Mr. LEAHY. Mr. President, I am joined today by Senators Burns, Dole, Pressler, and Murray in introducing a bill that is pro-business, pro-jobs and pro-privacy.
The Encrypted Communications Privacy Act of 1996 would enhance the global competitiveness of our high-technology industries, protect the high-paying good jobs in those industries and maximize the choices in encryption technology available for businesses and individuals to protect the privacy, confidentiality and security of their computer, telephone, and other wire and electronic communications.
The guiding principle for this bill can be summed up in one sentence: Encryption is good for American business and good business for Americans.
FBI Director Louis Freeh testified last week at a hearing on economic espionage and quoted Secretary of State Warren Christopher as saying that `Our national security is inseparable from our economic security.' I could not agree more. Yet, American businesses are suffering a double blow from our current encryption policies. First, American firms lose billions of dollars each year due to the theft of proprietary economic information, which could be better protected if strong encryption were more widely used. Second, government export restrictions tie the hands of American high-technology businesses by barring the export of strong encryption technology. The size of these combined losses makes encryption one of the critical issues facing American businesses today.
Moreover, the increasing use of and dependency on networked computers by Americans to obtain critical medical services, to conduct research, to be entertained, to go shopping and to communicate with friends and business associates, raises special concerns about the privacy and confidentiality of their computer transmissions. I have long been concerned about these issues, and have worked over the past decade to create a legal structure to foster privacy and security for our wire and electronic communications. Encryption technology provides an effective way to ensure that only the people we choose can read our communications.
A leading encryption expert, Matt Blaze, told me in a recent letter that our current regulations governing the use and export of encryption are having a `deleterious effect on our country's ability to develop a reliable and trustworthy information infrastructure.' It is time for Congress to take steps to put our national encryption policy on the right course.
The Encrypted Communications Privacy Act would accomplish three goals:
First, the bill encourages the use of encryption by legislatively confirming that Americans have the freedom to use and sell here in the United States any encryption technology that they feel is most appropriate to meet their privacy and security needs. The bill bars any government-mandated use of any particular encryption system, such as a key escrow encryption system.
Second, for those Americans who choose to use a key escrow encryption method, the bill establishes privacy standards for key holders and stringent procedures for how law enforcement can obtain access to decoding keys and decryption assistance. These standards would subject key holders to criminal and civil liability if they released the keys or divulged the identity and information about the user of the encryption system, without legal authorization. Commenting on these provisions, Bruce Schneier, who has literally written the textbook on encryption, said in a recent letter to me that the bill `recognizes the special obligations of keyholders to be vigilant in safeguarding the information entrusted to them, without imposing hurdles on the use of cryptography.'
Finally, the bill loosens export restrictions on encryption products. Under the bill, it would be lawful for American companies to export high-technology products with encryption capabilities when comparable encryption capabilities are available from foreign suppliers, and generally available encryption software, including mass market products and encryption that is in the public domain. According to Mr. Schneier, the bill `removes the strangle-hold that has encumbered the development of mass-market security solutions' which are so vital to the development of our information infrastructure.
Senator Murray took a leading role in the last Congress on reforming our export restrictions on encryption, and I commend her for continuing to give this important issue her committed attention again in this Congress.
Current export restrictions allow the export of primarily weak encryption software programs. So weak, in fact, that a January 1996 report by an ad hoc group of world-renowned cryptographers and computer scientists estimated that it would take a pedestrian hacker a matter of hours to break and a foreign intelligence agency a matter of nanoseconds to break. No wonder that foreign buyers of encryption products are increasingly looking elsewhere for strong security. This hurts the competitiveness of our high-technology industry.
A recent report by the Computer Systems Policy Project, which is a group of major American computer companies, estimated that U.S. companies stand to lose between $30 and $60 billion in revenues and over 200,000 high-technology jobs by the year 2000 because U.S. companies are handicapped in the global market by outdated export restrictions.
Even the Commerce Department reported in January that U.S. export controls may have a `negative effect on U.S. competitiveness' and `may discourage' the use of strong encryption domestically since manufacturers want to make only one product for export and for use here.
Although American companies account for almost 75 percent of the global market for prepackaged software, the rest of the world is competing strongly in the market for encryption software. Shortsighted government policy is holding back American business. Almost 2 years ago, I chaired a hearing of the Judiciary Subcommittee on Technology and the Law on the administration's Clipper Chip key escrow encryption program. I heard testimony about 340 foreign encryption products that were available worldwide, 155 of them employing encryption in a strength that American firms were prohibited from exporting.
In 2 short years, those numbers have increased. According to a survey of cryptographic products conducted by Trusted Information Systems, as of December 1995, 497 foreign products from 28 countries were available with encryption security. Almost 200 of these foreign products used strong encryption that American companies are barred from selling abroad. This study draws the obvious conclusion that `As a result, U.S. Government restrictions may be succeeding only in crippling a vital American industry's exporting ability.'
At the Clipper Chip hearing I chaired in 1994, I heard a number of reports about American companies losing business opportunities due to U.S. export restrictions. One data security company reported that despite its superior system, it had been unable to respond to requests from NATO and foreign telecommunications companies because it cannot export the encryption they demanded. This cost this single American company millions in foregone business. Another major computer company lost two sales in Western Europe in a single year totaling about $80 million because the file and data encryption in the integrated system they offered was not exportable.
