11 January 1999
Source: http://osecnt04.osec.doc.gov/bxafoia/foia/pdfs/pubcomm/encrypt2/encrypt.pdf (4.1 MB)
Offered on the BXA Web site November 7, 1999


Public Comments on Interim Rule
"Encryption Items"
63 FR 50516, September 22, 1998

Federal Register Notice

1. William A. Root, October 6, 1998

2. Regulations and Procedures Technical Advisory Committee (RPTAC), November 2, 1998 [Not provided by BXA]

3. Microsoft, November 6, 1998

4. Investment Company Institute, November 6, 1998

5. VISA, November 6, 1998

6. Citibank, November 6, 1998

7. Steptoe & Johnson, November 13, 1998


[6 pages]


						William A. Root
						4024 Franklin Street
						Kensington MD 20895
						Tel. & FAX 301 942 6720

						October 6, 1998 

Nancy Crowe, Regulatory Policy Division 
Bureau of Export Administration, Department of Commerce 
P. O. Box 273, Washington DC 20094

Re: Encryption Regulations - Interim Rule of September 22, 1998

Dear Ms. Crowe:

The following comments are limited to anomalies or inconsistencies related to 
the subject interim rule and do not imply either concurrence or non-
concurrence with the substance of that rule. Moreover, they do not repeat 
anomalies or inconsistencies related to other aspects of encryption 
regulations brought to BXA's attention in my letters of December 2, 1996, 
January 2, 1997, February 11, 1997, August 27, 1997, or March 9, 1998.

1.    Mass market encryption software Revised 742.15(b)(1)(i), 
      742.15(b)(1)(ii) except for the last sentence, and 742 Supplement 6 
      specify conditions under which License Exception TSU for mass market 
      software is applicable to encryption software. Unchanged 740.13(d)(2), 
      which reads in its entirety: 
            This (TSU mass market software) License Exception is not available 
            for key escrow encryption software controlled by 5D002.c.1, 
      is, therefore, misleading. 742.15(b)(1) conditions for TSU eligibility 
      should be moved to 740.13(d)(2) and 742 Supplement 6 should be moved to 
      become a Supplement to part 740.

      742 Supplement 6 first paragraph refers to Office of Exporter Services 
      in Room 2705, whereas 730.8(c) and 748.2(a) refer to Exporter Counseling 
      Division in Room 1099D.

      742 Supplement 6 (a)(2)(iii) is garbled. Perhaps it should read: 
            If any combination of RC4 or RC2 is used, no data can be operated 
            on sequentially by both routines nor be multiplied by either 
            routine.

2.    License Exception KMI

a.    "And" vs. "or" The interim rule revision to 740.8(b)(2) uses "and" 
      rather than "or" to link "commodities and software" and to link "5A002 
      and 5D002," thus indicating, probably inadvertently, that KMI may be 
      used only for transactions involving both commodities and software.

b.    Wassenaar reporting 740.8(b)(2)(ii)(B) last sentence and 
      (b)(2)(iii)(D) last sentence specify 743.1 Wassenaar reporting 
      requirements for KMI shipments, as does the revision to 743.1(b).
      However, CCL listings under License Requirement Notes list only License
      Exceptions LVS and GOV as requiring such 5A002 reporting and only GOV as
      requiring such 5D002 reporting.

      Wassenaar may have dropped the COCOM bank and financial institution 
      encryption exception inadvertently, just as the U.S. did in connection 
      with the EAR reform. In any event, it would be consistent with the 
      interim rule for the U.S. to seek a conforming Wassenaar amendment, so 
      that 743 reporting would not have to be required for such KMI exports.

c.    License Exception vs. licensing policy Unchanged 742.15(b)(2) and 
      (b)(3), new 742.15(b)(4)(i) and (b)(5), revised 742 Supplement 4, and 
      unchanged 742 Supplement 5 concern conditions for License Exception KMI 
      and, therefore, should be moved to the KMI section 740.8 and to part 740 
      Supplements, rather than be retained in licensing policy part 742.

d.    Countries eligible to receive general purpose encryption commodities and 
      software for banks and financial institutions 

New Supplement No. 3 to Part 740 creates a substantial burden on both 
exporters and the government by establishing a new country group which, for no 
reason stated in the Federal Register, differs substantially from all former 
groups. It is understood that this new country group consists of members of a 
financial action Task Force, or countries agreeing to comparable conditions, 
and that the list is not final and could be lengthened. Errors identified in 
the following anomalies should be remedied immediately and it is hoped that 
other of these anomalies will be remedied in the near future by obtaining the 
likely requisite financial action cooperation of more countries:

Four Computer Tier 1 countries are omitted, as follows:
-     Holy See (included in Italy per 744 Supplement 3; listed as Vatican City
      in the Country Chart)
-     Liechtenstein (exports to Switzerland may be reexported to Liechtenstein
      without a license per 740.16(9))
-     Mexico (NAFTA member)
-     San Marino (included in Italy per 744 Supplement 3)

Seventeen Computer Tier 2 countries are listed, including eleven having no 
other special cooperative relationship with the United States, whereas the 
following four long-standing cooperating countries and 88 others are omitted:
-     Czech Republic (member of NATO, Wassenaar, AG, and NSG)
-     South Korea (member of Wassenaar, AG, and NSG and cooperating country
      per 740.11(b)(3)(ii))
-     Slovakia (member of Wassenaar, AG and NSG)
-     Taiwan (cooperating country per 740.11(b)(3)(ii))
-     81 others never before singled out for special treatment of any sort and
      previously indistinguishable from 11 of the 17 listed
-     Seven which, since their removal from the nuclear non-proliferation
      special country list, were also indistinguishable from the 11 listed,
      namely: Algeria, Andorra, Angola, Comoros, Djibouti, Micronesia, and
      Vanuatu

The one Computer Tier 3 country listed, Croatia, is not otherwise a
cooperating country, whereas the following four Computer Tier 3 countries,
which do cooperate in other fora, are omitted:
-     Bulgaria (Wassenaar and NSG)
-     Romania (Wassenaar, AG, and NSG)
-     Russia (Wassenaar, MTCR, and NSG)
-     Ukraine (Wassenaar)

Two listed countries, Anguilla and Aruba are not named in the Country Chart
in 738 Supplement 1. They should receive the licensing treatment accorded the
United Kingdom and The Netherlands, respectively, pursuant to 738.3(b).

e.    Definition of "bank" In paragraph (a) of the new definition of "bank"
      in part 772, "Agreement corporation" makes no sense. Based on an earlier
      draft, perhaps corporation having an agreement under section 25 of the
      Federal Reserve Act (12 U.S.C. 611) is meant.

      Paragraph (c) would be easier to read if the comma before "that is" were 
      deleted.

