
Currently Skimming:

Export Controls
Pages 113-166

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 113...
... The discussion below focuses on U.S. export controls; Appendix G addresses foreign export control regimes on cryptography.
From page 114...
... , and a paper by Ira Rubinstein, "Export Controls on Encryption Software," in Coping with U.S. Export Controls 1994, Commercial Law & Practice Course Handbook Series No.
From page 115...
... Note that commodity jurisdiction to the CCL is generally granted for products with encryption capabilities using 40-bit keys regardless of the algorithm used, although these decisions are made on a 4The CCL is also commonly known as the Commodity Control List. 5However, encryption products intended for domestic Canadian use in general do not require export licenses.
From page 116...
... A number of sanctions are available to enforce the compliance of foreign recipients of USML items exported from the United States. The primary sanctions available are the criminal and civil liabilities established by the Arms Export Control Act (AECA)
From page 117...
... In addition, the current export control regime provides for an individual case-by-case review of USML licensing applications for products that do not fall under the jurisdiction of the CCL. Under current practice, USML licenses to acquire and
From page 118...
... Department of State has broad leeway to take national security considerations into account in licensing decisions; indeed, national security and foreign policy considerations are the driving force behind the Arms Export Control Act. Department of Commerce may limit exports only to the extent that they would make "a significant contribution to the military potential of any other country which would prove detrimental to the national security of the United States" or "where necessary to further significantly the foreign policy of the United States." The history of the Export Administration Act strongly suggests that its national security purpose is to deny dual-use items to countries of Communist Bloc nations, nations of concern with respect to proliferation of weapons of mass destruction, and other rogue nations.
From page 119...
... Foreign availability may or may not be a consideration in granting a license at the discretion of the State Department. Foreign availability of items that are substantially equivalent is, by law, a consideration in a licensing decision.
From page 120...
... . Informal Noncodified Exemptions The current export control regime provides for an individual case-by-case review of U.S.
From page 121...
... , whether U.S.-controlled or -owned or foreign-owned, are generally granted USML licenses for strong encryption for use in internal communications and communications with other banks even if these communications are not limited strictly to banking or money transactions. In September 1994, the Administration promulgated regulations that provided for U.S.
From page 122...
... In August 1995, the Administration announced a proposal to liberalize export controls on software products with encryption capabilities for confidentiality that use algorithms with a key space of 64 or fewer bits, provided that the key(s) required to decrypt messages and files are "properly escrowed"; such products would be transferred to the CCL.
From page 123...
... • In the case of products intended for use only in banking or money transactions, the exemption results from the recognition by national security authorities that the integrity of the world's financial system is worth protecting with high levels of cryptographic security. Given the primacy of the U.S.
From page 124...
... Only a small amount of Kerberos code is used to support user-invocable confidentiality. However, in order to prevent running afoul of export regulations, most sites from which Kerberos is available strip out all of the cryptographic source code, including the DES module used as the cryptographic engine to support both the authentication and the confidentiality features and every system call to the module for either authentication or confidentiality purposes.
From page 125...
... As a practical rule, the U.S. government has a specific set of Thus, export controls on confidentiality have inhibited the use of Kerberos for its intended authentication purposes.
From page 126...
... products with encryption capabilities to be used by both partners to conduct business related to such alliances without requiring a specific export licensing decision.13 In some instances, USML licenses have granted U.S. companies the authority to use strong encryption rather freely (e.g., in the case of a U.S.
From page 127...
... and as such are controlled by the USML, even though the text of the ITAR does not mention these items explicitly.14 In general, vendors and users understand this to be the practice and do not challenge it, but they dislike the fact that it is not explicit. 4.2 EFFECTIVENESS OF EXPORT CONTROLS ON CRYPTOGRAPHY One of the most contentious points in the debate over export controls on cryptography concerns their effectiveness in delaying the spread of strong cryptographic capabilities and the use of those capabilities throughout the world.
From page 128...
... are capable of providing very good cryptography that is usable by motivated foreign users. In assessing the arguments of both supporters and critics of the current export control regime, it is important to keep in mind that the ultimate goal of export controls on cryptography is to keep strong cryptography out of the hands of potential targets of signals intelligence.
From page 129...
... products clearly cannot prevent these powers from using such cryptography. Furthermore, the fact that cryptography is not being widely used abroad does not necessarily imply that export controls are effective -- or will be in the near future -- in restraining the use of cryptography by those who desire the protection it can provide.
From page 130...
... Cryptographic algorithms, also controlled by the International Traffic in Arms Regulations as "technical data," represent pure knowledge that can be transported over national borders inside the heads of people or via letter. As is true for all other software products, software products with encryption capabilities are infinitely reproducible at low cost and with perfect fidelity; hence, a controlled item can be replicated at a large number of points.
From page 131...
