26 February 1997
Source: http://www.bxa.doc.gov/37-.pdf (331K)


Public Comments on Encryption Items Transferred from
the U.S. Munitions List to the Commerce Control List


37. Sun Microsystems

Sun Microsystems, Inc.
Legal Department
2550 Garcia Avenue, MS UPAL1-521
Mountain View, CA 94043-1100
415-960-1300
415-336-0530 Fax

February 13, 1997

Nancy Crowe
Regulatory Policy Division
Bureau of Export Administration
Department of Commerce
14th Street and Pennsylvania Avenue, N.W.
Room 2705
Washington, D.C. 20230

Re: Comments on the Interim Rule Entitled "Encryption Items Transferred from the U.S. Munitions List to the Commerce Control List" Published in the Federal Register on December 30, 1996 (61 FR 68572)

Dear Ms. Crowe:

Sun Microsystems, Inc. ("Sun") thanks the Department of Commerce for this opportunity to comment on the new encryption regulations. We appreciate the tremendous work that went into producing the interim regulations in such a timely manner.

Sun fully recognizes the legitimate role of law enforcement and our national security agencies in protecting public safety and providing for our national defense. However, we believe that the imposition by government of mandatory key recovery solutions into encryption products will not be effective to support that role and will harm both the economic and national security of the United States. The current approach will not further either public safety or our national security interests for at least two fundamental reasons: 1) There is no demonstrated market demand for key recovery products; and 2) powerful, non-key recovery encryption solutions are and will continue to be available from foreign sources. Thus, the primary result of the proposed approach will be to restrict U.S. companies from distributing non-key recovery encryption products into foreign markets, resulting in significant revenue loss and threatening U.S. leadership of this important technology and its market. The consequence of this will be that the world could standardize on non-U.S. cryptography and the U.S. Government will lose both the access to leading edge commercial technology from domestic companies for its own use as well as the ability to have a one-time review of world standard cryptography products.

Because of Sun's concern about the viability of the Administration's proposal and the lack of a demonstrated market demand for products that contain key recovery solutions, Sun will not comment on any portions of the regulations relating to KMI and its license exception.

GENERAL COMMENTS ON THE INTERIM RULE:

1. The removal of the "Is Informed" provision from draft regulations and the allowance for usage of general license exceptions TMP & BAG for laptop travellers with encryption programs offers significant relief from the burdensome personal use exemption requirements under the ITAR.

2. The Interim Rule (and Executive Order 13026) effectively eliminated four important benefits which exporters expected to obtain by transfer of jurisdiction to the Export Administration Regulations ("EAR").

3. The Interim Rule contains provisions which are vague. These provisions should be clarified in the Final Rule, in order to provide sufficient guidance for the exporting community to conduct its affairs in accordance with the requirements of the EAR.

4. The Interim Rule contains provisions which either are internally inconsistent, or effect a "rollback" vis-a-vis past practice under the EAR.

SPECIFIC COMMENTS ON THE INTERIM RULE:

1. Industry Has Been Denied the Full Benefits of a "Dual Use" Classification

In general, industry expected that the export controls on cryptography under the EAR would be similar to the controls on other dual-use products. However, several important benefits accorded to other dual-use products under the EAR do not apply to cryptographic products. Indeed, the Interim Rule (and Executive Order 13026) effectively eliminated most, if not all, of the provisions of the EAR which might have been beneficial to exporters.

A. Foreign Availability

Since the mid-1980's, all dual-use products subject to national security controls under the EAR have been eligible for decontrol, if exporters could demonstrate that products of comparable quality were available outside of the United States in sufficient quantities that export controls were ineffective. This is a fundamental principle under the "dual use" export control regime. However, under the Interim Rule, cryptographic products are not eligible for the Foreign Availability procedure and this greatly impacts Sun's ability to remain competitive, when comparable products are readily available outside of the United States.

B. Public Domain

Historically, exporters could make a decision to place software of any type in the Public Domain simply by giving it away free of charge or at a price which did not exceed the cost of duplication and distribution. The Interim Rule states that cryptographic software may not be placed in the Public Domain. This is not only contrary to logic, but arguably unconstitutional.

C. General Software Note

The General Software Note reflects the reality that it is altogether impossible to control the export of software which is available to the public via retail sales, telephone transactions and similar channels. Cryptographic software, like all other types of software, should be eligible for decontrol pursuant to provisions of the General Software Note.

D. De Minimis

The de minimis provisions of the EAR permit the decontrol of foreign origin products if the U.S.-origin content is 10% or less. This provision reduces the incentive for foreign developers to "design-out" U.S. products, where non-U.S. alternatives are available. The de minimis provisions should be equally applicable to cryptographic products.

2. Remove License Approval Authority From Agencies Who Have No Interest

The Interim Rule should be revised to allow government agencies who have no interest in the export of encryption to delegate their authority. Reviews by these agencies contribute to unnecessary delays in the consideration of license applications for encryption products.

REFORM OF SECTIONS WHICH ARE VAGUE:

The following sections of the EAR should be revised for purposes of clarity.

1. "Scannable" Source or Object Code

The preamble to the Interim Rule states that "the administration continues to review whether and to what extent scannable encryption source or object code in printed form should be subject to the EAR and reserves the option to impose export controls on such software for national security and foreign policy reasons."

We interpret this to mean that (1) "scannable" encryption source or object code is not subject to the EAR today, and (2) the administration would have to publish a new rule in order to make "scannable" encryption source or object code subject to the EAR. If some other meaning is intended, please be explicit. We further suggest that the administration define the term "scannable" in this context.