Our current export restrictions on encryption technology are fencing off the global marketplace and hurting the competitiveness of this part of our high-technology industries. While national and domestic security concerns must weigh heavily, we need to do a better job of balancing these concerns with American business' need for encryption and the economic opportunities for our high-technology industries that encryption technology provides.
American businesses are not only suffering lost sales because of our current export restrictions, but are also suffering staggering losses due to economic espionage. FBI Director Freeh testified that the White House Office of Science and Technology Policy puts the amount of that loss at $100 billion per year. At a hearing last week on economic espionage, we heard from one witness who had to close down his software company, with a loss of 25 jobs, after China bribed an employee to steal the source code for the company's software.
We have bills pending before Congress to enact new criminal laws to punish people who steal trade secrets or other proprietary information and who break into computers to steal sensitive information. But new criminal laws are not the whole answer. Criminal laws often only come into play too late, after the theft has occurred or the injury inflicted.
We must encourage American firms to take preventive measures to protect their vital economic information. That is where encryption comes in. Just as we have security systems to lock up our offices and file drawers, we need strong encryption systems to protect the security and confidentiality of business information.
The Computer Systems Policy Project estimates that, without strong encryption, financial losses by the year 2000 from breaches of computer security systems will be from $40 to $80 billion. Unfortunately, some of these losses are already occurring. One U.S.-based manufacturer is quoted in the Project's report, saying:
We had a multi-year, multi-billion dollar contract stolen off our P.C. (while bidding in a foreign country). Had it been encrypted, [the foreign competitor] could not have used it in the bidding time frame.
New technologies present enormous opportunities for Americans, but we must strive to safeguard our privacy if these technologies are to prosper in this information age. Otherwise, in the service of law enforcement and intelligence needs, we will dampen any enthusiasm Americans may have for taking advantage of the new technologies.
I look forward to working with my colleagues on this important matter, and ask unanimous consent that the bill, a summary of the bill, and three letters of support from Matt Blaze, Bruce Schneier, and Business Software Alliance, be included in the Record.
There being no objection, the material was ordered to be printed in the Record, as follows:
SECTION 1. SHORT TITLE.
This Act may be cited as the `Encrypted Communications Privacy Act of 1996'.
SEC. 2. PURPOSE.
It is the purpose of this Act--
(1) to ensure that Americans are able to have the maximum possible choice in encryption methods to protect the security, confidentiality, and privacy of their lawful wire or electronic communications; and
(2) to establish privacy standards for key holders who are voluntarily entrusted with the means to decrypt such communications, and procedures by which investigative or law enforcement officers may obtain assistance in decrypting such communications.
SEC. 3. FINDINGS.
The Congress finds that--
(1) the digitization of information and the explosion in the growth of computing and electronic networking offers tremendous potential benefits to the way Americans live, work, and are entertained, but also raises new threats to the privacy of American citizens and the competitiveness of American businesses;
(2) a secure, private, and trusted national and global information infrastructure is essential to promote economic growth, protect citizens' privacy, and meet the needs of American citizens and businesses;
(3) the rights of Americans to the privacy and security of their communications and in conducting their personal and business affairs should be preserved and protected;
(4) the authority and ability of investigative and law enforcement officers to access and decipher, in a timely manner and as provided by law, wire and electronic communications necessary to provide for public safety and national security should also be preserved;
(5) individuals will not entrust their sensitive personal, medical, financial, and other information to computers and computer networks unless the security and privacy of that information is assured;
(6) business will not entrust their proprietary and sensitive corporate information, including information about products, processes, customers, finances, and employees, to computers and computer networks unless the security and privacy of that information is assured;
(7) encryption technology can enhance the privacy, security, confidentiality, integrity, and authenticity of wire and electronic communications and stored electronic information;
(8) encryption techniques, technology, programs, and products are widely available worldwide;
(9) Americans should be free lawfully to use whatever particular encryption techniques, technologies, programs, or products developed in the marketplace they desire in order to interact electronically worldwide in a secure, private, and confidential manner;
(10) American companies should be free to compete and to sell encryption technology, programs, and products;
(11) there is a need to develop a national encryption policy that advances the development of the national and global information infrastructure, and preserves Americans' right to privacy and the Nation's public safety and national security;
(12) there is a need to clarify the legal rights and responsibilities of key holders who are voluntarily entrusted with the means to decrypt wire or electronic communications;
(13) the Congress and the American people have recognized the need to balance the right to privacy and the protection of the public safety and national security;
(14) the Congress has permitted lawful electronic surveillance by investigative or law enforcement officers only upon compliance with stringent statutory standards and procedures; and
(15) there is a need to clarify the standards and procedures by which investigative or law enforcement officers obtain assistance from key holders who are voluntarily entrusted with the means to decrypt wire or electronic communications, including such communications in electronic storage.
SEC. 4. FREEDOM TO USE ENCRYPTION.
(a) Lawful Use of Encryption: It shall be lawful for any person within any State of the United States, the District of Columbia, the Commonwealth of Puerto Rico, and any territory or possession of the United States, and by United States persons in a foreign country to use any encryption, regardless of encryption algorithm selected, encryption key length chosen, or implementation technique or medium used except as provided in this Act and the amendments made by this Act or in any other law.
