Congressional Documents
43 400
105 th Congress
Rept. 105 108
HOUSE OF REPRESENTATIVES
1st Session
Part 4
SECURITY AND FREEDOM THROUGH ENCRYPTION (``SAFE'') ACT OF 1997
September 16, 1997.--Ordered to be printed
Mr. Goss, from the Permanent Select Committee on Intelligence, submitted
the following
R E P O R T
together with
ADDITIONAL VIEWS
[To accompany H.R. 695]
[Including cost estimate of the Congressional Budget Office]
The Permanent Select Committee on Intelligence, to whom was referred
the bill (H.R. 695) to amend title 18, United States Code, to affirm the
rights of United States persons to use and sell encryption and to relax
export controls on encryption, having considered the same, report
favorably thereon with an amendment and recommend that the bill as
amended do pass.
The amendment is as follows:
Strike out all after the enacting clause and insert in lieu thereof
the following:
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``Security and Freedom
Through Encryption (`SAFE') Act of 1997''.
(b) Table of Contents.--The table of contents is as follows:
Sec. 1. Short title; table of contents.
Sec. 2. Statement of policy.
TITLE I--DOMESTIC USES OF ENCRYPTION
Sec. 101. Definitions.
Sec. 102. Lawful use of encryption.
Sec. 103. Voluntary private sector participation in key management
infrastructure.
Sec. 104. Unlawful use of encryption.
TITLE II--GOVERNMENT PROCUREMENT
Sec. 201. Federal purchases of encryption products.
Sec. 202. Encryption products purchased with Federal funds.
Sec. 203. Networks established with Federal funds.
Sec. 204. Product labels.*COM003*
Sec. 205. No private mandate.
Sec. 206. Implementation.
TITLE III--EXPORTS OF ENCRYPTION
Sec. 301. Exports of encryption.
Sec. 302. License exception for certain encryption products.
Sec. 303. License exception for telecommunications products.
Sec. 304. Review for certain institutions.
Sec. 305. Encryption industry and information security board.
TITLE IV--LIABILITY LIMITATIONS
Sec. 401. Compliance with court order.
Sec. 402. Compliance defense.
Sec. 403. Reasonable care defense.
Sec. 404. Good faith defense.
Sec. 405. Sovereign immunity.
Sec. 406. Civil action, generally.
TITLE V--INTERNATIONAL AGREEMENTS
Sec. 501. Sense of congress.
Sec. 502. Failure to negotiate.
Sec. 503. Report to congress.
TITLE VI--MISCELLANEOUS PROVISIONS
Sec. 601. Effect on law enforcement activities.
Sec. 602. Interpretation.
Sec. 603. Severability.
SEC. 2. STATEMENT OF POLICY.
It is the policy of the United States to protect public computer
networks through the use of strong encryption technology, to promote and
improve the export of encryption products developed and manufactured in
the United States, and to preserve public safety and national security.
TITLE I--DOMESTIC USES OF ENCRYPTION
SEC. 101. DEFINITIONS.
For purposes of this Act:
(1) Attorney for the government.--The term ``attorney for the
Government'' has the meaning given such term in Rule 54(c) of the
Federal Rules of Criminal Procedure, and also includes any duly
authorized attorney of a State who is authorized to prosecute criminal
offenses within such State.
(2) Certificate authority.--The term ``certificate authority'' means
a person trusted by one or more persons to create and assign public key
certificates.
(3) Communications.--The term ``communications'' means any wire
communications or electronic communications as those terms are defined
in paragraphs (1) and (12) of section 2510 of title 18, United States
Code.
(4) Court of competent jurisdiction.--The term ``court of competent
jurisdiction'' means any court of the United States organized under
Article III of the Constitution of the United States, the court
organized under the Foreign Intelligence Surveillance Act of 1978 (50
U.S.C. 1801 et seq.), or a court of general criminal jurisdiction of a
State authorized pursuant to the laws of such State to enter orders
authorizing searches and seizures.
(5) Data network service provider.--The term ``data network service
provider'' means a person offering any service to the general public
that provides the users thereof with the ability to transmit or receive
data, including communications.
(6) Decryption.--The term ``decryption'' means the retransformation
or unscrambling of encrypted data, including communications, to its
readable plaintext version. To ``decrypt'' data, including
communications, is to perform decryption.
(7) Decryption information.--The term ``decryption information''
means information or technology that enables one to readily retransform
or unscramble encrypted data from its unreadable and incomprehensible
format to its readable plaintext version.
(8) Electronic storage.--The term ``electronic storage'' has the
meaning given that term in section 2510(17) of title 18, United States
Code.
(9) Encryption.--The term ``encryption'' means the transformation or
scrambling of data, including communications, from plaintext to an
unreadable or incomprehensible format, regardless of the technique
utilized for such transformation or scrambling and irrespective of the
medium in which such data, including communications, occur or can be
found, for the purposes of protecting the content of such data,
including communications. To ``encrypt'' data, including communications,
is to perform encryption.
(10) Encryption product.--The term ``encryption product'' means any
software, technology, or mechanism, that can be used to encrypt or
decrypt, or has the capability of encrypting or decrypting any data,
including communications.
(11) Foreign availability.--The term ``foreign availability'' has
the meaning applied to foreign availability of encryption products
subject to controls under the Export Administration Regulations, as in
effect on September 1, 1997.
(12) Government.--The term ``Government'' means the Government of
the United States and any agency or instrumentality thereof, or the
government of any State.
(13) Investigative or law enforcement officer.--The term
``investigative or law enforcement officer'' has the meaning given that
term in section 2510(7) of title 18, United States Code.
(14) Key recovery agent.--The term ``key recovery agent'' means a
person trusted by another person or persons to hold and maintain
sufficient decryption information to allow for the immediate decryption
of the encrypted data or communications of another person or persons for
whom that information is held, and who holds and maintains that
information as a business or governmental practice, whether or not for
profit. The term ``key recovery agent'' includes any person who holds
his or her decryption information.
(15) National security.--The term ``national security'' means the
national defense, foreign relations, or economic interests of the United
States.
(16) Plaintext.--The term ``plaintext'' means the readable or
comprehensible format of data, including communications, prior to its
being encrypted or after it has been decrypted.
(17) Plainvoice.--The term ``plainvoice'' means communication
specific plaintext.
(18) Secretary.--The term ``Secretary'' means the Secretary of
Commerce, unless otherwise specifically identified.
(19) State.--The term ``State'' has the meaning given that term in
section 2510(3) of title 18, United States Code.
(20) Telecommunications carrier.--The term ``telecommunications
carrier'' has the meaning given that term in section 102(8) of the
Communications Assistance for Law Enforcement Act (47 U.S.C. 1001(8)).
(21) Telecommunications system.--The term ``telecommunications
system'' means any equipment, technology, or related software used in
the movement, switching, interchange, transmission, reception, or
internal signaling of data, including communications over wire, fiber
optic, radio frequency, or other medium.
(22) United states person.--The term ``United States person'' means--
(A) any citizen of the United States;
(B) any other person organized under the laws of any State; and
(C) any person organized under the laws of any foreign country who
is owned or controlled by individuals or persons described in
subparagraphs (A) and (B).
SEC. 102. LAWFUL USE OF ENCRYPTION.
Except as otherwise provided by this Act or otherwise provided by
law, it shall be lawful for any person within any State and for any
United States person to use any encryption product, regardless of
encryption algorithm selected, encryption key length chosen, or
implementation technique or medium used.
SEC. 103. VOLUNTARY PRIVATE SECTOR PARTICIPATION IN KEY
MANAGEMENT INFRASTRUCTURE.
(a) Use is Voluntary.--The use of certificate authorities or key
recovery agents is voluntary.
(b) Regulations.--The Secretary shall promulgate regulations
establishing standards for creating key management infrastructures. Such
regulations should--
(1) allow for the voluntary participation by private persons and
non-Federal entities; and
(2) promote the development of certificate authorities and key
recovery agents.
(c) Registration of Certificate Authorities and Key Recovery
Agents.--Certificate authorities and key recovery agents meeting the
standards established by the Secretary may be registered by the
Secretary if they so choose, and may identify themselves as meeting the
standards of the Secretary.
SEC. 104. UNLAWFUL USE OF ENCRYPTION.
(a) In General.--Part I of title 18, United States Code, is amended
by inserting after chapter 121 the following new chapter:
``CHAPTER 122--ENCRYPTED DATA, INCLUDING COMMUNICATIONS
``Sec.
``2801. Unlawful use of encryption in furtherance of a criminal act.
