98-34669. Encryption Items  

  • [Federal Register Volume 63, Number 251 (Thursday, December 31, 1998)]
    [Rules and Regulations]
    [Pages 72156-72167]
    From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
    [FR Doc No: 98-34669]
    
    
    =======================================================================
    -----------------------------------------------------------------------
    
    DEPARTMENT OF COMMERCE
    
    Bureau of Export Administration
    
    15 CFR Parts 740, 742, 743, 772 and 774
    
    [Docket No. 9809-11233-8318-02]
    RIN 0694-AB80
    
    
    Encryption Items
    
    AGENCY: Bureau of Export Administration, Commerce.
    
    ACTION: Interim rule; request for comments.
    
    -----------------------------------------------------------------------
    
    SUMMARY: This interim rule amends the Export Administration Regulations 
    (EAR) for exports and reexports of encryption commodities and software 
    to U.S. subsidiaries, insurance companies, health and medical end-
    users, on-line merchants and foreign commercial firms. This rule 
    implements the Administration's initiative to update its encryption 
    policy, and will streamline U.S. encryption export and reexport 
    controls.
    
    DATES: This rule is effective: December 31, 1998. Comments must be 
    received on or before March 1, 1999.
    
    ADDRESSES: Written comments on this rule should be sent to Nancy Crowe, 
    Regulatory Policy Division, Bureau of Export Administration, Department 
    of Commerce, P.O. Box 273, Washington, DC 20044. Express mail address: 
    Nancy Crowe, Regulatory Policy Division, Bureau of Export 
    Administration, Department of Commerce, 14th Street and Pennsylvania 
    Ave, N.W., Room 2705, Washington, DC 20230.
    
    FOR FURTHER INFORMATION CONTACT: James Lewis, Office of Strategic Trade 
    and Foreign Policy Controls, Bureau of Export Administration, 
    Telephone: (202) 482-0092.
    
    SUPPLEMENTARY INFORMATION: On September 16, 1998, the Administration 
    announced a series of steps to update its encryption policy in a way 
    that meets the full range of national interests. These steps will 
    promote electronic commerce, support law enforcement and national 
    security, and protect privacy. They also further streamline exports and 
    reexports of key recovery products, and other recoverable encryption 
    products, which allow for the recovery of plaintext, and permit exports 
    and reexports of encryption of any key length (with or without key 
    recovery) to several industry sectors. This interim rule amends the EAR 
    for exports and reexports of encryption commodities and software to 
    U.S. subsidiaries, insurance companies, health and medical end-users, 
    on-line merchants and foreign commercial firms. Specifically, this rule 
    amends the EAR in the following ways:
        1. In Sec. 740.8, Key Management Infrastructure, removes the key 
    recovery agent requirements for License Exception KMI eligibility for 
    exports and reexports of recovery encryption commodities and software. 
    Further, key recovery commitment plans and the six month progress 
    reviews are eliminated and exporters are no longer required to name or 
    submit to BXA additional information on a key recovery agent prior to 
    export. The products may be exported or reexported under License 
    Exception KMI after a technical review. Note also that 56-bit products 
    supported by a KMI plan that have been classified after a technical 
    review and are eligible under License Exception KMI are now eligible 
    for export and reexport under License Exception ENC (see 
    Sec. 740.17(a)(3) of the EAR).
        2. Also in Sec. 740.8, removes and adds to newly created License 
    Exception ENC the paragraphs concerning financial-specific encryption 
    commodities and software and general purpose encryption commodities and 
    software for banks and financial institutions. This transfer will 
    simplify the use of License Exceptions for encryption commodities and 
    software and creates no change in policy.
        3. In part 740, creates new License Exception ENC by adding 
    Sec. 740.17, Encryption commodities and software. This new License 
    Exception is divided into two significant parts: a global 
    category including the use of License Exception ENC for exports and 
    reexports of encryption commodities and software to all destinations, 
    except Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria; and a 
    country specific category permitting the use of License Exception ENC 
    for exports and reexports of encryption commodities and software to 
    countries listed in Supplement No. 3 to part 740. This new License 
    Exception allows the following exports and reexports of encryption 
    commodities and software that are classified under ECCNs 5A002 and 
    5D002, after a technical review that considers the cryptographic 
    functionality of the product:
        a. Exports and reexports of encryption commodities, software and 
    technology, including source code of any key length are also eligible 
    under this license exception to U.S. subsidiaries for internal company 
    proprietary use to all destinations except Cuba, Iran, Iraq, Libya, 
    North Korea, Sudan and Syria. Encryption chips, integrated circuits, 
    toolkits, executable or linkable modules, which can modify or enhance 
    the cryptographic functionality (e.g., the confidentiality algorithm, 
    key space and key exchange mechanism) or incorporate the cryptographic 
    function in another item are eligible for license exception ENC only 
    for export to U.S. subsidiaries. Note that exports to ``strategic 
    partners'' of U.S. companies, such as subcontractors and joint 
    ventures, will be considered favorably under a license when the end-use 
    is for the protection of U.S. company proprietary information. For the 
    purposes of this regulation, consideration as a ``strategic partner,'' 
    as defined in part 772, should not be deemed to alter or affect any 
    legal relationship that might otherwise exist between the relevant 
    parties.
        b. Encryption commodities, including mass market and non-mass 
    market, and non-mass market software incorporating symmetric algorithms 
    with key lengths up to and including 56-bits, such as DES or equivalent 
    (such as RC2, RC4, RC5 and CAST) to all destinations except Cuba, Iran, 
    Iraq, Libya, North Korea, Sudan and Syria. Encryption chips, integrated 
    circuits, toolkits and executable or linkable modules are not 
    authorized for export under License Exception ENC and will require a 
    license or an Encryption Licensing Arrangement. Note that subsequent 
    bundling, updates or releases may be exported and reexported under 
    applicable provisions of the EAR without a separate technical review as 
    long as the functional encryption capacity of the originally reviewed 
    encryption commodities, including mass market and non-mass market, and 
    non-mass market software has not been modified or enhanced.
        c. Authorizes insurance companies to receive general purpose 
    encryption commodities and software of any key length that have been 
    classified after a technical review. This change corresponds with the 
    addition of insurance companies to the definition of financial 
    institutions in part 772. With this change, exports and reexports of 
    general purpose encryption commodities and software are eligible under 
    License Exception ENC to financial institutions (including insurance 
    companies) in all destinations listed in Supplement No. 3 to part 740, 
    and to branches of these entities located worldwide except countries 
    that support international terrorism (Cuba, Iran, Iraq, Libya, North 
    Korea, Sudan and Syria).
        d. Encryption commodities and software of any key length to health 
    and medical end-users in all destinations listed in Supplement No. 3 to 
    part 740. Exports and reexports of such commodities and software are 
    not eligible under License Exception ENC to non-U.S. biochemical and 
    pharmaceutical manufacturers and non-U.S. military health and medical 
    entities. Licenses for such entities will be considered on a case-by-
    case basis.
        e. Encryption commodities and software of any key length for on-
    line merchants in all destinations listed in Supplement No. 3 to part 
    740. Such commodities and software must be limited to client-server 
    applications (e.g., Secure Socket Layer (SSL) based applications) or 
    applications specially designed for on-line transactions. End-use is 
    limited to the purchase or sale of goods and software; and services 
    connected with the purchase or sale of goods and software, including 
    interactions between purchasers and sellers necessary for ordering, 
    payment and delivery of goods and software. No other end-uses or 
    customer to customer communications or transactions are allowed. 
    Foreign on-line merchants or their separate business units who are 
    engaged in the manufacturing and distribution of items or services 
    controlled on the U.S. Munitions List are excluded. Foreign government 
    end-users also are excluded from this License Exception.
        Examples of permitted end-uses under License Exception ENC for on-
    line merchants include buying and selling goods and software through an 
    electronic medium, which may involve the ordering of, and payment for 
    goods and software; placing and receiving orders; pricing, 
    configuration, validation and ordering of products; obtaining copies of 
    invoices; reviewing shipping schedules; notification of shipments or 
    changes; and placing reservations and purchasing airline tickets. It 
    allows for contract manufacturers to directly access demand and 
    inventory information; direct purchasing with trading partners; 
    approval functions for requisitions which require approval; and on-line 
    catalogue purchases, and the electronic exchange of purchase or sales 
    information by multiple trading partners. It does not include such end-
    uses as general purpose messaging, collaborative research projects 
    (e.g., collaborative engineering), data warehousing, remote computing 
    services or electronic communications services.
        4. In Supplement No. 3 to part 740, adds Czech Republic and United 
    States to the list of countries to clarify that branches of Czech 
    Republic and U.S. banks and financial institutions, located worldwide 
    except in countries that support international terrorism (Cuba, Iran, 
    Iraq, Libya, North Korea, Sudan and Syria) may receive general purpose 
    encryption commodities and software limited to secure business 
    financial communications or transactions and financial communications 
    or transactions between the bank and/or financial institution and its 
    customers. Supplement No. 3 is also amended to reflect the licensing 
    policy for exports and reexports of recoverable encryption commodities 
    and software to commercial entities located in certain countries and 
    subsidiaries of commercial entities headquartered in certain countries, 
    wherever located, except Cuba, Iran, Iraq, Libya, North Korea, Sudan 
    and Syria.
        5. In Sec. 742.15, revises the licensing policy for exports and 
    reexports of encryption items as follows:
        a. Removes the business and marketing plan requirement for exports 
    of non-recovery 56-bit DES or equivalent encryption items.
        b. Authorizes upgrades of 40-bit mass-market encryption software 
    that has already been classified after a technical review and released 
    from EI controls. Such software may be upgraded to 56-bits for the 
    confidentiality algorithm without an additional technical review.
        c. Makes certain encryption commodities eligible for mass-market 
    treatment.
        d. For exports and reexports of general purpose encryption 
    commodities and software of any key length that are not eligible under 
    License Exception ENC, insurance companies are now eligible to receive 
    such products under an Encryption Licensing Arrangement. This is 
    consistent with the addition of insurance companies to the definition 
    of financial institutions in part 772. Such encryption commodities and 
    software will receive favorable consideration when the end-use is 
    limited to secure financial communications or transactions, provided 
    that there are no concerns about the country or specific end-user.
        e. For exports and reexports of encryption commodities and software 
    of any key length not eligible under License Exception ENC, such 
    commodities and software will generally be approved under an Encryption 
    Licensing Arrangement to all health and medical end-users, except non-
    U.S. biochemical and pharmaceutical manufacturers and non-U.S. military 
    health and medical entities, in all destinations except Cuba, Iran, 
    Iraq, Libya, North Korea, Sudan and Syria.
        f. For exports and reexports of encryption commodities and software 
    of any key length not eligible under License Exception ENC, such 
    commodities and software will generally be approved under an Encryption 
    Licensing Arrangement to on-line merchants in all destinations except 
    Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria. The end-use is 
    limited to the purchase or sale of goods and software; and services 
    connected with the purchase or sale of goods and software including 
    interactions between purchasers and sellers necessary for ordering, 
    payment and delivery of goods and software. No other end-uses or 
    customer-to-customer communications or transactions are allowed.
        g. Exports and reexports of recoverable encryption commodities and 
    software of any key length for use by commercial entities will 
    generally be approved under an Encryption Licensing Arrangement to 
    destinations listed in Supplement No. 3 to part 740 for the protection 
    of company proprietary information. Such encryption commodities and 
    software will also generally be approved for export and reexport to 
    worldwide foreign subsidiaries of commercial firms headquartered in 
    certain countries, except to subsidiaries located in Cuba, Iran, Iraq, 
    Libya, North Korea, Sudan and Syria.
        Note that any country or end-user prohibited in the past from 
    receiving encryption commodities and software under a specific 
    Encryption Licensing Arrangement is reviewed on a case-by-case basis, 
    and may be considered by BXA for eligibility under future Encryption 
    Licensing Arrangement requests. All other exports and reexports of 
    encryption items are reviewed on a case-by-case basis under a license 
    application.
        6. Also in Sec. 742.15, clarifies the reporting requirement for 
    exports to certain end-users.
        7. In part 772, revises the definition of financial institution to 
    include the meaning of insurance company and adds definitions for 
    business unit, health and medical end-user, on-line merchant, 
    recoverable commodities and software, strategic partner (of a U.S. 
    company), and U.S. subsidiary. Also clarifies that such definitions 
    only apply to encryption items.
        BXA will in the near future update these regulations to reflect 
    changes to encryption controls in the Wassenaar Arrangement and to 
    address public comments on the September 22, 1998 rule (63 FR 50516) 
    that implemented new licensing policies for banks and financial 
    institutions.
    
