Inside The Clinton Administration

               UNITED STATES DEPARTMENT OF COMMERCE
             The Under Secretary for Export Administration
                       Washington, DC 20230

                        November 25, 1996

                                      

     MEMORANDUM FOR DEPUTIES SUBGROUP ON CRYPTOGRAPHY

     FROM: William A. Reinsch

     SUBJECT: Non-Key Recovery Exports After Two Years

     The issue before us is whether the U.S. will use new
restrictions and penalties to try to force adoption of key
recovery, or whether it will use incentives to reinforce market
forces that are moving toward an international key management
infrastructure. The October 1 Statement said we would liberalize
export controls for commercial encryption products. In fact, if
we announce an end to current practices after two years, the
immediate effect of the new initiative will be to make export
controls on encryption more restrictive, not more liberal. This
will not win the support we need to build key management and
will do significant damage to the U.S. economy.

     The Vice President's initiative does not envision new
restrictions on exports. Instead, it creates new incentives to
move towards recoverable products and a temporary liberalization
to help the transition to key recovery. At the end of two years,
this temporary liberalization would cease. However, exports
which could be approved before the liberalization would continue
licensing policies will cede markets to foreign producers and
damage support for our initiative. The economic cost to the U.S.
of ending current export practice will be several billion
dollars. The market effect of a decision to impose new
restrictions after two years will be felt immediately, not just
in 1999, as foreign consumers will turn away from U.S.  products
now if they believe we will not sell them later on (particularly
when the upgrade would not improve cryptographic capabilities)
or believe that U.S.  producers will not be able to expand their
existing customer base and create the kinds of linkages the GII
will require. To avoid this, we need to answer two questions:

          1) whether we should allow the current practice of
licensing encryption hardware to safe end-users (e.g. foreign
police departments and security services) to continue;

          2) whether we should continue to permit improvements
(upgrades) to already-exported systems which do not increase the
strength of the encryption; and

     These questions do not apply to those products which we may
license under the two year interim liberalization with a company
commitment. They apply to items which are exportable now.

     The Deputies agree that we should continue to allow
servicing of already-exported products.

     Safe End Users

     State currently issues approximately 2500 individual
licenses and 500 bulk or distribution licenses per year for
non-key recovery encryption products of more than 40 bits. These
bulk or distrubution licenses allow the export of products which
contain NSA-approved encryption to safe end users. Most of these
exports are communications equipment to police departments, fire
services, banks, other government agencies and subsidiaries of
U.S. corporations totaling several hundreds of millions of
dollars annually. NSA limits approvals to certain products and
categories of safe end users, and requires annual reports from
the exporter listing sales that have occurred. Other licenses
allow for offshore manufacturing using US-made encryption
products for incorporation into communications equipment -- for
example


XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXX.
      

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

     The critical element for these companies is their ability
to expand and capture market share. State has approved sales to
"safe" customers, such as police forces. If companies cannot
build on their existing customer base by selling identical
products to neighboring police forces or other approved
customers, they will not be able to maintain themselves as
viable suppliers in the marketplace. Buyers will work around
them and develop relationships with other producers' products,
and foreign governments will develop separate standards to
achieve competitive advantage. If U.S. firms can no longer
export cellular phones (because of their encryption
capabilities), the alternative for foreign purchasers would be
to buy European standard GSM phones. The U.S. cellular phone
industry had sales of over $19 billion last year and is expected
to grow rapidly in new foreign markets like Brazil and
Argentina. The market for such products is expected to grow
twenty-five percent over the next several years (the market grew
thirty percent last year) unless we impose new restrictions.
Adoption of non-U.S. standards (and we know that at least some
EU countries are contemplating using standards to restrict their
markets) could effectively freeze U.S. products out of the
export market.

     Continuation of current licensing is consistent with the
new encryption policy. Since the exports we now allow are to
police, security forces, banks, and subsidiaries of U.S.
corporations in friendly countries, law enforcement concerns can
be addressed through other means other than export restrictions
to ensure access. NSA approves these sales because of the
friendly nature of the end user and because of exporters'
cooperation in the initial review of the product. Since we will
continue to review products before export, restrict sales to
safe end users and require regular reports, there is no risk to
law enforcement, national security risk or our encryption
policy.  These particular end users are a specialized market
where key recovery solutions may not be appropriate. Police
forces are reluctant to use "escrowed" encryption products (such
as radios in patrol cars). They are more costly and less
efficient than non-escrowed products. There can be long gaps in
reception due to the escrow features - sometimes as long as a
ten second pause. Our own police do not use recoverable
encryption products; they buy the same non-escrowable products
used by their counterparts in Europe and Japan. Other government
agencies may also reject key recovery -- for example, some U.S.
exports were to support Allied government agencies with signals
intelligence missions similar to NSA's.