``2802. Privacy protection.
``2803. Unlawful sale of encryption.
``2804. Encryption products manufactured and intended for use in
the United States.
``2805. Injunctive relief and proceedings.
``2806. Court order access to plaintext.
``2807. Notification procedures.
``2808. Lawful use of plaintext or decryption information.
``2809. Identification of decryption information.
``2810. Unlawful export of certain encryption products.
``2811. Definitions.
``2801. Unlawful use of encryption in furtherance of a criminal act
``(a) Prohibited Acts.--Whoever knowingly uses encryption in
furtherance of the commission of a criminal offense for which the person
may be prosecuted in a district court of the United States shall--
``(1) in the case of a first offense under this section, be
imprisoned for not more than 5 years, or fined under this title, or
both; and
``(2) in the case of a second or subsequent offense under this
section, be imprisoned for not more than 10 years, or fined under this
title, or both.
``(b) Consecutive Sentence.--Notwithstanding any other provision of
law, the court shall not place on probation any person convicted of a
violation of this section, nor shall the term of imprisonment imposed
under this section run concurrently with any other term of imprisonment
imposed for the underlying criminal offense.
``(c) Probable Cause Not Constituted By Use of Encryption.--The use
of encryption alone shall not constitute probable cause to believe that
a crime is being or has been committed.
``2802. Privacy protection
``(a) In General.--It shall be unlawful for any person to
intentionally--
``(1) obtain or use decryption information without lawful authority
for the purpose of decrypting data, including communications;
``(2) exceed lawful authority in decrypting data, including
communications;
``(3) break the encryption code of another person without lawful
authority for the purpose of violating the privacy or security of that
person or depriving that person of any property rights;
``(4) impersonate another person for the purpose of obtaining
decryption information of that person without lawful authority;
``(5) facilitate or assist in the encryption of data, including
communications, knowing that such data, including communications, are to
be used in furtherance of a crime; or
``(6) disclose decryption information in violation of a provision of
this chapter.
``(b) Criminal Penalty.--Whoever violates this section shall be
imprisoned for not more than 10 years, or fined under this title, or
both.
``2803. Unlawful sale of encryption
``Whoever, after January 31, 2000, sells in interstate or foreign
commerce any encryption product that does not include features or
functions permitting duly authorized persons immediate access to
plaintext or immediate decryption capabilities shall be imprisoned for
not more than 5 years, fined under this title, or both.
``2804. Encryption products manufactured and intended for use
in the United States
``(a) Public Network Service Providers.--After January 31, 2000,
public network service providers offering encryption products or
encryption services shall ensure that such products or services enable
the immediate decryption or access to plaintext of the data, including
communications, encrypted by such products or services on the public
network upon receipt of a court order or warrant, pursuant to section
2806.
``(b) Manufacturers, Distributors, and Importers.--After January 31,
2000, it shall be unlawful for any person to manufacture for
distribution, distribute, or import encryption products intended for
sale or use in the United States, unless that product--
``(1) includes features or functions that provide an immediate
access to plaintext capability, through any means, mechanism, or
technological method that--
``(A) permits immediate decryption of the encrypted data, including
communications, upon the receipt of decryption information by an
authorized party in possession of a facially valid order issued by a
court of competent jurisdiction; and
``(B) allows the decryption of encrypted data, including
communications, without the knowledge or cooperation of the person being
investigated, subject to the requirements set forth in section 2806;
``(2) can be used only on systems or networks that include features
or functions that provide an immediate access to plaintext capability,
through any means, mechanism, or technological method that--
``(A) permits immediate decryption of the encrypted data, including
communications, upon the receipt of decryption information by an
authorized party in possession of a facially valid order issued by a
court of competent jurisdiction; and
``(B) allows the decryption of encrypted data, including
communications, without the knowledge or cooperation of the person being
investigated, subject to the requirements set forth in section 2806; or
``(3) otherwise meets the technical requirements and functional
criteria promulgated by the Attorney General under subsection (c).
``(c) Attorney General Criteria.--
``(1) Publication of requirements.--Within 180 days after the date
of the enactment of this chapter, the Attorney General shall publish in
the Federal Register technical requirements and functional criteria for
complying with the decryption requirements set forth in this section.
``(2) Procedures for advisory opinions.--Within 180 days after the
date of the enactment of this chapter, the Attorney General shall
promulgate procedures by which data network service providers and
encryption product manufacturers, sellers, re-sellers, distributors, and
importers may obtain advisory opinions as to whether an encryption
product intended for sale or use in the United States after January 31,
2000, meets the requirements of this section and the technical
requirements and functional criteria promulgated pursuant to paragraph
(1).
``(3) Particular methodology not required.--Nothing in this chapter
or any other provision of law shall be construed as requiring the
implementation of any particular decryption methodology in order to
satisfy the requirements of subsections (a) and (b), or the technical
requirements and functional criteria required by the Attorney General
under paragraph (1).
``(d) Use of Prior Products Lawful.--After January 31, 2000, it shall
not be unlawful to use any encryption product purchased or in use prior
to such date.
``2805. Injunctive relief and proceedings
``(a) Injunction.--Whenever it appears to the Secretary or the
Attorney General that any person is engaged in, or is about to engage
in, any act that constitutes, or would constitute, a violation of
section 2804, the Attorney General may initiate a civil action in a
district court of the United States to enjoin such violation. Upon the
filing of the complaint seeking injunctive relief by the Attorney
General, the court shall automatically issue a temporary restraining
order against the party being sued.
``(b) Burden of Proof.--In a suit brought by the Attorney General
under subsection (a), the burden shall be upon the Government to
establish by a preponderance of the evidence that the encryption product
involved does not comport with the requirements set forth by the
Attorney General pursuant to section 2804 providing for immediate access
to plaintext by Federal, State, or local authorities.
``(c) Closing of Proceedings.--(1) Upon motion of the party against
whom injunction is being sought--
``(A) any or all of the proceedings under this section shall be
closed to the public; and
``(B) public disclosure of the proceedings shall be treated as
contempt of court.
``(2) Upon a written finding by the court that public disclosure of
information relevant to the prosecution of the injunction or relevant to
a determination of the
factual or legal issues raised in the case would cause
irreparable or financial harm to the party against whom the suit is
brought, or would otherwise disclose proprietary information of any
party to the case, all proceedings shall be closed to members of the
public, except the parties to the suit, and all transcripts, motions,
and orders shall be placed under seal to protect their disclosure to the
general public.
``(d) Advisory Opinion as Defense.--It is an absolute defense to a
suit under this subsection that the party against whom suit is brought
obtained an advisory opinion from the Attorney General pursuant to
section 2804(c) and that the product at issue in the suit comports in
every aspect with the requirements announced in such advisory opinion.
``(e) Basis for Permanent Injunction.--The court shall issue a
permanent injunction against the distribution of, and any future
manufacture of, the encryption product at issue in the suit filed under
subsection (a) if the court finds by a preponderance of the evidence
that the product does not meet the requirements set forth by the
Attorney General pursuant to section 2804 providing for immediate access
to plaintext by Federal, State, or local authorities.
``(f) Appeals.--Either party may appeal, to the appellate court with
jurisdiction of the case, any adverse ruling by the district court
entered pursuant to this section. For the purposes of appeal, the
parties shall be governed by the Federal Rules of Appellate Procedure,
except that the Government shall file its notice of appeal not later
than 30 days after the entry of the final order on the docket of the
district court. The appeal of such matter shall be considered on an
expedited basis and resolved as soon as practicable.
``2806. Court order access to plaintext
``(a) Court Order.--(1) A court of competent jurisdiction shall issue
an order, ex parte, granting an investigative or law enforcement officer
immediate access to the plaintext of encrypted data, including
communications, or requiring any person in possession of decryption
information to provide such information to a duly authorized
investigative or law enforcement officer--
``(A) upon the application by an attorney for the Government that--
``(i) is made under oath or affirmation by the attorney for the
Government; and
``(ii) provides a factual basis establishing the relevance that the
plaintext or decryption information being sought has to a law
enforcement or foreign counterintelligence investigation then being
conducted pursuant to lawful authorities; and
``(B) if the court finds, in writing, that the plaintext or
decryption information being sought is relevant to an ongoing lawful law
enforcement or foreign counterintelligence investigation and the
investigative or law enforcement officer is entitled to such plaintext
or decryption information.