    Rulemaking Requirements
    
        1. This interim rule has been determined to be significant for 
    purposes of E.O. 12866.
        2. Notwithstanding any other provision of law, no person is 
    required to respond to, nor shall any person be subject to a penalty 
    for failure to comply with a collection of information, subject to the 
    requirements of the Paperwork Reduction Act, unless that collection of 
    information displays a currently valid Office of Management and Budget 
    Control Number. This rule contains collections of information subject 
    to the Paperwork Reduction Act of 1980 (44 U.S.C. 3501 et seq.). These 
    collections have been approved by the Office of Management and Budget 
    under control numbers 0694-0088, ``Multi-Purpose Application,'' which 
    carries a burden hour estimate of 52.5 minutes per submission; and 
    0694-0104, ``Commercial Encryption Items Transferred from the 
    Department of State to the Department of Commerce.'' The Department has 
    submitted to OMB an emergency request for approval of the changes to 
    the collection of information under OMB control number 0694-0104. 
    Comments on collection 0694-0104 will be accepted until March 1, 1999.
        It will take companies 15 minutes to complete each certification. 
    It will take companies 15 minutes to complete notifications. For 
    reporting under License Exception KMI, it will take companies 1 hour to 
    complete KMI reporting. For reporting under License Exception ENC, it 
    will take companies 4 hours to complete ENC reporting.
        3. This rule does not contain policies with Federalism implications 
    sufficient to warrant preparation of a Federalism assessment under E.O. 
    12612.
        4. The provisions of the Administrative Procedure Act (5 U.S.C. 
    553) requiring notice of proposed rulemaking, the opportunity for 
    public participation, and a delay in effective date, are inapplicable 
    because this regulation involves a military and foreign affairs 
    function of the United States (Sec. 5 U.S.C. 553(a)(1)). Further, no 
    other law requires that a notice of proposed rulemaking and an 
    opportunity for public comment be given for this interim final rule. 
    Because a notice of proposed rulemaking and an opportunity for public 
    comment are not required to be given for this rule under 5 U.S.C. or by 
    any other law, the requirements of the Regulatory Flexibility Act (5 
    U.S.C. 601 et seq.) are not applicable.
        However, because of the importance of the issues raised by these 
    regulations, this rule is issued in interim form and comments will be 
    considered in the development of final regulations. Accordingly, the 
    Department of Commerce encourages interested persons who wish to 
    comment to do so at the earliest possible time to permit the fullest 
    consideration of their views.
        The period for submission of comments will close March 1, 1999. The 
    Department will consider all comments received before the close of the 
    comment period in developing final regulations. Comments received after 
    the end of the comment period will be considered if possible, but their 
    consideration cannot be assured. The Department will not accept public 
    comments accompanied by a request that a part or all of the material be 
    treated confidentially because of its business proprietary nature or 
    for any other reason. The Department will return such comments and 
    materials to the persons submitting the comments and will not consider 
    them in the development of final regulations. All public comments on 
    these regulations will be a matter of public record and will be 
    available for public inspection and copying. In the interest of 
    accuracy and completeness, the Department requires comments in written 
    form. Comments should be provided with 5 copies.
        Oral comments must be followed by written memoranda, which will 
    also be a matter of public record and will be available for public 
    review and copying.
        The public record concerning these regulations will be maintained 
    in the Bureau of Export Administration Freedom of Information Records 
    Inspection Facility, Room 4525, Department of Commerce, 14th Street and 
    Pennsylvania Avenue, N.W., Washington, D.C. 20230. Records in this 
    facility, including written public comments and memoranda summarizing 
    the substance of oral communications, may be inspected and copied in 
    accordance with regulations published in part 4 of Title 15 of the Code 
    of Federal Regulations. Information about the inspection and copying of 
    records at the facility may be obtained from Henry Gaston, Bureau of 
    Export Administration Freedom of Information Officer, at the above 
    address or by calling (202) 482-0500.
        The reporting burden for this collection is estimated to be 
    approximately 815 hours, including the time for gathering and 
    maintaining the data needed for completing and reviewing the collection 
    of information. Comments are invited on: (a) whether the collection of 
    information is necessary for the proper performance of the functions of 
    the agency, including whether the information shall have practical 
    utility; (b) the accuracy of the agency's estimate of the burden of the 
    proposed collection of information; (c) ways to enhance the quality, 
    utility, and clarity of the information to be collected; and (d) ways 
    to minimize the burden of the collection of information on respondents, 
    including through the use of automated collection techniques or other 
    forms of information technology. Comments regarding these burden 
    estimates or any other aspect of the collection of information, 
    including suggestions for reducing the burdens, should be forwarded to 
    Nancy Crowe, Regulatory Policy Division, Office of Exporter Services, 
    Bureau of Export Administration, Department of Commerce, P.O. Box 273, 
    Washington, D.C. 20044, and David Rostker, Office of Management and 
    Budget, OMB/OIRA, 725 17th Street, NW, NEOB Rm. 10202, Washington, D.C. 
    20503.
    
    List of Subjects
    
    15 CFR Parts 740 and 743
    
        Administrative practice and procedure, Exports, Foreign trade, 
    Reporting and recordkeeping requirements.
    
