Encryption certification & licensing regulations Report to JSTC Peter Proebster February 2011 Shanghai, China

Encryption certification & licensing regulations Contents GAMS summary JSTC action items (JSTC minutes) Discussion on international norms and practices on encryption Back-up WSC Statement 2009 WSC Statement on Best Practices in regard to Encryption certification & licensing regulations

Encryption certification & licensing regulations GAMS summary September 2010 GAMS supported the WSC recommendation on encryption and agreed that open markets, free from government discrimination ensuring IPR protection and open to global collaboration for commercial encryption technologies, are critical to the development of secure and innovative ICT products. GAMS also underlined that it was important to prevent unnecessary restrictions on trade, and that therefore, products with cryptographic capabilities that are, or will be, widely available and deployed should, as a general rule, not be regulated. GAMS also expressed that transparency and consistency with international norms and practices are essential in how new regulations are discussed, and that it is important to assuredly put into practice these norms and practices. 3

Encryption certification & licensing regulations JSTC action items (JSTC minutes) JSTC will help make GAMS members’ policies on this topic more transparent and readily understandable by member associations, and to ensure that such standards do not act to block market access. JSTC will review the topic during the next JSTC and WSC meetings. Semiconductor Industry Association in US and Korea will provide missing updates on laws and regulations in this domain by the end of October 2010. In regard to international norms and practices: Associations will review the proposal presented by Semiconductor Industry Association in Europe and provide other proposals, if any, before the next JSTC; JSTC will discuss and seek agreement on the definition of international norms and practices during the next JSTC meeting and report to the next WSC. JSTC will continue to discuss and present encryption regulations of the regions in the context of international standards and best practices. 4

Encryption certification & licensing regulations Discussion on international norms and practices on encryption (1) International Something (a company, language or organization) international mostly means that it involves more than one nation (country). The term international as a word means involvement of, interaction between or encompassing more than one nation, or generally reaching beyond national boundaries. For example, international law, which is applied by more than one country over the world, and international language which is a language spoken by residents of more than one country. International Standards International standards are standards developed by international standards organizations, which are open to all Members of the World Trade Organization / to most countries of the world. Notable examples of international standards bodies are the International Organization for Standardization (ISO) or the International Electrotechnical Commission (IEC). International standards are one way of overcoming technical barriers in international commerce caused by differences among technical regulations and standards developed independently and separately by each nation, national standards organization, or company. Technical barriers arise when different competing and incompatible standards are applied by different economic regions, each representing a large user base. Establishing international standards is one way of preventing or overcoming this problem. 5

Discussion on international norms and practices on encryption (2) Encryption certification & licensing regulations Discussion on international norms and practices on encryption (2) According to a decision of the WTO Technical Barriers to Trade Committee “the following principles and procedures should be observed, when international standards are elaborated (...): A. TRANSPARENCY: easy access for interested parties to all essential information regarding proposals or work on standards; publication of a notice at an early appropriate stage; communication through established mechanisms (…) B. OPENNESS Proposals for new work items, technical discussion on proposals, submission of comments on drafts in order that they can be taken into account reviewing existing standards (…) should be open to relevant bodies or to all WTO members (…) C. IMPARTIALITY AND CONSENSUS Access to participation in work; submission of comments on drafts; consideration of views expressed decision-making through consensus; obtaining of information and documents; (…) D. EFFECTIVENESS AND RELEVANCE take account of relevant regulatory or market need, scientific and technological developments in the elaboration of standards; put in place procedures aimed at identifying and reviewing standards that have become obsolete,inappropriate or ineffective(…) E. COHERENCE E. DEVELOPMENT DIMENSION  *Source: Decision of the Committee on Principles for the Development of International Standards,  Guides and Recommendations with Relation to Articles 2, 5 and Annex 3 of the Agreement, Second Triennial Review of the Operation and Implementation of the Agreement on Technical Barrier to Trade, Annex 4, G/TBT/9, WTO Committee on Technical Barriers to Trade (13 November 2000).

Encryption certification & licensing regulations Discussion on international norms and practices on encryption (3) Common Criteria The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification. All testing laboratories must comply with ISO 17025, and certification bodies will normally be approved against either ISO/IEC Guide 65 or BS EN 45011. Mutual recognition arrangement As well as the Common Criteria standard, there is also a sub-treaty level Common Criteria MRA (Mutual Recognition Arrangement), whereby each party thereto recognizes evaluations against the Common Criteria standard done by other parties. Originally signed in 1998 by Canada, France, Germany, the United Kingdom and the United States, Australia and New Zealand joined 1999, followed by Finland, Greece, Israel, Italy, the Netherlands, Norway and Spain in 2000. The Arrangement has since been renamed Common Criteria Recognition Arrangement (CCRA) and membership continues to expand. 7

Encryption certification & licensing regulations Discussion, Contribution Semiconductor Industry Association in US and Korea will provide missing updates on laws and regulations in this domain by the end of October 2010. In regard to international norms and practices: Associations will review the proposal presented by Semiconductor Industry Association in Europe and provide other proposals, if any, before the next JSTC; JSTC will discuss and seek agreement on the definition of international norms and practices during the next JSTC meeting and report to the next WSC. 8

Encryption certification & licensing regulations Back-up

Encryption certification & licensing regulations WSC Statement May 2009 Free and open Markets The WSC re-confirms its joint statement of 2006, that “as a founding principle, the importance of ensuring that markets be open and free from discrimination, and that the competitiveness of companies and their products be the principal determinant of industrial success and international trade. Governments and authorities should, therefore, insure full intellectual property protection, full transparency of government policies and regulations, non-discrimination for foreign products in all markets, a tariff- and barrier-free global environment for semiconductor products, an end to investment or other regulatory restrictions tied to technology transfer requirements, and removal of unreasonable burdens on world commerce.”

