Easy Guide to Encryption Export Controls


Dorothy E. Denning and William E. Baugh, Jr.

September 25, 1999



Commercial encryption items are subject to export control under the Export Administration Regulations (EAR). The EAR specifies the regulations governing exports and reexports of encryption items on the Commerce Control List (CCL). The term "export" is defined in the EAR as an actual shipment or transmission of items out of the United States or transfer of software in the United States to an embassy or affiliate, or release of technology to a foreign national in the United States. The term "reexport" is defined as an actual shipment or transmission of items from one foreign country to another, or release of technology or software to a foreign national outside the United States. It includes shipments of foreign products to US subsidiaries in foreign countries. The EAR considers any release of technology to a foreign national of another country as a "deemed export" or "deemed reexport" to the home country of the foreign national. In this guide, the term "export" is generally used to include reexports.

There are three classes of encryption items on the CCL. They are defined in Supplement No. 1 to Part 774, Category 5, Part II -- Telecommunications and Information Security of the EAR. Each is designated with an Export Control Classification Number (ECCN):

5A002 -- systems, equipment, hardware components and assemblies

5D002 -- software

5E002 -- technology for the development, production, or use of equipment or software controlled by 5A002 or 5D002, including information that takes the form of technical assistance

Items that provide confidentiality protection are subject to encryption item (EI), national security (NS), and anti-terrorism (AT) controls. Items that provide authentication, access control, anti-piracy protection, and other non-confidentiality functions are not subject to EI controls, however, they are subject to AT controls.

This document describes the regulations prior to the administration's September 16, 1999 announcement of plans to liberalize export controls. Under these regulations, encryption items may be exported under one of the following:

1. A license exception TMP, BAG or GOV. No license or paper work is required.

2. A license exception ENC, KMI, or TSU. A classification request involving a one-time technical review is required.

3. An Encryption Licensing Arrangement (ELA), which allows exports to classes of end users in specified sales territories.

4. An individual license (IVL), which names specific end-users.

5. No license required (NLR), however items are subject to anti-terrorism (AT) export controls.

The table summarizes the regulations. The columns represent classes or sectors of end users and the rows classes of cryptographic items. The entries inside the table indicate the licensing conditions that apply. An "ok" means export controls do not apply.

The rows of the table are ordered, to the extent possible, from most general to most specific. Product categories further down in the table are more likely to be exportable to arbitrary sectors of commercial users under a license exception ENC, TSU, or KMI than those near the top. However, even those products at the top are exportable under a license exception to certain sectors, namely US subsidiaries, financial institutions, health and medical end-users, and on-line merchants. Indeed, US subsidiaries are eligible to receive any product under license exception ENC. Products in the lower half of the table are subject to the AT controls of the EAR, but no license is required (NLR).

In determining eligibility for export, one should look for the most favorable conditions. For example, a product whose functionality is limited to encrypting certain fields for financial services can be shipped as a financial-specific product through a license exception ENC after a one-time review by the Commerce Department.

The following describes each of the columns, rows, and entries in the table. All references are to parts and sections of the EAR. The EAR is on the Web at http://www.access.gpo.gov/bxa/.

End Users (Columns)

US or Canadian citizen. The sale and distribution of encryption items to US citizens and permanent residents in the US, the Commonwealth of Puerto Rico, or the Commonwealth of the Northern Mariana Islands or any territory, dependency, or possession of the United States is not export-controlled. Exports to Canada are also not controlled. There are no controls on the domestic use of encryption or on imports of encryption items into the US. See 734.2(b)(8) and 742.15(a).

The remaining columns all correspond to destinations outside of the US.

Personal. U.S. persons can take encryption items out of the country, for example, on a laptop computer, for personal use without a license under the license exception BAG (baggage). See 740.14.

Business. An exporter or employees of the exporter may take encryption items out of the country, for example, on a laptop for business use without a license under the license exception TMP (Temporary Imports, Exports, and Reexports). The items must remain in the exporter or employee's effective control. See 740.9.

