US to EU: Me Too!
The United States Amends its Export
Controls on Encryption,
By Roszel C. Thomsen II and Antoinette D. Paytas*
*Roszel C. Thomsen II firstname.lastname@example.org is a Partner, and Antoinette D. Paytas email@example.com is an Associate, with the law firm of Thomsen and Burke LLP. Roz and Toni concentrate in the field of export controls, with particular emphasis on the laws and regulations governing information technology.
When the Clinton
Administration came to Washington, encryption items were controlled for export
from the United States as “munitions” under the Arms Export Control Act[i]
and the International Traffic in Arms Regulations[ii].
Most applications for licenses to export strong encryption items were
denied. Industry and public
interest groups lobbied for liberalization, and the Clinton Administration
reformed the outdated U.S. export controls on encryption items in a series of
graduated steps. Nevertheless, the
U.S. export controls on encryption items remain complex and onerous. American companies must submit
encryption items for technical reviews by the intelligence authorities prior to
export. Exports to some agencies of
foreign governments require licenses, as do exports to telecommunications and
Internet service providers wishing to provide services to some government
agencies. Finally, post-export
reporting requirements apply to many exports from the United States. Thus, U.S. encryption export controls
continue to impose a significant regulatory burden on American companies,
retarding the worldwide deployment of strong cryptography, the protection of
personal data, and the full flowering of Internet commerce.
This paper reviews the most recent changes to the U.S.
export controls on encryption items (referred to herein as the “US
Regulations”) that were published in the U.S. Federal Register on October 19,
2000[iii]. It describes how the decision by the
European Union (EU) Council of Ministers on June 22, 2000, to create a license
free zone for exports of encryption (and other) items (referred to herein as the
“EU Regulations”) provided the initial stimulus for these changes. It also describes how the US Regulations
fall short of matching the EU Regulations in some respects, while exceeding the
EU Regulations in other respects. In
addition, the authors offer recommendations for further reforms to the U.S.
encryption export control policy that might be addressed by the next
administration in Washington. They
conclude on a cautionary note, considering the possibility that the recent
reforms to U.S. encryption export control policy could be reversed in the
When it amended the encryption export control regulations
on January 14, 2000[iv], the Commerce
Department’s Bureau of Export Administration (BXA) anticipated that it might
have to make further changes, in response to developments in the EU. Specifically, BXA said:
A number of companies have expressed concern that the
European Union (EU) may implement a general authorization permitting encryption
items to be exported freely within the EU and other specified countries. If and when the EU implements such an
authorization, the Administration will take the necessary steps to ensure U.S.
exporters are not disadvantaged.[v]
On June 23, the EU
Council of Ministers adopted the new EU Regulations, designed to improve the
existing system of export controls on dual use goods and technologies, including
encryption. The EU Regulations
create a harmonized EU General License (Community General Export Authorization)
which covers the export of encryption items (except cryptanalytic items) within
the fifteen EU member states and ten of its close trading and security partners: Australia, Canada, Czech Republic,
Japan, Hungary, Norway, New Zealand, Poland, Switzerland and the United States. The text of the EU Regulation was
published in the Official Journal on June 30, 2000.[vi]
Washington responded quickly. On July 17, White House Chief of Staff John Podesta gave a speech at the National Press Club in which he proposed new measures to assure the security and trust of Americans in cyberspace. His speech emphasized the themes of updating law enforcement authorities for the Internet age, harmonizing the rules that apply to different technologies such as telephones and e-mail, and balancing important values. He proposed legislation that would give law enforcement important new tools to pursue criminals through cyberspace while also boosting citizens’ fundamental rights to privacy in the electronic age. Mr. Podesta also announced new rules that will update encryption export controls. In a contemporaneous announcement, the White House Press Office said:
Administration is updating its policy for encryption exports to the European
Union and other key trading partners, thus assuring continued competitiveness of
U.S. industry in international markets. Under the new policy, U.S. companies can
export under license exception(i.e., without a license) any encryption product
to any end user in the 15 nations of the European Union as well as Australia,
Norway, Czech Republic, Hungary, Poland, Japan, New Zealand and Switzerland. Previous distinctions between government
and non-government end users are removed for these countries. Further, U.S. exporters will be
permitted to ship their products to these nations immediately after they have
submitted a commodity classification request for their product to the Department
of Commerce. Exporters no longer
have to wait for a completed technical review or incur a 30-day delay to ship
their encryption products to customers in these nations. These updates track with recent
regulations adopted by the European Union that ease encryption exports to the
same countries. Consistent with the
Administration's January 2000 commitment, U.S. companies can continue to compete
effectively in these markets. The
steps announced today continue our policy to serve the full range of national
interests: promote electronic
commerce, support law enforcement and national security, protect privacy, and
maintain U.S. industry leadership in security technologies.[vii]
The U.S. encryption
export control policy rests on three pillars.
