Commerce Department Releases Encryption Export Regulations

(January 13, 2000) The Commerce Department released its long awaited regulations to relax encryption export restraints on Wednesday, January 12. They provide that any encryption product of any key length can be exported under a license exception after a technical review to any non-government end-user in any country except for the seven state supporters of terrorism.

The new regulations were released by the Bureau of Export Administration (BXA), a subdivision of the Department of Commerce. These regulations create a new category of products called "Retail encryption commodities and software" which can now be exported to any end user, except in one of the T-7 nations. Retail encryption commodities and software are those which are widely available and can be exported and re-exported to anyone (including any Internet and telecommunications service provider), and can be used to provide any product or service (including e-commerce, client-server applications, or software subscriptions).

The BXA will determine which products qualify as retail. Products that are functionally equivalent to products classified as retail will also be considered retail. Finance-specific, 56-bit non-mass market products with a key exchange greater than 512 bits and up to 1024 bits, network-based applications and other products which are functionally equivalent to retail products are considered retail products.

Wm. Daley

"This policy helps business and promotes e-commerce by adjusting our regulations to marketplace realities that U.S. companies face when they try to sell their products overseas. We've also worked very hard to address privacy concerns and to ensure that our law enforcement and national security concerns are met," said Commerce Secretary William Daley in a press release.

Rep. Bob Goodlatte (R-VA) is the lead sponsor of the Security and Freedom through Encryption (SAFE) Act, HR 850. This bill had been considered by all House committees with jurisdiction, and was ready to be taken up on the House floor, when the administration announced that it would relax encryption export restraints last September.

The administration has spent the intervening time consulting and drafting the regulations to implement its new policy.

Rep. Bob

Rep. Goodlatte is pleased with the regulations. "The encryption regulations released today by the Administration are a positive step forward towards a common sense encryption policy. These changes are long overdue. I am pleased that the Administration has reacted to concerns raised by Congress, industry and privacy organizations, and the American people in proposing an encryption export policy that will protect privacy, promote our national security, and allow U.S. companies to compete with foreign encryption manufacturers."

Rep. Goodlatte continued in his prepared statement released late on January 12 that "There can be no doubt that these regulations are a direct result of the 258 bipartisan cosponsors of H.R. 850, the Security And Freedom through Encryption (SAFE) Act, and the continued commitment of the Republican leadership to move this legislation through the House of Representatives. I would also like to thank Americans for Computer Privacy, including its 40 member associations, 100 member companies, and more than 3,000 individuals, which has provided vital support for encryption reform, and the chief cosponsors of the SAFE Act, Majority Leader Dick Armey (R-TX), Rep. Zoe Lofgren (D-CA), and Rep. Sam Gejdenson (D-CT)."

"Congress will continue to be watching carefully to make sure that the regulations released today are implemented properly and in a timely manner," said Rep. Goodlatte. "To that end, the House remains ready to take up H.R. 850 if the regulations do not allow American companies to fully compete in the global marketplace. Nevertheless, I am pleased that after years of ignoring the importance of strong encryption in fighting crime and protecting our national security, the Administration has finally moved towards adopting a balanced and reasonable encryption export policy."

Americans for Computer Privacy (ACP) is an interest group that was organized to lobby for reform of encryption laws. Ed Gillespie, its Executive Director, and Jack Quinn, its Co-Chairman, issued a joint statement on January 12. They stated that ACP "is extremely gratified by the new encryption regulations."

"This is good news for America-- important not only for the high-tech industry, but for all Americans who value computer security. This new policy paves the way for our nation to retain its technological leadership, strengthen our government's ability to protect critical infrastructure, and fight crime."

However, Gillespie and Quin added that "We will be carefully watching the implementation process to make sure the new regulations do in fact allow American companies to export easily and compete fairly."

They also stated that "We also believe that the new policy structure remains unnecessarily complex, and fails to address concerns about free expression and on-line privacy. We will be working with the Administration in coming months to further improve the regulations."

The Center for Democracy and Technology had this to say: "Consumers all over the world will have better access to the strongest encryption -- regardless of key length or algorithm -- built into the programs they use every day. However, the complex new regulations will still make it difficult for many to freely exchange encryption products and does not solve the Constitutional free speech concerns raised by encryption export controls."

Recent Tech Law Journal Stories
Clinton Administration Talks Encryption, 9/17/99.
Reaction to the Clinton Administration Encryption Proposals, 9/17/99.
Administration Addresses Encryption Reform Proposal, 9/29/99.
Rep. Weldon Criticizes Administration's Encryption Proposal, 9/29/99.
Rep. Lofgren Calls for SAFE Act to be Held in Abeyance, 10/6/99.
Representatives Caution Clinton About Crypto Export Regs, 11/12/99.
Rep. Lofgren Seeks Revisions to Draft Regulations, 12/8/99.
Administration Delays Encryption Regulations, 12/14/99.