Congressional Documents

                                  43 400                                 



                            105th Congress



                             Rept. 105-108



                                                                            



                                                                             



                        HOUSE OF REPRESENTATIVES                        



                               1st Session                              



                                 Part 4                                 



                                                                        







            SECURITY AND FREEDOM THROUGH ENCRYPTION (``SAFE'') ACT OF 1997     







                                                                         



                September 16, 1997.--Ordered to be printed



                                                                         



 Mr. Goss, from the Permanent Select Committee on Intelligence, submitted

                             the following                               

                               R E P O R T                               



                              together with                              



                             ADDITIONAL VIEWS                            



                         [To accompany H.R. 695]                         



       [Including cost estimate of the Congressional Budget Office]      





     The Permanent Select Committee on Intelligence, to whom was referred 

  the bill (H.R. 695) to amend title 18, United States Code, to affirm the

  rights of United States persons to use and sell encryption and to relax 

  export controls on encryption, having considered the same, report       

  favorably thereon with an amendment and recommend that the bill as      

  amended do pass.                                                        

   The amendment is as follows:                                           



     Strike out all after the enacting clause and insert in lieu thereof  

  the following:                                                          



          SECTION 1. SHORT TITLE; TABLE OF CONTENTS.                              



     (a) Short Title.--This Act may be cited as the ``Security and Freedom

  Through Encryption (`SAFE') Act of 1997''.                              

     (b) Table of Contents.--The table of contents is as follows:







      Sec. 1. Short title; table of contents.                                 



      Sec. 2. Statement of policy.                                            



                            TITLE I--DOMESTIC USES OF ENCRYPTION                  



      Sec. 101. Definitions.                                                  



      Sec. 102. Lawful use of encryption.                                     



      Sec. 103. Voluntary private sector participation in key management

      infrastructure.

      Sec. 104. Unlawful use of encryption.                                   



                              TITLE II--GOVERNMENT PROCUREMENT                    



      Sec. 201. Federal purchases of encryption products.                     



      Sec. 202. Encryption products purchased with Federal funds.             



      Sec. 203. Networks established with Federal funds.                      



      Sec. 204. Product labels.



      Sec. 205. No private mandate.                                           



      Sec. 206. Implementation.                                               



                              TITLE III--EXPORTS OF ENCRYPTION                    



      Sec. 301. Exports of encryption.                                        



      Sec. 302. License exception for certain encryption products.            



      Sec. 303. License exception for telecommunications products.            



      Sec. 304. Review for certain institutions.                              



      Sec. 305. Encryption industry and information security board.           



                              TITLE IV--LIABILITY LIMITATIONS                     



      Sec. 401. Compliance with court order.                                  



      Sec. 402. Compliance defense.                                           



      Sec. 403. Reasonable care defense.                                      



      Sec. 404. Good faith defense.                                           



      Sec. 405. Sovereign immunity.                                           



      Sec. 406. Civil action, generally.                                      



                             TITLE V--INTERNATIONAL AGREEMENTS                    



      Sec. 501. Sense of Congress.



      Sec. 502. Failure to negotiate.                                         



      Sec. 503. Report to Congress.



                             TITLE VI--MISCELLANEOUS PROVISIONS                   



      Sec. 601. Effect on law enforcement activities.                         



      Sec. 602. Interpretation.                                               



      Sec. 603. Severability.                                                 





          SEC. 2. STATEMENT OF POLICY.                                            



     It is the policy of the United States to protect public computer     

  networks through the use of strong encryption technology, to promote and

  improve the export of encryption products developed and manufactured in 

  the United States, and to preserve public safety and national security. 

           TITLE I--DOMESTIC USES OF ENCRYPTION                                    



          SEC. 101. DEFINITIONS.                                                  



   For purposes of this Act:                                              



       (1) Attorney for the government.--The term ``attorney for the       

   Government'' has the meaning given such term in Rule 54(c) of the       

   Federal Rules of Criminal Procedure, and also includes any duly         

   authorized attorney of a State who is authorized to prosecute criminal  

   offenses within such State.                                             

       (2) Certificate authority.--The term ``certificate authority'' means

   a person trusted by one or more persons to create and assign public key 

   certificates.                                                           

       (3) Communications.--The term ``communications'' means any wire     

   communications or electronic communications as those terms are defined  

   in paragraphs (1) and (12) of section 2510 of title 18, United States   

   Code.                                                                   

       (4) Court of competent jurisdiction.--The term ``court of competent 

   jurisdiction'' means any court of the United States organized under     

   Article III of the Constitution of the United States, the court         

   organized under the Foreign Intelligence Surveillance Act of 1978 (50   

   U.S.C. 1801 et seq.), or a court of general criminal jurisdiction of a  

   State authorized pursuant to the laws of such State to enter orders     

   authorizing searches and seizures.                                      

       (5) Data network service provider.--The term ``data network service 

   provider'' means a person offering any service to the general public    

   that provides the users thereof with the ability to transmit or receive 

   data, including communications.                                         

       (6) Decryption.--The term ``decryption'' means the retransformation 

   or unscrambling of encrypted data, including communications, to its     

   readable plaintext version. To ``decrypt'' data, including              

   communications, is to perform decryption.                               

       (7) Decryption information.--The term ``decryption information''    

   means information or technology that enables one to readily retransform 

   or unscramble encrypted data from its unreadable and incomprehensible   

   format to its readable plaintext version.                               

       (8) Electronic storage.--The term ``electronic storage'' has the    

   meaning given that term in section 2510(17) of title 18, United States  

   Code.                                                                   

       (9) Encryption.--The term ``encryption'' means the transformation or

   scrambling of data, including communications, from plaintext to an      

   unreadable or incomprehensible format, regardless of the technique      

   utilized for such transformation or scrambling and irrespective of the  

   medium in which such data, including communications, occur or can be    

   found, for the purposes of protecting the content of such data,         

   including communications. To ``encrypt'' data, including communications,

   is to perform encryption.                                               

       (10) Encryption product.--The term ``encryption product'' means any 

   software, technology, or mechanism, that can be used to encrypt or      

   decrypt, or has the capability of encrypting or decrypting any data,    

   including communications.                                               

       (11) Foreign availability.--The term ``foreign availability'' has   

   the meaning applied to foreign availability of encryption products      

   subject to controls under the Export Administration Regulations, as in  

   effect on September 1, 1997.                                            

       (12) Government.--The term ``Government'' means the Government of   

   the United States and any agency or instrumentality thereof, or the     

   government of any State.                                                

       (13) Investigative or law enforcement officer.--The term            

   ``investigative or law enforcement officer'' has the meaning given that 

   term in section 2510(7) of title 18, United States Code.                

       (14) Key recovery agent.--The term ``key recovery agent'' means a   

   person trusted by another person or persons to hold and maintain        

   sufficient decryption information to allow for the immediate decryption 

   of the encrypted data or communications of another person or persons for

   whom that information is held, and who holds and maintains that         

   information as a business or governmental practice, whether or not for  

   profit. The term ``key recovery agent'' includes any person who holds   

   his or her decryption information.                                      

       (15) National security.--The term ``national security'' means the   

   national defense, foreign relations, or economic interests of the United

   States.                                                                 

       (16) Plaintext.--The term ``plaintext'' means the readable or       

   comprehensible format of data, including communications, prior to its   

   being encrypted or after it has been decrypted.                         

       (17) Plainvoice.--The term ``plainvoice'' means communication       

   specific plaintext.                                                     

       (18) Secretary.--The term ``Secretary'' means the Secretary of      

   Commerce, unless otherwise specifically identified.                     

       (19) State.--The term ``State'' has the meaning given that term in  

   section 2510(3) of title 18, United States Code.                        

       (20) Telecommunications carrier.--The term ``telecommunications     

   carrier'' has the meaning given that term in section 102(8) of the      

   Communications Assistance for Law Enforcement Act (47 U.S.C. 1001(8)).  

       (21) Telecommunications system.--The term ``telecommunications      

   system'' means any equipment, technology, or related software used in   

   the movement, switching, interchange, transmission, reception, or       

   internal signaling of data, including communications over wire, fiber   

   optic, radio frequency, or other medium.                                

       (22) United States person.--The term ``United States person'' means--



    (A) any citizen of the United States;                                  



    (B) any other person organized under the laws of any State; and        



       (C) any person organized under the laws of any foreign country who  

   is owned or controlled by individuals or persons described in           

   subparagraphs (A) and (B).                                              

          SEC. 102. LAWFUL USE OF ENCRYPTION.                                     



     Except as otherwise provided by this Act or otherwise provided by    

  law, it shall be lawful for any person within any State and for any     

  United States person to use any encryption product, regardless of       

  encryption algorithm selected, encryption key length chosen, or         

  implementation technique or medium used.                                

          SEC. 103. VOLUNTARY PRIVATE SECTOR PARTICIPATION IN KEY

          MANAGEMENT INFRASTRUCTURE.

     (a) Use is Voluntary.--The use of certificate authorities or key     

  recovery agents is voluntary.                                           

     (b) Regulations.--The Secretary shall promulgate regulations         

  establishing standards for creating key management infrastructures. Such

  regulations should--                                                    

       (1) allow for the voluntary participation by private persons and    

   non-Federal entities; and                                               

       (2) promote the development of certificate authorities and key      

   recovery agents.                                                        



     (c) Registration of Certificate Authorities and Key Recovery         

  Agents.--Certificate authorities and key recovery agents meeting the    

  standards established by the Secretary may be registered by the         

  Secretary if they so choose, and may identify themselves as meeting the 

  standards of the Secretary.                                             

          SEC. 104. UNLAWFUL USE OF ENCRYPTION.                                   



     (a) In General.--Part I of title 18, United States Code, is amended  

  by inserting after chapter 121 the following new chapter:               

                   ``CHAPTER 122--ENCRYPTED DATA, INCLUDING COMMUNICATIONS        





 ``Sec.                                                                  



      ``2801. Unlawful use of encryption in furtherance of a criminal act.    



      ``2802. Privacy protection.                                             



      ``2803. Unlawful sale of encryption.                                    



      ``2804. Encryption products manufactured and intended for use in

      the United States.

      ``2805. Injunctive relief and proceedings.                              



      ``2806. Court order access to plaintext.                                



      ``2807. Notification procedures.                                        



      ``2808. Lawful use of plaintext or decryption information.              



      ``2809. Identification of decryption information.                       



      ``2810. Unlawful export of certain encryption products.                 



