26 February 1997
Source: http://www.bxa.doc.gov/39-.pdf (336K)


Public Comments on Encryption Items Transferred from
the U.S. Munitions List to the Commerce Control List


39. Hewlett Packard

Hewlett Packard Company
Corporate Export Administration
900 17th Street N.W. Suite 1100
Washington, DC 20006
202/884-7060
Telecopy 202/884-7070

February 13, 1996

Ms. Nancy Crowe
Regulatory Policy Division
Bureau of Export Administration
U.S. Department of Commerce
14th Street and Pennsylvania Avenue, N.W.
Room 2705
Washington, D.C. 20230

Subject: Comments on Interim Rule, Encryption Items Transferred from the U.S. Munitions List to the Commerce Control List, Published December 30, 1996

Dear Ms. Crowe:

Thank you for the opportunity to comment on the Encryption Items Interim Rule to amend the EAR, published on December 30, 1996. Hewlett-Packard is very supportive of the effort BXA has undergone to achieve the transfer of jurisdiction for encryption items.

Licensing Processing Times:

Before I discuss some specific areas of the new regulation I would like to direct your attention to a serious problem concerning license processing times for encryption items that HP is experiencing. We are concerned that if not rectified soon, this could undermine the painstaking efforts BXA has taken to ensure a responsive license processing system for exporters.

Under State Department jurisdiction, all reviewing agencies of munitions licenses had provided delegations of authority for license applications related to cryptography except the NSA. As a result, many license applications that were consistent with U.S. export policy were able to be approved with very short turn-around-times. Since the jurisdiction transfer to Commerce, all of our license applications for encryption items have been referred to several agencies in parallel. Equivalent applications that were being approved in as little as 5 to 10 days by the Department of State are now taking 30 to 40 days.

In light of the understanding industry has had that these new encryption regulations would not institute any rollback of prior practice, HP urges BXA to quickly escalate this matter and obtain the delegations of authority necessary to limit license application review to the NSA and Justice Department only.

Please consider the specific comments below that identify clarifications and improvements that HP believes should be addressed in the final rule.

Following are HP's general comments on the Interim Rule:

1.  The Interim Rule (and Executive Order 13026) effectively eliminated four important benefits which otherwise apply to products and technology under the jurisdiction of the Export Administration Regulations ("EAR"). These provisions should be revised in the Final Rule, as further described below.

2. The Interim Rule contains provisions which are vague. These provisions should be clarified in the Final Rule, in order to provide sufficient guidance for the exporting community to conduct its affairs in accordance with the requirements of the EAR.

3. The Interim Rule contains provisions which either are internally inconsistent, or effect a "rollback" vis-a-vis past practice under the EAR. These provisions should be modified as further described below.

Following are HP's specific comments on the Interim Rule:

1.    Important Benefits for the EAR that Should be Reinstated

In general, industry expected that the export controls on cryptography under the EAR would be similar to the controls on other dual-use products. However, several important benefits accorded to other dual-use products under the EAR do not apply to cryptographic products.

A.    Foreign Availability

Since the mid-1980s, all dual-use products subject to national security controls under the EAR have been eligible for decontrol, if exporters could demonstrate that products of comparable quality were available outside of the United States in sufficient quantities that export controls were ineffective. Under the Interim Rule, however, cryptographic products are not eligible for the Foreign Availability procedure. Controls on cryptographic products are patently ineffective where comparable products are readily available outside of the United States. Therefore, the Foreign Availability procedure should apply equally to cryptographic products.

B.    Public Domain.

Historically, exporters could make a decision to place software of any type in the Public Domain simply by giving it away free of charge or at a price which did not exceed the cost of duplication and distribution. The Interim Rule states that cryptographic software placed in the Public Domain would still be subject to export control.

C.    General Software Note.

The General Software Note reflects the reality that it is altogether impossible to control the export of software which is available to the public via retail sales, telephone transactions and similar channels. Cryptographic software, like all other types of software, should be eligible for decontrol pursuant to provisions of the General Software Note.

D.    De Minimis

The de minimis provisions of the EAR permit the decontrol of foreign origin products if the U.S.-origin content is 10% or less. This provision reduces the incentive for foreign developers to "design-out" U.S. products, where non-U.S. alternatives are available. The de minimis provisions should be equally applicable to cryptographic products.

In summary, these four provisions have the effect of denying exporters fundamental benefits otherwise afforded dual use products and technology.

B.    Reform of Sections Which are Vague

The following sections of the EAR should be revised for purposes of clarity:

1.    "Scannable" Source or Object Code.

The preamble to the Interim Rule states that "[t]he administration continues to review whether and to what extent scannable encryption source or object code in printed form should be subject to the EAR and reserves the option to impose export controls on such software for national security and foreign policy reasons."

We assume this means that (1) "scannable" encryption source or object code is not subject to the EAR today, and (2) the administration would have to publish a new rule in order to make "scannable" encryption source or object code subject to the EAR. If some other meaning is intended, please be explicit. We further suggest that the administration define the term "scannable" in this context, as scanners available in retail outlets today are capable of scanning any printed page, whether the page includes text, pictures, or any other content.

2.    Technical Assistance

Section 744.9(a) purports to govern provision of "technical assistance" to foreign persons in connection with the foreign persons' development of cryptographic products which would be subject to "EI" controls under Export Control Classification Number ("ECCN") 5A002 and/or 5D002 if they were produced in the United States.