    15 CFR Parts 742, 772 and 774
    
        Exports, foreign trade.
    
        Accordingly, 15 CFR Chapter 7, Subchapter C, is amended as follows:
        1. The authority citation for 15 CFR parts 740 and 772 continues to 
    read as follows:
    
        Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
    E.O. 12924, 59 FR 43437, 3 CFR, 1994 Comp., p. 917; Executive Order 
    13026 (November 15, 1996, 61 FR 58767); Notice of August 17, 1998 
    (63 FR 55121, August 17, 1998).
    
        2. The authority citation for 15 CFR part 742 continues to read as 
    follows:
    
        Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
    18 U.S.C. 2510 et seq.; 22 U.S.C. 3201 et seq.; 42 U.S.C. 2139a; 
    E.O. 12058, 43 FR 20947, 3 CFR, 1978 Comp., p. 179; E.O. 12851, 3 
    CFR, 1993 Comp., p. 608; E.O. 12924, 59 FR 43437, 3 CFR, 1994 Comp., 
    p. 917; E.O. 12938, 3 CFR, 1994 Comp., p. 950; E.O. 13020, 3 CFR, 
    1996 Comp. p. 219; E.O. 13026, 3 CFR, 1996 Comp., p. 228; Notice of 
    August 17, 1998 (63 FR 55121, August 17, 1998).
    
        3. The authority citation for 15 CFR part 743 continues to read as 
    follows:
    
        Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
    E.O. 12924, 59 FR 43437, 3 CFR, 1994 Comp., p. 917; Notice of August 
    17, 1998 (63 FR 55121, August 17, 1998).
    
        4. The authority citation for 15 CFR part 774 continues to read as 
    follows:
    
        Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
    10 U.S.C. 7420; 10 U.S.C. 7430(e); 18 U.S.C. 2510 et seq.; 22 U.S.C. 
    287c; 22 U.S.C. 3201 et seq.; 22 U.S.C. 6004; Sec. 201, Pub. L. 104-
    58, 109 Stat. 557 (30 U.S.C. 185(s)); 30 U.S.C. 185(u); 42 U.S.C. 
    2139a; 42 U.S.C. 6212; 43 U.S.C. 1354; 46 U.S.C. app. 466c; 50 
    U.S.C. app. 5; E.O. 12924, 59 FR 43437, 3 CFR, 1994 Comp., p. 917; 
    Executive Order 13026 (November 15, 1996, 61 FR 58767); Notice of 
    August 17, 1998 (63 FR 55121, August 17, 1998).
    
    PART 740--[AMENDED]
    
        5. Section 740.8 is amended:
        a. By revising the section title;
        b. By revising paragraph (b);
        c. By removing paragraph (d); and
        d. By redesignating paragraph (e) as paragraph (d) to read as 
    follows:
    
    
    Sec. 740.8  Key management infrastructure (KMI)
    
        (a) * * *
        (b) Eligible commodities and software. (1) Recovery encryption 
    commodities and software of any key length controlled under ECCNs 5A002 
    and 5D002 that have been classified after a technical review through a 
    classification request. Key escrow and key recovery commodities and 
    software must meet the criteria identified in Supplement No. 4 to part 
    742 of the EAR.
        (2) For such classification requests, indicate ``License Exception 
    KMI'' in block 9 on Form BXA-748P. Submit the original request to BXA 
    in accordance with Sec. 748.3 of the EAR and send a copy of the request 
    to:
    
    Attn: KMI Encryption Request Coordinator, P.O. Box 246, Annapolis 
    Junction, MD 20701-0246
    * * * * *
        6. Part 740 is amended by adding a new Sec. 740.17 to read as 
    follows:
    
    
    Sec. 740.17  Encryption commodities and software (ENC).
    
        (a) Exports and reexports of encryption commodities and software to 
    all destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan and 
    Syria.
        (1) Financial-specific encryption commodities and software of any 
    key length.
        (i) Scope. You may export and reexport financial-specific 
    encryption commodities and software (which are not eligible under the 
    provisions of License Exception TSU for mass market software such as 
    SET or similar protocols) of any key length that are restricted by 
    design (e.g., highly field-formatted with validation procedures, and 
    not easily diverted to other end-uses) for financial applications to 
    secure financial communications/transactions for end-uses such as 
    financial transfers, or electronic commerce.
        (ii) Eligible commodities and software. Encryption commodities and 
    software of any key length classified under ECCNs 5A002 and 5D002 after 
    a technical review (see paragraph (c) of this section). These 
    commodities and software must be specifically designed and limited for 
    use in the processing of electronic financial (commerce) transactions, 
    which implements cryptography in specifically delineated fields such as 
    merchant's identification, the customer's identification and address, 
    the merchandise purchased and the payment mechanism. It does not allow 
    for encryption of data, text or other media except as directly related 
    to these elements of the electronic transaction to support financial 
    communications/transactions. Notwithstanding the provisions of 
    paragraph (c)(2) of this section, financial-specific commodities and 
    software that were made eligible for License Exception KMI after a 
    technical review prior to December 31, 1998, are now eligible for 
    export and reexport under License Exception ENC under the provisions of 
    this paragraph (a)(1).
        (iii) Eligible destinations. Upon approval of your classification 
    request, you may export and reexport under License Exception ENC 
    financial-specific encryption commodities and software, as defined in 
    this paragraph (a)(1), of any key length to all destinations except 
    Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria.
        (iv) Reporting requirements. There are no reporting requirements.
        (2) Encryption commodities and software of any key length for U.S. 
    subsidiaries. (i) Scope. You may export 
    and reexport encryption commodities and software of any key length 
    under License Exception ENC to U.S. subsidiaries (as defined in part 
    772 of the EAR) subject to the conditions of this paragraph (a)(2). 
    Note that distributors, resellers or other entities that are not 
    manufacturers of the encryption commodities and software are permitted 
    to use License Exception ENC for U.S. subsidiaries only in instances 
    where the export or reexport meets the terms and conditions of this 
    paragraph (a)(2).
        (ii) Eligible commodities and software. Encryption commodities, 
    software and technology of any key length classified under ECCNs 5A002, 
    5D002 and 5E002 after a technical review (see paragraph (c) of this 
    section). This includes encryption chips, integrated circuits, 
    toolkits, executable or linkable modules, source code and technology to 
    U.S. subsidiaries for internal company proprietary use, including the 
    development of new products.
        (iii) Eligible destinations; retransfers. You may export and 
    reexport under License Exception ENC encryption commodities, software 
    and technology of any key length to U.S. subsidiaries for internal 
    company proprietary use, including the development of new products, in 
    all destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan and 
    Syria. All items developed using U.S. encryption commodities, software 
    and technology are subject to the EAR. For exports and reexports to 
    strategic partners of U.S. companies (as defined in part 772) see 
    Sec. 742.15(b)(8) of the EAR. Retransfers to other end-users or end-
    uses are prohibited without prior authorization.
        (iv) Reporting requirements. There are no reporting requirements.
        (3) Encryption commodities, including mass market and non-mass 
    market, and non-mass market encryption software incorporating symmetric 
    algorithms with key lengths up to and including 56-bits, such as DES or 
    equivalent. (i) Scope. You may export and reexport encryption 
    commodities, including mass market and non-mass market commodities, and 
    non-mass market software with key lengths up to and including 56-bits, 
    such as DES or equivalent, under License Exception ENC subject to the 
    conditions of this paragraph (a)(3). For information concerning the 
    technical review of encryption mass market commodities and mass market 
    software refer to Sec. 742.15(b)(1) of the EAR. Note that encryption 
    mass market software remains eligible under License Exception TSU.
        (ii) Eligible commodities and software. (A) Mass market and non-
    mass market encryption commodities and non-mass market software having 
    symmetric algorithms with key lengths up to and including 56-bits, such 
    as DES or equivalent (such as RC2, RC4, RC5, and CAST) which are 
    classified as a result of a technical review (see paragraph (c) of this 
    section). The commodity or software must not allow the alteration of 
    the cryptographic functionality by the user or any other program. 
    Encryption chips, integrated circuits, toolkits and executable or 
    linkable modules are not authorized for export under the provisions of 
    paragraph (a)(3).
        (B)(1) For mass market and non-mass market encryption commodities 
    and non-mass market encryption software, exporters of 40-bit or less 
    encryption commodities and software which have been made eligible for 
    License Exception KMI or License Exception TSU or have been licensed 
    for export under an Encryption Licensing Arrangement or a license prior 
    to December 31, 1998, will be permitted to export and reexport these 
    commodities and software under license exception ENC with increased key 
    lengths up to and including 56-bits for the confidentiality algorithm, 
    with key exchange mechanisms including symmetric algorithms with the 
    same or double key length authorized for the confidentiality algorithm, 
    and asymmetric algorithms for key exchange with key space of 512, 768 
    or up to and including 1024 bits without an additional technical 
    review, provided that there is no other change in cryptographic 
    functionality. Exporters must certify to BXA that the only change to 
    the encryption is the increase in the key length for the 
    confidentiality algorithm, the asymmetric or symmetric key exchange 
    algorithms and that there is no other change in cryptographic 
    functionality. Such certifications must be in the form of a letter from 
    senior corporate management and include the original authorization 
    number issued by BXA, the date of issuance and the information 
    identified in paragraphs (a)(2)(iii) through (v) of Supplement No. 6 
    to part 742 of the EAR. (If this information was submitted previously, 
    then only identify the modifications.) BXA must receive such 
    certification by March 31, 1999, and prior to any export of such 
    upgraded product.
        (2) The certification should be sent to:
    
