26 February 1997
Source: http://www.bxa.doc.gov/20-.pdf (449K)


Public Comments on Encryption Items Transferred from
the U.S. Munitions List to the Commerce Control List


20. United States Council for International Business

United States Council for International Business
1015 15th Street, Suite 975
Washington, D.C. 20005-2605
Telephone: (202) 371-1316
Fax: (202) 371-8249

Serving American Business as U.S. Affiliate of:
The International Chamber of Commerce
The International Organisation of Employers
The Business and Industry Advisory Committee to the OECD
The ATA Carnet System

February 12, 1997

Nancy Crowe
Regulatory Policy Division
Bureau of Export Administration
Department of Commerce
14th Street and Pennsylvania Avenue, N.W.
Room 2705
Washington, D.C. 20230

Dear Ms. Crowe:

On behalf of the U.S. Council for International Business (USCIB), I would like to present our comments on the Interim Rule on Encryption Items Transferred from the U.S. Munitions List to the Commerce Control List.

The U.S. Council for International Business (USCIB) believes that the government has a vital role in shaping policies for the GII, but that its role must remain limited in scope. The GII will only succeed as a market-driven system fueled by private sector investment, innovation and continual technological change. As such, the government's main role should be to implement policies that do not inhibit commercial investment in encryption technology and infrastructure development, but create a positive environment for innovation. Governments should not implement policies which favor one technology over another, as in key recovery versus non-key recovery or hardware versus software. The USCIB has long stated that we support and recognize many cryptographic systems including key recovery and non-key recovery based systems. The USCIB favors a market-driven approach where users are free to determine the type and level of encryption appropriate for their needs.

USCIB members recognize the need for robust cryptography to protect their business information or that of their customers and to protect the global information infrastructure. We also understand the concerns of law enforcement and national security. After careful review of the interim policy, measured against the USCIB's numerous trade and cryptography papers published in the past few years, many of our members feel that the Administration's interim rule does not represent the proper balance between the concerns of government and concerns for strong encryption security to support electronic commerce.

To be successful, any encryption policy should be voluntary and market driven. We were encouraged by Vice President Gore's statements on October 1, 1996 that the Administration's key recovery initiative must be "industry-led" and that the "ultimate solution must be market-driven." In its study, "Cryptography's Role in Securing the Information Society," the National Research Council (NRC) similarly stressed the importance of market-driven encryption policy to meeting users' needs and providing for user choice:

"A national cryptography policy that is aligned with market forces would emphasize the freedom of domestic users to determine cryptographic functionality, protection and implementations according to their security needs as they see fit. Innovation in technologies such as escrowed encryption would be examined by customers for their business fitness of purpose. Diverse user needs would be accommodated; some users will find it useful to adopt some form of escrowed encryption to protect their access to encrypted data, while others will find that the risks of escrowed encryption (e.g., the dangers of compromising information through a failure of the escrowing system) are not worth the benefits."

Although the Commerce regulations encourage some industry participation in the design of the key management infrastructure (KMI), the re-emergence of legislative initiatives to further liberalize export controls is a strong indication that the Administration's encryption policy is not adequately balancing the need for strong cryptography by business and the legitimate needs of law enforcement and national security.

The Administration's encryption policy and the Commerce regulations should provide for more export control relief. The NRC study found that where export controls were concerned there was a "profound gap in the perceptions of national security authorities and the private sector (including both technology vendors and users of cryptography)." The Administration's encryption policy does not bridge the profound gap between parts of the private sector and the Administration. While the interim rule has the effect of a liberalization of export controls for those manufacturers and users willing to commit to developing or implementing key recovery-based systems, it is seen as no liberalization of the policy by those manufacturers and users who wish to adopt non-key recovery-based systems, who also object to the mandatory nature of the guidelines.

Beyond the need for further export liberalization, several aspects of the regulations are unclear and in some respects, raise more questions than they answer. We have elaborated on these aspects of the Guidelines below. USCIB urges the Administration to continue its dialogue with all segments of the market to work towards streamlining and increasing the transparency of the export licensing process for cryptography. Unless the uncertainty surrounding these regulations is addressed, the regulations will not provide the relief we had hoped would accompany the shift of jurisdiction over the export of encryption items from the Department of State to the Department of Commerce.

