Tech Law Journal

Capitol Dome
News, records, and analysis of legislation, litigation, and regulation affecting the computer, internet, communications and information technology sectors

TLJ Links: Home | Calendar | Subscribe | Back Issues | Reference
Other: Thomas | USC | CFR | FR | FCC | USPTO | CO | NTIA | EDGAR

Transcript of ITAA Briefing.
Re: Administration Encryption Proposal.

Date: October 6, 1999.

Editor's Notes:
Tech Law Journal transcribed this from an audio recording.
This transcript does not include introductions by Harris Miller, and Lloyd Doggett.
This trascript does not include a lengthy address by Harris Miller, President of ITAA. (It dealt with a range of high tech issues.)
Copyright Tech Law Journal. All rights reserved.

Rep. Tom Davis. Thank you. And I just want to thank again ______ this morning. I want to thank Zoe Lofgren, who is going to come over and talk about the SAFE bill, that is still scheduled for the House floor. We have people from the administration here today.

Information security is vital, as all of you know. This information revolution, in my judgment, changes the whole paradigm of how we look at everything in this country, all of our major institutions. But from export controls on encryption, digital signatures, it is clear that the assurance of continued American global dominance in the marketplace on American technology is very dependent on creating an environment in which businesses and consumers can be 100% confident of their security of their communications.

I was an original cosponsor of the SAFE Act, that Bob Goodlatte and Zoe Lofgren have put together, which will relax export controls on encryption software. I want to congratulate the White House on their announcement last month that it would update its encryption export policy, and the process moving much closer to the goals of the SAFE Act. For this reason I look forward to hearing today from the Under Secretary of Commerce, Bill Reinsch, about the details of the administration's new encryption policy, and Representative Lofgren's reaction to their proposed legislation.

I was also an original sponsor of the E-SIGN bill. The electronic signatures bill, as you know, has cleared committee, and the Commerce Committee. It goes to the Judiciary Committee for a very brief stop over. And, you will have that on the floor of the House, probably up on suspension, in the next couple of weeks. That is also critical (?) . But right now, the individual states have electronic signature bills. And if parties agree, there is no problem. There is really no legal protections for these. More and more commerce is being done electronically. So, this is critical, as well.

So, we are moving ahead. It has been a pretty good session, I think, so far, for IT. And, I look forward to working with my friends over on the other side of the aisle, in a really bipartisan manner. These issues cut a lot of different lines and constituencies, understanding them better, _____ dialogue.

And I think at this point -- is William Reinsch here from the administration? I will turn it over to you. You can talk about the -- oh, David is here from Oregon. Dave, do you want to say something?

Rep. David Wu. Well, I want to thank Congressman Doggett and Congressman Davis for getting me involved with this group. I have been in the private practice of law in the technology area for the last ten years. And I think that in -- this is one of those unusual stories -- not too unusual -- but this is my very first public office, but, an additional unusual note.

We were probably the only campaign to have an encryption policy in place. And in essence, we developed it because of just what I saw in my professional life, which is basically that technology has swept past our legal mechanisms. And basically, we have seen a lot of folks who can download algorithms from sites overseas. And, then if they ship it back some place, they are potentially a criminal.

And, it is a regulatory, or a legal regime, that really does not make a whole lot of sense. So, from early on we took the position that what was really needed was a complete change, a sweeping away of barriers to encryption technology. And, what was needed on the other side was a change in paradigm in how law enforcement is done. And, you in law enforcement have a different way, or an additional more energetic way, so that the traditional reliance on what would be perceived as barriers created by encryption, would not be, basically, a work around on the encryption problem, through other law enforcement methods. And, with that, stake out position for me as an individual member.

William Reinsch. Thank you very much, Harris. I am glad to have this opportunity. I am a little intimidated. I see a number of people in this audience who know more this than I do. So, at least as far as the subject is concerned, I hope I can shed some light on what the administration has done.

I can say some time in the process, because, I am not sure I will need the full amount of time you have allocated me. But, I think also, we would do better in situations like this with dialogue and Q and A. I also want to hear what Ms. Lofgren has to say about this.

Let me tell you what we did, and then just leave it at that without a lot of embellishment. This is an expert audience, and you all heard some of the speech before. Some of you have heard mine before. And if you have, I apologize. It means you are going to hear it again.

Let me just say, what we announced on September 16, was a three legged stool, if you will. And, in the discussion of export controls, which admittedly was the news, because that was the most significant piece of it I think. The other two legs get forgotten. But I want to mention them briefly, even though they are not a part of my portfolio, because it really is the other two things that we did that provided the foundation that allowed us to do what we did on export controls. And it is very important that those other two legs, therefore, not be forgotten. Because if we cannot put together what we have decided to do in the other two areas, we undercut the national security rationale for the export control acts that we took.

