USIS Washington File

13 January 2000

Text: Clinton Administration Streamlines Encryption Rules

(New export regulations enhance electronic commerce) (700)

The Clinton administration has issued new encryption export
regulations which permit U.S. companies to export any encryption
software abroad to other businesses, individuals and other
non-government users without a license, the U.S. Commerce Department's
Bureau of Export Administration (BXA) says.

Commerce Secretary William Daley said January 12 the change "helps
business and promotes e-commerce (electronic commerce) by adjusting
our regulations to marketplace realities that U.S. companies face when
they try to sell their products overseas."

Daley said the new regulations also reflect efforts by the United
States government to protect privacy and ensure that law enforcement
and national security issues are being met. However, sales to foreign
governments will still require an export license, BXA said.

Under the new regulations, which differ from earlier regulations
issued in September 1999, nearly any software program sold in the
United States that encrypts data can be sold abroad after a one-time
review for an exemption from export licensing, BXA said. The source code
for encryption programs also can be exported without a license.

Nations restricted from the commercial sale of encryption software are
those on the Department of State's terrorist list, including Cuba,
Iran, Iraq, Libya, Sudan, Syria and North Korea, BXA said.

In addition, foreign employees of U.S. computer companies working in the
United States no longer need an export license to work on encryption,
BXA said.

Finally, the new guidelines implement agreements reached by the
Wassenaar Arrangement in December 1998 by decontrolling 64-bit mass
market products, 56-bit encryption items and 512-bit key management
products, the BXA announcement said.

The new regulations will be published January 14, 2000 in the Federal
Register and will be subject to a 120-day public comment period before
becoming final, BXA said.

Following is the text of the BXA announcement:

(begin text)

[U.S. Department of Commerce
Washington, D.C.
January 12, 2000]

Commerce Announces Streamlined Encryption Export Regulations

Washington -- The U.S. Department of Commerce Bureau of Export
Administration (BXA) today issued new encryption export regulations,
which implement the new approach announced by the Clinton
Administration in September.

Today's move permits U.S. companies to export any encryption product
around the world to commercial firms, individuals and other
non-government end-users under a license exception (i.e., without a
license). In addition, "retail" encryption products, which are widely
available in the market, can now be exported to any end-user including
foreign governments. In most cases, a one-time product review by BXA
continues to be required. Post-reporting requirements are reduced to
track industry business models.

"This policy helps business and promotes e-commerce by adjusting our
regulations to marketplace realities that U.S. companies face when
they try to sell their products overseas. We've also worked very hard
to address privacy concerns and to ensure that our law enforcement and
national security concerns are met," said Commerce Secretary William
M. Daley.

For source code, the regulation reduces controls further than
announced in September. Commercial encryption source code, encryption
toolkits and components can now be exported under license exception to
businesses and non-government end-users for internal use and
customization and for the development of new products. In addition,
the regulations relax restrictions on publicly available encryption
source code, including by posting on the Internet.

The regulation further streamlines requirements for U.S. companies by
permitting exports of any encryption item to their foreign
subsidiaries without a prior review. Foreign employees of U.S.
companies working in the United States no longer need an export
license to work on encryption.

In addition, the guidelines also implement agreements reached by the
Wassenaar Arrangement in December 1998 by decontrolling 64-bit mass
market products, 56-bit encryption items and 512-bit key management
products. Today's changes do not affect restrictions on terrorist
supporting states (Cuba, Iran, Iraq, Libya, North Korea, Sudan, and
Syria), their nationals, and other sanctioned entities.

In developing this regulation, the Administration worked closely with
stakeholders to continue a balanced approach. The government will
review the workability of the regulation, receiving public comments
for 120 days. A final revised rule will be issued shortly thereafter.

(end text)

(Distributed by the Office of International Information Programs, U.S.
Department of State.)