Congressional Documents
                                  39 006                                 
                            105 th Congress                             
                             Rept.  105 108                             
                        HOUSE OF REPRESENTATIVES                        

                               1st Session                              
                                 Part 1                                 
  


                  SECURITY AND FREEDOM THROUGH ENCRYPTION (SAFE) ACT           

                   May  22, 1997.--Ordered to be printed                 


 Mr. Coble, from the Committee on the Judiciary, submitted the following 

                               R E P O R T                               



                              together with                              



                             ADDITIONAL VIEW                             



                         [To accompany H.R. 695]                         



       [Including cost estimate of the Congressional Budget Office]      





     The Committee on the Judiciary, to whom was referred the bill (H.R.  

  695) to amend title 18, United States Code, to affirm the rights of     

  United States persons to use and sell encryption and to relax export    

  controls on encryption, having considered the same, report favorably    

  thereon with an amendment and recommend that the bill as amended do     

  pass.                                                                   



                               CONTENTS                                 

         The Amendment                                                    2

         Purpose and Summary                                              4

         Background and Need for Legislation                              5

  I.     Background                                                       5

         A. What is Encryption?                                           5

         B. Issues in the Encryption Debate                               5

         1. Arguments Relating to the Domestic Use of Encryption          6

         2. The Administration's Recent Initiative                        6

         3. Arguments Relating to Export Controls on Encryption Products  8

         4. Recent Litigation                                             9

  II.    Need for Legislation                                             9

         A. Sections 2 and 4--Domestic Use of Encryption                  9

         B. Section 3--Export Controls                                    10

         Hearings                                                         11

         Committee Consideration                                          12

         Vote of the Committee                                            12

         Committee Oversight Findings                                     12

         Committee on Government Reform and Oversight Findings            12

         New Budget Authority and Tax Expenditures                        12

         Congressional Budget Office Estimate                             12

         Constitutional Authority Statement                               14

         Section-by-Section Analysis                                      15

         Agency Views                                                     17

         Changes in Existing Law Made by the Bill, as Reported            19

         Additional Views                                                 24







                         The amendment is as follows:                      



   Strike out all after the enacting clause and insert in lieu thereof the 

                                following:                                 



                                  SECTION 1. SHORT TITLE.                         



   This Act may be cited as the ``Security and Freedom Through Encryption  

                              (SAFE) Act''.                                

                            SEC. 2. SALE AND USE OF ENCRYPTION.                   



      (a) In General.--Part I of title 18, United States Code, is amended  

   by inserting after chapter 123 the following new chapter:               

                  ``CHAPTER 125--ENCRYPTED WIRE AND ELECTRONIC INFORMATION        





      ``2801. Definitions.                                                    



      ``2802. Freedom to use encryption.                                      



      ``2803. Freedom to sell encryption.                                     



      ``2804. Prohibition on mandatory key escrow.                            



      ``2805. Unlawful use of encryption in furtherance of a criminal act.    





          ``2801. Definitions                                                     



   ``As used in this chapter--                                            



       ``(1) the terms `person', `State', `wire communication', `electronic

   communication', `investigative or law enforcement officer', and `judge  

   of competent jurisdiction' have the meanings given those terms in       

   section 2510 of this title;                                             

       ``(2) the terms `encrypt' and `encryption' refer to the scrambling  

   of wire communications, electronic communications, or electronically    

   stored information, using mathematical formulas or algorithms in order  

   to preserve the confidentiality, integrity, or authenticity of, and     

   prevent unauthorized recipients from accessing or altering, such        

   communications or information;                                          

       ``(3) the term `key' means the variable information used in a       

   mathematical formula, code, or algorithm, or any component thereof, used

   to decrypt wire communications, electronic communications, or           

   electronically stored information, that has been encrypted; and         

    ``(4) the term `United States person' means--                          



    ``(A) any United States citizen;                                       



       ``(B) any other person organized under the laws of any State, the   

   District of Columbia, or any commonwealth, territory, or possession of  

   the United States; and                                                  

       ``(C) any person organized under the laws of any foreign country who

   is owned or controlled by individuals or persons described in           

   subparagraphs (A) and (B).                                              

          ``2802. Freedom to use encryption                                       



     ``Subject to section 2805, it shall be lawful for any person within  

  any State, and for any United States person in a foreign country, to use

  any encryption, regardless of the encryption algorithm selected,        

  encryption key length chosen, or implementation technique or medium     

  used.                                                                   

          ``2803. Freedom to sell encryption                                      



     ``Subject to section 2805, it shall be lawful for any person within  

  any State to sell in interstate commerce any encryption, regardless of  

  the encryption algorithm selected, encryption key length chosen, or     

  implementation technique or medium used.                                

          ``2804. Prohibition on mandatory key escrow                             



     ``(a) Prohibition.--No person in lawful possession of a key to       

  encrypted communications or information may be required by Federal or   

  State law to relinquish to another person control of that key.          

     ``(b) Exception for Access for Law Enforcement Purposes.--Subsection 

  (a) shall not affect the authority of any investigative or law          

  enforcement officer, or any member of the intelligence community as     

  defined in section 3 of the National Security Act of 1947 (50 U.S.C.    

  401a), acting under any law in effect on the effective date of this     

  chapter, to gain access to encrypted communications or information.     

          ``2805. Unlawful use of encryption in furtherance of a criminal act     



     ``Any person who, in the commission of a felony under a criminal     

  statute of the United States, knowingly and willfully encrypts          

  incriminating communications or information relating to that felony with

  the intent to conceal such communications or information for the purpose

  of avoiding detection by law enforcement agencies or prosecution--      

       ``(1) in the case of a first offense under this section, shall be   

   imprisoned for not more than 5 years, or fined in the amount set forth  

   in this title, or both; and                                             

       ``(2) in the case of a second or subsequent offense under this      

   section, shall be imprisoned for not more than 10 years, or fined in the

   amount set forth in this title, or both.''.                             

     (b) Conforming Amendment.--The table of chapters for part I of title 

  18, United States Code, is amended by inserting after the item relating 

  to chapter 123 the following new item:                                  





         ``125. Encrypted wire and electronic information                       



        2801''.                                                                





          SEC. 3. EXPORTS OF ENCRYPTION.                                          



     (a) Amendment to Export Administration Act of 1979.--Section 17 of   

  the Export Administration Act of 1979 (50 U.S.C. App. 2416) is amended  

  by adding at the end thereof the following new subsection:              



   ``(g)  Computers and Related Equipment.--                              



       ``(1) General rule.--Subject to paragraphs (2), (3), and (4), the   

   Secretary shall have exclusive authority to control exports of all      

   computer hardware, software, and technology for information security    

   (including encryption), except that which is specifically designed or   

   modified for military use, including command, control, and intelligence 

   applications.                                                           

       ``(2) Items not requiring licenses.--No validated license may be    

   required, except pursuant to the Trading With The Enemy Act or the      

   International Emergency Economic Powers Act (but only to the extent that

   the authority of such Act is not exercised to extend controls imposed   

   under this Act), for the export or reexport of--                        

    ``(A) any software, including software with encryption capabilities--  



       ``(i) that is generally available, as is, and is designed for       

   installation by the purchaser; or                                       

       ``(ii) that is in the public domain for which copyright or other    

   protection is not available under title 17, United States Code, or that 

   is available to the public because it is generally accessible to the    

   interested public in any form; or                                       

       ``(B) any computing device solely because it incorporates or employs

   in any form software (including software with encryption capabilities)  

   exempted from any requirement for a validated license under subparagraph

   (A).                                                                    

       ``(3) Software with encryption capabilities.--The Secretary shall   

   authorize the export or reexport of software with encryption            

   capabilities for nonmilitary end uses in any country to which exports of

   software of similar capability are permitted for use by financial       

   institutions not controlled in fact by United States persons, unless    

   there is substantial evidence that such software will be--              

       ``(A) diverted to a military end use or an end use supporting       

   international terrorism;                                                

    ``(B) modified for military or terrorist end use; or                   



       ``(C) reexported without any authorization by the United States that

   may be required under this Act.                                         

       ``(4) Hardware with encryption capabilities.--The Secretary shall   

   authorize the export or reexport of computer hardware with encryption   

   capabilities if the Secretary determines that a product offering        

   comparable security is commercially available outside the United States 

   from a foreign supplier, without effective restrictions.                

