The Administration's initiative will make it easier for Americans to use stronger encryption products-- whether at home or abroad-- to protect their privacy, intellectual property and other valuable information. It will support the growth of electronic commerce, increase the security of the global information, and sustain the economic competitiveness of US encryption product manufacturers during the transition to a key management infrastructure.
Under this initiative, the export of 56-bit key length encryption products will be permitted under a general license after one- time review, and contingent upon industry commitments to build and market future products that support key recovery. This policy will apply to hardware and software products. The relaxation of controls will last up to two years.
The Administration's initiative recognizes that an industry- led technology strategy will expedite market acceptance of key recovery, and that the ultimate solution must be market- driven.
Exporters of 56- bit DES or equivalent encryption products would make commitments to develop and sell products that support the key recovery system that I announced in July. That vision presumes that a trusted party (in some cases internal to the user's organization) would recover the user's confidentiality key for the user or for law enforcement officials acting under proper authority. Access to keys would be provided in accordance with destination country policies and bilateral understandings. No key length limits or algorithm restrictions will apply to exported key recovery products.
Domestic use of key recovery will be voluntary, and any American will remain free to use any encryption system domestically.
The temporary relaxation of controls is one part of a broader encryption policy effort designed to promote electronic information security and public safety. For export controls purposes, commercial encryption products will no longer be treated as munitions. After consultation with Congress, jurisdiction for commercial encryption controls will be transferred from the State Department to the Commercial Department. The Administration also will seek legislation to facilitate commercial key recovery, including providing penalties for improper release of keys, and protecting key recovery agents against liability when they properly release a key.
As I announced in July, the Administration will continue to expand the purchase of key recovery products for U.S. government use, promote key recovery arrangements in bilateral and multilateral discussions, develop federal cryptographic and key recovery standards, and stimulate the development of innovative key recovery products and services.
Under the relaxation, six-month general export licenses will be issued after one-time review, contingent on commitments from exporters to explicit benchmarks and milestones for developing and incorporating key recovery features into their products and services, and for building the supporting infrastructure internationally. Initial approval will be contingent on firms providing a plan for implementing key recovery. The Plan will explain in detail the steps the applicant will take to develop, produce, distribute, and/or market encryption products with key recovery features. The specific commitments will depend on the applicantŐs line of business.
The government will review the licenses for additional six-month periods if milestones are met. Two years from now, the export of 56-bit products that do not support key recovery will not be permitted. Currently exportable 40-bit mass market products will continue to be exportable. We will continue to support financial institutions in their efforts to assure the recovery of encrypted financial information. Longer key lengths will continue to be approved for products dedicated to the support of financial applications.
The Administration will use a formal mechanism to provide industry, users, state and local law enforcement, and other private sector representatives with the opportunity to advise on the future of key recovery. Topics will include:
- evaluating the developing global key recovery architecture
- assessing lessons learned from key recovery implementation
- advising on technical confidence issues vis-a-vis access to and release of keys
- addressing interoperability and standards issues
- identifying other technical, policy and program issues for government action.
The Administration's initiative is broadly consistent with the recent recommendations of the National Research Council. It also addresses many of the objectives of pending Congressional legislation.
Return to EPIC Key Escrow Page
Return to EPIC Crypto Pages
Return to EPIC Home Page