Export of cryptography from the United States
This article possibly contains original research. (November 2022) |
The export of cryptography from the
History
Cold War era
In the early days of the
Two types of technology were protected: technology associated only with weapons of war ("munitions") and dual use technology, which also had commercial applications. In the U.S., dual use technology export was controlled by the
By the 1960s, however, financial organizations were beginning to require strong commercial encryption on the rapidly growing field of wired money transfer. The U.S. Government's introduction of the Data Encryption Standard in 1975 meant that commercial uses of high quality encryption would become common, and serious problems of export control began to arise. Generally these were dealt with through case-by-case export license request proceedings brought by computer manufacturers, such as IBM, and by their large corporate customers.
PC era
Encryption export controls became a matter of public concern with the introduction of the
In 1989, non-encryption use of cryptography (such as access control and message authentication) was removed from export control with a Commodity Jurisdiction. [1] In 1992, an exception was formally added in the USML for non-encryption use of cryptography (and satellite TV descramblers) and a deal between NSA and the
encryption easily exportable using a Commodity Jurisdiction with special "7-day" and "15-day" review processes (which transferred control from the State Department to the Commerce Department). At this stage Western governments had, in practice, a split personality when it came to encryption; policy was made by the military cryptanalysts, who were solely concerned with preventing their 'enemies' acquiring secrets, but that policy was then communicated to commerce by officials whose job was to support industry.Shortly afterward,
Current status
As of 2009[update], non-military cryptography exports from the U.S. are controlled by the Department of Commerce's
U.S. export rules
U.S. non-military exports are controlled by Export Administration Regulations (EAR), a short name for the U.S. Code of Federal Regulations (CFR) Title 15 chapter VII, subchapter C.
Encryption items specifically designed, developed, configured, adapted or modified for military applications (including command, control and intelligence applications) are controlled by the
Terminology
Encryption export terminology is defined in EAR part 772.1.[14] In particular:
- Encryption Component is an encryption commodity or software (but not the source code), including encryption chips, integrated circuits etc.
- Encryption items include non-military encryption commodities, software, and technology.
- Open cryptographic interface is a mechanism which is designed to allow a customer or other party to insert cryptographic functionality without the intervention, help or assistance of the manufacturer or its agents.
- Ancillary cryptography items are the ones primarily used not for computing and communications, but for automotive, aviationand other transportation systems.
Export destinations are classified by the EAR Supplement No. 1 to Part 740 into four country groups (A, B, D, E) with further subdivisions;[15] a country can belong to more than one group. For the purposes of encryption, groups B, D:1, and E:1 are important:
- B is a large list of countries that are subject to relaxed encryption export rules
- D:1 is a short list of countries that are subject to stricter export control. Notable countries on this list include China and Russia
- E:1 is a very short list of "terrorist-supporting" countries (as of 2009, includes five countries; previously contained six countries and was also called "terrorist 6" or T-6)
The EAR Supplement No. 1 to Part 738 (Commerce Country Chart) contains the table with country restrictions.[16] If a line of table that corresponds to the country contains an X in the reason for control column, the export of a controlled item requires a license, unless an exception can be applied. For the purposes of encryption, the following three reasons for control are important:
- NS1 National Security Column 1
- AT1 Anti-Terrorism Column 1
- EI Encryption Items is currently same as NS1
Classification
For export purposes each item is classified with the
- 5A002 Systems, equipment, electronic assemblies, and integrated circuits for "information security. Reasons for Control: NS1, AT1.
- 5A992 "Mass market" encryption commodities and other equipment not controlled by 5A002. Reason for Control: AT1.
- 5B002 Equipment for development or production of items classified as 5A002, 5B002, 5D002 or 5E002. Reasons for Control: NS1, AT1.
- 5D002 Encryption software. Reasons for control: NS1, AT1.
- used to develop, produce, or use items classified as 5A002, 5B002, 5D002
- supporting technology controlled by 5E002
- modeling the functions of equipment controlled by 5A002 or 5B002
- used to certify software controlled by 5D002
- 5D992 Encryption software not controlled by 5D002. Reasons for control: AT1.