(b) General Construction: Nothing in this Act or the amendments made by this Act shall be construed to--
(1) require the use by any person of any form of encryption;
(2) limit or affect the ability of any person to use encryption without a key escrow function; or
(3) limit or affect the ability of any person who chooses to use encryption with a key escrow function not to use a key holder.
SEC. 5. ENCRYPTED WIRE AND ELECTRONIC COMMUNICATIONS.
(a) In General: Part I of title 18, United States Code, is amended by inserting after chapter 121 the following new chapter:
`2801. Definitions.
`2802. Prohibited acts by key holders.
`2803. Reporting requirements.
`2804. Unlawful use of encryption to obstruct justice.
`2805. Freedom to sell encryption products.
`2801. Definitions
`As used in this chapter--
`(1) the terms `person', `State', `wire communication', `electronic communication', `investigative or law enforcement officer', `judge of competent jurisdiction', and `electronic storage' have the same meanings given such terms in section 2510 of this title;
`(2) the term `encryption' means the scrambling of wire or electronic communications using mathematical formulas or algorithms in order to preserve the confidentiality, integrity or authenticity and prevent unauthorized recipients from accessing or altering such communications;
`(3) the term `key holder' means a person located within the United States (which may, but is not required to, be a Federal agency) who is voluntarily entrusted by another independent person with the means to decrypt that person's wire or electronic communications for the purpose of subsequent decryption of such communications;
`(4) the term `decryption key' means the variable information used in a mathematical formula, code, or algorithm, or any component thereof, used to decrypt wire or electronic communications that have been encrypted; and
`(5) the term `decryption assistance' means providing access, to the extent possible, to the plain text of encrypted wire or electronic communications.
`2802. Prohibited acts by key holders
`(a) Unauthorized Release of Key: Except as provided in subsection (b), any key holder who releases a decryption key or provides decryption assistance shall be subject to the criminal penalties provided in subsection (e) and to civil liability as provided in subsection (f).
`(b) Authorized Release of Key: A key holder shall only release a decryption key in its possession or control or provide decryption assistance--
`(1) with the lawful consent of the person whose key is being held or managed by the key holder;
`(2) as may be necessarily incident to the holding or management of the key by the key holder; or
`(3) to investigative or law enforcement officers authorized by law to intercept wire or electronic communications under chapter 119, to obtain access to stored wire and electronic communications and transactional records under chapter 121, or to conduct electronic surveillance, as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801), upon compliance with subsection (c) of this section.
`(c) Requirements for Release of Decryption Key or Provision of Decryption Assistance to Investigative or Law Enforcement Officer:
`(1) Contents of wire and electronic communications: A key holder is authorized to release a decryption key or provide decryption assistance to an investigative or law enforcement officer authorized by law to conduct electronic surveillance under chapter 119, only if--
`(A) the key holder is given--
`(i) a court order signed by a judge of competent jurisdiction directing such release or assistance; or
`(ii) a certification in writing by a person specified in section 2518(7) or the Attorney General stating that--
`(I) no warrant or court order is required by law;
`(II) all requirements under section 2518(7) have been met; and
`(III) the specified release or assistance is required;
`(B) the order or certification under paragraph (A)--
`(i) specifies the decryption key or decryption assistance which is being sought; and
`(ii) identifies the termination date of the period for which release or assistance has been authorized; and
`(C) in compliance with an order or certification under subparagraph (A), the key holder shall provide only such key release or decryption assistance as is necessary for access to communications covered by subparagraph (B).
`(2) Stored wire and electronic communications: (A) A key holder is authorized to release a decryption key or provide decryption assistance to an investigative or law enforcement officer authorized by law to obtain access to stored wire and electronic communications and transactional records under chapter 121, only if the key holder is directed to give such assistance pursuant to the same lawful process (court warrant, order, subpoena, or certification) used to obtain access to the stored wire and electronic communications and transactional records.
`(B) The notification required under section 2703(b) shall, in the event that encrypted wire or electronic communications were obtained from electronic storage, include notice of the fact that a key to such communications was or was not released or decryption assistance was or was not provided by a key holder.
`(C) In compliance with the lawful process under subparagraph (A), the key holder shall provide only such key release or decryption assistance as is necessary for access to the communications covered by such lawful process.
`(3) Use of key: (A) An investigative or law enforcement officer to whom a key has been released under this subsection may use the key only in the manner and for the purpose and duration that is expressly provided for in the court order or other provision of law authorizing such release and use, not to exceed the duration of the electronic surveillance for which the key was released.
`(B) On or before completion of the authorized release period, the investigative or law enforcement officer to whom a key has been released shall destroy and not retain the released key.
`(C) The inventory required to be served pursuant to section 2518(8)(d) on persons named in the order or the application under section 2518(7)(b), and such other parties to intercepted communications as the judge may determine, in the interest of justice, shall, in the event that encrypted wire or electronic communications were intercepted, include notice of the fact that during the period of the order or extensions thereof a key to, or decryption assistance for, any encrypted wire or electronic communications of the person or party intercepted was or was not provided by a key holder.