First, the U.S. Government should have an opportunity to conduct a
technical review of all cryptographic products prior to export. Second, the U.S. Government should have
the right to restrict exports of certain cryptographic products to governments
through the export licensing process. Third,
the U.S. Government should receive post-shipment reporting with respect to some
exports of cryptographic products. The US Regulations revise each of these requirements, in
light of the EU Regulations.
Prior to publication
of the US Regulations, American exporters had to submit their products to the
Commerce Department’s Bureau of Export Administration (“BXA”) and the
National Security Agency (“NSA”) for review and approval under the Commodity
Classification Request procedure, prior to commencing of exports. They generally could commence exporting
on a limited basis thirty days after submission of a completed Commodity
Classification Request, but BXA and NSA retained the right to deny exports of
offending products if, for example, they included open cryptographic interfaces.
Under the new US
Regulations, exporters may commence international shipments of cryptographic
products promptly upon filing of a Commodity Classification Request with BXA and
NSA.[viii] Preparation of a Commodity
Classification Request is not a trivial task, as a properly completed submission
must address a host of features in a level of detail in excess of that which
customarily is disclosed in a vendor’s product literature. However, there is no time lag between
filing of the application and receipt of approval to export to the EU and its
partners. Equally importantly,
there are no features that can render a decision that a product requires a
license for export to the EU and its partners.
A checklist containing the information that must be
supplied can be found at www.t-b.com/cryptolist.htm. Additional, special rules
apply to Commodity Classification Requests for components and source code. Careful consideration must be given to
the scope of disclosure required in applications for technical review,
protection of information against unauthorized disclosure by U.S. government
employees who may review the application, and how best to expedite processing of
applications by the relevant agencies.
In addition to
technical disclosure, a properly completed Commodity Classification Request must
address whether a cryptographic product meets either the “retail” or “mass
market” criteria under the new US Regulations.
These criteria are important, because products that qualify as either
“retail” or “mass market” may be subject to less onerous restrictions
governing their export to destinations outside the EU and its partners. Careful drafting also can optimize the
likelihood of obtaining “retail” or “mass market” status.
Under the new US Regulations, some items are exempt from a technical review prior to export. Section 740.17(b)(3)(vi) states:
“Items which would be controlled only
because they incorporate components or software which provide short-range
wireless encryption functions may be exported without review and classification
by BXA and without reporting under the retail provisions of this section.”[ix]
The Preamble to the new US
Regulations provides the following additional guidance:
“In §740.17(b)(3) (Retail Encryption
Commodities and Software), License Exception ENC is revised to authorize,
without prior review and classification or reporting, those items which are
controlled only because they incorporate components providing encryption
functionality which is limited to short-range wireless encryption, such as those
based on the Bluetooth and Home Radio Frequency (HomeRF) specifications. Examples of such products include audio
devices, cameras and videos, computer accessories, handheld devices, mobile
phones and consumer appliances (e.g., refrigerators, microwaves and washing
Unlike Bluetooth and HomeRF products, products developed according to IEEE 802.11b specifications are not eligible for this exemption, which is a source of lingering concern to U.S. industry. The preamble is the only place in the new US Regulations where Bluetooth and HomeRF are specified by name. Experience with some test cases will determine the scope and effect of this new exemption.
In contrast with the new US Regulations, the EU
Regulations do not specify that cryptographic products must be submitted
for a technical review prior to export. At
the same time, they do not prevent member governments from imposing technical
review requirements in their national legislation. Some countries, notably France,
historically have implemented technical review requirements more onerous than US
Regulations. It is too soon to know
whether governments in the EU and its partners will require that cryptographic
products be submitted for a technical review prior to export. However, consistent with prior practice,
we anticipate that only a handful of countries are likely to do so.