``(2) The order issued by the court under this section shall be
placed under seal, except that a copy may be made available to the
investigative or law enforcement officer authorized to obtain access to
the plaintext of the encrypted information, or authorized to obtain the
decryption information sought in the application. Such order shall also
be made available to the person responsible for providing the plaintext
or the decryption information, pursuant to such order, to the
investigative or law enforcement officer.
``(3) Disclosure of an application made, or order issued, under this
section, is not authorized, except as may otherwise be specifically
permitted by this section or another order of the court.
``(b) Other Orders.--An attorney for the Government may make
application to a district court of the United States for an order under
subsection (a), upon a request from a foreign country pursuant to a
Mutual Legal Assistance Treaty with such country that is in effect at
the time of the request from such country.
``(c) Record of Access Required.--(1) There shall be created an
electronic record, or similar type record, of each instance in which an
investigative or law enforcement officer, pursuant to an order under
this section, gains access to the plaintext of otherwise encrypted
information, or is provided decryption information, without the
knowledge or consent of the owner of the data, including communications,
who is the user of the encryption product involved.
``(2) The court issuing the order under this section shall require
that the electronic or similar type of record described in paragraph (1)
is maintained in a place and a manner that is not within the custody or
control of an investigative or law enforcement officer gaining the
access or provided the decryption information. The record shall be
tendered to the court, upon notice from the court.
``(3) The court receiving such electronic or similar type of record
described in paragraph (1) shall make the original and a certified copy
of the record available to the attorney for the Government making
application under this section, and to the attorney for, or directly to,
the owner of the data, including communications, who is the user of the
encryption product.
``(d) Authority To Intercept Communications Not Increased.--Nothing
in this chapter shall be construed to enlarge or modify the
circumstances or procedures under which a Government entity is entitled
to intercept or obtain oral, wire, or electronic communications or
information.
``(e) Construction.--This chapter shall be strictly construed to
apply only to a Government entity's ability to decrypt data, including
communications, for which it has previously obtained lawful authority to
intercept or obtain pursuant to other lawful authorities that would
otherwise remain encrypted.
``2807. Notification procedures
``(a) In General.--Within a reasonable time, but not later than 90
days after the filing of an application for an order under section 2806
which is granted, the court shall cause to be served, on the persons
named in the order or the application, and such other parties whose
decryption information or whose plaintext has been provided to an
investigative or law enforcement officer pursuant to this chapter as the
court may determine that is in the interest of justice, an inventory
which shall include notice of--
``(1) the fact of the entry of the order or the application;
``(2) the date of the entry of the application and issuance of the
order; and
``(3) the fact that the person's decryption information or plaintext
data, including communications, have been provided or accessed by an
investigative or law enforcement officer.
The court, upon the filing of a motion, may make available to that
person or that person's counsel, for inspection, such portions of the
plaintext, applications, and orders as the court determines to be in the
interest of justice. On an ex parte showing of good cause to a court of
competent jurisdiction, the serving of the inventory required by this
subsection may be postponed.
``(b) Admission Into Evidence.--The contents of any encrypted
information that has been obtained pursuant to this chapter or evidence
derived therefrom shall not be received in evidence or otherwise
disclosed in any trial, hearing, or other proceeding in a Federal or
State court unless each party, not less than 10 days before the trial,
hearing, or proceeding, has been furnished with a copy of the order, and
accompanying application, under which the decryption or access to
plaintext was authorized or approved. This 10-day period may be waived
by the court if the court finds that it was not possible to furnish the
party with the information described in the preceding sentence within 10
days before the trial, hearing, or proceeding and that the party will
not be prejudiced by the delay in receiving such information.
``(c) Contempt.--Any violation of the provisions of this section may
be punished by the court as a contempt thereof.
``(d) Motion To Suppress.--Any aggrieved person in any trial,
hearing, or proceeding in or before any court, department, officer,
agency, regulatory body, or other authority of the United States or a
State may move to suppress the contents of any decrypted data, including
communications, obtained pursuant to this chapter, or evidence derived
therefrom, on the grounds that--
``(1) the plaintext was unlawfully decrypted or accessed;
``(2) the order of authorization or approval under which it was
decrypted or accessed is insufficient on its face; or
``(3) the decryption was not made in conformity with the order of
authorization or approval.
Such motion shall be made before the trial, hearing, or proceeding
unless there was no opportunity to make such motion, or the person was
not aware of the grounds of the motion. If the motion is granted, the
plaintext of the decrypted data, including communications, or evidence
derived therefrom, shall be treated as having been obtained in violation
of this chapter. The court, upon the filing of such motion by the
aggrieved person, may make available to the aggrieved person or that
person's counsel for inspection such portions of the decrypted
plaintext, or evidence derived therefrom, as the court determines to be
in the interests of justice.
``(e) Appeal by United States.--In addition to any other right to
appeal, the United States shall have the right to appeal from an order
granting a motion to suppress made under subsection (d), or the denial
of an application for an order under section 2806, if the United States
attorney certifies to the court or other official granting such motion
or denying such application that the appeal is not taken for purposes of
delay. Such appeal shall be taken within 30 days after the date the
order was entered on the docket and shall be diligently prosecuted.
``(f) Civil Action for Violation.--Except as otherwise provided in
this chapter, any person described in subsection (g) may in a civil
action recover from the United States Government the actual damages
suffered by the person as a result of a violation described in that
subsection, reasonable attorney's fees, and other litigation costs
reasonably incurred in prosecuting such claim.
``(g) Covered Persons.--Subsection (f) applies to any person whose
decryption information--
``(1) is knowingly obtained without lawful authority by an
investigative or law enforcement officer;
``(2) is obtained by an investigative or law enforcement officer
with lawful authority and is knowingly used or disclosed by such officer
unlawfully; or
``(3) is obtained by an investigative or law enforcement officer
with lawful authority and whose decryption information is unlawfully
used to disclose the plaintext of the data, including communications.
``(h) Limitation.--A civil action under subsection (f) shall be
commenced not later than 2 years after the date on which the unlawful
action took place, or 2 years after the date on which the claimant first
discovers the violation, whichever is later.
``(i) Exclusive Remedies.--The remedies and sanctions described in
this chapter with respect to the decryption of data, including
communications, are the only judicial remedies and sanctions for
violations of this chapter involving such decryptions, other than
violations based on the deprivation of any rights, privileges, or
immunities secured by the Constitution.
``(j) Technical Assistance by Providers.--A provider of encryption
technology or network service that has received an order issued by a
court pursuant to this chapter shall provide to the investigative or law
enforcement officer concerned such technical assistance as is necessary
to execute the order. Such provider may, however, move the court to
modify or quash the order on the ground that its assistance with respect
to the decryption or access to plaintext cannot be performed in a timely
or reasonable fashion. The court, upon notice to the Government, shall
decide such motion expeditiously.
``(k) Reports to Congress.--In May of each year, the Attorney
General, or an Assistant Attorney General specifically designated by the
Attorney General, shall report in writing to Congress on the number of
applications made and orders entered authorizing Federal, State, and
local law enforcement access to decryption information for the purposes
of reading the plaintext of otherwise encrypted data, including
communications, pursuant to this chapter. Such reports shall be
submitted to the Committees on the Judiciary of the House of
Representatives and of the Senate, and to the Permanent Select Committee
on Intelligence for the House of Representatives and the Select
Committee on Intelligence for the Senate.
``2808. Lawful use of plaintext or decryption information
``(a) Authorized Use of Decryption Information.--
``(1) Criminal investigations.--An investigative or law enforcement
officer to whom plaintext or decryption information is provided may use
such plaintext or decryption information for the purposes of conducting
a lawful criminal investigation or foreign counterintelligence
investigation, and for the purposes of preparing for and prosecuting any
criminal violation of law.
``(2) Civil redress.--Any plaintext or decryption information
provided under this chapter to an investigative or law enforcement
officer may not be disclosed, except by court order, to any other person
for use in a civil proceeding that is unrelated to a criminal
investigation and prosecution for which the plaintext or decryption
information is authorized under paragraph (1). Such order shall only
issue upon a showing by the party seeking disclosure that there is no
alternative means of obtaining the plaintext, or decryption information,
being sought and the court also finds that the interests of justice
would not be served by nondisclosure.
``(b) Limitation.--An investigative or law enforcement officer may
not use decryption information obtained under this chapter to determine
the plaintext of any data, including communications, unless it has
obtained lawful authority to obtain such data, including communications,
under other lawful authorities.
