ENCRYPTION POLICY (W/ ATTACHMENTS)

Created: 9/11/1996

OCR scan of the original document, errors are possible

THE DIRECTOR Or CENTRAL rXTETJJGZNCETCN,

6

-HZ VTCEDETJTCH

ft fogy.

hXMn3 Caf CfwrnTrifllrecovery encryptica products.

ramJ

nnounced that in Sente-ie- aWhilS public sa_'etv and'nl^bLl

use oford&ble ccnaercial eacrvot'on irfll alcnc withelectronic czm^^ZZ' industry to retain Us demist narketbynoncryption into cor^ur.icatioas, cosrput--

>, s

*cc*sswith the lit

Our goal is global adoption ofystem. Kmether countries share our public safaay concerns andsimilaa-national security concerns- Indeed, if. were co lift our export controls, "several countries,r.ce, would almost eartainly adept import restrictions ca coerzerciai encryption. Although"predicting outcomes in this rapidly moving ceeanoiogy is difficult, such restrictions could slow che dovelcprae.it or" secure international electronic commerce. Thus we believe aur allies will welecce. our leadership iniccie oC che road

solutioa-

At present, tbere are co domestic control- on encryption. Our principal lever is export controls, which can influence industry because it seeks to develop produces chat work worldwide. Thus, our proposal would ease export ccatrois in ex chance fas industryco suile key recovery products and supporting infrastructure.

This policy dees net satisfy industry, which arguestrongec^tr.clacy without key recovery is already widely available and that its use should ca eneouragee. Further, building andey recovery infrastructure will cake years. Industry wants to export stronger prcdacts now, cc preserve their-market share, the recent National Research Council encryption policy report supports industry's position.

Tha policy also does not satisfy cur law enforcement conrounity, which argues that kay recovery should be made mandatory, so that domestic and ir.cernaticncl law enforcement capability is not eroded. He have rejected the policy option ofecause we believe legislation to ban use cf encryption in. private cocancnicacicns will not he adopted her- or abroad, notably in Germany aad Japan. ave aisc rejected tha policy Option ofacausa it risks unacceptable daccntrci legislation from Congress, would encourage tha develf foreign encryption while continuing the constraint. industry, and ultimately undermine. Government's ability to Influence the development cf encryption technology.

We aaad to act now tc minimize tha risks to national security and public safety, cut short tho widespread use cf encryption that is inaccessible to law enforcement, spur the development cf key recovery, and assure. products retain their market dominanco worldwide.

As approved by ths Vice President in5 wcuic continue to expend the purchasey recovery products. government use, promote key recovery in interna tic rial discussions, and stimulate the development at innovative ksv recovery products.

If vc:ith this middle of craneridationa require year* decision:

1- Temporary relaxation of export controls.

He propose to pemit the exportbit key length Data Encryption Standard (DESJ encryption products, without fcev recovery, on the sanes we now eer-it the aroorcbit key length products. This relaxation would last two vears, renewable annually thereafter. Extort-licenses vculcfbe cantiagent on exporters' cotnmitnent and adherence to explicit benchmarks and milestones for developing and incorporating keu recovery into their products fincludinc an identified trusted" party) and building the supporting infrastructure internationally. Cnce key recovery isglohailv viable, only such products would be licensed -or export.

We would consult with industry and nonitor progress closely, using licensing regulationspecial government-industry group. Ke would suspend licenses if aiiestones vera not net.

This approach prcactes.. secure electronic commerce, increases the chance that kev recovery will spread worldwide, and lowers risk. intelligence collection and lav enforcement iron use of even stronger, foreign made encryption products. However, thereisk that this liberaliraticn coulde facto standard without key recovery that will hamper intelligence and law enforcement in the future;

State, Ccnnaerce, Defense, $ZC, NSC, and CMS support this proposal, provided that we obtain credible corraitments from industry.

Justice opposes this proposal. It believes that we cannot ensure taat industry will abide by its commitments, and that there are inadequate incentives for it to dose in the absence of legislation. Therefore, this option will result ia the prolifaracion of strong encryption for an indefinite period, justice proposes instead that this prcocsai be refashioned as

out,-

legislation chat wade: permit the exportbiz fcr two years; after two years, permit che export: op/ recovery produces; and after two years, bam theoo?* omestic manufacture, sale or distribution! cf encryption that does not have key recovery.