US government. Encryption items of any type can be exported to US government personnel and agencies for personal or official use under license exception GOV. See 740.11.

US subsidiary. Subsidiaries of U.S. companies are eligible to receive general-purpose encryption commodities and software of any key length, including encryption chips, integrated circuits, toolkits, executable or linkable modules, technology, and source code under license exemption ENC for internal company proprietary use or for development purposes. A license is required to export products to strategic partners of US companies, such as subcontractors and joint ventures, but such entities are given favorable consideration when the end-use is for protection of US company proprietary information. All destinations are permitted except Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria. Exports to US subsidiaries under ENC do not need to be reported. See 740.17(a)(2) and 742.15(b)(8).

Financial institution. This category includes banks, security firms, brokers, credit-card companies, and insurance companies. Entities in this category are eligible to receive general-purpose, non-voice encryption commodities and software of any key length under license exception ENC. End use is limited to secure business financial communications or transactions and financial communications/transactions between the financial institution and its customers. Customer-to-customer communications are not permitted. Only destinations listed in Supplement No. 3 to Part 740 (see below) are eligible for this exception, however exports may be made worldwide to branches of banks or financial institutions headquartered in these countries. Exports that are not eligible under ENC, except to Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria, will generally be approved under an ELA. Exports to financial institutions under ENC need not be reported. See 740.17(b)(1), 740.17(d), and Part 772.

Health/medical. This category includes any organization whose primary purpose is the provision of medical or other health services. These organizations are eligible to receive encryption commodities and software of any key length under license exception ENC. End use is limited to securing health and medical transactions. Customer-to-customer communications are not permitted. Non-US biochemical and pharmaceutical manufacturers, and non-US military health and medical entities are not eligible for license exemption ENC. Only destinations listed in Supplement No. 3 to Part 740 are eligible. Exports that are not eligible under ENC, except to Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria, will generally be approved under an ELA. Recipients of encryption products exported under ENC or an ELA must be reported to BXA biannually. See 740.17(b)(2), 740.17(d), and Part 772.

On-line merchant. Any entity regularly engaged in lawful electronic commerce is eligible to receive certain encryption commodities and software of any key length under license exception ENC. Encryption items must be limited to client-server applications (e.g., SSL) or applications specially designed for on-line transactions for the purchase or sale of goods and software, and services connected with such, including interactions between purchasers and sellers necessary for ordering, payment, and delivery of goods and software. On-line merchants in destinations listed in Supplement No. 3 to Part 740 are eligible unless they are engaged in the manufacture or distribution of items or services controlled on the U.S. Munitions List. Other destinations, except Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria, may be considered under an ELA. Recipients of encryption products exported under ENC or ELA must be reported to the BXA. See 740.17(b)(3), 740.17(d), 742.15(b)(6), and Part 772.

Most firms. Any entity is eligible to receive encryption products of any key length under a license exception KMI if the product provides key recovery encryption. Products that are recoverable may be exported under an ELA to foreign commercial firms located in countries with one or two asterisks in Supplement No. 3 to Part 740. Branches of commercial entities headquartered in countries with two asterisks are eligible to receive recoverable encryption items unless located in the terrorist-supporting countries. Non-recoverable products are exportable to the sectors as noted previously and on a case-by-case basis. Highly field formatted products and products whose key sizes are limited to 56 bits are also exportable.

Other. This category includes any entity operating outside the U.S. or a foreign national inside the U.S. In general, commodities and software with key lengths greater than 56 bits are not exportable to these users without an individual license. Such persons are, however, eligible to receive products with 56-bit keys (or shorter) under license exception ENC or TSU, highly field formatted products of any key length when used for financial transactions under license exception ENC, and products of any key length that provide key recovery under license exception KMI. Exceptions are to destinations in Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria. See 740.17(a)(1,3), Supplement No. 6 to Part 742, and 740.8.