    ``(5)  Definitions.--As used in this subsection--                      



       ``(A) the term `encryption' means the scrambling of wire or         

   electronic information using mathematical formulas or algorithms in     

   order to preserve the confidentiality, integrity, or authenticity of,   

   and prevent unauthorized recipients from accessing or altering, such    

   information;                                                            

       ``(B) the term `generally available' means, in the case of software 

   (including software with encryption capabilities), software that is     

   offered for sale, license, or transfer to any person without            

   restriction, whether or not for consideration, including, but not       

   limited to, over-the-counter retail sales, mail order transactions,     

   phone order transactions, electronic distribution, or sale on approval; 

       ``(C) the term `as is' means, in the case of software (including    

   software with encryption capabilities), a software program that is not  

   designed, developed, or tailored by the software publisher for specific 

   purchasers, except that such purchasers may supply certain installation 

   parameters needed by the software program to function properly with the 

   purchaser's system and may customize the software program by choosing   

   among options contained in the software program;                        

       ``(D) the term `is designed for installation by the purchaser'      

   means, in the case of software (including software with encryption      

   capabilities) that--                                                    

       ``(i) the software publisher intends for the purchaser (including   

   any licensee or transferee), who may not be the actual program user, to 

   install the software program on a computing device and has supplied the 

   necessary instructions to do so, except that the publisher may also     

   provide telephone help line services for software installation,         

   electronic transmission, or basic operations; and                       

       ``(ii) the software program is designed for installation by the     

   purchaser without further substantial support by the supplier;          

       ``(E) the term `computing device' means a device which incorporates 

   one or more microprocessor-based central processing units that can      

   accept, store, process, or provide output of data; and                  

       ``(F) the term `computer hardware', when used in conjunction with   

   information security, includes, but is not limited to, computer systems,

   equipment, application-specific assemblies, modules, and integrated     

   circuits.''.                                                            

     (b) Continuation of Export Administration Act.--For purposes of      

  carrying out the amendment made by subsection (a), the Export           

  Administration Act of 1979 shall be deemed to be in effect.             

          SEC. 4. EFFECT ON LAW ENFORCEMENT ACTIVITIES.                           



     (a) Collection of Information by Attorney General.--The Attorney     

  General shall compile, and maintain in classified form, data on the     

  instances in which encryption (as defined in section 2801 of title 18,  

  United States Code) has interfered with, impeded, or obstructed the     

  ability of the Department of Justice to enforce the criminal laws of the

  United States.                                                          

     (b) Availability of Information to the Congress.--The information    

  compiled under subsection (a), including an unclassified summary        

  thereof, shall be made available, upon request, to any Member of        

  Congress.                                                               



                                    PURPOSE AND SUMMARY                           



      The widespread use of strong encryption to encode digital            

   communications will prevent crime, economic espionage, and information  

   warfare. Unfortunately, our current encryption policy discourages the   

   use of encryption. H.R. 695, the ``Security And Freedom through         

   Encryption (SAFE) Act,'' makes a series of changes to U.S. encryption   

   policy which will facilitate the use of encryption.                     

      Current policy does not restrict the domestic use, sale, or import of

   encryption. Section 2 of H.R. 695 generally codifies that policy by     

   affirmatively prohibiting restrictions on the domestic use and sale of  

   encryption. It also prohibits any mandatory key escrow system, allowing 

   voluntary systems to develop in the marketplace, and provides criminal  

   penalties for the knowing and willful use of encryption to avoid        

   detection of other federal felonies.                                    

      At the same time, however, the export of strong encryption products  

   is tightly restricted under the export control laws. Section 3 of H.R.  

   695 significantly relaxes those export controls. In addition, section 4 

   requires that the Attorney General compile statistics on instances in   

   which these new policies may interfere with the enforcement of federal  

   criminal laws.                                                          

                          BACKGROUND AND NEED FOR THE LEGISLATION                 



                              I.  Background                             



           A. What is encryption?                                                  



      Encryption is the process of encoding data or communications in a    

   form that only the intended recipient can understand. Until fairly      

   recently, society generally considered encryption to be the exclusive   

   domain of national security and law enforcement agencies. However, with 

   the advent of computers and digital electronic communications,          

   encryption's importance to persons and companies in the private sector  

   has increased because they want to transmit data securely. Many people  

   feel that the Internet has not succeeded as a commercial medium as well 

   as it might because those who want to use it do not feel the data       

   transmitted is secure. For example, people do not want to transmit their

   credit card numbers when hackers may steal those numbers.               

      To understand the issues involved, one must understand some basic    

   terminology. In the digital world, data are communicated in a string of 

   ones and zeroes that computers understand, but the average person does  

   not. An encryption scheme converts ones to zeroes and zeroes to ones    

   according to an algorithm or mathematical formula. The intended         

   recipient knows the formula or ``key'' which he uses to decode the      

   encrypted data.                                                         

      The complexity and quality of an encryption scheme determines how    

   difficult it is to break the code and therefore how well the scheme     

   protects the data. One factor determining the complexity of the         

   encryption scheme is the length of the key. The length of the key is    

   usually expressed as a number known as the ``bit length.'' A bit is one 

   digit in the key. A bit length of 40 is considered relatively weak,     

   whereas a bit length of 128 is considered very strong.                  

       However, a bit length of 40 is not 3.2 times weaker than a bit      

   length of 128 because this is an exponential scale, not an arithmetic   

   one. A bit length of 40 has 2\40\ possible keys, whereas a bit length of

   128 has 2\128\ possible keys. To give some practical sense of the       

   difference, one researcher estimated that a relatively inexpensive      

   computer attempting a ``brute force'' effort to decode--i.e. simply     

   trying all the mathematical possibilities--could on average decode a    

   40-bit scheme in a few seconds, whereas a 128-bit scheme would on       

   average take millions of years. Although there is no assurance that this

   estimate is accurate, it does give a general sense of the exponential   

   differences in complexity that flow from an increase in bit length.     

           B. Issues in the encryption debate                                      



      The encryption debate encompasses two main issues. The first issue is

   whether the domestic use and sale of encryption products should be      

   restricted, and in particular, whether domestic users should be required

   to place their keys in escrow with the government or some other neutral 

   third party, e.g. an existing computer company or an entity created     

   solely for the purpose of holding keys. Current law does not have any   

   such restrictions.                                                      

      The second issue is whether the export of encryption products should 

   be restricted. As discussed in more detail below, current law regulates 

   the export of encryption products under two statutes: (1) the Arms      

   Export Control Act (``AECA''), 22 U.S.C. 2751 et seq., and its          

   accompanying International Trafficking in Arms Regulations (``ITAR''),  

   22 C.F.R. 120 et seq., and (2) the Export Administration Act (``EAA''), 

   50 U.S.C. App. 2401 et seq., and its accompanying Export Administration 

   Regulations (``EAR''), 15 C.F.R. 730 et seq. Although the EAA expired in

   1994, President Clinton kept its provisions in force by invoking his    

   powers under the International Emergency Economic Powers Act, 50 U.S.C. 

   1701 et seq. Executive Order 12924 (August 19, 1994); 59 Fed. Reg. 43437

   (August 23, 1994).                                                      

            1. Arguments relating to the domestic use of encryption                 



      Law enforcement and national security agencies believe that they need

   some form of key escrow system to maintain their ability to perform     

   legitimate wiretaps and to read computer data seized through lawful     

   means. They argue that widespread use of strong encryption without key  

   escrow would end the use of wiretapping as a tool for fighting crime.   

   For example, they argue that instances occur when law enforcement       

   agencies learn in the course of a wiretap that someone is about to      

   commit a serious crime. If strong encryption prevented a contemporaneous

   understanding of this information, the agencies would not be able to    

   prevent the crime. Likewise, if strong encryption prevented the reading 

   of lawfully seized computer data, it could unreasonably delay criminal  

   investigations. They further argue that a key escrow system would have  

   the salutary side effect of providing a backup for those users who might

   lose their keys. Although they contend that they only favor a voluntary 

   key escrow system, many believe that the use of export controls as      

   leverage to encourage the use of a key escrow system effectively amounts

   to making such a system mandatory.                                      

      The computer industry, the American business community, and privacy  

   groups vehemently oppose any mandatory key escrow system. They argue    

   that a mandatory system would unnecessarily invade the privacy of users 

   and that the market should develop any voluntary key escrow system. They

   believe that law enforcement can gain access to keys through traditional

   means for obtaining evidence and that those with criminal intent will   

   not use key escrow products, thus defeating the purpose of the          

   Administration's policy. They argue that our law and tradition do not   

   require private citizens to take positive action to assist the          

   government in surveilling them in any other instance.                   

      Moreover, they contend that private citizens should not be required  

   to give access to their most precious assets to anyone else regardless  

   of whether it is the government or a third party. In the digital age,   

   information is often the most valuable property that a company owns.    

   They further argue that the good that widespread use of encryption can  

   do in preventing crime far outweighs the harm done by the relatively few

   instances in which the use of encryption hampers law enforcement.       



            2. The administration's recent initiative                               



      Until last fall, the Administration treated encryption products as   

   munitions for export purposes. The State Department has jurisdiction    

   over the export of munitions under AECA and ITAR, and it had, as a      

   matter of practice, generally only allowed the export of encryption     

   products with bit lengths of 40 or less. The State Department treated   

   these relatively weak encryption products as non-defense products       

   subject to the jurisdiction of the Department of Commerce under the     

   Export Administration Act, 50 U.S.C. App. 2401 et seq. Beyond that      

   level, any export of encryption products required a special license.    

      On October 1, 1996, Vice President Gore announced the                

   Administration's intention to develop a new policy on the export of     

   encryption products. The Vice President's announcement stated in part:  





      Under this initiative, the export of 56-bit key length encryption    

   products will be permitted under a general license after one-time       

   review, and contingent upon industry commitments to build and market    

   future products that support key recovery. This policy will apply to    

   hardware and software products. The relaxation of controls will last up 

   to two years.                                                           

         * * * * * * *                                                           



      Exporters of 56-bit DES or equivalent encryption products would make 

   commitments to develop and sell products that support the key recovery  

   system that I announced in July. That vision presumes that a trusted    

   party (in some cases internal to the user's organization) would recover 

   the user's confidentiality key for the user or for law enforcement      

   officials acting under proper authority. Access to keys would be        

   provided in accordance with destination country policies and bilateral  

   understandings. No key length limits or algorithm restrictions will     

   apply to exported key recovery products.                                