Prior to publication
of the new US Regulations, BXA divided strong cryptographic products into two
categories. So-called “retail”
products could be exported after technical review without further licensing to
governments. Products that did not
qualify as “retail” required a license for export to governments.
The new US
Regulations eliminate the distinction between “retail” and other strong
encryption products, for purposes of sales to governments in the EU and its
partners. All cryptographic
products may be exported to governments in qualifying countries without further
review or approval.[x]
In this respect, exporters in the United States and EU will compete on a
level playing field. However, the distinction between “retail” and other
strong encryption products remains important for Americans who export to
countries beyond the EU and its partners.
The new US
Regulations define “retail” strong encryption products as follows:
In order to qualify as
“retail”, a product must meet at least one of the following “positive”
(i) Sold in tangible form
through retail outlets independent of the manufacturer;
(ii) Specifically designed
for individual consumer use and sold or transferred through tangible or
intangible means; or
(iii) Which are or will be
sold in large volumes without restriction through mail order transactions,
electronic transactions, or telephone call transactions.
In addition, the product at
issue must not meet any of the following
functionality can be easily changed by the user;
(ii) Requires substantial
support for installation and use;
functionality has been modified or customized to customer specifications; and
(iv) Network infrastructure
products such as high-end routers or switches designed for high volume
The definition of “retail” bears a striking resemblance
to the definition of “mass market” in the Cryptography Note under the
Wassenaar Arrangement[xii]. However, there are two important
differences between the new definition of “retail” and the definition of
“mass market”. The first
difference is the inclusion of the words “large volume” in “positive”
test number three. This change
makes it more difficult for smaller companies to qualify their products as
“retail” than as “mass market”. The
second difference is the inclusion of the prohibition on network infrastructure
products in “negative” test number four.
This change makes it more difficult for exporters of routers, switches
and firewalls, for example to qualify their products as “retail” and to
compete on a level playing field with foreign suppliers of similar network
Inextricably intertwined in the new US Regulations are the
definition of “retail” and the definition of “government end-user”,
because products that do not qualify as “retail” require a license for
export to a “government
end-user” outside the EU and its partners.
For purposes of the new US Regulations, the definition of “government
end-user” is as follows:
Government End-user (as applied to encryption items). A government end-user is (a) any foreign
central, regional or local government department, agency, or other entity
performing governmental functions; including governmental research institutions,
governmental corporations or their separate business units …which are engaged
in the manufacture or distribution of items or services controlled on the
Wassenaar Munitions List, and international governmental organizations;
(b) this term does not include the following
public entities: utilities (including telecommunications companies and Internet
service providers); banks and financial institutions; transportation; broadcast
or entertainment; educational organizations; civil health and medical
organizations; retail or wholesale firms; and manufacturing or industrial
entities not engaged in the manufacture or distribution of items or services
controlled on the Wassenaar Munitions List.[xiii]
Screening of customers to determine whether they fall
within the definition of “government end-user” is the bane of U.S.
exporters’ existence, requiring judgment calls and careful guidance to channel
partners, so that strong encryption products are licensed properly.
In addition, telecommunications and Internet service
providers outside the EU and its partners must obtain a license prior to
providing services specific to government end-users using products that have not
been granted “retail” status.[xiv]
Covered services include wide area network, local area network, virtual
private network, voice and dedicated link services, application specific and
electronic commerce services, and public key infrastructure encryption services
specifically for government end-users only.
In comparison with the new US Regulations, EU member
governments are free to devise licensing policies and procedures governing
exports to countries outside the EU and its partners, at their national
discretion under the EU Regulation and the Wassenaar Arrangement, The United States has “bulk”
licensing mechanisms, known as License
Exception ENC and Encryption Licensing
Arrangements that have analogues in other countries, like the United
Kingdom’s Open General Export License and
Open Individual Licenses[xv]. However, it is hazardous to
speculate as to whether U.S. encryption licensing policy will be broadly similar
to the policies of the various EU member countries, because of the broad
national discretion afforded to member governments under the Wassenaar
Arrangement and the EU Regulations.