3.    De minimis

Interim rule revisions to 732.2(d), 732.3(e)(2), and 734.4(b)(2) clarify that 
de minimis exclusions from "subject to the EAR" do not apply to EI items 
controlled by ECCN 5E002 as well as to EI items controlled by ECCN 5A002 and 
ECCN 5D002. 732.2(d) and 732.3(e)(2) state that de minimis provisions do not 
apply to these EI items, whereas 734.4(b)(2) states that certain mass market 
encryption software may become eligible for de minimis after a one-time BXA 
review per 742.15(b)(1). However, after such a positive one-time BXA review, 
software is released from control whether or not it is de minimis.

EI technology and software could be made eligible for de minimis with no loss 
of control, because, pursuant to 734 Supplement 2 (b), a one-time report to 
BXA is a pre-requisite for all de minimis technology and software.

4.    Electronic acknowledgments or assurances

The interim rule revision to 734.2(b)(9)(ii) adds the following sentence: 
      BXA will consider acknowledgments in electronic form provided that they 
      are adequate to assure legal undertakings similar to written 
      acknowledgments. 
An exporter reasonably assumes that an electronic acknowledgment is as legally 
adequate as a non-electronic written acknowledgment unless the EAR specifies 
otherwise. Neither a non-electronic nor an electronic acknowledgment could 
overcome inadequacies caused by the laws or regulations of the recipient's 
country blocking the extraterritorial reach of U.S. export controls. The EAR 
should cite any conditions which would make an electronic acknowledgment 
inadequate under U.S. laws and regulations.

The interim rule revision of 740.6(a)(3) states that the required TSR 
assurance may be in the form of any written communication from the importer 
"including communications via facsimile." Unlike 734.2(b)(9)(ii), this 
indicates that an electronic facsimile communication is a form of written 
communication. It also does not rule out the possibility that other forms of 
electronic communication, such as email, are also written communications.

If there is an intended implication that an electronic communication is 
adequate in the contexts of 740.6(a)(3) and 739.2(b)(9)(ii) only if the 
importer's signature is reproduced, this should be stated explicitly.

5.    Limited value shipments

a.    Support previous export The interim rule statement in 790.3(d)(5) that
      5A002 components or spare parts exported under License Exception LVS
      must be destined to support an item previously authorized for export is
      not repeated in the CCL listing of 5A002, where an exporter would expect
      to find a restriction applicable to only one ECCN.

b.    Spare parts vs. specially designed components The references to
      "components or spare parts" in 790.3(d)(5) and to "components and spare
      parts" in the LVS line of the CCL listing of 5A002 are inconsistent with
      the control text of 5A002, which assumes that spare parts are included
      in the expression "specially designed components."

c.    Software vs. commodities The ITAR provision on which 5A002 LVS 
      eligibility is based, 22 CFR 123.16(b)(2), applies to software as well 
      as to commodities, since ITAR defines "defense article" to include 
      "technical data," defines "technical data" to include software, and 
      defines "component" as an "item" and "part" as an "element," i.e., 
      terminology not limited to commodities. However, the new encryption LVS 
      eligibility applies only to commodities (5A002) and does not apply to 
      software (5D002).

d.    Encryption vs. other items 22 CFR 123.16(b)(2) applies generally to
      defense articles whereas the new LVS eligibility patterned on that ITAR
      provision applies only to encryption and does not apply generally to CCL
      items, or even to other CCL items which have been transferred from the
      U.S. Munitions List.

6.    Effective control and controlled-in-fact

The definition of "effective control," referred to in revised 740.9(a)(2)(i) 
concerning tools of trade and newly added to 772, is drafted so as to apply to 
this expression wherever it appears in the EAR (reference in the definition to 
its applicability to certain temporary exports and reexports does not make it 
otherwise inapplicable). However, the new definition differs from the 
definition of "effective control" contained in 772 for purposes of the Special 
Comprehensive License (SCL).

On the other hand, "effective control" does not appear in EAR provisions 
concerning the SCL. Instead, "controlled-in-fact" is used in 752.5(b)(2)(i)(B) 
(twice) and in 752 Supplement 3 Block 7(ii) item (b) and the part 772 
definition of "controlled-in-fact" for SCL purposes differs markedly from both 
of the part 772 "effective control" definitions. This situation arose because 
reg reform combined various special licenses into one SCL; the SCL picked up 
the old distribution license "controlled-in-fact" term in part 752 and its 
definition in part 772; and part 772 also picked up the old service supply 
procedure "effective control" definition even though that term was not picked 
up in part 752 (the old special chemical license different definition of 
"effective control" was not picked up in the reg reform, in either 752 or 
772). The "controlled-in-fact" definition is far clearer than any of the 
"effective control" definitions in describing whether one entity in fact 
controls another entity.

New 740.9(a)(2)(ix), like 22 CFR 123.16(b)(9) after which it was patterned, 
refers to a subsidiary, affiliate or facility that is "controlled" by a U.S. 
person, without defining "controlled."

The new 772 definition of "effective control" would logically apply to the use 
of those words in new 740.14(f)(2), which conditions encryption software 
eligible for License Exception BAG.

Terms which are defined in part 772 are normally put in quotation marks in the 
relevant parts of the EAR, e.g., "effective control" appears in quotation 
marks in 740.9(a)(2)(viii)(A)(1) concerning news media. However, "effective 
control" in the operative portion of 740.9(a)(2)(i) and in 740.14(f)(2) and 
"controlled-in-fact" in all three places where it is used in part 752 are not 
in quotation marks.

To resolve these anomalies:
-     "effective control" should be put in quotation marks the first place it
      appears in newly revised 740.9(a)(2)(i) and in 740.14(f)(2);
-     the new definition of "effective control" in part 772 should be revised
      to insert at the beginning "For purposes of the tools of trade and news
      media portions of License Exception TMP and the encryption software
      portion of License Exception BAG," and to delete at the end "Retention
      of effective control over an item is a condition of certain temporary
      exports and reexports";
-     the "effective control" definition for SCL purposes should be deleted;
-     "controlled-in-fact" as used in 752 should be put in quotation marks;
-     "controlled" in 740.9(a)(2)(ix) should be changed to "controlled-in-
      fact" (in quotation marks); and
-     in the "controlled-in-fact" definition in 772 after "For purposes of the
      Special Comprehensive License (part 752 of the EAR)" the following
      should be inserted "and of the portion of License Exception TMP
      described in 740.9(a)(2)(ix)" (also see point 7 below, which questions
      inclusion of this provision in TMP).

7.    Temporary vs. permanent exports to subsidiaries New 740.9(a)(2)(ix) and
      the ITAR provision on which it is based, 22 CFR 123.16(b)(9), use the
      word "temporary"; but both provisions describe permanent exports, since
      there is no requirement ever to return qualifying items to the country
      from which they were exported. It appears that 740.9(a)(2)(ix) should be
      moved from License Exception TMP to become exceptions to the definitions
      of "export" and "reexport" in 739.2 or 772.

