Letter from Rep. Zoe Lofgren to President Clinton.
Re: Draft Encryption Regulations.

Date: December 6, 1999.
Source: Rep. Zoe Lofgren.

December 6, 1999

The Honorable William J. Clinton
The White House
Washington, D.C. 20500

Dear Mr. President,

As we discussed in San Francisco, I'm of the view that the one good thing I can say about the draft regulations on encryption is that they are draft regulations.

They favor some domestic firms over others but the only reason for discriminating between these firms is the marketing distribution system some prefer.  In other words, under these draft regulations, one may sell an encryption product at a "retail" outlet, but not on the web.  That makes no sense.  There is no valid national security or law enforcement objective advanced by this artificial distinction.

An unfortunate consequence of this policy, however, is to give the advantage to a bricks and mortar retail store distribution system at the expense of e-commerce on the Internet.  It is ironic that we would even consider an encryption export control regimen that frustrated the sale of encryption on-line, on the Internet, the very medium encryption was designed to secure -- so that e-commerce could prosper and individual privacy be guaranteed.

The draft regulations do allow for some encryption sales on the Internet, but these sales are limited to products "specifically designed for individual consumer use which are sold directly by the manufacturer."  This means a retail store may sell software for a manufacturer but no third party may sell on-line for a manufacturer; only the manufacturer may sell the product on-line.  Nor may anyone sell a product on-line that is designed for a Local Area Network (LAN), that is, any database, scheduling, or writing program that enables more than the "individual consumer" to collaborate on a project.  Since the product must be "sold" instead of "distributed," it may not be given away free, as many software products are given away free including the general purpose toolkit distributed with encryption products.  Another example is the new "star office" recently announced by Sun microsystems.  The Netscape web browser is still another example.  And there are more.

This retail/non-retail dichotomy is therefore not well-suited to the legitimate purpose of export controls.  We should be looking at a definition of mass market.  We should consider whether the encryption product at issue is "widely available" -- as this is a test that bears directly on the security questions we purport to be addressing by these regulations, whether the encryption product is available independent of whether we export it or not.  That is the approach we followed in the SAFE Act, HR 850, when we considered among other indicia, whether the encryption products were "generally available."

I'm quite concerned as well about the proposed prohibition against selling these encryption products to "foreign government entit[ies]".  Unquestionably, we must bar the export of these products to "terrorist nations" including Cuba, Iran, Libya, North Korea, Sudan and Syria.  We must, however, insure that any export policy involving other governments advance some national security objective.

 As the draft regulations are written presently, the definition of a government entity is vague and complex including not only "government corporations, [but also] quasi government agencies and State enterprises."  Telecom Italia is owned in part (4%) by the Italian government.  Is Telecom Italia a "quasi-government agency" or "state enterprise"?  What percentage ownership would make it a "foreign government entity"?  Are any of the other Telecommunications companies or Internet Service Providers (ISPs), partially owned by foreign governments, to be treated as "foreign entities"?  If the Administration intends that Telecom companies and ISPs should be included, then I most respectfully disagree. We should not be making a distinction between Telecommunications companies and Internet Service Providers based on whether they are privately or publicly owned.  If these regulations are unchanged, we will create winners and losers among companies based upon stock ownership patterns.  I cannot see how the national interest of our country
would be advanced by such an export control scheme.

In conclusion, I remain distressed that we've strayed from our original worthy purpose, our legitimate security concerns, and we are now in danger of compromising the ability of US firms to compete with off-shore companies that are distributing robust encryption.  I'm hoping that this correspondence, as well as the earlier correspondence I forwarded with Congressman Bob Goodlatte, and those other comments the Administration is no doubt receiving will get this effort back on track.