``(c) Return of Decryption Information.--An attorney for the
Government shall, upon the issuance of an order of a court of competent
jurisdiction--
``(1)(A) return any decryption information to the person responsible
for providing it to an investigative or law enforcement officer pursuant
to this chapter; or
``(B) destroy such decryption information, if the court finds that
the interests of justice or public safety require that such decryption
information should not be returned to the provider; and
``(2) within 10 days after execution of the court's order to destroy
the decryption information--
``(A) certify to the court that the decryption information has
either been returned or destroyed consistent with the court's order; and
``(B) notify the provider of the decryption information of the
destruction of such information.
``(d) Other Disclosure of Decryption Information.--Except as
otherwise provided in section 2806, a key recovery agent may not
disclose decryption information stored with the key recovery agent by a
person unless the disclosure is--
``(1) to the person, or an authorized agent thereof;
``(2) with the consent of the person, including pursuant to a
contract entered into with the person;
``(3) pursuant to a court order upon a showing of compelling need
for the information that cannot be accommodated by any other means if--
``(A) the person who supplied the information is given reasonable
notice, by the person seeking the disclosure, of the court proceeding
relevant to the issuance of the court order; and
``(B) the person who supplied the information is afforded the
opportunity to appear in the court proceeding and contest the claim of
the person seeking the disclosure;
``(4) pursuant to a determination by a court of competent
jurisdiction that another person is lawfully entitled to hold such
decryption information, including determinations arising from legal
proceedings associated with the incapacity, death, or dissolution of any
person; or
``(5) otherwise permitted by a provision of this chapter or
otherwise permitted by law.
``2809. Identification of decryption information
``(a) Identification.--To avoid inadvertent disclosure, any person
who provides decryption information to an investigative or law
enforcement officer pursuant to this chapter shall specifically identify
that part of the material provided that discloses decryption information
as such.
``(b) Responsibility of Investigative or Law Enforcement
Officer.--The investigative or law enforcement officer receiving any
decryption information under this chapter shall maintain such
information in facilities and in a method so as to reasonably assure
that inadvertent disclosure does not occur.
``2810. Unlawful export of certain encryption products
``Whoever, after January 31, 2000, knowingly exports an encryption
product that does not include features or functions providing duly
authorized persons immediate access to plaintext or immediate decryption
capabilities, as required under law, shall be imprisoned for not more
than 5 years, fined under this title, or both.
``2811. Definitions
``The definitions set forth in section 101 of the Security and
Freedom through Encryption (`SAFE') Act of 1997 shall apply to this
chapter.''.
(b) Conforming Amendment.--The table of chapters for part I of title
18, United States Code, is amended by inserting after the item relating
to chapter 121 the following new item:
``122. Encrypted data, including communications
2801''.
TITLE II--GOVERNMENT PROCUREMENT
SEC. 201. FEDERAL PURCHASES OF ENCRYPTION PRODUCTS.
After January 1, 1999, any encryption product or service purchased or
otherwise procured by the United States Government to provide the
security service of data confidentiality for a Federal computer system
shall include a technique enabling immediate decryption by an authorized
party without the knowledge or cooperation of the person using such
encryption products or services.
SEC. 202. ENCRYPTION PRODUCTS PURCHASED WITH FEDERAL FUNDS.
After January 1, 1999, any encryption product or service purchased
directly with Federal funds to provide the security service of data
confidentiality shall include a technique enabling immediate decryption
by an authorized party without the knowledge or cooperation of the
person using such encryption product or service unless the Secretary,
with the concurrence of the Attorney General, determines implementing
this requirement would not promote the purposes of this Act.
SEC. 203. NETWORKS ESTABLISHED WITH FEDERAL FUNDS.
After January 1, 1999, any communications network established with
the use of Federal funds shall use encryption products which include
techniques enabling immediate decryption by an authorized party without
the knowledge or cooperation of the person using such encryption
products or services unless the Secretary, with the concurrence of the
Attorney General, determines implementing this requirement would not
promote the purposes of this Act.
SEC. 204. PRODUCT LABELS.
An encryption product may be labeled to inform users that the product
is authorized for sale to or for use in transactions and communications
with the United States Government under this title.
SEC. 205. NO PRIVATE MANDATE.
The United States Government may not mandate the use of encryption
standards for the private sector other than for use with computer
systems, networks, or other systems of the United States Government, or
systems or networks created using Federal funds.
SEC. 206. IMPLEMENTATION.
(a) Exclusion.--Nothing in this title shall apply to encryption
products and services used solely for access control, authentication,
integrity, nonrepudiation, digital signatures, or other similar
purposes.
(b) Rulemaking.--The Secretary, in consultation with the Attorney
General and other affected agencies, may through rules provide for the
orderly implementation of this title and the effective use of secure
public networks.
TITLE III--EXPORTS OF ENCRYPTION
SEC. 301. EXPORTS OF ENCRYPTION.
(a) Coordination of Executive Branch Agencies Required.--The
Secretary, in close coordination with the Secretary of Defense and any
other executive branch department or agency with responsibility for
protecting the national security, shall have the authority to control
the export of encryption products not controlled on the United States
Munitions List.
(b) Decisions Not Subject to Judicial Review.--Decisions made by the
Secretary pursuant to subsection (a) with respect to exports of
encryption products under this title shall not be subject to judicial
review.
SEC. 302. LICENSE EXCEPTION FOR CERTAIN ENCRYPTION PRODUCTS.
(a) License Exception.--After January 31, 2000, encryption products,
without regard to encryption strength, shall be eligible for export
under a license exception if such encryption product--
(1) is submitted to the Secretary for a 1-time product review;
(2) does not include features or functions that would otherwise
require licensing under applicable regulations;
(3) is not destined for countries, end users, or end uses that the
Secretary, in coordination with the Secretary of Defense and other
executive branch departments or agencies with responsibility for
protecting the national security, by regulation, has determined should
be ineligible to receive such products, and is otherwise qualified for
export; and
(4)(A) includes features or functions providing an immediate access
to plaintext capability, if there is lawful authority for such immediate
access; or
(B) includes features or functions providing an immediate decryption
capability of the encrypted data, including communications, upon the
receipt of decryption information by an authorized party, and such
decryption can be accomplished without unauthorized disclosure.
(b) Enabling of Decryption Capabilities.--The features or functions
described in subsection (a)(4) need not be enabled by the manufacturer
before or at the time of export for purposes of this title. Such
features or functions may be enabled by the purchaser or end user.
(c) Responsibilities of the Secretary.--The Secretary, in close
coordination with the Secretary of Defense and other executive branch
departments or agencies with responsibility for protecting the national
security, shall--
(1) specify, by regulation, the information that must be submitted
for the 1-time review referred to in this section; and
(2) make all export determinations under this title within 30 days
following the date of submission to the Secretary of--
(A) the completed application for a license exception; and
(B) the encryption product intended for export that is to be
reviewed as required by this section.
(d) Exercise of Other Authorities.--The Secretary, and the Secretary
of Defense, may exercise the authorities they have under other
provisions of law, including the Export Administration Act of 1979, as
continued in effect under the International Emergency Economic Powers
Act, to carry out this section.
(e) Presumption in Favor of Exports.--There shall be a presumption in
favor of export of encryption products under this title.
(f) Waiver Authority.--The President may by Executive order waive any
provision of this title, or the applicability of any such provision to a
person or entity, if the President determines that the waiver is in the
interests of national security or public safety and security. The
President shall submit a report to the relevant committees of the
Congress not later than 15 days after such determination. The report
shall include the factual basis upon which such determination was made.
The report may be in classified format.
(g) Relevant Committees.--The relevant committees of the Congress
described in subsection (f) are the Committee on International
Relations, the Committee on the Judiciary, the Committee on National
Security, the Permanent Select Committee on Intelligence of the House of
Representatives, and the Committee on Foreign Relations, the Committee
on the Judiciary, the Committee on Armed Services, and the Select
Committee on Intelligence of the Senate.
SEC. 303. LICENSE EXCEPTION FOR TELECOMMUNICATIONS PRODUCTS.
After a 1-time review as described in section 302, the Secretary
shall authorize for export under a license exception voice encryption
products that do not contain decryption or access to plainvoice features
or functions otherwise required in section 302, if the Secretary, after
consultation with relevant executive branch departments or agencies,
determines that--
(1) information recovery requirements for such exports would
disadvantage United States exporters; and
(2) such exports under a license exception would not create a risk
to the foreign policy, non-proliferation, or national security of the
United States.
SEC. 304. REVIEW FOR CERTAIN INSTITUTIONS.