8.    Direct product New 740.9(a)(2)(ix) conditions the "temporary exports to 
      a U.S. subsidiary, affiliate or facility in Country Group B" portion of 
      License Exception TMP on no transfer or reexport other than to the 
      United States of the direct product of the exported components, parts, 
      tools or test equipment. However, pursuant to 736.2(b)(3), direct 
      product controls apply only to the foreign-produced direct product of 
      technology and software and only to exports and reexports to Cuba, North 
      Korea, Libya, and countries in Country Group D:1.

9.    Reexports

a.    Tools of trade The new provision in 740.9(a)(2)(i) that tools of trade
      may accompany the individual or be exported after departure of the
      individual applies only to individuals departing from the United States,
      thereby leaving in doubt whether this rule also applies to reexports,
      which are also eligible for this portion of License Exception TMP.

b.    Subsidiaries The new provision in 740.9(a)(2)(ix) perhaps inadvertently
      omits authorization of reexports. If reexports were authorized the
      exception from the prohibition against transfers or reexports should be
      expanded to include the country from which the reexport took place.

c.    Baggage Revised 740.14 clarifies that License Exception BAG applies to
      longer-term moving but retention of the phrase "leaving the United
      States" appears, probably inadvertently, to preclude use of BAG by
      persons moving back to the United States or by any person whose travels
      or moves did not originate in the United States.

      Interim rule addition of "or other disposal" after "Not intended for
      sale" in 740.14(c)(3) is probably intended to preclude transfers not
      involving a sale. However, it would also, probably inadvertently, make 
      items intended for consumption or destruction by the traveler ineligible 
      for License Exception BAG.

10.   Encryption software eligibility for License Exception BAG Revised 
      740.14(b)(4), new last sentence of 740.14(d), new 740.19(f), and new 
      770.2(m) provide that tools of trade encryption software may be exported 
      under License Exception BAG. However, unchanged 740.14(d)(Z) states that 
      this License Exception is not available for encryption software 
      controlled for "EI" reasons under ECCN 5D002.

11.   License changes The word "submit" was inadvertently omitted from revised 
      750.7(c)(2)(i).

12.   SED exemption for baggage The new 758.1(e)(1)(i)(D) SED exemption for
      items shipped under License Exception BAG is limited to tools of trade.
      However, FTSR 30.56(a), as reproduced in 786A Supplement l dated March
      1994, records an SED exemption for other items eligible for License
      Exception BAG and 30.56(b) contains one condition on eligibility for the
      tools of trade baggage SED exemption which is not in 740.14 or
      758.1(e)(1)(i)(D), namely, "shall be in his possession at the time of or
      prior to his departure from the United States for a foreign country."

13.   Encryption software license exceptions The interim rule clarifies, in 
      parts 740, 742.15, and 770.2, the applicability to encryption software 
      of License Exceptions KMI, TMP tools of trade, GOV official use of U.S. 
      Government personnel and agencies, TSU mass market software, and BAG 
      accompanied baggage. In addition, the lack of an EI exclusion for RPL 
      servicing and replacement implies applicability of that License 
      Exception to EI software. However, the interim rule does not revise the 
      following statements in the first Note under 5D002 in part 774, which 
      provide, in effect, that all License Exceptions are inapplicable to 
      encryption software: 
            ... encryption software is treated under the EAR in the same 
            manner as a commodity ... License Exceptions for commodities are 
            not applicable.

14.   Definition of "U.S. person"

a.    Cross references The revised definition of "U.S. person" in part 772 
      adds 740.9 and 740.14 to the list where definitions of this term 
      specific to other EAR parts may be found. However, it omits a reference 
      to 744.9(b), where a definition relevant to technical assistance with 
      respect to encryption items may be found. Greater specificity would be 
      more user-friendly, i.e., by citing 740.9(a)(2)(ix)(B), 740.14(e)(1), 
      746.9(b)(3)(ii), and 760.1(b) instead of 740.9, 740.14, 746, and 760.

b.    Content It seems unlikely that so many different definitions are 
      necessary. The one in 760.1(b) is the most precise.

			      Sincerely yours, 

			      [Signature]

                              William A. Root


[4 pages]

Microsoft Corporation              Tel 425 882 8080
One Microsoft Way                  Fax 425 936 7329
Redmond, WA 98052-6399      http://www.microsoft.com/

Microsoft

VIA FAX

November 6, 1998

Ms. Nancy Crowe
Regulatory Policy Division
Bureau of Export Administration
Department of Commerce
P.O. Box 273
Washington, D.C. 20044

Re: Microsoft Comments on September 22, 1998 Interim Rule on Encryption Export Controls

Dear Ms. Crowe:

On behalf of Microsoft Corporation, I hereby submit comments on the interim final rule published in 63 Fed. Reg. 50516 (Sept. 22, 1998) (hereinafter the "Rule"). As you may recall, Microsoft submitted detailed comments to your department on a draft version of this regulation dated July 1997. The final version of the regulations includes several changes and improvements based in part on these and other comments, for which we thank you. Indeed, the rule is a vast improvement on the earlier draft, which demonstrates the sensibility of BXA soliciting comments on the rule in draft form. We have several additional comments, however, which are provided in the order of the regulations for your convenience:

EAR Sec. 740.8

Sec. 740.8 describes License Exception KMI, which applies to key recovery and key escrow items. As amended by the Rule, however, this section now includes several categories of non-recoverable encryption software. We believe that this is confusing to exporters and especially to their customers, who might be misled into thinking that products exported under this provision embody a key recovery scheme, which would inhibit the marketability of non-recoverable U.S. products. This confusion will be increased as the categories of acceptable non-recovery items expand. We therefore strongly recommend that you move the non-recovery items (Sec. 740.8(b)(2)(i), (ii), and (iii)) to a new license exception, such as proposed License Exception ENC.

EAR Sec. 740.8(b)(2)(ii) and the Longstanding "Money and Banking" Exception

The EAR has long permitted exporters to self-classify commodities and software that are designed and limited for use in banking or money transactions (5A002/Related Controls (h) and by reference 5D002, which also existed as exceptions to encryption controls under the International Traffic in Arms Regulations). It is unclear at best what the difference is between items falling under these longstanding "money and banking" exceptions described in 5A002/5D002 and those falling under this new Section 740.8(b)(2)(ii) for financial-specific encryption products. Financial-specific encryption items should continue to be reviewed via Advisory Opinions as an option, not on a mandatory basis. The new License Exception KMI provision calls for mandatory one-time review of the types of products that have for years been interpreted by the Department of State and the National Security Agency as falling under the provisions of the "money and banking exception." In order to be clear and consistent, and to avoid unnecessary requests for classifications, BXA should move all non-recoverable, financial-specific items to ECCN 5A992/5D992 categories. This could be done via a new definition or a new interpretation. A new definition for "financial-specific" could include detailed language describing the criteria for eligibility (e.g., "highly field formatted with validation procedures and not easily diverted to other end-uses" and/or "to secure financial communications/transactions for end-uses such as financial transfers or electronic commerce"), or the classification could be clarified in a new interpretation. It would be important to make clear in the definition that the concept of "securing financial communications/transactions" includes all forms of communication, such as e-mail.