         * * * * * * *                                                           



      Under the relaxation, six-month general export licenses will be      

   issued after one-time review, contingent on commitments from exporters  

   to explicit benchmarks and milestones for developing and incorporating  

   key recovery features into their products and services, and for building

   the supporting infrastructure internationally. Initial approval will be 

   contingent on firms providing a plan for implementing key recovery. The 

   plan will explain in detail the steps the applicant will take to        

   develop, produce, distribute, and/or market encryption products with key

   recovery features. The specific commitments will depend on the          

   applicant's line of business.                                           

      The government will renew the licenses for additional six-month      

   periods if milestones are met. Two years from now, the export of 56-bit 

   products that do not support key recovery will no longer be permitted.  

   Currently exportable 40-bit mass market software products will continue 

   to be exportable. We will continue to support financial institutions in 

   their efforts to assure the recovery of encrypted financial information.

   Longer key lengths will continue to be approved for products dedicated  

   to the support of financial applications.                               





  Statement of the Vice President dated October 1, 1996.                  



       On November 15, 1996, President Clinton issued Executive Order      

   13026, 61 Fed. Reg. 58767 (November 19, 1996), and an accompanying      

   Presidential Memorandum which began the implementation of the policy    

   outlined in the October 1 statement. Among other things, the executive  

   order and the memorandum transferred all non-military encryption        

   products to the Commerce Control List, meaning that their licensing for 

   export would be overseen by the Department of Commerce under the EAA.   

   The order and memorandum also gave the Department of Justice a          

   significant voice in such licensing decisions.                          

      On December 30, 1996, the Department of Commerce promulgated         

   regulations that implemented the new policy. 61 Fed. Reg. 68572         

   (December 30, 1996). Although the policy has only been in place for a   

   few months, much of the computer industry, particularly software        

   companies, have criticized it.                                          

            3. Arguments relating to export controls on encryption products         



      The Administration has to date opposed any lifting of export controls

   beyond that in its recent initiative. It argues that the controls are   

   still effective and that our allies would dislike the negative effect on

   law enforcement efforts if we lifted the controls. It also argues that  

   the lifting of the controls might not help business because other       

   countries would impose import controls. Finally, the Administration     

   argues that it is making efforts under its new policy to find ways to   

   relax the controls on a case by case basis.                             

      The computer industry and the privacy groups argue that the          

   Administration ought to substantially relax, if not eliminate the       

   controls. They argue that wrongdoers can easily evade them because many 

   encryption products are available to anyone over the Internet. At least 

   one study estimated that at least 500 products are available worldwide. 

   They also argue that the controls are easily evaded because as a        

   practical matter, anyone can come into the United States, buy encryption

   products, and take them out of the country with little risk of          

   detection. Because the controls are so easily evaded, they further argue

   that the controls serve only to put American companies at a competitive 

   disadvantage and to discourage investment in the development of better  

   encryption products. If the situation does not change, they believe that

   American companies will no longer dominate this field.                  

      In addition, they contend that the Administration's new policy is a  

   backdoor attempt to force the domestic use of encryption with key       

   escrow. Under the policy, a company that wants both to sell encryption  

   products here and abroad must either make two versions of its product or

   sell only a product that meets the export restrictions. They also       

   question whether the carrot and stick approach the new policy takes is a

   legitimate and logical use of export controls. Current encryption       

   products of the 56-bit strength are either safe to export or they are   

   not--a company's compliance or noncompliance with the Administration's  

   directives regarding future products will not change that.              



            4. Recent litigation                                                    



      Currently, at least two plaintiffs have ongoing lawsuits that        

   challenge the Administration's policies regarding encryption. In one    

   case, the United States District Court for the District of Columbia     

   ruled that the government's decision to designate an encryption product 

   as a munition, and therefore restrict its export, was not subject to    

   judicial review. Karn v. Department of State , 925 F.Supp. 1 (D.D.C.    

   1996) , remanded , 107 F.3d 923 (D.C. Cir. 1997). The Court further held

   that the export restriction on the product was content neutral and      

   narrowly tailored, and therefore did not violate the First Amendment.   

   The United States Court of Appeals for the District of Columbia Circuit 

   recently remanded the case for further consideration in light of the    

   Administration's new policy, and the Committee understands that the     

   Court has not made a further decision. The plaintiff in the case, Philip

   Karn, testified before the Subcommittee on Courts and Intellectual      

   Property at the March 20, 1997 hearing on H.R. 695.                     

      In the other case, the United States District Court for the Northern 

   District of California ruled that the export restrictions on encryption 

   products were unconstitutional prior restraints on free speech because  

   they did not have adequate procedural safeguards. Bernstein v.          

   Department of State , 945 F.Supp. 1279 (N.D. Cal. 1996). The Committee  

   understands that this case is still before the District Court for       

   further consideration in light of the Administration's new policy.      

                       II. Need for the Legislation                      



           A. Sections 2 and 4--domestic use of encryption                         



      The Committee believes that sections 2 and 4 of H.R. 695, as reported

   by the Committee, will significantly aid the fight against crime. Both  

   sides of the debate agree that the use of strong encryption will help   

   users to prevent crimes before they happen. As we increasingly depend on

   computers to control our national infrastructure, the danger of         

   information warfare and economic espionage also increase. The use of    

   strong encryption diminishes that terrifying prospect.                  

      The affirmative statements in new sections 2802 and 2803 that it is  

   legal for persons in the United States and for United States persons    

   abroad to use, and for persons in the United States to sell, encryption 

   will encourage the use of encryption to fight crime. These sections only

   state what the Committee understands to be existing law, and therefore  

   they should not worsen any law enforcement and national security        

   concerns. By making these affirmative statements of positive law, the   

   bill will prevent any reduction of the existing right to use or sell    

   encryption domestically by administrative action, state law, or other   

   means.                                                                  

      New section 2804 effectively prohibits the imposition of any         

   mandatory key escrow system. The Committee believes that Americans      

   should not be forced to surrender the keys to their data without proper 

   justification any more than they should be forced to surrender the keys 

   to their homes. The limited circumstances under which law enforcement   

   and national security officers may obtain access to the private spaces  

   of Americans have stood the test of time. They exist for good reasons   

   that are well understood by all. The advent of a new technology is not a

   sufficient justification for diminishing these historic protections.    

      At the same time, however, new section 2804 preserves existing       

   authorities for law enforcement and national security officers to obtain

   keys for legitimate purposes. Just as new technology should not take    

   away the longstanding rights of citizens against government, it also    

   should not take away the traditional means for legitimate law           

   enforcement and national security investigations. However, the Committee

   does not believe that the advance of technology warrants a system of    

   forcing people to deposit their keys with any third party without proper

   justification. Thus, new section 2804 prohibits any such system.        

      Despite the Committee's opposition to any mandatory key escrow       

   system, nothing in section 2804 should be construed to prevent or hinder

   the development of a voluntary key escrow system if the market demands  

   it. Such a system may have many benefits so long as users are allowed to

   choose freely whether to join. If enough users desire it, the Committee 

   believes that the market will develop it.                               

      In addition to the preservation of existing law enforcement          

   authorities to obtain keys for legitimate purposes in new section 2804, 

   new section 2805 further aids law enforcement and national security by  

   making it a crime to avoid detection of another federal felony through  

   the knowing and willful use of encryption. This section gives the       

   government another tool with which to fight the misuse of encryption.   

      Section 4 requires the Attorney General to compile and make available

   to Congress information on instances in which encryption interferes with

   the enforcement of the federal criminal law. This requirement will      

   assist the Committee in determining whether to make any further changes 

   to encryption policy. It will also foster a continuing dialogue between 

   the Congress and the executive branch on these matters. Through all of  

   these means, the Committee believes that it has carefully balanced the  

   needs of law abiding citizens against those of the law enforcement and  

   national security agencies as to the matters within its jurisdiction.   

           B. Section 3--export controls                                           



      Section 3 of H.R. 695 significantly relaxes existing export controls 

   on encryption products. Because Section 3 amends the Export             

   Administration Act of 1979, it falls within the                         



                    jurisdiction of the House Committee on International          

          Relations. The International Relations Committee has been given a       

          secondary referral of H.R. 695 for consideration of Section 3.          

      For that reason, the Committee on the Judiciary did not address      

   Section 3 during its consideration of H.R. 695. However, the Committee  

   realizes that export controls must be addressed as part of any          

   comprehensive national encryption policy. The Committee believes that it

   has carefully balanced the interests involved in the matters under its  

   jurisdiction. It stands ready to work with the Committee on             

   International Relations, the Administration, and all other interested   

   parties in an effort to develop a similar, but more comprehensive,      

   balancing of all the interests, including those relating to export      

   controls, as this legislation moves forward.                            

