John,

I buttonholed William Reinsch, Commerce Dept undersecretary, outside the
White House briefing room a few minutes ago. I happened to ask him the same
question you bring up here: What's up with that one-time technical review?

Things were crowded and noisy, but here's what I learned. (The BXA regs are
still being drafted and are supposed to be published in the Federal
Register no later than December 15.)

Products <64 bit or equivalent are generally decontrolled except for:

1. Can't export to Cuba, Iran, Iraq, Libya, N.Korea, Sudan, Syria, and
2. A one-time technical review is STILL REQUIRED. That process is supposed
to take not more than a few months. According to Reinsch, such a review is
closest to your:
>or:    *  BEFORE you post it, you have to send a copy to NSA -- AND THEN WAIT
>          until they say you can export it?

It's unclear to me whether they'll require source. DoD's Hamre simply said
it would have to be a "meaningful" review and said providing a product
brochure just isn't good enough.

Also, the regs differentiate between "retail" and "custom" products.
Reinsch: "There are differences in the way it will be treated." When asked
whether, say, shrinkwrapped software available at CompUSA would be
automatically treated as retail, Reinsch replied, "It's more complicated
than that."

Products >64 bit or equivalent are still controlled under EAR but can be
exported through a license exception under these circumstances:

1. Feds get one-time technical review, and
2. You must file post-export reports with Commerce Dept, and
3. Can't export to Cuba, Iran, Iraq, Libya, N.Korea, Sudan, Syria, and

If the destination is a permissible foreign government or a state entity
such as a telecom firm, I believe you must also satisfy these conditions:

4. Product must not "require substantial support" (think technical
support), and
5. Product must be "sold in tangible form or have been specifically
designed for individual consumer use"

For each version of a new product (I gave Reinsch example of PGP 10.0.0.0
and 10.0.0.1), you have to submit it and wait for a new "one-time"
technical review.

Also, I asked Reinsch if "end users" include distributors such as computer
stores in foreign countries. He said yes, and that they're not trying to
pull a fast one.

What I found most interesting was what Attorney General Reno said about the
government's cryptanalysis abilities. When asked if she can break strong,
>64 bit equivalent crypto, she said, "We have carefully looked at this and
think it's possible," and declined to add details.

DoD's Hamre said that there would be a big chunk assigned to cryptanalysis
R&D in DoD's requested FY2001 budget but added "some of the parts you may
be interested [in] I can't discuss." (I wouldn't necessarily read much into
this. It could simply be a face-saving move.)

Finally, Reno indicated that this kind of cryptanalysis may not be enough
-- and legal requirements such as mandatory key escrow may be necessary.
She said:

"This legislation does not provide any new authority for law enforcement to
be able to obtain usable evidence from criminals. We will continue to
operate under our existing authorities and attempt to meet the threat of
the criminal use of encryption. We are hopeful that these existing
authorities will prove sufficient."

Here's hoping...

-Declan

More:
http://www.wired.com/news/news/politics/story/21790.html
http://www.wired.com/news/news/politics/story/21786.html

