These are the comments on the proposed draft regulations related to encryption export. I am the national legislative chair of the Association of Information Technology Professionals (AITP), which was formerly known as the Data Processing Management Association (DPMA).

In September the administration promised liberalized rules. The devil, as usual, is in the details, which are not as clear as we would like them to be. We would suggest that an appropriate sign of good faith on the part of the Department of Commerce would be to withdraw your defense in both the Junger and Bernstein cases, since truly liberalized rules would make those cases moot. In particular, your language related to source code export would seem to destroy the heart of your defense in the Bernstein case.

Your definition of retail product seems to require that the product be sold. The version of PGP which I have on my home machine, for instance, is freeware. It seems illogical to have one standard for a product which I pay one dollar for, and a separate more restrictive standard for the same product if I obtained it for free. Netscape Communicator, Microsoft Internet Explorer, and the Juno E-Mail program are a few of the many examples of other consumer products provided for free which contain strong encryption yet are not 'sold' and therefor don't seem to meet your definition of a retail product. A clarification is indicated there.

The technical review process spelled out in the regulations is defective. Standards for the review, the timing of the review, and the process by which applicants would appeal an unfavorable review are all missing and would seem to run afoul of the same fourth amendment due process concerns that the previous rules gave rise to. The judge in the Karn case took particular exception to the lack of clarity in the existing rules in this area. We believe his view of the new rules will be similar.

We hope that the final rules will address the criticisms raised here and by others.