THE WHITE HOUSE
16 September 1999
Today, the Clinton Administration announced a new approach to encryption policy that includes updates and simplifies export controls. The major components of this update are as follows:
Global exports to individuals, commercial firms or other non-governmental entities
Any encryption commodity or software of any key length can now be exported under a license exception (i.e., without a license) after a technical review, to commercial firms and other non-government end users in any country except for the seven state supporters of terrorism. Exports previously allowed only for a company's internal use can now be used for communication with other firms, supply chains and customers. Additionally, telecommunication and Internet service providers may use any encryption commodity or software to provide services to commercial firms and non-government end users. Previous liberalizations for banks, financial institutions and other approved sectors are subsumed under this Update. Exports to governments can be approved under a license.
Global exports of retail products
Retail encryption commodities and software of any key length may be exported under a license exception (i.e., without a license) after a technical review, to any recipient in any country except to the seven state supporters of terrorism. Retail encryption commodities and software are those products which do not require substantial support for installation and use and which are sold in tangible form through independent retail outlets, or products in tangible or intangible form, which have been specifically designed for individual consumer use. There is no restriction on the use of these products. Additionally, telecommunication and Internet service providers may use retail encryption commodities and software to provide services to any recipient.
Implementation of the December 1998 Wassenaar Arrangement Revisions
Last year, the Wassenaar Arrangement (33 countries which have common controls on exports, including encryption) made a number of changes to modernize multilateral encryption controls. As part of this update, the U.S. will allow exports without a license of 56 bits DES and equivalent products, including toolkits and chips, to all users and destinations (except the seven state supporters of terrorism) after a technical review. Encryption commodities and software with key lengths of 64-bits or less which meet the mass market requirements of Wassenaar's new cryptographic note will also be eligible for export without a license after a technical review.
Foreign nationals working in the United States no longer need an export license to work for U.S. firms on encryption. This extends the policy adopted in last year's update, which allowed foreign nationals to work for foreign subsidiaries of U.S. firms under a license exception (i.e., without a license).
Post-export reporting will now be required for any export to a non-U.S. entity of any product above 64 bits. Reporting helps ensure compliance with our regulations and allows us to reduce licensing requirements. The reporting requirements will be streamlined to reflect business models and practices, and will be based on what companies normally collect. We intend to consult with industry on how best to implement this part of the update.
Return to Encryption Issues