Encryption certification & licensing regulations WSC Statement May 2009 Encryption Standards and Regulations Semiconductors are overwhelmingly used as building blocks for computers, mobile phones, handheld devices and many other widely available commercial information and communications technology (ICT) products and systems. The functionality of semiconductors constantly evolves in order to meet consumer demands, which have increasingly called for product features such as encryption that better protect security and privacy in and across a variety of ICT products and systems. The use of encryption has thus become widespread in many commercial applications. Regulations that directly or indirectly favor specific technologies, limit market access or lead to forced transfer of intellectual property stifle domestic innovation and, in the case of encryption, prevent access to the strongest available security technologies in the market place, resulting in less secure products. Both global collaboration and open markets for commercial encryption technologies should therefore be strongly encouraged as they inherently promote more secure and innovative ICT products. The WSC requests the governments and authorities participating in GAMS to continue their efforts to ensure that all WTO members observe the principles set forth above.

Encryption certification & licensing regulations WSC Statement on Best Practices in regard to Encryption certification & licensing regulations (1) The World Semiconductor Council (WSC) recognizes that it is important to insure that markets will be open and free from any discrimination. The competitiveness of companies and their products should be the principal determinant of industrial success and international trade. Governments and authorities should, therefore, insure full intellectual property protection, full transparency of government policies and regulations, non-discrimination for foreign products in all markets and removal of unreasonable burdens on world commerce. The WSC addressed encryption in its 2009 Joint Statement: “Semiconductors are overwhelmingly used as building blocks for computers, mobile phones, handheld devices and many other widely available commercial information and communications technology (ICT) products and systems. The functionality of semiconductors constantly evolves in order to meet consumer demands, which have increasingly called for product features such as encryption that better protect security and privacy in and across a variety of ICT products and systems. The use of encryption has thus become widespread in many commercial applications. 12

Encryption certification & licensing regulations WSC Statement on Best Practices in regard to Encryption certification & licensing regulations (2) Regulations that directly or indirectly favour specific technologies, limit market access or lead to forced transfer of intellectual property stifle domestic innovation and, in the case of encryption, prevent access to the strongest available security technologies in the market place, resulting in less secure products. Both global collaboration and open markets for commercial encryption technologies should therefore be strongly encouraged as they inherently promote more secure and innovative ICT products.” Encryption regulations shall not be used for the purpose of limiting market access to foreign products. The functionality of semiconductors has constantly evolved in order to meet consumer demands, which have increasingly called for product features that better protect security and privacy in and across a variety of ICT products and systems. The use of encryption thus is not limited to government and military applications but has become widespread, given its ability to help safeguard the integrity and confidentiality of information. As a result, the great majority of applications of encryption involve every day commercial products which are commonly used and traded in the global marketplace. To prevent unnecessary restrictions on trade, products with cryptographic capabilities that are, or will be, widely available and deployed -- whether as a result of sales through normal or common retail channels, OEM sales or other means of distribution -- should not be regulated as a general matter except in narrow justifiable circumstances (e.g., resulting out of international conventions such as export controls to prevent proliferation of munitions and weapons of mass destruction to targeted countries or targeted end users). 13

Encryption Standards and Regulations WSC Statement on Best Practices in regard to Encryption certification & licensing regulations (3) To the extent that encryption regulation is necessary, the WSC recommends the following best practices: Regulations should not directly or indirectly favour specific technologies, limit market access or lead to forced transfer of intellectual property to avoid stifling domestic innovation and, in the case of encryption, preventing access to the strongest available security technologies in the market place, resulting in less secure products. Any regulatory requirements must be applied on a non-discriminatory basis and in a manner no less favourable than that granted to domestic producers (consistent with Articles I and III of GATT 1994), and respect intellectual property rights (consistent with Articles 28 and 31 of TRIPS 1994). Global collaboration and open markets for commercial encryption technologies should be strongly encouraged as both inherently promote more secure and innovative ICT products. Regulatory procedures related to the notification, evaluation, approval, or licensing of goods containing encryption technology, and the process for exempting goods, should be transparent, predictable and consistent with international norms and practices. They should not impose unreasonable or burdensome requirements on such goods. JSTC shall discuss applicable international norms and practices. The WSC believes that adhering to these practices will allow innovation and the digital economy to flourish, and ensure that the strongest available security technologies will prevail and be available in all the market places to the benefits of all users of commercial products. The WSC requests the governments and authorities participating in GAMS to continue their efforts to ensure that all WTO members observe the principles set forth above.