Dear Microsoft Internet Explorer Customer:
RE: Microsoft Internet Explorer 3.0 128-bit Encryption Version
(FOR DISTRIBUTION IN U.S. AND CANADA ONLY)
This version of Microsoft Internet Explorer 3.0 enables 128-bit SSL encryption between Microsoft Internet Explorer and a compatible internet server. 128-bit data encryption capability exceeds the export control threshold the U.S. Government has set for the technology, therefore this product is distributed by Microsoft within the U.S. and Canada ONLY. Export of this product from the United States to any foreign destination is regulated by the International Traffic in Arms Regulations (ITAR, 22 CFR 120-130). Users should not export or re-export this product to any country, other than Canada, or to any person, entity or end user subject to U.S. export restrictions without first obtaining an export license from the U.S. State Department, Office of Defense Trade Controls.
Users are advised to consult legal counsel or the State Department to determine whether any particular use or distribution of an ITAR-restricted product might be considered an "export" under ITAR. The definition of "export" under U.S. export law may include many distribution scenarios that are not immediately obvious, such as providing a restricted product on a network server accessible to users located outside the U.S. or Canada. Since fines and penalties could be levied under U.S. export law against companies or individuals involved in any transaction that allows ITAR-restricted products outside the U.S. and Canada, we suggest that users take special care to re-distribute this product only in compliance with U.S. export law.
Can I send or carry ITAR-restricted products to Canada?
There is an exemption under ITAR for the export of ITAR-restricted products to Canada for use there by Canadian citizens (22 CFR 126.5). Shipment of an ITAR-restricted product to Canada may require filing of a Shippers Export Declaration (SED). For more information on ITAR exports to Canada consult legal counsel or the U.S. State Department, Office of Defense Trade Controls PH (703) 875-6644.
Can I carry ITAR-restricted products with me when I travel outside the U.S.?
There is an exemption under ITAR for the temporary export of cryptographic products like Microsoft Internet Explorer 3.0 128-bit Encryption Version for personal use by U.S. citizens and lawful permanent residents who have the need to temporarily export cryptographic products when leaving the U.S. for brief periods of time (22 CFR 123.27). The exemption does not require an export license or SED, however it does require that the traveller keep certain records and report instances where the product may be stolen or otherwise compromised, in addition to other requirements and restrictions. Please contact the Office of Defense Trade Controls for details.
Can I send ITAR-restricted products anywhere else?
At present the State Department may allow limited export of some ITAR-restricted products under specific export license to foreign subsidiaries of U.S.-based corporations ONLY. There are significant restrictions on such exports. Please contact the Office of Defense Trade Controls for details.
How do I know whether a Microsoft product is ITAR-restricted?
Microsoft products that are ITAR-restricted carry a special statement on their retail cartons and carrier media: "U.S. State Department license required to export this product from the United States or Canada."
Why is this an issue today?
In the past, all versions of Microsoft products used the same, exportable level of data encryption, and the ability to send U.S. versions to almost any overseas destination was seldom an export issue. In 1992, the U.S. Government fixed the data encryption export control threshold at "40-bits" and since then any product that employs encryption stronger than the 40-bit threshold is technically and legally a munitions under US export law and cannot easily be exported except to Canada. The 40-bit export threshold has not changed in 4 years, but the security requirements of our customers have. The encryption in Microsoft Internet Explorer 3.0 128-bit Encryption Version is considerably stronger than the 40-bit export control threshold. Microsoft cannot provide the stronger encryption version of this product to all users, but we can supply the strong encryption versions to most U.S. and Canadian users, who are allowed to receive them under U.S. export law.
What is Microsoft's position on export controls?
We believe that encryption key lengths must be lengthened substantially from the 40-bit level to provide our worldwide customers strong security and privacy, and to relieve the legal burdens on customers in North America who simply choose to use products with strong encryption capabilities within the U.S. or Canada. We are working actively with other companies in our industry and the Business Software Alliance
http://www.bsa.org to encourage the U.S. government to relax its restrictions on export controls.
Yours sincerely,
The Microsoft Internet Explorer Team