24 August 1997 Add link to New York
Times report on draft encryption regulations.
Note: Leads to other versions of this document, commentary or news reports
are welcomed. E-mail to
<jya@pipeline.com> Thanks, JY.
20 August 1997
Source: Anonymous remailer.
For related documents see links at the Export Administration Regulations.
From: nobody@REPLAY.COM (Anonymous)
Date: Wed, 20 Aug 1997 21:40:07 +0200 (MET DST)
Subject: July draft of EI regs
To: John Young <jya@pipeline.com>
Note: This draft of the crypto regs changes procedures for posting crypto
on the Net to require advance authorization. It may not be the latest.
July 25, 1997
DEPARTMENT OF COMMERCE
Bureau of Export Administration
15 CFR Parts 732, 734, 740, 742, 748, 750, 752, 758, 770, 772, and 774
[Docket No. ]
RIN: 0694-AB09
Encryption Items
AGENCY: Bureau of Export Administration, Commerce.
ACTION: Interim rule.
SUMMARY: This interim rule amends the Export Administration
Regulations (EAR) by clarifying controls on the export and reexport of
encryption items controlled for "EI" reasons on the Commerce Control List.
This rule incorporates public comments on an interim rule published in the
Federal Register on December 30, 1996.
EFFECTIVE DATE: This rule is effective: (DATE OF PUBLICATION).
FOR FURTHER INFORMATION CONTACT: James Lewis, Office of Strategic Trade and
Foreign Policy Controls, Bureau of Export Administration, Telephone: (202)
482-0092.
BACKGROUND:
On December 30, 1996, the Bureau of Export Administration (BXA) published
in the Federal Register (61 FR 68572) an interim rule that exercises
jurisdiction over, and imposes new combined national security and foreign
policy controls on, certain encryption items that were on the United States
Munitions List, consistent with Executive Order 13026 and pursuant to the
Presidential Memorandum of that date, both issued by President Clinton on
November 15, 1996.
BXA received comments from 45 commenters, and the comments fall into three
broad categories: general concerns and objections to the policy embodied in
the regulations; recommendations for specific changes or clarifications to
the regulations that are consistent with the broad encryption policy
implemented in the December 30 rule; and recommendations for additional
changes to encryption policy.
General Objections
Twelve commenters stated their fundamental objection to an encryption
policy based on key recovery. Five such comments were brief, stating that
the new regulations are vague and violate the writers' First and Fifth
amendment constitutional rights. Two commenters further allege that the
new regulations pose unconstitutional restraints on free speech, focusing
on the controls on the dissemination of encryption technology which are
under court challenge. One commenter also asserts that access to strong,
non-recoverable encryption is necessary to advance human rights and protect
nongovernmental human rights organizations and workers.
Six commenters provided their general opposition to the encryption policy
reflected in the December 30 rule, stating that there is no market demand
for key recovery; strong encryption products are widely available from
foreign producers; U.S. market leadership is threatened; and export
controls on encryption should be eliminated. One commenter noted that the
December 30 rule reflects that there is no longer a national security
rationale for controlling 56-bit DES products and that the interim relief
offered for such products should not be used to "coerce" industry to
support key recovery.
Suggestions for changes to clarify existing policy
A number of commenters provided specific suggestions for changes or
clarifications which are consistent with the intent of the policy and
which would streamline or improve the regulations. Many of these
suggestions are implemented in this rule, such as clarifying that the tools
of trade provisions of License Exception TMP and License Exception BAG
apply globally and clarifying that anti-virus software does not require a
license for export.
Several commenters asked Commerce to adopt exemptions to license
requirements which were available for encryption exporters under
§123.16(b)(2) and (b)(9) of the International Traffic and Arms Regulations
(ITAR), such as those which allowed the export of components to a U.S.
subsidiary or which allowed the export of spare parts and components
without a license for an already approved sale. This rule adds these new
provisions under License Exception TMP, making them applicable to
encryption controlled items as well as other items eligible for TMP
treatment.
Two commenters asked that the regulations clarify that the ITAR licensing
policy for equipment specially made for and limited to the encryption of
interbanking transactions had not changed with the transfer of jurisdiction
to Commerce of encryption products. This interim rule clarifies that this
equipment is not subject to EI controls.
Several commenters recommended a number of changes to the Key Escrow
Product and Agent criteria found in Supplement Nos. 4 and 5 part 742 of the
EAR. These recommendations were to simplify the criteria, and to modify
some of the specific prescriptions to allow for greater flexibility and
variation on the part of exporters. Many commenters found the criteria too
bureaucratic and legalistic to help advance U.S. encryption policy goals,
while others noted that the criteria were still overly focused on key
escrow and not consistent with the broader approach to key recovery found
elsewhere in the regulation. Several commenters also encouraged the
administration to make clear that it had moved beyond key escrow to key
recovery in its policy. One commenter focused on weaknesses and omissions
found in the key escrow product and agent criteria found in Supplement Nos.
4 and 5 to part 742 of the EAR, and provided suggested additions to the
criteria to make them more consistent with emerging business practices.
The criteria specified in Supplement Nos. 4 and 5 were discussed
extensively with industry prior to publication of the December 30 interim
rule, and the rule reflects these discussions. However, BXA continues to
look for ways to streamline the criteria, and will address revisions in a
future regulation.
Several commenters expressed concerns over the longer processing time
required for licenses at Commerce. Some commenters noted that the
involvement of Departments of Energy and State, the Arms Control and
Disarmament Agency and other agencies which did not review license
applications for encryption products submitted to the Department of State
added unnecessary levels of review and caused unwarranted delays. BXA is
continuing to work with other reviewing Departments and Agencies to ensure
expeditious review of encryption license applications. Many commenters
noted that the requirements for a Commerce license were substantially
greater than what was required at the Department of State. The Department
of Commerce, for example, requires an end-use certificate to be obtained
for some destinations before approving an export; the Department of State
did not and exporters question the need for this change. Other commenters
noted that the Department of State licensing system was more flexible and
faster for approvals of distribution and manufacturing arrangements. The
Department of Commerce has no equivalent licenses, but is reviewing the
possibility of such licenses. Many oral comments received since the close
of the comment period note that unlike the Department of State, the
Department of Commerce does not allow licenses to be amended, so that if an
exporter has, for example, a license which allows him to ship to thirty
countries and wishes to add one more, the Department of Commerce requires
submission of an entire new license while the Department of State was
content with a simple letter noting the requested change. BXA understands
industry concerns about the license process under the EAR, and continues to
look for ways to streamline the process.
Additional recommendation for changes to encryption policy
A number of commenters asked that the Administration revisit a number of
decisions made in the course of the development of the encryption policy as
reflected in the December 30 interim rule.
Several asked that we reconsider and liberalize the treatment of
Cryptographic Application Program Interface. Others questioned the
addition of "defense services" control similar to that contained in the
ITAR (which prohibits U.S. persons from assisting foreign entities from
developing their own indigenous encryption products). Several commenters
objected to the structure of License Exception KMI for non-recoverable 56
bit products, with its requirement for a review every six months. Other
commenters also called for a reversal of the decision to exempt transferred
encryption items from normal Department of Commerce regulatory practices.
Finally, several commenters recommended that the licensing criteria and
License Exceptions applicable to other dual-use items be fully applicable
to encryption products, such as considerations of foreign availability, the
de minimis content exclusion, public domain treatment and the use of
License Exceptions. This rule focuses on clarifications to existing
encryption policy.
Based on public comments to the December 30 interim rule, this interim rule
specifically makes the following changes:
- In §732.2, clarifies that BXA will consider acknowledgments and
assurances in electronic form provided that they are adequate to assure
legal undertakings similar to written acknowledgments and assurances.
- In §734.3, clarifies that downloading or causing the downloading of
encryption source code and object code in Canada is not controlled and does
not require a license, and clarifies that the methods used as precautions
to prevent unauthorized transfer of such code outside the United States or
Canada must be approved by BXA.
- In §740.6, clarifies that letters of assurance may be accepted in the
form of a letter or any other written communication from the importer,
including communications via facsimile.
- In §740.8, adds recovery encryption technology to the list of items
eligible for export under License Exception KMI, after a one-time review,
and adds a paragraph to authorize exporters of non-key recovery products
under License Exception KMI to service and support existing customers of
those products after the two-year transition period. This section is also
amended by adding a paragraph to authorize exporters of non-recovery
encryption products under License Exception KMI to export additional
quantities of such products to existing customers under a license after the
two-year transition period.
