ANS WHITE PAPER: IMPLEMENTATION OF ENCRYPTION EXPORT POLICY ’99
October 15, 1999
The Alliance for Network Security (“ANS”) welcomes the White House announcement of September 16, 1999 regarding the new encryption export control policy. The ANS members are 3Com, Cisco Systems, Hewlett-Packard, Intel, Lucent Technologies, Microsoft, NetScreen, Network Associates, Nortel Networks, Novell, RedCreek, Secure Computing and Sun Microsystems. ANS looks forward to working with the Administration in the drafting of regulations implementing the new encryption export control policy in the Export Administration Regulations (“EAR”, 15 CFR Part 730 et seq.).
This White Paper provides recommendations with respect to several important elements of the new encryption export control policy: (1) the reporting requirements, (2) the definition of “government”, (3) the definition of “retail”, and (4) technical reviews.
III. Reporting Requirements
The Statement by the Press Secretary says that the post-export reporting will reflect “industry business models and distribution channels”. Set forth below are (A) the principles upon which the reporting requirements should be based, (B) the distribution models for the different reporting requirements, and (C) several examples.
A. Principles Underlying Reporting Requirements
ANS members believe that the reporting requirements should be based upon the following principles:
- Reporting should be simplified, wherever possible,
- Reporting should vary according to method of distribution,
- Reporting should apply to exports, not to reexports,
- Reporting should not exceed product, quantity and recipient,
- Reporting should not exceed data that is collected at the time of export in the ordinary course of business,
- Reporting should not include data protected under the EU Privacy Directive and similar enactments.
B. Methods of Distribution Employed by ANS Members
ANS members distribute products using three primary methods:
- Direct sales
- Indirect sales
- Electronic sales
C. Examples of Reporting Requirements According to Method of Distribution
Applying the principles set forth above to the three methods of distribution would result in the following reporting:
- Direct Sales of Packaged Products – End-user Information
In some cases, ANS members export directly to end-users. Such sales are small in comparison with indirect sales. For some ANS members, direct sales are less than 10% of overall sales. However, exporters are required to maintain records of exports from the United States, pursuant to Section 762.1 of the EAR. These records typically take the form of Enterprise License Agreements, and/or Shipper’s Export Declarations reflecting sales of goods shipped directly to end-users. Based on these kinds of records, it may be possible to produce reports of shipments reflecting the end-user, in the case of direct sales.
- Indirect Sales of Packaged Products – “First Sale” Information
For most ANS members, indirect sales exceed direct sales, in some cases by a considerable margin. By “indirect”, we mean that (at least) one party – for example a distributor, reseller, value-added reseller, etc. – takes possession of and title to the product prior to delivery to the end-user. A chart reflecting the variety of indirect sales channels is set forth as Figure A. Because distribution channel partners typically do not want to provide the identity of the end-user to the manufacturer, it is not practical for exporters to report the end-user. Therefore, we recommend that reporting be limited to the name and address of the foreign distribution partner to whom products are shipped, i.e., the “First Sale”.
Figure A Examples of Direct vs. Indirect Sales Channels
- Electronic Downloads – Information Collected in the Ordinary Course of Business.
Electronic downloads are a very significant segment of the market for most ANS members. Some ANS members collect information on electronic downloads; others permit anonymous downloads. Therefore, we recommend that reporting be limited to only such information as the exporter may collect in the ordinary course of business. If a company permits anonymous downloads, then it would file a report that disclosed only the number of downloads of the product (but not the recipient), in the applicable reporting period.
- Timing of Reports
Reports should be submitted 90 days after the close of the reporting period.
IV. Definition of “Government”
The Statement by the Press Secretary says that the new encryption export control policy will include a “process that permits the government to review the exports of strong encryption to foreign government and military organizations”. In order to determine when an export does not qualify under License Exception, and must go through this process, ANS members believe that the regulations should include a definition of “government” in Part 772 of the EAR. We recommend that the definition of “government” be as follows:
Government. As applied to encryption items, means any entity that is engaged in a defense, intelligence or foreign affairs function and does not include an entity engaged in a commercial, civic or other function, such as state or local governmental entities and municipalities. For example, a national ministry of post and telecommunications, including telecommunications and internet service providers that are wholly-owned by any such entity, is not within the definition of “government”.
Statistics comparing public consumption, private consumption, and investment as a percentage of Gross Domestic Product in various countries suggest that a broad definition of “government” would significantly impact ANS member companies seeking to distribute networking products in major markets. See Figure B, below.
Figure B Components of GDP in Selected Countries
Source: Economist: World In Figures 1999 (Note: Figures do not total 100% due to trade surpluses/deficits)
V. Definition of “Retail”
The Statement by the Press Secretary says that “retail” products may be exported to any end-user, including government end-users. The Fact Sheet adds: “[r]etail encryption commodities and software are those products which do not require substantial support for installation and use and which are sold in tangible form through independent retail outlets, or products in tangible or intangible form, which have been specifically designed for individual consumer use.” We recommend that the definition of “retail” be as follows:
Retail. License Exception ENC (“retail” encryption commodities and software) is available to all destinations, except Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria, for the export and re-export of commodities and software that:
- Are distributed in any form through independent retail outlets or directly by the manufacturer, including over-the-counter transactions, mail order transactions, telephone call transactions, or electronic commerce transactions, including subscription services, or
- Are distributed in any form, which have been specifically designed for individual consumer use, including networking products designed for small-office/home-office use, and
- Are designed for installation and use without further substantial support by the supplier.
One key to qualification under Part 1 seems to be the independence of the retail outlet. If the retail outlet is independent of the supplier, then whether it accepts orders over-the-counter or using the mail, telephone or internet, and whether it delivers products in tangible or intangible form, should not be disqualifying. Limiting this provision to retail stores that offer products in shrink wrapped boxes would discriminate against electronic commerce vendors who offer software as a subscription service. In addition, however, ANS notes that manufacturers who may choose to distribute products directly to their customers, bypassing middlemen, should not be discriminated against. Some encryption products, like downloadable browsers, upgrades and patches, are almost always distributed directly.
The key to qualification under Part 2 should be the intended end-user of the product, and ANS members are concerned that the term “individual consumer use” may be too limiting without further elaboration. Increasingly, networks are being deployed in personal residences, as telecommunications and internet service providers deploy broadband connections using cable modems and digital subscriber lines. The definition should not be interpreted to preclude distribution of products designed for smaller networks, known in the industry as “small-office/home-office” products.
VI. Technical Reviews
A. Scope and Process
The scope of the technical review should be no broader than the review currently conducted for 56-bit products. The developer would be required to submit information concerning the algorithm, key length, key exchange mechanism, pre- and post-processing of data, and information supporting a determination that the product qualifies as “retail”. The exporter would be authorized to export to all entities except governments fifteen days after submission, with the understanding that this authorization does not affect the applicant’s obligation to provide information that is accurate and complete. The exporter would not be authorized to export to governments until approval of the one-time review. All reviews should be completed in 30 days.
Products already approved for export under license exception or license should be “grandfathered” for exports to all entities except governments. Notification would be required for increases in key length in products previously approved for export.