The U.S. government today issued new encryption export regulations allowing U.S. companies to export any encryption product to commercial firms, individuals and other non-government end-users without a license.
The new regulations implement a new approach to the export of encryption products announced by the Clinton administration in September, a change that came after years of pressure by U.S. software companies that considered the government's export controls needlessly restrictive.
The regulations say U.S. companies can now export any encryption software after a technical review to individuals, commercial firms or other non-government end-users in any country, the Department of Commerce said in a release. The new regulations do not change restrictions on exports to Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria, which the U.S. classifies as state supporters of terrorism.
Exports to government end-users still will require a license, the Commerce Department release said.
Under a new category of "retail" encryption products, the regulations permit the export of encryption products widely available in the market to any end user, including those in government. In most cases, however, the U.S. Commerce Department's Bureau of Export Administration will review the product before it can be exported, the release said.
The Commerce Department's Bureau of Export Administration will determine which products qualify as retail through a review of their functionality, sales volume and distribution methods, the release said.
Commerce Secretary William Daley said in a statement that the policy helps business and promotes e-commerce by adjusting U.S. regulations to marketplace realities that companies face when they try to sell their products overseas.
The department worked hard to address privacy concerns and to ensure that U.S. law enforcement and national security concerns are met, Daley added.
The regulations appear to meet the hopes of industry and congressional officials who were upset by an early draft of the regulations circulated last month. [See "Hope Prevails for Revision of Draft Crypto Rules," Dec. 12, 1999] The Information Technology Industry Council (ITI) welcomed the regulations, calling them a key ingredient for the continued growth of the IT industry.
Rhett Dawson, president of the ITI, said in a statement the new rules will help maintain the United States' technological leadership around the world and make electronic commerce safer.
Americans for Computer Privacy, a group that advocates use of encryption free of government intrusion, also welcomed the proposal saying in a statement, "They are more in step with the economic realities of the Information Age, while protecting our nation's vital security and law enforcement needs. And, they strike a balance between security and America's commercial interests."
Under the rules, companies also now are allowed to export commercial encryption source code, encryption toolkits and components without a license to businesses and non-government end-users for internal use and customization and for the development of new products. In addition the regulations relax restrictions on publicly available encryption source code, including its posting on the Internet.
The policy permits U.S. companies to export any encryption item to their foreign subsidiaries without a prior review by the department. Foreign employees of U.S. companies working in the United States no longer need an export license to work on encryption under the new regulations, the release said.
In issuing the regulations the government also solicited public comment over the next 120 days. After that it will review the regulation and issue a final revised rule.