      ``2811. Definitions.                                                    





          ``2801. Unlawful use of encryption in furtherance of a criminal act     



     ``(a) Prohibited Acts.--Whoever knowingly uses encryption in         

  furtherance of the commission of a criminal offense for which the person

  may be prosecuted in a district court of the United States shall--      

       ``(1) in the case of a first offense under this section, be         

   imprisoned for not more than 5 years, or fined under this title, or     

   both; and                                                               

       ``(2) in the case of a second or subsequent offense under this      

   section, be imprisoned for not more than 10 years, or fined under this  

   title, or both.                                                         

     ``(b) Consecutive Sentence.--Notwithstanding any other provision of  

  law, the court shall not place on probation any person convicted of a   

  violation of this section, nor shall the term of imprisonment imposed   

  under this section run concurrently with any other term of imprisonment 

  imposed for the underlying criminal offense.                            

     ``(c) Probable Cause Not Constituted By Use of Encryption.--The use  

  of encryption alone shall not constitute probable cause to believe that 

  a crime is being or has been committed.                                 

          ``2802. Privacy protection                                              



     ``(a) In General.--It shall be unlawful for any person to            

  intentionally--                                                         

       ``(1) obtain or use decryption information without lawful authority 

   for the purpose of decrypting data, including communications;           

       ``(2) exceed lawful authority in decrypting data, including         

   communications;                                                         

       ``(3) break the encryption code of another person without lawful    

   authority for the purpose of violating the privacy or security of that  

   person or depriving that person of any property rights;                 

       ``(4) impersonate another person for the purpose of obtaining       

   decryption information of that person without lawful authority;         

       ``(5) facilitate or assist in the encryption of data, including     

   communications, knowing that such data, including communications, are to

   be used in furtherance of a crime; or                                   

       ``(6) disclose decryption information in violation of a provision of

   this chapter.                                                           

     ``(b) Criminal Penalty.--Whoever violates this section shall be      

  imprisoned for not more than 10 years, or fined under this title, or    

  both.                                                                   

          ``2803. Unlawful sale of encryption                                     



     ``Whoever, after January 31, 2000, sells in interstate or foreign    

  commerce any encryption product that does not include features or       

  functions permitting duly authorized persons immediate access to        

  plaintext or immediate decryption capabilities shall be imprisoned for  

  not more than 5 years, fined under this title, or both.                 

          ``2804. Encryption products manufactured and intended for use

          in the United States

     ``(a) Public Network Service Providers.--After January 31, 2000,     

  public network service providers offering encryption products or        

  encryption services shall ensure that such products or services enable  

  the immediate decryption or access to plaintext of the data, including  

  communications, encrypted by such products or services on the public    

  network upon receipt of a court order or warrant, pursuant to section   

  2806.                                                                   

     ``(b) Manufacturers, Distributors, and Importers.--After January 31, 

  2000, it shall be unlawful for any person to manufacture for            

  distribution, distribute, or import encryption products intended for    

  sale or use in the United States, unless that product--                 

       ``(1) includes features or functions that provide an immediate      

   access to plaintext capability, through any means, mechanism, or        

   technological method that--                                             

       ``(A) permits immediate decryption of the encrypted data, including 

   communications, upon the receipt of decryption information by an        

   authorized party in possession of a facially valid order issued by a    

   court of competent jurisdiction; and                                    

       ``(B) allows the decryption of encrypted data, including            

   communications, without the knowledge or cooperation of the person being

   investigated, subject to the requirements set forth in section 2806;    

       ``(2) can be used only on systems or networks that include features 

   or functions that provide an immediate access to plaintext capability,  

   through any means, mechanism, or technological method that--            

       ``(A) permits immediate decryption of the encrypted data, including 

   communications, upon the receipt of decryption information by an        

   authorized party in possession of a facially valid order issued by a    

   court of competent jurisdiction; and                                    

       ``(B) allows the decryption of encrypted data, including            

   communications, without the knowledge or cooperation of the person being

   investigated, subject to the requirements set forth in section 2806; or 

       ``(3) otherwise meets the technical requirements and functional     

   criteria promulgated by the Attorney General under subsection (c).      

     ``(c) Attorney General Criteria.--



       ``(1) Publication of requirements.--Within 180 days after the date  

   of the enactment of this chapter, the Attorney General shall publish in 

   the Federal Register technical requirements and functional criteria for 

   complying with the decryption requirements set forth in this section.   

       ``(2) Procedures for advisory opinions.--Within 180 days after the  

   date of the enactment of this chapter, the Attorney General shall       

   promulgate procedures by which data network service providers and       

   encryption product manufacturers, sellers, re-sellers, distributors, and

   importers may obtain advisory opinions as to whether an encryption      

   product intended for sale or use in the United States after January 31, 

   2000, meets the requirements of this section and the technical          

   requirements and functional criteria promulgated pursuant to paragraph  

   (1).                                                                    

       ``(3) Particular methodology not required.--Nothing in this chapter 

   or any other provision of law shall be construed as requiring the       

   implementation of any particular decryption methodology in order to     

   satisfy the requirements of subsections (a) and (b), or the technical   

   requirements and functional criteria required by the Attorney General   

   under paragraph (1).                                                    

     ``(d) Use of Prior Products Lawful.--After January 31, 2000, it shall

  not be unlawful to use any encryption product purchased or in use prior 

  to such date.                                                           

          ``2805. Injunctive relief and proceedings                               



     ``(a) Injunction.--Whenever it appears to the Secretary or the       

  Attorney General that any person is engaged in, or is about to engage   

  in, any act that constitutes, or would constitute, a violation of       

  section 2804, the Attorney General may initiate a civil action in a     

  district court of the United States to enjoin such violation. Upon the  

  filing of the complaint seeking injunctive relief by the Attorney       

  General, the court shall automatically issue a temporary restraining    

  order against the party being sued.                                     

     ``(b) Burden of Proof.--In a suit brought by the Attorney General    

  under subsection (a), the burden shall be upon the Government to        

  establish by a preponderance of the evidence that the encryption product

  involved does not comport with the requirements set forth by the        

  Attorney General pursuant to section 2804 providing for immediate access

  to plaintext by Federal, State, or local authorities.                   

     ``(c) Closing of Proceedings.--(1) Upon motion of the party against  

  whom injunction is being sought--                                       

       ``(A) any or all of the proceedings under this section shall be     

   closed to the public; and                                               

       ``(B) public disclosure of the proceedings shall be treated as      

   contempt of court.                                                      

     ``(2) Upon a written finding by the court that public disclosure of

  information relevant to the prosecution of the injunction or relevant to

  a determination of the factual or legal issues raised in the case would

  cause irreparable or financial harm to the party against whom the suit

  is brought, or would otherwise disclose proprietary information of any

  party to the case, all proceedings shall be closed to members of the

  public, except the parties to the suit, and all transcripts, motions,

  and orders shall be placed under seal to protect their disclosure to the

  general public.

     ``(d) Advisory Opinion as Defense.--It is an absolute defense to a   

  suit under this subsection that the party against whom suit is brought  

  obtained an advisory opinion from the Attorney General pursuant to      

  section 2804(c) and that the product at issue in the suit comports in   

  every aspect with the requirements announced in such advisory opinion.  

     ``(e) Basis for Permanent Injunction.--The court shall issue a       

  permanent injunction against the distribution of, and any future        

  manufacture of, the encryption product at issue in the suit filed under 

  subsection (a) if the court finds by a preponderance of the evidence    

  that the product does not meet the requirements set forth by the        

  Attorney General pursuant to section 2804 providing for immediate access

  to plaintext by Federal, State, or local authorities.                   

     ``(f) Appeals.--Either party may appeal, to the appellate court with 

  jurisdiction of the case, any adverse ruling by the district court      

  entered pursuant to this section. For the purposes of appeal, the       

  parties shall be governed by the Federal Rules of Appellate Procedure,  

  except that the Government shall file its notice of appeal not later    

  than 30 days after the entry of the final order on the docket of the    

  district court. The appeal of such matter shall be considered on an     

  expedited basis and resolved as soon as practicable.                    

          ``2806. Court order access to plaintext                                 



     ``(a) Court Order.--(1) A court of competent jurisdiction shall issue

  an order, ex parte, granting an investigative or law enforcement officer

  immediate access to the plaintext of encrypted data, including          

  communications, or requiring any person in possession of decryption     

  information to provide such information to a duly authorized            

  investigative or law enforcement officer--                              

    ``(A) upon the application by an attorney for the Government that--    



       ``(i) is made under oath or affirmation by the attorney for the     

   Government; and                                                         

       ``(ii) provides a factual basis establishing the relevance that the 

   plaintext or decryption information being sought has to a law           

   enforcement or foreign counterintelligence investigation then being     

   conducted pursuant to lawful authorities; and                           

       ``(B) if the court finds, in writing, that the plaintext or         

   decryption information being sought is relevant to an ongoing lawful law

   enforcement or foreign counterintelligence investigation and the        

   investigative or law enforcement officer is entitled to such plaintext  

   or decryption information.                                              

     ``(2) The order issued by the court under this section shall be      

  placed under seal, except that a copy may be made available to the      

  investigative or law enforcement officer authorized to obtain access to 

  the plaintext of the encrypted information, or authorized to obtain the 

  decryption information sought in the application. Such order shall also 

  be made available to the person responsible for providing the plaintext 

  or the decryption information, pursuant to such order, to the           

  investigative or law enforcement officer.                               

     ``(3) Disclosure of an application made, or order issued, under this 

  section, is not authorized, except as may otherwise be specifically     

  permitted by this section or another order of the court.                

     ``(b) Other Orders.--An attorney for the Government may make         

  application to a district court of the United States for an order under 

  subsection (a), upon a request from a foreign country pursuant to a     

  Mutual Legal Assistance Treaty with such country that is in effect at   

  the time of the request from such country.                              

     ``(c) Record of Access Required.--(1) There shall be created an      

  electronic record, or similar type record, of each instance in which an 

  investigative or law enforcement officer, pursuant to an order under    

  this section, gains access to the plaintext of otherwise encrypted      

  information, or is provided decryption information, without the         

  knowledge or consent of the owner of the data, including communications,

  who is the user of the encryption product involved.                     

     ``(2) The court issuing the order under this section shall require   

  that the electronic or similar type of record described in paragraph (1)

  is maintained in a place and a manner that is not within the custody or 

  control of an investigative or law enforcement officer gaining the      

  access or provided the decryption information. The record shall be      

  tendered to the court, upon notice from the court.                      

