US to EU: Me Too!
Encryption Export Policy Update

Note: This is an outline of the presentation given by Roszel Thomsen.

How Did We Get Here?

Industry demands for relief from export controls

E-commerce and privacy

Intelligence and law enforcement electronic surveillance concerns

Key escrow, recovery, management, plaintext access and other techniques

Incremental relaxation

From "munitions" to "dual-use" export controls

Encryption Policy Update

BXA promises to update policy if EU creates license free zone – January 14, 2000

EU Council of Ministers adopts new dual-use license free zone – June 22, 2000

White House announces that BXA will promulgate new regulations – July 17, 2000

BXA issues new regulations, effective immediately – October 19, 2000

Good News …

No limitation on encryption algorithm, key length, key management, or security protocol

License free zone for EU plus 10 countries

Modest, but helpful other reforms to rules

… and Bad News

Complex regulations

Onerous pre- and post-export review and reporting requirements

Vestigial controls remain on all products

Bad people

Bad places

Bad things

Three Pillars of Crypto Policy

Pre-export technical review requirements for all encryption products/technologies

License requirements for exports to certain government end-users

Post-export reporting by US exporters

Pre-Export Technical Reviews

Filed with BXA & NSA

Commodity Classification Request Procedure

Overall product features

Cryptographic details

Eligibility for special export control treatment

"Retail"

Mass Market

De Minimis

See www.t-b.com/Cryptolist.htm

New Short Range Wireless Rule

New exemption from technical review

Cellphones, mice, etc. incorporating "Bluetooth" chips for personal area networks

HomeRF products for home and SoHo networks

Not 802.11b products

Export Review Roadmap

Eligible for export to EU plus 10 upon acceptance of application

Eligible for export as a "non-retail" item 30 days after acceptance

Eligible for export as "retail" and de minimis only if approved by BXA and NSA (60-90 days?)

Controls on "Retail" Products

Most favorable classification available for products that encrypt for privacy

License Exception ENC, except to:

Bad people

Bad places

Bad things

What is "Retail"?

Positive tests:

Sold via independent retail outlets, or

Specifically designed for individual use, or

Sold in large volume via mail order, telephone call or electronic transactions

Negative tests:

Not easily modified by the user, and

Not modified or customized to customer specifications, and

Not network infrastructure products for large volume traffic

"Equivalent Functionality" Test

"Encryption products which provide equivalent functionality to other encryption products classified as retail will be considered retail."

"Equivalent functionality" includes features other than encryption features

This is not a means to decontrol all products that may incorporate S/MIME, SSL and IPSec!

Examples of Retail Products

OS with networking and server capabilities

Non-programmable chips and chips constrained by design for retail products

SoHo networking equipment

Database management systems

Low end servers and associated clients

Products distributed free or anonymously

E-commerce (Retail) Products

Electronic commerce products restricted by design to secure financial communications

Highly field formatted

Validation procedures

Not easily diverted to other end-uses

If Your Product Isn’t "Retail"?

License Exception ENC available for exports to EU plus 10, and to commercial and individual end-users elsewhere

License required for export to "government end-users" outside EU plus 10

What is a "Government"?

Foreign central, regional or local government department, agency or other entity performing governmental functions

Does not include utilities (including telco/ISPs), banks, transportation, entertainment, civil health, retail and wholesale firms (except firms engaged in weapons activities)

Telco/ISP Use Restrictions

Telco/ISPs must obtain licenses to provide services specifically for governments outside the EU plus 10 using non-retail products

WAN, LAN, VPN, voice and dedicated link services

Application specific, e-commerce and PKI services

Permitted Deployment

Restricted Deployment

Export Licensing Process

Form with supporting documents, reviewed by the Commerce, Defense and State Departments

Case-by-Case Licenses

One-off sale to known end-user/specific end-use

Encryption Licensing Arrangements

Sales to a class of end-users in a sales territory

E.g., civil government end-users/end-uses

Possible Outcomes

Approval

Generally subject to riders and conditions

Denial

Opportunity to appeal is limited

De facto denial

Due to lengthy review cycle

Probability of Success

Some civil uses are likely to receive favorable consideration:

Social or financial services

Civil justice

Social services

Pensions/retirement

Taxation

Communications between government and its citizens

Post-Export Reporting Rules

New Exemptions from Reporting

Items incorporating components limited to short range wireless encryption (Bluetooth)

Retail OS and applications for single CPU computers, laptops or hand-held devices

Client internet appliance and client wireless LAN cards (Bluetooth, HomeRF and 802.11b)

Foreign products developed by bundling or compiling of source code

Clarification of Reporting

Exports to and by U.S. Foreign Subsidiaries

Under the new interpretation, U.S. companies' foreign subsidiaries are treated like a distributor or other reseller

Report export to distributor

Report distributor’s end-user "if collected as part of the distribution process by the exporter"

Technology and Toolkit Exports

"when the product is made available for commercial sale, a non-proprietary technical description of the foreign products for which the component, source code or toolkit are being used (e.g., brochures, other documentation, descriptions or other identifiers of the final foreign product; the algorithm and key lengths used; general programming interfaces to the product, if known; any standards or protocols that the foreign product adheres to and source code, if available.)"