                                          HEARINGS                                



      The Committee's Subcommittee on Courts and Intellectual Property held

   one day of hearings on H.R. 695 on March 20, 1997. The Subcommittee     

   received testimony from the following twelve witnesses: Hon. William    

   Reinsch, Under Secretary, Bureau of Export Administration, Department of

   Commerce, Washington, D.C.; Hon. William Crowell, Deputy Director,      

   National Security Agency, Fort Meade, Maryland; Hon. Robert Litt, Deputy

   Assistant Attorney General, Criminal Division, United States Department 

   of Justice, Washington, D.C.; Mrs. Phyllis Schlafly, President, Eagle   

   Forum, St. Louis, Missouri; Mr. Ira Rubinstein, Senior Corporate        

   Attorney, Microsoft Corporation, on behalf of the Business Software     

   Alliance; Ms. Roberta Katz, Senior Vice-President, General Counsel, and 

   Secretary, Netscape Communications Corporation, Mountain View,          

   California, on behalf of the Information Technology Association of      

   America and the Software Publishers Association; Mr. Jonathan Seybold,  

   Chairman of the Executive Committee and Director, Pretty Good Privacy,  

   Inc., San Mateo, California; Mr. Tom Morehouse, President and Chief     

   Executive Officer, SourceFile, Inc., Oakland, California; Mr. Grover    

   Norquist, President, Americans for Tax Reform, Washington, D.C.; Mr.    

   Philip Karn, Staff Engineer, Qualcomm, Inc., San Diego, California; Mr. 

   Marc Rotenberg, Director, Electronic Privacy Information Center,        

   Washington, D.C.; and Mr. Jerry Berman, Executive Director, Center for  

   Democracy and Technology, Washington, D.C. Two organizations submitted  

   additional material for the record.                                     

      In addition, Congressman Goodlatte introduced identical legislation, 

   H.R. 3011, in the 104th Congress. The full Committee held one day of    

   hearings on H.R. 3011 on September 25, 1996 (Serial No. 100). The       

   Committee received testimony from the following eight witnesses: Hon.   

   Bob Goodlatte, United States Representative, 6th District of Virginia;  

   Hon. Jamie Gorelick, Deputy Attorney General, United States Department  

   of Justice, Washington, D.C.; Hon. William Crowell, Deputy Director,    

   National Security Agency, Fort Meade, Maryland; Hon. William Reinsch,   

   Under Secretary, Bureau of Export Administration, Department of         

   Commerce, Washington, D.C.; Ms. Melinda Brown, Vice-President and       

   General Counsel, Lotus Development Corporation, Cambridge,              

   Massachusetts, on behalf of the Business Software Alliance; Ms. Roberta 

   Katz, Senior Vice-President, General Counsel, and Secretary, Netscape   

   Communications Corporation, Mountain View, California, on behalf of the 

   Information Technology Association of America and the Software          

   Publishers Association; Ms. Patricia Ripley, Managing Director, Bear    

   Stearns & Company, Inc., New York, New York; and Dr. Charles Deneka,    

   Senior Vice-President and Chief Technology Officer, Corning, Inc.,      

   Corning, New York, on behalf of the National Association of             

   Manufacturers. Two organizations submitted additional material for the  

   record.                                                                 

                                  COMMITTEE CONSIDERATION                         



      On April 30, 1997, the Subcommittee on Courts and Intellectual       

   Property met in open session and ordered reported the bill H.R. 695     

   without amendment, by a voice vote, a quorum being present. On May 14,  

   1997, the Committee met in open session and ordered reported favorably  

   the bill H.R. 695 with a single amendment in the nature of a substitute,

   by a voice vote, a quorum being present.                                

                                   VOTE OF THE COMMITTEE                          



      During their consideration of H.R. 695, the Committee and the        

   Subcommittee took no roll call votes.                                   

                                COMMITTEE OVERSIGHT FINDINGS                      



      In compliance with clause 2(l)(3)(A) of rule XI of the Rules of the  

   House of Representatives, the Committee reports that the findings and   

   recommendations of the Committee, based on oversight activities under   

   clause 2(b)(1) of rule X of the Rules of the House of Representatives,  

   are incorporated in the descriptive portions of this report.            

                   COMMITTEE ON GOVERNMENT REFORM AND OVERSIGHT FINDINGS          



      No findings or recommendations of the Committee on Government Reform 

   and Oversight were received as referred to in clause 2(l)(3)(D) of rule 

   XI of the Rules of the House of Representatives.                        

                         NEW BUDGET AUTHORITY AND TAX EXPENDITURES                



      Clause 2(l)(3)(B) of House rule XI does not apply because this       

   legislation does not provide new budgetary authority or increased tax   

   expenditures.                                                           

                         CONGRESSIONAL BUDGET OFFICE COST ESTIMATE                



      In compliance with clause 2(l)(3)(C) of rule XI of the Rules of the  

   House of Representatives, the Committee sets forth, with respect to the 

   bill, H.R. 695, the following estimate and comparison prepared by the   

   Director of the Congressional Budget Office under section 403 of the    

   Congressional Budget Act of 1974:                                       





       U.S. Congress,                                                          



       Congressional Budget Office,                                            



       Washington, DC, May 21, 1997.                                           







          Hon.  Henry J. Hyde,           Chairman, Committee on the Judiciary,



       House of Representatives, Washington, DC.                               



       Dear Mr. Chairman: The Congressional Budget Office has prepared the 

   enclosed cost estimate for H.R. 695, the Security and Freedom Through   

   Encryption (SAFE) Act.                                                  

      If you wish further details on this estimate, we will be pleased to  

   provide them. The CBO staff contacts are Rachel Forward (for federal    

   costs); Stephanie Weiner (for revenues); and Leo Lex (for the state and 

   local impact).                                                          

   Sincerely,                                                              



        James L. Blum                                                           



         (For June E. O'Neill, Director).                                       



   Enclosure.                                                              



           H.R. 695--Security and Freedom Through Encryption (SAFE) Act            



      Summary: H.R. 695 would allow individuals in the United States to use

   and sell any form of encryption and would prohibit states or the federal

   government from requiring individuals to relinquish the key to          

   encryption technologies to any third party. The bill also would prevent 

   the Bureau of Export Administration (BXA) in the Department of Commerce 

   from restricting the export of most nonmilitary encryption products.    

   H.R. 695 would establish criminal penalties and fines for the use of    

   encryption technologies to conceal incriminating information relating to

   a felony from law enforcement officials. Finally, the bill would require

   the Attorney General to maintain data on the instances in which         

   encryption impedes or obstructs the ability of the Department of Justice

   (DOJ) to enforce the criminal laws.                                     

      Assuming appropriation of the necessary amounts, CBO estimates that  

   enacting this bill would result in additional discretionary spending of 

   between $1 million and $3 million over the 1998 2002 period of BXA and  

   DOJ. Spending by BXA and DOJ for activities required by H.R. 695 would  

   total between $5 million and $7 million over the next five years. By    

   comparison, CBO estimates that--under current policies--spending by BXA 

   for reviewing the export of nonmilitary encryption products would total 

   about $4.5 million over the same period. (Spending related to encryption

   exports by DOJ is negligible under current law.) Enacting H.R. 695 also 

   would affect direct spending and receipts beginning in fiscal year 1998 

   through the imposition of criminal fines and the resulting spending from

   the Crime Victims Fund. Therefore, pay-as-you-go procedures would apply.

   CBO estimates, however, that the amounts of additional direct spending  

   or receipts would not be significant.                                   

      H.R. 695 contains no private-sector mandates as defined in the       

   Unfunded Mandates Reform Act of 1995 (UMRA). The bill would prohibit    

   states from requiring persons to make encryption keys available to      

   another person or entity. This prohibition would be an                  



                    intergovernmental mandate as defined in UMRA. However, states 

          would bear no costs as a result of the mandate because none currently   

          require the registration or availability of such keys.                  

      Estimated cost to the Federal Government: Under current policy, BXA  

   would likely spend about $900,000 a year reviewing exports of encryption

   products. Assuming appropriation of the necessary amounts, CBO estimates

   that enacting H.R. 695 would lower BXA's encryption-related costs to    

   about $500,000 a year. In November 1996, the Administration issued an   

   executive order and memorandum that authorized BXA to control the export

   of all nonmilitary encryption products. If H.R. 695 were enacted, BXA   

   would still be required to review requests to export most computer      

   hardware with encryption capabilities but would not be required to      

   review most requests to export computer software with encryption        

   capabilities. Thus, enacting H.R. 695 would reduce the costs to BXA to  

   control the exports of nonmilitary encryption products.                 

      According to the DOJ, maintaining data on the instances in which     

   encryption impedes or obstructs the ability of the Department of Justice

   to enforce the criminal laws could cost $1 million or more per year. The

   cost of maintaining the data is difficult to ascertain because DOJ      

   believes that if H.R. 695 were enacted such instances would be numerous.

   But the agency is uncertain as to how much it would cost to track such  

   classified information nationwide. For the purposes of this estimate,   

   CBO projects that maintaining the data would cost DOJ between $500,000  

   and $1 million a year, assuming appropriation of the necessary amounts. 

      CBO estimates that the collections of criminal fines for the use of  

   encryption technologies to conceal incriminating information relating to

   a felony from law enforcement officials would not be significant.       

      The costs of this legislation fall within budget functions 370       

   (commerce and housing credit) and 750 (administration of justice).      