Cryptographic Items (Rows)

General encryption products. This category includes any encryption commodity or software of any key length, including chips, integrated circuits, source code, software toolkits, and executable or linkable modules. General-purpose products can be taken out of the country by US persons for personal use under license exception BAG and for business use under license exception TMP. They can be exported to US government personnel and agencies under license exception GOV and exported to subsidiaries of US companies under license exception ENC. They may be exported to others under an ELA or IVL. Strategic partners are given favorable consideration if the encryption is used to protect US company proprietary data.

End-use encryption products. This category includes any encryption commodity or software of any key length that is a finished product, usually in object code. It excludes chips, integrated circuits, source code, software toolkits, executable or linkable modules, and other tools for creating new products or for altering the confidentiality or key exchange mechanisms. Products in this category can be exported under license exception ENC to financial institutions and health and medical end-users. Certain items (client-server or specially designed for on-line transactions) can be exported to on-line merchants for end-use related to the services offered.

Recoverable encryption. This category includes any encryption commodity or software of any key length that allows recovery of the plaintext of encrypted data without the knowledge or assistance of the end-user, for example, at a server or intermediate node in a network. Recoverable products are generally exportable under an ELA to companies operating in countries designated with a * or ** and to subsidiaries of companies in countries designated with a ** in Supplement No. 3 to Part 740. Service providers, including telecommunication companies (telcos) and Internet service providers (ISPs), are permitted to use encryption items under this arrangement only for protecting company proprietary information. Items cannot be used to provide services to customers. See 742.15(b)(7) and Part 772.

Key-recovery/escrow encryption. This category includes any encryption commodity or software of any key length that meets the key recovery criteria identified in Supplement No. 4 to Part 742. The criteria require that products be resistant to efforts to disable or circumvent the key recovery feature. Key recovery products are generally exportable under license exception KMI to end users in any destination except Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria. See 740.8.

Financial-specific encryption. This category refers to encryption that is specifically designed and limited for use in the processing of electronic financial transactions. The encryption can be used to protect such fields as a merchant's identification, a customer's identification and address, the merchandise purchased, and payment information, but cannot be used for general encryption of data. There are no limits on key length. Financial-specific encryption is exportable under license exception ENC to end users in any destination except Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria. See 740.17(a)(1).

Non-mass market (56-bit) encryption. This category covers encryption commodities and software incorporating symmetric encryption with key sizes up to and including 56 bits, such as DES or equivalent (e.g., RC2, RC4, RC5, and CAST). Products can use the same or double key size for symmetric key exchange with a symmetric algorithm, and up to and including 1024-bit keys for key exchange with an asymmetric algorithm (e.g., Diffie-Hellman or RSA). They can be hardware or software, but must not allow the alteration of the cryptographic functionality by the user or any program. They are generally exportable under the ENC license exception to any destination except Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria. Exports of non-mass market products to foreign military and government end-users must be reported. See 740.17(a)(3) and 740.17(d).

Mass market (56-bit) encryption. This category has all of the constraints as the preceding, plus the additional constraint of being classified as mass market, that is, available to the public through retail sales outlets and through phone and mail-order transactions. The software or hardware must be designed for installation by the user without further substantial support by the supplier. Items are exportable either under a TSU license exception for software or an ENC exception hardware. If the symmetric algorithm is DES, RC2, RC4, RC5, or CAST, items may be eligible for a 7-day review process. Products with other algorithms, including company proprietary algorithms, may be eligible for 15-day processing. Mass market products can be exported to any destination except Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria. There are no reporting requirements for mass market products. See 740.17(a)(3), 742.15 (b)(1)(I), and Supplement No. 6 to Part 742.

Software updates. Software updates for the purpose of correcting bugs is exportable under license exception TSU to any entity who lawfully received the original product. See 740.13(c).

Operation technology/software, sales technology. This category covers technology and software used for the installation, operation, maintenance, and repair of lawfully exported products and data supporting a prospective or actual quotation, bid, or offer, as long as it does not disclose details that the consignee could reduce to production. Items in this category are exportable under the TSU license exemption. See 740.13.

