Export Controls

    Before 1991, the government and large companies were the only real users of encryption technology.  Up to this date, there is still no regulation over the domestic use of encryption.  When Philip Zimmermann first released free software called Pretty Good Privacy which encodes ordinary e-mail, there were no problems. However, when the software began to appear in other countries, the Department of Justice started a three year criminal investigation of Zimmerman for international arms trafficking.  Export control policy continues to categorize many encryption items as 'munitions-related', thereby subjecting them to applicable export laws.  Currently, any encryption software that is exported using over 40-bit encryption is considered a munition.  Zimmerman's PGP used 128-bit encoding keys and highlights the problems between current U.S. policy and the rapid advancement of encryption technology.  The government eventually dropped the case, click for details and impact.

    Anyone wishing to export the strongest encryption products is required, under the Arms Export Control Act, to obtain individual licenses from the Office of Defense Trade Controls at the State Department.  In the Act, Cryptography is not even mentioned, but it empowers the President to designate which items are "defense articles" or "defense services".  To obtain a license, the manufacturer's product is subject to a lengthy review by the State Department and by the National Security Agency to determine it exportability.  Many industry executives have claimed that the approval process can take up to ten months for certain products.  In the software industry, time is of the essence and even a two week delay can cause millions of dollars in losses to a company.  Considering companies outside the U.S. do not have to face the delay of this process, this puts U.S. companies at a disadvantage.  DES-based products are already being used in encryption products manufactured in foreign countries.  The DES algorithm is also obtainable via the Internet.  Given that encryption systems are increasingly found in software programs, and not hardware, it will be even harder, if not impossible, for the government to control the use of encryption.  However, many high ranking government officials support restrictions on exporting encryption.  They believe contolling export of products using algorithm still prevents a significant number of international terrorists, criminals, and unfriendly foreighn powers from acquiring advanced encryption technology.

    The U.S. export control system is divided into two regimes:  the Department of State controls a list of munitions items under the authority of the International Traffic In Arm Regulation (ITAR) in the Arms Export Control Act, and the Department of Commerce controls a list of dual-use items, i.e., items having both military and civilian applications, under the Export Administration Act. Controls on munitions items are generally more restrictive than those on dual-use items.  Therefore, industry generally prefers to have products on the dual-use list controlled by Commerce. NSA plays a major role in determining rules for exporting U.S. products with encryption capabilities.  The scope of NSA's review is generally limited to those products and technologies whose export could affect the performance of NSA missions.  The review affects such decisions as (1) whether individual products are placed on the more restrictive State-controlled "munitions list" or the less restrictive Commerce controlled dual-use list and (2) whether particular products on the munitions list may be licensed for export. State is required to periodically review the munitions list to see if certain items can be transferred to Commerce's jurisdiction.  Any changes to the munitions list, however, must have the concurrence of the Department of Defense.  NSA plays an extensive role in this concurrence when encryption products are being considered for removal from the munitions list.  Responding to a 1990 executive order, State led an interagency review of the munitions list to identify items that could be transferred to Commerce's jurisdiction.  Mass-market software with encryption capabilities was one item reviewed.  It was not removed.  The current problems in exporting encryption software is exemplified on this site.

    To allay industry's concern that such software continues to be controlled on the munitions list, the State amended its regulation in July 1992.  It established a procedure to expeditiously transfer to the Commerce list those mass-market software products with encryption capabilities that met certain criteria.  Industry representatives continue to press for the transfer of additional mass-market software and other products with encryption capabilities to the Commerce list to improve the possibility and the predictability of export approval. In 1996, the Clinton Administration Policy relaxed its stand somewhat, declaring that encryption software would no longer be considered a munition, unless it was created specifically for militarty purposes.  The munitions list was amended to transfer encryption products designed for personal, non-military use from the Department of State's US Munitions List (USML) to the Department of Commerce's Commerce Control List (CCL).  The Commerce Department was given exclusive authority over encryption export regulation. 56 bit encryption systems (DES standard) were permitted for export by companies that make "satisfactory commitments" to develop and market key recovery products by December 1998.  Thus, this was contingent on the fact that software companies commit to developing public recovery keys for government access within two years of developing the new encryption. This is not a beneficial solution to the problem, so the battle over encryption export policy remains.  Many experts claim the current 40-bit encryption policy is very out of date and any attempt to institue a key-escrow at that level would be futile and risky.  They emphasize the need to increase the encryption limit on the export regulation or do away with it, click here to view.

Click here to become an international arms trafficker and learn more about the ITAR controversy.

Click here for other sites on Export Control Policy

Phil Karn's (Qualcomm rep.) current court case case against the constitutionality of the government's export policy

Other cases fighting the constitutionality of Export restrictions.