    Office of Strategic Trade and Foreign Policy Controls, Bureau of 
    Export Administration, Department of Commerce, 14th Street and 
    Pennsylvania Ave., NW., Room 2705, Washington, DC 20230, Attn: 
    Encryption Upgrade
    
        (3) A copy of the certification should be sent to:
    
    Attn: ENC Encryption Request Coordinator, P.O. Box 246, Annapolis 
    Junction, MD 20701-0246
    
        (C) After March 31, 1999, any increase (upgrade) in the 
    confidentiality algorithm and the key exchange algorithm must be 
    reviewed by BXA through a classification request (see Sec. 748.3 of the 
    EAR). In Block 9 of form BXA-748P, indicate ``Key Length Upgrade.''
        (iii) Eligible destinations. License Exception ENC is available for 
    exports and reexports of encryption commodities and software with key 
    length up to and including 56-bits, such as DES or equivalent to all 
    destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan and 
    Syria.
        (iv) Reporting requirements. See paragraph (d) of this section for 
    reporting requirements.
        (b) Exports and reexports of certain encryption commodities and 
    software to countries listed in Supplement No. 3 to part 740 of the 
    EAR. (1) General purpose encryption commodities and software of any key 
    length for use by banks/financial institutions. (i) Scope. You may 
    export and reexport general purpose, non-voice encryption commodities 
    and software of any key length to banks and financial institutions (as 
    defined in part 772 of the EAR) in specified destinations, subject to 
    the conditions of this paragraph (b)(1). Note that distributors, 
    resellers or other entities who are not manufacturers of the encryption 
    commodities and software are permitted to use License Exception ENC for 
    banks and financial institutions only in instances where the export or 
    reexport meets the terms and conditions of this paragraph (b)(1).
        (ii) Eligible commodities and software. General purpose, non-voice 
    encryption commodities and software of any key length classified under 
    ECCNs 5A002 and 5D002 after a technical review (see paragraph (c) of 
    this section). Note that software and commodities that have already 
    been approved under an Encryption Licensing Arrangement to banks and 
    financial institutions in specified countries may now be exported or 
    reexported to other banks and financial institutions in those countries 
    under the same Encryption Licensing Arrangement.
        (iii) Eligible destinations; retransfers. Upon approval of your 
    classification request, you may export and reexport
    
    [[Page 72161]]
    
    under License Exception ENC general purpose, non-voice encryption 
    commodities and software, as defined in this paragraph (b)(1), of any 
    key length to banks and financial institutions in all destinations 
    listed in Supplement No. 3 to this part and to branches of such banks 
    and financial institutions wherever established, except Cuba, Iran, 
    Iraq, Libya, North Korea, Sudan and Syria. End-use is limited to secure 
    business financial communications or transactions and financial 
    communications/transactions between the bank and/or financial 
    institution and its customers. No customer to customer communications 
    or transactions are allowed. Retransfers to other end-users or end-uses 
    are prohibited without prior authorization.
        (iv) Reporting requirements. There are no reporting requirements.
        (2) Health and medical end-users. (i) Scope. You may export and 
    reexport encryption commodities and software of any key length under 
    License Exception ENC to health and medical end-users (as defined in 
    part 772 of the EAR) in specified destinations, subject to the 
    conditions of this paragraph (b)(2). Note that distributors, resellers 
    or other entities who are not manufacturers of the encryption 
    commodities and software are permitted to use License Exception ENC for 
    health and medical end-users only in instances where the export or 
    reexport meets the terms and conditions of this paragraph (b)(2).
        (ii) Eligible commodities and software. Encryption commodities and 
    software of any key length classified under ECCNs 5A002 and 5D002 after 
    a technical review (see paragraph (c) of this section).
        (iii) Eligible destinations; retransfers. You may export and 
    reexport under License Exception ENC encryption commodities and 
    software of any key length to health and medical end-users in all 
    destinations listed in Supplement No. 3 to this part. Non-U.S. 
    biochemical and pharmaceutical manufacturers, and non-U.S. military 
    health and medical entities are not eligible to receive encryption 
    commodities and software under License Exception ENC (see Sec. 742.15 
    of the EAR for licensing information on these end-users, as well as 
    additional countries). End-use is limited to securing health and 
    medical transactions to health and medical end-users. No customer to 
    customer communications or transactions are allowed. Retransfers to 
    other end-users or end-uses are prohibited without prior authorization.
        (iv) Reporting requirements. See paragraph (d) of this section for 
    reporting requirements for exports under this License Exception.
        (3) Encryption commodities and software of any key length for on-
    line merchants. (i) Scope. You may export and reexport encryption 
    commodities and software of any key length under License Exception ENC 
    to on-line merchants (as defined in part 772 of the EAR) in specified 
    destinations, subject to the conditions of this paragraph (b)(3). End-
    use is limited to: the purchase or sale of goods and software; and 
    services connected with the purchase or sale of goods and software 
    including interactions between purchasers and sellers necessary for 
    ordering, payment and delivery of goods and software. No other end-uses 
    or customer to customer communications or transactions are allowed. 
    Foreign on-line merchants or their separate business units (as defined 
    in part 772 of the EAR) who are engaged in the manufacturing and 
    distribution of items or services controlled on the U.S. Munitions List 
    are excluded. Foreign government end-users are also excluded from this 
    License Exception. Note that distributors, resellers or other entities 
    who are not manufacturers of the encryption commodities and software 
    are permitted to use License Exception ENC for on-line merchants only 
    in instances where the export or reexport meets the terms and 
    conditions of this paragraph (b)(3).
        (ii) Eligible commodities and software. Encryption commodities and 
    software of any key length classified under ECCNs 5A002 and 5D002 after 
    a technical review (see paragraph (c) of this section). Such 
    commodities and software must be limited to client-server applications 
    (e.g. Secure Socket Layer (SSL) based applications) or applications 
    specially designed for on-line transactions for the purchase or sale of 
    goods and software; and services connected with the purchase or sale of 
    goods and software, including interactions between purchasers and 
    sellers necessary for ordering, payment and delivery of goods and 
    software. Notwithstanding the provisions of paragraph (c)(2) of this 
    section, commodities and software that were eligible for export to on-
    line merchants under an Encryption Licensing Arrangement or license 
    prior to December 31, 1998, are now eligible for export and reexport 
    under License Exception ENC under the provisions of this paragraph 
    (b)(3).
        (iii) Eligible destinations; retransfers. You may export and 
    reexport encryption commodities and software under License Exception 
    ENC to on-line merchants in all destinations listed in Supplement No. 3 
    to this part, except to foreign on-line merchants or their separate 
    business units who are engaged in the manufacturing and distribution of 
    items or services controlled on the U.S. Munitions List. Retransfers to 
    other end-users or end-uses are prohibited without prior authorization.
        (iv) Reporting requirements. See paragraph (d) of this section for 
    reporting requirements for exports under this License Exception.
        (c) Technical review to determine eligibility for License Exception 
    ENC. (1) You may initiate a technical review required by paragraph (a) 
    or (b) of this section by submitting a classification request for your 
    product in accordance with the provisions of Sec. 748.3(b) of the EAR. 
    Indicate ``License Exception ENC'' in Block 9: Special purpose, on form 
    BXA-748P. Submit the original request to BXA in accordance with 
    Sec. 748.3 of the EAR and send a copy of the request to:
    
    Attn: ENC Encryption Request Coordinator, P.O. Box 246, Annapolis 
    Junction, MD 20701-0246
    
        (2) Commodities and software that have been made eligible for 
    License Exception TSU or KMI or which have been approved for export 
    under an Encryption Licensing Arrangement or a license prior to 
    December 31, 1998 are eligible for export and reexport under all 
    paragraphs of License Exception ENC, except paragraphs (a)(1) and 
    (b)(3) of this section, without an additional technical review, 
    provided that the export or reexport meets all the terms and conditions 
    of this License Exception. For all other commodities and software, a 
    technical review will determine eligibility for License Exception ENC 
    by reviewing the confidentiality algorithm, key space, and key exchange 
    mechanism.
        (3) For export and reexport of encryption commodities and software 
    under paragraph (a)(3) of this section, examples of eligible key 
    exchange mechanisms include, but are not limited to, symmetric 
    algorithms with the same or double the key length authorized for the 
    confidentiality algorithm, asymmetric algorithms with key space of 512, 
    768 or up to and including 1024 bits, proprietary key exchange 
    mechanisms, or others.
        (4) For export and reexport of encryption commodities and software 
    under paragraph (b)(3) of the License Exception ENC, exporters, in 
    order to expedite review of the classification, should submit, as 
    applicable, the following types of information to support the 
    classification request:
    