     ``(3) The court receiving such electronic or similar type of record  

  described in paragraph (1) shall make the original and a certified copy 

  of the record available to the attorney for the Government making       

  application under this section, and to the attorney for, or directly to,

  the owner of the data, including communications, who is the user of the 

  encryption product.                                                     

     ``(d) Authority To Intercept Communications Not Increased.--Nothing  

  in this chapter shall be construed to enlarge or modify the             

  circumstances or procedures under which a Government entity is entitled 

  to intercept or obtain oral, wire, or electronic communications or      

  information.                                                            

     ``(e) Construction.--This chapter shall be strictly construed to     

  apply only to a Government entity's ability to decrypt data, including  

  communications, for which it has previously obtained lawful authority to

  intercept or obtain pursuant to other lawful authorities that would     

  otherwise remain encrypted.                                             

          ``2807. Notification procedures                                         



     ``(a) In General.--Within a reasonable time, but not later than 90   

  days after the filing of an application for an order under section 2806 

  which is granted, the court shall cause to be served, on the persons    

  named in the order or the application, and such other parties whose     

  decryption information or whose plaintext has been provided to an       

  investigative or law enforcement officer pursuant to this chapter as the

  court may determine that is in the interest of justice, an inventory    

  which shall include notice of--                                         

       ``(1) the fact of the entry of the order or the application;

       ``(2) the date of the entry of the application and issuance of the  

   order; and                                                              

       ``(3) the fact that the person's decryption information or plaintext

   data, including communications, have been provided or accessed by an    

   investigative or law enforcement officer.                               

    The court, upon the filing of a motion, may make available to that    

  person or that person's counsel, for inspection, such portions of the   

  plaintext, applications, and orders as the court determines to be in the

  interest of justice. On an ex parte showing of good cause to a court of 

  competent jurisdiction, the serving of the inventory required by this   

  subsection may be postponed.                                            

     ``(b) Admission Into Evidence.--The contents of any encrypted        

  information that has been obtained pursuant to this chapter or evidence 

  derived therefrom shall not be received in evidence or otherwise        

  disclosed in any trial, hearing, or other proceeding in a Federal or    

  State court unless each party, not less than 10 days before the trial,  

  hearing, or proceeding, has been furnished with a copy of the order, and

  accompanying application, under which the decryption or access to       

  plaintext was authorized or approved. This 10-day period may be waived  

  by the court if the court finds that it was not possible to furnish the 

  party with the information described in the preceding sentence within 10

  days before the trial, hearing, or proceeding and that the party will   

  not be prejudiced by the delay in receiving such information.           

     ``(c) Contempt.--Any violation of the provisions of this section may 

  be punished by the court as a contempt thereof.                         

     ``(d) Motion To Suppress.--Any aggrieved person in any trial,        

  hearing, or proceeding in or before any court, department, officer,     

  agency, regulatory body, or other authority of the United States or a   

  State may move to suppress the contents of any decrypted data, including

  communications, obtained pursuant to this chapter, or evidence derived  

  therefrom, on the grounds that--                                        

       ``(1) the plaintext was unlawfully decrypted or accessed;

       ``(2) the order of authorization or approval under which it was     

   decrypted or accessed is insufficient on its face; or                   

       ``(3) the decryption was not made in conformity with the order of   

   authorization or approval.                                              

    Such motion shall be made before the trial, hearing, or proceeding    

  unless there was no opportunity to make such motion, or the person was  

  not aware of the grounds of the motion. If the motion is granted, the   

  plaintext of the decrypted data, including communications, or evidence  

  derived therefrom, shall be treated as having been obtained in violation

  of this chapter. The court, upon the filing of such motion by the       

  aggrieved person, may make available to the aggrieved person or that    

  person's counsel for inspection such portions of the decrypted          

  plaintext, or evidence derived therefrom, as the court determines to be 

  in the interests of justice.                                            

     ``(e) Appeal by United States.--In addition to any other right to    

  appeal, the United States shall have the right to appeal from an order  

  granting a motion to suppress made under subsection (d), or the denial  

  of an application for an order under section 2806, if the United States 

  attorney certifies to the court or other official granting such motion  

  or denying such application that the appeal is not taken for purposes of

  delay. Such appeal shall be taken within 30 days after the date the     

  order was entered on the docket and shall be diligently prosecuted.     



     ``(f) Civil Action for Violation.--Except as otherwise provided in   

  this chapter, any person described in subsection (g) may in a civil     

  action recover from the United States Government the actual damages     

  suffered by the person as a result of a violation described in that     

  subsection, reasonable attorney's fees, and other litigation costs      

  reasonably incurred in prosecuting such claim.                          

     ``(g) Covered Persons.--Subsection (f) applies to any person whose   

  decryption information--                                                

       ``(1) is knowingly obtained without lawful authority by an          

   investigative or law enforcement officer;                               

       ``(2) is obtained by an investigative or law enforcement officer    

   with lawful authority and is knowingly used or disclosed by such officer

   unlawfully; or                                                          

       ``(3) is obtained by an investigative or law enforcement officer    

   with lawful authority and whose decryption information is unlawfully    

   used to disclose the plaintext of the data, including communications.   

     ``(h) Limitation.--A civil action under subsection (f) shall be      

  commenced not later than 2 years after the date on which the unlawful   

  action took place, or 2 years after the date on which the claimant first

  discovers the violation, whichever is later.                            

     ``(i) Exclusive Remedies.--The remedies and sanctions described in   

  this chapter with respect to the decryption of data, including          

  communications, are the only judicial remedies and sanctions for        

  violations of this chapter involving such decryptions, other than       

  violations based on the deprivation of any rights, privileges, or       

  immunities secured by the Constitution.                                 

     ``(j) Technical Assistance by Providers.--A provider of encryption   

  technology or network service that has received an order issued by a    

  court pursuant to this chapter shall provide to the investigative or law

  enforcement officer concerned such technical assistance as is necessary 

  to execute the order. Such provider may, however, move the court to     

  modify or quash the order on the ground that its assistance with respect

  to the decryption or access to plaintext cannot be performed in a timely

  or reasonable fashion. The court, upon notice to the Government, shall  

  decide such motion expeditiously.                                       

     ``(k) Reports to Congress.--In May of each year, the Attorney        

  General, or an Assistant Attorney General specifically designated by the

  Attorney General, shall report in writing to Congress on the number of  

  applications made and orders entered authorizing Federal, State, and    

  local law enforcement access to decryption information for the purposes 

  of reading the plaintext of otherwise encrypted data, including         

  communications, pursuant to this chapter. Such reports shall be         

  submitted to the Committees on the Judiciary of the House of            

  Representatives and of the Senate, and to the Permanent Select Committee

  on Intelligence for the House of Representatives and the Select         

  Committee on Intelligence for the Senate.                               

          ``2808. Lawful use of plaintext or decryption information               



     ``(a) Authorized Use of Decryption Information.--

       ``(1) Criminal investigations.--An investigative or law enforcement 

   officer to whom plaintext or decryption information is provided may use 

   such plaintext or decryption information for the purposes of conducting 

   a lawful criminal investigation or foreign counterintelligence          

   investigation, and for the purposes of preparing for and prosecuting any

   criminal violation of law.                                              

       ``(2) Civil redress.--Any plaintext or decryption information       

   provided under this chapter to an investigative or law enforcement      

   officer may not be disclosed, except by court order, to any other person

   for use in a civil proceeding that is unrelated to a criminal           

   investigation and prosecution for which the plaintext or decryption     

   information is authorized under paragraph (1). Such order shall only    

   issue upon a showing by the party seeking disclosure that there is no   

   alternative means of obtaining the plaintext, or decryption information,

   being sought and the court also finds that the interests of justice     

   would not be served by nondisclosure.                                   

     ``(b) Limitation.--An investigative or law enforcement officer may   

  not use decryption information obtained under this chapter to determine 

  the plaintext of any data, including communications, unless it has      

  obtained lawful authority to obtain such data, including communications,

  under other lawful authorities.                                         

     ``(c) Return of Decryption Information.--An attorney for the         

  Government shall, upon the issuance of an order of a court of competent 

  jurisdiction--                                                          

       ``(1)(A) return any decryption information to the person responsible

   for providing it to an investigative or law enforcement officer pursuant

   to this chapter; or                                                     

       ``(B) destroy such decryption information, if the court finds that  

   the interests of justice or public safety require that such decryption  

   information should not be returned to the provider; and                 

       ``(2) within 10 days after execution of the court's order to destroy

   the decryption information--                                            

       ``(A) certify to the court that the decryption information has      

   either been returned or destroyed consistent with the court's order; and

       ``(B) notify the provider of the decryption information of the      

   destruction of such information.                                        

     ``(d) Other Disclosure of Decryption Information.--Except as         

  otherwise provided in section 2806, a key recovery agent may not        

  disclose decryption information stored with the key recovery agent by a 

  person unless the disclosure is--                                       

       ``(1) to the person, or an authorized agent thereof;

       ``(2) with the consent of the person, including pursuant to a       

   contract entered into with the person;                                  

       ``(3) pursuant to a court order upon a showing of compelling need   

   for the information that cannot be accommodated by any other means if-- 

       ``(A) the person who supplied the information is given reasonable   

   notice, by the person seeking the disclosure, of the court proceeding   

   relevant to the issuance of the court order; and                        

       ``(B) the person who supplied the information is afforded the       

   opportunity to appear in the court proceeding and contest the claim of  

   the person seeking the disclosure;                                      

       ``(4) pursuant to a determination by a court of competent           

   jurisdiction that another person is lawfully entitled to hold such      

   decryption information, including determinations arising from legal     

   proceedings associated with the incapacity, death, or dissolution of any

   person; or                                                              

       ``(5) otherwise permitted by a provision of this chapter or         

   otherwise permitted by law.                                             

          ``2809. Identification of decryption information                        



     ``(a) Identification.--To avoid inadvertent disclosure, any person   

  who provides decryption information to an investigative or law          

  enforcement officer pursuant to this chapter shall specifically identify

  that part of the material provided that discloses decryption information

  as such.                                                                

     ``(b) Responsibility of Investigative or Law Enforcement             

  Officer.--The investigative or law enforcement officer receiving any    

  decryption information under this chapter shall maintain such           

  information in facilities and in a method so as to reasonably assure    

  that inadvertent disclosure does not occur.                             

          ``2810. Unlawful export of certain encryption products                  



     ``Whoever, after January 31, 2000, knowingly exports an encryption   

  product that does not include features or functions providing duly      

  authorized persons immediate access to plaintext or immediate decryption

  capabilities, as required under law, shall be imprisoned for not more   

  than 5 years, fined under this title, or both.                          

          ``2811. Definitions                                                     



     ``The definitions set forth in section 101 of the Security and       

  Freedom through Encryption (`SAFE') Act of 1997 shall apply to this     

  chapter.''.                                                             

     (b) Conforming Amendment.--The table of chapters for part I of title 

  18, United States Code, is amended by inserting after the item relating 

  to chapter 121 the following new item:                                  





         ``122. Encrypted data, including communications ........ 2801''.





