Schneier on Security
A blog covering security and security technology.
« Shoot-to-Kill Revisited |
| New Windows Vulnerability »
August 5, 2005
U.S. Crypto Export Controls
Rules on exporting cryptography outside the United States have been renewed:
President Bush this week declared a national emergency based on an "extraordinary threat to the national security."
This might sound like a code-red, call-out-the-national-guard, we-lost-a-suitcase-nuke type of alarm, but in reality it's just a bureaucratic way of ensuring that the Feds can continue to control the export of things like computer hardware and encryption products.
And it happens every year or so.
If Bush didn't sign that "national emergency" paperwork, then the Commerce Department's Bureau of Industry and Security would lose some of its regulatory power. That's because Congress never extended the Export Administration Act after it lapsed (it's complicated).
President Clinton did the same thing. Here's a longer version of his "national emergency" executive order from 1994.
As a side note, encryption export rules have been dramatically relaxed since the oppressive early days of Janet "Evil PCs" Reno, Al "Clipper Chip" Gore, and Louis "ban crypto" Freeh. But they still exist. Here's a summary.
To be honest, I don't know what the rules are these days. I think there is a blanket exemption for mass-market software products, but I'm not sure. I haven't a clue what the hardware requirements are. But certainly something is working right; we're seeing more strong encryption in more software -- and not just encryption software.
Posted on August 5, 2005 at 7:17 AM
• 26 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
These export rules (as I understandthem, which could be wrong/outdated - I would welcome clarification) have always struck me as a bit odd. I can understand why the government doesn't want to allow strong encryption out of the country (foreign embassys begin to provide messages home that the US cannot read...) but I don't think they can actualy stop it.
You can get your hands on an older version of PGP on the web in any country, and in newer ones you can just lie and say that you are in the US/Canada...
Would be nice, if they could use this in order to keep all of that dcma/copy-protection "crypto" inside the u.s. - but i guess that's not going to happen - sadly ;)
It's been four years of paranoia and fear of imminent attack. I think we have to start rewording things and call this an "ordinary threat to the national security"
As if there aren't mathematicians in China (and other countries) perfectly capable of writing strong encryption.........
Well, in the original text which Bruce quoted, "summary" was a link to a summary. He managed to get all the other links in the quotation, yet this one would have seemed to be the most important if we're to understand the limits. It linked to:
Doesnt matter - future crypto is not being developed in US anyway.
No sensible entity would trust a US crypto product from not including commercial or government backdoors. This is driving the crypto research and implementation elsewhere.
This kind of regulation only means that US products loose competitiveness overseas.
Guess I will have to be adding sources for debian non-us again. Sigh
Whats the story with open-source encryption software etc. where loads of different countries have contributed in some way? They can hardly aim to try and control the Internet?!
U.S. export controls on encryption are a joke. Anyone determined enough to get a hold of encryption software will be able to do so. And if they can't, they can write their own. This won't stop Al-Qaeda or North Korea from using encryption, only legitimate users. It's similar to the logic that holds that outlawing guns will reduce crime and make us all safer, when in reality it does just the opposite by making it harder for innocent people to protect themselves. Criminals will always find ways to bypass the law.
It's kind of hilarious that it's so easy to get anything passed in the US by simply declaring "national emergency".
The US maintains stricter administrative export controls than those detailed in the Wassenaar Arrangement, but they don't translate into much hassle. The federal government still requires license exceptions and technical reviews for export of cryptographic software and hardware, but these are seldom an obstacle unless you're exporting to one of the seven "terrorist countries." In fact, it's acceptable for exporters to ship products right after they file the commodity classification request without waiting for the results of the technical review.
Source code to cryptographic software can be exported to any end user under a license exception and without a technical review, but it is still illegal to knowingly export the same to a terrorist country. I don't believe these controls mandate prophylactic measures to prevent someone in a terrorist country from downloading Crypto source code from a website.
Any crypto can be exported to foreign subsidiaries of US firms without a technical review. Foreign nationals working in the US used to require an export license to work at US companies on encryption products, but I believe this is no longer the case.
I don't think any rational people in the government believe for a minute that export controls like this are effective against anyone who is willing to break the law. They may hope that it will provide a procedural barrier for those who are extremely careful to obey the law in all aspects, thus possibly stifling the development of new crypto in the US, and it may encourage software vendors to leave crypto out of their products due to the red-tape involved.
It seems to be a matter of ENCOURAGING the non-use of crypto rather than REQUIRING it's non-use.
"it may encourage software vendors to leave crypto out of their products due to the red-tape involved."
It would certainly seem that way at first blush, but regulatory and business contract compliance (SOX, HIPAA, GLBA, FFIEC, Visa CISP, Mastercard SDP, PCI, etc) is more and more requiring firms to adopt stronger security practices or face stiff sanctions. This is creating a forced market for products that are crypto-capable, and as nearly as I can discern, technology vendors have been gladly stepping up to the plate in droves.
"This is creating a forced market for products that are crypto-capable, and as nearly as I can discern, technology vendors have been gladly stepping up to the plate in droves."
Which vendors? Security vendors or regular software and hardware companies? I'd like to stand in your shoes for a while because my view has been completely different. It seems companies that I represent have to resort to extreme and costly measures to try and get their vendors to incorporate reasonable encryption in their products.