And those two actions are, first, try to develop more attention and more resources to developing secure systems, first, in the government, and then as a model, we hope, for the private sector. Now, a lot of that is going to begin in the Defense Department. As many of you know, the Defense Department does 95% of its communications on public communications lines, and uses publicly available commercial software. So, that means that the Defense Department, among other things, is vulnerable to the same kinds of problems anybody using any commercial software is vulnerable to. They have become, because of some experiences that have had, very security conscious, and are determined to build tighter networks.

At the same time, they have the same dilemma that everybody else does, which is, if they want to stay up to date, and have the latest stuff, both hardware and software, they need to work with the civilian side. And, they need to work with commercial products. If you try to design software by ______, you will inevitably be out of date from the -- you know, even before you complete the product. And we figured that out. But, that is a factor that has gotten a lot of our work on export controls, a number of information technology related sectors (?) . But, that has made them much more interested in developing secure systems.

A lot of this has to do with authentication, digital signature, and things like that, because that is an integral part of building secure and private systems. We intend to put a lot of money into this function, and try to develop good systems, good practices, first at the Defense Department, subsequently, at in the rest of the government, and then, in process of doing that, try to set up some, some models, if you will, the private may or may not choose to pay any attention to them.

The second leg is more tools for law enforcement. And those are embodied primarily in the bill that we hope Congress will shortly consider, CESA, the Cyberspace Electronic Security Act. Now, as a non lawyer, and as someone who is not a veteran of the privacy wars, I am not going to tell you a lot of things about the bill, and I am not really in a position to go into excruciating detail, although I have been through some of those sessions, about what it does.

I think what it is designed to do are two things. One, to set up formally, authorize, and put money into the NET Center, that will help not only the FBI, but also state and local law enforcement develop the tools and expertise they need to deal more effectively with cybercrimes.

The second thing it does is tries to apply existing legal practice, the existing legal equilibrium if you will, with respect to wiretaps, and other police authorities in the surveillance area to a new technology. It is not intended to raise or lower the standard to give the FBI things it does not now have, or to take away from it things that do now have.

We are simply trying to fit a new technology into an existing pattern. That will, I suspect, be controversial. It already has been controversial in the past, and will continue to be.

It is an important element of what we are trying to do. One of the things that has allowed the law enforcement community to refocus its view of export controls has been its conclusion, ultimately, that it made more sense for them to concentrate on getting themselves better prepared, better equipped, giving themselves more tools to deal with the problems that ensue from a liberalization of export controls, than it was to try to maintain controls in ways, that, I think, if we could have, were not over the long term, going to be effective.

And that brings me to the third leg, which brings me to export controls. And what we did here was very simple. We, first of all, in principle, did what I have been saying for three years, that we have always been trying to do, which is to reflect market realities in what we have done. And there has not been, believe it or not, a lot of disagreement between us, at least between me, and many people in the private sector over the direction of the market, and the realities of the marketplace.

The disagreement has more often been often been over how fast these things are moving, and how quickly robust encryption products are actually penetrating the marketplace, in terms of their use, as well as their availability. Now, we have tended to view that as a slower process than the industry, which has tended to view it as a faster process. This is not unusual.

I have the same argument with the computer industry consistently telling me that their latest product, and their latest chip is going to be available six to twelve months before it actually is available. And we have some degree of cynicism, you know, on that point. But, what we have done, here, I hope, is to provide a, you know, from your point of view, perhaps, catch up with the marketplace, from our point of view, reflect where the marketplace has gone.

And we have essentially eliminated the, we will, when we publish the reg, eliminate the multiple categories, country lists, sector lists, and all these other things we have added to our policy over the last couple (?) years, for a much simpler approach.

We are retaining the one time technical review, which is unchanged, something that we do now. No different.

We are retaining post export reporting. The details of that are something we can consult with industry on in some detail. We intend to post export reporting consistent with two principles. One, we are not going to ask industry to report things that they are not already collecting. And we are going to make our reporting rules consistent with current business models. One of the purposes of our consultation is to find out whether or not, current business models.

Beyond that we are going to have, essentially, very few categories of exports for control purposes. First, we have conformed our policy with our multilateral obligations under the Wassenaar Arrangement. Wassenaar decontrols everything below 64 or 56 bits, depending on what kind of product it is. That is a multilateral decision, and our policy embodies that. We are simply going to decontrol below those limits. We are not going to require reporting below those limits. And they are simply going to be, more or less, off the screen.