           TITLE II--GOVERNMENT PROCUREMENT                                        



          SEC. 201. FEDERAL PURCHASES OF ENCRYPTION PRODUCTS.                     



     After January 1, 1999, any encryption product or service purchased or

  otherwise procured by the United States Government to provide the       

  security service of data confidentiality for a Federal computer system  

  shall include a technique enabling immediate decryption by an authorized

  party without the knowledge or cooperation of the person using such     

  encryption products or services.                                        

          SEC. 202. ENCRYPTION PRODUCTS PURCHASED WITH FEDERAL FUNDS.             



     After January 1, 1999, any encryption product or service purchased   

  directly with Federal funds to provide the security service of data     

  confidentiality shall include a technique enabling immediate decryption 

  by an authorized party without the knowledge or cooperation of the      

  person using such encryption product or service unless the Secretary,   

  with the concurrence of the Attorney General, determines implementing   

  this requirement would not promote the purposes of this Act.            



          SEC. 203. NETWORKS ESTABLISHED WITH FEDERAL FUNDS.                      



     After January 1, 1999, any communications network established with   

  the use of Federal funds shall use encryption products which include    

  techniques enabling immediate decryption by an authorized party without 

  the knowledge or cooperation of the person using such encryption        

  products or services unless the Secretary, with the concurrence of the  

  Attorney General, determines implementing this requirement would not    

  promote the purposes of this Act.                                       

          SEC. 204. PRODUCT LABELS.                                               



     An encryption product may be labeled to inform users that the product

  is authorized for sale to or for use in transactions and communications 

  with the United States Government under this title.                     

          SEC. 205. NO PRIVATE MANDATE.                                           



     The United States Government may not mandate the use of encryption   

  standards for the private sector other than for use with computer       

  systems, networks, or other systems of the United States Government, or 

  systems or networks created using Federal funds.                        

          SEC. 206. IMPLEMENTATION.                                               



     (a) Exclusion.--Nothing in this title shall apply to encryption      

  products and services used solely for access control, authentication,   

  integrity, nonrepudiation, digital signatures, or other similar         

  purposes.                                                               

     (b) Rulemaking.--The Secretary, in consultation with the Attorney    

  General and other affected agencies, may through rules provide for the  

  orderly implementation of this title and the effective use of secure    

  public networks.                                                        

           TITLE III--EXPORTS OF ENCRYPTION                                        



          SEC. 301. EXPORTS OF ENCRYPTION.                                        



     (a) Coordination of Executive Branch Agencies Required.--The         

  Secretary, in close coordination with the Secretary of Defense and any  

  other executive branch department or agency with responsibility for     

  protecting the national security, shall have the authority to control   

  the export of encryption products not controlled on the United States   

  Munitions List.                                                         

     (b) Decisions Not Subject to Judicial Review.--Decisions made by the 

  Secretary pursuant to subsection (a) with respect to exports of         

  encryption products under this title shall not be subject to judicial   

  review.                                                                 

          SEC. 302. LICENSE EXCEPTION FOR CERTAIN ENCRYPTION PRODUCTS.            



     (a) License Exception.--After January 31, 2000, encryption products, 

  without regard to encryption strength, shall be eligible for export     

  under a license exception if such encryption product--                  

       (1) is submitted to the Secretary for a 1-time product review;

       (2) does not include features or functions that would otherwise     

   require licensing under applicable regulations;                         

       (3) is not destined for countries, end users, or end uses that the  

   Secretary, in coordination with the Secretary of Defense and other      

   executive branch departments or agencies with responsibility for        

   protecting the national security, by regulation, has determined should  

   be ineligible to receive such products, and is otherwise qualified for  

   export; and                                                             

       (4)(A) includes features or functions providing an immediate access 

   to plaintext capability, if there is lawful authority for such immediate

   access; or                                                              

       (B) includes features or functions providing an immediate decryption

   capability of the encrypted data, including communications, upon the    

   receipt of decryption information by an authorized party, and such      

   decryption can be accomplished without unauthorized disclosure.         

     (b) Enabling of Decryption Capabilities.--The features or functions  

  described in subsection (a)(4) need not be enabled by the manufacturer  

  before or at the time of export for purposes of this title. Such        

  features or functions may be enabled by the purchaser or end user.      

     (c) Responsibilities of the Secretary.--The Secretary, in close      

  coordination with the Secretary of Defense and other executive branch   

  departments or agencies with responsibility for protecting the national 

  security, shall--                                                       

       (1) specify, by regulation, the information that must be submitted  

   for the 1-time review referred to in this section; and                  

       (2) make all export determinations under this title within 30 days  

   following the date of submission to the Secretary of--                  

       (A) the completed application for a license exception; and

       (B) the encryption product intended for export that is to be        

   reviewed as required by this section.                                   

     (d) Exercise of Other Authorities.--The Secretary, and the Secretary 

  of Defense, may exercise the authorities they have under other          

  provisions of law, including the Export Administration Act of 1979, as  

  continued in effect under the International Emergency Economic Powers   

  Act, to carry out this section.                                         

     (e) Presumption in Favor of Exports.--There shall be a presumption in

  favor of export of encryption products under this title.                

     (f) Waiver Authority.--The President may by Executive order waive any

  provision of this title, or the applicability of any such provision to a

  person or entity, if the President determines that the waiver is in the 

  interests of national security or public safety and security. The       

  President shall submit a report to the relevant committees of the       

  Congress not later than 15 days after such determination. The report    

  shall include the factual basis upon which such determination was made. 

  The report may be in classified format.                                 

     (g) Relevant Committees.--The relevant committees of the Congress    

  described in subsection (f) are the Committee on International          

  Relations, the Committee on the Judiciary, the Committee on National    

  Security, the Permanent Select Committee on Intelligence of the House of

  Representatives, and the Committee on Foreign Relations, the Committee  

  on the Judiciary, the Committee on Armed Services, and the Select       

  Committee on Intelligence of the Senate.                                

          SEC. 303. LICENSE EXCEPTION FOR TELECOMMUNICATIONS PRODUCTS.            



     After a 1-time review as described in section 302, the Secretary     

  shall authorize for export under a license exception voice encryption   

  products that do not contain decryption or access to plainvoice features

  or functions otherwise required in section 302, if the Secretary, after 

  consultation with relevant executive branch departments or agencies,    

  determines that--                                                       

       (1) information recovery requirements for such exports would        

   disadvantage United States exporters; and                               

       (2) such exports under a license exception would not create a risk  

   to the foreign policy, non-proliferation, or national security of the   

   United States.                                                          

          SEC. 304. REVIEW FOR CERTAIN INSTITUTIONS.                              



     The Secretary, in consultation with other executive branch           

  departments or agencies, shall establish a procedure for expedited      

  review of export license applications involving encryption products for 

  use by qualified banks, financial institutions, subsidiaries of         

  companies owned or controlled by United States persons, or other users  

  specifically authorized by the Secretary.                               

          SEC. 305. ENCRYPTION INDUSTRY AND INFORMATION SECURITY BOARD.           



     (a) Encryption Industry and Information Security Board               

  Established.--There is hereby established an Encryption Industry and    

  Information Security Board. The Board shall undertake an advisory role  

  for the President.                                                      

     (b) Purposes.--The purposes of the Board are--

       (1) to provide a forum to foster communication and coordination     

   between industry and the Federal Government on matters relating to the  

   use of encryption products;                                             

       (2) to promote the export of encryption products manufactured in the

   United States;                                                          

       (3) to encourage research and development of products that will     

   foster electronic commerce;                                             

       (4) to recommend policies enhancing the security of public networks;

       (5) to promote the protection of intellectual property and privacy  

   rights of individuals using public networks;                            

       (6) to enable the United States to effectively and continually      

   understand the benefits and risks to its national security, law         

   enforcement, and public safety interests by virtue of the proliferation 

   of strong encryption on the global market;                              

       (7) to evaluate and make recommendations regarding the further      

   development and use of encryption;                                      

       (8) to advance the development of international standards regarding 

   interoperability and global use of encryption products; and             

       (9) to evaluate the foreign availability of encryption products and 

   their threat to United States industry.                                 

     (c) Membership.--(1) The Board shall be composed of 13 members, as   

  follows:                                                                

       (A) The Secretary, or the Secretary's designee, who shall chair the 

   Board.                                                                  



       (B) The Attorney General, or the Director of the Federal Bureau of  

   Investigation, or a respective designee.                                

       (C) The Secretary of Defense, or the Secretary's designee.

       (D) The Director of Central Intelligence, or his or her designee.

       (E) The Special Assistant to the President for National Security    

   Affairs, or his or her designee.                                        

       (F) Two private sector individuals, appointed by the President, who 

   have expertise in consumer and privacy interests relating to or affected

   by information security technology.                                     

       (G) Six representatives from the private sector who have expertise  

   in the development, operation, marketing, law, or public policy relating

   to information security or technology.                                  

     (2) The six private sector representatives described in paragraph    

  (1)(G) shall be appointed as follows:                                   

       (A) Two by the Speaker of the House of Representatives.

       (B) One by the Minority Leader of the House of Representatives.

       (C) Two by the Majority Leader of the Senate.

       (D) One by the Minority Leader of the Senate.

     (e) Meetings.--The Board shall meet at such times and in such places 

  as the Secretary may prescribe, but not less frequently than every four 

  months. The Federal Advisory Committee Act (5 U.S.C. App.) does not     

  apply to the Board or to meetings held by the Board under this section. 

     (f) Findings and Recommendations.--The chair of the Board shall      

  convey the findings and recommendations of the Board to the President   

  and to the Congress within 30 days after each meeting of the Board. The 

  recommendations of the Board are not binding upon the President.        

     (g) Foreign Availability.--The consideration of foreign availability 

  by the Board shall include computer software that is distributed over   

  the Internet or advertised for sale, license, or transfer, including    

  over-the-counter retail sales, mail order transactions, telephone order 

  transactions, electronic distribution, or sale on approval.             

           TITLE IV--LIABILITY LIMITATIONS                                         



          SEC. 401. COMPLIANCE WITH COURT ORDER.                                  



     (a) No Liability for Compliance.--Subject to subsection (b), no civil

  or criminal liability under this Act, or under any other provision of   

  law, shall attach to any person for disclosing or providing--           

       (1) the plaintext of encrypted data, including communications;

       (2) the decryption information of such encrypted data, including    

   communications; or                                                      

       (3) technical assistance for access to the plaintext of, or         

   decryption information for, encrypted data, including communications.   