`(4) Nondisclosure of release: No key holder, officer, employee, or agent thereof shall disclose the key release or provision of decryption assistance pursuant to subsection (b), except as may otherwise be required by legal process and then only after prior notification to the Attorney General or to the principal prosecuting attorney of a State or any political subdivision of a State, as may be appropriate.
`(d) Records or Other Information Held by Key Holders: A key holder shall not disclose a record or other information (not including the key) pertaining to any person whose key is being held or managed by the key holder, except--
`(1) with the lawful consent of the person whose key is being held or managed by the key holder; or
`(2) to an investigative or law enforcement officer pursuant to a subpoena authorized under Federal or State law, court order, or lawful process.
An investigative or law enforcement officer receiving a record or information under paragraph (2) is not required to provide notice to the person to whom the record or information pertains. Any disclosure in violation of this subsection shall render the person committing the violation liable for the civil damages provided for in subsection (f).
`(e) Criminal Penalties: The punishment for an offense under subsection (a) of this section is--
`(1) if the offense is committed for a tortious, malicious, or illegal purpose, or for purposes of direct or indirect commercial advantage or private commercial gain--
`(A) a fine under this title or imprisonment for not more than 1 year, or both, in the case of a first offense under this subparagraph; or
`(B) a fine under this title or imprisonment for not more than 2 years, or both, for any second or subsequent offense; and
`(2) in any other case where the offense is committed recklessly or intentionally, a fine of not more than $5,000 or imprisonment for not more than 6 months, or both.
`(f) Civil Damages:
`(1) In general: Any person aggrieved by any act of a person in violation of subsections (a) or (d) may in a civil action recover from such person appropriate relief.
`(2) Relief: In an action under this subsection, appropriate relief includes--
`(A) such preliminary and other equitable or declaratory relief as may be appropriate;
`(B) damages under paragraph (3) and punitive damages in appropriate cases; and
`(C) a reasonable attorney's fee and other litigation costs reasonably incurred.
`(3) Computation of damages: The court may assess as damages whichever is the greater of--
`(A) the sum of the actual damages suffered by the plaintiff and any profits made by the violator as a result of the violation; or
`(B) statutory damages in the amount of $5,000.
`(4) Limitation: A civil action under this subsection shall not be commenced later than 2 years after the date upon which the plaintiff first knew or should have known of the violation.
`(g) Defense: It shall be a complete defense against any civil or criminal action brought under this chapter that the defendant acted in good faith reliance upon a court warrant or order, grand jury or trial subpoena, or statutory authorization.
`2803. Reporting requirements
`(a) In General: In reporting to the Administrative Office of the United States Courts as required under section 2519(2) of this title, the Attorney General, an Assistant Attorney General specially designated by the Attorney General, the principal prosecuting attorney of a State, or the principal prosecuting attorney of any political subdivision of a State, shall report on the number of orders and extensions served on key holders to obtain access to decryption keys or decryption assistance.
`(b) Requirements: The Director of the Administrative Office of the United States Courts shall include as part of the report transmitted to the Congress under section 2519(3) of this title, the number of orders and extensions served on key holders to obtain access to decryption keys or decryption assistance and the offenses for which the orders were obtained.
`2804. Unlawful use of encryption to obstruct justice
`Whoever willfully endeavors by means of encryption to obstruct, impede, or prevent the communication of information in furtherance of a felony which may be prosecuted in a court of the United States, to an investigative or law enforcement officer shall--
`(1) in the case of a first conviction, be sentenced to imprisonment for not more than 5 years, fined under this title, or both; or
`(2) in the case of a second or subsequent conviction, be sentenced to imprisonment for not more than 10 years, fined under this title, or both.
`2805. Freedom to sell encryption products
`(a) In General: It shall be lawful for any person within any State of the United States, the District of Columbia, the Commonwealth of Puerto Rico, and any territory or possession of the United States, to sell in interstate commerce any encryption, regardless of encryption algorithm selected, encryption key length chosen, or implementation technique or medium used.
`(b) Control of Exports by Secretary of Commerce:
`(1) General rule: Notwithstanding any other law, subject to paragraphs (2), (3), and (4), the Secretary of Commerce shall have exclusive authority to control exports of all computer hardware, software, and technology for information security (including encryption), except computer hardware, software, and technology that is specifically designed or modified for military use, including command, control, and intelligence applications.
`(2) Items not requiring licenses: No validated license may be required, except pursuant to the Trading With The Enemy Act or the International Emergency Economic Powers Act (IEEPA) (but only to the extent that the authority of the IEEPA is not exercised to extend controls imposed under the Export Administration Act of 1979), for the export or reexport of--
`(A) any software, including software with encryption capabilities, that is--
`(i) generally available, as is, and designed for installation by the purchaser; or
`(ii) in the public domain or publicly available because it is generally accessible to the interested public in any form; or
`(B) any computing device solely because it incorporates or employs in any form software (including software with encryption capabilities) exempted from any requirement for a validated license under subparagraph (A).
`(3) Software with encryption capabilities: The Secretary of Commerce shall authorize the export or reexport of software with encryption capabilities for nonmilitary end-uses in any country to which exports of software of similar capability are permitted for use by financial institutions not controlled in fact by United States persons, unless there is substantial evidence that such software will be--
`(A) diverted to a military end-use or an end-use supporting international terrorism;
`(B) modified for military or terrorist end-use; or
`(C) reexported without requisite United States authorization.
