Statement by Commerce Secretary William Daley.
Re: Administration encryption policy.

Date: September 16, 1999.
Source: Department of Commerce.


Remarks by Secretary of Commerce William M. Daley
White House Press Room
September 16, 1999
Washington, DC
[As Prepared For Delivery]

We can all welcome today's update of our encryption policy. It is a good example of a government process that worked.

The agencies involved, from national security, law enforcement and Commerce, had a common objective -- to provide the tools to keep our nation safe while taking technological advances and market changes into account.

This may have taken longer than some would have liked, but the outcome is a sound one. This new update continues to provide the balanced encryption policy the President wants. It is a policy that will continue to protect national security while letting us take advantage of the substantial promise of electronic commerce.

In saying that, I want to be clear that the Commerce Department supports all three parts of this program. The export control liberalization is balanced by the additional tools for law enforcement and the additional resources being devoted to improving the privacy and security of government information systems.

The result will be a government with more secure systems, a law enforcement community better equipped to deal with the increased use of encryption by criminals and terrorists, and an industry able to compete effectively in the global marketplace.

We have said from the beginning our policy is intended to reflect market realities -- and there are few sectors where that reality is changing faster than computer hardware and software.

As electronic commerce grows in importance, the ability to conduct it securely and privately becomes more critical. For example, analysts estimate fraudulent Internet and e-commerce transactions now account for as much as half of all credit-card fraud. One study suggests privacy concerns among online shoppers could cut $18 billion off a projected $40 billion in total e-commerce revenues by 2002.

This is clearly not only an American problem. E-commerce totals in the U.S. will account for only 54 percent of the world's e-commerce spending by 2003, according to a report from International Data. The report also found that by the end of this year, 60 percent of all Web users will live outside the U.S.

Obviously, exports will be a key factor in our industry's ability to maintain its lead. Exporters should welcome today's announcement for precisely that reason.

At the same time, however, I want to make clear, the fundamental reason for this change is our national security. We are taking steps needed to allow us to continue to protect vital national security functions and meet the defense requirements of the next century.

Today's update continues the three fundamental principles of our encryption export control policy:

First, the new regulations will permit any encryption product or software with a key length over 64 bits to be exported under a license exception to commercial firms and other nongovernment end users in any country except for the seven state supporters of terrorism. This means that exporters will be able to ship freely once Commerce has reviewed their products and classified them.

The seven state supporters of terrorism are Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria. We've decided that encryption exports which we previously allowed only for a company's internal use can now be used for external purposes such as communication with other firms, supply chains and customers. This step will be very helpful in building electronic commerce.

Additionally, telecommunication and Internet service providers will now be able to use any encryption commodity or software to provide services to commercial firms and nongovernment end users.

Second, retail products with key lengths over 64 bits -- those that do not require substantial support, are sold in tangible form or have been specifically designed for individual consumer use -- may be exported under a license exception to all end users, including governments, except in the seven state supporters of terrorism.

These regulatory changes basically open the entire commercial sector as a market for strong U.S. encryption products. Exports to governments can be approved under a license.

Third, the new regulations will also implement our international commitments for encryption controls. Last year, the Wassenaar Arrangement -- thirty three countries which have common controls on exports, including encryption -- made a number of changes to modernize multilateral encryption controls.

Among these changes, the U.S. will decontrol exports of 56 bits DES and equivalent products, including toolkits and chips, to all users and destinations except the seven state supporters of terrorism after a technical review.

In addition, exports with key lengths of 64 bits or less, including chips, that fall under the Wassenaar Arrangement's definition of mass market will also be decontrolled.

As I have mentioned, post-export reporting is a fundamental part of our new export policy. Reporting will now be required for any export to a non-U.S. entity of any product above 64 bits.

Reporting helps ensure compliance with our regulations and allows us to reduce licensing requirements. When we draft our regulations, we intend to consult with industry to ensure that the reporting requirements will be streamlined to reflect business models and practices, and will be based on what companies normally collect.

We hope to have the implementing regulations published in the Federal Register before December 15. This approach will provide the framework for U.S. industry to help construct a new global network for electronic commerce while maintaining reasonable national security safeguards.


Clinton Administration
Encryption Policy Update
September 1999


Summary

1. Global exports to individuals, commercial firms or other nongovernmental entities
Any encryption commodity or software of any key length can now be exported under a license exception (i.e., without a license) after a technical review, to commercial firms and other nongovernment end users in any country except for the seven state supporters of terrorism. Exports previously allowed only for a company's internal use can now be used for communication with other firms, supply chains and customers. Additionally, telecommunication and Internet service providers may use any encryption commodity or software to provide services to commercial firms and nongovernment end users. Previous liberalizations for banks, financial institutions and other approved sectors are subsumed under this Update. Exports to governments can be approved under a license.

2. Global exports of retail products
Retail encryption commodities and software of any key length may be exported under a license exception (i.e., without a license) after a technical review, to any recipient in any country except to the seven state supporters of terrorism. Retail encryption commodities and software are those products which do not require substantial support for installation and use and which are sold in tangible form through independent retail outlets, or products in tangible or intangible form, which have been specifically designed for individual consumer use. There is no restriction on the use of these products. Additionally, telecommunication and Internet service providers may use retail encryption commodities and software to provide services to any recipient.

3. Implementation of the December 1998 Wassenaar Arrangement Revisions
Last year, the Wassenaar Arrangement (thirty three countries which have common controls on exports, including encryption) made a number of changes to modernize multilateral encryption controls. As part of this Update, the U.S. will allow exports without a license of 56 bits DES and equivalent products, including toolkits and chips, to all users and destinations (except the seven state supporters of terrorism) after a technical review. Mass market encryption commodities and software with key lengths of 64-bits or less which meet the requirements of Wassenaar's new cryptographic note will also be eligible for export without a license after a technical review.

4. U.S. Subsidiaries
Foreign nationals working in the United States no longer need an export license to work for U.S. firms on encryption. This extends the policy adopted in last year's update, which allowed foreign nationals to work for foreign subsidiaries of U.S. firms under a license exception (i.e., without a license).

5. Export Reporting
Post-export reporting will now be required for any export to a non-U.S. entity of any product above 64 bits. Reporting helps ensure compliance with our regulations and allows us to reduce licensing requirements. The reporting requirements will be streamlined to reflect business models and practices, and will be based on what companies normally collect. We intend to consult with industry on how best to implement this part of the Update.