     (b) Exception.--Subsection (a) shall not apply to a person who       

  provides plaintext or decryption information to another and is not      

  authorized by court order to disclose such plaintext or decryption      

  information.                                                            

          SEC. 402. COMPLIANCE DEFENSE.                                           



     Compliance with the provisions of sections 2806, 2807, 2808, or 2809 

  of title 18, United States Code, as added by section 104(a) of this Act,

  or any regulations authorized thereunder, shall provide a complete      

  defense for any civil action for damages based upon activities covered  

  by this Act, other than an action founded on contract.                  

          SEC. 403. REASONABLE CARE DEFENSE.                                      



     The participation by person in the key management infrastructure     

  established by regulation for United States Government information      

  security operations under section 103 shall be treated as evidence of   

  reasonable care or due diligence in any proceeding where the            

  reasonableness of one's actions is an element of the claim at issue.    

          SEC. 404. GOOD FAITH DEFENSE.                                           



     An objectively reasonable reliance on the legal authority provided by

  this Act and the amendments made by this Act, requiring or authorizing  

  access to the plaintext of otherwise encrypted data, including          

  communications, or to the decryption information that will allow the    

  immediate decryption of data, including communications, that is         

  otherwise encrypted, shall be a complete defense to any criminal or     

  civil action that may be brought under the laws of the United States or 

  any State.                                                              

          SEC. 405. SOVEREIGN IMMUNITY.                                           



     Except as otherwise specifically provided otherwise, nothing in this 

  Act or the amendments made by this Act, or any regulations promulgated  

  thereunder, modifies or amends the sovereign immunity of the United     

  States.                                                                 

          SEC. 406. CIVIL ACTION, GENERALLY.                                      



     A civil action may be brought against any person who, regardless of  

  that person's participation in the key management infrastructure to be  

  established by regulations promulgated by the Secretary pursuant to     

  section 103, violates or acts in a manner that is inconsistent with or  

  violates the provisions or intent of this Act or the amendments made by 

  this Act.                                                               

           TITLE V--INTERNATIONAL AGREEMENTS                                       



          SEC. 501. SENSE OF CONGRESS.                                            



   It is the sense of Congress that--                                     


       (1) the President should conduct negotiations with foreign          

   governments for the purposes of mutual recognition of any key management

   infrastructures, and their component parts, that exist or are developed;

   and                                                                     

       (2) such mutual recognition agreements will safeguard the privacy of

   the citizens of the United States, prevent economic espionage, and      

   enhance the information security needs of the United States.            

          SEC. 502. FAILURE TO NEGOTIATE.                                         



     The President may consider a government's refusal to negotiate mutual

  recognition agreements described in section 501 when considering the    

  participation of the United States in any cooperation or assistance     

  program with that country.                                              

          SEC. 503. REPORT TO CONGRESS.                                           



     (a) Report to Congress.--The President shall report annually to the  

  Congress on the status of the international effort outlined by section  

  501.                                                                    

     (b) First Report.--The first report required under subsection (a)    

  shall be submitted in unclassified form no later than December 15, 1998.

           TITLE VI--MISCELLANEOUS PROVISIONS                                      



          SEC. 601. EFFECT ON LAW ENFORCEMENT ACTIVITIES.                         



     (a) Collection of Information by Attorney General.--The Attorney     

  General shall compile, and maintain in classified form, data on the     

  instances in which encryption has interfered with, impeded, or          

  obstructed the ability of the Department of Justice to enforce the      

  criminal laws of the United States.                                     

     (b) Availability of Information to the Congress.--The information    

  compiled under subsection (a), including an unclassified summary        

  thereof, shall be made available, upon request, to any Member of        

  Congress.                                                               

          SEC. 602. INTERPRETATION.                                               



     Nothing contained in this Act or the amendments made by this Act     

  shall be deemed to--                                                    

       (1) preempt or otherwise affect the application of the Arms Export  

   Control Act (22 U.S.C. 2751 et seq.), the Export Administration Act of  

   1979 (50 U.S.C. App. 2401 et seq.), or the International Emergency      

   Economic Powers Act (50 U.S.C. 1701 et seq.) or any regulations         

   promulgated thereunder;                                                 

    (2) affect foreign intelligence activities of the United States; or    



       (3) negate or diminish any intellectual property protections under  

   the laws of the United States or of any State.                          

          SEC. 603. SEVERABILITY.                                                 



     If any provision of this Act or the amendments made by this Act, or  

  the application thereof, to any person or circumstances is held invalid 

  by a court of the United States, the remainder of this Act or such      

  amendments, and the application thereof, to other persons or            

  circumstances shall not be affected thereby.                            



                                          PURPOSE                                 



      Americans expect their phone calls, electronic mail, personal        

   documents, and electronic commercial activities to be secure and        

   private. The rapid expansion of communication and computer technology   

   has created vulnerabilities that leave many personal communications and 

   commercial transactions potentially exposed to fraud and misuse. The    

   development and use of strong encryption is essential to a thriving     

   electronic communications capability, and necessary to help safeguard   

   privacy and protect ourselves from crime. H.R. 695 promotes the         

   development and distribution of strong encryption technologies that are 

   intended to provide a heightened level of security and freedom to engage

   in electronic commerce.                                                 

      Chief among the government's obligations to its people is the duty to

   protect them from threats of harm to their persons or property.         

   Similarly, in order to establish and maintain a government that serves  

   the common good and provides for the common defense, which the Framers  

   acknowledged was essential to a free society, national security         

   interests must be carefully weighed against the people's inalienable    

   rights of life, liberty, and property. With this interest in maintaining

   the balance between individual rights and our nation's security, the    

   Permanent Select Committee on Intelligence sought and obtained referral 

   of the bill, H.R. 695. The Committee's consideration of H.R. 695 brought

   to light that the bill as introduced and reported by the Committee on   

   the Judiciary, though certainly well-intentioned, left our intelligence 

   and intelligence-related capabilities at considerable risk. Likewise,   

   enacted without amendment, it might jeopardize the nation's (including  

   our state and local law enforcement agencies) ability to investigate,   

   apprehend, and prosecute criminals of the most serious stripe.          

      The Committee received evidence that strong encryption has already   

   been used to facilitate drug trafficking, protect child pornographers,  

   shield terrorist plots and communications, and hide evidence of credit  

   card fraud, among other notable crimes. Furthermore, the Committee is of

   the view that such a law enforcement and national security risk should  

   not be left to the forces of the marketplace. Doing so abdicates the    

   responsibility of the government to protect its people from enemies,    

   both foreign and domestic.                                              

      Thus, the amendment in the nature of a substitute to H.R. 695,       

   reported favorably by the Committee, seeks simply to ensure that the    

   critical national security and law enforcement concerns at issue in this

   debate over the nature and direction of encryption policy for the United

   States will be seriously addressed.                                     

                                          SUMMARY                                 



                            section-by-section                           



           Section 1.--Short title                                                 



      This section provides the title of the bill as the ``Security and    

   Freedom through Encryption (``SAFE'') Act of 1997.''                    

           Section 2.--Statement of policy                                         



      This section sets forth the policy of the United States with respect 

   to encryption technology.                                               

                            TITLE I--DOMESTIC USES OF ENCRYPTION                  



           Section 101.--Definitions                                               



      This section establishes the definitions of specific terms used      

   throughout the bill.                                                    

           Section 102.--Lawful use of encryption                                  



      This section makes clear that, except as otherwise provided, it is   

   lawful to use encryption products, regardless of algorithm length       

   selected, encryption key length chosen, or implementation technique or  

   medium used.                                                            

           Section 103.--Voluntary private sector participation in key management infrastructure

      Subsection (a) clarifies that the use of certificate authorities or  

   key recovery agents is completely voluntary.                            

      Subsection (b) provides the Secretary of Commerce with regulatory    

   authority to establish standards for creating voluntary key management  

   infrastructures. The Committee believes that the development of key     

   management infrastructures is important to the interoperability that is 

   necessary for the further development of safe and secure electronic     

   commerce. Any regulations promulgated should allow the voluntary        

   participation of private persons and non-federal entities. These        

   regulations should also encourage the development of certificate        

   authorities and key recovery agents.                                    

      Subsection (c) will permit key recovery agents or certificate        

   authorities to register themselves with the Commerce Department. In     

   addition, such entities will be allowed, if they choose, to identify    

   themselves as meeting the standards established by the Secretary.       

           Section 104.--Unlawful use of encryption                                



      This section amends Title 18, United States Code, by new sections    

   2801 through 2811 within a new chapter 122, which bears the heading,    

   ``Chapter 122-Encrypted Data, Including Communications.''               

      New section 2801 of title 18, United States Code, would make it a    

   criminal offense to use encryption in furtherance of the commission of a

   federal crime. The penalties attached to such crimes would be in        

   addition to any sentence imposed for the underlying offense. For first  

   time offenders, the potential penalties are not more than 5 years in    

   prison, a fine under Title 18, United States Code,\1\                   

    or both. For repeat offenders of this provision, the jail time is      

   potentially no more than an additional 10 years. This section would     

   apply equally to any investigative or law enforcement officer who is    

   found to have violated these provisions.                                

   \1\Title 18, United States Code, Section 3571 establishes the fine      

   schedule for all Title 18 criminal violations. For an individual        

   convicted of a felony, the fine would, generally, be $250,000. For an   

   organization convicted of a felony, the fine would, generally, be       

   $500,000. Some specific criminal provisions may specify higher fine     

   amounts. Any criminal provision authorizing a lower fine amount is      

   nullified by enactment of subsection (e) of section 3571 of Title 18,   

   United States Code.                                                     



      New section 2801 creates several new crimes. First, it makes it      

   illegal to intentionally obtain or use decryption information without   

   lawful authority in order to decrypt data, including information. Next, 

   it makes it a criminal offense to exceed lawful authority in decrypting 

   data, including communications. This new section would make the breaking

   of the encryption code of another without lawful authority and with the 

   purpose of violating that person's privacy or security, or for the      

   purpose of depriving that person of his or her property a criminal      

   violation of law. Likewise, it would be illegal to impersonate another  

   for the purpose of obtaining that person's decryption information       

   without lawful authority. Importantly, it also makes it unlawful to     

   facilitate or assist in the encryption of data, including               

   communications, that are to be used in furtherance of a crime. Finally, 

   it makes it illegal to otherwise disclose decryption information in     

   violation of the provisions of new chapter 122 of Title 18, United      

   States Code. Each of these criminal violations is subject to a potential

   penalty of not more than 10 years in prison, a fine under Title 18,     

   United States Code, or both. This section would apply equally to any    

   investigative or law enforcement officer who is found to have violated  

   these provisions.                                                       

      New section 2803 will make it unlawful after January 31, 2000, to    

   sell in interstate or foreign commerce any encryption product that does 

   not provide duly authorized persons an immediate access to plaintext    

   capability, or immediate decryption capability. Under this new chapter  

   of Title 18, United States Code, such duly authorized persons only      

   include those presenting an order from a court of competent jurisdiction

   requiring that such access or provision of decryption information be    

   made. This section would apply equally to any investigative or law      

   enforcement officer who is found to have violated these provisions.     

