Deliver Us from Evil Restrictions, Lawmakers Say of Encryption Regs

By Anne Gallagher, Contributing WriterThe Clinton administration's plan to release its new encryption policy next month has some lawmakers worried that the final details may not measure up to what has been promised.The White House, which announced Sept. 16 its intent to relax regulations governing the export of encryption hardware and software, plans to release more details on the policy Dec. 15.But talk circulating among high-tech industry officials indicates the regulations may define critical terms such as "retail," "technical review" and "government" in a way that some lawmakers think would undermine the goals of the new policy and hinder U.S. high-tech companies in the global market. This talk has prompted several lawmakers to warn the White House to live up to its word on easing controls on exports of products that keep networks, databases and files private and secure."While we are pleased with the new direction the administration has taken in seeking to relax export controls on U.S. encryption products, we are anxious that the soon-to-be issued regulations mirror the policy announcement to avoid placing U.S. industry at a competitive disadvantage in the global technology marketplace," Reps. Zoe Lofgren, D-Calif., and Bob Goodlatte, R-Va., said in a Nov. 9 letter to President Clinton.Anticipating the administration's new policy, Congress has held back in pushing through its own Security and Freedom through Encryption, or SAFE, bill. The White House said it would veto the SAFE legislation because it goes too far in relaxing export controls. With the new regulations, members of Congress and the White House hope to reach some sort of middle ground. But if lawmakers are not satisfied with the content of the administration's policy, the SAFE bill is certain to resurface early next year. Further complicating the dispute is that many congressional committees have a hand in the encryption control legislation, including the defense and intelligence committees that want to ensure national security interests are not jeopardized.The new regulations, at a minimum, should reflect a "mass market" approach for exports, Lofgren and Goodlatte said in their letter. "Mass market products are inherently uncontrollable, and decontrolling mass market products will allow U.S. companies to compete with foreign manufacturers on a level playing field."The new regulations also should allow mass-market encryption products to be exported regardless of the means by which they are distributed, the two lawmakers said. "It would be unfortunate, for example, if the administration pursued a policy allowing products sold in computer stores to be exported, but not those sold over the Internet," they said.There also is a push among Lofgren, Goodlatte, and the House Republican leadership to get open and community source code products exportable under the new policy."Products such as Unix, Linux and Netscape's Internet Browser are inexpensive, reliable and have been tested by millions on computer users," senior GOP lawmakers said in a separate Nov. 8 letter to the Clinton administration.These products should be decontrolled just as other products that have been decontrolled: publicly available software and retail mass-market products, they added. The letter's authors, Majority Leader Dick Armey, R-Texas, and Majority Whip Tom DeLay, R-Texas, also told the White House they will be watching to see that regulations match the policy. "If the regulations in December fail to meet the rhetoric from September, the confidence of U.S. industry, American computer users or Congress in the administration's ability to establish a balanced and reasonable encryption policy would be severely shaken," they said in their letter. "We sincerely hope this will not be the case." The new regulations are expected to permit any encryption product or software with a key length of up to 64 bits to be exported under a license exception to commercial firms and other non-governmental end-users in any country except for the seven identified state supporters of terrorism, Commerce Secretary William Daley said in a Sept. 16 briefing in Washington. The new regulations also will implement the nation's international commitments for encryption controls, Daley said. Last year, the Wassenaar arrangement, involving 33 countries with common controls on exports including encryption, made a number of changes to modernize multilateral encryption controls.There also could be some debate between the Congress and White House regarding the time frame for review of export approval and how long it would take a company to get a green light to export its products.Lawmakers are recommending the regulations limit the technical review of products before export to no more than 30 days, and say companies should be allowed to export their products at the end of that period regardless of whether the review has been completed. Also, the government should not try to determine if a product qualifies for retail or mass-market status during the technical review process, Lofgren and Goodlatte said."Doing so would unacceptably transform the technical review process into a de facto licensing program," they said.