[Presidential Decision Directives - PDD]

Encryption Policy
[possible] Presidential Decision Directive PDD/NSC
16 September 1998

Although this announcment does not mention the fact of the existence of a Presidential Decision Directive, the subject and scope of the policy initiative is consistent with the existence of a PDD, as it appears to revise and extend previous Directives, notably the well-documented PDD/NSC 5- Public Encryption Management [15 April 1993] as well as the possible PDD Encryption Export Policy [15 November 1996] accompanying EO 13026.


THE WHITE HOUSE

Office of the Press Secretary


For Immediate Release

September 16, 1998

STATEMENT BY THE PRESS SECRETARY

Administration Updates Encryption Policy

The Clinton Administration today announced a series of steps to update its encryption policy in a way that meets the full range of national interests: promotes electronic commerce, supports law enforcement and national security and protects privacy. These steps are a result of several months of intensive dialogue between the government and U.S. industry, the law enforcement community and privacy groups that was called for by the Vice President and supported by members of Congress.

As the Vice President stated in a letter to Senator Daschle, the Administration remains committed to assuring that the nation's law enforcement community will be able to access, under strictly defined legal procedures, the plain text of criminally related communications and stored information. The Administration intends to support FBI's establishment of a technical support center to help build the technical capacity of law enforcement - Federal, State, and local - to stay abreast of advancing communications technology.

The Administration will also strengthen its support for electronic commerce by permitting the export of strong encryption when used to protect sensitive financial, health, medical, and business proprietary information in electronic form. The updated export policy will allow U.S. companies new opportunities to sell encryption products to almost 70 percent of the world's economy, including the European Union, the Caribbean and some Asian and South American countries. These changes in export policy were based on input from industry groups while being protective of national security and law enforcement interests.

The new export guidelines will permit exports to other industries beyond financial institutions, and further streamline exports of key recovery products and other recoverable encryption products. Exports to those end users and destination countries not addressed by today's announcement will continue to be reviewed on a case-by-case basis.

Very strong encryption with any key length (with or without key recovery) will now be permitted for export under license exception, to several industry sectors. For example, U.S. companies will be able to export very strong encryption for use between their headquarters and their foreign subsidiaries worldwide except the seven terrorist countries (Iran, Iraq, Libya, Syria, Sudan, North Korea and Cuba) to protect their sensitive company proprietary information.

On-line merchants in 45 countries will be able to use robust U.S. encryption products to protect their on-line electronic commerce transactions with their customers over the Internet.

Insurance companies as well as the health and medical sectors in those same 45 countries will be able to purchase and use robust U.S. encryption products to secure health and insurance data among legitimate users such as hospitals, health care professionals, patients, insurers and their customers.

The new guidelines also allow encryption hardware and software products with encryption strength up to 56-bit DES or equivalent to be exported without a license, after a one time technical review, to all users outside the seven terrorist countries. Currently, streamlined exports of DES products are permitted for those companies that have filed key recovery business plans. However, with the new guidelines, key recovery business plans will no longer be required.

The Administration will continue to promote the development of key recovery products by easing regulatory requirements. For the more than 60 companies which have submitted plans to develop and market key recovery encryption products, the six month progress reviews will no longer be required. Once the products are ready for market they can be exported, with any bit length -- without a license -- world-wide (except to terrorist nations) after a one-time review. Furthermore, exporters will no longer need to name or submit additional information on a key recovery agent prior to export. These requirements will be removed from the regulations.

Finally, industry has identified other so-called "recoverable" products and techniques that allow for the recovery of plaintext by a system or network administrator and that can also assist law enforcement access,subject to strict procedures. The administration will permit their export for use within most foreign commercial firms, and their wholly-owned subsidiaries, in large markets, including Western Europe, Japan and Australia, to protect their internal business proprietary communications.

The Administration welcomes a continued dialogue with U.S. industry and intends to review its policy in one year to determine if additional updates may be necessary to continue a balanced approach that protects the public safety and national security, ensures privacy, enables continued technology leadership by U.S. industry and promotes electronic commerce.

###