      New section 2804 establishes manufacturing and service requirements  

   on encryption products intended for distribution and use after January  

   31, 2000. Subsection (a) requires all public network service providers  

   to offer encryption products or services that ensure an immediate       

   decryption capability or an immediate access to plaintext capability.   

      Subsection (b) requires any person who manufactures for distribution,

   distributes, or imports encryption products intended for sale or use in 

   the United States to include in such products features or functions that

   provide an immediate access to plaintext capability. These features or  

   functions must permit the immediate decryption of data, including       

   communications, without the knowledge or cooperation of the person being

   investigated, but only upon the presentation of a facially valid order  

   issued by a court of competent jurisdiction. Alternatively, encryption  

   products may be manufactured for distribution, distributed, or imported 

   even if they do not meet the requirements set forth above, so long as   

   they can be used only on systems or networks that include features or   

   functions that otherwise provide the immediate access to plaintext      

   capability previously discussed. Finally, persons are free to           

   manufacture encryption products that do not comport with any of the     

   requirements set forth here, so long as they otherwise meet the         

   technical requirements and functional criteria established by the       

   Attorney General, pursuant to subsection (c).                           

      Subsection (c) provides the Attorney General with regulatory         

   authority to promulgate technical requirements and functional criteria  

   for encryption products that will allow for an immediate access to      

   plaintext capability, or otherwise enable the immediate decryption of   

   the otherwise encrypted data, including communications. This subsection 

   provides industry with an opportunity to seek an advisory opinion from  

   the Attorney General as to a particular product intended for            

   manufacture or distribution. Such advisory opinions serve an important

   function in that they will provide the industry with clear guidance on  

   products intended for sale. This procedure will hopefully alleviate the 

   need for lawsuits to enjoin the distribution or manufacture of          

   encryption products. This subsection specifically provides that the     

   Attorney General cannot require a particular methodology to be used in  

   meeting her technical requirements or functional criteria.              

      Subsection (d) authorizes the use, even after January 31, 2000, of   

   encryption products purchased or in use prior to that date. This        

   alleviates any ex post facto problem. The Committee also recognizes that

   industry will need to develop new product lines to comply with the      

   provisions of this amendment. Thus, in order to allow those             

   manufacturers an opportunity to recoup some of their research and       

   development investment this provision allows them to continue to sell   

   their current product line for the next two-plus years.                 

      New section 2805 sets forth procedures whereby the onus is on the    

   government to prohibit the manufacture or distribution of an encryption 

   product, after January 31, 2000, that the Attorney General or the Secretary of Commerce

   believes does not meet the technical requirements or functional criteria

   established by the Attorney General. The Committee believes that it is  

   appropriate for the Attorney General to bear the burden, in a court of  

   law, before an independent arbiter of the facts, of keeping a particular

   encryption product out of the market place. The provision allows for the

   closure of such proceedings to protect the proprietary interest in any  

   information that might be disclosed through a public proceeding.        

   Furthermore, the provision will provide those who obtained an advisory  

   opinion with an absolute defense to the lawsuit as long as the product  

   at issue comports in every aspect with the requirements announced in the

   Attorney General's advisory opinion.                                    

      New section 2806 sets forth the standards and procedures for the     

   issuance of a court order granting an investigative or law enforcement  

   officer access to the plaintext of otherwise encrypted data, including  

   communications, or compelling the provision of decryption information to

   an investigative or law enforcement officer. The application for such   

   order must be made by an attorney for the government. That application  

   must establish facts supporting the finding that the plaintext or       

   decryption information is relevant to an on-going and legitimate law    

   enforcement or foreign counterintelligence investigation. The           

   application and any order issued thereon may be made ex parte and placed

   under seal. Disclosure of the application or order is not authorized by 

   anyone, except as otherwise permitted by this section, or another order 

   of the court. This section also comports with any obligation the United 

   States may have to any foreign government under any effective Mutual    

   Legal Assistance Treaties.

      This section also requires that the court granting access to         

   plaintext or the disclosure of decryption information, shall also ensure

   that a verifiable audit trail of any access to plaintext or decryption  

   information be maintained. This record shall not be maintained in a     

   place or in a manner under the custody or control of the investigative  

   or law enforcement officer gaining the access under this section. The   

   record will then be tendered to the court upon an order of the court.   

      Subsection (d) clarifies that nothing in this new chapter shall be   

   read to expand or modify any other constitutional or statutory          

   requirement under which a government entity is entitled to intercept or 

   obtain oral, wire, or electronic communications, or information.        

      Subsection (e) mandates a strict construction of this new chapter so 

   that it is read only to apply to a government entity's ability to       

   decrypt or otherwise gain access to the plaintext of data, including    

   communications, for which it previously obtained lawful authority to    

   intercept or obtain.                                                    

      New section 2807 provides the users of encryption products with a    

   statutory right to be notified when their decryption information is     

   provided to law enforcement, or when law enforcement is granted access  

   to the plaintext of their data, including communications. This section  

   does provide for a delayed notification to the user so as not to        

   jeopardize the integrity of the on-going criminal investigation or      

   foreign counter-intelligence investigation. Basically, the user must be 

   notified within 90 days after the filing of an application for the      

   decryption information, or for access to the plaintext, unless the judge

   finds good cause warranting the delay. Specifically, however, none of   

   the decrypted contents of the encrypted information that has been       

   obtained, nor any evidence derived therefrom may be used in any         

   proceeding unless the user has been furnished with a copy of the order, 

   application, and the data, including communications. The user may move  

   to suppress the use of any of the plaintext or evidence derived         

   therefrom in any proceeding on the grounds that the plaintext or the    

   decryption information was unlawfully obtained. This section also       

   provides aggrieved persons with a civil cause of action for any         

   violations of this new chapter.                                         

      New section 2808 limits the lawful uses to which any plaintext or

   decryption information may be put. It may be used for the purposes of

   conducting a lawful criminal or foreign counterintelligence             

   investigation, and for the purposes of preparing for and prosecuting any

   criminal violation of law. It may not be disclosed to any party to a    

   civil suit that does not arise from the criminal investigation or       

   prosecution, unless a court finds that there is no alternative means of 

   obtaining the plaintext, or decryption information and that the         

   interests of justice would not be served by nondisclosure. This section 

   further clarifies that decryption information may not be used to        

   determine the plaintext unless the officer possesses other lawful       

   authority to the plaintext.                                             



      This section also outlines the procedures for returning or destroying

   any decryption information upon the conclusion of the investigation,    

   trial, or proceeding.                                                   

      This section also places limitations upon any person acting as a key 

   recovery agent. It specifies to whom and under what circumstances       

   decryption information may be provided to another person by a key       

   recovery agent.                                                         

      New section 2809 requires those who are providing decryption         

   information to an investigative or law enforcement officer to so        

   identify that information in order to avoid any inadvertent disclosure. 

   The officer is responsible for maintaining the decryption information in

   such a manner so as to reasonably assure against inadvertent disclosure.

      New section 2810 makes it a crime to knowingly export an encryption  

   product after January 31, 2000 that does not include an immediate access

   to plaintext capability, or that does not provide an immediate          

   decryption capability. This criminal provision carries a potential      

   prison term of not more than 5 years.                                   

      New section 2811 incorporates the definitions set forth at section   

   101 of this Act as the definitions to be utilized for new chapter 122 of

   Title 18, United States Code.                                           

                              TITLE II--GOVERNMENT PROCUREMENT                    



           Section 201.--Federal purchases of encryption products                  



      This section requires the United States Government, after January 1, 

   1999, to purchase only those encryption products enabling the immediate 

   decryption by an authorized party, without the knowledge or cooperation 

   of the person using the encryption product. This requirement only       

   applies to those products or services obtained for providing security   

   service for a federal computer system.                                  

           Section 202.--Encryption products purchased with Federal funds          



      This section requires that any encryption product or service         

   purchased directly with federal funds after January 1, 1999, shall      

   enable the immediate decryption by an authorized party, without the     

   knowledge or cooperation of the person using the encryption product. The

   Committee does not intend that this provision applies to any product    

   purchased by institutions receiving federal grants or other funding, if 

   such institution does not require interoperability with the United      

   States government, such as universities or public libraries.            

           Section 203.--Networks established with Federal funds                   



      This section requires that any communications network that is        

   established directly with federal funds after January 1, 1999, must use 

   encryption products that include techniques enabling the immediate      

   decryption of data, including communications, without the knowledge or  

   cooperation of the person using the encryption product or service. It is

   not intended that private communications networks that might benefit    

   from federal grants satisfy this requirement. Rather, the Committee     

   intends that this provision apply solely to those communication networks

   established for the purpose of communication with the United States     

   government, either on a contractual basis, or as an element of the      

   government.                                                             

           Section 204.--Product labels                                            



      This section allows for the labeling of encryption products so that  

   purchasers and users are aware that the product is authorized for sale  

   to, or for use in transactions with, the United States government.      

           Section 205.--No private mandate                                        



      This section articulates the policy that the United States government

   shall not require the use of particular encryption standards for the    

   private sector.                                                         

           Section 206.--Implementation                                            



      This section specifically states that encryption products used solely

   for access control, authentication, integrity, nonrepudiation, or       

   digital signatures are not covered by the provisions of this title.     

   Moreover, this section grants the Secretary of Commerce regulatory      

   authority to effectuate the provisions of this title.                   

                              TITLE III--EXPORTS OF ENCRYPTION                    



           Section 301.--Exports of encryption                                     



      Subsection (a) establishes that the Secretary of Commerce, acting in 

   close coordination with the Secretary of Defense, and other executive   

   branch agencies with responsibility for protecting the national         

   security, has the authority to exercise control over the export of      

   encryption products.                                                    

      Subsection (b) clarifies that export control decisions made by the   

   Secretary are not subject to judicial review.                           

           Section 302.--License exception for certain encryption products         



      Subsection (a) sets criteria for export license exceptions of        

   encryption products after January 31, 2000. Specifically, products      

   eligible for exemptions must: be submitted to the Secretary of Commerce 

   for a 1-time product review; not include features that would require    

   licensing under other applicable regulations; not be destined for       

   countries that are determined ineligible on national security grounds.  

