Interesting People mailing list archives
IP: New Encryption Regulations
From: Dave Farber <farber () cis upenn edu>
Date: Wed, 12 Jan 2000 21:41:21 -0500
Date: Wed, 12 Jan 2000 19:09:14 -0500 To: farber () cis upenn edu From: Alan Davidson <abd () cdt org> Subject: New Encryption Regulations The U.S. government is expected to shortly release new encryption export rules representing a major change in U.S. policy. "Retail" encryption products -- like browsers, email programs, or PGP -- will be widely exportable to all but a few countries *regardless of key length or algorithm.* However, the complex new regulations will still make it difficult for many people to freely exchange encryption products and do not solve the Constitutional free speech concerns raised by encryption export controls. A final draft of the regulations to be published in the Federal Register is available at: http://www.cdt.org/crypto/admin/000110cryptoregs.shtml Major features of the new regs include: * "Retail" encryption products will be exportable regardless of key length or algorithm to all but the designated "T-7" terrorist nations. Still requires a retail classification, one-time technical review, and periodic reporting of who products are shipped to (but not necessarily reporting of end users.) * Export of encryption products up to 64-bits in key length is completely liberalized. * Non-retail products will require a license for many exports, such as to foreign governments or foreign ISPs and telcos under certain circumstances. * Source code that is "not subject to an express agreement for the payment of a licensing fee or royalty for commercial production or sale of any product developed with the source code" is freely exportable to all but the T-7 terrorist countries. Source code exporters are required to send the Department of Commerce a copy of the code, or a URL, upon publication. Note that posting code on a web site for anonymous download is allowed -- you are not required to check that downloaders might be from one of the prohibited countries. Basically, we are told that common products like browsers, PGP, email programs, chips or personal computers will be exportable with the strongest encryption almost anywhere in the world. The companies we have spoken with believe they should be able to meet regulatory requirements and ship a lot of strong crypto very soon. If this happens, it will be a big step in the right direction for privacy online. The bad news is that the regulations remain a full employment act for export control lawyers. The regulations are complicated, and a fundamental flaw in US policy -- that people need to get the government's permission before exchanging an essential security tool or publishing an idea -- has not been solved. -- Alan Alan Davidson, Staff Counsel 202.637.9800 (v) Center for Democracy and Technology 202.637.0968 (f) 1634 Eye St. NW, Suite 1100 <abd () cdt org> Washington, DC 20006 http://www.cdt.org Join Operation Opt-Out http://opt-out.cdt.org/ A single place to remove your name from marketing databases.
Current thread:
- IP: New Encryption Regulations Dave Farber (Jan 12)