26 February 1997
Source: http://www.bxa.doc.gov/15-.pdf (229K)


Public Comments on Encryption Items Transferred from
the U.S. Munitions List to the Commerce Control List


15. Steptoe & Johnson LLP

STEPTOE & JOHNSON LLP
Attorneys At Law
1330 Connecticut Avenue, N.W.
Washington, D.C. 20036-1795
(202) 429-3000
Facsimile: (202) 429-3902
Telex: 89-2503
Stewart A. Baker
(202) 429-6413

February 13, 1997

Ms. Nancy Crowe
Regulatory Policy Division
Bureau of Export Administration
Department of Commerce
14th Street & Pennsylvania Ave. N.W.
Room 2705
Washington, D.C. 20230

Re: Comments of Steptoe & Johnson LLP on the Commerce Department Regulations on the Export of Encryption

Dear Ms. Crowe:

This letter constitutes the comments of Steptoe & Johnson LLP on the new regulations on the export of encryption published in the Federal Register on December 30, 1996. 61 Fed. Reg. 68572.

Part I -- Key Recovery Agent Criteria

Supplement 5 to Part 742 of the EAR sets out the requirements for key recovery agents. We believe that certain of these requirements may be more burdensome on exporters, key recovery agents and self escrowing customers than is necessary, and have suggested certain changes intended to ease these burdens.

A. Criteria for Key Recovery Agents

The regulations allow for self escrow by customers, but are unclear as to what requirements self escrowing companies must meet. If the requirements are too onerous, customers will be discouraged from buying key recovery products. Similarly, the regulations also allow for foreign escrow agents, but again are unclear as to what requirements apply. The regulations could be read as subjecting such agents to two different sets of requirements (those of BXA and their own government), even where the U.S. government has reached an agreement with the host government as to the necessary requirements. To address these issues, we suggest the following proposals.

First, to address the problem of customer resistance to the key recovery agent criteria, BXA should clarify that self escrowing customers need not necessarily comply with the requirements for independent key recovery agents. Rather, as long as a customer has "appropriate safeguards" to ensure that its internal agent will respond to government requests independently of the rest of the organization and that there are adequate safeguards to ensure security and confidentiality, this will be sufficient. Rather than having a fixed set of standards for self escrowing organizations, individual customers should be able to obtain agreements from BXA on procedures that are better fitted to the particular key management practices of the customer.

Second, to address the problem of duplicative U.S. and foreign requirements, BXA should deem it sufficient that a key recovery agent or customer complies with the local law of a country with which the U.S. government has an agreement concerning key recovery requirements. If the U.S. government is satisfied with the country's requirements for key recovery agents or self escrowing companies, it should not require the agent or company to comply with two different sets of rules.

B. Monitoring Obligation of Exporters

A continuing monitoring obligation on the part of exporters is implied by two parts of the EAR. Supplement 5 to Part 742 of the EAR states:

The requirements related to the suitability and trustworthiness, security policies, and key recovery procedures of the key recovery agent shall be made terms and conditions of the License Exception for key recovery items.

Additionally, section 740.8(d)(1)(E), part of the section that governs eligibility for license exception KMI, states:

The exporter or reexporter, whether that person is the key recovery agent or not, must submit a new classification request to BXA if there are any changes (e.g. termination, replacement, additions) to the previously approved key recovery agent.

This language effectively places an obligation on the exporter to monitor approved key recovery agents (presumably including self escrowing customers) and report to BXA any relevant developments.

The problems created by a continuing monitoring requirement are especially serious where customers are self escrowing rather than relying on third party escrow agents. Customers may not want to buy a product that will require that they submit to continual or periodic monitoring by the seller or by BXA. Exporters will undoubtedly find it quite difficult and burdensome to adequately monitor every customer that is self escrowing -- more so than it would be to keep track of a limited number of approved external key escrow agents.

If the effect of the regulations is to impose upon exporters of key recovery products a continuing requirement to monitor their self escrowing customers (as well as external key recovery agents), there are a number of possible solutions that could reduce the burden upon exporters.

First, the regulations could be clarified to state that the exporter must obtain an assurance from the key recovery agent (and/or customer) that it will inform the exporter if circumstances change that would affect its compliance with the BXA criteria. The exporter would then be entitled to rely on this assurance for future exports without the need to monitor compliance.

Second, as an addition to the first option, BXA could also require that for future exports, the exporter would send a copy to the agent or customer of the commitments made in order to obtain KMI eligibility, and obtain assurances from the agent or customer that it is still complying with these requirements. Such a requirement would remind the customer of its obligations, and could serve as a periodic (but relatively non-intrusive) certification of the customer's continuing compliance.

Third, the initial agreement with a key recovery agent could specify that the agent will make annual or semi-annual reports directly to BXA in order to maintain BXA approval. A legitimate agent may be willing to do this since BXA approval will likely be crucial to maintaining its business. However, customers would likely view this approach as too burdensome, and this should not be required of self escrowing customers.

Fourth, BXA could send out annual or semi-annual questionnaires to all approved agents (and self escrowing companies) asking about any changed circumstances. If an agent does not return the questionnaire, BXA could initiate a more thorough investigation into its continuing compliance with the criteria. In either case, the burden will be on the agent and/or on BXA rather than on the exporter. This option, however, will not be very attractive to self escrowing customers, who will likely view it as "buying a BXA audit"; it therefore should not be required of customers.

Part II -- Mass Market Hardware

Under the current regulations, certain mass market encryption software may be released, after a one-time review, from normal EI controls and made eligible for mass market treatment (which includes eligibility for all the provisions of the Export Administration Regulations applicable to other software). In order to qualify as mass market software, the product must be available to the public at retail selling points and be designed for installation by the user without further substantial support by the supplier. If the product uses only RC2 and/or RC4 with a key length no longer than 40 bits, and meets a few other technical requirements, the classification request will be processed in seven working days. Otherwise, it will be processed in fifteen working days.

There is, however, no equivalent treatment for mass market hardware that uses the same or similar algorithms and key lengths. Such hardware should be eligible for at least as favorable treatment as mass market software. Often, encryption hardware is nothing more than software "burned" into a ROM chip. If the software on a floppy disk is eligible for mass market treatment, the same or similar "software" contained in a chip should also be eligible.

Moreover, encryption contained in hardware is generally much more tamper resistant and is easier to control than encryption contained in software. Unlike software, it is not easy to make unauthorized copies of encryption hardware and encryption hardware cannot be posted on the Internet or otherwise distributed electronically. In sum, we do not see a basis for treating hardware less favorably than software.

Thus, the regulations should be modified to make certain encryption hardware eligible for mass market treatment. The limits that apply to mass market software in terms of algorithms and key lengths could also be applied to hardware, and the same time limits for the "commodity classification" procedure should apply.

We recognize that it may be more difficult to apply a standard approach to mass market hardware than to mass market software. If BXA decides not to adopt the approach suggested above, we suggest that the regulations should at least be modified to indicate that favorable consideration will be given for requests to make certain encryption hardware eligible for release from EI controls. We note that in contrast to the situation when EI items were regulated by the State Department, BXA would retain jurisdiction over such items even if released from EI controls.

* * *

We hope that these comments are helpful in improving the regulations concerning encryption exports. Please feel free to call me, Peter Lichtenbaum, or Michael Hintze to discuss any of these suggestions.

Very truly yours,

Stewart A. Baker


Hypertext by DN and JYA/Urban Deadline