   In addition, the product must include a means of obtaining immediate    

   access to plaintext capability if there is lawful authority for such    

   access.                                                                 

      Subsection (b) clarifies that the immediate access to plaintext      

   capability need not be enabled by the manufacturer before or at the time

   of export.                                                              

      Subsection (c) requires the Secretary, in close coordination with the

   Secretary of Defense and other relevant executive branch agency heads,  

   to promulgate regulations for the 1-time review process; and sets a time

   limit of 30 days for that review process. This subsection establishes   

   that the 30-day time clock starts when the Secretary has received a     

   completed application for license exception and the encryption product  

   intended for export.                                                    

      Subsection (d) clarifies that the Secretary of Commerce and the      

   Secretary of Defense still maintain any authorities they currently      

   possess under any other provisions of law, including the Export         

   Administration Act of 1979, as continued in effect under the            

   International Emergency Economic Powers Act.                            

      Subsection (e) establishes a presumption in favor of exporting       

   products submitted to the Secretary under this section. The burden will 

   be on the Secretary of Commerce to deny export.                         

      Subsection (f) provides the President with the authority to waive any

   portion of this title for national security purposes. Requires the      

   President to report to the relevant committees of Congress within 15    

   days after this authority is used.                                      

      Subsection (g) lists the committees in the House and Senate that     

   would receive a report under the previous subsection.                   

           Section 303.--License exception for telecommunications products         



      This section provides a specific exemption for certain voice         

   encryption products. Products will be eligible for this exemption if,   

   after a 1-time review, the Secretary of Commerce determines that the    

   inclusion of information recovery capability would disadvantage U.S.    

   exporters; and the export of the voice encryption product would not pose

   a risk to foreign policy, nonproliferation, or national security.       

           Section 304.--Review for certain institutions                           



      This section requires the Secretary of Commerce to establish an      

   expedited export license exception review process for encryption        

   products to be used by qualified banks, financial institutions, U.S.    

   businesses, and other users specifically authorized by the Secretary.   

           Section 305.--Encryption Industry and Information Security Board        





      This section establishes an Encryption Industry and Information      

   Security Board (``EIISB'') to advise the President on future encryption 

   policy and technological advancements that would serve to alter the     

   United States policy on encryption products. This section also defines  

   the purposes of the board. It further specifies that the Board shall be 

   composed of 13 members, and how those members shall be appointed. In    

   addition to the Secretaries of Commerce and Defense, the Attorney       

   General or the FBI Director, the Director of Central Intelligence, and  

   the National Security Advisor to the President, or their designees will 

   sit on the EIIS Board. The board shall include two individuals appointed

   by the President who should have no ties to the industry, but who can   

   represent the interests of consumer groups and civil liberties advocacy 

   groups. There will also be appointed six representatives from the       

   private sector who together have expertise in the many facets of        

   information security, including the technical and legal issues          

   surrounding the use of information security technology. The Board will  

   report to the President and Congress, and their recommendations are not 

   binding.                                                                

                               TITLE IV--LIABILITY LIMITATIONS                    



           Section 401.--Compliance with court order                               



      This section states that a person shall not be held civilly or       

   criminally liable under this Act, or under any other provision of law,  

   for acting in compliance with a court order compelling the disclosure of

   plaintext or decryption information.                                    

           Section 402.--Compliance defense                                        



      This section provides a complete defense for any non-contract action 

   for damages based upon activities covered by the Act as long as the     

   person complies with the provisions of sections 2806, 2807, 2808, or    

   2809 of title 18, United States Code, as added by section 104(a) of this

   Act, or any regulations authorized thereunder.                          

           Section 403.--Reasonable care defense                                   


      This provision encourages the participation in a key management      

   infrastructure that meets the standards suggested by the Secretary of   

   Commerce under section 103 of this Act. This section authorizes the use 

   of one's participation in such key management infrastructure as evidence

   of reasonable care in a case where the reasonableness of one's actions  

   is at issue.                                                            

           Section 404.--Good faith defense                                        



      This section provides anyone who relies on the legal authority       

   provided under this Act as the basis for providing an investigative or  

   law enforcement officer with access to the plaintext of otherwise       

   encrypted data, including communications, or for providing such officer 

   with decryption information, with a complete defense to any criminal or 

   civil action arising therefrom.                                         

           Section 405.--Sovereign immunity                                        



      This section clarifies that nothing in this Act modifies or amends   

   the sovereign immunity of the United States.                            

           Section 406.--Civil action, generally                                   



      This section allows a civil action to be brought against any person  

   who violates or acts in a way that is inconsistent with the provisions  

   or intent of this Act.                                                  

                              TITLE V--INTERNATIONAL AGREEMENTS                   



           Section 501.--Sense of Congress                                         



      This section expresses the Sense of Congress that the President      

   should negotiate with foreign governments to establish mutual           

   recognition of key management infrastructures.                          

           Section 502.--Failure to negotiate                                      



      This section permits the President to take a country's refusal to    

   negotiate into consideration when making decisions about U.S.           

   participation in any cooperation or assistance program with that        

   country.                                                                

           Section 503.--Report to Congress                                        



      This section requires an annual report to Congress on the status of  

   the negotiations, with the first report due December 15, 1998.          

                             TITLE VI--MISCELLANEOUS PROVISIONS                   



           Section 601.--Effect on law enforcement activities                      



      This section requires the Attorney General to compile, and maintain  

   in classified form, information on those instances where encryption has 

   posed problems in the enforcement of federal laws. This information will

   be available to any Member of Congress upon request.                    

           Section 602.--Interpretation                                            



      This section clarifies the relationship of the bill to the           

   interpretation of certain laws: the bill does not preempt the           

   application of other important export control acts, including: the Arms 

   Export Control Act, the Export Administration Act, or the International 

   Emergency Economic Powers Act; it does not affect foreign intelligence  

   activities of the United States; nor does it diminish U.S. or State     

   intellectual property protections.                                      

           Section 603.--Severability                                              



      This section permits any court reviewing this Act to sever any       

   provision from the remainder of the Act, so as not to find the Act      

   invalid in its entirety.                                                

                            BACKGROUND AND NEED FOR LEGISLATION                   



      H.R. 695, as amended by the Committee on the Judiciary, has broad    

   implications on the intelligence and intelligence-related activities of 

   the United States. The Intelligence Committee has jurisdiction over     

   legislation relating to the intelligence and intelligence-related       

   capabilities of the United States, including the FBI's domestic         

   counter-intelligence and counter-terrorism functions. Thus, upon the    

   Chairman's request, the Speaker referred the bill to the Committee for  

   its consideration.                                                      

      Primary among the Committee's concerns was how the development of    

   strong and unbreakable encryption technology would affect the national  

   security of the United States. The Defense Department's need for        

   information security technology is essential to its force protection and

   war fighting functions. Likewise, information security is critical to   

   the President and his advisors. It is necessary to the Department of    

   State in its development of sound foreign policy. Encryption technology 

   that does not provide for access points to plaintext, or the re-capture 

   of communications and data, puts these needs at considerable risk.      

      The development of encryption technologies that does not take into   

   consideration society's desire to prevent, investigate, and prosecute   

   crimes, is of no sizable benefit to society. Such encryption technology 

   would allow criminals to act with impunity, without concern that their  

   actions might be subject to exposure by lawful authorities. The FBI, the

   agency primarily responsible for counter-terrorism and domestic         

   counter-espionage efforts, and the investigation of child pornography   

   and kidnapping, could find itself especially handicapped in these areas.

   Likewise, the Drug Enforcement Administration, which is responsible to  

   the nation for counter-narcotics operations, could be negatively        

   affected by H.R. 695. Similarly, the Committee was greatly concerned    

   that State and local law enforcement agencies' ability to provide their 

   citizenry with a free and peaceful place to live and work would be      

   seriously jeopardized.                                                  

      As considered by the Permanent Select Committee on Intelligence, H.R.

   695 left the public's safety and our nation's security to the forces of 

   the marketplace. The ``SAFE'' Act provided no mechanism or technological

   capability for law enforcement or national security to access the       

   plaintext of data, including communications. It would ultimately have   

   rendered meaningless any other law, including the Fourth Amendment,

   entitling law enforcement to such evidence. It would have negated our

   intelligence collectors' abilities to perform their vital national

   security functions. The Committee found that, to the detriment of the

   national security and law enforcement equities of the United States,

   H.R. 695 encouraged the development of unbreakable encryption

   technologies, seemingly based upon an absolutist's view of the First

   Amendment and one's ``right of privacy.''

      H.R. 695 did nothing to encourage the development of systems or      

   software that would meet the crucial needs of national security or law  

   enforcement. The bill placed the determination of whether a particular  

   export of encryption technology affected the national security interests

   of the United States solely in the hands of the Secretary of Commerce,  

   with no role whatsoever for the national security apparatus of the      

   United States government. This, despite the proponents' acknowledgment of

   the national security benefit that encryption technology can provide to 

   the government.                                                         

      The proponents of H.R. 695 argue that the legislation enhances the   

   needs of law enforcement. They contend that strong encryption software, 

   widely available to the public, will secure our computer networks,      

   defeat fraud, and instill trust in the already booming Internet. This   

   trust, they assert, is necessary to release the opportunities available 

   through electronic commerce.                                            

      None of this is disputed.



      Congress has on many occasions accepted the premise that the use of  

   electronic surveillance is a tool of utmost importance in many criminal 

   investigations, especially those involving serious and violent crime,   

   terrorism, espionage, organized crime, drug-trafficking, corruption, and

   fraud. There have been numerous cases where law enforcement, through the

   use of electronic surveillance, has not only solved and successfully    

   prosecuted serious crimes and dangerous criminals, but has also been    

   able to prevent serious and life-threatening criminal acts. For example,

   terrorists in New York were plotting to bomb the United Nations         

   building, the Lincoln and Holland tunnels, and 26 Federal Plaza as well 

   as conduct assassinations of political figures. Court-authorized        

   electronic surveillance enabled the FBI to disrupt the plot as          

   explosives were being mixed. Ultimately, the evidence obtained was used 

   to convict the conspirators. In another example, electronic surveillance

   was used to prevent and then convict two men who intended to kidnap,    

   molest and then kill a male child.                                      

      The supporters of the bill insist that the problem for law           

   enforcement is a narrow problem, only affecting approximately 1,100     

   wiretaps per year, while encryption provides great security benefits to 

   the electronic marketplace.\2\                                          

      The Committee is concerned that the problems posed by H.R. 695 are not

   as narrow as the bill's supporters claim. The problem that some see as  

   ``narrow'' is in fact the entirety of the problem. Were the 1,100 or so 

   wiretaps conducted by federal, state, and local law enforcement agencies

   across the country in the last year protected with unbreakable          

   encryption, the scores of drug traffickers, child pornographers,        

   kidnappers, Mafiosi, terrorists, and spies that were identified,        

   investigated, and prosecuted, through the use of those wiretaps, would  

   still be at large.                                                      

   \2\Mr. Jerry Berman, Executive Director of the Center for Technology and

   Democracy before the House Judiciary Committee, March 20, 1997.         

