Export Controls on Encryption Technologies

Of all current issues stemming from changes brought about by the information revolution, that of export controls on encryption technologies is one of the most problematic—and perhaps interesting—because it incorporates a wide range of other issues, including civil liberties concerns and First Amendment rights, law enforcement, the functions of the intelligence community in the post-Cold War world, and the need for protection of financial transactions and proprietary data across national boundaries. Indeed, the wider issues related to providing security for information infrastructures on both a global and national scale are becoming increasingly important. It is a thorny area, not only because there are a number of competing interests, on both national and international levels, but because much information on encryption, including much of the US government’s information, analyses, and policy in this area, are enshrouded in secrecy.

Until very recently, sophisticated encryption—the science of coding and decoding messages—was the almost exclusive purview of those concerned with military, diplomacy, and espionage. Since the time of Julius Caesar, communications regarding military operations have been encrypted. Sensitive diplomatic communications between diplomats posted abroad and their governments at home have also been encrypted; not only to make possible candid exchanges, but to enable governments to achieve their objectives in negotiations or other diplomatic activities. The world of intelligence, including analytical work based on espionage is by its very nature one of great secrecy. Virtually all communications, including those concerning the most prosaic of intelligence matters, must be kept secret if sources, methods and effectiveness are not to be destroyed. For hundreds of years, communications of intelligence services have been accorded the highest degree of secrecy possible, through use of the most sophisticated encryption techniques available. Advantage in the world of intelligence, particularly military intelligence, has been sought through “cracking” or otherwise penetrating the secrecy of an adversary. The most famous historical example was the Allies’ decoding of the German “Enigma” cryptography during World War II.

The development of computer links and networks and the increasing reliance on electronic communications for modern business transactions —financial transfers, communications, decentralization of business functions, joint ventures and other cooperative activities, and sharing of proprietary data—have brought with them a need for both security in communications (including message integrity) and message sender authentication. The needs for security and authentication have made encryption critically important. One prominent group noted succinctly a few years ago: “Technological progress has moved encryption from the realm of national security into the public and commercial spheres.” ¹

Over the past few years the market for data encryption has grown significantly and continues to do so, with an estimated US market of $384 million in 1991 to a projected $946 million market in 1996. Worldwide totals are estimated at $695 million for 1991 to $1.8 billion in 1996. ² With the proliferation of computer-linked networks and the increasing importance of communication links in general, computer and network security is becoming a crucial issue. Encryption, the most important means of providing security in networked environments, has become, as noted by the OECD, “pivotal.”

Administration of Controls

It is easy to become lost in the thickets of the legal language governing export controls—particularly the somewhat arcane law, regulation, and procedures with respect to licensing jurisdiction—but they do have a direct impact on licensing outcomes and how we deal with encryption. Export licensing on encryption technologies must be part of a larger debate on issues emerging from new technologies and new uses of technologies.

Current law concerning export controls on encryption technologies still reflects Cold War and pre-Information Age thinking. Having long been viewed as essentially military and intelligence service technologies, exports on virtually all encryption technologies, (including hardware, software, and the mathematical algorithms on which cryptography is based) remain controlled under the Arms Export Control Act (AECA) of 1976 (22 USC 2778) and the implementing International Trade in Arms Regulations (ITAR, revised 1992). The ITAR include listings of those commodities —mostly weaponry and military equipment—known commonly as the “munitions list.” Category XIII, “Auxiliary Military Equipment,” some of which is...