With respect to products above that limit, there are going to be essentially two categories, and only two. One is, for lack of a better term, we will give it a term, is retail products, which means, and we have a proto-definition, in the fact sheet, which has been passed out, it was available, and I think is on our web site, that these are essentially products  don't require substantial support for installation and use, which are specifically designed for individual consumer use, and so one. That is going to be one category.

The other category is going to be everything else. It is very simple. I sometimes refer to them as customized products, or specialized products. We will have some fancy name for it, I am sure. But there is just those two categories. And keep in mind, I am talking here about hardware and software. This is not just a software decision. This is a hardware decision as well.

The only control difference is the following. Both categories, because we are obligated multilaterally to do so, remain under control, remain on our control list. We will permit their export with a license exception. Those of you who know this business know  that a license exception means that you don't have to come in one by one. If you get the license exception, it means all your products can go to the destinations that they are permitted to go to. And in these cases, that is very simple. None of these products can go to the terrorist seven countries, which I am sure comes as a surprise to no one. In fact, the SAFE Act has built in essentially the same kind of provision. Iran. Iraq. Libya. Cuba. Sudan. North Korea. And Syria. Seven. I may not be wrong. But, T7 are excluded from this.

With respect to the rest, both categories of products can go to all destinations under a license exception, without other restrictions, except for one category, specialized products, i.e., non retail, need an individual license for export to a government or military end user. Any government. Any military end user. We treat them all the same.

So that is the single category that has presently retained under an individual license. And that, you know, is it. It is really simple. I know there has been this, from previous encounters I have had up here, a frantic search for the fine print, and the catch. And, I am sure, somebody somewhere will find something that they think is catch. It wouldn't be any fun if they didn't (?) . But, from my point of view, there isn't any fine print here. We intend to have a consultation with the business community on this, these issues. It has already begun. I already have people out in California the week before last meeting with the industry groups out there. The President's Export Council Subcommittee on Encryption met last week, was, happy with this result, want very much to consult on details. We intend to do that. There are a number of other industry groups. We intend to be inclusive. We want to talk to anybody who wants to talk to us. You want to talk to us: send me an e-mail. We will see what we can do. Particular thing we want to work on are, we want you views on the definition of retail, and you can refer to the fact sheet to look at it, to tell us if you think that it is complete. And the second thing, I think where we are a little bit more amorphous, is the question of post export reporting, and how we can create requirements that are meaningful to us from a national security point of view, without being onerous to business.

In my, I'll be honest with you, in my conversations with the business community on this subject, I've had a number of them, every single one of them said, if asked, would you trade more liberalization for more reporting, every single one of them said yes, without exception, and in the first ten seconds. So, my view is that, by doing what we have done on the control front, we have solved a larger problem by far here, and the question of reporting is, to me, a tertiary problem. Which is not to say, we won't have a fight over it. And we may well. I mean, there may not be anything else left to fight about.

I think, as we do that, and have that discussion, we need to put it into perspective. What the government has done on export controls is, essentially, allow, to allow, American companies to fully compete in the marketplace. And there is a much more streamlined, more efficient system. We intend to do this via a reg that we will publish no later than December 15th. We hope to do better than that. We also hope to embody some of the changes in the decisions we are making now under the current system. That is it makes no sense to say no to something today under the current system if we are going to yes to it two months later. That's absurd. And we are trying to develop procedures within the interagency group that does this sort of thing to solve that problem. And, I will have more to say to all of you about that at a later date. Because I don't have anything else on that today.

So, that is what we have done. It is relatively simply. But, in explaining that, I want to make clear, let's not forget the other two legs of the stool, because they are, you know, an integral part of what we have done. It is our view. It is the Department of Defense's view. It is the Department of Justice's view. And they all expressed this at the roll out on September 16, that this is an approach that protects our national security, better equips us to deal with the law enforcement problems that are growing in this area. We dont want to deny that those problems are growing. No one would deny that they are growing. The question, being realistic about, we felt a better way to deal with those problems was to focus our resources on better security, more law enforcement tools, rather than put all of our eggs, if you will, in an export control mask, that was increasingly becoming more and more to administer, one, because the policy itself was the policy itself was cumbersome, and two, because of what was happening in the marketplace.

So, that is our rationale.

And, Harris -- He disappeared. No. He is back. Do you want me to do questions? You want me to sit down? What do you want me to do?

[Harris Miller asked Rep. Lofgren to speak next.]

Rep. Zoe Lofgren. Well, I will introduce myself, unless Lloyd wants to. I am Zoe Lofgren, the Democratic half of the SAFE Act, and a Member from Silicon Valley.