reporting requirements in the new US Regulations do not have an analogue under
the EU Regulations. In general,
U.S. exporters must file a biannual report including the name and address of the
recipient of every cryptographic product (and the end-user, if known) unless one
of the following exemptions applies:
(i) any encryption to U.S. subsidiaries for internal company use;
(ii) finance-specific products;
(iii) encryption commodities or software with a symmetric key length not
exceeding 64 bits or otherwise classified as qualifying for mass market
products exported to individual consumers;
(v) Items exported
via free or anonymous download;
items from or to a U.S. bank, financial institution or their subsidiaries,
affiliates, customers or contractors for banking or financial operations;
(vii) Items which
incorporate components limited to providing short-range wireless encryption
operating systems, or desktop applications (e.g. e-mail, browsers, games, word
processing, data base, financial applications or utilities) designed for,
bundled with, or pre-loaded on single CPU computers, laptops or hand-held
Internet appliance and client wireless LAN cards;
(x) Foreign products developed by bundling or
compiling of source code.[xvi]
Recognizing that the
reporting requirements are burdensome on U.S. exporters, the Clinton
Administration introduced several new exemptions in the new US Regulations.
which governs “short range wireless” functions, is new and notable. Intended initially to remove reporting
from products that implement so-called Bluetooth
standard with a range of 30 meters or less, it probably also probably exempts
products based upon the HomeRF standard.
Exemption (viii) is an important victory for American
exporters, as it exempts from reporting most shrink wrap software. However, it
is also problematic, as it is limited to software designed for “single CPU
computers”. This language may
exclude operating systems like UNIX, designed for multiple CPU computers, as
well as shrink wrap software for server applications.
Exemption (ix) is a modest victory for makers of wireless
networking products implementing the IEEE 802.11b standard, exempting NIC cards
and PC cards, but not access points, from reporting. Note that products implementing the IEEE 802.11b standard are
not exempt under (vii) above.
Exemption (x) appears on the surface to be attractive to
persons outside the United States who may incorporate U.S.-origin source code in
their products. However, it is
really just a clarification, rather than an extension, of the prior practice
under regulations in effect before October 19, 2000.
Looking at the exemption for short range wireless products
and software for single CPU computers, laptops and hand-held devices, NICs and
PC cards it appears that the regulators are searching for a clean way of
describing “consumer” products that should be exempt from reporting. Further efforts in this regard are
In addition, BXA issued an important clarification in the
US Regulations governing reporting by subsidiaries of U.S. companies located
outside the United States. Previously,
U.S. companies reported exports from the United States, and subsidiaries abroad
reported their exports and reexports. This
requirement made it difficult to collect information for consolidated filing of
reports and placed subsidiaries abroad at a disadvantage vis-à-vis local
distributors who did not have to report. BXA
has clarified the situation in the new US Regulations, so that U.S. companies
are required to report exports from the United States, but they are not required
to collect information from their subsidiaries abroad, nor are the subsidiaries
required to file separate reports.
BXA also eliminated a particularly onerous reporting
requirement that applied only to a handful of companies exporting network
infrastructure equipment. Under the
old regulations, exporters had to file contemporaneous reports describing
network infrastructure equipment sold to telecommunications and internet service
providers outside the United States. These
reporting requirements were eliminated in the new US Regulations.
At the request of various industry trade associations, BXA
also made a number of changes that, although not directly responsive to the
EU’s initiative, should improve the competitiveness of American companies. These changes involve the regulations
governing cryptographic application programming interfaces (APIs), source code,
beta test software, technical assistance, the so-called de minimis rule, and rules governing weak cryptography.
Under the prior
regulations, products incorporating “open” cryptographic APIs generally were
not eligible for export, except under license.
“Open” cryptographic APIs allow a third party to substitute
cryptographic libraries of their choosing for the libraries supplied by the
vendor. The rationale for
restricting exports of products incorporating “open” cryptographic APIs was
that BXA and NSA could not conduct a thorough technical review of products, if
the recipient was able to insert the cryptographic library of preference and
replace the cryptographic provider supplied initially by the developer.
As a result of this restriction on exports of products with open cryptographic APIs, American companies resorted to various mechanisms to restrict the ability of third parties to replace the cryptographic service provider supplied with the product. Most of these mechanisms involved some kind of digital signature mechanism, so that only cryptographic providers approved and signed by the developer would interoperate with the developer’s cryptographic infrastructure. These products were referred to as having “closed” cryptographic APIs.