     Continuing current practice is not an open ended approach.
The market is moving towards key recovery products and most 56
bit products, particularly software, will be phased out by
market forces without new export restrictions. Market forces are
more reliable and more politically stable than new restrictions.
The real question is how can we best help the market transition
from non recoverable products to recoverable products in a way
that preserves U.S. global leadership in information technology
and in building the global information infrastructure. The best
outcome for advancing our KMI initiative would be to decide to
continue current practice to license, after appropriate review,
these non-key recovery products to safe end users.

     Non-encryption Upgrades

     This concerns upgrades that do not enhance a product's
encryption capabilities. For example, if a company sells a
software product which includes an encryption feature and other
features, such as spread sheets or word processing programs (for
example, WordPerfect 5.1), Commerce would permit the export of
products that upgrade the other features (i.e. WordPerfect 6.0)
but which do not enhance the encryption capabilities. The same
is true for accessories such as hard drives or print facilities.
Justice's argument is that this would sustain a system's
viability and make the end user less likely to abandon it for a
key recovery product.

     There are two problems with this argument. Placing a cap on
a company's ability to sell upgrades tells foreign customers
that the product is not viable. In the example provided, why
would anyone buy WordPerfect today if they knew they would not
be able to obtain the next version of it? The commercial
consequences of this decision, particularly for software sales,
are enormous.

     Second, we do not currently control products like
WordPerfect if they do not contain encryption features. Once a
product containing encryption capabilities has been exported --
which our policy permits, the only way to control exports of
upgraded versions of that product that did not contain
encryption or change the encryption capabilities of the older
product would be to impose far-reaching new controls on most
mass-marketed software from producers like Microsoft and others.
Such an expansion of controls would cause serious economic
dislocation, legal challenges, and a political firestorm.

     Servicing

     There is a general agreement to allow the servicing of all
previously exported systems without limitation. A decision
otherwise (i.e. after two years companies could no longer
service or fix what they had sold) would make U.S. products
extremely unattracctive to foreign buyers.

     Conclusion

     New restrictions on licensing and upgrades will be broadly
unpopular


XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXX

     A decision to end current practice will have an immediate
market effect (not two years from now). Consumers will stop
buying U.S. products now because they see our producers will be
limited in their capacity to upgrade and expand their markets.
Foreign manufacturers like


XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

     compete with U.S. firms for non-key recovery product sales
and are ready to replace us in the market. The effect will be
not only to damage U.S. firms but to subsidize (by ceding market
share and revenue) the foreign production of non-key recovery
products, thus undercutting our efforts to win international
support for key recovery.

     There is also a real risk that multinational corporations
will move production of these non-key recovery products offshore
to avoid new U.S. restrictions.


XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

     The effect of this is difficult to quantify, but a decision
to end current practice would help erode U.S. leadership in the
information technologies industry. There is also the real risk
that by encouraging the development of non-key recovery
manufacturing outside of the U.S., we would see more non-key
products available domestically as the new foreign producers do
not face any restrictions on imports into the U.S.

     Our goal is the development of a global information
infrastructure that relies on key management to provide strong
encryption while protecting public safety and national security.
The foundation of the President's decision was to use market
forces to achieve this objective, recognizing that we could not
compel it. We want to create incentives to reinforce the move to
key recovery, not build new restrictions that will impose real
damage on U.S. economic leadership and actually delay the
creation of key recovery systems globally. Permitting upgrades
and expansions of existing customer bases in cases of licenses
already issued will provide for a market-based transition to key
recovery without sacrificing U.S. producers' global market
leadership. That leadership is essential both for broader
macroeconomic and national security reasons and also for
achieving the key recovery objectives that are the core of our
policy.

All content COPYRIGHT SOFTWAR (C) 2000. Any reproduction or use of content herein must be approved by SOFTWAR.