OSTP also opposes che recoaaendation, arguing that che iiheraiiratior. will be difficult to retract, especially if foreign companies are selling similarST? would makebit liberalization permanenc (except for companies that fail to meet theirnd focus instead or. promoting key recovery forac. stronger er.crvncion nrroducts" the market will demand.

Proponents' response to Justice: ffe have adoiaistrative authority to implement the first two parts of the Justica proposal. Seeking this legislation would cause unacceptabia delay and create unpredictable outcomes. Proponents* resoor.se to CSTP: The Cwo-year cap is needed to signal our seriousness about key recovery.

If you acraa, we willtatement like that at Tab A. An orove

Disaoorove

2. Transfer encryption. State to Commerce.

The export of encryption is currentlytate under the Arms Export Control Act. industry believes control by Ccmaerce under che Export Acninistraci.cn Act is .more consistent with encryption's dual-use nature. Industry also views the Ccsasree licensing process as nore predictable, timely and export friendly. The transfer is thus anarrot to convince industry co promote key recovery.

He would accomplish the transferw Executive Order, which would remedy previsions in the SAA which are inappropriate for encryption,residential directive. Justice would be included in licensing decisions (currently limited to Commerce, State, Defense, Energy end ACDAJ . He would also insist that theeing considered by Congress contain crocecticns for encryption {in particular limiting judicial revdew of export decisions;. Jurisdiction would be transferred back to State if the new EAA did noc contain such protections.

Ail agencies and EC? offices support the tracsimz oC Jurisdiction, as reflected in the craft E0 anc POO anad

Approve

D

3. Key recovery le<t* *'a. tier..

We are drafting proposed legislation that will facilitate the developmentarket for key recovery prccucts and kev management infrastructure, hy authorizing:

Tha Secretary of Commerce torecovery agents;

Legal conditions fcr keys to ha released to law enf or cement.-

" Crixinai charges for misuse of another's keys;

Protection of key recovery agents from liability for ccmpiving with legal orders to produce keys; and.

Criminal charges for using encryption ir. committing

cri^e.

you agree, we will refer draft legislation to CMS fcr interagency review acd forwarding to Congress.

Approve

Disapprove

Attachments

Tab A Oraft Encryption Policy Statement Tab a Craft Presidential Decision Directive Tab C Draft Executive Order

ACacoracar A

WkLFT Statement on Encryption Initiative

pmidedort icass aarte products satuseicRCl and *C4 dacrtoT

of ornA^f"omrairracnts to wppcrt the devdopmcat'tnd sale

Thai rxanac^d: pernor* aexvpiion users voluntary tooare encrypt key arted pnvatc scctcrparty wfa0 wooid provide ie kev to then cmersency. or to law rafctcameat officials acting oader proper authority.

Peon ry rrcoverv. fcocrtfcrcaafflC^aireduces will be transferred from the?Department. Tne Adrnirastratiou also will seek recovery. Al announced by thence

Z govcr:inieac th= purchase of key

stamnlate the development ot umovative key recovery produces.

fbe issued contingent on consents

2bcerportting key

C^and aconaxzssoc, ft will suspend licenses if nulestones are notkey recovery ,such products will be Ucensed

FOR OFTICIALXY

SpcuiScaiiy, Snnsto export 5tf-btt DES products will be required toata recovery product development plan curing tie licensing prccsss. Tec pbra wiL":

address such elements as research and development, testing, preencdoo,rtnketing;

mc:cde an assessraent of tee overall taarjeet potential for data recovery products and services;

be updatederai-annual progress report; and.

noc be publicly releasabte to protect business

Iq addition, industry representatives will be invited to pardcinateoint Diiciic-prfrate Data Recovery InamstroctQie Commission. Tie nmchoos of the Commission will include:

developing altercadvc approach eglobal data recovery architecture; advising the Secretary of Commerce on licensing policy based on progress towardslobal msastmcnire and Icssoos-lcamed trom key recovery iople-aeatarioc;

advising the Attorney General oq technical ccnnccncc issuesis access to escrowed keys.

identifying other technical, policy, and program issues for governmental action. The goveratnent will reevaluate me reiaxaticn policy at the end of the two year

period.

Questions and Answers about the Encryption Liberalization Initiative

ill the US stop ths exports of noa-kcy-tecovery encryption orocucts at the cad of two years?

