26 February 1997
Source: http://www.bxa.doc.gov/04-.pdf (212K)

Public Comments on Encryption Items Transferred from
the U.S. Munitions List to the Commerce Control List

4. Motorola

MOTOROLA
Corporate Offices
1303 Algonquin Road
Schomburg IL 60196-1065
(708) 576-5000

February 5, 1997

Nancy Crowe
Regulatory Policy Division, Rm. 2705
Bureau of Export Administration
Department of Commerce
14th Street & Pennsylvania Ave. N.W.
Washington, D.C. 20230

Subject: Encryption Items Transferred From the U.S. Munitions List to the Commerce Control List, 61 Fed. Reg. 68572 (Dec. 30, 1996)

Dear Ms. Crowe

Motorola is pleased to submit for consideration the following comments relative to the new encryption regulations published in the Federal Register on December 30, 1996. We welcome the long awaited shift in jurisdiction for commercial and dual use encryption products and we look forward to working with the well established licensing process at BXA for our future encryption licenses.

After conducting a review of the new regulations we have identified a number of issues that warrant comment. Several of the issues can be resolved by the addition of clarifying language in the regulations while several others require further revision.

In one particular case we regret that further action is not possible. The termination of license and amendment applications in process at DTC as of December 30 was unexpected, unwarranted and unnecessarily disruptive to our business. We have identified nearly two dozen pending cases, several of which had been in process for months, that will need to be resubmitted and processed yet again. At the very least DTC could have transferred any cases in process to BXA for completion. Additional issues include:

1) Part 740. A number of license exemptions that were available under the ITAR have not been transferred to the Commerce Regulations. In particular ITAR exemptions 123.16(b)(2), covering parts and spares under $500.00, and 123.16(b)(9), covering temporary exports to subsidiaries for assembly and subsequent return to the U.S. have both been lost in the transition between agencies. Both of these exemptions were used by our company on a regular basis and alleviated the need for a significant number of individual licenses.

The exemption covering parts and spares under $500 (123.16(b)(2)) could easily be reinstated under license exception LVS. The exception could be restricted, as it was under the ITAR, to apply only to parts and spares exported in support of commodities previously exported under the proper license.

The temporary export activity previously covered under ITAR exemption 123.16(b)(9) could similarly be reinstated under license exception TMP. Language allowing the temporary export of components, software, parts, tools or test equipment to a subsidiary, affiliate or facility owned or controlled by a US person if the components, software, parts, tools or test equipment are to be used for manufacture, assembly, testing, production, or modification would allow the continued use of global manufacturing strategies while still retaining a requirement for obtaining an export license for the final product.

The scope of the exemption covering the temporary export of encryption for personal use (ITAR Ref. 123.27) did not transfer to the EAR unchanged. Limitations under the 'tools of the trade' subparagraph of TMP (740.9(a)(2)(i)) restricts the countries that are eligible for use of the exception beyond restrictions that were present in the ITAR. The eligibility language of TMP must be revised in order to clarify that all countries, other than embargoed destinations, are eligible for TMP when used for the temporary export of encryption for personal use.

A number of ITAR exemptions used to cover technical data did not transfer to Commerce. The exemptions affected include 124.3 and 125.4 subparagraphs (b)(2), (b)(4), (b)(7), (b)(8), (b)(10) and (b)(13). Language must be added to the regulations in order to preserve these exemptions.

Part 740.8(d )(1)(i)(E). If a key recovery agent is part of a commodity's eligibility for license exception KMI, this paragraph sets up an everlasting reporting and certification requirement that the key recovery agent will continue to comply with the requirements of Supplement 5. Furthermore, since this is set up as a condition of the license exception, it arguably places a continuing audit responsibility on the exporter as well as a compliance responsibility on the part of the recovery/escrow agent. The exporter must submit a new classification request if there are any changes affecting a previously approved key recovery agent.

The net effect of the additional eligibility requirements contained in paragraph (d) is to convert KMI from a license exception to a special license. A product's eligibility for export under KMI should be determined using product based criteria only. Eligibility requirements for agents should be separate from a product's KMI eligibility. In fact, the requirements and responsibilities of recovery agents should stand alone as a separate authorization between the agent and the government, irrespective of a product's eligibility for KMI.

Part 740.8 (e) Reporting requirements. The use of KMI requires ("must provide") semiannual reports identifying ultimate consignee, specific end-user name and address, if available, etc. Note that this requirement is actually tougher than that of the arrangement (742.15(b)(4)(i)) for which reporting of certain information "may" be required. These requirements placed on the use of KMI appear to make the exception more restrictive than the arrangement. The language used to describe the possible reporting requirements under KMI should be written in a way that allows BXA maximum flexibility. Wording similar to that used in 742.15(b)(4)(i) to describe the reporting requirements for encryption licensing arrangements should be used for key escrow and key recovery products eligible for KMI as well. KMI eligible products which utilize recoverable encryption should not be subject to any reporting requirements.

2) Supplement 5 to Part 742. The criteria contained in this supplement includes without elaboration, a provision for a foreign customer or a foreign recovery agent to be approved. When comparing the absence of any meaningful criteria for foreign recovery agents to the level of detail provided for domestic agents one is left with the conclusion that foreign agents, in fact, will not receive serious consideration for approval.

When considering the detailed requirements contained in the supplement we noted that prospective key recovery agents must certify that their individual employees meet the qualifications specified and disclose when they no longer do so, or are replaced. The key recovery agent must also submit corporate viability and financial responsibility evidence. The most untenable aspect of the requirements listed in the supplement is described in the statement, "The requirements related to the suitability and trustworthiness, security policies, and key recovery procedures of the key recovery agent shall be made terms and conditions of the License Exception for key recovery items." If the exporter is not the key recovery agent, how can the exporter use KMI without maintaining a continual auditing requirement to assure that the key recovery agent is complying. Requirements such as those noted above seem overly restrictive, particularly in the case of foreign recovery agents, and will act as a strong disincentive for use of KMI.

As mentioned above, in section 1 of our comments, the requirements and responsibilities of a recovery agent should stand alone as a separate authorization between the agent and the government. Linking an agent's approval with a product's eligibility for export under KMI places unreasonable requirements on all exporters of encryption except those that intend to act as the sole recovery agent for a product.

3) Finally, in Part 774 and throughout, the regulations say, "EI applies only to encryption items transferred from the US Munitions List to the Commerce Control List consistent with EO 13026 of November 15, 1996,..." This description is going to quickly lose its meaning as new revised copies of the regulations are published. In addition, while this language clearly covers all existing products it does not address future products that may incorporate encryption at or below the levels which were routinely transferred from State to Commerce prior to December 30, 1996. A definition which includes a clear technical description of what is controlled for EI reasons is needed.

We hope these comments are useful in correcting some of the inevitable disconnects that occur when regulations as complex as these must be transferred between agencies. If any additional information or further explanation of our concerns is needed please contact me at (847) 538-9439.

Sincerely,

Jim Wyatt
Corporate Export Control Manager

Hypertext by DN and JYA/Urban Deadline