- §740.8 is also amended by adding a new paragraph to authorize, after a
one-time review, exports and reexports under License Exception KMI of
non-key recovery financial-specific encryption items of any key length that
are restricted by design (e.g., highly field-formatted with validation
procedures, and not easily diverted to other end-uses) for financial
applications to secure financial transactions, for end-uses such as intra
or inter-banking transfers and home banking. No business and marketing
plan to develop, produce, and/or market similar encryption items with
recoverable features is required. Conforming changes are also made in
§742.15.
- In §740.9, removes the reference to Country Group D:1. This clarifies
that encryption software controlled for EI reasons under ECCN 5D002 may be
pre-loaded on a laptop and exported under the tools of trade provisions of
License Exception TMP or License Exception BAG.
- In §740.14, clarifies existing provisions of License Exception BAG and
imposes a restriction on the use of BAG for exports or reexports of
EI-controlled items to terrorist supporting destinations or by other than
U.S. citizens and permanent residents.
- §742.15 is amended adding a new paragraph that authorizes exports under
an Encryption Licensing Arrangement of general purpose non-key recovery,
non-voice encryption items of any key length for use by financial
institutions (such as banks) in all destinations except Cuba, Iran, Iraq,
Libya, North Korea, Syria and Sudan. Applications will be reviewed on a
case-by-case basis, and must be supported by a satisfactory business and
marketing plan which explains in detail the steps the applicant will take
during the two year transition period beginning January 1, 1997 to develop,
produce, and/or market similar encryption items with recoverable features.
- In Supplement No. 4 to part 742, paragraph (3), revises "reasonable
frequency" to "at least once every three hours" to resolve the ambiguity on
how often the output must identify the key recovery agent and
material/information required to decrypt the ciphertext.
- In Supplement No. 4 to part 742, paragraph (6)(i), clarifies that the
U.S. government must be able to obtain the key(s) or other
material/information needed to decrypt all data, without restricting the
means by which the key recovery products allow this.
- In Supplement No. 6 to part 742, eliminates the test vector requirement
for 7-day mass-market classification requests and replaces it with a
requirement to provide a copy of the encryption subsystem source code.
- In Supplement No. 6 to part 742, adds 40-bit DES as being eligible for
consideration for mass-market eligibility, subject to the additional
criteria listed in this supplement.
- In §§ 748.9 and 748.10, clarifies a long-standing policy that no support
documentation is required for exports of technology or software, and it
removes the requirement for such support documentation for exports of
technology or software to Bulgaria, Czech Republic, Hungary, Poland,
Romania, or Slovakia. This rule also exempts from support documentation
requirements all encryption items controlled under ECCNs 5A002, 5B002,
5D002 and 5E002. This conforms with the practice under the ITAR prior to
December 30, 1996.
- In §750.7, authorizes certain specified changes to Commerce and State
Encryption Licensing Arrangements by letter.
- In §752.3, excludes encryption items controlled for EI reasons from
eligibility for a Special Comprehensive License.
- In §770.2, adds a new interpretation to clarify that encryption software
controlled for EI reasons under ECCN 5D002 may be pre-loaded on a laptop
and exported under the tools of trade provision of License Exception TMP or
the personal use exemption under License Exception BAG, subject to the
terms and conditions of such License Exceptions.
- In part 772, adds new definitions for "effective control", "encryption
licensing arrangement", "financial institution" and "recovery encryption
products".
- In Supplement No. 1 to part 774, Category 5 - Telecommunications and
Information Security is amended by revising ECCN 5A002 to authorize exports
of components and spare parts under License Exception LVS, provided the
value of each order does not exceed $500 and to clarify that equipment for
the encryption of interbanking transactions is not controlled under that
entry.
- Revises the phrase "up to 56-bit key length DES" where it appears to read
"up to or equal to 56-bit key length DES", and makes other editorial
changes.
Several commenters also noted that the exemptions found under §125.4(b) of
the ITAR should be implemented in the EAR. Most of the exemptions found in
§125.4(b) of the ITAR are already available under existing provisions of
the EAR. For example, §125.4(b)(4) of the ITAR authorizes exports without
a license of copies of technical data previously authorized for export.
The EAR has no restrictions on the number of copies sent to a consignee
authorized to receive technology under license or a License Exception.
Section 125.4(b)(5) authorizes exports without a license of technical data
in the form of basic operations, maintenance, and training information
relating to a defense article lawfully exported or authorized for export
provided the technical data is for use by the same recipient. Further,
Section 125.4(2) authorizes exports of technical data in furtherance of a
manufacturing license or technical assistance agreement. License Exception
TSU for operation technology and software (see §740.13 of the EAR)
authorizes the export and reexport of the minimum technology necessary for
the installation, operation, maintenance and repair of those products
(including software) that are lawfully exported or reexported under a
license, a License Exception, or NLR (no license required). This would
apply to licenses for hardware as well as software. Section 125.4(b)(7) of
the ITAR allows the return of technical data to the original source of
import. License Exception TMP similarly authorizes the return of any
foreign-origin item, including technology, to the country from which it was
imported if the characteristics have not been enhanced while in the United
States (see §740.9(b)(3) of the EAR).
BXA has also received many calls from exporters on the Shipper's Export
Declaration (SED). First, this rule amends the SED requirements of the EAR
to clarify that no SED is required for export control purposes under the
EAR for temporary exports of tools of trade, including laptop computers,
under License Exceptions TMP or BAG. BXA understands the importance of
ensuring that the SED provisions of the EAR conform with those of the
Foreign Trade Statistics Regulations (FTSR), and is working with the Bureau
of Census to make the appropriate revisions to the FTSR. BXA has also
received many inquiries on SED requirements for Canada. Note that the EAR
do not require exporter's to file an SED for exports of any item to Canada
for consumption in Canada, unless a license is required. Further note that
a license is not required for exports of encryption items for consumption
in Canada, including certain exports over the internet. Finally, BXA has
received many requests for clarification on SED requirements for electronic
transfers. Neither the EAR nor the FTSR provide for the filing of SEDs
for electronic transfers of items controlled by the Department of Commerce
under the EAR .
As further clarifications and changes to the encryption provisions of the
EAR are intended, in particular regarding Supplement Nos. 4 and 5 to part
742 of the EAR, BXA will publish additional interim rules in the Federal
Register.
Rulemaking Requirements
1. This interim rule has been determined to be significant for purposes of
E. O. 12866.
2. Notwithstanding any other provision of law, no person is required to
respond to, nor shall any person be subject to a penalty for failure to
comply with a collection of information, subject to the requirements of the
Paperwork Reduction Act, unless that collection of information displays a
currently valid OMB Control Number. This rule involves collections of
information subject to the Paperwork Reduction Act of 1980 (44 U.S.C. 3501
et seq.). These collections have been approved by the Office of Management
and Budget under control numbers 0694-0048, 0694-0088, and 0694-0104.
3. This rule does not contain policies with Federalism implications
sufficient to warrant preparation of a Federalism assessment under
Executive Order 12612.
4. The provisions of the Administrative Procedure Act (5 U.S.C. 553)
requiring notice of proposed rulemaking, the opportunity for public
participation, and a delay in effective date, are inapplicable because this
regulation involves a military and foreign affairs function of the United
States (Sec. 5 U.S.C. 553(a)(1)). Further, no other law requires that a
notice of proposed rulemaking and an opportunity for public comment be
given for this interim final rule. Because a notice of proposed rulemaking
and an opportunity for public comment are not required to be given for this
rule under 5 U.S.C. or by any other law, the requirements of the Regulatory
Flexibility Act (5 U.S.C. 601 et seq. ) are not applicable.
However, because of the importance of the issues raised by these
regulations, this rule is issued in interim form and comments will be
considered in the development of final regulations. Accordingly, the
Department encourages interested persons who wish to comment to do so at
the earliest possible time to permit the fullest consideration of their
views.
The period for submission of comments will close (45 DAYS AFTER DATE OF
PUBLICATION). The Department will consider all comments received before
the close of the comment period in developing final regulations. Comments
received after the end of the comment period will be considered if
possible, but their consideration cannot be assured. The Department will
not accept public comments accompanied by a request that a part or all of
the material be treated confidentially because of its business proprietary
nature or for any other reason. The Department will return such comments
and materials to the person submitting the comments and will not consider
them in the development of final regulations. All public comments on these
regulations will be a matter of public record and will be available for
public inspection and copying. In the interest of accuracy and
completeness, the Department requires comments in written form.
