EPIC: Commerce Report on Crypto Availability

Dave Banisar tc at phantom.com
Wed Jan 17 15:35:12 PST 1996


        Commerce Releases Crypto Availability Report

The US Department of Commerce today released a report on the
international market for encryption software. The report, which was
jointly produced by the Commerce Department's Bureau of Export
Administration and the National Security Agency reviews the foreign
availability of encryption products and other nations' import, export and
domestic use policies.

The report finds that there are foreign products available which "can have
an impact on US competativeness" and that US export controls "may have
discouraged US software producers from enhancing the softare features of
general purpose software to meet the anticipated growth demand by foreign
markets. It anticipated that there is a steadily increasing demand for
crypto to be included in general use software products becuase of well
publicized break-ins.

A large portion of the report has been redacted by the NSA. EPIC filed
suit under the Freedom of Information Act in December 1995 to obtain a
full copy of the report and will continue to demand its release. EPIC
believes that the US goverment should remove export controls on public
domain and commerical software that contains encryption and end the policy
of demanding that key escrow be implimented in all encryption software.

Enclosed in the Commerce Department Press Release and Executive Summary
of the report. The full report is over 100 pages. EPIC will make every
effort to make the full report available in electronic form as soon as
possible.

More information on crypto policy is available at the EPIC Web Site at
http://www.epic.org/crypto/




                UNITED STATES DEPARTMENT OF
                         COMMERCE NEWS

                    WASHINGTON DC.20230

                                               OFFICE OF THE SECRETARY


FOR IMMEDIATE RELEASE            CONTACT: Carol Hamilton
Thursday, January 11,1996                 (202) 482-4883
                                          Eugene Cottilli
                                          (202) 482-2721



DEPARTMENT OF COMMERCE RELEASES STUDY ON THE
INTERNATIONAL MARKET FOR ENCRYPTION SOFTWARE



Washington, D.C. -- The growth of an international market for encryption
software is being slowed by strong export controls, both in the United
States and other major countries. Moreover,the quality of products offered
abroad varies greatly, with some not providing the level of protection
advertised.

The study, jointly prepared by the Commerce Department's Bureau of Export
Administration (BXA) and the National Security Agency (NSA), evaluates the
current and future market for computer software with encryption, which
allows users to protect their data using codes. The study also reviews the
availability of foreign encryption software and assesses the impact that
U. S. export controls on encryption have on the competitiveness of the
software industry.

"Our study provides a clear snapshot of the international competition in
this segment that the software industry faces," said Cornmerce Secretary
Ron Brown. "Better understanding of the products and the marketplace gives
us the tools to ensure that our export control policies are appropriate,"
he added.

The study noted encryption software presently accounts for only a small
percentage of the total computer software but should grow substantially as
the U.S. and other countries deveiop and expand public networks and
electronic commerce.

The study found that the U.S. software industry still dominates world
markets. In those markets not offering strong encryption locally, U.S.
software encryption remains the dominant choice. However, the existence of
foreign products with labels indicating DES (Data Encryption Standard) or
other strong algorithms, even if they are less secure than claimed, can
nonetheless have a negative effect on U. S competitiveness. The study also
notes that the existence of strong U.S. export controls on encryption may
have discouraged U.S software producers from enhancing the security
features of general purpose software products to meet the anticipated
growth in demand by foreign markets.


page 2

All countries that are major producers of commercial encryption products
were found to control exports of the products to some extent. A few
countries (e.g., France, Russia, and Israel) control imports and domestic
use of encryption, as well.

As part of the study, NSA evaluated twenty-eight different foreign
encryption software products, finding that some were less secure than
advertised. Because customers lack a way to determine actual encryption
strength, they sometimes choose foreign products over apparently weaker
U.S. ones, giving those foreign products a competitive advantage.

