Accessibility links

Breaking News

East/West: U.S. Relaxes Export Controls On Computer Encryption Technology

Washington, 20 November 1998 (RFE/RL) -- The latest liberalization of U.S. controls on the export of computer encryption technology is expected to take effect in December, allowing insurance companies, health and medical organizations and on-line merchants to join banks and other financial institutions in freely exporting the technology anywhere except to seven nations listed as supporting terrorism.

U.S. Vice President Al Gore announced the new liberalization in September, telling a White House press conference that it was a further step in a delicate balancing act between ensuring that sensitive financial and business transactions be 100 percent safe in cyberspace and making sure that technology does not create "new and sophisticated criminal and terrorist activity which leaves law enforcement outmatched."

Encryption is the ability to put information into code so that only the intended recipient can read it.

Officials of the U.S. Commerce Department's Bureau of Export Administration say encryption was only a military and national security concern until the advent of powerful desk-top computers and the global interconnection, known as the Internet, made it a personal and commercial matter.

At first, U.S. export control officials tried to keep most of the technology that does the encryption from being exported. They bowed to the concerns of law enforcement and defense officials who said they would lose their ability to "tap" -- secretly listen into or read the messages of criminals and spies. Telephone lines could always be "tapped," with a court order, and even commercially available scrambling devices could be outwitted.

But while many computer encryption programs had keys available to unlock the codes, similar to a locksmith's master keys, law officials said there were too many for anyone to keep track of. More importantly, they said, most encryption programs had no keys.

By the summer of 1996, officials say that technology advances and the expansion of the Internet forced the issue. The U.S. then announced a policy to move control of the technology out of the Defense Department (encryption had been listed as a weapon) and into the Commerce Department.

The U.S. also relaxed the restrictions to allow the export of encryption technology of up to 40-bits (a measure of encryption sophistication) -- the normal commercial level then available -- with an easily-obtained export license.

For those companies that used an encryption program with a key available to law enforcement, the U.S. agreed they could export technology of up to 65-bits, after clearing the program with Washington.

But by the time the Commerce Department actually published the new regulation in March, 1997, it was already outdated by technical advancements and the wider availability of even more powerful computers and Internet connections.

So, two months later, the U.S. began approving licenses for the export of 65-bit technology with or without keys to break the code. At the same time, U.S. officials announced agreement with the financial industry to allow them to export unlimited strength encryption technology without keys for use in specified financial transactions, such as money wiring.

Officials said they thought that was relatively safe because banks and financial institutions have a "fairly strong track record" of working with law enforcement. And, the export control officials said, they still required a license. The officials did say, however, that they had a "predisposition to approve" licenses for well-established banks and financial institutions.

Even then, say the officials, it was clear that technology was quickly outpacing the controls. In July, 1998, U.S. Commerce Secretary Richard Daley announced that financial institutions -- banks, brokerage houses, stock traders and savings and loan institutions, but not insurance companies -- in the U.S. and 45 other countries would be allowed to export unlimited strength encryption technology for their own use with no export license required.

The list of 45 countries was drawn up by a committee from the U.S. Department's of Treasury, Justice, State, Defense and Commerce. The committee devised a long list of criteria for the list, but a chief one was active participation in statutes and treaties to control money laundering. Of the 45 listed, Hungary and Poland were the only nations from Central and Eastern Europe.

The U.S. said that the new rule did not limit the export of the high encryption technology to these 45 countries, but said that for companies based in other nations, an export license was required.

The financial institutions allowed to export U.S. encryption technology did not have to be American. They could be from any of the 45 listed countries. They could use the technology in non-listed countries as well, without any further approval, so long as it remained in the firm's possession.

Thus, a Bern-based Swiss bank could use the technology in its branch in Prague, but anyone selling the same encryption technology to a Czech bank would be required to get a license for the sale.

Under-Secretary of Commerce for Export Administration, William Reinsch says this was not a problem. He told a U.S. congressional committee recently that in the first eight months of the current regulations, the department received more than 1,000 applications for export licenses and none was rejected.

In September, Vice President Gore announced that using the same basic list of 45 countries, the regulations were being relaxed to add insurance companies, on-line marketing companies (to protect credit cards), and medical and health care institutions (to protect private medical records) to the financial companies allowed to freely export unlimited encryption technology.

Reinsch said the only requirement is that a company allow the U.S. government to review the computer technology program once to make sure the product is in fact what is claimed. There is no further review.

The official regulation actually implementing the latest relaxation is expected to be issued later next month, according to Export Bureau officials.

U.S. officials say there is "absolutely no" slight or insult intended for those countries not on the list -- including Mexico, America's next-door neighbor and fourth largest trading partner.

They say dozens of countries not on the list are buying the technology every day.

The only restrictions which have remained firmly in place are those preventing the export of any computer technology to the countries the U.S. lists as sponsoring terrorism -- Iran, Iraq, Libya, Syria, Sudan, North Korea and Cuba.