Oral comments must be followed by written memoranda, which will also be a
matter of public record and will be available for public review and
copying. Communications from agencies of the United States Government or
foreign governments will not be made available for public inspection.
The public record concerning these regulations will be maintained in the
Bureau of Export Administration Freedom of Information Records Inspection
Facility, Room 4525, Department of Commerce, 14th Street and Pennsylvania
Avenue, N.W., Washington, D.C. 20230. Records in this facility, including
written public comments and memoranda summarizing the substance of oral
communications, may be inspected and copied in accordance with regulations
published in Part 4 of Title 15 of the Code of Federal Regulations.
Information about the inspection and copying of records at the facility may
be obtained from Margaret Cornejo, Bureau of Export Administration Freedom
of Information Officer, at the above address or by calling (202) 482-5653.
List of Subjects
15 CFR Part 732, 740, 748, 750, 752 and 758
Administrative practice and procedure, Exports, Foreign trade, Reporting
and Recordkeeping requirements.
15 CFR Part 734
Administrative practice and procedure, Exports, Foreign trade,
15 CFR Parts 742, 770, 772 and 774
Exports, foreign trade.
1. The authority citation for 15 CFR parts 732, 740, 748, 752 and 772
continues to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; E.O. 12924,
59 FR 43437, 3 CFR, 1994 Comp., p. 917; Executive Order 13026 (November 15,
1996, 61 FR 58767) Notice of August 15, 1995 (60 FR 42767, August 17,
1995); Notice of August 14, 1996 (61 FR 42527), 3 CFR, 1995 Comp., p. 501.
2. The authority citation for 15 CFR part 734 continues to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; E.O.
12924, 59 FR 43437, 3 CFR, 1994 Comp., p. 917; E.O. 12938, 59 FR 59099, 3
CFR, 1994 Comp., p. 950; Executive Order 13026 (November 15, 1996, 61 FR
58767); Notice of August 15, 1995 (60 FR 42767, August 17, 1995); Notice of
August 14, 1996 (61 FR 42527), 3 CFR, 1995 Comp., p. 501.
3. The authority citation for 15 CFR part 742 continues to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 18 U.S.C.
2510 et seq.; 22 U.S.C. 3201 et seq.; 42 U.S.C. 2139a; E.O. 12058, 43 FR
20947, 3 CFR, 1978 Comp., p. 179; E.O. 12851, 58 FR 33181, 3 CFR, 1993
Comp., p. 608; E.O. 12924, 59 FR 43437, 3 CFR, 1994 Comp., p. 917; E.O.
12938, 59 FR 59099, 3 CFR, 1994 Comp., p. 950; Executive Order 13026
(November 15, 1996, 61 FR 58767); Notice of August 15, 1995 (60 FR 42767,
August 17, 1995); and Notice of August 14, 1996 (61 FR 42527).
4. The authority citation for 15 CFR part 750 continues to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; E.O. 12924,
59 FR 43437, 3 CFR, 1994 Comp., p. 917; Notice of August 15, 1995 (60 FR
42767, August 17, 1995); E.O. 12981, 60 FR 62981; Notice of August 14, 1996
(61 FR 42527), 3 CFR, 1995 Comp., p. 501.
5. The authority citation for 15 CFR part 770 continues to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; E.O.
12924, 59 FR 43437, 3 CFR, 1994 Comp., p. 917; Notice of August 15, 1995
(60 FR 42767, August 17, 1995); Notice of August 14, 1996 (61 FR 42527), 3
CFR, 1995 Comp., p. 501.
6. The authority citation for 15 CFR part 774 continues to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 10 U.S.C.
7420; 10 U.S.C. 7430(e); 18 U.S.C. 2510 et seq.; 22 U.S.C. 287c; 22 U.S.C.
3201 et seq.; 22 U.S.C. 6004; Sec. 201, Pub. L. 104-58, 109 Stat. 557 (30
U.S.C. 185(s)); 30 U.S.C. 185(u); 42 U.S.C. 2139a; 42 U.S.C. 6212; 43
U.S.C. 1354; 46 U.S.C. app. 466c; 50 U.S.C. app. 5; E.O. 12924, 59 FR
43437, 3 CFR, 1994 Comp., p. 917; Executive Order 13026 (November 15, 1996,
61 FR 58767); Notice of August 15, 1995 (60 FR 42767, August 17, 1995);
Notice of August 14, 1996 (61 FR 42527), 3 CFR, 1995 Comp., p. 501.
7. The authority citation for 15 CFR part 758 continues to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; E.O. 12924,
59 FR 43437, 3 CFR, 1994 Comp., p. 917; Notice of August 15, 1995 (60 FR
42767, August 17, 1995); and Notice of August 14, 1996 (61 FR 42527), 3
CFR, 1995 Comp., p. 501.
PART 732 - [AMENDED]
8. Section 732.2 is amended by revising the phrase "ECCN 5A002, ECCN
5D002, and ECCN 5E002" in paragraph (d) to read "ECCN 5A002 or ECCN 5D002".
9. Section 732.3 is amended by revising the phrase "ECCN 5A002, ECCN
5D002, and ECCN 5E002" in paragraph (e)(2) to read "ECCN 5A002 or ECCN
5D002".
PART 734 - [AMENDED]
10. Section 734.2 is amended by revising paragraph (b)(9)(ii) to read as
follows:
§734.2 Important EAR terms and principles.
(a) * * *
(b) * * *
(9) * * *
(ii) The export of encryption source code and object code software
controlled for EI reasons under ECCN 5D002 on the Commerce Control List
(see Supplement No. 1 to part 774 of the EAR) includes downloading, or
causing the downloading of, such software to locations (including
electronic bulletin boards, Internet file transfer protocol, and World Wide
Web sites) outside the U.S. (except Canada), or making such software
available for transfer outside the United States (except Canada), over
wire, cable, radio, electromagnetic, photo optical, photoelectric or other
comparable communications facilities accessible to persons outside the
United States (except Canada), including transfers from electronic bulletin
boards, Internet file transfer protocol and World Wide Web sites, unless
the person making the software available takes precautions adequate to
prevent unauthorized transfer of such code outside the United States or
Canada. Before you rely upon such precautions, they must be submitted to
the Bureau of Export Administration for review of their adequacy. Such
precautions shall be approved in writing through an Advisory Opinion (see
§748.3 of the EAR) by the Bureau of Export Administration to prevent
transfer of such software outside the U.S. without a license, and may
include ensuring that the facility from which the software is available
controls the access to and transfers of such software through such measures
as:
(A) The access control system either through automated means or human
intervention, checks the address of every system requesting or receiving a
transfer and verifies that such systems are located within the United
States or Canada;
(B) The access control system, provides every requesting or receiving party
with notice that the transfer includes or would include cryptographic
software subject to export controls under the Export Administration
Regulations, and that anyone receiving such a transfer cannot export the
software without a license; and
(C) Every party requesting or receiving a transfer of such software must
acknowledge affirmatively that he or she understands that the cryptographic
software is subject to export controls under the Export Administration
Regulations and that anyone receiving the transfer cannot export the
software without a license. BXA will consider acknowledgments in
electronic form provided that they are adequate to assure legal
undertakings similar to written acknowledgments.
* * * * *
11. Section 734.4 is amended by revising the phrase "ECCN, 5A002, ECCN
5D002, and 5E002" in paragraph (b)(2) to read "ECCNs 5A002, 5D002, and
5E002".
PART 740 - [AMENDED]
12. Section 740.6 is amended by revising the first sentence in paragraph
(a)(3) to read as follows:
§740.6 Technology and software under restriction (TSR).
(a) * * *
(3) Form of written assurance. The required assurance may be made in the
form of a letter or any other written communication from the importer,
including communications via facsimile, or the assurance may be
incorporated into a licensing agreement that specifically includes the
assurances. * * *
13. Section 740.8 is amended:
(a) By revising paragraph (b)(2);
(b) By adding a new paragraph (b)(3);
(c) By revising the phrase "recovery encryption software and equipment" in
paragraph (d)(1) to read "recovery encryption items";
(d) By adding a new paragraph (d)(3);
(e) By redesignating paragraph (e) as paragraph (g);
(f) By adding new paragraphs (e) and (f); and
(g) By revising the phrase "March 1 and no later than September 1" in
paragraph (g)(2) to read February 1 and no later than August 1", as follows:
§740.8 Key management infrastructure.