The Secretary, in consultation with other executive branch
departments or agencies, shall establish a procedure for expedited
review of export license applications involving encryption products for
use by qualified banks, financial institutions, subsidiaries of
companies owned or controlled by United States persons, or other users
specifically authorized by the Secretary.
SEC. 305. ENCRYPTION INDUSTRY AND INFORMATION SECURITY BOARD.
(a) Encryption Industry and Information Security Board
Established.--There is hereby established an Encryption Industry and
Information Security Board. The Board shall undertake an advisory role
for the President.
(b) Purposes.--The purposes of the Board are--
(1) to provide a forum to foster communication and coordination
between industry and the Federal Government on matters relating to the
use of encryption products;
(2) to promote the export of encryption products manufactured in the
United States;
(3) to encourage research and development of products that will
foster electronic commerce;
(4) to recommend policies enhancing the security of public networks;
(5) to promote the protection of intellectual property and privacy
rights of individuals using public networks;
(6) to enable the United States to effectively and continually
understand the benefits and risks to its national security, law
enforcement, and public safety interests by virtue of the proliferation
of strong encryption on the global market;
(7) to evaluate and make recommendations regarding the further
development and use of encryption;
(8) to advance the development of international standards regarding
interoperability and global use of encryption products; and
(9) to evaluate the foreign availability of encryption products and
their threat to United States industry.
(c) Membership.--(1) The Board shall be composed of 13 members, as
follows:
(A) The Secretary, or the Secretary's designee, who shall chair the
Board.
(B) The Attorney General, or the Director of the Federal Bureau of
Investigation, or a respective designee.
(C) The Secretary of Defense, or the Secretary's designee.
(D) the Director of Central Intelligence, or his or her designee.
(E) The Special Assistant to the President for National Security
Affairs, or his or her designee.
(F) Two private sector individuals, appointed by the President, who
have expertise in consumer and privacy interests relating to or affected
by information security technology.
(G) Six representatives from the private sector who have expertise
in the development, operation, marketing, law, or public policy relating
to information security or technology.
(2) The six private sector representatives described in paragraph
(1)(G) shall be appointed as follows:
(A) Two by the Speaker of the House of Representatives.
(B) One by the Minority Leader of the House of Representatives.
(C) Two by the Majority Leader of the Senate.
(D) One by the Minority Leader of the Senate.
(e) Meetings.--The Board shall meet at such times and in such places
as the Secretary may prescribe, but not less frequently than every four
months. The Federal Advisory Committee Act (5 U.S.C. App.) does not
apply to the Board or to meetings held by the Board under this section.
(f) Findings and Recommendations.--The chair of the Board shall
convey the findings and recommendations of the Board to the President
and to the Congress within 30 days after each meeting of the Board. The
recommendations of the Board are not binding upon the President.
(g) Foreign Availability.--The consideration of foreign availability
by the Board shall include computer software that is distributed over
the Internet or advertised for sale, license, or transfer, including
over-the-counter retail sales, mail order transactions, telephone order
transactions, electronic distribution, or sale on approval.
TITLE IV--LIABILITY LIMITATIONS
SEC. 401. COMPLIANCE WITH COURT ORDER.
(a) No Liability for Compliance.--Subject to subsection (b), no civil
or criminal liability under this Act, or under any other provision of
law, shall attach to any person for disclosing or providing--
(1) the plaintext of encrypted data, including communications;
(2) the decryption information of such encrypted data, including
communications; or
(3) technical assistance for access to the plaintext of, or
decryption information for, encrypted data, including communications.
(b) Exception.--Subsection (a) shall not apply to a person who
provides plaintext or decryption information to another and is not
authorized by court order to disclose such plaintext or decryption
information.
SEC. 402. COMPLIANCE DEFENSE.
Compliance with the provisions of sections 2806, 2807, 2808, or 2809
of title 18, United States Code, as added by section 104(a) of this Act,
or any regulations authorized thereunder, shall provide a complete
defense for any civil action for damages based upon activities covered
by this Act, other than an action founded on contract.
SEC. 403. REASONABLE CARE DEFENSE.
The participation by person in the key management infrastructure
established by regulation for United States Government information
security operations under section 103 shall be treated as evidence of
reasonable care or due diligence in any proceeding where the
reasonableness of one's actions is an element of the claim at issue.
SEC. 404. GOOD FAITH DEFENSE.
An objectively reasonable reliance on the legal authority provided by
this Act and the amendments made by this Act, requiring or authorizing
access to the plaintext of otherwise encrypted data, including
communications, or to the decryption information that will allow the
immediate decryption of data, including communications, that is
otherwise encrypted, shall be a complete defense to any criminal or
civil action that may be brought under the laws of the United States or
any State.
SEC. 405. SOVEREIGN IMMUNITY.
Except as otherwise specifically provided otherwise, nothing in this
Act or the amendments made by this Act, or any regulations promulgated
thereunder, modifies or amends the sovereign immunity of the United
States.
SEC. 406. CIVIL ACTION, GENERALLY.
A civil action may be brought against any person who, regardless of
that person's participation in the key management infrastructure to be
established by regulations promulgated by the Secretary pursuant to
section 103, violates or acts in a manner that is inconsistent with or
violates the provisions or intent of this Act or the amendments made by
this Act.
TITLE V--INTERNATIONAL AGREEMENTS
SEC. 501. SENSE OF CONGRESS.
It is the sense of Congress that--
(1) the President should conduct negotiations with foreign
governments for the purposes of mutual recognition of any key management
infrastructures, and their component parts, that exist or are developed;
and
(2) such mutual recognition agreements will safeguard the privacy of
the citizens of the United States, prevent economic espionage, and
enhance the information security needs of the United States.
SEC. 502. FAILURE TO NEGOTIATE.
The President may consider a government's refusal to negotiate mutual
recognition agreements described in section 501 when considering the
participation of the United States in any cooperation or assistance
program with that country.
SEC. 503. REPORT TO CONGRESS.
(a) Report to Congress.--The President shall report annually to the
Congress on the status of the international effort outlined by section
501.
(b) First Report.--The first report required under subsection (a)
shall be submitted in unclassified form no later than December 15, 1998.
TITLE VI--MISCELLANEOUS PROVISIONS
SEC. 601. EFFECT ON LAW ENFORCEMENT ACTIVITIES.
(a) Collection of Information by Attorney General.--The Attorney
General shall compile, and maintain in classified form, data on the
instances in which encryption has interfered with, impeded, or
obstructed the ability of the Department of Justice to enforce the
criminal laws of the United States.
(b) Availability of Information to the Congress.--The information
compiled under subsection (a), including an unclassified summary
thereof, shall be made available, upon request, to any Member of
Congress.
SEC. 602. INTERPRETATION.
Nothing contained in this Act or the amendments made by this Act
shall be deemed to--
(1) preempt or otherwise affect the application of the Arms Export
Control Act (22 U.S.C. 2751 et seq.), the Export Administration Act of
1979 (50 U.S.C. App. 2401 et seq.), or the International Emergency
Economic Powers Act (50 U.S.C. 1701 et seq.) or any regulations
promulgated thereunder;
(2) affect foreign intelligence activities of the United States; or
(3) negate or diminish any intellectual property protections under
the laws of the United States or of any State.
SEC. 603. SEVERABILITY.
If any provision of this Act or the amendments made by this Act, or
the application thereof, to any person or circumstances is held invalid
by a court of the United States, the remainder of this Act or such
amendments, and the application thereof, to other persons or
circumstances shall not be affected thereby.
PURPOSE
Americans expect their phone calls, electronic mail, personal
documents, and electronic commercial activities to be secure and
private. The rapid expansion of communication and computer technology
has created vulnerabilities that leave many personal communications and
commercial transactions potentially exposed to fraud and misuse. The
development and use of strong encryption is essential to a thriving
electronic communications capability, and necessary to help safeguard
privacy and protect ourselves from crime. H.R. 695 promotes the
development and distribution of strong encryption technologies that are
intended to provide a heightened level of security and freedom to engage
in electronic commerce.
Chief among the government's obligations to its people is the duty to
protect them from threats of harm to their persons or property.
Similarly, in order to establish and maintain a government that serves
the common good and provides for the common defense, which the Framers
acknowledged was essential to a free society, national security
interests must be carefully weighed against the people's inalienable
rights of life, liberty, and property. With this interest in maintaining
the balance between individual rights and our nation's security, the
Permanent Select Committee on Intelligence sought and obtained referral
of the bill, H.R. 695. The Committee's consideration of H.R. 695 brought
to light that the bill as introduced and reported by the Committee on
the Judiciary, though certainly well-intentioned, left our intelligence
and intelligence-related capabilities at considerable risk. Likewise,
enacted without amendment, it might jeopardize the nation's (including
our state and local law enforcement agencies) ability to investigate,
apprehend, and prosecute criminals of the most serious stripe.
