Commerce Announces Streamlined Encryption Export Regulations

Washington, DC - The U.S. Department of Commerce Bureau of Export Administration (BXA) today issued new encryption export regulations which implement the new approach announced by the Clinton Administration in September.

Today's move permits U.S. companies to export any encryption product around the world to commercial firms, individuals and other non-government end-users under a license exception (i.e., without a license). In addition, "retail" encryption products which are widely available in the market can now be exported to any end-user including foreign governments. In most cases, a one-time product review by BXA continues to be required. Post-reporting requirements are reduced to track industry business models.

"This policy helps business and promotes e-commerce by adjusting our regulations to marketplace realities that U.S. companies face when they try to sell their products overseas. We've also worked very hard to address privacy concerns and to ensure that our law enforcement and national security concerns are met," said Commerce Secretary William M. Daley.

For source code, the regulation reduces controls further than announced in September. Commercial encryption source code, encryption toolkits and components can now be exported under license exception to businesses and non-government end-users for internal use and customization and for the development of new products. In addition, the regulations relax restrictions on publicly available encryption source code, including by posting on the Internet.

The regulation further streamlines requirements for U.S. companies by permitting exports of any encryption item to their foreign subsidiaries without a prior review. Foreign employees of U.S. companies working in the United States no longer need an export license to work on encryption.

In addition, the guidelines also implement agreements reached by the Wassenaar Arrangement in December 1998 by decontrolling 64-bit mass market products, 56-bit encryption items and 512-bit key management products. Today's changes do not affect restrictions on terrorist supporting states (Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria), their nationals, and other sanctioned entities.

In developing this regulation, the Administration worked closely with stakeholders to continue a balanced approach. The government will review the workability of the regulation, receiving public comments for 120 days. A final revised rule will be issued shortly thereafter.

Attached is a comprehensive fact sheet that outlines the new export control guidelines.

Free Speech | Data Privacy | Government Surveillance | Cryptography | Domain Names | International | Bandwidth | Security | Internet Standards, Technology and Policy Project | Terrorism | Authentication | Right to Know | Spam

Our Mission / Get Involved / Staff / Publications / Links / Search CDT / Jobs / Action! Previous Headlines | Legislative Tracking | CDT's Privacy Policy