EAR Sec 740.8(b)(2)(iii)

In Sec. 740.8(b)(2)(iii), License Exception KMI permits the export or re-export of general purpose non-recoverable encryption commodities or software of any key length for use by banks/financial institutions (after a one time technical review or prior issuance of a license). Such exports are subject to Wassenaar reporting. It should be permissible for an exporter of these commodities or software to engage in indirect bulk distribution via non-financial intermediate consignees, such as Systems Integrators or Value Added Resellers, and not be restricted to making individual exports directly to eligible banks and financial institutions. The typical business pattern in this area is for exporter to make bulk shipments of commodities or software to overseas distributors, who over time provide individual units from stock to eligible end-users in accordance with KMI. As with other license exceptions, the exporter and their foreign intermediate consignees are responsible for adhering to the terms and conditions of License Exception KMI. The regulation should be clarified to insure that exporters are not prohibited from export or reexport of eligible commodities or software under KMI to non-bank, non-financial intermediate consignees for re-distribution to eligible end-users. Indirect bulk distribution via non-financial intermediate consignees would appear not to impact Wassenaar reporting - the exporter would submit a Wassenaar report to BXA in accordance with Sec 743.1, giving the ECCN and paragraph reference for the software provided to the foreign intermediate consignee, number of units in the shipment, and country of ultimate destination (as known at the time of export).

EAR Sec. 740 - Supplement No. 3

The limited list of countries whose banks and financial institutions are authorized to receive exports is an unwarranted roll back of authority granted to export to banks and financial institutions in previously issued ELAs by the State as well as the Commerce Department. This puts exporters without existing ELAs at a disadvantage vis-a-vis those with ELAs, and subjects new products to tighter restrictions than older products even if the encryption used in the product is the same. We understand that this policy decision was a result of a compromise among different agencies. Nevertheless, this rollback undercuts the credibility of the Administration's liberalization of encryption policy.

At minimum, the exporting community deserves to be told in advance which countries will be excluded from Encryption Licensing Arrangements to banks and financial institutions in destinations outside said 44 countries (except the seven embargoed and terrorist supporting countries). It is inappropriate not to list countries to which the U.S. will not allow such exports due to money laundering concerns. It appears that the Administration has put diplomatic concerns of not offending countries that do not adequately restrict money laundering ahead of the needs of exporters. Even with advance notification, this rollback of authorization to export products to banks in closely allied countries such as Mexico and other Latin American and Caribbean countries is unwarranted, especially given that banks in those countries may continue to receive products with the same encryption under existing ELAs issued to US vendors prior to these regulations.

In addition, while we understand that BXA intended to put branches of U.S. banks outside the U.S. on the same footing with branches of foreign banks, the fact that the U.S. is not included in this Supplement 3 list has created uncertainty about whether we can rely solely on the definition of "Bank" to achieve that result. We understand that Jim Lewis has given verbal advice to the effect that exporters may ship general purpose encryption items to branches of U.S. banks anywhere, as stated in Commerce Secretary Daley's press release of July 7, 1998. But this is such a fundamental omission that BXA should put this advice in writing on its web page, both the guidance as well as correct the rule by adding the U.S. to Supplement 3, thereby providing exporters greater certainty on this issue.

Part 772 - Definition of "Bank"

As drafted in the interim regulations, Subparagraph (e) of this definition appears to cover only those "affiliates" whose sole and exclusive business is providing data processing services to banks or financial institutions. In our experience, many entities that provide data processing services to banks and financial institutions also provide similar services to non-financial organizations. In addition, these "affiliates" may also develop data processing services and products. Therefore, we suggest that the paragraph be revised to read: "An affiliate of any of the entities listed in paragraphs (a), (b), (c) or (d) of this definition, when it is engaged by the entity for the purpose of developing or providing data processing services or products to a bank or financial institution, or a branch of such an affiliate."

Part 772 - Definition of "Effective control"

We are concerned that identifying specific security measures, such as hotel safes, makes the definition more confusing and unnecessarily restrictive. For example, to protect sensitive business information, many business travelers take precautions to protect the software and data on laptops, such as password protecting "boot up" or encrypting the contents of the hard drive. Requiring the use of a safe or bonded warehouse is inconsistent with modern business practices and would effectively gut the laptop exemption for nearly all business travelers. We believe that the intent of "effective control" is to require the exporter to take positive steps to protect the items being temporarily exported or re-exported. Trying to define the many ways in which an item might be secured is probably unrealistic.

Therefore, we suggest that the definition be simplified as follows: "You maintain effective control over an item when you retain physical possession of the item or take other steps to secure the item." Alternatively, we suggest that BXA consider not defining the term at all.

Part 772 - Definition of "Financial Institution"

Comment 1: The definition should include clearing or settlement services as mentioned in subparagraph (c) of the definition of "Bank."

Comment 2: We suggest that subparagraph (f) be revised in a manner similar to the suggested revision for subparagraph (e) in the definition of "Bank."

Part 774 - CCL Categories 5A002 and 5D002

It would be extremely helpful to create different classification categories for items removed from EI controls. It is very confusing for many exporters whose systems are geared to control items by their ECCNs to discriminate between ECCN 5D002.c.1 EI controlled items that require a license to every destination and 5D002.c.1 non-EI controlled items that are eligible for export to all but seven countries under License Exception TSU. The "classification" appears meaningless. We assume that Customs has similar problems.

The following statement should be eliminated from the first note to ECCN 5D002: "License Exceptions for commodities are not applicable." This is confusing and not necessary, as many license exceptions that are generally used primarily for commodities have been considered by BXA to be applicable to encryption software (TMP, BAG, GOV, etc.)

We appreciate the opportunity to comment on these regulations. Please do not hesitate to contact the undersigned if you have questions or wish to discuss any of these comments.

Respectfully submitted,

[Signature]

Ira S. Rubinstein
Senior Corporate Attorney

cc: Mr. James Lewis
Ms. Patricia Sefcik


[3 pages]

INVESTMENT COMPANY INSTITUTE

1401 H STREET, NW   WASHINGTON, DC 20005-2148   202/326-5800

November 6, 1998

Ms Nancy Crowe
Export Policy Analyst
Regulatory Policy Division
Bureau of Export Administration
U.S. Department of Commerce
14th & Pennsylvania Avenues, NW
Room 2705
Washington, D.C. 20230

Re: Encryption Export Regulation - Interim Rule

Dear Ms. Crowe:

The Investment Company Institute1 (the "Institute") appreciates the opportunity to comment on the Department of Commerce's interim rule on encryption exports.2 The Interim Rule would, among other things, implement new licensing policies for general purpose nonrecoverable, non-voice encryption commodities or software of any key length for distribution to banks and financial institutions in specified countries.