      Pay-as-you-go considerations: Section 25 of the Balanced Budget and  

   Deficit Control Act of 1985 sets up pay-as-you-go procedures for        

   legislation affecting direct spending or receipts through 1998. Enacting

   H.R. 695 would affect direct spending and receipts through the          

   imposition of criminal fines for encrypting incriminating information   

   related to a felony. Collections from such fines are likely to be       

   negligible, however, because the federal government would probably not  

   pursue many cases under the bill. Any such collections would be recorded

   in the budget as governmental receipts, or revenues. They would be      

   deposited in the Crime Victims Fund and spent the following year.       

   Because the increase in direct spending would be the same amount as the 

   amount of fines collected with a one-year lag, the additional direct    

   spending would also be negligible.                                      

      Estimated impact on State, local, and tribal governments: H.R. 695   

   would prohibit states from requiring persons to make encryption keys    

   available to another person or entity. This prohibition would be an     

   intergovernmental mandate as defined in UMRA. However, states would bear

   no costs as the result of the mandate because none currently require the

   registration or availability of such keys.                              

      Estimated impact on the private sector: The bill would impose no new 

   private-sector mandates as defined in UMRA.                             

      Estimate prepared by: Federal Costs: Rachel Forward--Revenues:       

   Stephanie Weiner--Impact on State, Local, and Tribal Governments: Leo   

   Lex.                                                                    

      Estimate approved by: Robert A. Sunshine, Deputy Assistant Director  

   for Budget Analysis.                                                    



                             CONSTITUTIONAL AUTHORITY STATEMENT                   



      Pursuant to rule XI, clause 2(l)(4) of the Rules of the House of     

   Representatives, the Committee finds the authority for this legislation 

   in Article I, section 8 of the Constitution.                            

                                SECTION-BY-SECTION ANALYSIS                       



       Section 1. Short Title. Section 1 provides that H.R. 695 may be     

   cited as the ``Security And Freedom through Encryption (SAFE) Act.''    

       Section 2. Sale and Use of Encryption. Subsection 2(a) of H.R. 695  

   creates a new chapter 122 in Title 18 of the United States Code. This   

   chapter 122 would include new sections 2801 05.                         

      New section 2801 provides for definitions of terms to be used in the 

   chapter. Many of the definitions used are explicitly taken from the     

   definitions in the existing federal wiretap statute, 18 U.S.C. 2510 et  

   seq. During the Committee markup, Mr. Delahunt offered an amendment     

   making technical changes to these definitions to conform them more      

   closely with the existing definitions. The Delahunt amendment passed on 

   a voice vote.                                                           

      New section 2802 affirmatively states that it is legal for any person

   in the United States, or any United States person in a foreign country, 

   to use any form of encryption regardless of the algorithm, key length,  

   or technique used in the encryption. New section 2803 affirmatively     

   states that it is legal for any person in the United States to sell in  

   interstate commerce encryption products using any form of encryption    

   regardless of the algorithm, key length, or technique used. Some        

   business groups have expressed concern that new sections 2802 and 2803  

   might be construed to override their lawful policies for employee use of

   their computer systems. The Committee does not intend for these sections

   to be so read. The Committee intends that these sections should be read 

   as limitations on government power. They should not be read as          

   overriding otherwise lawful employer policies concerning employee use of

   the employer's computer systems, nor as limiting the employer's         

   otherwise lawful means for remedying violations of those policies.      

      Thus, even though employees cannot be prosecuted for an offense of   

   unlawful encryption under Section 2802, employees may be prosecuted for 

   failing to return business property, unlawful appropriation, or         

   conversion. Consider, for example, the case in which an employer's      

   information management policy calls for company-wide deployment of key  

   recovery encryption, and a given employee refuses to comply, encrypting 

   instead without key recovery using some other system. In that instance, 

   the employer remains within his rights, under state statutory or common 

   law, to sue to obtain the needed key to recover the business            

   property--plans, designs, texts, databases, and the like--contained in  

   the computer or computers under the employee's control.                 

      New section 2804 specifically prohibits requiring any person in      

   lawful possession of an encryption key to turn that key over to another 

   person. This section effectively prevents any form of mandatory key     

   escrow system. As introduced, this section provided an exception for law

   enforcement personnel acting under any law in effect on the date of     

   enactment. At the Committee markup, Mr. McCollum offered an amendment   

   that expands the exception to include members of the intelligence       

   community as defined in section 3 of the National Security Act of 1947  

   (50 U.S.C. 401a). The McCollum amendment passed by a voice vote.        

      Finally, new section 2805 makes it a crime to use encryption         

   unlawfully in furtherance of some other crime. This new crime is        

   punishable by a sentence of 5 years for the first offense and 10 years  

   for a subsequent offense. The Delahunt amendment that made technical    

   changes to the definitions also changed the language of this section.   

   The Delahunt amendment clarified two points relating to this new crime: 

   (1) it applies only to the use of encryption to avoid detection of some 

   other federal felony, and (2) it applies only when the encryption is    

   knowingly and willfully used to avoid detection. In other words, this   

   crime cannot occur without the commission of some other federal felony, 

   and the use of encryption must be a deliberate attempt to avoid         

   detection of that felony. It may not be unknowing or accidental. As     

   noted above, the Delahunt amendment passed on a voice vote.             

      Subsection 2(b) of H.R. 695 provides for a conforming amendment to   

   the table of chapters in Title 18.                                      

       Section 3. Exports of Encryption. Subsection 3(a) of H.R. 695 amends

   the Export Administration Act by creating a new subsection (g) to 50    

   U.S.C. App. 2416. New subsection (g)(1) would place all encryption      

   products, except those specifically designed or modified for military   

   use, under the jurisdiction of the Secretary of Commerce. New subsection

   (g)(2) allows encryption software that is generally available or in the 

   public domain, like mass-market software products, to be exported       

   freely. New subsection (g)(3) requires the Secretary to allow other     

   encryption software to be exported unless there is substantial evidence 

   that it will be put to military or terrorist uses or that it will be    

   reexported without U.S. authorization.                                  

      New subsection (g)(4) requires the Secretary to allow the export of  

   hardware with encryption capabilities when the Commerce Department finds

   that it is commercially available from foreign suppliers without        

   effective restrictions. New subsection (g)(5) provides definitions.     



      The Committee would like to clarify that with the ever increasing    

   incorporation of computer-like intelligence (including hardware and     

   software) into consumer products for the protection of privacy,         

   information security, and intellectual property interests, it intends   

   this legislation to cover all devices--whether traditional ``computing''

   devices or ``convergent'' consumer products--that incorporate           

   encryption. Further, the applications covered by this legislation       

   include video, audio, and data communications systems. Hardware and     

   software containing encryption, such as encoders, decoders, and network 

   terminals, which are essential to protect the video signal, are         

   therefore included under section 3(a) of this Act. Video, audio, and    

   data communications systems containing encryption and decryption        

   capability are used by cable, satellite, and wireless delivery systems. 

      Subsection 3(b) of H.R. 695 provides that for purposes of carrying   

   out the amendment made by subsection 3(a), the Export Administration Act

   shall be deemed to be in effect. This statement is necessary because    

   Congress allowed the Export Administration Act to lapse in 1994. To     

   date, it has not been renewed, and its policies have been continued by  

   executive order.                                                        

       Section 4. Effect on Law Enforcement Activities. Section 4 was not  

   part of the bill as introduced. An amendment offered by Mr. Hutchinson  

   added this language to the bill. Subsection 4(a) requires the Attorney  

   General to compile information on instances in which encryption has     

   interfered with, impeded, or obstructed the ability of the Justice      

   Department to enforce federal criminal law and to maintain that         

   information in classified form. The Committee intends that information  

   compiled by the Attorney General pursuant to this section also include  

   instances in which encryption has prevented crimes from occurring,      

   especially in protecting national infrastructures and preventing        

   economic espionage (although not limited to those areas). Subsection    

   4(b) requires that the Attorney General shall make the information      

   compiled under subsection 4(a), including an unclassified summary,      

   available to Members of Congress upon request. The Hutchinson amendment 

   passed on a voice vote.                                                 

                                        AGENCY VIEWS                              





       U.S. Department of Justice,                                             



       Office of Legislative Affairs,                                          



       Washington, DC, April 30, 1997.                                         







          Hon.  Howard Coble,            
Chairman, Subcommittee on Courts and Intellectual Property, 
Committee on the Judiciary, House of Representatives, Washington, DC.



       Dear Mr. Chairman: Your Subcommittee will soon begin mark-up of H.R.

   695, the ``Security and Freedom Through Encryption (SAFE) Act.''        

   Although the Department of Justice supports H.R. 695's overall goal of  

   promoting the wide dissemination of strong encryption, we believe that  

   the bill would severely compromise law enforcement's ability to protect 

   the American people from the threats posed by terrorists, organized     

   crime, child pornographers, drug cartels, financial predators, hostile  

   foreign intelligence agents, and other criminals. In addition, the bill 

   would greatly impair the government's ability to prosecute those crimes 

   when they do occur. We urge the Subcommittee to reject H.R. 695 in its  

   present form.                                                           

      There is widespread agreement that strong encryption is essential to 

   the success of the emerging Global Information Infrastructure (GII).    

