US restrictions on exports of cryptographic equipment and software

Journal of World Trade

Volumn 32, Issue 1, 1998, Pages

  Becker, Stephan E ^a  

^a Shaw Pittman and Trowbridge   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

EID: 11544276599     PISSN: 10116702     EISSN: None     Source Type: Journal    
DOI: 10.54648/trad1998001     Document Type: Article

References (57)

1. This article is not, and should not be used as, a substitute for legal advice. The US export control regulations are complex and subject to frequent revisions.
2. National Research Council, Cryptography's Role in Securing the Information Society, 52-54 (National Academy Press, 1996).
3. See W.A. Hodkowski, The Future of Internet Security, 13 Computer & High Tech. L.J. 217, 229-31 (February 1997).
4. J. Kerben, The Dilemma for Future Communication Technologies: How to Constitutionally Dress the Crypto-Genie, 5 CommLaw Conspectus 125, 125-26 (Winter 1997).
5. As note 2, above, at 63. Thus, for an asymmetric system to be as secure as a symmetric system, the asymmetric system must have a relatively longer key length.
6. The need for key recovery systems derives from such potential problems as individuals losing or purposely withholding keys to encrypted data.
7. See Statement of Louis J. Freeh, Director of the Federal Bureau of Investigation, Before the Permanent Select Committee on Intelligence of the House of Representatives (available at http://\vww.fbi.gov/congress/ encrypt4/encrypt4.htm).
8. The establishment of a universal system for the use of "digital signatures" for message authentication is itself considered an important subject of government policy, although the issue has not yet attracted the same level of attention in the United States as it has in Europe. See, for example, European Commission, Communication from the Commission to the European Parliament, Towards a European Framework for Digital Signatures and Encryption: Ensuring Security and Trust in Electronic Communication, COM (97) 503 (1997) (available at http://www.ispo.cec.be/eif/policy).
9. 22 U.S.C. §§271 et seq. The provisions that specifically authorize the regulation of commercial exports of defence articles and services are contained in 22 U.S.C. § 2778.
10. 22 CFR §§ 120-130.
11. 22 CFR § 121. The US Munirions List generally corresponds to the Munitions List of the Wassenaar Arrangement (the successor to the Coordinating Committee on Multilateral Export Controls, which was known as the COCOM).
12. 50 U.S.C. App. §§ 2401 et seq.
13. 15 CFR §§ 730-774.
14. The Export Administration Act actually expired in 1994, and has not yet been renewed because the Congress has been unable to agree on proposed revisions to the law. The President has extended the law by issuing executive orders pursuant to the International Emergency Economic Powers Act (IEEPA), 50 U.S.C §§ 1701 et seq., according to the theory that a lapse in export controls would be a threat to national security. As the "emergency" is the failure of Congress to enact legislation, rather than actions of a hostile foreign nation, there have been questions regarding whether the President's use of the IEEPA in this manner is appropriate. Nonetheless, especially because Congress has repeatedly acquiesced in the President's use of IEEPA to maintain the Export Administration Regulations, the current regulatory regime has withstood the challenge.
15. The Commerce Control List includes the categories contained in the Wassenaar Arrangement Dual-Use List, plus additional categories that the United States regulates unilaterally.
16. Licenses are normally issued on a transaction-by-transaction basis. Accordingly, an exporter submits an application for approval to export a specific quantity and value of specified items to one foreign purchaser. Multiple shipments can be made against the license during its validity period (usually two years).
17. 22 CFR § 122.
18. This procedure effectively establishes a presumption that the products are regulated under the ITAR, unless the State Department decides otherwise.
19. 22 CFR § 124.15.
20. Memorandum of the President on Encryption Export Policy (15 November 1996), reprinted in BNA Daily Rep. Execs., 18 November 1996 at M-1; Executive Order No. 13026 of 15 November 1996, 61 Fed. Reg. 58767 (19 November 1996).
21. The Export Administration Regulations contain a procedure by which exporters can request that the Commerce Department evaluate the foreign availability of products subject to licensing requirements. 15 CFR § 730, Supp. No. 2. The Executive Order exempted cryptographic products from this procedure.