* * * * *
(b) * * *
(2) Non-recoverable encryption items. Eligible items are up to or equal
to 56-bit key length DES strength non-key recovery equipment and software
controlled under ECCNs 5A002 and 5D002 that are made eligible as a result
of a one-time BXA review. You may initiate this review by submitting a
classification request for your product in accordance with paragraph (d)(2)
of this section.
(3) Non-key recovery financial-specific encryption items of any key
length. After a one-time review, non-key recovery, financial-specific
encryption items of any key length that are restricted by design (e.g.,
highly field-formatted with validation procedures, and not easily diverted
to other end-uses) for financial applications to secure financial
transactions for end-uses such as intra or inter-banking transfers and home
banking will be permitted for export and reexport under License Exception
KMI.
(c) * * *
(d) * * *
(3) Non
key recovery financial
specific encryption items. Upon approval
of your classification request for a non
key recovery financial
specific
encryption item, you will become eligible to use License Exception KMI.
This approval allows the export or reexport of encryption products
specifically designed and limited for use in the processing of electronic
financial (commerce) transactions, which implements cryptography in
specifically delineated fields such as merchant's identification, the
customer's identification and address, the merchandise purchased, and the
payment mechanism. It does not allow for encryption of data, text or
other media except as directly related to these elements of the electronic
transaction to support financial transactions. For exports under the
provisions of this paragraph (d)(3), there are no reporting requirements
and the criteria described in Supplement Nos. 4 and 5 to part 742 of the
EAR are not applicable. No business and marketing plan is required.
* * * * *
(e) Service and support of customers authorized to receive encryption
products under License Exception KMI. Exporters authorized to export
non-key recovery products under the provisions of this section in exchange
for commitments to key recovery may service and support existing customers
of those products without a license after the two-year transition period.
Support and service includes maintenance or replacement of products to
correct defects or maintain existing functionality. It also includes
upgrades that do not increase the strength of the encryption in the product.
(f) Additional exports after two-year transition period. Exporters
authorized to export 56-bit DES or equivalent strength non-key recovery
products during the interim period may also export under a license
additional quantities of those 56-bit DES or equivalent strength non-key
recovery products after the two year period to existing customers. Such
sales may be made to the customers of any exporter that was authorized to
export such products in exchange for key recovery commitments during the
two year period. The additional quantities sold may not be
disproportionate to the customer's embedded base.
* * * * *
14. Section 740.9 is amended:
a. By revising paragraph (a)(2)(i);
b By revising the reference to "§740.9(a)" in paragraph (a)(2)(ii)(C) to
read "§740.10(a)";
c. By revising the reference to "under §740.8(b)(1)" in the introductory
text of paragraph (b)(1)(iii) to read "under this paragraph (b)(1)"; and
d. By adding a new paragraph (a)(2)(ix) to read as follows
§740.9 Temporary imports, exports, and reexports.
* * * * *
(a) * * *
(2) * * *
(i) Tools of trade. Usual and reasonable kinds and quantities of tools of
trade (commodities and software) for use by employees of the exporter in a
lawful enterprise or undertaking of the exporter. Eligible tools of trade
may include, but are not limited to, such equipment and software as is
necessary to commission or service goods, provided that the equipment or
software is appropriate for this purpose and that all goods to be
commissioned or serviced are of foreign origin, or if subject to the EAR,
have been legally exported or reexported. The tools of trade must remain
under the effective control of the exporter or the exporter's employee (see
part 772 of the EAR for a definition of "effective control"). The shipment
of tools of trade may accompany the individual departing from the United
States or may be shipped unaccompanied within one month before the
individual's departure from the United States, or at any time after
departure. No tools of the trade may be taken to Country Group E:2 (see
Supplement No. 1 to part 740) or Sudan. For exports of laptop computers
under this License Exception, refer to item interpretation 12 in §770.2 of
the EAR.
* * * * *
(ix) Temporary exports to U.S. subsidiary, affiliate or facility. (A)
Components, parts, tools or test equipment exported by a U.S. person to its
subsidiary, affiliate or facility owned or controlled by the U.S. person if
the components, part, tool or test equipment is to be used for manufacture,
assembly, testing, production or modification, provided that no components,
parts, tools or test equipment or the direct product of such components,
parts, tools or test equipment are transferred or reexported to a country
other than the United States from such subsidiary, affiliate or facility
without prior authorization by the Bureau of Export Administration.
(B) For purposes of this paragraph (a)(2)(ix), U.S. person is defined as
follows: an individual who is a citizen of the United States, an
individual who is a lawful permanent resident as defined by 8 U.S.C.
1101(a)(2) or an individual who is a protected individual as defined by 8
U.S.C. 1324b(a)(3). U.S. person also means any juridical person organized
under the laws of the United States, or any jurisdiction within the United
States (e.g., corporation, business association, partnership, society,
trust, or any other entity, organization or group that is incorporated to
do business in the United States).
15. Section 740.10 is amended by revising the reference to
"§740.8(a)(2)(ii)" in paragraph (a)(2)(i) to read "§740.9(a)(2)(ii)".
16. Section 740.11 is amended by redesignating paragraph by revising
paragraph (a)(2) to read as follows:
§740.11 Governments and international organizations (GOV).
* * * * *
(a) International safeguards. * * *
(2) Exclusions. (i) No computers with a CTP greater than 10,000 MTOPS may
be exported or reexported to countries listed in Computer Tiers 3 or 4.
See §742.12 of the EAR for a complete list of the countries within Computer
Tiers 3 and 4.
(ii) No encryption items controlled for EI reasons under ECCNs 5A002,
5D002, or 5E002 may be exported under the provisions of this paragraph (a).
* * * * *
17. Section 740.14 is amended by revising paragraphs (a), (b), and (c); by
adding a sentence to the end of paragraph (d); and by adding paragraph (f)
to read as follows:
§740.14 Baggage (BAG).
(a) Scope. This License Exception authorizes individuals leaving the
United States either temporarily (i.e., traveling) or longer-term (i.e.,
moving) and crew members of exporting or reexporting carriers to take to
any destination, as personal baggage, the classes of commodities and
software described in this section.
(b) Eligibility. Individuals leaving the United States may export or
reexport any of the following commodities or software for personal use of
the individuals or members of their immediate families traveling with them
to any destination or series of destinations. Individuals leaving the
United States temporarily (i.e., traveling) must bring back items exported
and reexported under this License Exception unless they consume the items
abroad or are otherwise authorized to dispose of them under the EAR. Crew
members may export or reexport only commodities and software described in
paragraphs (b)(1) and (b)(2) of this section to any destination.
(1) Personal effects. Usual and reasonable kinds and quantities for
personal use of wearing apparel, articles of personal adornment, toilet
articles, medicinal supplies, food, souvenirs, games, and similar personal
effects, and their containers.
(2) Household effects. Usual and reasonable kinds and quantities for
personal use of furniture, household effects, household furnishings, and
their containers.
(3) Vehicles. Usual and reasonable kinds and quantities of vehicles, such
as passenger cars, station wagons, trucks, trailers, motorcycles, bicycles,
tricycles, perambulators, and their containers.
(4) Tools of trade. Usual and reasonable kinds and quantities of tools,
instruments, or equipment and their containers for use in the trade,
occupation, employment, vocation, or hobby of the traveler or members of
the household being moved. For special provisions regarding encryption
items subject to EI controls, see paragraph (f) of this section.
(c) Limits on eligibility. The export of any commodity or software is
limited or prohibited, if the kind or quantity is in excess of the limits
described in this section. In addition, the commodities or software must
be:
(1) Owned by the individuals (or by members of their immediate families)
or by crew members of exporting carriers on the dates they depart from the
United States;
(2) Intended for and necessary and appropriate for the use of the
individuals or members of their immediate families traveling with them, or
by the crew members of exporting carriers;
(3) Not intended for sale or other disposal; and
(4) Not exported under a bill of lading as cargo if exported by crew members.
(d) * * * No items controlled for EI reasons may be exported or
reexported as unaccompanied baggage.
* * * * *
(f) Special provisions: encryption software subject to EI controls. (1)
Only a U.S. citizen or permanent resident as defined by 8 U.S.C.
1101(a)(20) may export or reexport encryption items controlled for EI
reasons under this License Exception.
(2) The U.S. person or permanent resident must maintain effective control
of the encryption items controlled for EI reasons.
(3) The encryption items controlled for EI reasons may not be exported or
reexported to Country Group E:2, Iran, Iraq, Sudan, or Syria.