Post-Export Reporting Procedure

Semi-annual (twice a year)

January-June: Aug. 1

July-December: Feb. 1

Electronic format

E.g., spreadsheet

Transmission

Electronic or postal

Note: Must file a report, even if you don't have a reportable export!

Encryption Export Summary

Other Issues in New Regulations

Source code rules

Components

De Minimis rule

Weak Crypto

Foreign nationals

Beta test software

Crypto-with-a-hole

Technical assistance

Special Source Code Rules

Publicly available without restriction

E.g., Open Source

Publicly available with restrictions

E.g., Community Source

All other proprietary source code

Open Source

Must be available free of charge under GNU-style license agreement

Concurrent notice to government required, in lieu of technical review

Eligible for export under License Exception TSU

As source code

New: compiled executable

Only if distributed as freeware

Community Source

Must be free of charge for commercial use, restricted for commercial use only

Concurrent notice to government required, in lieu of technical review

Eligible for export under License Exception ENC

As source code

As compiled executable

But note reporting requirements for executable

Proprietary Source and Toolkits

Technical review required prior to initial export

License Exception ENC immediately available

Any end-user in EU plus 10

Any commercial or individual (non-government) end-user elsewhere

Special reporting required for foreign end-items

Components: Chips and SDKs

Technical review required prior to initial export

License Exception ENC

Either "retail" or non-retail, depending on distribution

Report general description of foreign products intended for resale

Special exemption from classification & reporting for items incorporating short range wireless

De Minimis Eligibility

Foreign-made items may be released from U.S. controls, if:

Less than 10% by value U.S. content, and

U.S. content has been authorized as eligible

E.g., retail operating systems & applications for PCs, laptops and hand-held devices

Weak Crypto

Eligible for export under NLR as of filing of Commodity Classification Request

64 bit mass market

5A/D/E992 & NLR

56/512 bit non-mass market

5A/D/E992 & NLR

Beware: 56/1024 bit non-mass market may be 5A/D002 and "retail"

Business Case for Weak Crypto

Sales to governments

Incorporation into foreign end-products

Exempt from de minimis exclusion

Third country import and use restrictions

Exempt from reporting

Better performance

Shhhhh….

Foreign National Licensing

No license or technical review for intra-company transfers

Employees, contractors and temporary workers

Subsidiaries controlled by US parent company

Exception: employees from embargoed countries

Beta Test Software

Eligible for export without technical review, provided:

Will qualify as "mass market" at conclusion of beta testing

Concurrent notification provided to BXA

General reporting requirements are met

Open Crypto APIs

Permitted in open and community source and freeware

But not permitted in commercial products incorporating open and community source

Permitted for all other exports to EU plus 10

Prohibited for exports outside EU plus 10

Closed Crypto APIs

APIs that include a digital signature or similar mechanism

Microsoft’s CAPI

Intel’s CDSA

New: U.S. developers may sign foreign plug-ins without review or approval

Technical Assistance/Consulting

A license is required to provide non-crypto assistance to developer of a crypto product outside the U.S.

New exemptions:

End-users in EU plus 10

Assistance provided in connection with the development of international standards

Issues for 2001 and Beyond

Long term: reduce complexity and delays associated with technical reviews and licensing

Short term: fix immediate problems, including:

Eligibility of 802.11b as "short range wireless"

Create exemption for management crypto

Exempt software on servers from reporting

Export Management Systems

In some cases, specific procedures are required under the regulations

E.g., electronic exports and post-export reports

In other cases, due diligence is prudent

E.g., education/training employees and field

Management System Elements

Statement of policy

Notification, classification and licensing procedures

Customer and transaction screening

Post-export reporting

Education and training

Audit & compliance

Electronic Exports

Open/Community source

Notification of posting

Retail products

Blocking embargoed countries

Bad people, if collected

Non-retail products

Notice, acceptance and blocking .gov, .mil and similar domains

Potential Penalties

Civil

$10,000 per violation

Administrative

Denial of export privileges

Criminal

10 years in jail

5 times the value of the export or $1 million

Recent Compliance Cases

IBM

Largest criminal penalty

$8.5 million

Illegal exports to Russia

Compaq/Digital

Largest civil penalty

$2.1 million

Illegal exports to various countries

Management, Not Magic

Every company has some kind of an export management system

Real issue is whether your company manages exports:

By design, or

By default

Resources on the Web

Journal article: www.t-b.com/cryptoarticle.htm

Filing checklist: www.t-b.com/cryptolist.htm

License matrix: www.t-b.com/cryptomatrix.htm

October 19 Regulations

Text format: www.t-b.com/cryptoregs.htm

PDF format: www.t-b.com/cryptoregs.pdf