22. As note 20, above.
23. 61 Fed. Reg. 68, 572 (30 December 1996).
24. 15 CFR § 774, Supp. No. 1, ECCNS 5A002 and 5D002.
25. Those countries are Cuba, Iran, Iraq, Libya, North Korea, Syria and Sudan. See 15 CFR §§ 742.8, 742.9, 742.10 and 746. Even if a cryptographic product is not otherwise controlled or qualifies for export to other countries under a License Exception, exports and re-export to these countries are regulated in most cases.
26. 15 CFR § 740.13(d)(3).
27. 15 CFR § 742, Supp. No. 6.
28. DES is the Data Encryption Standard, a symmetrical cryptographic algorithm that was published as a US government standard in 1977. As note 2, above, at 417-18.
29. 15 CFR § 742.15(b)(3).
30. As of November 1996, at least 37 companies had submitted key recovery development and marketing plans to the Commerce Department.
31. 15 CFR § 742, Supp. Nos. 4, 5 and 7.
32. 15 CFR § 742.15(b)(4).
33. The Commerce Department has proposed, but has not yet implemented, the creation of another category of license exception for cryptographic software dedicated for use in financial transactions. After a one-time review, such software could be exported without restriction regardless of its encryption strength. Commerce Department Press Release, 8 May 1997 (available at http://www.bxa.doc.gov/banks2.htm).
34. S. Liebs, The Secret Sharer - Why Powerful Encryption Software Has Made Phil Zimmerman an Enemy of the State, Netguide (1 May 1995) at 65; U.S. Drops Probe Boulder Code King Escapes Prosecution, Denver Post, 12 January 1996, at E-01.
35. S. Liebs, The Secret Sharer - Why Powerful Encryption Software Has Made Phil Zimmerman an Enemy of the State, Netguide (1 May 1995) at 65; U.S. Drops Probe Boulder Code King Escapes Prosecution, Denver Post, 12 January 1996, at E-01.
36. 925 F. Supp. 1 (D.D.c. 1996).
37. The ITAR do not apply to "information" that is in the "public domain". 22 CFR § 125.1. "Public domain" means "information which is published and which is generally accessible or available to the public". 22 CFR § 120.11. Books are usually considered information that is in the public domain.
38. " "Source code" is computer programming expressed in a "high level" language. Source code must be translated into "object code" (a binary system of 0s and 1s) to be useable by a computer. Programs contained on diskettes or hard drives are in object code.
39. 925 F. Supp. at 5.
40. The Fifth Amendment provides, inter alia, that no person "shall be deprived of life, liberty, or property without due process of law...".
41. 925 F. Supp. at 13.
42. The First Amendment provides, inter alia, that "Congress shall make no law... abridging the freedom of speech".
43. 925 F. Supp. at 9.
44. This test for restraints on speech was established by the Supreme Court's ruling in United States v. O'Brien, 391 U.S. 367 (1968).
45. 925 F. Supp. at 11-12.
46. 922 F. Supp. 1426 (N.D. Cal. 1996); 945 F. Supp. 1279 (N.D. Cal. 1996); and 974 F. Supp. 1288 (N.D. Cal. 1997).
47. Perhaps significantly, Snuffle was a not a finished software product and the parties disagreed as to whether it was actually "software" at all. Although the court asserted that its ruling applied to all forms of cryptographic software, it is not clear that the breadth of the court's decision was necessary or appropriate.
48. 922 F. Supp. at 1435.
49. 945 F. Supp. at 1289-90.
50. 974 F. Supp. at 1309-10.
51. Security and Freedom Through Encryption (SAFE) Act, H.R. 695, H. Rep. 105-108, 105th Cong., 1st Sess. (22 May 1997).
52. Amendment in the Nature of a Substitute to H.R. 695 (11 September 1997).
53. The United States currently does not have any restrictions on the domestic use of cryptography.
54. S. 909 (introduced on 16 June 1997).
55. See United States v. The Progressive, 467 F. Supp. 990 (W.D. Wis. 1979), a case in which the government obtained a preliminary injunction preventing the publication of an article that allegedly explained how to build a hydrogen bomb. Later, after an unrelated newspaper published the same information, the government dropped the case. A Case Not Closed, Newsweek, 1 October 1979, at 45.
56. Current pilot projects are focused on key recovery for stored data, rather than electronic communications in transit. Government Pursues Encryption Policy with Showcase of Key Recovery Products, BNA, Daily Rep. for Execs., 6 November 1997, at A-I1.
57. A system that allowed the US government access to encrypted data without the knowledge or approval of the user will obviously not be attractive to a foreign customer.