PART 742 - [AMENDED]
18. Section 742.15 is amended:
a. By revising the phrase "by December 31, 1998" in paragraph (b)(2) to
read "by December 31, 1997";
b. By revising the phrase "up to 56-bit key length DES" to read "up to or
equal to 56-bit key length DES" in paragraph (b)(3) - title; paragraph
(b)(3)(i) - 3 references; and paragraph (b)(3)(ii) - one reference;
c. By revising the title of paragraph (b)(3);
d. By revising the phrase "The use of License Exception KMI" in the
seventh sentence of paragraph (b)(3)(i) to read "Authorization to use
License Exception KMI";
e. By adding a new paragraphs (b)(3)(iii) and (iv); and
f. By revising paragraphs (b)(1) and (b)(4)(i) to read as follows:
§742.15 Encryption items.
* * * * *
(b) * * *
(1) Certain mass-market encryption software. Consistent with E.O. 13026
of November 15, 1996 (61 FR 58767), certain encryption software that was
transferred from the U.S. Munitions List to the Commerce Control List
pursuant to the Presidential Memorandum of November 15, 1996 may be
released from EI controls and thereby made eligible for mass market
treatment after a one-time review. To determine eligibility for mass
market treatment, exporters must submit a classification request to BXA.
40-bit mass market encryption software using RC2 or RC4 may be eligible for
a 7-day review process, and company proprietary software or 40-bit DES
implementations may be eligible for 15-day processing. Refer to Supplement
No. 6 to part 742 and §748.3(b)(3) of the EAR for additional information.
Note that the one-time review is for a determination to release encryption
software in object code only unless otherwise specifically requested.
Exporters requesting release of the source code should refer to paragraph
(b)(3)(v)(E) of Supplement No. 6 to part 742. If, after a one-time review,
BXA determines that the software is released from EI controls, such
software is eligible for all provisions of the EAR applicable to other
software, such as License Exception TSU for mass-market software. If BXA
determines that the software is not released from EI controls, a license is
required for export and reexport to all destinations, except Canada, and
license applications will be considered on a case-by-case basis.
(3) Non-key recovery encryption items supported by a satisfactory business
and marketing plan for exporting recoverable items and services.
(i) * * *
(ii) * * *
(iii) General purpose Non-key recovery encryption items of any key length
for use by financial institutions. Exports of general purpose non-key
recovery, non-voice encryption items of any key length will be permitted
under an Encryption Licensing Arrangement for distribution to financial
institutions (such as banks) in all destinations except Cuba, Iran, Iraq,
Libya, North Korea, Syria and Sudan. Applications will be reviewed on a
case-by-case basis. Only products accompanied by a satisfactory business
and marketing plan will be allowed for export. This plan shall be
submitted by the manufacturer pursuant to Supplement No. 7 of this part,
which explains in detail the steps the applicant will take during the two
year transition period beginning January 1, 1997 to develop, produce,
and/or market similar encryption items with recoverable features.
(iv) Non-key recovery financial-specific encryption items of any key
length. After a one-time review via a classification request, non-key
recovery financial-specific encryption items of any key length that are
restricted by design (e.g. highly field-formatted and validation
procedures, and not easily diverted to other end-uses) for financial
applications will be permitted for export and reexport under License
Exception KMI. No business and marketing plan as referred to in paragraph
(b)(3)(i) is required.
(4) All other encryption items.
(i) Encryption licensing arrangement. Applicants may submit license
applications for exports and reexports of certain encryption commodities
and software in unlimited quantities for all destinations except, Cuba,
Iran, Iraq, Libya, North Korea, Syria, and Sudan. Applications will be
reviewed on a case-by-case basis. If approved, encryption licensing
arrangements may be valid for extended periods as requested by the
applicant in block #24 on Form BXA-748P. In addition, the applicant must
specify the sales territory (and class(es) of end-user(s), if applicable).
Such licenses may require the license holder to report to BXA certain
information such as item description, quantity, value, and end-user name
and address.
* * * * *
19. Part 742 is amended by revising Supplement Nos. 4, 5, and 6 to read
as follows:
SUPPLEMENT NO. 4 TO PART 742 - KEY ESCROW OR KEY RECOVERY PRODUCTS CRITERIA
Key Recovery Feature
(1) The key(s) or other material/information required to decrypt
ciphertext shall be accessible through a key recovery feature.
(2) The product's cryptographic functions (greater than 40-bit DES
strength) shall be inoperable until the key(s) or other
material/information required to decrypt ciphertext is recoverable by
government officials under proper legal authority and without the
cooperation or knowledge of the user.
(3) The output of the product shall automatically include, in an accessible
format and with a frequency of at least once every three hours, the
identity of the key recovery agent(s) and information sufficient for the
key recovery agent(s) to identify the key(s) or other material/information
required to decrypt the ciphertext.
(4) The product's key recovery functions shall allow access to the key(s)
or other material/information needed to decrypt the ciphertext regardless
of whether the product generated or received the ciphertext.
(5) The product's key recovery functions shall allow for the recovery of
all required decryption key(s) or other material/information required to
decrypt ciphertext during a period of authorized access without requiring
repeated presentations of access authorization to the key recovery agent(s).
Interoperability Feature
(6) The product's cryptographic functions may:
(i) Interoperate with other key recovery products that meet these
criteria, and shall not interoperate with products whose key recovery
feature has been altered, bypassed, disabled, or otherwise rendered
inoperative;
(ii) Send information to non-key recovery products only when assured
access is permitted to the key(s) or other material/information needed to
decrypt ciphertext generated by the key recovery product. Otherwise, key
length is restricted to less than or equal to 40-bits.
(iii) Receive information from non-key recovery products with a key length
restricted to less than or equal to 40 bits.
Design, Implementation and Operational Assurance
(7) The product shall be resistant to efforts to disable or circumvent the
attributes described in criteria one through six.
(8) The product's cryptographic function's key(s) or other
material/information required to decrypt ciphertext shall be escrowed with
a key recovery agent(s) (who may be a key recovery agent(s) internal to the
user's organization) acceptable to BXA, pursuant to the criteria in
Supplement No. 5 to Part 742. Since the establishment of a key management
infrastructure and key recovery agents may take some time, BXA will, while
the infrastructure is being built, consider exports of key recovery
encryption products which facilitate establishment of the key management
infrastructure before a key recovery agent is named. Exporters of products
described in this Supplement No. 4 to part 742 are required to furnish the
name of an agent no later than December 31, 1997.
SUPPLEMENT NO. 5 TO PART 742 - KEY ESCROW OR KEY RECOVERY AGENT CRITERIA,
SECURITY POLICIES, AND KEY ESCROW OR KEY RECOVERY PROCEDURES
KEY ESCROW OR KEY RECOVERY AGENT REQUIREMENTS; SECURITY POLICIES; KEY
ESCROW OR KEY RECOVERY PROCEDURES
This Supplement sets forth criteria that the Department of Commerce will
use to approve key recovery agents to support approval of the export or
reexport of key recovery encryption items controlled for EI reasons under
ECCNs 5A002 and 5D002. Any arrangements between the exporter or
reexporter and the key recovery agent must reflect the provisions contained
in this Supplement in a manner satisfactory to BXA. This Supplement
outlines the criteria for employing key recovery agent personnel for key
recovery procedures. An applicant for eligibility to export or reexport
key recovery items shall provide, or cause the proposed key recovery agent
to provide, to BXA sufficient information concerning any proposed key
recovery agent arrangements to permit BXA's evaluation of the key recovery
agent's security policies, key recovery procedures, and suitability and
trustworthiness to maintain the confidentiality of the key(s) or other
material/information required to decrypt ciphertext. The key recovery
agent, who must be approved by BXA, may be the applicant for the
classification request. When there is no key recovery agent involved, or
the end-user will self-escrow abroad (see paragraph I.8. of this
Supplement), with or without a legal obligation to the exporter, the
end-user must be approved by BXA under the provisions of this Supplement.
BXA retains the right, in addition to any other remedies, to revoke
eligibility for License Exception KMI if BXA determines that a key recovery
agent no longer meets these criteria. The requirements related to the
suitability and trustworthiness, security policies, and key recovery
procedures of the key recovery agent shall be made terms and conditions of
the License Exception for key recovery items. BXA shall require the key
recovery agent to provide a representation that it will comply with such
terms and conditions.
Note: Use of key recovery agents located outside the U.S. is permitted if
acceptable to BXA in consultation with the host government, as appropriate.