A; Yes. The plan is to Step experts of any product that does not support key recovery unless unavoidable circumstances delay the erection of the key recovery icfimsnrucrure so that It is impractical to sell such products baiernationally. The government wQl be advised on this rratter bv the Data Recover/ Infrastructure Conunission.

FOR OFFICIAL USE OPfLV

i/as 'ii

ocs the two years begin from the dun cf is new rerrtiarion or from the dale of ae approved export?

A; Toe wo yearsays after ihe ecArtive date of the final regulation. The delay will permit exporters to file acpuciticns before th- beginning of rue two vear period

ear does fc mean toey recovery prodece? Is it suScieat to make the product but tot spend rates advertising and msrieringtie Drognnn?

A: Data recovery product development plansaddress such elements as research and development, testing, production, and marketing. We arc looking for geatnee commitments, comcicusurafe with the size of Dae nuukrt involved, Tne government ^ill suspend licenses if milestones are not met

After two years, willcommirmmt rccuirerm cop damsels, sales of products mat do net support key recovery?

A: The gevernment has no plans to control the domestic sale of encryption products.

a producerusiness decisioa that ii cannot afford to enter the marketthat support key recovery, is it fair to step them from competing for exports onplaying fieldarger competitor exporting the same encryption productlarger competitor has given theommrrrsent toroduct?

A: We will require all Grms toey recovery product deveiopeenc oka earring the export U'ceosingprocess. While we will rake into tcsouat m= business situation of the individual Snns, we believe they wffl need n> incorporate key recovery into their business plans in order to remain competitive.

a reseller or end-user is rise exporter, how will the process provide forfor the product producer to give the accessary cooiaaiunrnt? If thedees giveommitment, may ether parties export coa escrow products?

A; All exporters willeymct der/rlopmen: planart of me export licensing process. Ifisroduce producer, the proposal should cirhcr reftccr the use of products thai are airetdy tppcmd for export, or address plans for marketing and disiriburion related to products thar support key recovery.

FOR OFFICIAL CSX OP<XY

ATTACHMENT S

EsecrtiffK Order Vo XXSXX

Adhrla-Straaop of Scxrrt Control* on Ercrvrricn Prr^ipr^

By the authority vesatd in mc as rresiceat by tbe Consthrtiou. aad the laws of the United Suss of America, including but cot firahed to too ha=rnahocai Emergency Eccnocaic Powers1 etn order to take auartionat steps with resoect to the national emergency described and declared ia executive Orderf4 and connxned on5 aad onttUAM I. CLINTON, President of -Jc Unfed States or" Ac erica, find that it is necessary that the provinces set forth below shall apply to admrrastratioa of the export eanrrol system aahniined bv the Export AdciiauaaricQ Regalauocs, IS CFRtthecconamg'ly, 'A is heretrv ordered as toEOws:

PFPnciit Of EiKPpeoan order to provide tor apprcotiate controls on the export and forage disserrJnancn of encryption prcduos, exDott corjtrcls of eacrypaoo products Chat are or would be, on tins due, desiyinrrd as defease articles designatedin Category XHX of tbe United Stana Mirma'oas List and. regokteri by the United States Department of State pnrsnant to the Arms Export Control Act,3 ctheut that subsequently are placed oo the Commerce Control List in the EAR, dull be subject to the following conditions:

ave detecaacra that the export of eocr/pdoo predacts described ia tins section ma? namn cariorrtl security and foreign policy hu-resn even where comparable products are or appear to be available &oe sodtccs outside the United States, and that facts and quesdous COTcernjcg the foreign availability of such eocxyptiba prodnets caaoot be subject to oublie disciosare or judicial review without levcaEag or bepf-ririflg classified hifotmahoa that'coald bacn United States national security and rcre'gu poccy interests. Accordingly,)tbe Erport Aflminiffnrnn Act of0c)s amended and as continued hi erxecr by Erecntive Order1 ofnd by Notices of5 andE other analogous provisions of the EAA telatiag to foreignnd the raguktiorri in the EAR relating co such EAA provisions, shall not be appucable with respect co export controls on scch eaaryptioa erodects. Namtimsnu-drng mis, the Secreary may, in bis discretion, consider the foreign, avauabuicy of comparable eiicryption products in csasrauning whetherarticular case or to remove controls on particular products, bet is cat recuired to issue Sceases tit partiadar cases or to remove controls on particular products based on such consfdeiatioa;

