ANS FOLLOW-UP TO THE IWG MEETING ON OCTOBER 15, 1999 REGARDING THE NEW ENCRYPTION EXPORT CONTROL POLICY
November 3, 1999
The Alliance for Network Security (“ANS”) members met with the Inter-agency Working Group (“IWG”) on October 15, 1999 to discuss the White House announcement of September 16, 1999 regarding the new encryption export control policy. The ANS members are 3Com, Cisco Systems, Hewlett-Packard, Intel, Lucent Technologies, Microsoft, NetScreen, Network Associates, Nortel Networks, Novell, RedCreek, Secure Computing and Sun Microsystems. ANS looks forward to working with the Administration in the drafting of regulations implementing the new encryption export control policy in the Export Administration Regulations (“EAR”, 15 CFR Part 730 et seq.).
The purpose of this White Paper is to provide additional information to the IWG regarding several issues that were raised in the course of the meeting on October 15, 1999.
III. Specific Issues Raised by the IWG
- A. Telco/ISPs and the Definition of “Government”
The White House announcement contemplates allowing exports under License Exception of cryptographic products to Telco/ISPs for subscriber use, while retaining some control over exports to, or for use by, “foreign government and military organizations”. ANS members believe that all Telco/ISPs should be authorized to receive all cryptographic products under License Exception, and that none of them should be regarded as falling within the definition of “government”. However, a Telco/ISP would be authorized to provide service to a government only if it used “retail” products that the government could procure for its own use. In summary, this balance is best achieved by:
- (1) Authorizing exports under License Exception to all Telco/ISPs, including Telco/ISPs that may be government agencies or government-owned;
- (2) Authorizing Telco/ISPs to provide services to commercial firms and non-government end-users using any encryption commodity or software; and
- (3) Authorizing Telco/ISPs to provide services to all subscribers, including foreign government and military organizations, using retail products.
We believe that points (2) and (3) above should not be controversial. The White House Fact Sheet of September 16, 1999 states:
Additionally, telecommunications and internet service providers may use any encryption software or commodity to provide services to commercial firms and non-government entities.
Additionally, telecommunications and internet service providers may use retail encryption commodities and software to provide services to any recipient.
The critical question is whether any Telco/ISPs themselves may be denied exports of encryption products (other than retail encryption products) under License Exception because they fall within the definition of “government” organizations. If Telco/ISPs fall within the definition of “government”, then the relief promised by the White House will prove illusory. In this regard, it is instructive to review the trend toward privatization of Telco/ISPs in world markets.
Historically, most foreign countries have provided telecommunications and internet services to their citizens through a single (monopolist) government agency or government-owned utility. We will refer to these as “incumbent” Telco/ISPs. There is a clear trend toward privatization of incumbent Telco/ISPs, by governments, worldwide. The underlying reasons are technological advances, growth in data traffic, and deregulation.
Rapid technological advances, combined with the development of decentralized network-based software (i.e., the internet), have led to substantial increases in transmission capacity at lower costs, reducing the value of the fixed networks constructed over many years by incumbent Telco/ISPs. In addition, the fixed networks that the incumbent Telco/ISPs constructed are optimized for voice, rather than data, whereas data traffic already exceeds voice traffic in many markets (like the U.S. and U.K.) and is predicted to grow much faster in the future. Finally, deregulation has resulted in the formation of alternative network and access providers, challenging the monopolies enjoyed by incumbent Telco/ISPs and reducing their profits. In Germany, for example, there are over 100 operators providing fixed telephony services today. In 1997, there was only one.
As a result of these trends, Governments perceive that holding onto their incumbent Telco/ISPs is increasingly risky. Incumbent Telco/ISPs are no longer safe, utility-type investments, let alone monopolies, as in the past. Therefore, governments are disposing of their incumbent Telco/ISPs, through issuance of stocks and bonds to the public and via strategic sales to other investors, in a process known as “privatization”.
Only a handful of incumbent Telco/ISPs have been completely privatized. The most prominent example is British Telecom. However, in some cases the government has retained only a token ownership. For example, the Government of Italy has retained only 4% of Telecom Italia. In almost all countries, there is an inexorable trend toward privatization, reflected by the debt and equity offerings and strategic sales described below. (All figures are for 1998, the last year for which statistics are available).
Some governments are privatizing their incumbent Telco/ISPs by issuing stock to the public. Altogether, incumbent Telco/ISPs raised over $45 billion through equity offerings in 1998. For example, the Swiss Government sold 34% of Swisscom in an initial public offering (“IPO”) that raised $6.4 billion. This was the largest ever equity offering in Switzerland, the largest European IPO of 1998, and the year’s largest privatization IPO. The Japanese Government completed the fourth phase of its privatization of Nippon Telephone and Telegraph, selling 6.28% of the company for $7.3 billion in 1998.
Other governments are privatizing their incumbent Telco/ISPs by issuing debt securities that are convertible into stock. For example, the French Government raised $2.2 billion through the issuance of debt convertible into shares of France Telecom, and the Singapore Government raised $1 billion in debt convertible into debt of Singapore Telecom, in 1998.
In addition, some governments are privatizing their incumbent Telco/ISPs through strategic sales. The Brazilian Government completed the largest Latin American privatization ever, when it sold 12 units of its incumbent, Telebras, for $19 billion to consortia led by Telefonica de Espana, Telecom Italia and Portugal Telecom in 1998. Telecom Italia also purchased a 25% stake in Telecom Austria for $2.4 billion, the largest ever privatization in Austria in 1998.
Total privatizations of incumbent Telco/ISPs in 1998 amounted to approximately $50 billion. In addition to the large deals described above, incumbent Telco/ISPs in Egypt, Israel, the Czech Republic, Tunisia, Malta, Poland, Qatar, Finland and Greece completed equity offerings in 1998. The Governments of Lithuania, El Salvador, Guatemala and Romania completed strategic sales in 1998. Also, in a second phase of privatization, Bell Atlantic issued a bond exchangeable into its previously acquired 25% of Telecom Corporation of New Zealand in 1998.
In summary, the paths toward privatization in different countries are varied, and the pace may be slower or faster, but the trend is consistent throughout Europe, Asia and Latin America. Governments are privatizing their incumbent Telco/ISPs, and allowing new companies to compete with them, throughout the world. Moreover, there is no clear distinction between an incumbent Telco/ISP that remains government-owned and one that has been privatized, in the equipment it must acquire or the services it seeks to provide. Therefore, we conclude that all Telco/ISPs should be authorized to receive cryptographic products under License Exception, and that none of them should be regarded as falling within the definition of “government”. U.S. authorities should take comfort in the fact that Telco/ISPs are not authorized to provide services to governments unless they use only retail products.
Not only Telco/ISPs, but also, by extension, other state-owned enterprises should be regarded as falling outside the definition of “government” if they are engaged in a commercial function. For example, state-owned airlines, banks, educational institutions and other entities that are not engaged in a core governmental function should not fall within the definition of “government” for purposes of the EAR. State and local governments also should be exempted. This is very important, because a broad definition of government could undermine the benefits of the new policy.
- Reporting of End-users in Connection with Indirect Sales
IWG members asked whether ANS members could report information regarding end-users in connection with indirect sales, for example, if the end-user has a support contract with the manufacturer.
ANS members believe it may be possible to supply end-user information for some of their largest customers. However, much of this kind of information exists in various forms and locations, and is maintained for limited periods. Therefore, it may be difficult or impossible to capture and report all such data. ANS members would be willing to supply information that is collected in the ordinary course of business and is readily available to headquarters in the U.S., consistent with the underlying principle that reporting should not require changes in business practice in particular companies.
- Export Compliance and Anonymous Electronic Downloads
IWG members asked how ANS members ensure compliance with the General Prohibitions prohibiting exports to denied parties and embargoed countries in connection with anonymous electronic downloads.
ANS members use a variety of techniques to ensure compliance with the EAR. For example, some companies use “pop-up” screens that advise the person requesting the download regarding export control compliance. Other companies include export control compliance language in their software license agreements. Companies also may reverse-resolve the incoming IP address in order to verify that it is not associated with a host in one of the embargoed/terrorist countries.
Notwithstanding these precautions, ANS members believe that there is no perfect screening device, and with anonymous downloads there is no information to screen against a denied parties list. There are two partial solutions available. First, ANS members believe that the exclusion from the “publicly available” definition for cryptography should be removed. Additionally, Section 734.2(b)(9)(ii) should be amended to reflect the new policy, such that making encryption software available for electronic download is not within the definition of “export”, so long as there is an access control system that checks the IP address of every system requesting or receiving a transfer and blocks any transfer that appears to originate in an embargoed destination.
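The two screening techniques described above (a lookup of the requesting IP address against address ranges attributed to embargoed destinations, and a reverse-DNS check on the resulting hostname) can be sketched as a small download-time access control. The following is an added example, not code from the ANS paper or any member company; every network range, country code, hostname and PTR record in it is constructed for illustration, and the `fake_reverse_resolve` table stands in for a real resolver so that it runs offline. It also shows the point the paper makes about imperfect screening: an address with no reverse-DNS record and no range match cannot be positively cleared, so the operator must choose whether such a transfer fails open or fails closed.

```python
"""Download-time screening of a requesting IP address against embargoed
destinations.  Added example; all data below is constructed."""
import ipaddress
from typing import Callable, Optional, Tuple

# Constructed: address ranges a geolocation feed might attribute to an
# embargoed destination, keyed by a made-up two-letter code.  The /25 on the
# second entry shows that range granularity matters: 198.51.100.200 falls
# outside it.
EMBARGOED_NETWORKS = {
    "XA": [ipaddress.ip_network("203.0.113.0/24")],
    "XB": [ipaddress.ip_network("198.51.100.0/25")],
}

# Constructed: country-code TLDs treated as embargoed (not a real list).
EMBARGOED_CCTLDS = {"xa", "xb"}

# Constructed reverse-DNS table standing in for socket.gethostbyaddr(), so the
# example runs without network access.  Addresses are from the RFC 5737
# documentation ranges.
FAKE_PTR_RECORDS = {
    "203.0.113.7": "dialup-7.isp.example.xa",
    "192.0.2.10": "mail.example.com",
    "192.0.2.11": "host11.provider.xb",
}


def fake_reverse_resolve(ip: str) -> Optional[str]:
    """Hypothetical resolver: return the PTR name for ip, or None if absent."""
    return FAKE_PTR_RECORDS.get(ip)


def screen_download(
    ip: str,
    resolve: Callable[[str], Optional[str]] = fake_reverse_resolve,
    fail_closed: bool = False,
) -> Tuple[bool, str]:
    """Decide whether a download request from `ip` may proceed.

    Returns (allowed, reason).  The checks run in order of confidence:
    1. the address must parse and be a routable unicast address;
    2. a match against an embargoed address range blocks the transfer;
    3. a reverse-DNS name ending in an embargoed ccTLD blocks the transfer;
    4. otherwise the transfer is allowed, unless the address could not be
       reverse-resolved and the operator chose a fail-closed policy.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False, "malformed address"

    # Loopback, link-local and multicast sources cannot be attributed to any
    # destination, so they are refused rather than guessed at.
    if addr.is_loopback or addr.is_link_local or addr.is_multicast:
        return False, "non-routable source address cannot be screened"

    for code, networks in EMBARGOED_NETWORKS.items():
        if any(addr in net for net in networks):
            return False, f"address in embargoed range ({code})"

    host = resolve(ip)
    if host is None:
        if fail_closed:
            return False, "unresolvable address and fail-closed policy"
        return True, "no embargo indicator (no reverse DNS record)"

    tld = host.rstrip(".").rsplit(".", 1)[-1].lower()
    if tld in EMBARGOED_CCTLDS:
        return False, f"reverse DNS ends in embargoed ccTLD .{tld}"

    return True, "no embargo indicator"


if __name__ == "__main__":
    for sample in ("203.0.113.7", "192.0.2.11", "192.0.2.10", "198.51.100.200"):
        print(sample, screen_download(sample))
```

The range check is placed before the reverse-DNS check because an address-range match does not depend on the remote network operator having published a PTR record, whereas the hostname check can only ever confirm, never clear, a request; that ordering is what makes the fail-open/fail-closed choice at the end explicit rather than accidental.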
- Small Office / Home Office Networking Products
The definition of “retail” is problematic. ANS members understand that the narrow definition of “retail” is intended to exclude certain networking products. However, the scope of products excluded by the definition of “retail” and the underlying rationale are not clear. For example, are cable modems, which today are leased from service providers and not available over-the-counter, excluded from the definition of “retail”?
ANS members would prefer that the Administration identify those products that create concern, rather than casting a “broad net” in order to control what may be a fairly small number of products. ANS members would be pleased to review and provide comments, if the Administration were to propose such a list. However, we do not feel that we are in a position at this point to propose such a list, because we do not understand the scope of items that are of particular concern to the Administration.
Whether the Administration chooses to propose a list, or to publish a definition of “retail”, we recommend that products designed for small office or home office use (i.e., products that are not exclusively designed for, and marketed to, enterprise customers) should be eligible for export to all customers, including governments, under License Exception.
- Export Controls on Open Source Software
The basic concept of “open source” software (and its cousin, “community source”) is that when programmers on the Internet can read, redistribute, and modify software source code, it evolves rapidly. Programmers around the world can improve, adapt and fix bugs in the software more quickly and cost-effectively than any single company could. The business case for open source software is made eloquently in Eric Raymond’s The Cathedral and The Bazaar (http://www.tuxedo.org/~esr/writings/cathedral-bazaar/cathedral-bazaar.html).
When cryptographic software is developed as “open source” there are two distinct benefits. Not only are bug fixes and enhancements made quickly, but also a higher level of confidence develops among users that the software does not incorporate “backdoors” or other vulnerabilities that could compromise the user’s data, because the community of developers at large can examine, expose and fix any such vulnerabilities.
Generally, open source software is transferred under license agreements that impose minimal restrictions on the redistribution and modification of the software. The General Public License for the Linux operating system can be found at ftp://prep.ai.mit.edu/pub/GNU/COPYING. The License Agreement for the popular Apache HTTP Server can be found at http://www.apache.org/foundation/records/minutes/1999/board_minutes_1999_09_16.txt. The Mozilla Public License for the ubiquitous Netscape Communicator browser can be found at http://www.mozilla.org/MPL/.
ANS members, including Hewlett-Packard and Sun Microsystems, are making important software platforms available as “open source” or “community source”. ANS members propose that open source software should be eligible for unrestricted export, because it is “publicly available”. Retaining Encryption Item controls on open source software restricts Americans and American companies from participating fully in one of the most exciting and innovative software development “bazaars” of modern time.
- Controls on Toolkits and Linkable Modules in Executable (Object Code) Form
ANS members believe that toolkits and linkable modules in executable (object code) form should be eligible for export under License Exception after a one-time technical review. The rationale is that toolkits and linkable modules in executable (object code) form contain a defined set of cryptographic features that are fixed, and therefore are amenable to a one-time technical review, just as chips contain a defined set of cryptographic features that are fixed.
- Information Collection — Toolkits and Linkable Modules in Executable Form
ANS members understand that the government may be interested in knowing what foreign-made original equipment manufacturer (“OEM”) products might incorporate U.S.-origin toolkits and linkable modules in executable form, just as it has expressed interest in knowing what foreign-made products might incorporate U.S.-origin chips. Therefore, we recommend that exporters provide non-proprietary information regarding OEM products incorporating their toolkits and linkable modules, such as publicly available data sheets and marketing brochures, to the extent that such information may be collected by the exporter in the ordinary course of business. On the other hand, exporters would not be required to provide information if the toolkit or linkable module is exported to a customer for implementation in the customer’s proprietary application.
- Scope and Effect of EU Data Privacy Directive on Reporting
The EU Data Privacy Directive and similar laws that exist around the world regulate the collection and use of personal data (which includes a person’s name, contact information such as address or telephone number, and any other “information relating to an identified or identifiable natural person”). Entities collecting personal data must disclose several things to the persons from whom the data is collected. These mandatory disclosures include: the purposes for which the data is collected and used; who will receive, use or process the data; and the consequences (if any) of failing to provide the information. Once the data has been obtained, these laws require that it be used and stored only for the purposes for which it was collected.
Unfortunately, these restrictions on use of the data can be interpreted in different ways. A broad interpretation would be that as long as the data collector gives notice of all uses of the data, the individual implicitly consents to those uses by proceeding with the transaction. However, a narrow interpretation would mean that, absent explicit consent, the data can only be used for the primary purposes for which it was collected – which is equivalent to the reason why the individual provided the data. For example, if a name and address were collected by a mail-order software retailer so that a product could be shipped to the purchaser, the primary purpose for which the person supplied the data was to permit the retailer to ship the product. Any other use beyond that (such as supplying the data to the US government to satisfy reporting requirements) would require the specific consent of the individual, and the individual would have the right to opt out of such secondary uses.
Because the EU Directive merely instructs the EU member countries to implement conforming national legislation, the interpretations can vary from country to country. Moreover, the many other countries that have laws modeled on the EU Directive may also have differing interpretations. What is clear is that there will be at least some national privacy laws that will interfere with US companies’ ability to freely pass along names and addresses of individual customers.
ANS members look forward to working with the Administration on these and other aspects of the new encryption policy.