KEY ESCROW, KEY RECOVERY AND RECOVERABLE ENCRYPTION SOFTWARE

The key escrow/key recovery escrow agent criteria in the regulations remain very similar in principle to the November 1995 NIST criteria for software key escrow, which the software industry rejected at that time and continues to criticize. Notwithstanding a government-driven key recovery policy, products that are not responsive to customer requests or requirements cannot be successfully created and marketed on an industry-wide basis.

The requirements for key recovery agents located outside of the U.S. should be clarified. Supplement 5 of the regulations states only that the use of key recovery agents located outside the U.S. is permitted if acceptable to the Bureau of Export Administration (BXA) in consultation with the host government as appropriate. The regulations do not specify the requirements for foreign key escrow agents. Should the requirements for foreign key recovery agents be the same or very similar to the requirements for U.S. key recovery agents, the approval process will be very difficult for foreign key recovery agents. It is important that any criteria for foreign key recovery agents be clear and transparent.

In addition to requiring that agents implement a number of specific procedures to protect the security and confidentiality of the keys, the key recovery agent criteria also require that the agent provide the BXA with detailed information on every individual directly involved in the escrow of keys or other material. We are also troubled by the provision that holds manufacturers responsible for the behavior of key recovery agents.

MASS MARKET SOFTWARE

We strongly urge the Administration to commit to further liberalize export controls on cryptography to provide relief for mass market products. The current regulations do not take into account the mass market realities of software distribution. Mass market manufacturers utilize multiple distribution channels including: OEMs (i.e., manufacturers that pre-load software onto computers), value-added resellers, retail stores and the emerging channel of on-line distribution. The mass market distribution model presupposes that manufacturers can ship identical or substantially similar products (localization issues aside) irrespective of specific customer location or characteristics.

Clarification of Supplement 5 regulations requiring specific knowledge of customers and the section 740.8(e) reporting and recording requirements for ultimate consignees and specific end users is needed. As written, these provisions are inconsistent with the mass market model. Compliance with these rules would require a substantial change in current methods of distribution and collection of downstream distribution information. Such required changes would neither be market-driven, nor economically neutral. The USCIB urges the Administration to take notice of these issues and work with manufacturers and distributors to develop a mass market exception or a transparent compliance mechanism based on current distribution models.

NON-KEY RECOVERY ENCRYPTION ITEMS

We note that the Commerce regulations are at odds with the National Research Council recommendation which called for unconditional liberalization of export controls on 56-bit DES and stated:

"The current export regime on strong cryptography [sic] an increasing impediment to the information security efforts of U. S. firms competing and operating in world markets, developing strategic alliances internationally, and forming closer ties with foreign customers and suppliers... Consistent with the rising emphasis on the international dimensions of business (for both business operations and markets), many U. S. companies must exchange important and sensitive information with an often changing array of foreign partners, customers, and suppliers. Under such circumstances the stronger level of cryptographic protection available in the United States is not meaningful when an adversary can simply attack the protected information through foreign channels."

USCIB is also concerned with the lack of clarity on preferential treatment for exports of non-key recovery products to certain preferred end-uses or end-users. The Vice President's statement of October 1 stated that exports for certain financial uses would continue to receive special treatment. However, the interim rule does not contain any codification of this practice. A codification of continued practice is also required for previous special treatment of use by foreign subsidiaries of U.S. companies and "special cases." We recommend that this point be clarified to ensure that these end uses/end-users are not treated less favorably under the new regulations.

Many members of the USCIB are concerned with the apparent oversight in the regulations regarding the "banking or money" exception previously found in Category XIII(b)(1)(ii) of the ITARs and old ECCN 5D13A, which as of January 31, 1997 became ECCN 5D002 (the "banking or money exception"). As written, paragraph h. of the note at the end of new ECCN 5A002 does not track the language of the banking or money exception. The language of this important exception must be preserved. Under the banking or money exception, many financial hardware products and software applications automatically transferred to BXA without the need for a commodity jurisdiction request. Licensing policies in both the State Department and Commerce Department have been fairly liberal in this regard and we expect that will continue to be the case. The financial services industry cannot afford to lose any of this ground. At a minimum, the language in part h. of the note at the end of new ECCN 5A002 must be clarified by adding the phrase "or equipment for the encryption of interbanking transactions" at the end thereof so that it matches the previous exception under USML Category XIII(b)(1)(ii).

The USCIB notes that there is a precedent for providing financial services software with an exemption for higher level cryptographic protection. The financial services industry has a long history of cooperation with law enforcement agencies and is subject to stringent recording and reporting requirements. In light of the elevation of standard exportable encryption to 56-bit, and the near de facto adoption of stronger encryption (at least triple DES) as a standard in the financial services industry, the USCIB urges the Administration to create a stronger encryption (triple DES) exemption for products which facilitate electronic interaction and data interchange between financial institutions and end users.