Technical assistance to developers. A license is required to provide technical assistance to foreign persons with the intent to aid in the development and manufacture of export-controlled encryption commodities and software. Licenses are reviewed on a case-by-case basis to determine whether the activity is consistent with US national security and foreign policy interests. See 744.9.

Technical assistance to end users. No license is required to provide technical assistance to end users for the purpose of aiding in the selection, installation, operation, and use of encryption items. See 740.13

Encryption source code (public) in print. Source code that is printed in books or other print media and is made publicly available is not export-controlled. See 734.3(b)(2).

Educational encryption information. Information released by instruction in catalog courses and associated teaching laboratories of academic institutions is not subject to the EAR. See 734.9.

Anti-piracy decryption. Products with a decryption function that can be used only to receive radio broadcasts and pay television or to allow the execution of copy-protected software are controlled for anti-terrorism (AT) reasons and classified as 5A992 or 5D992. See Part 774, Category 5, Part II, "related controls" under ECCNs 5A002 and 5D002.

Anti-viral/malicious code. Software with cryptographic functions that are used to protect against malicious computer damage, e.g., viruses, is subject to AT controls and classified under 5D992. See Part 774, Category 5, Part II, "related controls" under ECCN 5D002.

Digital compression. Equipment and software providing fixed data compression or coding techniques is subject to AT controls and classified under 5A992 or 5D992. See Part 774, Category 5, Part II, "related controls" under ECCNs 5A002 and 5D002.

Mobile phones with link encryption. Portable mobile phones for civil use that are not capable of end-to-end encryption is subject to AT controls and classified under 5A992. See Part 774, Category 5, Part II, "related controls" under ECCN 5A002.

ATMs, point-of-sale terminals. Cryptographic equipment specially designed and limited for use in machines for banking or money transactions, such as automatic teller machines, self-service statement printers, and point-of-sale terminals is subject to AT controls and classified under 5A992. See Part 774, Category 5, Part II, "related controls" under ECCN 5A002.

Smart cards without user encryption. Personalized smart cards or other components that do not allow for user message encryption is subject to AT controls and classified under 5A992. See Part 774, Category 5, Part II, "related controls" under ECCNs 5A002.

Authentication only. Equipment and software that computes a message authentication code, digital signature, or similar result for the purpose of ensuring source and data authenticity is subject to AT controls and classified under 5A992 or 5D992 if the items do not allow for encryption except as needed for authentication. See Part 774, Category 5, Part II, "related controls" under ECCNs 5A002 and 5D002.

Access control only. Devices and software that protect passwords, PINs, and similar data which is used to control access to facilities and systems is subject to AT controls and classified under 5A992 or 5D992 if the items do not allow for encryption except as related to password or PIN protection. See Part 774, Category 5, Part II, "related controls" under ECCNs 5A002 and 5D002.

Export Conditions and Licenses (Table Entries)

ok. Export controls do not apply.

BAG. Items are exportable under license exception BAG (baggage). This exception allows US citizens and permanent residents to take encryption items out of the country as part of personal baggage either temporarily (i.e., traveling) or longer-term (i.e., moving). No application or paper work is required. All destinations are allowed except Cuba, Iran, Iraq, Libya, North Korea, Sudan, Syria, Serbia and Montenegro. See 740.14 and Country Group E:2 (UN Unilateral Embargo list).

ELA. Items are exportable to classes of end users in a specified sales territory under an Encryption Licensing Arrangement. ELAs can be used to export recoverable encryption products of any key length to companies operating in countries designated with a * or ** and to subsidiaries of companies in countries designated with a ** in Supplement No. 3 to Part 740. They can also be used to export commodities and software of any key length to banks and financial institutions (including insurance companies), health and medical end-users, and on-line merchants in other destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria. For exports to health and medical end-users and on-line merchants, the names and address of end-users must be submitted to BXA. See 742.15.