`(4) Hardware with encryption capabilities: The Secretary shall authorize the export or reexport of computer hardware with encryption capabilities if the Secretary determines that a product offering comparable security is commercially available from a foreign supplier without effective restrictions outside the United States.
`(5) Definitions: As used in this subsection--
`(A) the term `generally available' means, in the case of software (including software with encryption capabilities), software that is widely offered for sale, license, or transfer including, but not limited to, over-the-counter retail sales, mail order transactions, phone order transactions, electronic distribution, or sale on approval;
`(B) the term `as is' means, in the case of software (including software with encryption capabilities), a software program that is not designed, developed, or tailored by the software company for specific purchasers, except that such purchasers may supply certain installation parameters needed by the software program to function properly with the purchaser's system and may customize the software program by choosing among options contained in the software program;
`(C) the term `is designed for installation by the purchaser' means, in the case of software (including software with encryption capabilities)--
`(i) the software company intends for the purchaser (including any licensee or transferee), who may not be the actual program user, to install the software program on a computing device and has supplied the necessary instructions to do so, except that the company may also provide telephone help-line services for software installation, electronic transmission, or basic operations; and
`(ii) that the software program is designed for installation by the purchaser without further substantial support by the supplier;
`(D) the term `computing device' means a device which incorporates one or more microprocessor-based central processing units that can accept, store, process, or provide output of data; and
`(E) the term `computer hardware', when used in conjunction with information security, includes, but is not limited to, computer systems, equipment, application-specific assemblies, modules, and integrated circuits.'.
(b) Technical Amendment: The table of chapters for part I of title 18, United States Code, is amended by inserting after the item relating to chapter 33, the following new item:
2801'.
SEC. 6. INTELLIGENCE ACTIVITIES.
(a) Construction: Nothing in this Act or the amendments made by this Act constitutes authority for the conduct of any intelligence activity.
(b) Certain Conduct: Nothing in this Act or the amendments made by this Act shall affect the conduct, by officers or employees of the United States Government in accordance with other applicable Federal law, under procedures approved by the Attorney General, of activities intended to--
(1) intercept encrypted or other official communications of United States executive branch entities or United States Government contractors for communications security purposes;
(2) intercept radio communications transmitted between or among foreign powers or agents of a foreign power as defined by the Foreign Intelligence Surveillance Act of 1978; or
(3) access an electronic communication system used exclusively by a foreign power or agent of a foreign power as defined by the Foreign Intelligence Surveillance Act of 1978.
Sec. 1. Short Title. The Act may be cited as the `Encrypted Communications Privacy Act of 1996.'
Sec. 2. Purpose. The Act would ensure that Americans have the maximum possible choice in encryption methods to protect the security, confidentiality and privacy of their lawful wire and electronic communications. For those Americans who choose an encryption method in which another person, called a `key holder,' is voluntarily entrusted with the decryption key, the Act would establish privacy standards for the key holder, and procedures for law enforcement officers to follow to obtain assistance from the key holder in decrypting encrypted communications.
Sec. 3. Findings. The Act enumerates fifteen congressional findings, including that a secure, private and trusted national and global information infrastructure is essential to promote citizens' privacy and meet the needs of both American citizens and businesses, that encryption technology widely available worldwide can help meet those needs, that Americans should be free to use, and American businesses free to compete and sell, encryption technology, programs and products, and that there is a need to develop a national encryption policy to advance the global information infrastructure and preserve Americans' right to privacy and the Nation's public safety and national security.
Sec. 4. Freedom to Use Encryption
(a) Lawful Use of Encryption. The Act legislatively confirms current practice in the United States that any person in this country may lawfully use any encryption method, regardless of encryption algorithm, key length or implementation selected. The Act thereby prohibits any government-mandated use of any particular encryption system, such as a key escrow encryption system.
The Act further makes lawful the use of any encryption method by United States persons in a foreign country. This provision is consistent with, though broader than, the Department of State's new personal use exemption published in the Federal Register on February 16, 1996, that permits the export of cryptographic products by U.S. citizens and permanent residents who have the need to temporarily export the cryptographic products when leaving the U.S. for brief periods of time. For example, under this new exemption, U.S. citizens traveling abroad will be able to take their laptop computers containing copies of Lotus Notes software, many versions of which contain an encryption program otherwise not exportable.
(b) General Constructions. Nothing in the Act is to be construed to require the use of encryption, a key escrow encryption system, or a key holder if a person chooses to use a key escrow encryption system.
Sec. 5. Encrypted wire and electronic communications. This section of the Act adds a new chapter 122, entitled `Encrypted Wire and Electronic Communications,' to title 18 of the United States Code to establish privacy standards for key holders and to set forth procedures that law enforcement officers must follow to obtain decryption assistance from key holders.
(a) In General. New chapter 122 has five sections.
2801. Definitions. Generally, the terms used in the new chapter have the same meanings as in the federal wiretap statute in 18 U.S.C. Sec. 2510. Definitions are provided for `encryption', `key holder', `decryption key', and `decryption assistance'. A `key holder' may, but is not required to be, a Federal agency.