_________________

1 The Investment Company Institute is the national association of the American investment company industry. Its membership includes 7,335 open-end investment companies ("mutual funds"), 451 closed-end investment companies and 9 sponsors of unit investment trusts. Its mutual fund members have assets of about $4.837 trillion, accounting for approximately 95% of total industry assets, and have over 62 million individual shareholders. Many of the Institute's investment adviser members render investment advice to both investment companies and other clients. In addition, the Institute's membership includes 497 associate members that render investment management services exclusively to non-investment company clients. A substantial portion of the total assets managed by registered investment advisers are managed by these Institute members and associate members.

2 Encryption Items, Department of Commerce, Bureau of Export Administration, 63 Fed. Reg. 50516 (Sept. 22, 1998) (the "Interim Rule").

The Institute supports the Interim Rule because it should facilitate secure communications between our members' domestic offices and various overseas entities that play an integral role in the global investment management business. In particular, we are pleased that the Department has included in the definition of "financial institution" most of the key entities involved in the investment management industry, including investment companies (often referred to as "mutual funds"), investment advisers, brokers, dealers, and their branches or affiliates, which are regulated or supervised by the Securities and Exchange Commission, the Commodity Futures Trading Commission, or a foreign securities authority. Our comments below seek clarification that the definition of "financial institution" includes mutual fund transfer agents and administrators, entities that are not specifically identified in the Interim Rule but that are just as vital to the operation of a mutual fund as the other entities mentioned in the rule. We also seek clarification of the circumstances in which U.S. exporters may export directly to retail customers of a bank or financial institution under the Interim Rule.

Mutual Fund Transfer Agents and Administrators

As noted above, the transfer agent function is an important function for mutual fund operations. Mutual fund transfer agents maintain records of shareholder accounts, which reflect daily investor purchases, redemptions, and account balances. These transfer agents typically serve as dividend disbursing agents and their duties as such involve calculating dividends, authorizing payment by the custodian, and maintaining dividend payment records. In addition, transfer agents prepare and mail to shareholders periodic account statements, federal income tax information, and other shareholder notices. In many cases, transfer agents prepare and mail on behalf of the mutual fund and its principal underwriter statements confirming transactions and reflecting share balances. Moreover, transfer agents often maintain customer service departments that respond to telephone and mail inquiries concerning the status of shareholder accounts.

Equally important to mutual fund operations is the administrative function. A mutual fund administrator provides administrative services to a fund. These services, which often are performed by the fund's investment adviser, include overseeing the performance of other companies that provide services to the fund, as well as assuring that the fund's operations comply with applicable regulatory requirements. Administrators typically provide office space, equipment, personnel, and facilities; provide general accounting services; and help establish and maintain compliance procedures and internal controls. Often, they assume responsibility for preparing and filing various regulatory, shareholder, and other reports.

Many U.S. firms sponsor and manage funds that are organized offshore for sale to offshore residents. While the management companies for these funds often are located in the U.S., fund administration and shareholder servicing may be provided by affiliated or third-party entities located outside the U.S. Institute members that are active in sponsoring and/or managing offshore funds have a strong interest in being able to use secure communications between their domestic offices and the overseas entities (including transfer agents and administrators) that service their offshore funds.

Although not specifically identified in the Interim Rule, mutual fund transfer agents and administrators ostensibly are included within the scope of the rule to the extent they are affiliates or branches of the entities named in the rule. It is unclear, however, whether these entities are covered when their affiliation with a mutual fund is based on a third-party, arm's length contractual relationship as opposed to, for example, when they are part of the same financial services organization as the mutual funds' investment adviser.

We believe that because of the essential functions performed by transfer agents and administrators on behalf of the mutual funds they serve, their inclusion in the Interim Rule is intended. To further clarify this intention, and to ensure the inclusion of all relevant entities that play key roles in the operation of mutual funds, we recommend that mutual fund transfer agents and administrators be specifically identified among the entities delineated in Part 772, subparagraphs (a) and (b) of the definition of "financial institution," or, alternatively, that the term "affiliate" in subparagraph (e) of that definition be defined to include entities that are under contract to an investment company or an investment adviser to provide transfer agent or administrative services. In the event that neither of these suggestions can be accommodated, we ask that this clarification be noted in the explanatory material accompanying the final rule.

Direct Exports to Retail Customers of Banks or Financial Institutions

The Institute also seeks clarification of the circumstances in which U.S. exporters may export directly to the retail customers of a bank or financial institution under the Interim Rule. As drafted, the Interim Rule appears to permit U.S. encryption exports to qualifying banks and financial institutions to secure financial communications/transactions with and between those entities and their customers. It is anomalous that U.S. exporters do not appear to have the same flexibility to export encryption to the overseas retail customers of U.S. banks and financial institutions, even when the encryption products do not permit customer-to-customer communications. To clarify the regulations in this regard, we recommend amending the Interim Rule (specifically, 15 CFR Part 740.8(2)(iii)) to permit distribution to overseas retail customers of U.S. banks and financial institutions of general-purpose unrecoverable encryption so long as the products are not useable for customer-to-customer communications/transactions.

* * * * *

The Institute appreciates the opportunity to comment on the Interim Rule. Any questions on our comments may be directed to the undersigned at (202) 326-5822 or to Barry E. Simmons at (202) 326-5923.

Sincerely,

[Signature]

Frances M. Stadler
Deputy Senior Counsel

cc: James Lewis
Director
Office of Strategic Trade and Foreign Policy Controls


[3 pages]

Broox W. Peterson
Senior Vice President &
Assistant General Counsel

VISA

WORLDWIDE PARTNER

VISA INTERNATIONAL
Post Office Box 8999
San Francisco, CA 94128-8999 U.S.A.
Phone 650 431 3161
Fax 650 432 2145
E-mail peterson@visa.com

VIA MESSENGER

November 6, 1998

Ms. Nancy Crowe
Regulatory Policy Division
Bureau of Export Administration
Department of Commerce
P.O. Box 273
Washington, DC 20044

Re: Export Administration Regulations: Interim Rule
Docket No. 980911233-8233-01

Dear Ms. Crowe:

Visa International1 appreciates this opportunity to comment on the Department of Commerce's interim rule (the "Interim Rule") amending the Export Administration Regulations (the "EAR") to clarify the controls on the export and reexport of encryption items controlled for "EI" reasons on the Commerce Control List, published in the September 22, 1998 Federal Register (63 Fed. Reg. 50516).