   Communications and data must be protected--both in transit and in       

   storage--if the GII is to be used for personal communications, financial

   transactions, medical care, the development of new intellectual         

   property, and myriad other applications. Having recognized the          

   importance of encryption, we must ensure that its application is        

   consistent with the larger goals of society. One approach, that taken by

   H.R. 695 advocates the proliferation of unbreakable encryption that     

   would not only protect commerce and privacy, but also unintentionally   

   protect criminals. A better approach, advocated by the Administration,  

   encourages the use of data recovery products that fully protect commerce

   and privacy, but without sacrificing public safety and national         

   security.                                                               

      Viewed in this light, the proposed legislation poses two major       

   problems for federal, state, and local law enforcement. First, it would 

   effectively eliminate all export controls on                            



                    strong encryption, thereby undermining public safety and      

          national security by encouraging the proliferation of unbreakable       

          encryption. Second, the bill discourages formation of a key management  

          infrastructure that addresses the needs of public safety, economic      

          security and privacy.                                                   

      The elimination of export controls would adversely affect national   

   security and foreign policy interests and severely impair many law      

   enforcement efforts at the federal, state and local level. We have      

   heard, of course, the oft-repeated argument that the ``genie is already 

   out of the bottle''--that strong encryption is already widely available 

   overseas and over the Internet and that attempts to limit its spread are

   futile, and serve only to handicap U.S. manufacturers seeking to sell   

   their encryption products overseas. In fact, this is not the case.      

      Although strong encryption products can be found overseas, these     

   products are not ubiquitous, in part because the export of strong       

   encryption is controlled by both the U.S. and other countries. It is    

   worth noting in this regard that export of encryption over the Internet,

   like any other means of export, is restricted under U.S. law. Although  

   it is difficult to prevent completely encryption products from being    

   sent abroad over the Internet, we believe that the legal restrictions   

   will limit the use of the Internet as a means of evading export         

   controls.                                                               

      In addition, the quality of encryption products offered abroad varies

   greatly, with some encryption products not providing the levels of      

   protection advertised. Finally, the vast majority of businesses with a  

   serious need for strong encryption are not likely to rely on encryption 

   downloaded from the Internet from untested sources, but will prefer     

   instead to deal with known and reliable suppliers. For these reasons,   

   export controls continue to serve a critical function.                  

      A few other factors are important to consider regarding export       

   controls. First, our allies strongly concur that unrestricted export of 

   encryption would severely hamper law enforcement objectives. It would be

   a terrible irony if this government--which prides itself on its         

   leadership in fighting international crime--were to enact a law that    

   would jeopardize public safety and weaken law enforcement agencies      

   worldwide.                                                              

      Second, critics of export controls have mistakenly assumed that the  

   lifting of export controls would result in unrestricted access to       

   markets abroad by U.S. companies. But this assumption ignores the likely

   reaction of foreign governments to the elimination of U.S. export       

   controls. To date, most other countries have not needed to restrict     

   imports or domestic use of encryption, largely because export controls  

   in the U.S.--the                                                        



                    world leader in computer technology--and other countries have 

          made such restrictions unnecessary. But given other countries'          

          legitimate concerns about the potential worldwide proliferation of      

          unbreakable encryption products, we believe that many of those countries

          would respond to any lifting of U.S. export controls by imposing import 

          controls, or by restricting use of strong encryption by their citizens. 

      France, Russia and Israel, for example, have already established     

   domestic restrictions on the import, manufacture, sale and use of       

   encryption products. In addition, a number of European Union countries  

   are moving towards the adoption of a key-recovery-based key management  

   infrastructure similar to that proposed by the Administration. In the   

   long run, then, U.S. companies might not be any better off if U.S.      

   export controls were lifted, but the would have undermined our          

   leadership role in fighting international crime and damaged our own     

   national security interests in the meantime.                            

      We also oppose H.R. 695 because it would impede or prevent the       

   development of a key management infrastructure. The bill could be read  

   as prohibiting the United States government from using appropriate      

   incentives to support a key management infrastructure and key recovery. 

   Without such an infrastructure supporting key recovery, federal law     

   enforcement investigations will become far more difficult. The problems 

   that enactment of H.R. 695 would pose for state and local law           

   enforcement, which lack access to supercomputers, are even greater.     

      In law enforcement, quick action can save lives, reduce crime and    

   apprehend criminals. Criminals, therefore, rely on techniques that help 

   them slow or prevent law enforcement officers from detecting and solving

   crimes and catching offenders. The passage of H.R. 695 could            

   unintentionally add a powerful new technique--unbreakable encryption--to

   the collection of methods that criminals use to thwart law enforcement  

   and prey upon the residents of the United States. It is difficult enough

   to fight crime without making criminals' tasks any easier.              

      The Subcommittee should approve a bill that encourages the           

   development of a key management infrastructure and key recovery system  

   coupled with responsible export controls. We look forward to working    

   with you in developing an approach to encryption that meets the dual    

   goals of maintaining law enforcement's ability to fight crime and       

   protecting the right to privacy within the burgeoning global information

   infrastructure. We are hopeful that by working together we can create a 

   mutually acceptable national encryption policy. The Office of Management

   and Budget has advised that there is no objection from the standpoint of

   the Administration's program to the presentation of this report.        

   Sincerely,                                                              



         Andrew Fois,                                                           



        Assistant Attorney General.                                             





                   CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED          



      In compliance with clause 3 of rule XIII of the Rules of the House of

   Representatives, changes in existing law made by the bill, as reported, 

   are shown as follows (new matter is printed in italic, and existing law 

   in which no change is proposed is shown in roman):                      

                                TITLE 18, UNITED STATES CODE                      



         * * * * * * *                                                           



          PART I--CRIMES                                                          





 Chap.                                                                   



 Sec.                                                                    



         1.   General provisions                                                



        1                                                                      



         * * * * * * *                                                           





         125. Encrypted wire and electronic information                         



        2801                                                                   





         * * * * * * *                                                           



                   CHAPTER 125--ENCRYPTED WIRE AND ELECTRONIC INFORMATION         





      2801. Definitions.                                                      



      2802. Freedom to use encryption.                                        



      2803. Freedom to sell encryption.                                       



      2804. Prohibition on mandatory key escrow.                              



      2805. Unlawful use of encryption in furtherance of a criminal act.      





          2801. Definitions                                                       



   As used in this chapter--                                              



       (1) the terms ``person'', ``State'', ``wire communication'',        

   ``electronic communication'', ``investigative or law enforcement        

   officer'', and ``judge of competent jurisdiction'' have the meanings    

   given those terms in section 2510 of this title;                        

       (2) the terms ``encrypt'' and ``encryption'' refer to the scrambling

   of wire communications, electronic communications, or electronically    

   stored information, using mathematical formulas or algorithms in order  

   to preserve the confidentiality, integrity, or authenticity of, and     

   prevent unauthorized recipients from accessing or altering, such        

   communications or information;                                          

       (3) the term ``key'' means the variable information used in a       

   mathematical formula, code, or algorithm, or any component thereof, used

   to decrypt wire communications, electronic communications, or           

   electronically stored information, that has been encrypted; and         

    (4) the term ``United States person'' means--                          



    (A) any United States citizen;                                         



       (B) any other person organized under the laws of any State, the     

   District of Columbia, or any commonwealth, territory, or possession of  

   the United States; and                                                  

       (C) any person organized under the laws of any foreign country who  

   is owned or controlled by individuals or persons described in           

   subparagraphs (A) and (B).                                              

          2802. Freedom to use encryption                                         



     Subject to section 2805, it shall be lawful for any person within any

  State, and for any United States person in a foreign country, to use any

  encryption, regardless of the encryption algorithm selected, encryption 

  key length chosen, or implementation technique or medium used.          

          2803. Freedom to sell encryption                                        



     Subject to section 2805, it shall be lawful for any person within any

  State to sell in interstate commerce any encryption, regardless of the  

  encryption algorithm selected, encryption key length chosen, or         

  implementation technique or medium used.                                

          2804. Prohibition on mandatory key escrow                               



     (a) Prohibition.--No person in lawful possession of a key to         

  encrypted communications or information may be required by Federal or   

  State law to relinquish to another person control of that key.          

     (b) Exception for Access for Law Enforcement Purposes.--Subsection   

  (a) shall not affect the authority of any investigative or law          

  enforcement officer, or any member of the intelligence community as     

  defined in section 3 of the National Security Act of 1947 (50 U.S.C.    

  401a), acting under any law in effect on the effective date of this     

  chapter, to gain access to encrypted communications or information.     

          2805. Unlawful use of encryption in furtherance of a criminal act       



     Any person who, in the commission of a felony under a criminal       

  statute of the United States, knowingly and willfully encrypts          

  incriminating communications or information relating to that felony with

  the intent to conceal such communications or information for the purpose

  of avoiding detection by law enforcement agencies or prosecution--      

       (1) in the case of a first offense under this section, shall be     

   imprisoned for not more than 5 years, or fined in the amount set forth  

   in this title, or both; and                                             

       (2) in the case of a second or subsequent offense under this        

   section, shall be imprisoned for not more than 10 years, or fined in the

   amount set forth in this title, or both.                                