- 5E002 Technology for the development, production or use of equipment controlled by 5A002 or 5B002 or software controlled by 5D002. Reasons for control: NS1, AT1.
- 5E992 Technology for the 5x992 items. Reasons for control: AT1.
An item can be either self-classified, or a classification ("review") requested from the BIS. A BIS review is required for typical items to get the 5A992 or 5D992 classification.
See also
- Bernstein v. United States
- Denied trade screening
- Export control
- Junger v. Daley
- Restrictions on the import of cryptography
- FREAK
- Crypto wars
References
- ^ "Munitions T-shirt".
- ISBN 978-0-444-51608-4, retrieved 2023-08-12
- ^ "Fortify for Netscape". www.fortify.net. Retrieved 1 Dec 2017.
- ^ "January 25, 1999 archive of the Netscape Communicator 4.61 download page showing a more difficult path to download 128-bit version". Archived from the original on September 16, 1999. Retrieved 2017-03-26.
{{cite web}}
: CS1 maint: bot: original URL status unknown (link) - ^ "Revised U.S. Encryption Export Control Regulations". EPIC copy of document from U.S. Department of Commerce. January 2000. Retrieved 2014-01-06.
- ^ a b c d e Commerce Control List Supplement No. 1 to Part 774 Category 5 Part 2 - Info. Security
- ^ "CCL5 PT2" (PDF). www.bis.doc.gov. Retrieved 2022-10-10.
- ^ "U. S. Bureau of Industry and Security - Notification Requirements for "Publicly Available" Encryption Source Code". Bis.doc.gov. 2004-12-09. Archived from the original on 2002-09-21. Retrieved 2009-11-08.
- ^ Participating States Archived 2012-05-27 at archive.today The Wassenaar Arrangement
- ^ Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies: Guidelines & Procedures, including the Initial Elements The Wassenaar Arrangement, December 2009
- ^ Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies Public Documents Volume IV Background Documents and Plenary-related and Other Statements Archived on 2024-02-09. Wassenaar Arrangement December 2019
- ^ Encryption and Export Administration Regulations (EAR)Archived 2024-02-09 at archive.today
- ^ Export Administration Regulations: Implementation of Wassenaar Arrangement 2019 Plenary Decisions Archived Page 16482 Federal Register Archived Implementation of Wassenaar Arrangement 2019 Plenary Decisions. Archived on 2024-02-09
- ^ "15 CFR § 772.1 - Definitions of terms as used in the Export Administration Regulations (EAR)". LII / Legal Information Institute. Retrieved 2021-09-30.
- ^ "EAR Supplement No. 1 to Part 740" (PDF). Archived from the original (PDF) on 2009-06-18. Retrieved 2009-06-27.
- ^ "EAR Supplement No. 1 to Part 738" (PDF). Archived from the original (PDF) on 2009-05-09. Retrieved 2009-06-27.
External links
- Crypto law survey
- Bureau of Industry and Security — An overview of the US export regulations can be found in the licensing basics page.
- Whitfield Diffie and Susan Landau, The Export of Cryptography in the 20th and the 21st Centuries. In Karl de Leeuw, Jan Bergstra, ed. The history of information security. A comprehensive handbook. Elsevier, 2007. p. 725
- Encryption Export Controls. CRS Report for Congress RL30273. Congressional Research Service, The Library of Congress. 2001 Archived 2019-02-28 at the Wayback Machine
- The encryption debate: Intelligence aspects. CRS Report for Congress 98-905 F. Congressional Research Service, The Library of Congress. 1998
- Encryption Technology: Congressional Issues CRS Issue Brief for Congress IB96039. Congressional Research Service, The Library of Congress. 2000
- Cryptography and Liberty 2000. An International Survey of Encryption Policy. Electronic Privacy Information Center. Washington, DC. 2000
- National Research Council, Cryptography's Role in Securing the Information Society. National Academy Press, Washington, D.C. 1996 (full text link is available on the page).
- The Evolution of US Government Restrictions on Using and Exporting Encryption Technologies (U) Archived 2016-05-09 at the Wayback Machine, Micheal Schwartzbeck, Encryption Technologies, circa 1997, formerly Top Secret, approved for release by NSA with redactions September 10, 2014, C06122418