2. Technical Assistance

Remove "Technical Assistance" controls in the Interim Rule. They are redundant and the existing controls under ECCN 5E002 are sufficient to protect the Government's interest.

3. Expansion of Asymmetrical Key Length

The Interim Rule should be amended to increase the asymmetrical key length from 512 up to 1024 bits while still qualifying for export under a general license exemption.

4. Eligible End-User/End-Use for "Non-Recovery" Encryption Products

The regulations should incorporate the Vice President's statement that BXA will continue giving favorable consideration to licenses for financial end-uses, communications among subsidiaries of U.S. companies, commercial transactions and other legitimate applications that were licensed under the ITAR.

SECTIONS WHICH NEED TO BE REFORMED:

The following provisions of the EAR need to be reformed, in order to prevent a "rollback" vis-a-vis prior practice, or for clarity.

1. Rollback of Information Security Exemptions

In the past, the following five items were not subject to Information Security controls under Category 5B on the Commerce Control List. The Interim Rule suggests that they are subject to control under ECCN 5A995 (for hardware) or ECCN 5D995 (for software):

a. "Personalized smart cards" or specially designed components therefor, with any of the following characteristics:

   (1) Not capable of message traffic encryption or encryption of user-supplied data or related key management functions therefor; or

   (2) When restricted for use in equipment or systems excluded from control under the note to 5A002.c, or under paragraphs b through h of this note;

b. Equipment containing "fixed" data compression or coding techniques;

c. Receiving equipment for radio broadcast, pay television or similar restricted audience television of the consumer type, without digital encryption and where digital decryption is limited to the video, audio or management functions;

d. Portable or mobile radiotelephones for civil use (e.g., for use with commercial civil cellular radiocommunications systems) that are not capable of end-to-end encryption;

e. Decryption functions specially designed to allow the execution of copy-protected "software", provided the decryption functions are not user-accessible.

Was classifying these products under 5A995 vs. EAR99 a drafting oversight? Nevertheless, these items should be exempt from Information Security Controls, and should be classified under EAR99 on the Commerce Control List.

2. Anti-Virus Software

The Interim Rule should clarify that anti-virus software is not classified under ECCN 5D002, is not subject to EI controls, and therefore is eligible for export under License Exceptions TSU, TSR and CIV. This type of software has always been and should remain exempt from control.

3. Access Control, Authentication and Banking Products

There is a conflict within the EAR with respect to how the following products should be classified:

a. Access control equipment, such as automatic teller machines, self-service statement printers or point of sale terminals, that protects password or personal identification numbers (PIN) or similar data to prevent unauthorized access to facilities but does not allow for encryption of files or text, except as directly related to the password or PIN protection;

b. Data authentication equipment that calculates a Message Authentication Code (MAC) or similar result to ensure no alteration of text has taken place, or to authenticate users, but does not allow for encryption of data, text or other media other than that needed for the authentication:

c. Cryptographic equipment specially designed and limited for use in machines for banking or money transactions, such as automatic teller machines, self-service statement printers or point of sale terminals.

Specifically, it is not clear whether hardware and software products meeting these definitions are classified under ECCNs 5A002 and 5D002, respectively, but eligible for export under the applicable Advisory Notes, or whether such products are classified under ECCNs 5A995 and 5D995. The former would restore the status quo; the latter would be preferable to exporters.

OTHER CHANGES:

Finally, Sun would like to recommend three additional changes which would help to create a "level playing field" for certain cryptographic hardware and software products controlled under the EAR.

1. Expansion of the Banking Exemption

The exemption from EI controls for products used in banking is dated, and should be revised to account for the proliferation of software programs under development for use in electronic commerce on the internet. As CommerceNet and others have suggested, this provision might be revised as follows:

Specially designed and limited for use in machines for banking or money transactions, such as automatic teller machines, self-service statement printers or point of sale terminals, or specially designed and limited for use in the processing of electronic commerce transactions, which implements cryptography in specifically delineated fields including: (1) the merchant's identification, (2) the customer's identification and address, (3) the merchandise purchased, and (4) the payment mechanism, but which does not allow for encryption of data, text or other media except as directly related to these elements of electronic commerce transactions.

2. 40 Bit Hardware

Since 1992, 40 bit mass market software has been eligible for export under License Exception TSU (and its predecessor General License GTDU), whereas 40 bit hardware has required a license for export to all destinations. This divergence in treatment discriminates against hardware manufacturers, without advancing any conceivable national security or law enforcement interest. The same amount of computer processing power is required to perform cryptanalysis on a 40 bit problem, whether the message was encrypted using hardware or software. Hardware products implementing 40 bit cryptography should be eligible for export under a License Exception to all destinations except the embargoed and terrorist countries.

3. Eligibility to Export Systems with Cryptographic API's

The administration has suggested that foreign cryptographic products are inferior in quality to American products. If this is the case, the Interim Rule should be amended to allow U.S. companies to export products which incorporate cryptographic application programming interfaces containing a strength of encryption currently allowable for export.

Thank you for this opportunity to comment on the Interim Rule. We look forward to seeing these changes implemented in a Final Rule, in the near future.

Sincerely,

Hans Luemers
Manager
International Trade Services & Corporate Export Compliance

cc: Jim Lewis - BXA
Piper Cole - Sun Public Policy


Hypertext by DN and JYA/Urban Deadline