I. Key Recovery Agent Requirements
(1)(a) A key recovery agent must identify by name, date and place of birth,
and social security number (if overseas, other similar personal
identification number), individual(s) who:
(i) Is/are directly involved in the escrowing of key(s) or other
material/information required to decrypt ciphertext; or
(ii) Have access to key(s) or other material/information required to
decrypt ciphertext, or
(iii) Have access to information concerning requests for key(s) or other
material/information required to decrypt ciphertext; or
(iv) Respond to requests for key(s) or other material/information
required to decrypt ciphertext; or
(v) Is/are in control of the key recovery agent and have access or
authority to obtain key(s) or other material/information required to
decrypt ciphertext, and
(b) Must certify that such individual(s) meet the requirements of the
following paragraphs (b)(i) or (b)(ii). BXA reserves the right to
determine at any time the suitability and trustworthiness of such
individual(s). Evidence of an individual's suitability and trustworthiness
shall include:
(i) Information indicating that the individual(s):
(A) Has no criminal convictions of any kind or pending criminal charges of
any kind;
(B) Has not breached fiduciary responsibilities (e.g., has not violated
any surety or performance bonds); and
(C) Has favorable results of a credit check; or,
(ii) Information that the individual(s) has an active U.S. government
security clearance of Secret or higher issued or updated within the last
five years.
(2) The key recovery agent shall timely disclose to BXA when an
individual no longer meets the requirements of paragraphs I.(1)(b)(i) or
(ii) of this Supplement.
(3) To remain eligible for License Exception KMI, a key recovery agent
must identify to BXA by name, date and place of birth, and social security
number (if overseas, other similar personal identification number) of any
new individual(s) who will assume the responsibilities set forth in
paragraph I.(1)(a) of this Supplement. Before that individual(s) assumes
such responsibilities, the key recovery agent must certify to BXA that the
individual(s) meets the criteria set forth in subparagraphs I.(1)(b)(i) or
(b)(ii) of this Supplement. BXA reserves the right to determine at any
time the suitability and trustworthiness of such personnel.
(4) If ownership or control of a key recovery agent is transferred, no
export may take place under previously issued approvals until the successor
key recovery agent complies with the criteria of this Supplement.
(5) Key recovery agents shall submit suitable evidence of the key
recovery agent's corporate viability and financial responsibility (e.g., a
certificate of good standing from the state of incorporation, credit
reports, and errors/omissions insurance).
(6) Key recovery agents shall disclose to BXA any of the following
which have occurred within the ten years prior to the application:
(a) Federal or state felony convictions of the business;
(b) Material adverse civil fraud judgments or settlements; and
(c) Debarments from federal, state, or local government contracting.
The applicant shall also timely disclose to BXA the occurrence of any of
the foregoing during the use of License Exception KMI.
(7) Key recovery agent(s) shall designate an individual(s) to be the
security and operations officer(s).
(8) Self-Escrow by organizations. A key recovery agent may be internal to
a user's organization and may consist of one or more individuals. BXA may
approve such key recovery agents if sufficient information is provided to
demonstrate that appropriate safeguards will be employed in handling key
recovery requests from government entities. These safeguards should ensure
the key recovery agent's structural independence from the rest of the
organization; security; and confidentiality.
II. Security Policies
(1) Key recovery agents must implement security policies that assure
the confidentiality, integrity, and availability of the key(s) or other
material/information required for decryption of the ciphertext.
(a) Procedures to assure confidentiality shall include:
(i) Encrypting all key(s) or other material/information required to
decrypt ciphertext while in storage, transmission, or transfer; or
(ii) Applying reasonable measures to limit access to the database (e.g.
using keyed or combination locks on the entrances to escrow facilities and
limiting the personnel with knowledge of or access to the
keys/combinations).
(b) Procedures to assure the integrity of the database (i.e. assuring
the key(s) and other material/information required to decrypt ciphertext
are protected against unauthorized changes) shall include the use of access
controls such as database password controls, digital signatures, system
auditing, and physical access restrictions.
(c) Procedures to assure the availability of the database (i.e.
assuring that key(s) and other material/information required to decrypt
ciphertext are retrievable at any time) shall include system redundance,
physical security, and the use of cryptography to control access.
(2) Policies and procedures shall be designed and operated so that a
failure by a single person, procedure, or mechanism does not compromise the
confidentiality, integrity and availability of key(s)or other
material/information required to decrypt ciphertext. Security policies and
procedures may include, but are not limited to, multi-person control of
access to recoverable keys, split keys, and back-up capabilities.
(3) Key recovery agents shall implement policies that protect against
unauthorized disclosure of information regarding whose encryption material
is stored, the fact that key(s) or other material/information required to
decrypt ciphertext was requested or provided, and the identity of a
requester. Procedures to assure the confidentiality of this information
shall include those described in paragraph II.(1)(a) of this supplement.
(4) Key recovery agents shall provide to BXA prompt notice of a
compromise of a security policy or of the confidentiality of key(s) or
other material/information required to decrypt ciphertext.
(5) Key recovery agents shall keep auditable records of legal access requests.
III. Key Recovery Procedures
(1) Key recovery agents shall maintain the ability to make the key(s)
or other material/information required to decrypt ciphertext available
until notified otherwise by BXA. Key recovery agents shall make requested
key(s) or other material/information required to decrypt ciphertext
available, to the extent required by the request, within two hours from the
time they receive a request from a government agency acting under
appropriate legal authority.
(2) Key recovery agents shall maintain data regarding key recovery
requests received, release of key(s) or other material/information required
to decrypt ciphertext, database changes, system administration access, and
dates of such events for purposes of audits by BXA.
(3) The key recovery agent must transfer all key recovery equipment,
key(s) and/or other material/information required to decrypt ciphertext,
key recovery database, and all administrative information necessary to its
key recovery operations to another key recovery agent approved by BXA in
the event that:
(a) The key recovery agent dissolves or otherwise terminates escrowing
operations, or
(b) BXA determines that there is a risk of such dissolution or termination, or
(c) BXA determines that the key recovery agent is no longer suitable or
trustworthy.
SUPPLEMENT NO. 6 TO PART 742 - GUIDELINES FOR SUBMITTING A CLASSIFICATION
REQUEST FOR A MASS MARKET SOFTWARE PRODUCT THAT CONTAINS ENCRYPTION
Classification requests for release of certain mass market encryption
software from EI controls must be submitted on Form BXA-748P, in accordance
with §748.3 of the EAR. To expedite review of the request, clearly mark
the envelope "Attn.: Mass Market Encryption Software Classification
Request". In Block 9: Special Purpose of the Form BXA-748P, you must
insert the phrase "Mass Market Encryption Software. Failure to insert this
phrase will delay processing. In addition, the Bureau of Export
Administration recommends that such requests be delivered via courier
service to:
Bureau of Export Administration
Office of Exporter Services
Room 2705
14th Street and Pennsylvania Ave., N.W.
Washington, D.C. 20230
(a) Requests for mass market encryption software that meet the criteria in
paragraph (a)(2) of this Supplement will be processed in seven (7) working
days from receipt of a properly completed request. Those requests for mass
market encryption software that meet the criteria of paragraph (a)(1) of
this Supplement only will be processed in fifteen (15) working days from
receipt of a properly completed request. When additional information is
requested, the request will be processed within 15 working days of the
receipt of the requested information.
(1) A mass market software product that meets all the criteria
established in this paragraph will be processed in fifteen (15) working
days from receipt of the properly completed request:
(i) The commodity must be mass market software. Mass market software is
computer software that is available to the public via sales from stock at
retail selling points by means of over-the-counter transactions, mail order
transactions, or telephone call transactions;
(ii) The software must be designed for installation by the user without
further substantial support by the supplier. Substantial support does not
include telephone (voice only) help line services for installation or basic
operation, or basic operation training provided by the supplier; and
(iii) The software includes encryption for data confidentiality.
(2) A mass market software product that meets all the criteria established
in this paragraph will be processed in seven working days from receipt of
the properly completed request:
(i) The software meets all the criteria established in paragraph (a)(1)(i)
through (iii) of this supplement;
(ii) The data encryption algorithm must be RC4 or RC2 with a key space no
longer than 40 bits. The RC4 and RC2 algorithms are proprietary to RSA
Data Security, Inc. To ensure that the subject software is properly
licensed and correctly implemented, contact RSA Data Security,
(415)595-8782;
(iii) If any combination of RC4 or RC2 are used in the same software,
their functionality must be separate. That is, no data can be operated
sequentially on by both routines or multiply by either routine;
(iv) The software must not allow the alteration of the data encryption
mechanism and its associated key spaces by the user or any other program;
(v) The key exchange used in data encryption must be:
(A) A public key algorithm with a key space less than or equal to a 512 bit
modulus and/or;
(B) A symmetrical algorithm with a key space less than or equal to 64 bits;
and
(vi) The software must not allow the alteration of the key management
mechanism and its associated key space by the user or any other program.
