5 October 1998
[October 2, 1998]
SUMMARY OF ENCRYPTION POLICY UPDATE
1. Release up to "56 bit DES and equivalent" hardware and software
Hardware and software exports of up to "56 bits DES and equivalent" products will be eligible for license exception treatment to all users and destinations (except the seven State supporters of terrorism) after a one-time technical review. No further key recovery plans or renewals of existing key recovery plans are required. This release includes up to 56 bit DES, RC2, RC4, RC5 and CAST. Products with asymmetric key sizes up to 1024 bits will be permitted. Semi-annual post-facto reporting of end users for non-mass market exports to military and government end-users will be required.
2. Relax requirements for Key Recovery products
Remove from the regulations the requirement to name and review key recovery agents for exports of key recovery products. Require post-facto reporting of key recovery agents and the end users of key recovery products (currently semi-annual). Supplement 5 (Key Recovery Agent Criteria) will be removed from regulations.
Semi-annual post-facto reporting is required within each sector.
U.S. Subsidiaries: Approve exports of any encryption with any key length, with or without key recovery, to subsidiaries of U.S. companies (defined in Commerce regulation) world-wide (except the seven state sponsors of terrorism) under license exception, for the protection of internal business operations. This policy will also extend favorable treatment, to Astrategic, partners@ under license.
Insurance Companies: Treat insurance companies like banks and securities firms by adding them to the definition of Afinancial institution.@ The result is license exception treatment to institutions headquartered in nations listed in the recent amendments to the EAR relating to banks and financial institutions (63 FR 50156).
Health/Medical: Permit the export under license exception of any encryption with any key length, with or without key recovery, to organizations in the strictly defined health and medical sectors (see attached definitions) located in the nations listed in the banking regulation. Exports outside the country list found in the banking regulation receive a policy of approval under Encryption Licensing Arrangements (ELAs), recognizing that certain destinations may be denied on foreign policy or other grounds. The EAR will exclude biochemical firms, pharmaceutical firms and military agencies from eligibility for the license exception. Exports to such end users are possible under individual license.
On-Line Merchants: The EAR will permit license exception treatment for the export of client-server applications (e.g., SSL) and applications tailored to on-line transactions, with any encryption algorithm and with any key length and with or without key recovery, to on-line merchants (see attached definitions), located in the country list found in the banking regulation . Exports would be limited to those that facilitate secure electronic transactions between merchants and their customers. Exports outside the country list found in the banking regulation receive a policy of approval under ELA, recognizing that certain destinations may be denied on foreign policy or other grounds. Foreign merchants (non-US owned and controlled) that sell items and services controlled on the U.S. munitions list are excluded from this policy. For merchants having separate business units, only those business units selling munitions items are excluded from this policy of approval and license exception.
4. Recoverable Products
Permit exports, under Export Licensing Arrangements, of recoverable products (see attached definitions) to foreign commercial firms for internal company proprietary use, only (i.e. not sold for individual use) that are located in the following countries:
1. Austria, Australia, Belgium, Canada, Denmark, Finland, France, Germany, Iceland, Ireland, Italy, Japan, Luxembourg, The Netherlands, New Zealand, Norway, Portugal, Spain, Sweden, Switzerland, and the United Kingdom.
In addition, for those commercial firms headquartered in countries listed in l above, further permit exports, ELAs, of recoverable products to their foreign subsidiaries for internal company proprietary use in all destinations except the seven countries identified as State supporters of terrorism.
For both 1 and 2 above, this policy of approval excludes those commercial firms or separate business units of commercial firms engaged in the manufacturing and distribution of products or services controlled on the U.S. Munitions List. Service providers are also excluded from this policy. Semi-annual post export reporting of end users is required. Exports to those end users and countries not listed under this policy are possible under Validated Licenses or Export Licensing Arrangements on a case-by-case basis.
Insurance company means:
a) A company organized and regulated under the laws of any of the United States and its branches and affiliates whose primary and predominant business activity is the writing of insurance or the reinsuring of risk, or
b) A company organized and regulated under the laws of a foreign country and its branches and affiliates, regulated by an insurance Commissioner or an equivalent foreign regulatory authority and whose primary and predominant business activity is the writing of insurance or the reinsuring of risks.
Any entity, the primary purpose of which is the lawful provision of "medical or other health services", not including biochemical and pharmaceutical manufacturers and military or government entities.
A seller of goods using electronic means (e.g., the Internet) to conduct commercial transactions and is defined to be a person that deals in goods of the kind involved in the transaction.
1. A stored data product containing a recovery feature that, when activated, allows recovery of the plaintext* of encrypted data without the assistance of the end user; or
2. A product or system designed such that network administrator or other authorized persons who are removed from the end user can provide law enforcement access to plaintext without the knowledge or assistance of the end user. This includes, for example, products or systems where plaintext exists and is accessible at intermediate points in a network or infrastructure system, enterprise-controlled key escrow and enterprise-controlled key recovery systems, and products which permit recovery of plaintext at the server where a system administrator controls and/or can provide recovery of plaintext across an enterprise, and so on.
* Plaintext indicates that data that is initially received by or presented to the recoverable product before encryption takes place.
BXA Home Page