The new US Regulations change the rules with respect
to both “open” and “closed” cryptographic APIs. Products with “open” cryptographic
APIs may be exported to all destinations in the EU and its partners, like other
In addition, vendors of products with “closed” cryptographic APIs are
permitted to “sign” cryptographic providers developed by third parties
outside the United States, without prior review by BXA or NSA.[xviii]
The EU Regulations do not contain special rules governing
exports of products with “open” cryptographic APIs. U.S. industry had urged that the restrictions on
cryptographic APIs be removed entirely in the new US Regulations. One can anticipate that such requests will be renewed, when
the next administration comes to Washington.
Cryptographic source code controls fall into three
categories: (a) open source, (b)
community source, and (c) proprietary source.
The rules governing exports of each type of source code are different,
and the have been amended in important respects in the new US Regulations.
Open source refers to software that is available to the
public without restriction free of charge, under a GNU-style license agreement. Linux is an instructive example of open
source. The old regulations allowed
the export of open source to any end-user without a technical review, provided
that the person making the open source available filed a contemporaneous
notification with BXA and NSA. However,
the prior regulations were silent with respect to restrictions (if any) on the
export of compiled executable software derived from open source. Under the new US Regulations, compiled
executable software derived from open source is eligible for export under the
same conditions as the open source itself, provided that the compiled executable
is available without restriction and free of charge.[xix] Unfortunately, if you include the
compiled executable software into a product that you distribute for a fee, then
the resulting product must be submitted for a one-time technical review,
Community source refers to software that is available to
the public free of charge for non-commercial use but that contains further
restrictions on commercial use. Community
source may be exported under essentially the same conditions as open source, but
community source remains subject to more detailed reporting requirements.[xx]
refers to all source code that is neither “open” nor “community” source. Exporters may provide proprietary source
code to any end-user in the EU and its partners, and to any non-government
end-user in other countries, promptly upon filing of a technical review with BXA
and NSA.[xxi] The same reporting requirements
applicable to community source also apply to proprietary source.
The new US
Regulations revise the export controls applicable to beta test software in
several important respects. Strong
encryption software is eligible for export without prior technical review and
classification, provided that the exporter submits a pre-export notification to
BXA and NSA describing the cryptographic features and provides a post-export
report of the names and addresses of the recipients (except individual
The regulators deliberated at length regarding the scope of
products that should be eligible for export under the beta test software
provisions. In the end, they
determined that only products meeting the Wassenaar Cryptography Note or Mass
Market Note should be eligible. The
next Administration in Washington will face pressure to extend the beta testing
authorization to additional classes of cryptographic products.
When the State Department transferred the jurisdiction to
control exports of encryption items to the Commerce Department on December 30,
1996, BXA essentially replicated an especially controversial aspect of the State
Department’s regulations purporting to require a license for the transfer of
“technical assistance” to parties outside the United States with the intent
to assist such parties in the design and development of encryption products. This provision was controversial,
because it purported to control such transfers, even if all of the information
transferred were in the public domain or otherwise generally available. Whether such a provision would survive
free speech protections of the First Amendment to the United States Constitution
is problematic, and the issue has never been litigated to a final judgment by a
court of competent jurisdiction. In order to remove sources of potential challenge, BXA has
amended this provision, so that it does not
apply to participation in standards development, such as efforts by the Internet
Engineering Task Force and other, similar groups.[xxiii] BXA also has exempted all transfers to
the EU and its partners from the license requirement.
One of the more controversial aspects of the new US Regulations is the so-called de minimis rule. In order to understand the de minimis rule and changes thereto, one first must recognize that the United States asserts jurisdiction extraterritorially with respect to products and technologies that are of U.S.-origin. For example, Germany may take the position that it controls the export of products from Germany to Singapore, but only the government of Singapore has jurisdiction to license the re-export of the same product from Singapore to India. By comparison, the United States takes the position that it has jurisdiction to control not only the export of products from the United States to Singapore, but also the re-export from Singapore to India. The same rules apply where a U.S.-origin part or component is incorporated into a foreign end-product. One can easily understand that many governments view the U.S. extraterritorial assertion of controls beyond its borders as overreaching!