... By using a few commonly available programming tools (a file compare program, a "debugger" that allows the user to trace the flow of how a program executes, and a "disassembler" that turns object code into source code that can be examined), the reviewer was able to access in less than two hours the "protected" files generated
From page 132...
... If the key is 1 to 8 characters, established software vendors in the United States do have reputations for providing relatively high quality in their products for features unrelated to security.22 Without an acceptable product certification service, most users have no reliable way of determining the quality of any given product for themselves. by four out of eight programs.
From page 133...
... Thus, large corporations and First World governments are, in general, more likely than small corporations and Third World governments to develop their own cryptographic implementations. Finally, the text of the ITAR seems to allow a number of entirely legal actions that could have results that the current export control regime is
From page 134...
... company can develop a product without encryption capabilities and then sell the source code of the product to a friendly foreign company that incorporates additional source code for encryption into the product for resale from that foreign country (assuming that that country has no (or weaker) export controls on cryptography)
From page 135...
... software vendor distributes its major product in modular form in such a way that the end user can assemble a system configuration in accordance with local needs. However, since the full range of USML export controls on encryption is applied to modular products into which cryptographic modules may be inserted, this vendor has not been able to find a sensible business approach to distributing the product in such a way that it would qualify for liberal export consideration.
From page 136...
... From this perspective, export controls are simply one more cost of doing business outside the United States. On the other hand, the fact that export controls are an additional cost of doing business outside the United States is not an advantage for U.S.
From page 137...
... Users are also affected by an export control regime that forces foreign and domestic parties in communication with each other to use encryption systems based on different algorithms and/or key lengths. In particular, an adversary attempting to steal information will seek out the weakest point.
From page 138...
... export controls have had a negative impact on the cryptographic strength of many integrated products with encryption capabilities available in the United States.29 Export controls tend to drive major vendors to a "lowest common denominator" cryptographic solution that will pass export review as well as sell in the United States. The committee also believes that export controls have had some impact on the availability of cryptographic authentication capabilities around the world.
From page 139...
... However, in instances in which those who are regulated do not trust the regulator, the judgments of the regulator are much more likely to be seen as arbitrary and capricious.31 This situation currently characterizes the relationship between cryptography vendors/users and national security authorities responsible for implementing the U.S. export control regime for cryptography.
From page 140...
... bank with many international branches reported that export controls affect internally developed bank software with encryption capabilities; a U.S. citizen who works on bank software with encryption capabilities in England may "taint" that software so that it falls under U.S.
From page 141...
... On the other hand, this approach would be tantamount to the development of two largely distinct products with little overlap in the work that was required to produce them. The NSA has spoken publicly about its willingness to discuss with vendors from the early stages of product design features and capabilities of proposed products with encryption capabilities for confidentiality so that the export license approval process can be facilitated, and also its willingness to abide by nondisclosure agreements to reassure vendors that their intellectual property rights will be protected.33 Nonetheless, the receipt of an export control license useful for business purposes is not guaranteed by such cooperation.
From page 142...
... To summarize, 34Although other industries also have to deal with the uncertainties of regulatory approval regarding products and services, the export control process is particularly opaque, because clear decisions and rationales for those decisions are often not forthcoming (and indeed are often classified and/or unrelated to the product per se)
From page 143...
... In response to some of these concerns, the U.S. government has undertaken a number of reforms of the export control regime (described in Section 4.1)
From page 144...
... For many years, Americans traveling abroad were required under the ITAR to obtain "temporary export licenses" for products with encryption capabilities carried overseas for their personal use.37 The complexity of the procedure for obtaining such a license was a considerable burden for U.S. businesspeople traveling abroad, and these individuals were subject to significant criminal penalties for an act that was widely recognized to be harmless and well within the intent of the export control regime.
From page 145...
... A number of information technology trade organizations have also made estimates. The Software Publishers Association cited a survey by the National Computer Security Association that quoted a figure of $160 million in aggregate known losses in 1993 because of export controls; see "Written Testimony of the Software Publishers Association to the National Research Council," Washington, D.C., July 19, 1995.
From page 146...
... The next three subsections describe some of the factors that confound the narrowing of the large range of uncertainty in any estimate of the size of the market affected by export controls. Defining a "Lost Sale" A number of vendors have pointed to specific instances of lost sales as a measure of the harm done to vendors as a result of export controls on currently at risk because of the inability of those companies to be able to sell world wide generally available software with encryption capabilities employing DES or other comparable strength algorithms"; see testimony of Ray Ozzie, president, Iris Associates, on behalf of the Business Software Alliance, "The Impact on America's Software Industry of Current U.S.
From page 147...
... These instances included a company that lost one-third of its total revenues because export controls on DES-based encryption prevented sales to a foreign firm; a company that could not sell products with encryption capability to a European company because that company resold products to clients other than financial institutions; a U.S. company whose European division estimated at 50 percent the loss of its business among European financial institutions, defense industries, telecommunications companies, and government agencies because of inadequate key sizes; and a U.S.