This provision is susceptible of (at least) two interpretations. One interpretation would be that "technical assistance" includes nothing more than cryptographic technology classified under ECCN 5E002. Another interpretation might be that "technical assistance" includes some type of technology in addition to technology which is classified under 5E002. Which interpretation is correct? If "technical assistance" is limited to technology controlled under ECCN 5E002, then the Department of Commerce should eliminate this section. If technology in addition to that which is classified under ECCN 5E002 is included in the "technical assistance", then please provide an explicit definition of "technical assistance" in this context.

C.    Sections Which Need to Be Reformed

The following provisions of the EAR need to be reformed, in order to prevent a "rollback" vis-a-vis prior practice, or for clarity.

1.    Rollback of Information Security Exemptions

In the past, the following five items were not subject to Information Security controls under Category 5B on the Commerce Control List. The Interim Rule suggests that they are subject to control under ECCN 5A995 (for hardware) or ECCN 5D995 (for software):

a. "Personalized smart cards" or specially designed components therefor, with any of the following characteristics:

1. Not capable of message traffic encryption or encryption of user-supplied data or related key management functions therefor; or

2. When restricted for use in equipment or systems excluded from control under the note to 5A002.c, or under paragraphs b through h of this note.

b. Equipment containing "fixed" data compression or coding techniques.

c. Receiving equipment for radio broadcast, pay television or similar restricted audience television of the consumer type, without digital encryption and where digital decryption is limited to the video, audio or management functions;

d. Portable or mobile radiotelephones for civil use (e.g., for use with commercial civil cellular radio communications systems) that are not capable of end-to-end encryption;

e. Decryption functions specially designed to allow the execution of copy-protected "software", provided the decryption functions are not user-accessible;

These items should be exempt from Information Security Controls, and should be classified under EAR99 on the Commerce Control List.

2.    Anti-virus Software

The Interim Rule suggests that anti-virus software is classified under ECCN 5D002, is subject to EI controls, and therefore is not eligible for export under License Exceptions TSU, TSR and CIV. If true, this would represent a rollback vis-a-vis past practice. We recommend that anti-virus software be exempt from the Information Security controls, and classified under EAR99. Failing that, then anti-virus software should be classified under ECCN 5D995. At a minimum, anti-virus software should be explicitly exempted from EI controls and explicitly made eligible for export under License Exceptions TSR and CIV, consistent with prior practice under the EAR.

In addition, the Department of Commerce might want to publish a note indicating that this provision only applies to anti-virus software, and does not govern packet filters, firewalls, operating system security patches, and similar products which have not been considered "Information Security" products in the past.

3.    Access Control, Authentication and Banking Products

There is a conflict within the EAR with respect to how the following products should be classified:

f. Access control equipment, such as automatic teller machines, self-service statement printers or point of sale terminals, that protects password or personal identification numbers (PIN) or similar data to prevent unauthorized access to facilities but does not allow for encryption of files or text, except as directly related to the password or PIN protection;

g. Data authentication equipment that calculates a Message Authentication Code (MAC) or similar result to ensure no alteration of text has taken place, or to authenticate users, but does not allow for encryption of data, text or other media other than that needed for the authentication;

h. Cryptographic equipment specially designed and limited for use in machines for banking or money transactions, such as automatic teller machines, self-service statement printers or point of sale terminals.

Specifically, it is not clear whether hardware and software products meeting these definitions are classified under ECCNs 5A002 and 5D002, respectively, but eligible for export under the applicable Advisory Notes? Or, are such products classified under ECCNs 5A995 and 5D995? The former would restore the status quo; the latter would be preferable to exporters.

D.    Other Changes

Finally, HP would like to recommend two additional changes which would help to create a "level playing field" for certain cryptographic hardware and software products controlled under the EAR.

1.    40 bit Hardware

Since 1992, 40 bit mass market software has been eligible for export under License Exception TSU (and its predecessor General License GTDU), whereas 40 bit hardware has required a license for export to all destinations. This divergence in treatment discriminates against hardware manufacturers, without advancing any conceivable national security or law enforcement interest. The same amount of computer processing power is required to perform cryptanalysis on a 40 bit problem whether the message was encrypted using hardware or software. Hardware products implementing 40 bit cryptography should be eligible for export under License Exception to all destinations except the embargoed and terrorist countries.

2.    Expansion of the Banking Exemption

The exemption from EI controls for products used in banking is dated, and should be revised to account for the proliferation of software programs under development for use in electronic commerce on the internet. As CommerceNet and others have suggested, this provision might be revised as follows:

specially designed and limited for use in machines for banking or money transactions, such as automatic teller machines, self-service statement printers or point of sale terminals, or specially designed and limited for use in the processing of electronic commerce transactions, which implements cryptography in specifically delineated fields including: (1) the merchant's identification, (2) the customer's identification and address, (3) the merchandise purchased, and (4) the payment mechanism, but which does not allow for encryption of data, text or other media except as directly related to these elements of electronic commerce transactions.

* * *

Thank you for this opportunity to comment on the Interim Rule. We look forward to seeing these changes implemented in a Final Rule, in the near future.

Sincerely,

HEWLETT-PACKARD COMPANY

Fred Mailman
Regulatory Manager

cc: Sue Eckert
Assistant Secretary, Bureau of Export Administration

Bruce McConnell
Office of Management and Budget

Ed Appel
National Security Council


Hypertext by DN and JYA/Urban Deadline