ENC. Items are exportable after a one-time product review under a license exception ENC (encryption commodities and software). This exception is used to export encryption commodities and software of any key length to financial institutions, health and medical end-users, and on-line merchants in destinations listed in Supplement No. 3 to Part 740 It is also used to export financial-specific (highly field formatted items) encryption products of any key length, and to export mass market commodities and non-mass market commodities and software with key sizes limited to 56 bits, provided the products do not allow the alteration of the cryptographic functionality by the user or any program. Additionally, ENC is used to export encryption commodities, software (including toolkits and chips), and technology to US subsidiaries in any country except Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria. Applicants must submit a classification request. In addition, exporters must submit reports for exports to health and medical end-users and on-line merchants giving the names and addresses of end-users. For non-mass market commodities and software with key lengths limited to 56 bits, exporters must report exports to government and military end-users. See 740.17.

GOV. Items are exportable under a license exception GOV. This exception authorizes exports of encryption items for personal and official use by personnel and agencies of the US government. There are no reporting requirements. See 740.11.

IVL. Items are exportable under an individual license. Individual licenses are required to export general encryption products of any key length except for personal or business use by US citizens or US exporters and employees of the US exporter or for use by US government personnel and agencies, US subsidiaries, banks, financial institutions, health and medical end users, and online merchants. They are also required in order to provide technical assistance to foreign developers of encryption products, for exports to strategic partners of US firms to protect US intellectual property, or to export technology other than to a US subsidiary. License applications must identify the end users and their address. They are reviewed on a case-by-case basis. See 744.9.

KMI. Items are exportable after a one-time product review under a license exception KMI (key management infrastructure). This exception allows exports of encryption commodities and software of any key length with an acceptable key recovery function. Products must be resistant to efforts to disable or circumvent the key recovery feature and must not interoperate with products whose key recovery features have been rendered inoperative. All destinations are eligible except Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria. Applicant must submit a classification request and semiannual reports giving the names and addresses of the ultimate consignees and, if available, specific end-users. See 740.8 and Supplement No. 4 to Part 742.

NLR. Items are controlled for anti-terrorism (AT) reasons and classified under 5A992 or 5D992. No license is required (NLR), but exporters may submit a classification request to confirm product status. Products cannot be exported to the terrorist-supporting countries. See 748.3(c).

TMP. Items are exportable under license exception TMP (Temporary Imports, Exports, and Reexports). This exception allows exporters or employees of exporters to take encryption items (i.e., tools of the trade) for business use. The items must remain in the exporter or employee's effective control. TMP also allows exhibition and demonstration of encryption items in countries located in Country Group B for no more than 120 days in one location. The products must be returned to the US in one year unless BXA grants permission for additional time. See 740.9.

TSU. Items are exportable under a license exemption TSU (technology and software -- unrestricted). This exception allows for exports of technology and software used for the installation, operation, maintenance, and repair of lawfully exported products and data supporting a prospective or actual quotation, bid, or offer. Operation software must be in object code. It also allows for exports of mass market software with key sizes limited to 56 bits (after a one-time technical review) -- applicant must submit a classification request. There are no reporting requirements. See 740.13 and Supplement No. 6 to Part 742.

Classification Requests and License Applications

Classification requests and applications for licenses and licensing arrangements are made with the Bureau of Export Administration (BXA) on form BXA-748P. The forms can be obtained from any U.S. Department of Commerce District Office or the following (see 748.2 for additional addresses):

Export Counseling Division, U.S. Department of Commerce
14th Street and Pennsylvania Ave., N.W., Room H1099D
Washington, DC 20230, Ph: 202-482-4811, Fax: 202-482-3617
The completed forms are sent to:
Bureau of Export Administration, U.S. Department of Commerce
14th Street and Pennsylvania Ave., N.W., Room 2705
Washington, DC 20044
Attn: Application Enclosed
For classification requests, an additional copy is sent to:
Attn. Mass Market or ENC Encryption Request Coordinator
P.O. Box 246
Annapolis Junction, MD 20701-0246
Applications can also be made via the Internet through SNAP. See BXA's homepage at www.bxa.doc.gov. Applicants must first get an Applicant ID and PIN.