    [[Page 72162]]
    
        (i) Information describing how the product is limited to a client-
    server application or application specially designed or tailored to the 
    conditions outlined in the License Exception;
        (ii) Information describing the end-user environment to which the 
    application will be limited;
        (iii) Information explaining how the product will not permit 
    customer-to-customer communications or transactions above 56-bits;
        (iv) Information on the process by which the merchant(s) or 
    application will limit access to authorized users; or
        (v) Details of the encryption system, including how it is limited 
    to the application or cannot be diverted to other end-uses.
        (d) Reporting requirements. (1) You must provide to BXA the names 
    and addresses for exports to the following end-users:
        (i) All military and government end-users for non-mass market 
    commodities and non-mass market software exports authorized under 
    paragraph (a)(3) of this section;
        (ii) All health and medical end-users for exports authorized under 
    paragraph (b)(2) of this section, and
        (iii) All foreign on-line merchants for exports authorized under 
    paragraph (b)(3) of this section.
        (2) You must submit reports no later than February 1 and no later 
    than August 1 of any given year. Specifically, the report must identify 
    the end-user name and address and country of ultimate destination, as 
    well as the classification or other authorization number. Send the 
    report to the following address:
    
    Office of Strategic Trade and Foreign Policy Controls, Bureau of 
    Export Administration, Department of Commerce, 14th Street and 
    Pennsylvania Ave., N.W., Room 2705, Washington, D.C. 20230, Attn: 
    Encryption Reports
    
        7. Supplement No. 3 is revised to read as follows:
    Supplement No. 3 to Part 740--Countries Eligible To Receive General 
    Purpose Encryption Commodities and Software
    Anguilla*
    Antigua*
    Argentina*
    Aruba*
    Austria**
    Australia**
    Bahamas*
    Barbados*
    Belgium**
    Brazil*
    Canada**
    Croatia
    Czech Republic*
    Denmark**
    Dominica*
    Ecuador*
    Finland**
    France**
    Germany**
    Greece*
    Hong Kong
    Hungary*
    Iceland**
    Ireland**
    Italy**
    Japan**
    Kenya*
    Luxembourg**
    Monaco*
    The Netherlands**
    New Zealand**
    Norway**
    Poland*
    Portugal**
    St. Kitts & Nevis*
    St. Vincent/Grenadines*
    Seychelles*
    Singapore
    Spain**
    Sweden**
    Switzerland**
    Trinidad & Tobago*
    Turkey*
    Uruguay*
    United Kingdom**
    United States**
        *Commercial entities and their branches located in these 
    countries or any country listed in this Supplement and designated 
    with one or two asterisks are eligible to receive ``recoverable'' 
    encryption commodities and software of any key length for internal 
    company proprietary use. See Sec. 742.15(b)(7) of the EAR.
        **Commercial entities headquartered in these countries and their 
    branches wherever located (except Cuba, Iran, Iraq, Libya, North 
    Korea, Sudan and Syria) are eligible to receive ``recoverable'' 
    encryption commodities and software of any key length for internal 
    company proprietary use. See Sec. 742.15(b)(7) of the EAR.
    
    PART 742--[AMENDED]
    
        8. Section 742.15 is amended:
        a. By revising the first sentence of paragraph (a);
        b. By revising the phrase ``Supplements No. 4, No. 5 and No. 7'' in 
    the introductory paragraph (b) to read ``Supplement No. 4'';
        c. By revising the phrase ``encryption software'' in the title to 
    paragraph (b)(1) to read ``encryption commodities and software'';
        d. By revising paragraph (b)(1)(i);
        e. By adding new paragraphs (b)(1)(iii) and (b)(1)(iv);
        f. By revising paragraph (b)(2);
        g. By removing paragraph (b)(3);
        h. By redesignating paragraphs (b)(4) and (5) as (b)(3) and (4);
        i. By revising newly redesignated paragraph (b)(3);
        j. By revising the heading of newly redesignated paragraph (b)(4);
        k. By removing the phrase ``non-recoverable'' in the first sentence 
    of newly redesignated paragraph (b)(4);
        l. By revising the phrase ``under License Exception KMI (see 
    Sec. 740.8 of the EAR)'' in newly redesignated paragraph (b)(4) to read 
    ``License Exception ENC (see Sec. 740.17(a)(1) of the EAR)'';
        m. By redesignating paragraph (b)(6) and (7) as (b)(8) and (9);
        n. By adding new paragraphs (b)(5), (6) and (7); and
        o. By adding a new paragraph (b)(8)(iii) to read as follows:
    
    
    Sec. 742.15  Encryption items.
    
    * * * * *
        (a) Licenses are required for exports and reexports to all 
    destinations, except Canada, for items controlled under ECCNs having an 
    ``EI'' (for ``encryption items'') under the ``Control(s)'' paragraph. * 
    * *
        (b) * * *
        (1) * * *
        (i) Consistent with E.O. 13026 of November 15, 1996 (61 FR 58767), 
    certain encryption software that was transferred from the U.S. 
    Munitions List to the Commerce Control List pursuant to the 
    Presidential Memorandum of November 15, 1996, may be released from EI 
    controls and thereby made eligible for mass market treatment after a 
    technical review. Further, certain encryption commodities may be 
    released from EI controls and thereby made eligible for mass market 
    treatment after a technical review. To determine eligibility for mass 
    market treatment, exporters must submit a classification request to 
    BXA. 56-bit mass market encryption commodities and software using RC2, 
    RC4, RC5, DES or CAST, and key exchange mechanisms including, but not 
    limited to, symmetric algorithms with the same or double the key length 
    authorized for the confidentiality algorithm, asymmetric algorithms 
    with key space of 512, 768 or up to and including 1024 bits, 
    proprietary key exchange mechanisms, or others, may be eligible for a 
    7-day review process, and company proprietary commodities and software 
    implementations may be eligible for 15-day processing. Refer to 
    Supplement No. 6 to part 742 and Sec. 748.3(b)(3) of the EAR for 
    additional information. Note that the technical review is for a 
    determination to release encryption commodities and software in object 
    code only unless otherwise specifically requested. Exporters requesting 
    release of the source code should refer to paragraph (b)(3)(v)(E) of 
    Supplement No. 6 to part 742.
        (ii) * * *
        (iii) If after a technical review, BXA determines that the 
    encryption commodity is released from EI controls, the commodity is 
    eligible for export under License Exception ENC and all provisions of 
    the EAR applicable to other commodities. However, if BXA determines 
    that the commodity is not released from EI controls, and no License 
    Exception applies, a license is required for export and reexport to all 
    destinations, except Canada, and license applications will be 
    considered on a case-by-case basis.
        (iv) Mass-market encryption software that has already been 
    classified after a technical review and that has been released from EI 
    controls under the provisions of this paragraph (b)(1) will be 
    permitted for export and reexport under license exception TSU with 
    increases of 56-bits for the confidentiality algorithm, the same or 
    double the key length authorized for the confidentiality algorithm for 
    symmetric
    
    [[Page 72163]]
    
    algorithms for key exchange mechanisms and with key spaces of 512, 768 
    or up to and including 1024 bits for asymmetric algorithms for key 
    exchange without an additional technical review, provided that there is 
    no other change in the cryptographic functionality. Exporters must 
    notify BXA in writing of the increase in the key length for the 
    confidentiality algorithm, the asymmetric or symmetric key exchange 
    algorithms, and include the original authorization number issued by BXA 
    and the information identified in paragraphs (a)(2)(iii) through (v) of 
    Supplement No. 6 to part 742 of the EAR (if this information was 
    submitted previously, then only identify the modifications). BXA must 
    receive such notification by March 31, 1999.
        (A) The notification should be sent to:
    
    Office of Strategic Trade and Foreign Policy Controls, Bureau of 
    Export Administration, Department of Commerce, 14th Street and 
    Pennsylvania Ave., N.W., Room 2705, Washington, D.C. 20230, Attn: 
    Encryption Upgrade
    
        (B) A copy of the certification should be sent to:
    
    Attn: ENC Encryption Request Coordinator, P.O. Box 246, Annapolis 
    Junction, MD 20701-0246
    