We should have a lot more happy faces in this room this morning, because, after a tremendous effort, we won. For a while there I thought that Bob Goodlatte and I were Cato in the Roman Senate. You know, "dysfunctional export control shall die." And they eventually did.

I think a lot of thanks go to a number of individuals. Bob and I certainly worked very hard. Leadership on both sides of the aisle were terrific. I especially want to mention Dick Gephardt. He was just great on this.

Industry itself. I mean. And the companies who provided expertise to federal agencies were just great. I mean. I couldn't mention all of them. But, Cisco, the assistance was wonderful in terms of the expertise that they provided to federal agencies. So many others. I should stop, because I will leave someone out. The ___ of cosponsors of the SAFE Act, in the House, really made a difference. I think it was getting attention put on this bill. And finally, I think that a lot of credit needs to be given to members of the administration who managed to thread this needle. And it was not very easy to do, I don't think. Many of us know that the administration may look monolithic, but there is a diversity of opinions, like any administration. So, a continuum of concerns that have to be dealt with, and I think they were successfully dealt with in this case.

Bob and I have done the Bob and Zoe show from time to time, on the West Coast and on the East Coast, but I really want to thank him for his diligence on this issue as well as Bill Powell, who now serves as Chair of the Export Council, who was an invaluable person in coming to the right conclusion on this. And I also want to especially mention John Podesta. He was just so wonderful as Chief of Staff for the President. He was a terrific help.

Having said all of that, I am confident from all that I have heard from the administration that this is for real. I mean -- people -- you know -- it is hard to win sometimes after you have struggled for so long. But clearly, this is a major step. And, it would not have been taken if it was not meant to be real. And I have heard that from everyone I have talked to.

Clearly, we need to pay attention to details. And we certainly will. Not only in this House, but certainly all of you in industry as well. I have had numerous talks with Bill Powell, who also intends to eagle eye the regulations and the details to make sure that they turn out as we hope, and without unintended consequences that would put us in a different direction.

In terms of the bill. Is it satisfactory? I think it is. There is just one aspect that needs to be dealt with. And it is not that it ____ dealt with by December 15th. I think ultimately it will be dealt with. Which is, sale to civilian governments. I saw recently a company that lost a sale of an encryption issue, to a police department in Finland. Well, I don't, you know -- we can deal with that. It is not a major market issue. I think it will be dealt with, and certainly, it is not enough to put us off the happy smiles that should be with us this morning.

Finally, I know there has been some discussion about whether or not we should proceed with the SAFE bill. My inclination would be to hold in abeyance, because we can always move it. But, you know, my mother always said the old phrase, "there is nothing worse a poor loser," actually is not correct. There is nothing worse than a poor winner. We should be gracious in victory.

For reasons I cannot fully understand, Mr. Hamre wants to say that the SAFE Act should be vetoed. Inexplicable. But, he feels the need to say that. I think we ought to let him say that, if it is important to him.

I think we should avoid snatching defeat from the jaws of victory, and be ready to move if we need to. There are many other things that demand our attention.

Number one. The clarification of law enforcement's existing authority in the Internet world will come to the subcommittee of the Judiciary, that Bob Goodlatte and I serve on, and there are numerous issues that need to be dealt with. And I am confident that working in a bipartisan way we will deal with those issues successfully. And we certainly welcome your input and help.

We have always supported the idea of a NET Center for law enforcement. I think, Bob and I, want it back in our bill. So that is not a tough one. It is a financial issue. We may need your lobbying support. But there are so many other things that compel our interest.

We have got a digital signatures up in subcommittee tomorrow. We still have a need for the R and D tax credit to be made permanent, or at least, longstanding. There are a variety of issues we need to work on. And so, we shouldn't dwell on this. It's already been won (?).

Finally, I would be happy to answer any questions you have, if I know the answer. But, I'd like to thank so many people in this room who really were troopers, and worked with us, and helped us achieve this goal, not just for this industry, but really for our country, to be competitive internationally, and to make sure that the privacy of Americans can be fully protected through encryption. ______ [applause]

Question. If I recall from the previous debates, one of the, one of the ideas advanced, encryption software should contain some kind of a key that allowed access by law enforcement people. Now is this present administrative regulation -- this does, this veers away from concept altogether?