This chapter applies only to wire or electronic communications and communications in electronic storage, as defined in 18 U.S.C. 2510, and not to stored electronic data. For example, encrypted electronic mail messages, encrypted telephone conversations, encrypted facsimile transmissions, encrypted computer transmissions and encrypted file transfers over the Internet would be covered, but not encrypted data merely stored on computers.
2802. Prohibited acts by key holders
(a) Unauthorized release of key: Key holders will be subject to both criminal and civil liability for the unauthorized release of decryption keys or providing unauthorized decryption assistance.
(b) Authorized release of key: Key holders are authorized to release decryption keys or provide decryption assistance with the consent of the key owner, as may be necessary for the holding or management of the key, or to investigative or law enforcement officers upon compliance with the procedures set forth in subsection (c).
(c) Requirements for release of decryption key to investigative or law enforcement officer: To obtain access to a decryption key or decryption assistance from a key holder, an investigative or law enforcement officer must present to the key holder the same form of lawful process used to obtain access to the encrypted content. For example, to obtain the decryption key to, or decryption assistance for, an encrypted telephone conversation that is the subject of a court-ordered wiretap under 18 U.S.C. 2518, a law enforcement agent must present a court order to the key holder to obtain the decoding key. Likewise, to obtain the decryption key to, or decryption assistance for, an encrypted stored wire or electronic communication, a law enforcement officer must present a court warrant, order, subpoena or certification, depending upon what process was used to obtain access to the stored communication.
Key holders may only provide the minimal key release or decryption assistance needed to access the particular communications specified by court order or other legal process. Released keys or other decryption assistance may only be used in the manner and for the purpose and duration expressly provided by court order or other legal process.
A key holder who fails to provide the decryption key or decryption assistance called for in the court order, subpoena or other lawful process may be penalized under current contempt or obstruction laws.
(d) Records or other information held by key holders: Key holders are prohibited from disclosing records or other information (not including decryption keys) pertaining to key owners, except with the owner's consent or to an investigative or law enforcement officer, pursuant to a subpoena, court order or other lawful process.
(e) Criminal penalties: Key holders who violate this section for a tortious, malicious or illegal purpose, or for direct or indirect commercial advantage or private commercial gain, will be subject to a fine and up to 1 year's imprisonment for a first offense, and a fine and up to 2 years' imprisonment for a second offense. Other reckless and intentional violations would subject the key holder to a fine of up to $5,000 and up to 6 months' imprisonment.
(f) Civil damages: Persons aggrieved by key holder violations may sue for injunctive relief, and actual damages or statutory damages of $5,000, whichever is greater.
(g) Defense: A complete defense is provided if the defendant acted in good faith reliance upon a court order, warrant, grand jury or trial subpoena or statutory authorization.
2803. Reporting requirements. The Attorney General is required to include in her report to the Administrative Office of the U.S. Courts under 18 U.S.C. Sec. 2519(2), the number of orders and extensions served on key holders to obtain access to decryption keys or decryption assistance. The Director of the Administrative Office of the U.S. Courts is required to include this information, and the offenses for which the orders were obtained, in the report to Congress under 18 U.S.C. 2519(3).
2804. Unlawful use of encryption to obstruct justice. Persons who willfully use encryption in an effort and for the purpose of obstructing, impeding, or preventing the communication of information in furtherance of a federal felony crime to a law enforcement officer, would be subject to a fine and up to 5 years' imprisonment for a first offense, and up to 10 years' imprisonment for a second or subsequent offense.
2805. Freedom to sell encryption products
(a) In general: The Act legislatively confirms that it is lawful to sell any encryption, regardless of encryption algorithm, key length or implementation used, domestically in the United States or its territories.
(b) Control of exports by Secretary of Commerce: Notwithstanding any other law, the Act vests the Secretary of Commerce with control of exports of hardware, software and technology for information security, including encryption for both communications and other stored data, except when the hardware, software or technology is specifically designed or modified for military use.
No export license may be required for encryption software and hardware with encryption capabilities that is generally available, including mass market products (i.e., those generally available, sold `as is', and designed for installation by the purchaser) or encryption in the public domain and generally accessible. For example, no licenses would be required for encryption products commercially available without restriction and sold `as is', such as Netscape's commercially available World Wide Web Browser, which cannot be exported. Similarly, no license would be required to export software and corresponding hardware placed in the public domain and generally accessible, such as Phil Zimmerman's Pretty Good Privacy program, which has been distributed to the public free of charge via the Internet.
In addition, the Secretary of Commerce must authorize the export of encryption software to commercial users in any country to which exports of such software have been approved for use by foreign financial institutions, except when there is substantial evidence that the software will be diverted or modified for military or terrorists' end-use or re-exported without requisite U.S. authorization. Finally, the Secretary of Commerce must authorize the export of computer hardware with encryption capabilities if the Secretary determines that a product with comparable security is commercially available from foreign suppliers without effective restrictions outside the United States.
Significantly, the government is authorized to continue controls on countries that pose terrorism concerns, such as Libya, Syria and Iran, or other embargoed countries, such as Cuba and North Korea, pursuant to the Trading With the Enemy Act or the International Emergency Economic Powers Act.
(b) Technical Amendment. The Act adds new chapter 122 and the new title in the table of chapters in title 18 of the United States Code.