___________________

1 VISA International is a membership organization comprised of financial institutions throughout the world licensed to use the Visa service marks in connection with payment systems. For purposes of this letter, the term Visa refers to Visa International.

The Visa payments system is the largest consumer payments system in the world. Visa is a joint venture comprised of more than 21,000 financial institution members from around the world that have issued over 640 million Visa payment cards, which are accepted at more than 14 million merchant locations and at over 400,000 automated teller machines worldwide. Visa - which provides transaction authorization, clearing and settlement, and risk management services to financial institution members - supports more than $1 trillion in Visa-related payment transactions annually throughout the world. At peak volume, Visa systems process over 2,400 card related transactions per second.

The secure and smooth functioning of international payment systems such as the Visa system is of critical importance to financial institutions and their customers, as well as the overall world economy. Visa and its member financial institutions around the world must be able to utilize appropriate current and future technologies to secure this payments system.

Towards this end, Visa supports the provisions of Section 740.8 of the Interim Rule that permit, after a one-time technical review, the export and reexport of non-recoverable financial-specific encryption software and commodities of any key length, that are restricted by design for financial applications to secure financial transactions, for end-uses such as financial transfers or electronic commerce. Visa also supports the provisions of Section 740.8 of the Interim Rule that permit, after a one-time review, exports and reexports of general purpose non-recoverable non-voice encryption commodities or software of any key length for distribution to banks and financial institutions located in certain specified countries, provided the end-use is limited to secure business financial communications or transactions or financial communications/ transactions between the bank or financial institution and its customer.

Visa is particularly pleased that, for purposes of these provisions of Section 740.8, the definitions of the terms "bank" and "financial institution" are sufficiently broad to include Visa and its financial institution members. In particular, the definition of the term "bank" includes an entity such as Visa engaged in the business of providing clearing or settlement services, or whose members are regulated or supervised by a U.S. federal or state bank regulator or supervisor or a foreign bank regulatory or supervisory authority. This definition also would include Visa member banks, savings associations, credit unions, bank holding companies, bank or savings association service companies, Edge Act corporations, Agreement corporations, other U.S. insured depository institutions, foreign entities engaged in the business of banking which are regulated or supervised by a foreign bank regulatory or supervisory authority, and branches or affiliates of any of the foregoing regulated or supervised by a U.S. or foreign bank regulatory or supervisory authority or engaged solely in providing data processing services to a bank or financial institution. The definition of the term "financial institution" for these purposes includes U.S. entities engaged primarily in the business of issuing a general purpose charge, debit or stored value card. It is imperative that these definitions, which define the scope of Section 772, are not narrowed in any way that would preclude Visa or any of its member financial institutions from taking advantage of the provisions of Section 772 in connection with the Visa payments system.

Visa does, however, have one concern with the Interim Rule. Certain provisions of Section 772 are not available for certain Visa members located in certain specified countries. While Visa understands the rationale for excluding certain countries from Section 772, these exclusions do create potential problems for worldwide payments systems like Visa's. As discussed above, the efficiencies and other benefits of the Visa payments system for Visa financial institution members and their customers depend upon the uniform operation of the system throughout the world. One of the core strengths of the Visa system is that any Visa cardholder can use his or her Visa card at any of the over 14 million locations around the world at which Visa is accepted. To the extent that aspects of the Visa system cannot be offered in a particular country as a result of a Section 772 exclusion, the benefits of the system for Visa cardholders desiring to engage in Visa transactions in that excluded country and for Visa financial institution members in that country are accordingly diminished. Visa urges the Commerce Department to consider limiting the countries excluded from Section 772 to as narrow a list as possible with respect to the export and reexport of non-recoverable payment-specific encryption software and commodities of any key length that are restricted by design (e.g., highly field-formatted with validation procedures, and not easily diverted to other uses) for payment system applications.

* * * * *

Visa very much appreciates this opportunity to comment on the Interim Rule. If you have any questions concerning this letter, please do not hesitate to contact me, at (650) 432-3161.

Sincerely,

[Signature]

Broox Peterson
Senior Vice President


[7 pages]

Citibank, N.A.          212/559-0142
909 Third Avenue    Fax 212/793-2516
32nd Floor
New York, NY
10043

P. Michael Nugent
General Counsel for
Technology and
Intellectual Property

CITIBANK

By Facsimile

November 6, 1998

Ms. Nancy Crowe
Regulatory Policy Division
Bureau of Export Administration
Department of Commerce
P.O. Box 273
Washington, D.C. 20044

Re: Citicorp Comments on September 22, 1998 Interim Rule on Financial and Other Encryption Export Controls

Dear Ms. Crowe:

On behalf of Citicorp, we hereby submit comments on the interim final rule published in 63 Fed. Reg. 50516 (Sept. 22, 1998) (hereinafter the "Rule"). The Rule adopted changes to the initial rule on Encryption Items published December 30, 1996 and implemented the Administration's liberalized policy for exports of general purpose encryption products to financial institutions, and of financial specific products, a policy first announced in May 1997 and announced in revised form July 7, 1996. As you may recall, Citicorp submitted detailed comments to your department last summer on a draft version of this regulation dated July 25, 1997. We very much appreciate the extent to which you improved the final version of the regulations based in part on our earlier comments. This rule is indeed a vast improvement on the earlier draft, which demonstrates the sensibility of BXA soliciting comments on the rule in draft form. More work still needs to be done, and we hope that the following additional suggestions will help you to make this Rule even more workable for exporters. (Please note that we are commenting on how to improve the Rule within the context of the Administration's existing policy, but this focus in these comments should not be viewed as an endorsement of said policy.)

These comments are provided in the order of the regulations for your convenience.

EAR 734.2(b)(9)(ii)(A)

We appreciate your clarifications to EAR Sec. 734.2(b)(9)(ii)(A) and in particular your continued use of regulations to authorize in a reasonably practical way the practice of making encryption software available for electronic download as long as the person verifies based on information available (addresses) that the recipient is in the United States or Canada. This is a major improvement over the original proposed rule of July 1997.

EAR 734.2(b)(9)(ii)(C)

As written, the final sentence in this paragraph seems to suggest that BXA intends to review acknowledgments in electronic form before exporters may be permitted to use them, although we do not understand that this is what is intended. BXA has not previously imposed such a requirement, and Section 740.6(a)(e), as revised, permits assurances via facsimile, which is but one form of electronic acknowledgment. The Administration has long recognized the validity of clicking on an "I accept button" for example. The final sentence of Section 734.2(b)(9)(ii)(C) should be revised as follows: "Acknowledgments in electronic form are permitted provided that they are adequate to assure legal undertakings similar to written acknowledgments." This statement more clearly expresses what we understand is the intent of this provision.