Supplement No. 3 to Part 740. Countries eligible to receive general-purpose encryption commodities and software.

Anguilla*
Antigua*
Argentina*
Aruba*
Austria**
Australia**
Bahamas*
Barbados*
Belgium**
Brazil*
Canada**
Croatia
Czech Republic*
Denmark**
Dominica*
Ecuador*
Finland**
France **
Germany**
Greece*
Hong Kong
Hungary*
Iceland**
Ireland**
Italy**
Japan**
Kenya*
Luxembourg**
Monaco*
The Netherlands**
New Zealand**
Norway**
Poland*
Portugal**
St. Kitts & Nevis*
St. Vincent/Grenadines*
Seychelles*
Singapore
Spain**
Sweden**
Switzerland**
Trinidad & Tobago*
Turkey*
Uruguay*
United Kingdom**
United States**

* Commercial entities and their branches located in these countries or any country listed in this Supplement and designated with one or two asterisks are eligible to receive "recoverable" encryption commodities and software of any key length for internal company proprietary use. See 742.15(b)(7).

**Commercial entities headquartered in these countries and their branches wherever located (except Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria) are eligible to receive "recoverable" encryption commodities and software of any key length for internal company proprietary use. See 742.15(b)(7).

Export Control Questions

1. Can a US citizen exit and enter the US with greater than 56-bit encryption installed on a personal laptop?

Yes. Any US citizen or permanent resident can do this as long as the laptop is effectively controlled while traveling or residing outside the US. No license is needed except when traveling to embargoed or terrorist countries (see the provisions of license exceptions TMP and BAG for details). No paperwork is required.

2. Is it ok for a US citizen to use greater than 56-bit encryption when communicating with someone outside the US?

Yes. The use of encryption is not regulated. In order to communicate, however, the two people must use encryption technologies that interoperate. If they use compatible products made in their respective countries, no licenses are needed. But if they both want to use a US product, a license is needed to export it to the foreign party. There are no applicable license exceptions for exporting products with greater than 56-bit keys to individuals for personal use. Alternatively, the two people might each import and use a product made in a foreign country that imposes fewer export restrictions, but the US person cannot import the product and ship it to the foreign party, as this constitutes an export, which is controlled. As international standards are adopted, interoperability will be easier to achieve across vendors.

3. Can a multi-national corporation communicate from the US to its subsidiaries using greater than 56-bit data or voice encryption?

Yes. An encryption product can be exported to the subsidiaries of a US company to protect company proprietary data under license exception ENC after the vendor (or US parent company) submits the product for a technical review. Under the ENC exception, the product can be shipped to US subsidiaries without any additional paperwork or reporting requirements.

4. Can a multi-national corporation communicate from the US to joint venture partners outside the US using greater that 56-bit encryption?

Yes, but not under license exception ENC. If the product provides key recovery and the vendor has obtained a license exception KMI, it can be shipped under the KMI exception without a license, although the vendor must report the names and addresses of end-users. Alternatively, if the vendor has an encryption licensing arrangement (ELA) to ship a product with recoverable encryption, it may be shipped if the ELA encompasses that particular sales territory and class of end-users. As a third possibility, the US company can apply for individual licenses for its strategic partners. Such partners are given favorable treatment when the end-use is for protection of US company proprietary information.

5. Can a US company buy foreign encryption products with greater than 56-bit encryption and have them sent into the US?

Yes. There are no regulations on imports specific to encryption. However, there may be import restrictions applicable to certain countries, such as Iran on the basis of an embargo administered by the Treasury Department's Office of Foreign Assets Controls.

6. Can a US company buy encryption products with greater than 56-bit encryption outside the US, have them sent to a foreign office, and then use the products for communications between the US and foreign offices? Example: Boston company orders 256-bit encryption product from Irish encryption company, to be delivered to San Paulo, Brazil office, and then use between that office and US.