(b) To submit a classification request for a product that is eligible for
the seven day handling, you must provide the following information in a
cover letter to the classification request. Send the original to the
Bureau of Export Administration. Send a copy of the application and all
supporting documentation by Express Mail to:
Attn.: Mass Market Encryption Request Coordinator
P.O. Box 246
Annapolis Junction, MD 20701-0246
(1) Clearly state at the top of the page "Mass Market Encryption Software -
7 Day Expedited Review Requested";
(2) State that you have reviewed and determined that the software subject
to the classification request meets the criteria of paragraph (a)(2) of
this Supplement;
(3) State the name of the single software product being submitted for
review. A separate classification request is required for each product;
(4) State how the software has been written to preclude user modification
of the encryption algorithm, key management mechanism, and key space;
(5) Provide a copy of the encryption subsystem source code;
(6) Provide the following information for the software product:
(A) Whether the software uses the RC2 or RC4 algorithm and how the
algorithm(s) is used. If any combination of these algorithms are used in
the same product, also state how the functionality of each is separated to
assure that no data is operated by more than one algorithm;
(B) Pre-processing information of plain text data before encryption (e.g.
the addition of clear text header information or compression of the data);
(C) Post-processing information of cipher text data after encryption (e.g.
the addition of clear text header information or packetization of the
encrypted data);
(D) Whether a public key algorithm or a symmetric key algorithm is used to
encrypt keys and the applicable key space;
(E) For classification requests regarding source code:
(1) Reference the applicable executable product that has already received a
one-time review;
(2) Include whether the source code has been modified by deleting the
encryption algorithm, its associated key management routine(s), and all
calls to the algorithm from the source code, or by providing the encryption
algorithm and associated key management routine(s) in object code with all
calls to the algorithm hidden. You must provide the technical details on
how you have modified the source code;
(3) Include a copy of the sections of the source code that contain the
encryption algorithm, key management routines, and their related calls; and
(F) Provide any additional information which you believe would assist in
the review process.
(c) Instructions for the preparation and submission of a classification
request that is eligible for 15 day handling are as follows:
(1) If the software product meets only the criteria in paragraph
(a)(1) of this supplement, you must prepare a classification request. Send
the original to the Bureau of Export Administration. Send a copy of the
application and all supporting documentation by Express Mail to:
Attn.: Mass Market Encryption Request Coordinator
P.O. Box 246
Annapolis Junction, MD 20701-0246
(2) You must provide the following information in a cover letter to the
classification request:
(i) Clearly state at the top of the page "Mass Market Software and
Encryption - 15 Day Expedited Review Requested";
(ii) State that you have reviewed and determined that the software subject
of the classification request, meets the criteria of paragraph (a)(1) of
this Supplement;
(iii) State the name of the single software product being submitted for
review. A separate classification request is required for each product;
(iv) State that a duplicate copy, in accordance with paragraph (c)(1) of
this Supplement, has been sent to the 15 day Encryption Request
Coordinator; and
(v) Ensure that the information provided includes brochures or other
documentation or specifications relating to the software, as well as any
additional information which you believe would assist in the review process.
(3) Contact the Bureau of Export Administration on (202) 482-0092 prior to
submission of the classification to facilitate the submission of proper
documentation.
PART 748 -[ AMENDED]
20. Section 748.9 is amended by revising paragraph (a)(7) and by adding
new paragraph (a)(8) to read as follows:
§748.9 Support documents for license applications.
(a) * * *
(7) The license application is submitted to export or reexport software or
technology.
(8) The license application is submitted to export or reexport encryption
items controlled under ECCNs 5A002, 5B002, 5D002 and 5E002.
21. Section 748.10 is amended by revising paragraph (b)(1) to read as follows:
§748.10 Import and End-User Certificates
* * * * *
(b) * * *
(1) Any commodities on your license application are controlled for national
security (NS) reasons, except for items controlled under ECCN 5A002 or
5B002;
* * * * *
PART 750 - [AMENDED]
22. Section 750.3 is amended by amending paragraph (b)(2)(i) to read as
follows:
§750.3 Review of license applications by BXA and other government agencies
and departments.
* * * * *
(b) * * *
(2) * * *
(i) The Department of Defense is concerned primarily with items controlled
for national security and regional stability reasons and with controls
related to encryption items;
* * * * *
23. Section 750.7 is amended:
a. By redesignating paragraphs (c)(1) through (5) as (c)(1)(i) through (v);
b. By redesignating paragraphs (c)(6)(i) through (v) as (c)(1)(vi)(A)
through (E);
c. By redesignating paragraphs (c)(7) and (8) as (c)(7)(vii) and (viii); and
d. By adding a new paragraph (c)(2) to read as follows:
§750.7 Issuance of licenses.
* * * * *
(c) * * *
(2) Changes to encryption licensing arrangements. (i) For encryption
licensing arrangements issued by BXA for exports and reexports of items
controlled under ECCN 5A002, 5B002, 5D002 and 5E002, and for encryption
items previously on the U.S. munitions List and currently authorized for
export or reexport under a State Department license, distribution
arrangement or any other authority of the State Department, the following
changes may be requested by letter to BXA:
(A) Additional sales territory or country of destination; and
(B) Additional quantity.
(ii) Letters requesting changes pursuant to paragraph (c)(2)(i) of this
section should be made by the license holder on company letterhead, clearly
identifying the original license number and the requested change. In
addition, requests for changes to State licenses or other authorizations
must be accompanied by a copy of the original State license or
authorization. Send requests for changes to the following address:
Office of Strategic Trade
Bureau of Export Administration
U.S. Department of Commerce
Room 2705
14th Street and Pennsylvania Ave., N.W.
Washington, DC 20230
(C) Additional products.
PART 752 - [AMENDED]
24. Section 752.3 is amended by redesignating paragraphs (a)(5) through
(a)(10) as (a)(6) through (a)(11) and adding a new paragraph (a)(5) to read
as follows:
§752.3 Eligible items.
(a) * * *
(5) Items controlled for EI reasons on the CCL;
* * * * *
PART 758 - [AMENDED]
25. Section 758.1 is amended by adding a new paragraph (e)(1)(i)(D) to
read as follows:
§758.1 Export Clearance Requirements.
* * * * *
(e) * * *
(1) * * *
(ii) * * *
(D) Exports of tools of trade under License Exception TMP or BAG.
PART 770 -[AMENDED]
26. Section 770.2 is amended by revising the section title and adding a
new paragraph (l) to read as follows:
§770.2 Item interpretations.
* * * * *
(l) Interpretation 12: Encryption software controlled for EI reasons.
Encryption software controlled for EI reasons under ECCN 5D002 may be
pre-loaded on a laptop and exported under the tools of trade provision of
License Exception TMP or License Exception BAG, subject to the terms and
conditions of such License Exceptions. This provision replaces the
personal use exemption of the International Traffic and Arms Regulations
that existed for such software prior to December 30, 1996. Neither License
Exception TMP nor License Exception BAG contains a reporting requirement.