Just a few days ago I was told by a database vendor that they would get us to regulatory compliance with their "old and proprietary" (their words) encryption for stored data. Ugh. The end of 2006 was their best estimate for using a known algorithm. And before that a CRM vendor suggested that US export-grade encryption would be sufficient because anything better requires paperwork...needless to say we did not just roll-over and play dead. We fought for reasonable encryption.
I wholeheartedly agree with the comments above that the export restrictions end up dragging down US companies. Mandating sub-standard product development has a detrimental market effect. Bad trade-off.
So, after many months of Visa CISP meetings with vendors, it is hard not to get the impression that software companies (not security companies) often view encryption like sewing clothes for an emperor who will never wear them...
"Well, in the original text which Bruce quoted, "summary" was a link to a summary. He managed to get all the other links in the quotation, yet this one would have seemed to be the most important if we're to understand the limits."
Sorry. The link was there, but there was a typo in it. Fixed now.
Here's a nice experiment for you:
1. Be a non-US citizen
2. Go through immigration in an international airport
3. When asked about your occupation, state 'encryption expert'
Be ready for a lot of questions to follow. I've heard of people who got the "extended questioning" (which is my term for it) if they said they write 'security software'.
errr... immigration in a US international airport that is.
The Dept of Commerce "checklist" page is useful if you are trying to wade through the requirements for export:
"Rules governing exports and reexports of encryption are found in the Export Administration Regulations (EAR), 15 C.F.R. Parts 730-774. Sections 740.13, 740.17 and 742.15 of the EAR are the principal references for the export and reexport of encryption items. In addition, Section 748.3 provides an introduction (§748.3(a)) and basic sets of instructions regarding commodity classifications (§748.3(b)) and encryption review requests (§748.3(d)). For specific regulatory provisions for “publicly available��? source code (and corresponding object code), see §740.13(e)."
The Export Administration Regulations:
And here are the changes made in 2000:
It's a long and confusing document, but I noticed that US companies can now export most encryption products under a license exception to anyone in the fifteen EU states or eight US "trading partners". This includes export to a worldwide office of firm/organization that has headquarters in those countries. This is a change from the rule that US companies needed a "retail" classification to export their encryption to any country other than those countries declared "terrorist" states. "Retail" is defined peculiarly with some mention of "anticipated sales". And for what it's worth, "non-retail" encryption used to require a license and a 30-day review period, but now US companies can export immediately after they request a commodity classification.
I think the 'emergency' aspect for renewing the Export Administration Act (EAA) probably has more to do with some of the other controlled items. I'll give a few examples.
First, see item #0A001, i.e. "nuclear reactors" -- actually that is the very first item on the list. It is okay with me that the government requires licenses for the export of nuclear reactors.
Second, see item #0B001, i.e. a "[p]lant for the separation of isotopes of natural uranium, depleted uranium, special fissile materials, and other fissile materials ..." Once again, I don't think it is unreasonable to ask someone to fill out a form before buying equipment they can use to make enriched nuclear fuel.
Finally, see item #9A004, i.e. "[s]pace launch vehicles and spacecraft." As before, if you want to be able to buy a pre-made space launch platform it does not seem unreasonable to explain what you want it for before packing it up and sending it to another country.
The United States is an *incredibly* free society. Anyone with enough money can buy 1) a nuclear reactor, 2) equipment to make fuel for it and 3) a vehicle to launch the nuclear reactor into space.
Does anyone still think that renewing the EAA is a bad idea? I can't think of any good reason why the EAA is not a permanent law.
If you really think anyone with enough money could do any of those things, Sparx, go ahead and find someone who has.
I do indeed think renewing the EAA is a bad idea, for this reason: the United States government has no authority under the Constitution to pass any such law. The EAA is illegal.
In some cases, software may be developed by a single individual (consider shareware or freeware software, for instance). Regulations that are manageable for a large company could be a significant obstacle to such individuals.
Restricting the export of encryption software is less effective than restricting the export of nuclear reactors (the former but not the latter consists entirely of information). Normal individuals are more likely to directly use encryption software than they are to directly use a nuclear reactor. The same goes for normal individuals exporting encryption software versus exporting nuclear reactors. Maybe the rules should be changed specifically with respect to encryption software.
It's a fact that those export rules do nothing to prevent criminals using encryption (I mean, the information is already there). The only thing it'll do is to prevent law abiding citizens getting products that include strong encryption.
Ken Hagler wrote: "I do indeed think renewing the EAA is a bad idea, for this reason: the United States government has no authority under the Constitution to pass any such law. The EAA is illegal."
Actually the US Constitution expressly gives the federal government authority to regulate interstate (and international) commerce, Congress the power to establish laws, and the President the power to make treaties, etc. But maybe you meant some other constitution.
Hi all ultimatebet is the best holdem room there is. Just thought you should know
http://www.xtreemz.com thanks to all of you
The renewal of the emergency really has nothing to do with encryption or, more exactly, it has no more to do with encryption than any other particular item subject to US export controls. President Bush's action is necessary because Congress can't agree on what to do about the Export Administration Act and consequently they just haven't bothered to renew it. If Bush didn't declare this emergency, the feds would lose their authority to prevent the export of all kinds of potentially nasty dual-use stuff -- nuclear materials, chemical weapons manufacturing equipment, toxins, night vision goggles, etc. Actually, the more I think about it the less I think "emergency" is an exaggeration in these circumstances. Ideally Congress would get their act together, but meanwhile the president is doing what's necessary here.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.