                                  -30-



                                  A STUDY OF
                            THE INTERNATIONAL MARKET
                             FOR COMPUTER SOFTWARE
                                WITH ENCRYPTION




[Note: This is a redacted copy of the ogigional secret decoment. Brackets
[] accompanied by the origional classifications have been used to indicate
location and size of excised classified text]


                                  Prepared by
                     the U.S. Department of Commerce and
                        the National Security Agency
                                   for the
                           Interagency Working Group on
                     Encryption and Telecommunications Policy



EXECUTIVE SUMMARY


BACKGROVND

In late 1994, the President's National Security Advisor directed that an
interagency report be prepared assessing the current and future
international market for software products containing encryption and the
impact of export controls on the U.S. software industry. The report was to
include an assessment ofthe impact of U.S. encryption export controls on
the international competitiveness of the U.S. computer software industry
and a review of the types, quality, and market penetration of
foreign-produced encryption software products. This paper presents the
joint efforts of the Department of Commerce/Bureau of Export
Administration and the National Security Agency to complete this tasking.
(U)

EXPORT CONTROLS

All countries that are major producers of commercial encryption products
control exports of those products to some extent. Control methodologies
and licensing practices vary, however, and a few countries, most notably
France, Russia and Israel also control imports and/or domestic use of
encryption. There is a significant amount of international cooperation in
controlling encryption exports. (U)

Some European and other countries apparently treat exports to the United
States of DES- based software more liberally than the United States treats
DES exports to those countries. Some countries have stated that they
generally restrict DES exports to financial end-uses. In general, no
independent verification of these licensing practices was obtained.
However, in some cases the U.S. was able to obtain DES products from them
for non-financial end-uses. It is possible that some countries may allow
these exports based on their political/economic/military relationship with
the destination country (e.g., within the European Comrnunity, or former
COCOM), for end uses that are considered legitimate commercial
applications of the technology, or, in the case of exports to the United
States, because DES is a national standard. (U)

As the technology and the marketplace have evolved, the USG export control
authorities have relaxed licensing constraints on cryptographic products
several times over the past 10 years. These changes have usually been made
after industry pressures and internal debate to balance national security
and economic concerns. (U)


DOMESTIC AND INTERNATIONAL MARXETS

While presently encryption software accounts for only a small percentage
of the total software market (1-3%), according to numerous information
security experts contacted in the course of the study, the future growth
trend for this sector is expected to be great.

The market for encryption in distributed computation, databases, and
electronic mail is beginning to expand exponentially as the U.S. and other
countries develop and popularize electronic commerce, public networks, and
distributed processing. (U)

Encryption in these environments will often be implemented in software, as
opposed to hardware, because it is generally less expensive and simpler to
install and upgrade. Absent changes in government standards, for the next
ten years, encryption software will primarily use DES and RSA-licensed
encryption algorithms. Other non-standard and company proprietary
algorithrns will be used primarily for security-specific products for
small niche markets. (U)

Certain developments are promoting greater use by the general public of
software-based network security features, including encryption, throughout
the industrialized world. They include ever increasing use, fueled by well
publicized "break-ins," of distributed databases, popular acceptance and
usage of global networks, and the development and use of electronic
commerce. (U)

These developments are ongoing at one stage or another in practically all
of the countries surveyed for this assessment. Less technologically
advanced countries, where demand for encryption software is reportedly
negligible, will soon undergo widespread development and computerization
leading to increased demand for encryption so~ware within the next 10
years. (U)

The overwhelming majority (75%) of general-purpose software products
(e.g., word processors, spread sheet programs, and database programs)
available on foreign markets today are of U.S. origin. Cornmerce
Department analyses indicate that the U.S. has few viable foreign
competitors for such products, and of those general-purpose products with
encryption features, all were found to be of U.S. origin. (U)

In the security specific software market, however, U. S. manufacturers
face competition in several foreign markets from such encryption exporting
countries as the United Kingdom, Germany, and Israel. To a large extent,
markets for these products tend to be "national. " Not only do export
controls affect sales, but local vendors of security-specific products are
at a competitive advantage in that they are better situated to work
closely with end- users and develop encryption solutions tailored to meet
the conditions of the local environment. (U)

NSA confirmed the existence of a significant number of foreign
security-specific software products with encryption features,
predominantly from Western European suppliers. Security-specific products
are usually not available on the shelf at retail stores either in the U.S.
or abroad, but can be purchased through direct contact with the
manufacturer. (U)