The Committee received evidence that strong encryption has already
been used to facilitate drug trafficking, protect child pornographers,
shield terrorist plots and communications, and hide evidence of credit
card fraud, among other notable crimes. Furthermore, the Committee is of
the view that such a law enforcement and national security risk should
not be left to the forces of the marketplace. Doing so abdicates the
responsibility of the government to protect its people from enemies,
both foreign and domestic.
Thus, the amendment in the nature of a substitute to H.R. 695,
reported favorably by the Committee, seeks simply to ensure that the
critical national security and law enforcement concerns at issue in this
debate over the nature and direction of encryption policy for the United
States will be seriously addressed.
SUMMARY
section-by-section
Section 1.--Short title
This section provides the title of the bill as the ``Security and
Freedom through Encryption (``SAFE'') Act of 1997.''
Section 2.--Statement of policy
This section sets forth the policy of the United States with respect
to encryption technology.
TITLE I--DOMESTIC USES OF ENCRYPTION
Section 101.--Definitions
This section establishes the definitions of specific terms used
throughout the bill.
Section 102.--Lawful use of encryption
This section makes clear that, except as otherwise provided, it is
lawful to use encryption products, regardless of algorithm length
selected, encryption key length chosen, or implementation technique or
medium used.
Section 103.--Voluntary private sector participation in key
management infrastructure
Subsection (a) clarifies that the use of certificate authorities or
key recovery agents is completely voluntary.
Subsection (b) provides the Secretary of Commerce with regulatory
authority to establish standards for creating voluntary key management
infrastructures. The Committee believes that the development of key
management infrastructures is important to the interoperability that is
necessary for the further development of safe and secure electronic
commerce. Any regulations promulgated should allow the voluntary
participation of private persons and non-federal entities. These
regulations should also encourage the development of certificate
authorities and key recovery agents.
Subsection (c) will permit key recovery agents or certificate
authorities to register themselves with the Commerce Department. In
addition, such entities will be allowed, if they choose, to identify
themselves as meeting the standards established by the Secretary.
Section 104.--Unlawful use of encryption
This section amends Title 18, United States Code, by new sections
2801 through 2811 within a new chapter 122, which bears the heading,
``Chapter 122-Encrypted Data, Including Communications.''
New section 2801 of title 18, United States Code, would make it a
criminal offense to use encryption in furtherance of the commission of a
federal crime. The penalties attached to such crimes would be in
addition to any sentence imposed for the underlying offense. For first
time offenders, the potential penalties are not more than 5 years in
prison, a fine under Title 18, United States Code,\1\
or both. For repeat offenders of this provision, the jail time is
potentially no more than an additional 10 years. This section would
apply equally to any investigative or law enforcement officer who is
found to have violated these provisions.
\1\Title 18, United States Code, Section 3571 establishes the fine
schedule for all Title 18 criminal violations. For an individual
convicted of a felony, the fine would, generally, be $250,000. For an
organization convicted of a felony, the fine would, generally, be
$500,000. Some specific criminal provisions may specify higher fine
amounts. Any criminal provision authorizing a lower fine amount is
nullified by enactment of subsection (e) of section 3571 of Title 18,
United States Code.
New section 2801 creates several new crimes. First, it makes it
illegal to intentionally obtain or use decryption information without
lawful authority in order to decrypt data, including information. Next,
it makes it a criminal offense to exceed lawful authority in decrypting
data, including communications. This new section would make the breaking
of the encryption code of another without lawful authority and with the
purpose of violating that person's privacy or security, or for the
purpose of depriving that person of his or her property a criminal
violation of law. Likewise, it would be illegal to impersonate another
for the purpose of obtaining that person's decryption information
without lawful authority. Importantly, it also makes it unlawful to
facilitate or assist in the encryption of data, including
communications, that are to be used in furtherance of a crime. Finally,
it makes it illegal to otherwise disclose decryption information in
violation of the provisions of new chapter 122 of Title 18, United
States Code. Each of these criminal violations is subject to a potential
penalty of not more than 10 years in prison, a fine under Title 18,
United States Code, or both. This section would apply equally to any
investigative or law enforcement officer who is found to have violated
these provisions.
New section 2803 will make it unlawful after January 31, 2000, to
sell in interstate or foreign commerce any encryption product that does
not provide duly authorized persons an immediate access to plaintext
capability, or immediate decryption capability. Under this new chapter
of Title 18, United States Code, such duly authorized persons only
include those presenting an order from a court of competent jurisdiction
requiring that such access or provision of decryption information be
made. This section would apply equally to any investigative or law
enforcement officer who is found to have violated these provisions.
New section 2804 establishes manufacturing and service requirements
on encryption products intended for distribution and use after January
31, 2000. Subsection (a) requires all public network service providers
to offer encryption products or services that ensure an immediate
decryption capability or an immediate access to plaintext capability.
Subsection (b) requires any person who manufactures for distribution,
distributes, or imports encryption products intended for sale or use in
the United States to include in such products features or functions that
provide an immediate access to plaintext capability. These features or
functions must permit the immediate decryption of data, including
communications, without the knowledge or cooperation of the person being
investigated, but only upon the presentation of a facially valid order
issued by a court of competent jurisdiction. Alternatively, encryption
products may be manufactured for distribution, distributed, or imported
even if they do not meet the requirements set forth above, so long as
they can be used only on systems or networks that include features or
functions that otherwise provide the immediate access to plaintext
capability previously discussed. Finally, persons are free to
manufacture encryption products that do not comport with any of the
requirements set forth here, so long as they otherwise meet the
technical requirements and functional criteria established by the
Attorney General, pursuant to subsection (c).
Subsection (c) provides the Attorney General with regulatory
authority to promulgate technical requirements and functional criteria
for encryption products that will allow for an immediate access to
plaintext capability, or otherwise enable the immediate decryption of
the otherwise encrypted data, including communications. This subsection
provides industry with an opportunity to seek an advisory opinion from
the Attorney General as to a particular product intended for
manufacturer or distribution. Such advisory opinions serve an important
function in that they will provide the industry with clear guidance on
products intended for sale. This procedure will hopefully alleviate the
need for lawsuits to enjoin the distribution or manufacture of
encryption products. This subsection specifically provides that the
Attorney General cannot require a particular methodology to be used in
meeting her technical requirements or functional criteria.
Subsection (d) authorizes the use, even after January 31, 2000, of
encryption products purchased or in use prior to that date. This
alleviates any ex post facto problem. The Committee also recognizes that
industry will need to develop new product lines to comply with the
provisions of this amendment. Thus, in order to allow those
manufacturers an opportunity to recoup some of their research and
development investment this provision allows them to continue to sell
their current product line for the next two-plus years.
New section 2805 sets forth procedures whereby the onus is on the
government to prohibit the manufacture or distribution of an encryption
product, after January 31, 2000, that she or the Secretary of Commerce
believes does not meet the technical requirements or functional criteria
established by the Attorney General. The Committee believes that it is
appropriate for the Attorney General to bear the burden, in a court of
law, before an independent arbiter of the facts, of keeping a particular
encryption product out of the market place. The provision allows for the
closure of such proceedings to protect the proprietary interest in any
information that might be disclosed through a public proceeding.
Furthermore, the provision will provide those who obtained an advisory
opinion with an absolute defense to the lawsuit as long as the product
at issue comports in every aspect with the requirements announced in the
Attorney General's advisory opinion.
New section 2806 sets forth the standards and procedures for the
issuance of a court order granting an investigative or law enforcement
officer access to the plaintext of otherwise encrypted data, including
communications, or compelling the provision of decryption information to
an investigative or law enforcement officer. The application for such
order must be made by an attorney for the government. That application
must establish facts supporting the finding that the plaintext or
decryption information is relevant to an on-going and legitimate law
enforcement or foreign counterintelligence investigation. The
application and any order issued thereon may be made ex parte and placed
under seal. Disclosure of the application or order is not authorized by
anyone, except as otherwise permitted by this section, or another order
of the court. This section also comports with any obligation the United
States may have to any foreign government under any effective Mutual
Legal Assistance Treaties
This section also requires that the court granting access to
plaintext or the disclosure of decryption information, shall also ensure
that a verifiable audit trail of any access to plaintext or decryption
information be maintained. This record shall not be maintained in a
place or in a manner under the custody or control of the investigative
or law enforcement officer gaining the access under this section. The
record will then be tendered to the court upon an order of the court.