? ^Uc=:iSi teview descaced inf Executive Orderf Deoaaberith respect to exparr eonrrols of encryption productshis secaon,arnaenrs of Sate, Defense, Energy and Justice aad the Arms Control and

Duoxmament Agency each shall have me or^rtmhy to review nv export license appiicatioo submitted to the Department of Commerce. The Decor-meat of Justice shall, wfth respect to

such products,oting member of tbe Export Adrninisaution Review Beard established in

) of executive Orderf Decembernd of ihc Advisory CotamiOse on Export Policy established in) of thai order, 2nd shalliill member oi" the Operating GomcaiCre esrabushed in) of thac order, and of anv ether ccmtm'rtses aad cousuicuicn groups reviewing: such export corrrrcis;

Because the export of encryption software, uke me export of other cacrjDCon products described in this section, must be controlled becanse of such sortwaie's ftuvm^orru capactry, rather than because cf my possible iiiiuuiatiooai value of such software, such software shall not be considered or treated ass that terra is denned in sectionf -hepp., and in the EAR;

Wrrfc respect to encryptica produces described hisection, the Secrcrarv of Coaunercc shall take such acticcs, rhcladrag the promulgation of raXes, refutations, and amendments thereto, as may be necessary to eonrrol the error; of assisrancs (including irrruhmg) toersons in the same manner and to the same.ixxear as the export of such assistance is controlled under the AECA (as amended byf Pabiic Lawad

(c) Regulation of encryption precocts described in this sectica shall be subjectuch further conditio as as the President may direer.

See,ffective Dare. The provisions described inhall take effect as soon as any encryption products described inre placed en the Commerce Cocrrc! List in the EAR.

SsS-ndicia? Review. This order is inrrnoed only to improve the mr-rrnj rnanagemeat of the executive braoca and to ensure the implementation of appropriacs controls oa the export and foreign dlsseeojratioa of ettrrrpticn prodects. It is cot intended to, and does cot, create any tights to .Vuiubu-givc or jcalctal review, cr any other right or benefit or trust respoosmiliry, subsantive or prrxedural, eaicrceablearty agsiasr the United Sates, itsor mstrurcena fTties, is otEcsrs or enrptoyees, or anyperson.

THElinton

Sepietaber 6

ATTACHMENT C

'entjaJbrtcfiTt

Eacrypooo produces, when used ccrtide the Ucrted States, can jeopardize ocr foreign policy andsacanry icuurss. Moreover, such products, when used by iofjeoaattonalor^aaizaoons, ihfim lbs safety cr" citizens of tbe Untied States bere ;m' abroad, as well as tbe safety of toe drirerxs of otber eouraries. Toe exrxwcitioa ofodoca acconaagiy roast be ceorroUed lo runner Untied States foreign policy objectives, and proaca our nanbeal security, irxaucmg tbe pmtectica of the safety of United States cMrbs abroad. Nocetaeless, hecause ofrmisrogly wicespxeacuseof ericryptioa products fee tbe legirbucu: precscticc of tbe privacy of dan sad cctnmar, irarioas ia ccrzralitrjy contests; because cf tbe bcpcrciace to United States economic interests of tbe market for encrypcoa prrxiucts; ad

because, paxsnani to tbe terms set form in Execarive Order No. XXXXX of

ommercecontrols of tbe export cf such deal-use encryption products can be accomplished without compxomishig Unmtd States foreign policy objectives and national securityarmiaed at this hats cot to canhnac co designate such encryption products as defease articles on the Cohed States imninoos list.

Acco.-tiir.giy. on tier the powers vested hi rae by "ihe Coasrmicba and the laws of me Unitedirect ttac

l Eocryptioa orcducrs thai presecrry arc cr would be aemrcated ia Category XHI of the Ussred States Mnrutioos List and ragehueti byUnited Smci Department of Saue parsuact to tbe Arms Export Cccrrc!hall behe Commerce Control List, and regulated byaxrmeat of Chmouerce ender theonfemed in Executive Orderf* (as continued onxecutive Orderf Docetnbcrnd executive OrderCCC. of

xcept ahat rocrypcicn prodcecs sr^clflcaDy designed, developed,

cootignxed, adapted or amdificd for military applications (mciudiog cemmand, control and mteQjgeceehall continue to be ri-*ionnrM as darrnse articles, shall remain on the United States Mamticas List, aad shall cootmuc to be controlled armer tho Anns Export Control Act. The transfer described in this paragraph shall be effective mon the issuance oc final regulatiocs (tbe Teal Regularities') uxmlmueatiag the safoguarus specified ia this Directive and in eaeeative Order No. xxxxx.

