Letter from Rep. Bob Goodlatte (R-VA) and  Rep. Zoe Lofgren (D-CA) to Bill Clinton.
Rep. Encryption export policy.

Date: November 9, 1999.
Source: Offices of Reps. Goodlatte and Lofgren.
Rep. Bob
Rep. Zoe

November 9, 1999

The Honorable William J. Clinton
The White House
Washington, D.C. 20500

Dear Mr. President,

We are writing in regards to the Administration's recent encryption policy announcement, and the regulations that will soon be issued to implement that policy.  While we are pleased with the new direction the Administration has taken in seeking to relax export controls on U.S. encryption products, we are anxious that the soon-to-be-issued regulations mirror the policy announcement, to avoid placing U.S. industry at a competitive disadvantage in the global technology marketplace.

As you know, we have introduced legislation -- H.R. 850, the Security And Freedom through Encryption (SAFE) Act of 1999 -- which prevents economic crime, promotes electronic commerce, and protects the personal privacy of all law-abiding Americans.  The SAFE Act, which has 258 bipartisan cosponsors, including an overwhelming majority of both the Republican and Democratic congressional leadership, ensures that America leads the way into the 21st Century Information Age and beyond.

Rumors circulating in high-tech circles indicate that the upcoming encryption regulations may define critical terms such as "retail", "technical review", and "government" in such a way as to substantially undermine the goals of the new policy.  We hope such fears are unfounded.

We believe that the regulations must, at a minimum, embrace the following principles:

In determining whether products are given "retail" status, the regulations should reflect market realities by adopting a "mass-market" approach for exports.  Mass-market products are inherently uncontrollable, and decontrolling mass-market products will allow U.S. companies to compete with foreign manufacturers on a level playing field.

The regulations should allow mass-market encryption products to be exported regardless of the means of distribution.  The classification of encryption products as "mass-market" must be made independently of the means by which those products are distributed.  It would be unfortunate, for example, if the Administration pursued a policy allowing products sold in computer stores to be exported, but not those sold over the Internet.

The regulations must limit the definition of "government" to governmental agencies performing core governmental functions.  In many countries, especially in Europe and Asia, governments often hold a percentage stake in private sector corporations.  This partial government ownership, however, does not transform those private companies into government agencies.  If the Administration chooses to adopt a broad definition of government in the regulations, it will severely undermine the goals of the new policy.

Regarding reporting requirements, the regulations should limit them to information about a product and the name and address of the initial recipient of the first export. Information about the initial recipient should not be required, however, where it is not reasonably collected in the ordinary course of business.  Additionally, end-user information should not be required for retail/mass-market products, which are inherently uncontrollable.

The regulations should limit the technical review of products prior to export to no more than 30 days, and should allow companies to export their products at the end of that period regardless of whether the review has been completed.  Additionally, the government should not make the determination of whether a product qualifies for retail/mass-market status in the technical review process.  Doing so would unacceptably transform the technical review process into a de facto licensing program.

On the issue of toolkits, American encryption toolkits should be eligible for license exception treatment with subsequent reporting requirements like any other encryption product, and a separate technical review of the foreign finished product should not be required.

Finally, open and community source code products should be exportable under the new policy.  Products such as UNIX, Linux, and Netscape's Internet Browser are inexpensive, reliable, and have been tested by millions of computer users.  These products, along with previously decontrolled encryption products, products conforming with the Wassenaar Arrangement's new mass-market provisions, publicly available software, and retail/mass-market products should be released from Encryption Item (EI) controls.

Mr. President, the dialogue among Congress, industry and privacy organizations, and the Administration has helped U.S. encryption policy move forward.  As the principal sponsors of encryption reform legislation in the House, it is our hope that the upcoming regulations adopt the principles outlined above, thus meeting our common goal of establishing a balanced and reasonable encryption policy.