         * * * * * * *                                                           



                                                                                 



                     SECTION 17 OF THE EXPORT ADMINISTRATION ACT OF 1979          



    Sec.  17. (a) * * *                                                   



         * * * * * * *                                                           





   (g)  Computers and Related Equipment.--                                



       (1) General rule.--Subject to paragraphs (2), (3), and (4), the     

   Secretary shall have exclusive authority to control exports of all      

   computer hardware, software, and technology for information security    

   (including encryption), except that which is specifically designed or   

   modified for military use, including command, control, and intelligence 

   applications.                                                           

       (2) Items not requiring licenses.--No validated license may be      

   required, except pursuant to the Trading With The Enemy Act or the      

   International Emergency Economic Powers Act (but only to the extent that

   the authority of such Act is not exercised to extend controls imposed   

   under this Act), for the export or reexport of--                        

    (A) any software, including software with encryption capabilities--    



       (i) that is generally available, as is, and is designed for         

   installation by the purchaser; or                                       

       (ii) that is in the public domain for which copyright or other      

   protection is not available under title 17, United States Code, or that 

   is available to the public because it is generally accessible to the    

   interested public in any form; or                                       

       (B) any computing device solely because it incorporates or employs  

   in any form software (including software with encryption capabilities)  

   exempted from any requirement for a validated license under subparagraph

   (A).                                                                    

       (3) Software with encryption capabilities.--The Secretary shall     

   authorize the export or reexport of software with encryption            

   capabilities for nonmilitary end uses in any country to which exports of

   software of similar capability are permitted for use by financial       

   institutions not controlled in fact by United States persons, unless    

   there is substantial evidence that such software will be--              

       (A) diverted to a military end use or an end use supporting         

   international terrorism;                                                

    (B) modified for military or terrorist end use; or                     



       (C) reexported without any authorization by the United States that  

   may be required under this Act.                                         

       (4) Hardware with encryption capabilities.--The Secretary shall     

   authorize the export or reexport of computer hardware with encryption   

   capabilities if the Secretary determines that a product offering        

   comparable security is commercially available outside the United States 

   from a foreign supplier, without effective restrictions.                

    (5)  Definitions.--As used in this subsection--                        



       (A) the term ``encryption'' means the scrambling of wire or         

   electronic information using mathematical formulas or algorithms in     

   order to preserve the confidentiality, integrity, or authenticity of,   

   and prevent unauthorized recipients from accessing or altering, such    

   information;                                                            

       (B) the term ``generally available'' means, in the case of software 

   (including software with encryption capabilities), software that is     

   offered for sale, license, or transfer to any person without            

   restriction, whether or not for consideration, including, but not       

   limited to, over-the-counter retail sales, mail order transactions,     

   phone order transactions, electronic distribution, or sale on approval; 

       (C) the term ``as is'' means, in the case of software (including    

   software with encryption capabilities), a software program that is not  

   designed, developed, or tailored by the software publisher for specific 

   purchasers, except that such purchasers may supply certain installation 

   parameters needed by the software program to function properly with the 

   purchaser's system and may customize the software program by choosing   

   among options contained in the software program;                        

       (D) the term ``is designed for installation by the purchaser''      

   means, in the case of software (including software with encryption      

   capabilities) that--                                                    

       (i) the software publisher intends for the purchaser (including any 

   licensee or transferee), who may not be the actual program user, to     

   install the software program on a computing device and has supplied the 

   necessary instructions to do so, except that the publisher may also     

   provide telephone help line services for software installation,         

   electronic transmission, or basic operations; and                       

       (ii) the software program is designed for installation by the       

   purchaser without further substantial support by the supplier;          

       (E) the term ``computing device'' means a device which incorporates 

   one or more microprocessor-based central processing units that can      

   accept, store, process, or provide output of data; and                  

       (F) the term ``computer hardware'', when used in conjunction with   

   information security, includes, but is not limited to, computer systems,

   equipment, application-specific assemblies, modules, and integrated     

   circuits.                                                               



                           ADDITIONAL VIEWS OF HON. BOB GOODLATTE                 



      H.R. 695, the Security And Freedom through Encryption (SAFE) Act of  

   1997, accomplishes three critical goals: preventing economic crime,     

   promoting electronic commerce, and protecting the personal privacy of   

   all law-abiding Americans. I am pleased that both the Courts and        

   Intellectual Property Subcommittee and the full Judiciary Committee have

   approved this bipartisan legislation by voice vote. I would also like to

   thank the lead cosponsor of the SAFE Act, Rep. Zoe Lofgren (D CA), for  

   her leadership. support, and dedication to this important issue.        

      The Administration's encryption policies are at odds with its stated 

   goals. For example, the Administration has stated in testimony before   

   both the House and Senate that it supports the widespread use of strong 

   encryption. However, the Administration continues to enforce antiquated 

   Cold War export restrictions that prevent the widespread use of strong  

   encryption.                                                             

      The Department of Justice has been particularly hostile to H.R. 695, 

   even going so far as publicly stating that the bill would be devastating

   to international law enforcement. As an example, just hours prior to    

   Subcommittee markup of H.R. 695 on April 30, 1997, the Department of    

   Justice circulated a letter to Judiciary Committee members opposing the 

   legislation. This letter contained a series of allegations which deserve

   a response.                                                             



                     DOJ Claim: The bill ``discourages formation of a   

          key management infrastructure''.                              

                     Response: The SAFE Act takes no position on the    

          development of a key management infrastructure.               



      The term ``key management infrastructure'' refers to a system, yet to

   be fully developed, that would allow Internet users to know with whom   

   they are communicating, to verify document signatures, and to identify  

   whether documents are tampered with or altered in transmission. Such a  

   system could partly operate through ``Certificate Authorities'', or     

   commercial entities that would certify, like digital notary publics,    

   that certain public keys are in fact the keys of particular individuals 

   or corporations.                                                        

      Driven by user needs, the on-line world is developing such systems of

   assurance without government intervention. The security and             

   effectiveness of these systems will be tested by the market.            

   Consequently, it is impossible to know at this point which systems will 

   succeed and which will fail--the intensely competitive global           

   marketplace will decide that question. Government bureaucracy and       

   regulation is neither necessary nor desirable.                          

      Perhaps the greatest impediment to the development of a widespread   

   global key management infrastructure to date has been the               

   Administration's restrictive export policies. By preventing American    

   companies from exporting strong encryption, this Administration has     

   perpetuated a sense of uncertainty in the global market that has        

   discouraged these companies from developing commercial infrastructures. 

   Contrary to the Administration's claim, therefore, H.R. 695 would       

   actually promote development of' Certificate Authorities and key        

   management infrastructures in the best way possible, by removing        

   unwanted, unworkable, and unwise government bureaucracy and regulation. 

      A recent report issued by nine of the world's top cryptographers,    

   entitled ``The Risks of Key Recovery, Key Escrow, and Trusted Third     

   Party Encryption'', offers further evidence that various key escrow, key

   recovery. and key management systems that have been proposed by the     

   Administration are neither feasible nor advisable. As stated In this    

   report:                                                                 



                     Government key recovery proposals call for one of  

          the most ambitious and far-reaching deployments of the        

          information age. The field of cryptography has no experience  

          in deploying secure systems of this scope and complexity.* * *

          Attempts to force the widespread adoption of key recovery     

          encryption through export controls, import or domestic use    

          regulations, or international standards should be considered  

          in light of these factors. The public must carefully consider 

          the costs and benefits of embracing government-access key     

          recovery before imposing the new security risks and spending  

          the huge investment required--potentially many billions of    

          dollars, in direct and indirect costs--to deploy a global key 

          recovery infrastructure.                                      



    The Administration has stated publicly that ``only industry can build 

  a robust and scalable key management infrastructure''. This report shows

  quite clearly that proposals to establish global key management systems,

  including incentives to use such systems, are at best premature. As     

  former British Prime Minister Margaret Thatcher aptly put it,           

  ``Governments * * * are themselves `blind forces' blundering about in   

  the dark, and obstructing the operations of markets rather than         

  improving them.''                                                       



                     DOJ Claim: Strong encryption is not widely         

          available overseas, in part because of U.S. export controls.  

                     Response: German, Dutch, Swedish, British, Russian 

          and other foreign manufacturers have created strong and       

          reliable encryption products that are available               

          internationally and on the Internet.                          



      As evidence of this, the following excerpt is from a recent New York 

   Times article discussing the success of a German company, Brokat        

   Informationsysteme, which produces a 128-bit encryption program:        



                     Far from hindering the spread of powerful          

          encryption programs * * * American policy has created a       

          bonanza for alert entrepreneurs outside the United States.    

          When America Online wanted to offer on-line banking and       

          shopping services in Europe, it turned to Brokat for the      

          software that encodes transactions and protects them from     

          hackers and on-line bandits. When Netscape Communications and 

          Microsoft wanted to sell Internet software to Germany's       

          biggest banks, they had to team up with Brokat to deliver the 

          security guarantees that the banks demanded.* * * Besides     

          America Online, Brokat's customers include more than 30 big   

          banking and financial institutions around Europe.             



      Perhaps a more vivid example of the folly of the Administration's    

   export restrictions is the recent announcement that Sun Microsystems,   

   one of the leading U.S. computer companies, will be entering into a     

   partnership with Elvis+, a Russian encryption manufacturer, to          

   distribute strong encryption worldwide. Since the U.S. has no import or 

   domestic controls on the use of non-key escrow encryption, Sun can      

   import the Russian product and distribute it domestically, while the    

   Russian company distributes the same product overseas. Therefore, U.S.  

   companies will now be able to securely communicate with their overseas  

   offices and subsidiaries without violating the export control laws.     