Reinsch. Well, not exactly. I think we, a long time ago, decided that we were not going to do anything that would force that outcome. We don't support, and have never supported, mandatory controls, and mandatory ____ requirements, or whatever. We believe that a key recovery technologies, writ large, because there are a number of different ones, are good things. We think they are helpful for law enforcement. We would like to see them grow in the marketplace. It has been our experience that they are growing in the marketplace, not because anybody wants to be nice to the FBI, but because employers like them for their own purposes, vis--vis their own employees. And we found a strong and growing demand for some of these products, not equal across the entire spectrum products. And we think that is good. But we stop there. Now, the bill, the Cyberspace Electronic Security Act, sets up some rules with respect to access to keys by law enforcement officials for people that are participating in key infrastructures were there aren't keys. But, you don't have to do that. So, you don't have to do that. So that remains an option on the part of anybody in the private sector to do it any way they want. But if you do do it, you provide __________ some additional ______ and some rules for those who participate in their infrastructures.

In that sense, our policy has not changed. I think what has changed is that our export control policy does not explicitly promote one type of product technically at the expense of another type of product. That is gone.

Robert MacMillan (Newsbytes).  I just had a quick question for Congressman Davis or Congressman Lofgren. What you said about the SAFE Act before, as far as not snatching defeat from the jaws of victory. Should we interpret that then as saying that the SAFE Act isn't going to get any floor action? Does that mean that Congressman Goodlatte, at least the last time I spoke with him, still seemed to be intent on bringing that to the floor. And I wanted to know whether this was actually going to happen, or whether it is --

Davis. It is still scheduled for the floor. Now whether we end up going ahead. In discussions, we have been ___________. It is still scheduled for later this month.

MacMillan. And so the administration's final word is going to be the decision?

Davis. No. The leadership will make the decision on that.

Reinsch. That would be nice. [laughter] We have never found our word to be final on anything else.

Lofgren. If I could just clarify. As you have noticed, the Republicans are in the majority in the House, and will make the decision on what bill is brought forward. But, it is my viewpoint, as one of the sponsors, that it would be smarter to hold it in abeyance. We can always move it. But there is varying degrees of knowledge about encryption in the House. Some Members are right on top of it. And others are still out in "What is it?" And some of the latter are cosponsors. And the reasons that I said, are mysterious but observed. Mr. Hamre is threatening veto. And I just wonder why should we have this fight. Some of the Members may be _________.

Davis.  The question is have we won it, and, you know, what are the details to follow, et cetera. And so, its clearly going to hold -- not want to cancel. But that decision has yet to be made.

Question. In the Armed Services committee hearing this year Dr. Hamre quoted, "If SAFE passes people will die." ____ like that. Have things changed? Has Congress pretty much talked to him and said that things have changed? Or, is the Commerce, the administration proposal, is that much different than, say, that Dr. Hamre feels more at ease. Can you give us some insight on that?

Reinsch. Well, the first thing I was going to say is the one thing that Ms. Lofgren said that I would disagree with is the suggestion that there are differences of view within the administration. As you all know, that, this speaks with one voice on everything. [laughter] On this particular issue, I don't think I was there that day. So I don't remember if he said that or not. I think. Let me answer it or not. The administration is not just John Hamre. The administration opposes the SAFE Act. The SAFE Act has a lot of things in it. And I don't think that we need to have a debate about it, because we have done, I think, the biggest thing that I think it was intended to do. But, there are a lot of other things in the SAFE Act that we think would not be helpful or constructive. And, we oppose it. Some of them have have nothing to do with export controls. Some of them do. As somebody who has been doing export controls, for better or worse, in one kind or another, for twenty odd years, I don't think it is helpful to legislate in this area anyway. Particularly when you have a fast moving sector. Anything you say in legislation about an export control is going to be out of date by the time you pass the bill. And then you can't change it, even if we all want to change it, until you relegislate, which, as you know, is a complicated process. The legislative process is slow. That is a good thing for democracy. But in some cases, and Congress generally acknowledges in the export control area, there are, because of the fluidity of knowledge in what we do, it is sometimes better to leave what we do to the executive branch, on a day to day basis, and if we royally mess it up, then you come in and redirect us from policy point of view. I don't think that the SAFE Act would be a constructive or helpful thing to do. And in that sense, I agree with Dr. Hamre. Whether he has changed his particular view or not about the whole thing, I think is a question that you would have to ask him.

[A question to Reinsch regarding whether issuance of the export regulation is contingent on passage of CESA, and Reinsch's response (it is not), are not transcribed.]

[The final question and answer, pertaining to appropriations, are not transcribed.]

[Harris Miller's address is not transcribed.]


Subscriptions | FAQ | Notices & Disclaimers | Privacy Policy
Copyright 1998-2008 David Carney, dba Tech Law Journal. All rights reserved.
Phone: 202-364-8882. P.O. Box 4851, Washington DC, 20008.