        (2) Key escrow and key recovery encryption commodities and 
    software. Certain recovery encryption commodities and software of any 
    key length that are classified under ECCNs 5A002 and 5D002 after a 
    technical review are eligible for export and reexport under License 
    Exception KMI. See Sec. 740.8(b)(1) of the EAR for information on 
    additional eligibility requirements.
        (3) General purpose encryption commodities and software of any key 
    length for use by banks and financial institutions.
        (i) Commodities and software that were eligible for License 
    Exception TSU or KMI or have been licensed for export or reexport under 
    an Encryption Licensing Arrangement or a license prior to December 31, 
    1998, are now eligible for export and reexport under License Exception 
    ENC under the provisions of Sec. 740.17(b)(1) of the EAR.
        (ii) For exports and reexports not eligible under a License 
    Exception, exports and reexports of general purpose non-voice 
    encryption commodities and software classified under ECCNs 5A002 and 
    5D002 of any key length will generally be approved under an Encryption 
    Licensing Arrangement for use by banks and financial institutions (as 
    defined in part 772 of the EAR) in all destinations except Cuba, Iran, 
    Iraq, Libya, North Korea, Sudan and Syria. Applications for such 
    commodities and software will receive favorable consideration when the 
    end-use is limited to secure business financial communications or 
    transactions and financial communications/transactions between the bank 
    and/or financial institution and its customers provided that there are 
    no concerns about the country or end-user. No customer to customer 
    communications or transactions are allowed.
        (iii) Note that any country or end-user prohibited in the past from 
    receiving encryption commodities and software under a specific 
    Encryption Licensing Arrangement will be reviewed on a case-by-case 
    basis, and may be considered by BXA for eligibility under future 
    Encryption Licensing Arrangement requests.
        (iv) Note that distributors, resellers or other entities who are 
    not manufacturers of the encryption commodities and software are 
    permitted to use an existing Encryption Licensing Arrangement for 
    exports and reexports of these products only when an Encryption Licensing 
    Arrangement has been granted to the manufacturer and the export and 
    reexport meets the terms and conditions of this paragraph (b)(3).
        (v) There are no reporting requirements for exports to banks and 
    financial institutions.
        (4) Financial-specific encryption items of any key length.* * *
        (5) Encryption commodities and software of any key length for use 
    by health and medical end-users. (i) Commodities and software that have 
    been classified after a technical review through a classification 
    request or have been licensed for export under an Encryption Licensing 
    Arrangement or a license are eligible for export and reexport under 
    License Exception ENC to health and medical end-users without an 
    additional technical review, provided that the export or reexport meets 
    all the terms and conditions of that License Exception. See Sec. 740.17 
    of the EAR. Commodities and software that were eligible for License 
    Exception TSU or KMI or have been licensed for export or reexport under 
    an Encryption Licensing Arrangement or a license prior to December 31, 
    1998, are now eligible for export and reexport under License Exception 
    ENC under the provisions of Sec. 740.17(b)(2) of the EAR.
        (ii) For exports and reexports that are not eligible under License 
    Exception ENC, exports and reexports of encryption commodities and 
    software classified under ECCNs 5A002 and 5D002 of any key length will 
    generally be approved under an Encryption Licensing Arrangement for use 
    by health and medical end-users (as defined in part 772 of the EAR) in 
    all destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan and 
    Syria except for non-U.S. biochemical and pharmaceutical manufacturers 
    and non-U.S. military health and medical entities. No customer to 
    customer communications or transactions are allowed.
        (iii) Note that any country or end-user prohibited in the past from 
    receiving encryption commodities and software under a specific 
    Encryption Licensing Arrangement will be reviewed on a case-by-case 
    basis, and may be considered by BXA for eligibility under future 
    Encryption Licensing Arrangement requests.
        (iv) Note that distributors, resellers or other entities who are 
    not manufacturers of the encryption commodities and software are 
    permitted to use an existing Encryption Licensing Arrangement for 
    exports and reexports of these products only when an Encryption Licensing 
    Arrangement has been granted to the manufacturer and the export and 
    reexport meets the terms and conditions of this paragraph (b)(5).
        (v) You must submit to BXA the name and address of the end-user.
        (6) Encryption commodities and software of any key length for on-
    line merchants. (i) Commodities and software that were eligible for 
    export to on-line merchants under an Encryption Licensing Arrangement 
    prior to December 31, 1998, are now eligible for export and reexport 
    under License Exception ENC under the provisions of Sec. 740.17(b)(3).
        (ii) Exports and reexports of encryption commodities and software 
    classified under ECCNs 5A002 and 5D002 of any key length which are 
    limited to client-server applications (e.g., Secure Socket Layer (SSL) 
    based applications) or applications specially designed for on-line 
    transactions for the purchase or sale of goods and software will be 
    permitted under an Export Licensing Arrangement in all destinations 
    except Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria for use by 
    foreign on-line merchants as defined in part 772 of the EAR. End-use is 
    limited to: the purchase or sale of goods and software; and services 
    connected with the purchase or sale of goods and software, including 
    interactions between purchasers and sellers necessary for ordering, 
    payment and delivery of goods and software. No other end-uses or 
    customer to customer communications or transactions are allowed.
        (iii) Applications for Encryption Licensing Arrangements for on-
    line
    
    [[Page 72164]]
    
    merchants will generally be approved, except for foreign on-line 
    merchants or their separate business units (as defined in part 772 of 
    the EAR) who are engaged in the manufacturing and distribution of items 
    or services controlled on the U.S. Munitions List. Such end-users will 
    be considered on a case-by-case basis.
        (iv) Note that any country or end-user prohibited in the past from 
    receiving encryption commodities and software under a specific 
    Encryption Licensing Arrangement will be reviewed on a case-by-case 
    basis, and may be considered by BXA for eligibility under future 
    Encryption Licensing Arrangement requests.
        (v) Note that distributors, resellers or other entities who are not 
    manufacturers of the encryption commodities and software are permitted 
    to use an existing Encryption Licensing Arrangement for exports and 
    reexports of these products only when an Encryption Licensing Arrangement 
    has been granted to the manufacturer and the export and reexport meets 
    the terms and conditions of this paragraph (b)(6).
        (v) You must submit to BXA the name and address of the end-user.
        (7) Recoverable encryption commodities and software of any key 
    length for use by commercial entities. (i) Exports and reexports of 
    recoverable encryption commodities and software (as defined in part 772 
    of the EAR) classified under ECCNs 5A002 and 5D002 of any key length 
    will generally be approved under an Encryption Licensing Arrangement to 
    destinations designated with a ``*'' or ``**'' in Supplement No. 3 to 
    part 740 of the EAR to foreign commercial entities for internal company 
    proprietary use. Such encryption commodities and software will 
    generally be approved for export and reexport to foreign subsidiaries 
    of commercial firms headquartered in countries designated with a ``**'' 
    in Supplement No. 3 to part 740 of the EAR that are located in any 
    destination except Cuba, Iran, Iraq, Libya, North Korea, Sudan and 
    Syria. Exports and reexports to telecommunication and internet service 
    providers are permitted under this policy for internal company 
    proprietary use. Use by service providers to provide service to 
    customers is excluded from this policy, but exports may be possible 
    under a license or an Encryption Licensing Arrangement on a case-by-
    case basis. This policy of approval excludes those foreign commercial 
    firms or their separate business units (as defined in part 772 of the 
    EAR) engaged in the manufacturing and distribution of items or services 
    controlled by the U.S. Munitions List.
        (ii) Note that any country or end-user prohibited in the past from 
    receiving encryption commodities and software under a specific 
    Encryption Licensing Arrangement will be reviewed on a case-by-case 
    basis, and may be considered by BXA for eligibility under future 
    Encryption Licensing Arrangement requests.
        (iii) Note that distributors, resellers or other entities who are 
    not manufacturers of the encryption commodities and software are 
    permitted to use an existing Encryption Licensing Arrangement for 
    exports and reexports of these products only when an Encryption Licensing 
    Arrangement has been granted to the manufacturer and the export and 
    reexport meets the terms and conditions of this paragraph (b)(7).
        (iv) You must submit to BXA the name and address of the end-user.
        (8) All other encryption items. * * *
        (iii) Exports and reexports of encryption commodities and software 
    of any key length to ``strategic partners'' of U.S. companies will 
    receive favorable consideration when the end-use is for the protection 
    of U.S. company proprietary information.
    * * * * *
        9. Supplement No. 4 to part 742 is amended by revising paragraph 
    (8) to read as follows:
    
    Supplement No. 4 to Part 742--Key Escrow or Key Recoverable 
    Products Criteria
    
    * * * * *
        (8) The product's cryptographic function's key(s) or other 
    material/information required to decrypt ciphertext shall be accessible 
    to government officials under proper legal authority.
        10. Part 742 is amended by removing and reserving Supplement No. 5 
    and Supplement No. 7.
        11. Supplement No. 6 to part 742 is revised to read as follows:
    
    Supplement No. 6 to Part 742--Guidelines for Submitting a 
    Classification Request for Mass Market Encryption Commodities and 
    Software
    