The de minimis rule states that if the
U.S.-origin content in a foreign-origin end-product falls below a specified
threshold, then the foreign-origin end-product is exempt from U.S. export
controls. The new US Regulations
provide that encryption items may be eligible for de minimis
treatment if approved under the
technical review process.[xxiv]
The preamble to the new US Regulations provide only limited guidance with
respect to what products may be eligible, nor does it provide any
“grandfathering” for products that already have been through the technical
review process, despite repeated requests from industry. As a result, BXA will have to re-review
a number of products that already have been through the one-time technical
review, causing a significant backlog to develop at BXA and NSA.
The new US Regulations revise the controls on weak
encryption items, permitting their export immediately upon submission of a
notification that describes the relevant cryptographic features. The information that applicants must
submit is substantially similar to that which is required for Commodity
Classification Requests for strong encryption products.[xxv]
The Clinton Administration implemented significant changes
in the export controls on encryption items incrementally and reluctantly, only
after its attempts to influence the market to adopt key escrow failed. Over the years, its ability to convince
the Congress to support stringent export controls ebbed away, to the point where
a majority of Members of the House of Representatives supported legislation to
remove the export controls in the form of the Security and Freedom through
Encryption (SAFE) Act[xxvi].
It lost a crucial First Amendment challenge to the validity of the export
controls on cryptographic source code, Bernstein
vs. United States[xxvii]
at both the trial court and the initial appellate review. Driven by the EU’s decision to create
a license free zone for encryption products, the Clinton Administration once
again revised its encryption export control policy, only weeks before the
The authors have pointed out that there are areas where further revisions may be warranted. Nevertheless, it is worth considering the possibility that the pendulum, which has swung in the direction of liberalization for almost a decade, might swing back in the direction of further tightening of the export controls on encryption items. An instructive example is the U.S. export controls on commercial satellites.
As in the case of encryption, reacting to pressure from the affected industry, the Clinton Administration transferred jurisdiction with respect to export controls on commercial satellites from the Department of State to the Department of Commerce[xxviii]. However, the Congress, responding to incidents featured in the so-called Cox Report, passed legislation transferring jurisdiction back to the Department of State[xxix], resulting in an enormous loss of market share on the part of American satellite manufacturers, according to industry representatives.
It is not difficult to anticipate possible events that could trigger a reconsideration of the trend toward liberalization of encryption export controls. A domestic terrorist incident or other heinous crime in which cryptography was employed by the perpetrators could serve as the catalyst. An international incident caused by the inability to decrypt signals intelligence in a timely manner likewise could trigger a reassessment of the current export controls on cryptographic products. The debate over the appropriate export controls on encryption in the United States likely will enter an hiatus during the next six months or so, until after the elections, but it is not over.
[i] 22 U.S.C. 2778.
[ii] 22 C.F.R. 120 et. seq.
[iii] 65 Fed. Reg. 62600 (2000).
[iv] 65 Fed. Reg. 2492 (2000).
[vi] 2000 O.J. (L 159) 1.
[vii] See < http://www.pub.whitehouse.gov/uri-res/I2R?urn:pdi://oma.eop.gov.us/2000/7/17/16.text.1>
[viii] 15 C.F.R. § 740.17(d)(1)(i).
[ix] Id. at § 740.17(b)(3)(vi).
[x] Id. at § 740.17(a).
[xi] Id. at § 740.17(b)(3).
[xii] See <http://www.wassenaar.org>
[xiii] Id. at § 772.
[xiv] Id. at § 740.17(b)(2)(ii).
[xv] See <http://www.dti.gov.uk/export.control/>
[xvi] Id. at § 740.17(e)(1).
[xvii] Id. at § 740.17(a)(5)(i).
[xviii] Id. at § 740.17(a)(5)(ii).
[xix] Id. at § 740.13(e)(2).
[xx] Id. at § 740.17(b)(4)(i).
[xxi] Id. at § 740.17(b)(4)(ii).
[xxii] Id. at §740.9(c)(3).
[xxiii] Id. at § 744.9(a).
[xxiv] Id. at § 734.4(b).
[xxv] Id. at § 742.15(b)(1).
[xxvi] H.R. 850.
[xxvii] See <http://www.epic.org/crypto/export_controls/bernstein_decision_9_cir.html>
[xxviii] 61 Fed. Reg. 56894 (1996).
[xxix] Pub. L. 105-261.