      The Sun announcement demonstrates three critical facts that reveal   

   the absurdity of arguments the Administration uses to defend its current

   policies: (1) consumers are demanding strong encryption products to     

   protect their digital communications; (2) strong encryption products are

   already available from foreign manufacturers, and reputable U.S. firms  

   are willing to stake their corporate reputations on the quality of those

   products; and (3) the current export control scheme is taking jobs and  

   revenue away from our economy.                                          

      Additionally, many individuals and small businesses rely on the      

   Pretty Good Privacy encryption program, which is available on the       

   Internet worldwide. PGP is equivalent to 128-bit encryption, and has    

   been tested again and again. It is based on a public algorithm, so every

   hacker, graduate student, and computer scientist in the world can try to

   break it. None have succeeded.                                          



                     DOJ Claim: If the U.S. were to relax its current   

          export controls on strong encryption, foreign governments     

          would respond by creating import controls on U.S. products and

          thus those markets would not open to U.S. companies.          

                     Response: The United States should not set its     

          export policies on the basis of actions that other countries  

          might take.                                                   



      The U.S. government should not stand in the way of our industry's    

   ability to compete in the global marketplace--in fact, it should use any

   resources available to help American companies succeed in global        

   markets. When foreign governments raise import barriers to keep out U.S.

   products, they do so to allow their own industries to dominate the      

   marketplace. We should not allow ourselves to be fooled into believing  

   otherwise.                                                              



                     DOJ Claim: H.R. 695 would ``adversely affect       

          national security and foreign policy interests and severely   

          impair many law enforcement efforts at the federal, state, and

          local level.''                                                

                     Response: Strong encryption prevents crime.        

          Consider the findings of the National Research Council on the 

          use of strong encryption:                                     



                    If cryptography can protect the trade secrets and   

          proprietary information of businesses and thereby reduce      

          economic espionage (which it can). it also supports in a most 

          important manner the job of law enforcement. If cryptography  

          can help protect nationally critical information systems and  

          networks against unauthorized penetration (which it can), it  

          also supports the national security of the United States.     





      When criminals talk to other criminals, they will always be able to  

   use strong encryption, with no mechanism for law enforcement access, to 

   protect their communications. The Administration's policy will not      

   prevent this, since it is not proposing direct domestic or import       

   controls on strong encryption, and cannot prevent foreign companies from

   developing and distributing such products. However, when these criminals

   communicate with legitimate organizations, such as banks, law           

   enforcement will always be able to obtain evidence from such            

   organizations via court order or grand jury subpoena. Therefore,        

   allowing law-abiding people to use strong encryption to protect         

   themselves, and allowing U.S. companies to fully compete in the global  

   marketplace, will not prevent law enforcement from pursuing and stopping

   criminals.                                                              

      It is truly ironic that law enforcement agencies would oppose        

   legislation that prevents crime. Unfortunately, it seems that the       

   Administration does not want to empower our citizens and our industries 

   to protect themselves in the Information Age. Just as dead-bolt locks   

   and alarm systems help people protect their houses against intruders,   

   thereby assisting law enforcement in preventing crime, strong encryption

   allows people to protect their digital communications and computer      

   systems against criminal hackers and computer thieves.                  

      The SAFE Act prevents crime, promotes commerce, and protects privacy.

   Additionally, it allows the free market to design its own standards and 

   solutions for the development of global commerce, free from unwanted and

   unworkable government regulation. This bipartisan legislation ensures   

   that all law-abiding Americans will be able to communicate and conduct  

   business securely in the Information Age.                               



         Bob Goodlatte.                                                         





                                 ADDITIONAL MINORITY VIEWS                        



      We offer these additional views not to foment dissent but to         

   encourage dialogue with the Administration on the issues related to     

   encryption. We would like to work with federal law enforcement and      

   national security agencies to address their concerns.                   

      We sympathize with the difficulties faced by investigative and       

   security agencies in combating crime, terrorism, and espionage. We      

   believe it is quite legitimate for the Administration to be concerned   

   about the uncertain impact that strong and ubiquitous encryption        

   products may have on law enforcement and national security agencies. We 

   realize that it may ultimately become impossible for government agencies

   to decipher intercepted or retrieved data and communications that have, 

   by encryption, been transformed into a seemingly unintelligible form.   

      We recognize the days of cracking strong codes are nearly gone.      

   Unbreakable codes (256-bit key algorithms can generate more possible    

   solutions than there are particles in the known universe) are already   

   widely known. Private security experts and sophisticated hackers have   

   already realized this and are beginning to develop ways of attacking the

   vulnerable points before and after the information is encrypted (i.e.,  

   on the sender's hard drive or at a ``good-guy'' recipient such as a     

   bank). We suspect that law enforcement and national security experts    

   within the government are acquiring similar capabilities. But these     

   alternative (and more subtle) approaches are not reflected in the       

   Administration's current public policy toward encryption.               

      The Administration's current encryption policy, a policy that runs   

   back at least to the Bush Administration, creates more problems than it 

   resolves. The policy is a combination of encryption export controls and 

   a key escrow system by which the key to the code encrypting the         

   information is to be held by a third party (so it may be made available 

   to the government).                                                     

      We need to be honest about this situation. We don't expect most      

   narcotics traffickers, terrorists, or criminals to respect export       

   restrictions on encryption when they don't respect our underlying drugs 

   or weapons laws. And we don't generally expect anyone who employs       

   encryption in furtherance of a crime to readily give their keys to some 

   third party so they may be made available to the government.            

      The Administration maintains that there is a commercial need for key 

   recovery. While that may be true to some extent, there appears to be    

   little or no demand for the all-encompassing system they want to        

   mandate. Experts have uniformly concluded the government's proposed     

   system is either excessively costly and complex or insecure. In part,   

   this is true because the government seeks access to real-time           

   communications and data transmissions, rather than the ability to       

   recover stored data.                                                    

      The Administration insists it doesn't want domestic restrictions on  

   encryption. We are concerned, however, that the Administration policy   

   does have this effect. Development of software programs, including those

   utilizing encryption, occurs at an amazingly rapid pace, so it is not   

   feasible for computer software and hardware companies to develop        

   separate products for export and for domestic use. As a result, as a    

   practical matter, only products that are exportable, with weaker        

   encryption or with government-approved key recovery-escrow, can be      

   marketed at present.                                                    

      We fear that current encryption policy, encouraging as it does weaker

   encryption, makes every American more vulnerable to illicit or          

   surreptitious access to our computer files, our phone conversations, and

   personal information, and thus exposes our citizens to hackers,         

   terrorists, and thieves. It is ironic that what is trumpeted as an aid  

   to law enforcement may instead                                          



          compromise individual and corporate security.                           



      What we have here is not only a combination of export controls and a 

   key recovery system that does not work, we have a system that           

   compromises the competitiveness and security of this nation's software  

   and hardware industry, as well as our privacy rights. As conceded by    

   Administration witnesses, the proposed key recovery system can succeed  

   only as long as there is no non-conforming encryption software readily  

   available in the market. But there is already an abundance of such      

   software, some of it freeware, that is readily available over the       

   Internet.                                                               

      The proposed key recovery system can not work unless the United      

   States persuades every other nation to adopt key recovery. We can safely

   say we are unlikely to obtain the agreement of Libya, Iran, Iraq, or    

   North Korea. In addition, the efforts to date of David Aaron, U.S.      

   Ambassador to the Organization for Economic Cooperation and Development 

   (OECD), to obtain a consensus in support of key recovery resulted       

   instead in a consensus opposing it.                                     

      The Administration's policy has therefore been a strong market       

   incentive:                                                              

       (a) for non-participants (in the Administration's key escrow        

   program) to make non-standard, secure encryption available, and         

       (b) for U.S. companies to set up abroad in ``encryption havens'' so 

   they may legally market strong, secure encryption products to customers 

   who decline to make their ``international key'' available to diverse    

   governments around the world.                                           

    There are already U.S. companies establishing ties with foreign       

  companies in Japan, Russia, and elsewhere.                              

      Nor is this policy without its cost. It is estimated that, if the    

   U.S. persists in its current policy through the year 2000, we shall lose

   200,000 jobs and $60 billion each year. This is what it will cost this  

   nation to lose the cryptography lead we enjoy and the competitive       

   expertise necessary to maintain our market position.                    

      Unfortunately, our discussions to date with law enforcement and      

   intelligence agencies have not admitted of the possibility of any       

   further relaxation of export restrictions as part of the broader process

   essential to resolving this complex question. Nor has the Administration

   offered to consider alternatives to its key escrow or key recovery      

   system.                                                                 

      H.R. 695 need not be the end of the process but the beginning of a   

   real dialogue. This is what we would like to happen. We continue to     

   remain hopeful that the Administration will acknowledge the shortcomings

   of its current policy and sincerely hope that this will happen soon lest

   more serious damage be done to our industry, to our security and to our 

   privacy.                                                                



     John Conyers,  Jr.                                                     



     Rick Boucher .                                                         



     Zoe Lofgren .                                                          



     Maxine Waters .                                                        



     William Delahunt .                                                     



     Martin T. Meehan .