'be Flcal Pxgrilaiiocs shall specify cut the eocryptioa product; srxsaned inaaH be placed or. tbe Consacrceist adrainisicred by the rvepaztmeat of Ccmmerce, TheDeuxuuecxof Couuuc;ceae ex^rg pcunioed by law, ycarirri'^er-.be export of such encryption prophets, mrfrdira sua yptica software, pcrsuaat to the requirements off the former, aad the regulations thereunder, as cootioced in effect by Eaecarivc Ciderf4 (ccutiaued on5 and oo,uw=-wise indieucd ia or rnodiSed by Executive Ottier No. XXXXX ofxecutive Orderf Decembernd any executive orders and Laws cited therein.

LI, Id

Final Regulations shaft provide dial encryption products described in secricnbe licensed for expert only if tne reccireaiesri cf tne controls of bothnd 6former5, and inc rcuTuatiDCS mezeunder. as

mctiJnctiby Executive Order Xo. xxxzzx ofETaecrjve Order

ofnd any executive orders and Uws cited trxreirj. areonsistent) of tee current Export Acurutiisrracoc Regulations, tne Final Regrilatioas shall ensureicense forroduct win be issued only if an application can be and is approved under bothnd sectionoe controls on seen procrnrs will apply to ail desrmaEcns. Except for those products transte:;eti to the. Commerce Control T'q prior to the effective date of the Final Regulations, exports and reexports of encryption products shall initially be subject to case-by-cascnsnre that export tfr-wf would be censisteut with United Stales foreign pouey oqectivja and national security interests, including the safety cf United States citizens. Conticeraticn shall be gfvea to mere Ccerafczed Licensing treatment rbr each such mdividuai prncrrr after mterageacy review is completed. The Final Regulations shall also efreeteatt ail otherobjectives and dnxctives set forth in this Du^rrivel

Because encryption source cede can easily and rcechanically be transformed hna object code, and because expert of snch source cede is controlled because of the code's functional capacity, rather than because of any "uifcnnaticn* such code mi girt ccuvev, the Final Regulations shall specify that encrypticn soorce cede shall besriore deer, and not as rft-hnint tiara or technology, for export Ucensmg purposes.

AH provisions ha Che Final Regulations regarding "ds minimis*content cf items shall not apply with respect to the encryption procures described in paragraph I.

The Furtl Regulations shall,anner consistent withf the HAA,, provideul eoosticxe an export of encryption source cede cc object code softwareerson to make such sortware avaftable for rransfer occtide toe United Sates, over radio, decrroraasmeric, phctcoptiral, or phomeleerric cocnmrrricaticcs raciuties accessible to persons outside the Urtitsd antes, mdudiag transferdectronic bulletin beards and Internee fUe rransfer protccol sites, aeless the parry making the software available takes precautioDS adequate to prevent the nnrrmoared rannsfer of such code curside the Uoited States.

Until the Final Regulations are issued, the Department of Sate shaft continue to have authority to arlnirister die expert of encryption products described ins defense articles designated in Category XIEt cf the United States Stlnnitions list, pursuant to the Arms Export Central Act.

Upon enactment of any legislation reanrhcrxtiog the adnauusunnbo. of espcrt ocotrcis, use Secretary of Derense, the Secreerry of State, and the Artcracy General ihail reexamine whether adequate, controls on encryption products can be ciararaiaed under the provisions of the new gam re, Jnd advise the SccrccrrT cf 'C!cmrcerce of their conclusions as well as any reccrnmeadatiens for action. Ef adeotraie controls on encrypticn products cannot be nviTrtranrvtew sranrce, then such produce; shall, where coosistecr with law, be

303

designated or redcsxgsacd as defense articles under, fo be placed en the United Sates Monzrioss list and controlled pursuant to the terms of the Arms Export Control Act and ihe IntrrtiatJottal Trafnc in Arms Regnhmons. Any disputes regarding tbe decision to" so ccagnaie or redesignate shall be resolved by the

Original document.

Comment about this article or add new information about this topic:

CAPTCHA