Subsection (d) clarifies that nothing in this new chapter shall be
read to expand or modify any other constitutional or statutory
requirement under which a government entity is entitled to intercept or
obtain oral, wire, or electronic communications, or information.
Subsection (e) mandates a strict construction of this new chapter so
that it is read only to apply to a government entity's ability to
decrypt or otherwise gain access to the plaintext of data, including
communications, for which it previously obtained lawful authority to
intercept or obtain.
New section 2807 provides the users of encryption products with a
statutory right to be notified when their decryption information is
provided to law enforcement, or when law enforcement is granted access
to the plaintext of their data, including communications. This section
does provide for a delayed notification to the user so as not to
jeopardize the integrity of the on-going criminal investigation or
foreign counter-intelligence investigation. Basically, the user must be
notified within 90 days after the filing of an application for the
decryption information, or for access to the plaintext, unless the judge
finds good cause warranting the delay. Specifically, however, none of
the decrypted contents of the encrypted information that has been
obtained, nor any evidence derived therefrom may be used in any
proceeding unless the user has been furnished with a copy of the order,
application, and the data, including communications. The user may move
to suppress the use of any of the plaintext or evidence derived
therefrom in any proceeding on the grounds that the plaintext or the
decryption information was unlawfully obtained. This section also
provides aggrieved persons with a civil cause of action for any
violations of this new chapter.
New section 2808 limits the lawful uses of any plaintext or
decryption information may be put. It may be used for the purposes of
conducting a lawful criminal or foreign counterintelligence
investigation, and for the purposes of preparing for and prosecuting any
criminal violation of law. It may not be disclosed to any party to a
civil suit that does not arise from the criminal investigation or
prosecution, unless a court finds that there is no alternative means of
obtaining the plaintext, or decryption information and that the
interests of justice would not be served by nondisclosure. This section
further clarifies that decryption information may not be used to
determine the plaintext unless the officer possesses other lawful
authority to the plaintext.
This section also outlines the procedures for returning or destroying
any decryption information upon the conclusion of the investigation,
trial, or proceeding.
This section also places limitations upon any person acting as a key
recovery agent. It specifies to whom and under what circumstances
decryption information may be provided to another person by a key
recovery agent.
New section 2809 requires those who are providing decryption
information to an investigative or law enforcement officer to so
identify that information in order to avoid any inadvertent disclosure.
The officer is responsible for maintaining the decryption information in
such a manner so as to reasonably assure against inadvertent disclosure.
New section 2810 makes it a crime to knowingly export an encryption
product after January 31, 2000 that does not include an immediate access
to plaintext capability, or that does not provide an immediate
decryption capability. This criminal provision carries a potential
prison term of not more than 5 years.
New section 2811 incorporates the definitions set forth at section
101 of this Act as the definitions to be utilized for new chapter 122 of
Title 18, United States Code.
TITLE II--GOVERNMENT PROCUREMENT
Section 201.--Federal purchases of encryption products
This section requires the United States Government, after January 1,
1999, to purchase only those encryption products enabling the immediate
decryption by an authorized party, without the knowledge or cooperation
of the person using the encryption product. This requirement only
applies to those products or services obtained for providing security
service for a federal computer system.
Section 202.--Encryption products purchased with Federal funds
This section requires that any encryption product or service
purchased directly with federal funds after January 1, 1999, shall
enable the immediate decryption by an authorized party, without the
knowledge or cooperation of the person using the encryption product. The
Committee does not intend that this provision applies to any product
purchased by institutions receiving federal grants or other funding, if
such institution does not require interoperability with the United
States government, such as universities or public libraries.
Section 203.--Networks established with Federal funds
This section requires that any communications network that is
established directly with federal funds after January 1, 1999, must use
encryption products that include techniques enabling the immediate
decryption of data, including communications, without the knowledge or
cooperation of the person using the encryption product or service. It is
not intended that private communications networks that might benefit
from federal grants satisfy this requirement. Rather, the Committee
intends that this provision apply solely to those communication networks
established for the purpose of communication with the United States
government, either on a contractual basis, or as an element of the
government.
Section 204.--Product labels
This section allows for the labeling of encryption products so that
purchasers and users are aware that the product is authorized for sale
to, or for use in transactions with, the United States government.
Section 205.--No private mandate
This section articulates the policy that the United States government
shall not require the use of particular encryption standards for the
private sector.
Section 206.--Implementation
This section specifically states that encryption products used solely
for access control, authentication, integrity, nonrepudiation, or
digital signatures are not covered by the provisions of this title.
Moreover, this section grants the Secretary of Commerce regulatory
authority to effectuate the provisions of this title.
TITLE III--EXPORTS OF ENCRYPTION
Section 301.--Exports of encryption
Subsection (a) establishes that the Secretary of Commerce, acting in
close coordination with the Secretary of Defense, and other executive
branch agencies with responsibility for protecting the national
security, has the authority to exercise control over the export of
encryption products.
Subsection (b) clarifies that export control decisions made by the
Secretary are not subject to judicial review.
Section 302.--License exception for certain encryption products
Subsection (a) sets criteria for export license exceptions of
encryption products after January 31, 2000. Specifically, products
eligible for exemptions must: be submitted to the Secretary of Commerce
for a 1-time product review; not include features that would require
licensing under other applicable regulations; not be destined for
countries that are determined ineligible on national security grounds.
In addition, the product must include a means of obtaining immediate
access to plaintext capability if there is lawful authority for such
access.
Subsection (b) clarifies that the immediate access to plaintext
capability need not be enabled by the manufacturer before or at the time
of export.
Subsection (c) requires the Secretary, in close coordination with the
Secretary of Defense and other relevant executive branch agency heads,
to promulgate regulations for the 1-time review process; and sets a time
limit of 30 days for that review process. This subsection establishes
that the 30-day time clock starts when the Secretary has received a
completed application for license exception and the encryption product
intended for export.
Subsection (d) clarifies that the Secretary of Commerce and the
Secretary of Defense still maintain any authorities they currently
possess under any other provisions of law, including the Export
Administration Act of 1979, as continued in effect under the
International Emergency Economic Powers Act.
Subsection (e) establishes a presumption in favor of exporting
products submitted to the Secretary under this section. The burden will
be on the Secretary of Commerce to deny export.
Subsection (f) provides the President with the authority to waive any
portion of this title for national security purposes. Requires the
President to report to the relevant committees of Congress within 15
days after this authority is used.
Subsection (g) lists the committees in the House and Senate that
would receive a report under the previous subsection.
Section 303.--License exception for telecommunications products
This section provides a specific exemption for certain voice
encryption products. Products will be eligible for this exemption if,
after a 1-time review, the Secretary of Commerce determines that the
inclusion of information recovery capability would disadvantage U.S.
exporters; and the export of the voice encryption product would not pose
a risk to foreign policy, nonproliferation, or national security.
Section 304.--Review for certain institutions
This section requires the Secretary of Commerce to establish an
expedited export license exception review process for encryption
products to be used by qualified banks, financial institutions, U.S.
businesses, and other users specifically authorized by the Secretary.
Section 305.--Encryption Industry and Information Security Board
This section establishes an Encryption Industry and Information
Security Board (``EIISB'') to advise the President on future encryption
policy and technological advancements that would serve to alter the
United States policy on encryption products. This section also defines
the purposes of the board. It further specifies that the Board shall be
composed of 13 members, and how those members shall be appointed. In
addition to the Secretaries of Commerce and Defense, the Attorney
General or the FBI Director, the Director of Central Intelligence, and
the National Security Advisor to the President, or their designees will
sit on the EIIS Board. The board shall include two individuals appointed
by the President who should have no ties to the industry, but who can
represent the interests of consumer groups and civil liberties advocacy
groups. There will also be appointed six representatives from the
private sector who together have expertise in the many facets of
information security, including the technical and legal issues
surrounding the use of information security technology. The Board will
report to the President and Congress, and their recommendations are not
binding.
TITLE IV--LIABILITY LIMITATIONS
Section 401.--Compliance with court order
This section states that a person shall not be held civilly or
criminally liable under this Act, or under any other provision of law,
for acting in compliance with a court order compelling the disclosure of
plaintext or decryption information.
Section 402.--Compliance defense
This section provides a complete defense for any non-contract action
for damages based upon activities covered by the Act as long as the
person complies with the provisions of sections 2806, 2807, 2808, or
2809 of title 18, United States Code, as added by section 104(a) of this
Act, or any regulations authorized thereunder.