The USCIB also suggests that the interim rules be clarified to specifically exempt devices and related technology designed for decrypt-only copy protection schemes intended for the protection of commercial intellectual property rights.

APPLICATION OF THE REGULATIONS INTO THE FUTURE

The regulations do not give a clear indication of how non-key recovery encryption items of 56-bit DES or equivalent strength will be treated once the KMI License Exception expires on January 1, 1999. Clarification is needed to assure that once the two year window of opportunity expires, business will be able to continue to service and support its customers abroad using 56-bit non-key recovery products. Equally important, the regulations must be clarified to affirmatively allow for interoperability between key recovery and non-key recovery products.

In light of the recent breach of 40-bit cryptography, the USCIB urges the Administration to consult with industry to determine whether the current 56-bit standard provides an effective level of cryptographic protection. For developers and users to adopt development and implementation plans for cryptographic systems, they must be assured that the standards they develop will at least meet near-term security needs. Beyond the two year horizon there is no clear indication of how the Administration will treat continuing technological advances in cryptography.

HARDWARE AND SOFTWARE PARITY

USCIB urges the Administration to establish parity between the export treatment of software and hardware products. The regulations should create a hardware exception equivalent to the software mass market exception.

TRADITIONAL COMMERCE DEPARTMENT RELIEF

The USCIB supports the relocation of export control of cryptography from State to Commerce, but believes that products with cryptography should be subject to traditional Commerce Department review and relief. De minimis rules, foreign availability assessments, and public availability provisions apply to all other technologies under Commerce jurisdiction and should be extended to cryptography products. Not allowing for foreign availability determinations undermines a fundamental and long-standing principle under the "dual use" export control regime. The major benefits of moving encryption export control to the Department of Commerce are specifically in these review and appeal provisions.

PERSONAL USE EXEMPTION

We are pleased to see that the personal use exemption, which allows U.S. citizens and permanent residents to take controlled encryption products abroad for personal use, has been maintained under the Commerce Department regulations and that the regulations appear to reduce the record keeping requirements for personal use. We recommend that the regulations clarify the application of the personal use exemption for non-U.S. employees and in Country Group D:1 restricted countries.

INTERNET DOWNLOADS

USCIB is concerned about the guidelines regarding encryption software made available for download on the Internet. These guidelines require an access control system that "checks the address of every system requesting or receiving a transfer and verifies that such systems are located within the United States," must provide a notice that the software is export controlled, and require that the party wishing to receive the software acknowledge that they understand that the software is export controlled. Alternatively, precautions differing from those set out in the regulations can be approved by BXA if they are adequate to "prevent transfer of such software outside the U.S. without a license."

Strict interpretation of these provisions could prevent virtually all Internet transfers of encryption software. Checking a domain name alone cannot usually verify the location and requesting a mailing address and phone number similarly cannot "verify" where the download is actually taking place. At a minimum, the regulations should clarify whether or not the types of safeguards previously approved by the State Department would be acceptable.

LICENSING

The requirements for 6 month renewable licenses are considered burdensome and intrusive by many USCIB members. These requirements may create so much uncertainty over whether vendors can deliver 56-bit products as promised, that they may serve as a disincentive to software vendors who might otherwise be interested in developing key recovery products.

The Commerce Department must also not tolerate any increase in license turn-around time from what exporters have been experiencing under State Department licensing. Initial indications are that license applications that were being turned around by the Department of State in as little as five days are now taking thirty to forty days to approve.

The USCIB urges the Department of Commerce to continue its dialogue with industry to promote the widespread use of cryptographic tools to protect the National and Global Information Infrastructure from compromise or attack. As in previous statements on cryptography, the USCIB continues to support the development of voluntary, market-driven technology neutral policies to address government interests of law enforcement access and national security. The USCIB urges the Administration to review its current policy relating to the sufficiency of 56-bit encryption and applicability of the interim rule to the financial services industry and mass market software. The USCIB also urges the Administration to restore traditional Commerce review and relief powers and to assure that license application and review is both streamlined and expedited.

Thank you for the opportunity to present our views on the Interim Rule. We look forward to working with the Department of Commerce as it endeavors to resolve these issues.

Sincerely,

Edward J. Regan
Chairman
Information Policy Committee


Hypertext by DN and JYA/Urban Deadline