EAR 740.6(a)(3)

We also suggest that you revise this section to clarify that all forms of electronic assurances are permitted, which we understand to be the current interpretation: "The required assurance may be made in the form of a letter or any other written communication from the importer, including electronic forms such as facsimile, e-mail or clicking on an "I Accept Button". The assurances may also be incorporated into a licensing agreement, a service agreement, or other contract."

EAR 740.8

It is confusing to exporters and to their customers to include non-recoverable items under License Exception KMI, which has until now been used solely for recoverable items. Customers think that exports under this provision embody a key recovery scheme, a perception that inhibits marketability of non-recoverable U.S. products. This confusion will be increased as the categories of acceptable non-recovery items expand. We therefore strongly recommend that you move the non-recovery items (Sec. 740.8(b)(2)(i), (ii), and (iii)) to a new license exception, such as License Exception ENC which has been proposed following the September 16, 1998 announcement by Vice President Gore of further changes to encryption policy. The redundant portions of this paragraph (e.g., subparagraphs (ii)(A)(2) and (iii)(A)(2)) could be stated at the beginning of the new License Exception entry.

EAR 740.8(b)(2)(ii) and the Long-Standing "Money and Banking" Exception

Exporters have long been permitted to self-classify commodities and software which are designed and limited for use in banking or money transactions (5A002/Related Controls (h) and by reference 5D002, which also existed as exceptions to encryption controls under the International Traffic in Arms Regulations). It is unclear at best what the difference is between items falling under these long-standing "money and banking" exceptions described in 5A002/5D002 and those falling under this new Section 740.8(b)(2)(ii) for financial specific encryption products. Financial-specific encryption items should continue to be reviewed via Advisory Opinions as an option, not on a mandatory basis. The new License Exception KMI provision calls for mandatory one-time review of the types of products that have for years been interpreted by the Department of State and the National Security Agency as falling under the provisions of the "money and banking exception." In order to be clear and consistent, and to avoid unnecessary requests for classifications, BXA should move all non-recoverable, financial specific items to ECCN 5A992/5D992 categories. This could be done via a new definition or a new interpretation. A new definition for "financial-specific" could include detailed language describing the criteria for eligibility (e.g., "highly field formatted with validation procedures and not easily diverted to other end-uses," "to secure financial communications/transactions for end-uses such as financial transfers or electronic commerce"), or the classification could be clarified in a new interpretation. It would be important to make clear in the definition that the concept of "securing financial communications/transactions" includes all forms of communication, such as e-mail.

EAR 740.8(b)(ii)(B and C)

We simply want to thank you for grandfathering prior products that have been reviewed for future exports under License Exception KMI to banks and financial institutions and under Encryption Licensing Arrangements. Such provisions to minimize needless applications are appreciated. We propose below that you expand this concept to clarify that future modifications that do not change the encryption functions materially do not require subsequent review, which we understand to be BXA's current interpretation but which is only now provided clearly for mass market software.

EAR 740.9 (a)(2)(ix)

We understand that this part was included because a similar provision was included in the ITAR. Because, under ITAR, software was considered part of hardware, we believe that software should be included here as well. The addition of software would also harmonize this subparagraph (ix) with Tools of the Trade (subparagraph (i)).

EAR 740 - Supplement No. 3

The limited list of countries whose banks and financial institutions are authorized to receive exports is an unwarranted roll back of authority that has been granted in the past for exports to banks and financial institutions in previously issued ELAs by the State as well as the Commerce Department. This puts exporters without existing ELAs at a disadvantage vis-a-vis those with ELAs, and subjects new products to tighter restrictions than older products even if the encryption used in the product is the same. We understand that this policy decision was a result of a compromise among different agencies. Nevertheless, this rollback undercuts the credibility of the Administration's already fragile encryption policy.

At minimum, the exporting community deserves to be told in advance which countries will be excluded from Encryption Licensing Arrangements to banks and financial institutions in destinations outside said 44 countries (except the seven embargoed and terrorist supporting countries). It is inappropriate not to list countries to which the U.S. will not allow such exports due to money laundering concerns. It appears that the Administration has put diplomatic concerns of not offending countries that do not adequately restrict money laundering ahead of the needs of exporters. Even with advance notification, this rollback of authorization to export products to banks in closely allied countries such as Mexico and other Latin American and Caribbean countries is unwarranted.

In addition, while we understand it was the intention to put branches of U.S. banks outside the U.S. on the same footing as branches of foreign banks, the fact that the U.S. is not included in this Supplement 3 list has led some of us to question whether we can rely solely on the definition of "Bank" to achieve that result. We appreciate Jim Lewis' verbal advice to those who ask that exporters may ship general purpose encryption items to branches of U.S. banks anywhere as was expressed in Commerce Secretary Daley's press release of July 7, 1998, but this is such a fundamental omission that BXA should put this advice in writing on its web guidance as well as correcting the rule to put such exports on a more sound legal basis. Including the "United States" on the list would provide exporters greater certainty on this issue.

EAR 742.15(b)(1) - Broaden Approval of Updating with Same Encryption

We very much appreciate the following clarification:

Furthermore, for such software released from EI controls, subsequent bundling, updates, or releases consisting of or incorporating this software may be exported and reexported without a separate one-time technical review, so long as the functional encryption capacity (e.g., algorithm, key modulus) of the originally reviewed mass-market encryption software has not been modified or enhanced.

This concept has been applied to other provisions and should not be limited to the mass marketing context. We recommend that you add it to the provisions for general purpose encryption products for banks and financial institutions, the financial specific provisions, and to others being developed. It would be better to place this provision in a more generally applicable interpretation section at the beginning or the end of EAR Part 742.14 and/or 740.8 so that exporters will clearly know that subsequent versions of products are still covered by a one time review unless the encryption functions have changed materially. This has long been BXA's interpretation.

EAR 742 - Supplement 4

We recommend that BXA add the following phrase after the word "inoperative" at the end of Paragraph (6)(i) of this Supplement: " . . . unless the operable key recovery product produces the key recovery information for all transactions between it and the product with inoperative key recovery features."

EAR Part 772 - Definition of "Bank"

As drafted in the interim regulations, Subparagraph (e) of this definition appears to cover only those "affiliates" whose sole and exclusive business is providing data processing services to banks or financial institutions. In our experience, many entities that provide data processing services to banks and financial institutions also provide similar services to non-financial organizations. In addition, these "affiliates" may also develop data processing services and products. Therefore, we suggest that the paragraph be revised to read: "An affiliate of any of the entities listed in paragraphs (a), (b), (c) or (d) of this definition, when it is engaged by the entity for the purpose of developing or providing data processing services or products to a bank or financial institution, or a branch of such an affiliate."

