control regime on products with encryption capabilities for confidentiality is intended to serve two primary purposes:
• To delay the spread of strong cryptographic capabilities and the use of those capabilities throughout the world. Senior intelligence officials recognize that in the long run, the ability of intelligence agencies to engage in signals intelligence will inevitably diminish due to a variety of technological trends, including the greater use of cryptography.1
• To give the U.S. government a tool for monitoring and influencing the commercial development of cryptography. Since any U.S. vendor that wishes to export a product with encryption capabilities for confidentiality must approach the U.S. government for permission to do so, the export license approval process is an opportunity for the U.S. government to learn in detail about the capabilities of such products. Moreover, the results of the license approval process have influenced the cryptography that is available on the international market.
Authority to regulate imports and exports of products with cryptographic capabilities to and from the United States derives from two items of legislation: the Arms Export Control Act (AECA) of 1949 (intended to regulate munitions) and the Export Administration Act (EAA; intended to regulate so-called dual-use products3). The AECA is the legislative basis for the International Traffic in Arms Regulations (ITAR), in which the U.S. Munitions List (USML) is defined and specified. Items on the USML are regarded for purposes of import and export as munitions, and the ITAR are administered by the Department of State. The EAA is the legislative basis for the Export Administration Regulations (EAR), which
1 Although the committee came to this conclusion on its own, it is consistent with that of the Office of Technology Assessment, Information Security and Privacy in Network Environments, U.S. Government Printing Office, Washington, D.C., September 1994.
2 Two references that provide detailed descriptions of the U.S. export control regime for products with encryption capability are a memorandum by Fred Greguras of the law firm Fenwick & West (Palo Alto, Calif.), dated March 6, 1995, and titled ''Update on Current Status of U.S. Export Administration Regulations on Software" (available at http://www. batnet.com:80/oikoumene/SftwareEU.html), and a paper by Ira Rubinstein, "Export Controls on Encryption Software," in Coping with U.S. Export Controls 1994, Commercial Law & Practice Course Handbook Series No. A-733, Practicing Law Institute, October 18, 1995. The Greguras memorandum focuses primarily on the requirements of products controlled by the Commerce Control List, while the Rubinstein paper focuses primarily on how to move a product from the Munitions List to the Commerce Control List.
3 A dual-use item is one that has both military and civilian applications.