Yes, as long as the product is not of US origin or developed with US-controlled technology or through technical assistance by US persons. However, if the Boston company receives the product for evaluation and then sends it to its San Paulo office, the encryption product is subject to US regulations. If the product entered the U.S. territory, the shipment out of the US is considered to be an export, so a license exception (e.g., ENC or KMI), licensing arrangement, or individual license is required. If the foreign vendor, through a US representative, has obtained an ENC or KMI exception or licensing arrangement for its product, the US company does not need to apply for a license or license exception. With the ENC license exception to US subsidiaries, the vendor need not report the names and addresses of end-users.

7. Is it a violation of providing "technical assistance" for representatives of the US company to travel to San Paulo to install the 256-bit encryption they purchased from the Irish company? Can they then use it to communicate from there to the US?

No, it is not a violation to help end users purchase, install, and use foreign encryption products (please see 744.9 for more information). Such products can be used to communicate with anyone in the US or elsewhere who is using the same or compatible products.

8. Is source code in electronic form exportable?

Yes, it is exportable under license or it may be eligible for license exceptions ENC, TSU, and KMI. However, it is not exportable (except to US subsidiaries) under a license exception if it can be readily modified. For example, it should not be easy to alter a mass market product that uses 56-bit DES or RC4 so that it uses longer keys.

Dorothy E. Denning is professor of Computer Science at Georgetown University. She is author of Information Warfare and Security, Addison Wesley, 1999 and a member of the President's Export Council Subcommittee on Encryption. E-mail: denning@cs.georgetown.edu. Web: www.cs.georgetown.edu/~denning.

William E. Baugh, Jr. is vice president, Science Applications International Corporation, and general manager, Advanced Network Technologies and Security Operations. He is former assistant director, Federal Bureau of Investigation. E-mail: William.E.Baugh.Jr@cpmx.saic.com.
 
 
 

 
 

Cryptographic Item

US or Canada Outside US and Canada
Personal

use

Business

use

US

gov

US subsidiary Financial institution Health/ medical On-line merchant Most 

firms

Other
General encryption products ok BAG TMP GOV ENC ELA ELA ELA IVL IVL
End-use encryption products ok BAG TMP GOV ENC ENC ENC ENC IVL IVL
Recoverable encryption ok BAG TMP GOV ELA ELA ELA ELA ELA IVL
Key recovery/escrow enc ok BAG TMP GOV KMI KMI KMI KMI KMI KMI
Financial-specific encryption ok BAG TMP GOV ENC ENC ENC ENC ENC ENC
Limited key size (56-bit) enc ok BAG TMP GOV ENC ENC ENC ENC ENC ENC
Mass market (56-bit) enc ok BAG TMP GOV TSU TSU TSU TSU TSU TSU
Software updates ok BAG TSU GOV TSU TSU TSU TSU TSU TSU
Operation tech/soft, sales tech ok BAG TSU GOV TSU TSU TSU TSU TSU TSU
Tech assist to developers ok - - GOV IVL IVL IVL IVL IVL IVL
Tech assist to end users ok - - TSU TSU TSU TSU TSU TSU TSU
Enc source code (pub) in print ok ok ok ok ok ok ok ok ok ok
Educational encryption info ok ok ok ok ok ok ok ok ok ok
Anti-piracy decryption ok NLR NLR NLR NLR NLR NLR NLR NLR NLR
Anti-viral/malicious code ok NLR NLR NLR NLR NLR NLR NLR NLR NLR
Digital compression ok NLR NLR NLR NLR NLR NLR NLR NLR NLR
Mobile phones with link enc  ok NLR NLR NLR NLR NLR NLR NLR NLR NLR
ATMs, point-of-sale terminals ok NLR NLR NLR NLR NLR NLR NLR NLR NLR
Smart cards w/out user enc ok NLR NLR NLR NLR NLR NLR NLR NLR NLR
Authentication only ok NLR NLR NLR NLR NLR NLR NLR NLR NLR
Access control only ok NLR NLR NLR NLR NLR NLR NLR NLR NLR