      The Committee notes, with considerable concern, that the threat such 

   encryption creates is not limited to the FBI alone.                     

      From a national security perspective, this is not a problem that will

   begin sometime in the future; we are already encountering the effects of

   encryption today. For example:                                          

       Convicted spy Aldrich Ames was told by the Russian intelligence     

   service to encrypt computer file information that was to be passed to   

   them;                                                                   

       An international terrorist was plotting to blow up 11 U.S.-owned    

   commercial airliners in the far east. His laptop computer which was     

   seized during his arrest in Manila contained encrypted files concerning 

   this terrorist plot; and                                                

       A major international drug trafficking subject recently used a      

   telephone encryption device to frustrate court-approved electronic      

   surveillance.                                                           

      H.R. 695 did little to facilitate or promote technological           

   development of access points for interception, or provide for an        

   immediate decryption capability, through a court order process. The     

   Committee is of the view that these requirements can be fashioned in a  

   way that does not undermine a citizen's right against unreasonable      

   searches and seizures or unnecessarily abridge his or her freedom of    

   speech. There is considerable precedent in statute for a regime that    

   balances privacy, law enforcement concerns, and national security.\3\   

                                                                           



   \3\Title III of the Omnibus Crime Control Act of 1968 codified the      

   government's authority to require service providers to supply technical 

   assistance to enable law enforcement (Federal, state, and local) to     

   intercept oral, electronic, and wire communications, upon the           

   presentment of a court order. That Act balanced the competing rights of 

   the individual and the government under the 4th Amendment by setting out

   in the statute judicial oversight, minimization, and delayed            

   notification procedures that have met the test of time. That Act        

   established the constitutionality of a government mandate upon          

   technology for the societal benefit of public safety and national       

   security.                                                               

      The benefit that strong encryption, without access to plaintext      

   capabilities, provides to the individual encryption user is equally     

   provided to the person with criminal intent. The child pornographer will

   be able to operate with impunity. If there is no mechanism, no          

   technological way of decrypting his files without his permission, there 

   will be no way for the law to break his code, to access his computer    

   files, to develop evidence of his criminal acts and bring him to        

   justice. This is the world without a statutory requirement for access to

   plaintext capability for stored data, or communications.                

      Likewise, without access to plaintext capability for our intelligence

   collectors, international terrorists communicating across the Internet, 

   or through digital communications, sending encrypted messages to their  

   comrades discussing their plans to attack United States interests, can  

   rest assured that their conspiracy will not be discovered, penetrated,  

   frustrated, nor prosecuted by law enforcement authorities.              

      To be sure, as envisioned by the authors of the Bill of Rights, the  

   Fourth Amendment stands as a bulwark against unreasonable government    

   intrusion into the lives of its citizens. That freedom is jealously     

   guarded by the people, through the power and authority of the Judicial  

   Branch of our governmental structure. Certainly, the use of encryption  

   technology to protect electronic data and communication accesses the    

   same right to privacy as the use of a safe to protect paper documents.  

      Nothing in our constitutional framework, however, provides for       

   absolutes. There is no absolute freedom of expression. There is no      

   absolute freedom from search and seizure. Nothing about computer        

   technology alters this constitutional truism. The Bill of Rights        

   delicately balances the competing interests of the people and the       

   nation. The Constitution recognizes that the freedoms embodied in the   

   Bill of Rights are joined with responsibilities. The people are         

   responsible for acting within the bounds of the law. The government, on 

   the other hand, is responsible for acting reasonably. When a citizen    

   violates the law, the Constitution permits reasonable government action 

   to discover and expose that criminal activity. This is the essence of   

   the Fourth Amendment. The Committee notes with concern that encryption  

   technology, which will have enormous benefits, can also threaten the    

   underpinnings of the Constitutional balance struck in the text of the   

   Fourth Amendment if the technology is allowed to develop unchecked and  

   without regard to one's civic responsibilities.                         



      The privacy interests of encryption users should not be minimized,   

   nor given absolute value. A balance must be established. It is true that

   access to decryption information could give the government an           

   opportunity for mischief. Statutory safeguards against the impermissible

   use of decryption information can be employed to adequately deter such  

   violations of privacy. Additionally, users of encryption should be      

   notified that their decryption information has been accessed. But, the  

   timing of this notification, like that permitted by the wiretap statute,

   is very important to the integrity of any criminal or                   

   counter-intelligence investigation.                                     

      With respect to export controls over encryption products, including  

   software, hardware, and technology, it is important to the country's    

   security interests to permit the export only of those encryption        

   products that fulfill the goals of promoting and securing information   

   systems of American citizens, while at the same time enabling the       

   intelligence community to continue to support our policy makers,        

   deployed forces, and U.S. interests at home and overseas.               

      Currently, the Administration regulates the export of encryption     

   products and requires a license prior to export. On October 1, 1996, the

   Vice President announced for the Administration that it would begin     

   allowing 56-bit DES encryption products, or its equivalent, under a     

   general license upon the presentment of the product for a one-time      

   review so long as the exporting company committed to building and       

   marketing future products that were supportive of key recovery. On      

   November 1, 1996, President Clinton issued Executive Order 13026, 61    

   Fed. Reg. 58767 (November 19, 1996) implementing the policy outlined by 

   the Vice President the month before. The Administration, through        

   Ambassador Aaron, the U.S. Special Envoy for Encryption Policy, is also 

   currently engaged in a multi-lateral effort to reach agreement in the   

   international community on export standards supportive of key recovery  

   products.                                                               

      Proponents of H.R. 695 argue that export barriers need to be removed 

   to enhance and improve the already superior position of American        

   encryption manufacturers in foreign markets. They contend that our      

   software industry will in a matter of years, under the current          

   regulatory regime, suffer substantial losses in terms of jobs and       

   profits. They argue that there are encryption products already widely   

   available in foreign countries and on the Internet that are competing   

   with U.S. manufactured encryption products and in the near term could   

   strip U.S. industry of its preeminence in this field.                   

      Foreign availability is an issue that is repeatedly raised in the    

   encryption debate. Industry claims that encryption products are widely  

   available overseas, that other countries do not control their export,   

   and that American firms are suffering significant losses. A study of    

   this issue found that claims of widespread foreign availability of      

   encryption products were not entirely accurate. According to industry   

   experts, widespread use of foreign encryption has not become manifest,  

   although the pace of change and the market for information technology is

   rapid and a growing number of strong encryption products exist.         

      Only a few countries, other than the United States, produce          

   encryption products at this time. Some, like Switzerland, produce only  

   specialized products for a small segment of the market. Others, like    

   Japan, produce primarily hardware products. These countries all have    

   export controls on encryption. As noted, Ambassador Aaron is engaged in 

   regular discussions with them. The Committee believes that the issue of 

   foreign availability is one which the Administration must closely       

   monitor as we move toward a permanent policy on encryption.             

      The Committee shares the concern that American encryption products   

   could be replaced by foreign competitors. It notes, however, that the   

   American grip on the market is remarkable, not just for its share of the

   market, but for its longevity. American technology manufacturers control

   no less than 75% of the global market, despite what many consider to be 

   a ``restrictive'' policy on encryption products. It is acknowledged on  

   both sides of this issue that American encryption technology is the best

   in the world. There is no desire to undermine that position, nor        

   diminish the U.S. preeminence in this regard.                           

                                CONCLUSION                               



      The encryption policy of the United States requires a comprehensive  

   approach that takes into account the equities and prerogatives of the   

   intelligence community; federal, state, and local law enforcement;      

   industry; and the citizens of the United States. The Committee's        

   amendment in the nature of a substitute to the bill as reported by the  

   Committee on the Judiciary, which is further explained in the           

   section-by-section analysis, makes an effort at balancing the important 

   national security, public safety, and privacy interests that are at     

   stake in this debate.                                                   

                                   COMMITTEE PROCEEDINGS                          



      The Committee was briefed on the subject of encryption on May 6, 1997

   by the Hon. William Reinsch, Under Secretary, Bureau of Export          

   Administration, Department of Commerce; Hon. William Crowell, Deputy    

   Director, National Security Agency; and Hon. Robert Litt, Deputy        

   Assistant Attorney General, Criminal Division, United States Department 

   of Justice.                                                             

      The Committee held a hearing on September 9, 1997 in which it heard  

   testimony from: the Hon. Bob Goodlatte, United States Representative,   

   6th District of Virginia; Hon. Zoe Lofgren, United States               

   Representative, 16th District of California; Hon. Louis J. Freeh,       

   Director, Federal Bureau of Investigation; Hon. William Reinsch, Under  

   Secretary, Bureau of Export Administration, Department of Commerce; and 

   Hon. William Crowell, Deputy Director, National Security Agency.        

      The Committee extensively reviewed additional testimony and written  

   materials relating to encryption policy in general and H.R. 695 in      

   particular, including: ``Terrorism in the Next Millennium: Enter the    

   Cyberterrorist,'' by George R. Barth, National Counterintelligence      

   Center; ``Deciphering the Cryptography Debate,'' by Kenneth Flamm, The  

   Brookings Institution; Hon. Michelle Van Cleave, Assistant Director for 

   National Security, White House Office of Science and Technology Policy, 

   remarks before AFCEA Convention, June 25, 1992; Hon. Janet Reno, United 

   States Attorney General, letter to Members of Congress, July 18, 1997;  

   Hon. Louis J. Freeh, Director, Federal Bureau of Investigation,         

   testimony before the United States Senate Committee on Commerce, Science

   and Transportation, March 19, 1997; Hon. Louis J. Freeh, testimony      

   before the United States Senate Committee on the Judiciary, June 25,    

   1997; Hon. John Kyl, United States Senator, Arizona, remarks before the 

   Heritage Foundation, July 28, 1997;                                     

      Testimony before the United States Senate Judiciary Subcommittee on  

   Technology, Terrorism and Government Information, September 3, 1997:    

   Hon. Louis J. Freeh, Director, Federal Bureau of Investigation; Dorothy 

   E. Denning, Georgetown University; Jeffery A. Herig, Special Agent,     

   Florida Department of Law Enforcement; Robert R. Burke, Director of     

   Corporate Services and Security, Monsanto Company, and Chairman of the