        Classification requests for release of certain mass market 
    encryption commodities and software from EI controls must be submitted 
    on Form BXA-748P, in accordance with Sec. 748.3 of the EAR. To expedite 
    review of the request, clearly mark the envelope ``Attn.: Mass Market 
    Encryption (Commodity) or (Software) Classification Request''. In Block 
    9: Special Purpose of the Form BXA-748P, you must insert the phrase 
    ``Mass Market Encryption (Commodity) or (Software)''. Failure to insert 
    this phrase will delay processing. In addition, the Bureau of Export 
    Administration recommends that such requests be delivered via courier 
    service to: Bureau of Export Administration, Office of Exporter 
    Services, Room 2705, 14th Street and Pennsylvania Ave., N.W., 
    Washington, D.C. 20230. In addition, send a copy of the request and all 
    supporting documents by Express Mail to: Attn: Mass Market Encryption 
    Request Coordinator, P.O. Box 246, Annapolis Junction, MD 20701-0246.
        (a) Requests for mass market encryption commodities and software 
    that meet the criteria in paragraph (a)(2) of this Supplement will be 
    processed in seven (7) working days from receipt of a properly 
    completed request. Those requests for mass market encryption 
    commodities and software that meet the criteria of paragraph (a)(1) of 
    this Supplement only will be processed in fifteen (15) working days 
    from receipt of a properly completed request. When additional 
    information is requested, the request will be processed within 15 
    working days of the receipt of the requested information.
        (1) A mass market product that meets the criteria established in 
    this paragraph will be processed in fifteen (15) working days from 
    receipt of the properly completed request:
        (i) The commodity or software must be mass market. Mass market 
    commodities and software are those that are available to the public via 
    sales from stock at retail selling points by means of over-the-counter 
    transactions, mail order transactions, or telephone call transactions;
        (ii) The commodity or software must be designed for installation by 
    the user without further substantial support by the supplier. 
    Substantial support does not include telephone (voice only) help line 
    services for installation or basic operation, or basic operation 
    training provided by the supplier; and
        (iii) The commodity or software includes encryption for data 
    confidentiality.
        (2) A mass market commodity or software product that meets all the 
    criteria established in this paragraph will be processed in seven (7) 
    working days from receipt of the properly completed request:
        (i) The commodity or software meets all the criteria established in 
    paragraph (a)(1) (i) through (iii) of this Supplement;
        (ii) The confidentiality algorithm must be RC2, RC4, RC5, DES or 
    CAST with a key space no longer than 56-bits. The RC2, RC4 and RC5 
    algorithms are proprietary to RSA Data Security, Inc. To ensure that 
    the subject commodity or
    
    [[Page 72165]]
    
    software is properly licensed and correctly implemented, contact RSA 
    Data Security, (415) 595-8782. The CAST algorithm is proprietary to 
    Entrust Technologies, Inc. To ensure that the subject software is 
    properly licensed and correctly implemented, contact Entrust 
    Technologies, Inc., (972) 994-8000;
        (iii) If any combination of RC2, RC4, RC5, DES or CAST are used in 
    the same commodity or software, their functionality must be separate. 
    That is, no data can be operated on sequentially by both routines or 
    multiple times by either routine;
        (iv) The commodity or software must not allow the alteration of the 
    confidentiality mechanism and its associated key spaces by the user or 
    any other program;
        (v) The key exchange used in confidentiality must be:
        (A) A public key algorithm with a key space less than or equal to a 
    512-bit, 768-bit or up to and including 1024 bit modulus and/or;
        (B) A symmetric algorithm with a key space less than or equal to 
    112-bits; and
        (vi) The commodity or software must not allow the alteration of the 
    key management mechanism and its associated key space by the user or 
    any other program.
        (b)(1) To submit a classification request for a product that is 
    eligible for the seven-day handling, you must provide the following 
    information in a cover letter to the classification request. Send the 
    original to the Bureau of Export Administration. Send a copy of the 
    application and all supporting documentation by Express Mail to:
    
    Attn.: Mass Market Encryption Request Coordinator, P.O. Box 246, 
    Annapolis Junction, MD 20701-0246
    
        (2) Instructions for the preparation and submission of a 
    classification request that is eligible for seven day handling are as 
    follows:
        (3) If the commodity or software product meets the criteria in 
    paragraph (a)(2) of this Supplement, you must call the Department of 
    Commerce on (202) 482-0092 to obtain a test vector, or submit to BXA a 
    copy of the encryption subsystem source code. The test vector or source 
    code must be used in the classification process to confirm that the 
    software has properly implemented the approved encryption algorithms.
        (4) Upon receipt of the test vector, the applicant must encrypt the 
    test plain text input provided using the product's encryption routine 
    (RC2, RC4, RC5, DES or CAST) with the given key value. The applicant 
    should not pre-process the test vector by any compression or any other 
    routine that changes its format. Place the resultant test cipher text 
    output in hexadecimal format on an attachment to form BXA-748P.
        (5) You must provide the following information in a cover letter to 
    the classification request:
        (i) Clearly state at the top of the page ``Mass Market Encryption 
    (Commodity) (Software)--7 Day Expedited Review Requested'';
        (ii) State that you have reviewed and determined that the commodity 
    or software subject to the classification request meets the criteria of 
    paragraph (a)(2) of this Supplement;
        (iii) State the name of the single commodity or software product 
    being submitted for review. A separate classification request is 
    required for each product;
        (iv) State how the commodity or software has been written to 
    preclude user modification of the encryption algorithm, key management 
    mechanism, and key space;
        (v) Provide the following information for the commodity or software 
    product:
        (A) Whether the commodity or software uses the RC2, RC4, RC5, DES 
    or CAST algorithm and how the algorithm(s) is used. If any combination 
    of these algorithms is used in the same product, also state how 
    the functionality of each is separated to assure that no data is 
    operated on by more than one algorithm;
        (B) Pre-processing information of plaintext data before encryption 
    (e.g. the addition of clear text header information or compression of 
    the data);
        (C) Post-processing information of cipher text data after 
    encryption (e.g. the addition of clear text header information or 
    packetization of the encrypted data);
        (D) Whether a public key algorithm or a symmetric key algorithm is 
    used to encrypt keys and the applicable key space;
        (E) For classification requests regarding source code:
        (1) Reference the applicable executable product that has already 
    received a technical review;
        (2) Include whether the source code has been modified by deleting 
    the encryption algorithm, its associated key management routine(s), and 
    all calls to the algorithm from the source code, or by providing the 
    encryption algorithm and associated key management routine(s) in object 
    code with all calls to the algorithm hidden. You must provide the 
    technical details on how you have modified the source code;
        (3) Include a copy of the sections of the source code that contain 
    the encryption algorithm, key management routines, and their related 
    calls; and
        (F) Provide any additional information which you believe would 
    assist in the review process.
        (c) Instructions for the preparation and submission of a 
    classification request that is eligible for 15-day handling are as 
    follows:
        (1) If the commodity or software product meets only the criteria in 
    paragraph (a)(1) of this Supplement, you must prepare a classification 
    request. Send the original to the Bureau of Export Administration. Send 
    a copy of the application and all supporting documentation by Express 
    Mail to:
    
    Attn.: Mass Market Encryption Request Coordinator, P.O. Box 246, 
    Annapolis Junction, MD 20701-0246
    
        (2) You must provide the following information in a cover letter to 
    the classification request:
        (i) Clearly state at the top of the page ``Mass Market Encryption 
    (Commodity)(Software)--15 Day Expedited Review Requested'';
        (ii) State that you have reviewed and determined that the commodity 
    or software subject to the classification request meets the criteria 
    of paragraph (a)(1) of this Supplement;
        (iii) State the name of the single commodity or software product 
    being submitted for review. A separate classification request is 
    required for each product;
        (iv) State that a duplicate copy, in accordance with paragraph 
    (c)(1) of this Supplement, has been sent to the 15-day Encryption 
    Request Coordinator; and
        (v) Ensure that the information provided includes brochures or 
    other documentation or specifications relating to the commodity or 
    software, as well as any additional information which you believe would 
    assist in the review process.
        (3) Contact the Bureau of Export Administration on (202) 482-0707 
    prior to submission of the classification to facilitate the submission 
    of proper documentation.
    
    PART 743--[AMENDED]
    
        12. Section 743.1 is amended:
        a. By revising the phrase ``GOV and KMI (under the provisions of 
    Sec. 740.8(b)(2)(ii) and (iii) only)'' in paragraph (b) to read 
    ``ENC''; and
        b. By removing the phrase ``, 5A002, 5B002, 5D002, and 5E002'' in 
    paragraph (c)(1)(v).
    
