonymous electronic downloads.
ANS members use a variety of techniques to
ensure compliance with the EAR. For
example, some companies use “pop-up” screens that advise the person
requesting the download regarding export control compliance.
Other companies include export control compliance language in their
software license agreements. Companies
also may reverse-resolve the incoming IP address in order to verify that it is
not associated with a host in one of the embargoed/terrorist countries.
Notwithstanding these precautions, ANS members
believe that there is no perfect screening device, and with anonymous downloads
there is no information to screen against a denied parties list.
There are two partial solutions available.
First, ANS members believe that the exclusion from the “publicly
available” definition for cryptography should be removed.
Additionally, Section 734.2(b)(9)(ii) should be amended to reflect the new policy, such that making
encryption software available for electronic download is not within the
definition of “export”, so long as there is an access control system that
checks the IP address of every system requesting or receiving a transfer and
blocks any transfer that appears to originate in an embargoed destination.
D. Small Office / Home Office Networking Products
The definition of “retail” is problematic.
ANS members understand that the narrow definition of “retail” is
intended to exclude certain networking products.
However, the scope of products excluded by the definition of “retail”
and the underlying rationale are not clear.
For example, are cable modems, which today are leased from service
providers and not available over-the-counter, excluded from the definition of
“retail”?
ANS members would prefer that the Administration
identify those products that create concern, rather than casting a “broad
net” in order to control what may be a fairly small number of products.
ANS members would be pleased to review and provide comments, if the
Administration were to propose such a list.
However, we do not feel that we are in a position at this point to
propose such a list, because we do not understand the scope of items that are of
particular concern to the Administration.
Whether the Administration chooses to propose a list,
or to publish a definition of “retail”, we recommend that products
designed for small office or home office use (i.e., products that are not
exclusively designed for, and marketed to, enterprise customers) should be
eligible for export to all customers, including governments, under License
Exception.
E. Export Controls on Open Source Software
The basic concept of “open source” software (and
its cousin, “community source”) is that when programmers on the Internet can
read, redistribute, and modify software source code, it evolves rapidly.
Programmers around the world can improve, adapt and fix bugs in the
software more quickly and cost-effectively than any single company could.
The business case for open source software is made eloquently in Eric
Raymond’s The Cathedral and The Bazaar (http://www.tuxedo.org/~esr/writings/cathedral-bazaar/cathedral-bazaar.html).
When cryptographic software is developed as
“open source” there are two distinct benefits.
Not only are bug fixes and enhancements made quickly, but also a higher
level of confidence develops among users that the software does not incorporate
“backdoors” or other vulnerabilities that could compromise the user’s
data, because the community of developers at large can examine, expose and fix
any such vulnerabilities.
Generally, open source software is transferred under
license agreements that impose minimal restrictions on the redistribution and
modification of the software. The
General Public License for the Linux operating system can be found at ftp://prep.ai.mit.edu/pub/GNU/COPYING.
The License Agreement for the popular Apache HTTP Server can be found at http://www.apache.org/foundation/records/minutes/1999/board_minutes_1999_09_16.txt.
The Mozilla Public License for the
ubiquitous Netscape Communicator browser can be found at http://www.mozilla.org/MPL/.
ANS members, including Hewlett-Packard and Sun
Microsystems, are making important software platforms available as “open
source” or “community source”. ANS
members propose that open source software should be eligible for unrestricted
export, because it is “publicly available”.
Retaining Encryption Item controls on open source software restricts
Americans and American companies from participating fully in one of the most
exciting and innovative software development “bazaars” of modern times.
F. Controls on Toolkits and Linkable Modules in Executable (Object Code) Form
ANS members believe that toolkits and linkable
modules in executable (object code) form should be eligible for export under
License Exception after a one-time technical review. The rationale is that toolkits and linkable modules in
executable (object code) form contain a defined set of cryptographic features
that are fixed, and therefore are susceptible of a one-time technical review,
just as chips contain a defined set of cryptographic features that are fixed.
G. Information Collection -- Toolkits and Linkable Modules in Executable Form
ANS members understand that the government
may be interested in knowing what foreign-made original equipment manufacturer
(“OEM”) products might incorporate U.S.-origin toolkits and linkable modules
in executable form, just as it has expressed interest in knowing what
foreign-made products might incorporate U.S.-origin chips.
Therefore, we recommend that exporters provide non-proprietary
information regarding OEM products incorporating their toolkits and linkable
modules, such as publicly available data sheets and marketing brochures, to the
extent that such information may be collected by the exporter in the ordinary
course of business. On the other hand, exporters would not be required to provide
information if the toolkit or linkable module is exported to a customer for
implementation in the customer’s proprietary application.
H. Scope and Effect of EU Data Privacy Directive on Reporting
The EU Data Privacy Directive and similar laws that
exist around the world regulate the collection and use of personal data (which
includes a person’s name, contact information such as address or telephone
number, and any other "information relating to an identified or
identifiable natural person"). Entities
collecting personal data must disclose several things to the persons from whom
the data is collected. These mandatory disclosures include: the purposes
for which the data is collected and used; who will receive, use or process the
data; and the consequences (if any) of failing to provide the information.
Once the data has been obtained, these laws require that it be used and stored
only for the purposes for which it was collected.
Unfortunately, these restrictions on use of the data can be interpreted in different ways. A broad interpretation would be that as long as the data collector gives notice of all uses of the data, the individual implicitly consents to those uses by proceeding with the transaction. However, a narrow interpretation would mean that, absent explicit consent, the data can only be used for the primary purposes for which it was collected - which is equivalent to the reason why the individual provided the data. For example, if a name and address were collected by a mail-order software retailer so that a product could be shipped to the purchaser, the primary purpose for which the person supplied the data was to permit the retailer to ship the product. Any other use beyond that (such as supplying the data to the US government to satisfy reporting requirements) would require the specific consent of the individual, and the individual would have the right to opt out of such secondary uses.
Because the EU Directive merely instructs the EU
member countries to implement conforming national legislation, the
interpretations can vary from country to country. Plus, the many other
countries that have laws modeled on the EU Directive may also have differing
interpretations. What is clear is that there will be at least some
national privacy laws that will interfere with US companies' ability to freely
pass along names and addresses of individual customers.
IV. Conclusion
ANS members look forward to working with the Administration on these and other aspects of the new encryption policy.