Sec. 6. Intelligence activities. The Act does not authorize the conduct of intelligence activities, nor affect the conduct by Federal government officers or employees in intercepting (1) encrypted or other official communications of Federal executive branch or Federal contractors for communications security purposes; (2) radio communications between or among foreign powers or agents, as defined by the Foreign Intelligence Surveillance Act (FISA); or (3) electronic communication systems used exclusively by foreign powers or agents, as defined by FISA.
Murray Hill, NJ,
March 1, 1996.
Hon. Patrick Leahy,
U.S. Senate.
Dear Senator Leahy: Thank you for introducing the Encrypted Communications Privacy Act of 1996. As a member of the computer security and cryptology research community, I have observed firsthand the deleterious effect that the current regulations governing the use and export of cryptography are having on our country's ability to develop a reliable and trustworthy information infrastructure. Your bill takes an important first step toward creating regulations that reflect the modern realities of this increasingly critical technology.
Unlike previous government encryption initiatives such as the technically-flawed and unworkable `Clipper' chip, your bill re-affirms the role of the marketplace in providing ordinary citizens and businesses with a full range of choices for securing their private information. In particular, by freeing mass-market cryptographic software and hardware from the burdensome export controls that govern the international arms trade, the bill will help the American software industry compete, for the first time, in the international market for high-quality security products.
Law enforcement need not fear the widespread availability of encryption; indeed, they should welcome and promote it. Encryption thwarts electronic predators by preventing unauthorized access to private data and computer systems, and the use of strong cryptography to protect computer networks is becoming as natural and necessary as the use of locks and burglar alarms to protect our homes and businesses. While criminals, too, might occasionally derive some advantage from the use of cryptography, the benefits of widely-available encryption technology overwhelmingly favor the honest user. By recognizing that those who hold decryption keys on behalf of others are in a special position of trust, your bill is respectful of the privacy of law-abiding citizens without introducing impediments to the government's ability to investigate and prevent crime.
I have also examined the new provision designed to discourage the use of cryptography by criminals in the furtherance of a felony, and hope to see your carefully-worded language reinforced by a narrow interpretation in the courts, consistent with your intent.
Again, thank you for your continued leadership in this area, and I look forward to doing whatever I can to help you bring encryption regulations in line with the fast-changing reality of this emerging technology.
Sincerely,
Matt Blaze.
Hon. Patrick Leahy,
U.S. Senate.
Dear Senator Leahy: I would like to thank you for introducing the Encrypted Communications Privacy Act. As a member of the computer and information security research community, I am keenly aware of the vital role of cryptography in fostering the development of our information infrastructure.
As the author of the book, `Applied Cryptography', I have unusual insights into the absurdity of cryptography export restrictions. It is not without irony that one may export my book in paper format, but not electronically. Presumably no rational person believes that the current restrictions actually prevent the spread of cryptography. I believe you recognize this, as evidenced from the strong stance taken in your bill.
As the bill recognizes, we can no longer afford to hold on to the obsolete notion that cryptography is the sole province of government communications; the growth of modern networks has irrevocably pushed it into the mainstream. I applaud your leadership towards codifying these principles in a balanced and responsible way. In particular, the bill:
Removes the regulatory strangle-hold that has encumbered the development of mass-market security solutions;
Recognizes the futility of applying regulations intended to control the international arms trade to even the most mundane and commonly available software;
Encourages public confidence in encryption by allowing the marketplace to provide a full range of choices for privacy and security needs;
Recognizes the special obligations of keyholders to be vigilant in safeguarding the information entrusted to them, without imposing hurdles on the use of cryptography;
Allows the United States to continue its leadership role as a technological innovator;
Acknowledges the pivotal role of cryptography in electronic commerce.
I continue to have concerns that the new criminal obstruction provision will discourage law abiding citizens from using cryptography. I hope that legislative history and further discussion will demonstrate the narrow intent of this crime.
Overall, your bill takes very necessary strides towards ensuring that the protections we take for granted in traditional media keep pace with technology, and I commend your efforts.
Sincerely,
Bruce Schneier.
Business Software Alliance,
Washington, DC, March 4, 1996.
Hon. Patrick J. Leahy,
Russell Senate Office Building,
Washington, DC.
Dear Senator Leahy: As President of the Business Software Alliance (BSA), I am writing to express our strong support for the Encryption Communications Privacy Act of 1996 which I understand you will introduce tomorrow. BSA represents the leading publishers of software for personal computers and the client server environment including Adobe, Autodesk, Bentley, Lotus Development, Microsoft, Novell, Sybase, Symantec and the Santa Cruz Operation.
We have had an opportunity to review the legislation and find it a significant step toward placing the U.S. software industry on a level playing field with our foreign competitors. Currently, we are only allowed to export weak (40-bit) encryption. Your legislation would allow us to export generally available software which offers security at prevailing world levels. While many would prefer export restrictions being lifted in their entirety, this legislation at least would place us on an equal footing with our foreign competitors which is critical to the continued success of the U.S. software industry in the global market place.
As you well know, today, America's software industry is the envy of the world. U.S. software companies hold an estimated 75% worldwide market share for mass market software with exports accounting for more than one-half of revenues for our companies. According to a 1993 study by Economists Inc., the American mass market software industry was the fastest growing industry in the U.S. between 1982 and 1992 and had become larger than all but five manufacturing industries. This translates into jobs here in the U.S.
