Encryption

This is an issue that has largely become a non-issue.  In September 1999, the U.S. government announced a new U.S. encryption policy that lifts most export controls on software and hardware containing encryption capabilities.  This policy was implemented in regulations that were issued on January 14, 2000.  This is the latest in a series of "liberalizations" to U.S. policy that have been announced over the past several years.  Here's a little background:

Encryption is a means of putting a message in code. Encryption allows people to transform a message or data into a form that can't be understood -- decrypted -- without the proper "key."  The use of encryption technologies has becoming increasingly important as more and more individuals and organizations are relying on computers and information technologies to collect, process, store and transmit valuable or sensitive data. 

Encryption can be used to ensure the confidentiality, authenticity and integrity of messages or data. The most well-known use of encryption is provide confidentiality, thereby enabling users to communicate privately. Individuals may not want a neighbor reading their mail, or may not want businesses to have access to their personal data. Businesses need to preserve the confidentiality of proprietary information, since safeguarding information (e.g., business plans or intellectual property) is vital to commercial success. In addition to protecting communications, encryption can be used to secure stored data on, for example, a computer's hard drive. Thus, if a notebook computer is lost or stolen, the encrypted files cannot be read without the key.

While encryption has many useful and beneficial purposes (including the prevention of crime by, for example, protecting intellectual property and personal data from theft), some governments have expressed concern with the widespread availability of strong encryption.  The primary fear is that criminals, terrorists and hostile states will use encryption to thwart traditional investigative and intelligence gathering techniques (such as wiretaps, seizures of computers and storage media, and various methods used by intelligence agencies).

Rather than controlling the import or domestic use of encryption, United States encryption policy has focused on controlling and monitoring the export of strong encryption.  This policy has evolved from case-by-case licensing of individual encryption exports, to policies designed to encourage "key escrow" or "key recovery" encryption systems, to broad approvals for exports to certain preferred industry sectors, and finally to nearly free exportability with after-the-fact reporting.

Prior to December 30, 1996, most encryption products were on the U.S. State Department's Munitions List.  Thus, the State Department, under the authority of the Arms Export Control Act and the International Traffic in Arms Regulations (ITAR), regulated most encryption exports from the U.S.

Pursuant to an Executive order, the U.S. Commerce Department issued new regulations at the end of 1996 transferring jurisdiction over commercial encryption products from the State Department to the Commerce Department. Thereafter, the Commerce Department, under the authority of the Export Administration Act and Export Administration Regulations (EAR), regulated the export of all encryption products except those specifically designed or modified for military use (which remained at State).

This first set of Commerce Department regulations created a separate category of controls ("EI") for encryption items. The regulations divided these encryption items into several subcategories and created different licensing schemes for each. 

• Certain mass-market encryption software products with an encryption key length of 40 bits or less were eligible for release from normal EI controls, after a one-time review, making them freely exportable except the seven countries subject to U.S. embargoes. 
• Encryption items with key lengths up to 56-bits were eligible for a license exception for all non-embargoed destinations during a two-year transition period, after an initial review of the item and the submission by the applicant of a satisfactory key recovery plan demonstrating a commitment to develop key recovery products and services.
• "Recovery" encryption software and equipment could be released from EI controls and made eligible for a license exception for all non-embargoed destinations. This category included "key escrow" or "key recovery" products in which the keys or other information required to decrypt a message or stored data are kept by a key recovery agent and are accessible to government officials under proper legal authority.
• All other encryption items (i.e. non-recovery encryption with a key length greater than 40 or 56 bits -- depending upon whether the exporter has submitted an acceptable key recovery plan) could only be exported pursuant to a specific Commerce Department export license.
• An export license was also required to release technology or software subject to the EAR to a foreign national, whether in the United States or abroad; or to provide any technical assistance for a foreign person, whether in the United States or abroad, with the intent to aid in the development of foreign encryption.

In September 1998, another set of new Commerce Department regulations were published.  These regulations permitted the export of strong encryption products to banks and certain other financial institutions. 

Three months later, in December 1998, additional regulations were published that expanded the export treatment given to banks and financial institutions to include insurance companies, certain health and medical organizations, foreign branches and subsidiaries of US multinationals, and "online merchants" engaged in e-commerce with the public at large. These regulations also raised the maximum key length for encryption that is freely exportable to other end-users from 40-bits to 56-bits, and expanded the exportability of products classified as "recoverable" encryption (a broader category that the earlier "key recovery" or "key escrow").

Most U.S. companies have found that the past "liberalizations" offered little real benefit.  The exceptions were so narrow, and the regulatory burdens so great that it was difficult, and in most cases impossible, to compete with the many foreign suppliers of encryption.  But the latest set of regulations finally afforded U.S. exporters of encryption products meaningful relief from export controls.  The rules are still needlessly complex, and there are still some bureaucratic hurdles that exporters need to deal with (and hopefully these will eventually be eliminated), but the current policy is clearly a huge improvement that allows most US companies to provide the security capabilities that are demanded by their customers.

Last Updated 24 July 2005
Copyright 1999