    PART 772--[AMENDED]
    
        13. Part 772 is amended by revising the definition of ``Financial 
    Institution'' and adding, in alphabetical order, new definitions for 
    ``Business Unit'',
    
    [[Page 72166]]
    
    ``Health/medical end-user'', ``On-line merchant'', ``Recoverable 
    commodities and software'', ``Strategic partner,'' and ``U.S. 
    subsidiary''.
    * * * * *
        Business Unit. As applied to encryption items, means a unit of a 
    business which, whether or not separately incorporated, has:
        (a) A distinct organizational structure which does not overlap with 
    other business units of the same business;
        (b) A distinct set of accounts; and
        (c) Separate facilities for purchase, sale, delivery, and 
    production of goods and services.
    * * * * *
        Financial Institution. As applied to encryption items, means any of 
    the following:
        (a) A broker, dealer, government securities broker or dealer, self-
    regulatory organization, investment company or investment adviser, 
    which is regulated or supervised by the Securities and Exchange 
    Commission or a self-regulatory organization that is registered with 
    the Securities and Exchange Commission; or
        (b) A broker, dealer, government securities broker or dealer, 
    investment company, investment adviser, or entity that engages in 
    securities activities that, if conducted in the United States, would be 
    described by the definition of the term ``self-regulatory 
    organization'' in the Securities Exchange Act of 1934, which is 
    organized under the laws of a foreign country and regulated or 
    supervised by a foreign securities authority; or
        (c) A U.S. board of trade that is designated as a contract market 
    by the Commodity Futures Trading Commission or a futures commission 
    merchant that is regulated or supervised by the Commodity Futures 
    Trading Commission; or
        (d) A U.S. entity engaged primarily in the business of issuing a 
    general purpose charge, debit, or stored value card, or a branch of, or 
    affiliate controlled by, such an entity; or
        (e) A branch or affiliate of any of the entities listed in 
    paragraphs (a), (b), or (c) of this definition regulated or supervised 
    by the Securities and Exchange Commission, the Commodity Futures 
    Trading Commission, or a foreign securities authority; or
        (f) An affiliate of any of the entities listed in paragraph (a), 
    (b), (c), or (e), of this definition engaged solely in the business of 
    providing data processing services to one or more bank or financial 
    institutions, or a branch of such an affiliate; or
        (g) A company organized and regulated under the laws of any of the 
    United States and its branches and affiliates whose primary and 
    predominant business activity is the writing of insurance or the 
    reinsuring of risks; or a company organized and regulated under the 
    laws of a foreign country and its branches and affiliates whose primary 
    and predominant business activity is the writing of insurance or the 
    reinsuring of risks.
    * * * * *
        Health/medical end-user. As applied to encryption items, means any 
    entity, including civilian government agencies, the primary purpose of 
    which is the provision of medical or other health services. The term 
    medical or other health services includes the following items or 
    services:
        (a) Physicians' services and services and supplies furnished as an 
    incident to a physician's professional service (such as laboratory 
    services), of kinds which are commonly furnished in physicians' 
    offices; services provided by a physician assistant or by a nurse 
    practitioner; including services which would be physicians' services if 
    furnished by a physician and which are performed by a physician 
    assistant under the supervision of a physician, or services which would 
    be physicians' services if furnished by a physician and which are 
    performed by a nurse practitioner or clinical nurse specialist in 
    collaboration with a physician; certified nurse-midwife services or 
    services of a certified registered nurse anesthetist;
        (b) Hospital services incident to physicians' services rendered to 
    outpatients and hospitalization services incident to such services; 
    ambulance services;
        (c) Psychologist services or clinical social worker services; or
        (d) Health cost reimbursers (e.g., health insurers, HMOs).
    * * * * *
        On-line merchant. As applied to encryption items, means an entity 
    regularly engaged in lawful commerce that uses means of electronic 
    communications (e.g., the Internet) to conduct commercial transactions.
    * * * * *
        Recoverable commodities and software. As applied to encryption 
    items, means any of the following:
        (a) A stored data product containing a recovery feature that, when 
    activated, allows recovery of the plaintext of encrypted data without 
    the assistance of the end-user; or
        (b) A product or system designed such that a network administrator 
    or other authorized persons who are removed from the end-user can 
    provide law enforcement access to plaintext without the knowledge or 
    assistance of the end-user. This includes, for example, products or 
    systems where plaintext exists and is accessible at intermediate points 
    in a network or infrastructure system, enterprise-controlled recovery 
    systems, and products which permit recovery of plaintext at the server 
    where a system administrator controls or can provide recovery of 
    plaintext across an enterprise.
    
        Note to this definition: ``Plaintext'' indicates that data that 
    is initially received by or presented to the recoverable product 
    before encryption takes place.
    * * * * *
        Strategic partner (of a U.S. company). As applied to encryption 
    items, means a foreign-based entity that:
        (a) Has a business need to share the proprietary information with 
    one or more U.S. companies; and
        (b) Is contractually bound to the U.S. company (e.g., has an 
    established pattern of continuing or recurring contractual relations).
    * * * * *
        U.S. subsidiary. As applied to encryption items, means
        (a) A foreign branch of a U.S. company; or
        (b) A foreign subsidiary or entity of a U.S. entity in which:
        (1) The U.S. entity beneficially owns or controls (whether directly 
    or indirectly) 25 percent or more of the voting securities of the 
    foreign subsidiary or entity, if no other person owns or controls 
    (whether directly or indirectly) an equal or larger percentage; or
        (2) The foreign entity is operated by the U.S. entity pursuant to 
    the provisions of an exclusive management contract; or
        (3) A majority of the members of the board of directors of the 
    foreign subsidiary or entity also are members of the comparable 
    governing body of the U.S. entity; or
        (4) The U.S. entity has the authority to appoint the majority of 
    the members of the board of directors of the foreign subsidiary or 
    entity; or
        (5) The U.S. entity has the authority to appoint the chief 
    operating officer of the foreign subsidiary or entity.
    
    PART 774--[AMENDED]
    
        14. In Supplement No. 1 to part 774, Category 5--Telecommunications 
    and Information Security is amended by revising the License 
    Requirements section of ECCNs 5A002 and 5D002 to read as follows:
    
        5A002 Systems, equipment, application specific ``assemblies'', 
    modules or integrated circuits for ``information security'', and 
    specially designed components therefor.
    
    [[Page 72167]]
    
    License Requirements
    
                         Reason for Control: NS, AT, EI
    ------------------------------------------------------------------------
                  Control(s)                         Country chart
    ------------------------------------------------------------------------
    NS applies to entire entry...........  NS Column 1.
    AT applies to entire entry...........  AT Column 1.
    ------------------------------------------------------------------------
    
        EI applies to encryption items transferred from the U.S. 
    Munitions List to the Commerce Control List consistent with E.O. 
    13026 of November 15, 1996 (61 FR 58767) and pursuant to the 
    Presidential Memorandum of that date. Refer to Sec. 742.15 of this 
    subchapter.
    * * * * *
        5D002 Information Security--``Software''.
    
    License Requirements
    
                         Reason for Control: NS, AT, EI
    ------------------------------------------------------------------------
                  Control(s)                         Country chart
    ------------------------------------------------------------------------
    NS applies to entire entry...........  NS Column 1.
    AT applies to entire entry...........  AT Column 1.
    ------------------------------------------------------------------------
    
        EI applies to encryption items transferred from the U.S. 
    Munitions List to the Commerce Control List consistent with E.O. 
    13026 of November 15, 1996 (61 FR 58767) and pursuant to the 
    Presidential Memorandum of that date. Refer to Sec. 742.15 of the 
    EAR.
    
        Note: Encryption software is controlled because of its 
    functional capacity, and not because of any informational value of 
    such software; such software is not accorded the same treatment 
    under the EAR as other ``software''; and for export licensing 
    purposes, encryption software is treated under the EAR in the same 
    manner as a commodity included in ECCN 5A002. License Exceptions for 
    commodities are not applicable.
    
        Note: Encryption software controlled for EI reasons under this 
    entry remains subject to the EAR even when made publicly available 
    in accordance with part 734 of the EAR, and it is not eligible for 
    the General Software Note (``mass market'' treatment under License 
    Exception TSU for mass market software). After a technical review, 
    certain encryption software may be released from EI controls and 
    made eligible for the General Software Note treatment as well as 
    other provisions of the EAR applicable to software. Refer to 
    Sec. 742.15(b)(1) of the EAR, and Supplement No. 6 to part 742 of 
    the EAR.
    * * * * *
        Dated: December 23, 1998.
    R. Roger Majak,
    Assistant Secretary for Export Administration.
    [FR Doc. 98-34669 Filed 12-30-98; 8:45 am]
    BILLING CODE 3510-33-P
    
    
    

Document Information

Effective Date: 12/31/1998
Published: 12/31/1998
Department: Export Administration Bureau
Entry Type: Rule
Action: Interim rule; request for comments.
Document Number: 98-34669
Dates: This rule is effective: December 31, 1998. Comments must be received on or before March 1, 1999.
Pages: 72156-72167 (12 pages)
Docket Numbers: Docket No. 9809-11233-8318-02
RINs: 0694-AB80: Encryption Items
RIN Links: https://www.federalregister.gov/regulations/0694-AB80/encryption-items
PDF File: 98-34669.pdf
CFR: (8)
15 CFR 742.15(b)(8)
15 CFR 742.15(b)(1)
15 CFR 740.8(b)(2)(ii)
15 CFR 740.8
15 CFR 740.17