The continued growth and success of our industry is directly threatened by existing U.S. government export controls. For that reason, our companies have consistently made this one of its top policy issues. As importantly, the availability of easy to use, affordable encryption will be essential to the successful development of the Global Information Infrastructure (GII). As more and more transactions are being done on-line, consumers are increasingly demanding software with strong encryption capabilities. In two studies, 90% of the respondents believe information security is important. In one study 37% of the respondents said that they would consider purchasing foreign software with otherwise less desirable features if that software offered data security not available in a U.S. program. Additionally, a recent study shows there are nearly 500 foreign encryption products from 28 countries currently available. U.S. export restrictions simply put U.S. industry at a competitive disadvantage. Your bill would address this issue by allowing U.S. industry to export generally available software with strong security features.
As you may know, the Administration has attempted to address this issue with a `64-bit key escrow encryption proposal.' Under that proposal, in order to be allowed to export software with strong security features, U.S. industry would be required to build a back door into the program with a spare key held by a U.S. government certified agent. After careful and serious deliberation by our members, we concluded that the Administration's approach is fatally flawed and cannot be the basis for progress in this area. We simply have not found a market for such a product. Any resolution must be market driven. Your bill takes a very different approach. It reaffirms Americans' right to choose the encryption they use, either with key escrow or without. For those who choose voluntarily to use key holders, your legislation provides standards so that their privacy is not violated. Your legislation allows the market to work. We wholeheartedly endorse this market driven approach.
The digital information age and the Global Information Infrastructure present opportunities and challenges to computer users concerned about privacy at home and in their businesses, as well as for the U.S. government. From that point of view, we are all in a similar position. Information security policies for the electronic world are fundamental to the success of the GII and we are pleased to support your legislation which is pro-market, pro-competition, pro-privacy and pro-progress.
We look forward to working with you toward the enactment of this legislation.
Sincerely,
Robert W. Holleyman II,
President.
Mrs. MURRAY. Mr. President, I am pleased to join Senator Leahy today as an original cosponsor of the Encrypted Communications Privacy Act. Senator Leahy is truly a leader on this issue, and I've had the pleasure of working on encryption policy with him over the past 3 years. I'm excited to once again join him in this effort to make sense out of our national export control policies, and to promote export opportunities for American software and hardware producers.
As many of my colleagues know, with help from Congresswoman Cantwell in the 103d Congress, I was able to persuade the administration to study the extent to which U.S. companies are stymied by our country's current encryption and export control policies.
The Department of Commerce released that report last month. And let me just say that there are some findings in this report that we should be aware of, and concerned about. For instance, the report acknowledges there are tremendous international growth opportunities for software exporters in the next 5 to 10 years. Unfortunately, the report also finds that most U.S. companies don't pursue international sales because our export control laws are too cost prohibitive.
Mr. President, there are legitimate national security concerns underpinning the Export Administration Act. However, these outdated laws are no longer relevant to the post-cold-war world we now live in. Today's national security controls should target those items that really need to be controlled in order to maintain national security. Simply, they should make better sense; it doesn't make sense to tell a U.S. software producer they can't export a product that is already widely available on the world market.
Senator Leahy's bill seeks a balanced approach to implementing viable, safe, and secure encryption technology on both domestically sold products and exported products. It protects our privacy concerns, and it lays out the appropriate procedures law enforcement officials should use when obtaining encrypted materials. And, most important, it protects industry ingenuity and prohibits mandatory key escrow.
Mr. President, I introduced the Commercial Export Administration Act in the 103d Congress. I am pleased Senator Leahy is incorporating my language into his bill. My language reduces regulatory redtape and makes it easier to export generally available mass-marketed commercial software. Washington State is home to some of the most innovative software producers in the world, and they are eager to export their goods. Unfortunately, our export controls keep Washington State's companies from penetrating the world market. Senator Leahy's bill, however, will fix this problem.
We are hearing a lot on the Presidential campaign trail about the damage that comes from trade--how trade hurts our economy and our workers. That's nonsense. My Washington State friends and neighbors know full-well that trade is essential to our State's success. One out of every five jobs in Washington State is trade related; and these are highly skilled, family wage jobs that pay 15 percent higher than the national average. Moreover, Washington State's small- and mid-sized high-technology companies provided over 98,000 jobs in 1995.
Mr. President, I mention this because our bill will increase exports and enable our high-technology companies to grow further. Higher growth means more jobs--plain and simple. A recent study revealed that in 1995 U.S. exporters lost $60 billion in international sales, and it estimates the industry will lose 200,000 potential jobs by the year 2000. Given the increase in international competition, we can no longer afford to persist in holding U.S. companies back from potential world sales.
This legislation makes good sense. First and foremost, it ensures every American's right to use any appropriate encryption available on the market. It also sets out necessary guidelines that should accompany any policy regarding the use of key escrow. And finally, it paves the way for new, streamlined export policies.
Mr. President, this legislation is badly needed, and I urge my colleagues to join Senator Leahy and me in supporting it.
By Mr. STEVENS:
S. 1588. A bill to authorize the Secretary of Transportation to issue a certificate of documentation and coastwise trade endorsement for the vessel Kalypso; to the Committee on Commerce, Science, and Transportation.