----------------------------------------------------------------------- ----------------------------------------------------------------------- Department of Commerce regulations on export of encryption products These are the U.S. Department of Commerce's export regulations governing encryption. Officially, these are still interim regulations and (as of October 1997) a final version is still being developed. One of the sticking points is that the final regulations are supposed to permit liberal export of non-escrowed encryption for financial institutions, but there is not agreement on the definition of "financial institution". [Federal Register: December 30, 1996 (Volume 61, Number 251)] [Rules and Regulations] [Page 68572-68587] From the Federal Register Online via GPO Access [wais.access.gpo.gov] ======================================================================= DEPARTMENT OF COMMERCE Bureau of Export Administration 15 CFR Parts 730, 732, 734, 736, 738, 740, 742, 744, 748, 750, 768, 772, and 774 [Docket No. 960918265-6366-03] RIN 0694-AB09 Encryption Items Transferred From the U.S. Munitions List to the Commerce Control List AGENCY: Bureau of Export Administration, Commerce. ACTION: Interim rule. SUMMARY: This interim rule amends the Export Administration Regulations(EAR) by exercising jurisdiction over, and imposing new combinednational security and foreign policy controls on, certain encryptionitems that were on the United States Munitions List, [[Page 68573]] consistent with Executive Order 13026 and pursuant to the PresidentialMemorandum of that date, both issued by President Clinton on November15, 1996.On October 1, 1996, the Administration announced a plan to make iteasier for Americans to use stronger encryption products to protecttheir privacy, intellectual property and other valuable information.The plan envisions a worldwide key management infrastructure with theuse of key escrow and key recovery encryption items to promoteelectronic commerce and secure communications while protecting nationalsecurity and public safety. To provide for a transition period for thedevelopment of this key management infrastructure, this rule permitsthe export and reexport of 56-bit key length DES or equivalent strengthencryption items under the authority of a License Exception, if anexporter makes satisfactory commitments to build and/or marketrecoverable encryption items and to help build the supportinginternational infrastructure. This policy will apply to hardware andsoftware. DATES: Effective Date: This rule is effective December 30, 1996.Comment Date: February 13, 1997. ADDRESSES: Written comments (six copies) should be sent to: NancyCrowe, Regulatory Policy Division, Bureau of Export Administration,Department of Commerce, 14th Street and Pennsylvania Ave., N.W., Room2705, Washington, D.C. 20230. FOR FURTHER INFORMATION CONTACT: James A. Lewis, Office of StrategicTrade and Foreign Policy Controls, Telephone: (202) 482-0092. SUPPLEMENTARY INFORMATION: Background Following upon the Administration's October 1 announcement, onNovember 15, 1996, the President issued the Memorandum directing thatall encryption items controlled on the U.S. Munitions List, exceptthose specifically designed, developed, configured, adapted, ormodified for military applications, be transferred to the CommerceControl List. The Memorandum and Executive Order 13026 (November 15,1996, 61 FR 58767) also set forth certain additional provisions withrespect to controls on such encryption items to be imposed by theDepartment of Commerce. The Executive Order also provides forappropriate controls on the export and foreign dissemination ofencryption items controlled on the U.S. Munitions List that are placedon the Commerce Control List. In issuing the Memorandum the Presidentstated: Encryption products, when used outside the United States, canjeopardize our foreign policy and national security interests.Moreover, such products, when used by international criminalorganizations, can threaten the safety of U.S. citizens here andabroad, as well as the safety of the citizens of other countries.The exportation of encryption products must be controlled to furtherU.S. foreign policy objectives, and promote our national security,including the protection of the safety of U.S. citizens abroad. This initiative will support the growth of electronic commerce;increase the security of the global information infrastructure; protectprivacy, intellectual property and other valuable information; andsustain the economic competitiveness of U.S. encryption productmanufacturers during the transition to a key management infrastructure.Under this initiative, non-recoverable encryption items up to 56-bitkey length DES or equivalent strength will be permitted for export andreexport after a one-time review of the strength of the item and if theexporter makes satisfactory commitments to build and/or marketrecoverable encryption items, to support an international keymanagement infrastructure. This policy will apply to hardware andsoftware and will last through December 31, 1998.The initiative addresses important foreign policy and nationalsecurity concerns identified by the President. Export controls oncryptographic items are essential to controlling the spread abroad ofpowerful encryption products which could be harmful to critical U.S.national security, foreign policy and law enforcement interests. Thisinitiative will preserve such controls and foster the development of akey management infrastructure necessary to protect important nationalsecurity, foreign policy and law enforcement concerns.Encryption software can be used to maintain the secrecy ofinformation, and thereby may be used by persons abroad to harm nationalsecurity, foreign policy and law enforcement interests. As thePresident indicated in E.O. 13026 and in his Memorandum of November 15,1996, export of encryption software, like export of encryptionhardware, is controlled because of this functional capacity to encryptinformation on a computer system, and not because of any informationalor theoretical value that such software may reflect, contain, orrepresent, or that its export may convey to others abroad. For thisreason, export controls on encryption software are distinguished fromother software regulated under the EAR.The government recognizes that several factors, including thedevelopment of common international encryption policies, the need foran international key recovery