There is a plethora of information on the internet that outlines bills, laws, and regulations that once existed, but it is very difficult to find up-to-date information about the current status of cryptography for domestic use and export. Although regulations surrounding cryptography and encryption have been draconian in the past, the U.S. government has been relaxing its hold on the public use of encryption since 1999. Currently there are three major bills that would further decrease the regulations surrounding the use of encryption techniques. These bills are the SAFE (Security and Freedom through Encryption) Act, and the PROTECT (Promote Reliable Online Transactions To Encourage Commerce and Trade) Act. Although all of these bills intend to relax the regulations on the freedom to encrypt, none of them has gained ground legislatively for a number of years. The SAFE Act has progressed the furthest and has been passed by many committees, but it is currently stalled in the House pending revision of some of the export policies. There is a fourth bill that does relax some government regulations, the Encryption for the National Interest Act. However, it is far different from the other three, as it makes no changes to the propagation of encryption outside of the United States, and it does not give any guidance as to whether or not there should be mandatory key escrow for the government.
In the 1990s there was very little freedom to export encryption because cryptographic techniques were considered 'munitions' and their export was regulated by ITAR (International Traffic of Arms Regulations), which meant that anything considered 'munitions' by the government was illegal to transport overseas. However, in 1999 the 9th Circuit Court of Appeals ruled in favor of Dan Bernstein (backed by the Electronic Frontier Foundation) in his case against the federal regulations that restricted the export of cryptographic software, related devices, and technology. The case was won on the basis that the regulations violated the First Amendment on the grounds of prior restraint. Put simply, the government cannot impose restraints or censorship on any form of communication unless it has a very, very compelling reason.
Since 1996 the U.S. Department of Commerce's Bureau of Industry and Security (BIS) has had the responsibility of maintaining the regulations that surround the export of cryptographic software and devices. As promised, here is a summary of current U.S. encryption export controls:
The Policy is based on three principles:
- Review of Encryption Products Prior to Sale (or dissemination)
- Streamlined post-export reporting
- License review of certain exports and reexports of strong encryption to foreign governments
- All encryption products for export are eligible for a 30-day review by the BIS.
- European Union members are eligible to receive encryption products immediately without waiting for the 30-day review (however, the product must still be submitted).
- Publicly available encryption products on the internet that are updated or revised do not need to be reevaluated if they have already been reviewed.
- Foreign Beta Testers do not need to be identified.
- If key lengths are increased in a previously reviewed product, an email notification is necessary.
- Certain countries are not eligible for export (Terrorist Level 7 Countries).
- Key Escrow is not mandatory.
- Encryption Source Code publicly available must be submitted to the BIS and the Encryption Request Coordinator before it is published.
- Encryption Source Code not made publicly available may not be eligible for export.
- Products that use 56-bit symmetric encryption, 512-bit asymmetric encryption, or 112-bit elliptic curve algorithms do not require BIS review.
- Wireless products that incorporate short-range encryption components need not be reviewed, but the incorporated components need to be reviewed.
Final note: It is legal for any U.S. citizen to use encryption for their own private purposes (so can Canadians and many other citizens of Western countries). U.S. citizens are also currently permitted to leave the country with encryption products without obtaining an export license, as long as they are returning with the product and are only using it for their own personal encryption needs. (This was not true before 1996, when encryption was considered munitions.) This topic has become dear to e-Liberty's heart recently because we have been developing a Personal Encryption Suite that will soon be released. More on that coming soon!