PART 772 - [AMENDED]
27. Part 772 is amended by adding, in alphabetical order, new definitions
"Banks and Financial Institutions", "Effective control", "Encryption
licensing arrangement", and "Recovery encryption products" to read as
follows:
Banks and Financial Institutions. For purposes of this part, "banks and
financial institutions" means:
a) a bank or savings association, as defined in section 3 of the Federal
Deposit Insurance Act (12 U.S.C. 1813 (a) or (b)); a credit union, as
defined in section 101 of the Federal Credit Union Act (12 U.S.C. 1752);
b) a subsidiary, holding company, branch located outside the United States,
of the entities described in paragraph (a);
c) a bank service company as defined in section 1 of the Bank Service
Company Act (12 U.S.C. 1861); or a service corporation under section 5 of
the Home Owners' Loan Act (12 U.S.C. 1464(c)(4)(B)); a corporation charted
under section 25A of the Federal Reserve Act (12 U.S.C. 611), including any
branch thereof; or a corporation having an agreement or undertaking with
the Board of Governors of the Federal Reserve System under section 25 of
the Federal Reserve Act (12 U.S.C. 611), including any branch or subsidiary
thereof;
d) a company organized under the laws of a foreign country which engages in
the business of banking, including, without limitation, foreign commercial
banks, foreign merchant banks and other foreign institutions that engage in
banking activities usual in connection with the business of banking in the
countries where such foreign institutions are organized or operating,
including any branch or subsidiary thereof;
e) a interbank clearing system that is, or whose members are subject to
state or national regulation or supervision;
f) a broker or dealer in securities registered with the Securities and
Exchange Commission; a foreign broker or dealer in securities subject to
governmental supervision or regulation by a foreign securities authority;
an investment company, registered with the Securities and Exchange
Commission; an investment adviser, as defined in § 2(20) of the Investment
Company Act of 1940 (15 U.S.C. 80a-2), that is registered with the
Securities and Exchange Commission and is engaged solely in the business of
advising one or more investment companies; a foreign investment company; or
a securities, commodity, futures, or option exchange or other financial
market that is subject to governmental supervision or regulation;
g) an issuer of a general purpose charge, credit or debit card; or
h) a company engaged in the electronic transmission of money, credit or
financial instruments between a financial institution (as defined in this
section) and a customer or other financial institutions.
* * * * *
Effective control. You maintain effective control over an item when you
either retain physical possession of the item, or secure the item in such
an environment as a hotel safe, a bonded warehouse, or a locked or guarded
exhibition facility. Retention of effective control over an item is a
condition of certain temporary exports and reexports.
Encryption licensing arrangement. A license that allows the export of
specified products to specified destinations in unlimited quantities. In
certain cases, exports are limited to specified end-users for specified
end-uses. Generally, reporting of all sales of the specified products is
required at six month intervals. This includes sales made under
distribution arrangements and distribution and warehousing agreements that
were previously issued by the Department of State for encryption items.
* * * * *
Recovery encryption products. Encryption products (including software)
that allow government officials to obtain under proper legal authority and
without the cooperation or knowledge of the user, the plaintext of
encrypted data and communications.
* * * * *
PART 774 - [AMENDED]
28. In Supplement No. 1 to part 774, Category 5 - Telecommunications and
Information Security is amended by revising ECCNs 5A002 and 5D002 to read
as follows:
5A002 Systems, equipment, application specific "assemblies", modules or
integrated circuits for "information security", and specially designed
components therefor.
License Requirements
Reason for Control: NS, AT, EI
Control(s) Country Chart
NS applies to entire entry NS Column 1
AT applies to entire entry AT Column 1
EI applies to encryption items transferred from the U.S. Munitions List to
the Commerce Control List consistent with E.O. 13026 of November 15, 1996
(61 FR 58767) and pursuant to the Presidential Memorandum of that date.
Refer to §742.15 of this subchapter.
License Requirement Notes: See §743.1 of the EAR for reporting
requirements for exports of commodities controlled under 5A002 and exported
under License Exceptions LVS, or GOV.
License Exceptions
LVS: Yes: $500 for components and spare parts only. N/A for equipment.
GBS: N/A
CIV: N/A
List of Items Controlled
Unit: $ value
Related Controls: For the control of global navigation satellite systems
receiving equipment containing or employing decryption (i.e., GPS or
GLONASS see 7A005). This entry does not control: a.) "Personalized smart
cards" or specially designed components therefor, with any of the following
characteristics: 1.) Not capable of message traffic encryption or
encryption of user-supplied data or related key management functions
therefor; or 2.) When restricted for use in equipment or systems excluded
from control under the note to 5A002.c, or under paragraphs b through h of
this note. b.) Equipment containing "fixed" data compression or coding
techniques; c.) Receiving equipment for radio broadcast, pay television or
similar restricted audience television of the consumer type, without
digital encryption and where digital decryption is limited to the video,
audio or management functions; d.) Portable or mobile radiotelephones for
civil use (e.g., for use with commercial civil cellular radiocommunications
systems) that are not capable of end-to-end encryption; e.) Decryption
functions specially designed to allow the execution of copy-protected
"software", provided the decryption functions are not user-accessible; f.)
Access control equipment, such as automatic teller machines, self-service
statement printers or point of sale terminals, that protect password or
personal identification numbers (PIN) or similar data to prevent
unauthorized access to facilities but do not allow for encryption of files
or text, except as directly related to the password or PIN protection; g.)
Data authentication equipment that calculates a Message Authentication Code
(MAC) or similar result to ensure no alteration of text has taken place, or
to authenticate users, but does not allow for encryption of data, text or
other media other than that needed for the authentication; h.)
Cryptographic equipment specially designed, developed or modified for use
in machines for banking or money transactions, as restricted to use only in
such transactions. Machines for banking and money transactions include
automatic teller machines, self-service statement printers, point of sale
terminals or equipment for the encryption of interbanking transactions.
Related Definitions: N/A
Items:
a. Designed or modified to use "cryptography" employing digital techniques
to ensure "information security";
b. Designed or modified to perform cryptoanalytic functions;
c. Designed or modified to use "cryptography" employing analog techniques
to ensure "information security";
Note: 5A002.c does not control the following:
1. Equipment using "fixed" band scrambling not exceeding 8 bands and in
which the transpositions change not more frequently than once every second;
2. Equipment using "fixed" band scrambling exceeding 8 bands and in which
the transpositions change not more frequently than once every ten seconds;
3. Equipment using "fixed" frequency inversion and in which the
transpositions change not more frequently than once every second;
4. Facsimile equipment;
5. Restricted audience broadcast equipment; and
6. Civil television equipment;
d. Designed or modified to suppress the compromising emanations of
information
bearing signals;
Note: 5A002.d does not control equipment specially designed to suppress
emanations for reasons of health and safety.
e. Designed or modified to use cryptographic techniques to generate the
spreading code for "spread spectrum" or hopping code for "frequency
agility" systems;
f. Designed or modified to provide certified or certifiable "multilevel
security" or user isolation at a level exceeding Class B2 of the Trusted
Computer System Evaluation Criteria (TCSEC) or equivalent;
g. Communications cable systems designed or modified using mechanical,
electrical or electronic means to detect surreptitious intrusion.
* * * * *
5D002 Information Security - "Software".
License Requirements
Reason for Control: NS, AT, EI
Control(s) Country Chart
NS applies to entire entry NS Column 1
AT applies to entire entry AT Column 1
EI applies to encryption items transferred from the U.S. Munitions List to
the Commerce Control List consistent with E.O. 13026 of November 15, 1996
(61 FR 58767) and pursuant to the Presidential Memorandum of that date.
Refer to §742.15 of the EAR.
Note: Encryption software is controlled because of its functional
capacity, and not because of any informational value of such software; such
software is not accorded the same treatment under the EAR as other
"software"; and for the export licensing purposes encryption software is
treated under the EAR in the same manner as a commodity included in ECCN
5A002. License Exceptions for commodities are not applicable.
Note: Encryption software controlled for EI reasons under this entry
remains subject to the EAR even when made publicly available in accordance
with part 734 of the EAR, and it is not eligible for the General Software
Note ("mass market" treatment under License Exception TSU for mass market
software). After a one-time BXA review, certain encryption software may be
released from EI controls and made eligible for the General Software Note
treatment as well as other provisions of the EAR applicable to software.
Refer to §742.15(b)(1) of the EAR, and Supplement No. 6 to part 742 of the
EAR.
License Requirement Notes: See §743.1 of the EAR for reporting
requirements for exports of software controlled under 5D002 and exported
under License Exceptions TSU or GOV.
License Exceptions
CIV: N/A
TSR: N/A
List of Items Controlled
Unit: $ value
Related Controls: 5D002.a controls "software" designed or modified to use
"cryptography" employing digital or analog techniques to ensure
"information security".
Related Definitions: N/A
Items:
a. "Software" specially designed or modified for the
"development", "production" or "use" of equipment or "software" controlled
by 5A002, 5B002 or 5D002.
b. "Software" specially designed or modified to support
"technology" controlled by 5E002.
c. Specific "software" as follows:
c.1. "Software" having the characteristics, or performing or simulating
the functions of the equipment controlled by 5A002 or 5B002;
c.2. "Software" to certify "software" controlled by 5D002.c.1.
Note: 5D002 does not control:
a. "Software" "required" for the "use" of equipment excluded from control
under the Note to 5A002;
b. "Software" providing any of the functions of equipment excluded from
control under the Note to 5A002.
Dated:
Iain S. Baird
Acting Assistant Secretary for
Export Administration