                                   ES-2

BXA attempted to quantify U.S. competitiveness and market share in 31
foreign countries where encryption is thought to have significant demand.
While sources in the countries surveyed had limited access to import
statistics or market literature on encryption software and encountered
nwnerous difficulties in evaluating this complex market, definite
conclusions may be drawn from the responses. (U)

Sources in 14 countries indicated that U.S. export controls limit U.S.
market share in their countries. Sources in seven countries indicated that
export controls have either no impact or no major impact. (U)

Sources in most countries indicated that the U.S. market share is keeping
pace with overall demand despite the impact of U.S. export controls, which
may promote indigenous production or reduce U. S. market penetration. In
all known cases, the U.S. holds the majority of the general-purpose
encryption software market. (U)

Three exceptions are Switzerland (where the U.S. market share reportedly
declined in 1994, while the market shares of other European countries
rose), Denmark and the United Kingdom, which reported unspecified declines
from previous years. Sources in all three countries attribute the decline
to U.S. export controls, which they claim promote the development and sale
of indigenous encryption products. (U)

In many countries surveyed, exportable U. S. encryption products are
perceived to be of unsatisfactory quality. (U)


ANALYSIS OF FOREIGN PRODUCTS

NSA used various methods to procure encryption software products from a
variety of countries and companies, as reflected in the TIS database and
other sources. Altogether, 28 products from 22 foreign producers in 10
countries were acquired for the purposes of this study. Of these, 21
purportedly use the DES algorithm, while the remaining 7 use proprietary
algorithms. (U)

[




                                           ] (S)





                                    ES-3

ECONOMIC IMPACT

In the absence of significant foreign competition, the impact of U.S.
export controls on the international market shares of general-purpose
products is probably negligible. Customers are often unaware of the
encryption features in these products and primarily base purchases on the
features implementing the primary function of the product (e.g., word
processing or database). (U)

[



                   ] (S)

BXA attempted to quantify the economic impact of export controls on the
U.S. software industry by forwarding a detailed voluntary questionnaire to
206 software vendors and other interested parties. Thirty six encryption
software manufacturers provided completed surveys out of the 71 returned.
By and large, the companies were unable or unwilling to quantify the costs
of export controls, but did provide substantive explanations of how and
why they believe they are adversely affected. (U)

Some general-purpose software companies claim that export controls have
affected their plans to expand security features to meet anticipated
growing demand. These companies believe that they could expand their
domestic and international customer base with such features. (U)

The export licensing process itself is not a major obstacle to U. S.
competitiveness. Only seven survey respondents use the Department of State
licensing system. While they continue to have some complaints about the
administrative burdens and time delays associated with State's process,
several noted that there had been improvements in recent years. Only two
of the survey respondents had been denied licenses by the Department of
State. (U)

Numerous survey respondents indicated that they avoided applying for
export licenses from the Department of State altogether. Some larger
companies whose products tended to be general-purpose in nature either
developed two ~fersions of so~ware, or incorporated an encryption
algorithm they knew would qualify for Commerce general licenses. (U)

Many smaller, security-specific software firms, on the other hand, elected
to limit their sales to the domestic market only. These companies
indicated a high level of foreign interest in purchasing their products,
and therefore lost potential sales. While it is difficult for them to
quantify their potential market, they believe it to be sizeable. They
claim their small size limited their ability to develop two versions of
their products, and the fact that their products were for secunty purposes


                                  ES-4

specifically requires them to incorporate strong encryption. Only one
company was able to provide specific examples where a foreign competitor
o~ta ned a sale due to an export license denied by U.S. authorities. (U)

There is little evidence that U.S. export controls have had a negative
effect on the availability of products in the U.S. marketplace. A broad
range of products with secure algorithms exist in the U. S. market and
availability of products is based principally on the level of customer
demand. Export controls may have hindered incorporation of strong
encryption algorithms in some domestic mass-market, general-purpose
products, since some companies find developing and maintaining two
versions of a product infeasible. (U)

The existence of foreign products with labels indicating DES or other
strong encryption algorithms, even if they are less secure than claimed,
can nonetheless have a negative effect on U.S. competitiveness. Most
encryption users base their purchasing decisions on the advertised product
features, along with price, company reputation, etc. (U)








More information about the cypherpunks-legacy mailing list