From page 148...
... • What part of a product's value is represented by the cryptographic functionality that limits a product's sales when export controls apply? As noted in Chapter 2, stand-alone products with encryption capabilities are qualitatively different from general-purpose products integrated with encryption capabilities.
From page 149...
... To the extent that there is a latent demand for cryptography, the inclusion of cryptographic features in integrated products might well stimulate a demand for cryptography that grows out of knowledge and practice, out of learning by doing. Determining the extent of latent demand is complicated greatly by the fact that latent demand can be converted into actual demand on a relatively short time scale.
From page 150...
... Requirements for higher degrees of technical skill translate into smaller talent pools from which vendors can draw and thus fewer products available that can meet purchasers' needs for interoperability. Problems relating to interoperability and system complexity, as well as the size of the installed base, have contributed to the slow pace of demand to date for products with encryption capabilities.
From page 151...
... The longer they wait, the higher will be the percentage of companies that have already made their technol 47Many products require backward-compatibility for marketplace acceptance. Demands for backward-compatibility even affect products intended for operation in a stand-alone environment -- an institution with 2 million spreadsheet files is unlikely to be willing to switch to a product that is incompatible with its existing database unless the product provides reasonable translation facilities for migrating to the new product.
From page 152...
... Thus, the absence of a feature such as strong encryption that is desired but not easily available because of U.S. export controls counts as a distinct disadvantage for a U.S.
From page 153...
... Moreover, many of the information security measures that do not involve export controls are more difficult and costly than cryptography to implement, and so it is natural for vendors to focus their concerns on export controls on cryptography.
From page 154...
... Of course, it may well be that these estimates of loss are low, because companies are reluctant to publicize occurrences of foreign economic and industrial espionage since such publicity can adversely affect stock values, customers' confidence, and ultimately competitiveness and market share, or also because clandestine theft of information may not be detected. Furthermore, because all business trends point to greater volumes of electronically stored and communicated information in the future, it is clear that the potential for information compromises will grow -- the value of information that could be compromised through electronic channels is only going to increase.
From page 155...
... National Security Export Controls and Global Economic Competition, National Academy Press, Washington, D.C., 1987) pointed out that the emergence of strong foreign competition in a number of high-technology areas appeared in close temporal proximity to the enforcement of strong export controls in these areas for U.S.
From page 156...
... products with encryption capabilities are available to it.53 Export controls on cryptography are not the only factor influencing the future position of U.S. information technology vendors in the world market.
From page 157...
... U.S. vendors asserted that export controls had a significant negative effect on their foreign sales.
From page 158...
... of vendor outcry against the cryptography export control regime cannot be taken as vendor support for it. More specifically, the committee received input from a number of private firms on the explicit condition of confidentiality.
From page 159...
... company that makes products with strong encryption capabilities to a foreign company; • Selling products with encryption capabilities to foreign citizens on U.S. soil; • Teaching a course on cryptography that involves foreign graduate students; 54The Department of Commerce study is the most systematic attempt to date to solicit vendors' input on how they have been affected by export controls, and the solicitation received a much smaller response than expected.
From page 160...
... District Court for the District of Columbia on March 22, 1996. The issue at hand was the fact that Karn had been denied CCL jurisdiction for a set of floppy diskettes containing source code for cryptographic confidentiality identical to that contained in Bruce Schneier's book Applied Cryptography (which the State Department had determined was not subject to cryptographic export controls of any kind)
From page 161...
... Pierce, "Public Cryptography, Arms Export Controls, and the First Amendment: A Need for Legislation," Cornell International Law Journal, Volume 17(19)
From page 162...
... In such cases, NSA takes the blame for a negative decision, even when it had nothing to do with it. Critics of the present export control regime have made the argument that cryptography, as an item on the USML that is truly dual-use, should
From page 163...
... 4.8 TECHNOLOGY-POLICY MISMATCHES Two cases are often cited in the cryptography community as examples of the mismatch between the current export control regime and the current state of cryptographic technology (Box 4.11)
From page 164...
... In 1993, it was determined that Zimmermann was the target of a criminal investigation probing possible violations of the export control laws.2 Zimmermann was careful to state that PGP was not to be used or downloaded outside the United States, but of course international connections to the Internet made for easy access to copies of PGP located within the United States. In January 1996, the U.S.
From page 165...
... Put differently, when the export control regime is pushed to an extreme, it appears to be manifestly ridiculous. 4.9 RECAP Current export controls on products with encryption capabilities are a compromise between (1)
From page 166...
... Partly in response to expressed concerns about export controls, the export regime has been gradually loosened since 1983. This relaxation raises the obvious question of how much farther and in what directions such loosening could go without significant damage to national security interests.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.