EAR Part 772 - Definition of "Effective control"

We are concerned that identifying specific security measures, such as hotel safes, makes the definition more confusing and unnecessarily restrictive. For example, to protect sensitive business information, many business travelers take precautions to protect the software and data on laptops, such as password protecting "boot up" or encrypting the contents of the hard drive. Requiring the use of a safe or bonded warehouse is inconsistent with modern business practices and would effectively gut the laptop exemption for some business travelers. We believe that the intent of "effective control" is to require the exporter to take positive steps to protect the items being temporarily exported or re-exported. Trying to define the many ways in which an item might be secured is probably unrealistic.

Therefore, we suggest that the definition be simplified as follows: "You maintain effective control over an item when you retain physical possession of the item or take other steps to secure the item." Alternatively we suggest that BXA consider not defining the term at all.

EAR Part 772 - Definition of "Financial Institution"

Comment 1: The definition should include clearing or settlement services as mentioned in subparagraph (c) of the definition of "Bank."

Comment 2: We suggest that subparagraph (f) be revised in a manner similar to the suggested revision for subparagraph (c) in the definition of "Bank."

EAR Part 774 - CCL Categories 5A002 and 5D002

It would be extremely helpful to create different classification categories for items removed from EI controls. It is very confusing for many exporters whose systems are geared to control items by their ECCNs to discriminate between ECCN 5D002.c.1 EI controlled items that require a license to every destination and 5D002.c.1 non-EI controlled items that are eligible for export to all but seven countries under License Exception TSU. The "classification" appears meaningless. We assume that Customs has similar problems.

The following statement should be eliminated from the first note to ECCN 5D002: "License Exceptions for commodities are not applicable." This is confusing and not necessary, as many license exceptions that are generally used primarily for commodities have been considered by BXA to be applicable to encryption software (TMP, BAG, GOV etc.).

We appreciate the opportunity to comment on these regulations. Please do not hesitate to contact either of the undersigned or Ben Flowe of Berliner, Corcoran & Rowe, L.L.P. (202-293-6117) if you have questions or wish to discuss any of these comments.

Respectfully submitted,

[Signature]

Michael Nugent
General Counsel for Technology and Intellectual Property

[Signature]

Steve Katz
Vice President & Chief Information Security Officer

cc: James Lewis
Ms. Patricia Sefcik


[3 pages]

STEPTOE & JOHNSON LLP

1330 Connecticut Avenue, NW
Washington, DC 20036-1795
Telephone 202.429.3000
Facsimile 202.429.3902
http://www.steptoe.com

R. N. "Fritz" Fielding
202.429.6468
rfieldin@steptoe.com

November 6, 1998

Ms. Nancy Crowe
Regulatory Policy Division
P.O. Box 273
Department of Commerce
Washington, D.C. 20044

Re: Interim Rule Promulgated on September 22, 1998 (63 Fed. Reg. 50516)

Dear Ms. Crowe:

The Interim Rule published in September 1998, 63 Fed. Reg. 50516, clarified many of the provisions of the EAR that relate to encryption items. The Interim Rule, however, did not address technical assistance. Since the Department of Commerce assumed responsibility for commercial encryption exports, it has become apparent that the scope of the technical assistance provision (15 C.F.R. 744.9) needs clarification. We urge you to provide such clarity as soon as possible.

As you know, the technical assistance provision is unique to the encryption control regime. It requires an export license if a U.S. person is providing technical assistance to a foreign national with the intent of aiding in the development or manufacture of encryption commodities or software that would be controlled for EI reasons by the U.S. The difficulty with this language is that a literal reading, uninformed by policy, could lead to the mistaken impression that the provision covers any assistance regardless of whether the assistance relates to encryption. Since we doubt that the Commerce Department intends such results, we recommend revising the language to bring it into accord with policy.

By way of illustration, consider the situation in which a U.S. engineer is asked to assist a foreign person to debug a radio or software program that includes Triple DES, general-purpose data encryption. Let's assume that the assistance does not relate to the encryption features of the radio or software. Would the U.S. require an export license before the engineer provided such assistance? As noted above, a literal reading of the language of the technical assistance provision would suggest a "yes" answer. The U.S. engineer is providing what would appear in lay terms to be technical assistance. The assistance is provided to a foreign person. The assistance is provided with the intent of aiding the foreign person in the manufacture of a radio or software program that includes encryption the U.S. would control for EI reasons.

Consider another scenario. A U.S. company produces widgets with encryption. The widget with the encryption is controlled for EI reasons. (Without the encryption it would not be controlled.) Because the U.S. company wants the world to standardize on its technology, it develops a protocol document that it proposes to distribute to interested parties around the world. The protocol provides a technical description of how the various features of the widget operate, including the encryption feature. In the encryption portion of the protocol, the U.S. company merely identifies the encryption algorithm as well as how the encryption is keyed and a high level description of how the encryption will interface with the rest of the widget. However, it does not provide the encryption or key management algorithms, much less the cryptographic API or other code that would make the encryption functional.

The protocol documents are technology, but not likely controlled technology as they do not include the encryption or the details of the interface. But does provision of the protocol constitute controlled technical assistance? Again, a literal reading of the regulations would seem to suggest a "yes" answer. The protocols are technical data and providing them would certainly assist the recipient. Moreover, by the terms of this scenario, the protocols are provided to a foreign person with the intent that such person can produce the widget with encryption, albeit once they obtain the raw materials and the encryption.

Whether intended or not, it is easy to see how such a literal reading of this provision could have a chilling effect on legitimate commercial activities. Companies either forego the opportunity to provide assistance or they incur the costs and delays inherent in obtaining a license (or an opinion that a license is not required). This chilling effect is particularly troubling where, as in the second scenario, the assistance takes the form of the provision of technology. Arguably, technology is speech protected by the First Amendment.

The Government is addressing the First Amendment implications of technology controls in the context of ongoing litigation challenging its regulation of encryption software and source code exports. The Government's position in that litigation is that the controls are proper because, in contrast to other types of software, encryption software/source code provides the very functionality that gives rise to the national security interest in encryption. Even if encryption software or source code is considered protected speech, the Government's controls have only an incidental impact on that speech and are no more restrictive than necessary to achieve legitimate national security interests.

The Constitutional merits of the Government's arguments remain to be seen. However, the Government is to be commended for staking out a position that tries to limit the impact of the regulations by focusing on the principal interest at stake, i.e., controlling the export of functional encryption capabilities. Unfortunately, the broad impact that a literal reading of the technical assistance provision permits is inconsistent with the position the Government has taken in the litigation and serves to aggravate the chilling effect noted above. Therefore, we urge the Commerce Department to take quick action to clarify that the scope of the technical assistance provision is not intended to restrict activities other than those required to achieve encryption functionality. We specifically recommend using the term "required" in the clarification. It is a defined term in the Export Administration Regulations (EAR) that exporters have worked with over the years. This history will aid exporters in understanding when technical encryption assistance requires an export license.

If you have any questions, please call me.

Sincerely,

[Signature]

R.N. Fielding

RNF:jb


[End comments]

Conversion to HTML by JYA/Urban Deadline.