Section 403.--Reasonable care defense
This provision encourages the participation in a key management
infrastructure that meets the standards suggested by the Secretary of
Commerce under section 103 of this Act. This section authorizes the use
of one's participation in such key management infrastructure as evidence
of reasonable care in a case where the reasonableness of one's actions
is at issue.
Section 404.--Good faith defense
This section provides anyone who relies on the legal authority
provided under this Act as the basis for providing an investigative or
law enforcement officer with access to the plaintext of otherwise
encrypted data, including communications, or for providing such officer
with decryption information, with a complete defense to any criminal or
civil action arising therefrom.
Section 405.--Sovereign immunity
This section clarifies that nothing in this Act modifies or amends
the sovereign immunity of the United States.
Section 406.--Civil action, generally
This section allows a civil action to be brought against any person
who violates or acts in a way that is inconsistent with the provisions
or intent of this Act.
TITLE V--INTERNATIONAL AGREEMENTS
Section 501.--Sense of Congress
This section expresses the Sense of Congress that the President
should negotiate with foreign governments to establish mutual
recognition of key management infrastructures.
Section 502.--Failure to negotiate
This section permits the President to take a country's refusal to
negotiate into consideration when making decisions about U.S.
participation in any cooperation or assistance program with that
country.
Section 503.--Report to Congress
This section requires an annual report to Congress on the status of
the negotiations, with the first report due December 15, 1998.
TITLE VI--MISCELLANEOUS PROVISIONS
Section 601.--Effect on law enforcement activities
This section requires the Attorney General to compile, and maintain
in classified form, information on those instances where encryption has
posed problems in the enforcement of federal laws. This information will
be available to any Member of Congress upon request.
Section 602.--Interpretation
This section clarifies the relationship of the bill to the
interpretation of certain laws: the bill does not preempt the
application of other important export control acts, including: the Arms
Export Control Act, the Export Administration Act, or the International
Emergency Economic Powers Act; it does not affect foreign intelligence
activities of the United States; nor does it diminish US or State
intellectual property protections.
Section 603.--Severability
This section permits any court reviewing this Act to sever any
provision from the remainder of the Act, so as not to find the Act
invalid in its entirety.
BACKGROUND AND NEED FOR LEGISLATION
H.R. 695, as amended by the Committee on the Judiciary, has broad
implications on the intelligence and intelligence-related activities of
the United States. The Intelligence Committee has jurisdiction over
legislation relating to the intelligence and intelligence-related
capabilities of the United States, including the FBI's domestic
counter-intelligence and counter-terrorism functions. Thus, upon the
Chairman's request, the Speaker referred the bill to the Committee for
its consideration.
Primary among the Committee's concerns was how the development of
strong and unbreakable encryption technology would affect the national
security of the United States. The Defense Department's need for
information security technology is essential to its force protection and
war fighting functions. Likewise, information security is critical to
the President and his advisors. It is necessary to the Department of
State in its development of sound foreign policy. Encryption technology
that does not provide for access points to plaintext, or the re-capture
of communications and data, puts these needs at considerable risk.
The development of encryption technologies that does not take into
consideration society's desire to prevent, investigate, and prosecute
crimes, is of no sizable benefit to society. Such encryption technology
would allow criminals to act with impunity, without concern that their
actions might be subject to exposure by lawful authorities. The FBI, the
agency primarily responsible for counter-terrorism and domestic
counter-espionage efforts, and the investigation of child pornography
and kidnapping, could find itself especially handicapped in these areas.
Likewise, the Drug Enforcement Administration, which is responsible to
the nation for counter-narcotics operations, could be negatively
affected by H.R. 695. Similarly, the Committee was greatly concerned
that State and local law enforcement agencies' ability to provide their
citizenry with a free and peaceful place to live and work would be
seriously jeopardized.
As considered by the Permanent Select Committee on Intelligence, H.R.
695 left the public's safety and our nation's security to the forces of
the marketplace. The ``SAFE'' Act provided no mechanism or technological
capability for law enforcement or national security to access the
plaintext of data, including communications. It would ultimately have
rendered meaningless any other law, including the Fourth Amendment,
entitling law enforcement to such evidence. It would have
negated our intelligence collectors' abilities to perform their vital
national security functions. The Committee found that, to the detriment
of the national security and law enforcement equities of the United
States, H.R. 695 encouraged the development of unbreakable encryption
technologies, seeming based upon an absolutist's view of the First
Amendment and one's ``right of privacy.''
H.R. 695 did nothing to encourage the development of systems or
software that would meet the crucial needs of national security or law
enforcement. The bill placed the determination of whether a particular
export of encryption technology affected the national security interests
of the United States solely in the hands of the Secretary of Commerce,
with no role whatsoever for the national security apparatus of the
United States government. This, despite the proponents acknowledgment of
the national security benefit that encryption technology can provide to
the government.
The proponents of H.R. 695 argue that the legislation enhances the
needs of law enforcement. They contend that strong encryption software,
widely available to the public, will secure our computer networks,
defeat fraud, and instill trust in the already booming Internet. This
trust, they assert, is necessary to release the opportunities available
through electronic commerce.
None of this is disputed.
Congress has on many occasions accepted the premise that the use of
electronic surveillance is a tool of utmost importance in many criminal
investigations, especially those involving serious and violent crime,
terrorism, espionage, organized crime, drug-trafficking, corruption, and
fraud. There have been numerous cases where law enforcement, through the
use of electronic surveillance, has not only solved and successfully
prosecuted serious crimes and dangerous criminals, but has also been
able to prevent serious and life-threatening criminal acts. For example,
terrorists in New York were plotting to bomb the United Nations
building, the Lincoln and Holland tunnels, and 26 Federal Plaza as well
as conduct assassinations of political figures. Court-authorized
electronic surveillance enabled the FBI to disrupt the plot as
explosives were being mixed. Ultimately, the evidence obtained was used
to convict the conspirators. In another example, electronic surveillance
was used to prevent and then convict two men who intended to kidnap,
molest and then kill a male child.
The supporters of the bill insist that the problem for law
enforcement is a narrow problem, only affecting approximately 1,100
wiretaps per year, while encryption provides great security benefits to
the electronic marketplace.\2\
The Committee is concerned that the problems posed by H.R. 695 are not
as narrow as the bill's supporters claim. The problem that some see as
``narrow'' is in fact the entirety of the problem. Were the 1,100 or so
wiretaps conducted by federal, state, and local law enforcement agencies
across the country in the last year protected with unbreakable
encryption, the scores of drug traffickers, child pornographers,
kidnappers, Mafiosi, terrorists, and spies that were identified,
investigated, and prosecuted, through the use of those wiretaps, would
still be at large.
\2\Mr. Jerry Berman, Executive Director of the Center for Technology and
Democracy before the House Judiciary Committee, March 20, 1997.
The Committee notes, with considerable concern, that the threat such
encryption creates is not limited to the FBI alone.
From a national security perspective, this is not a problem that will
begin sometime in the future; we are already encountering the effects of
encryption today. For example:
Convicted spy Aldrich Ames was told by the Russian intelligence
service to encrypt computer file information that was to be passed to
them;
An international terrorist was plotting to blow up 11 U.S.-owned
commercial airliners in the far east. His laptop computer which was
seized during his arrest in Manila contained encrypted files concerning
this terrorist plot; and
A major international drug trafficking subject recently used a
telephone encryption device to frustrate court-approved electronic
surveillance.
H.R. 695 did little to facilitate or promote technological
development of access points for interception, or provide for an
immediate decryption capability, through a court order process. The
Committee is of the view that these requirements can be fashioned in a
way that does not undermine a citizen's right against unreasonable
searches and seizures or unnecessarily abridge his or her freedom of
speech. There is considerable precedent in statute for a regime that
balances privacy, law enforcement concerns, and national security.\3\
\3\Title III of the Omnibus Crime Control Act of 1968 codified the
government's authority to require service providers to supply technical
assistance to enable law enforcement (Federal, state, and local) to
intercept oral, electronic, and wire communications, upon the
presentment of a court order. That Act balanced the competing rights of
the individual and the government under the 4th Amendment by setting out
in the statute judicial oversight, minimization, and delayed
notification procedures that have met the test of time. That Act
established the constitutionality of a government mandate upon
technology for the societal benefit of public safety and national
security.
The benefit that strong encryption, without access to plaintext
capabilities, provides to the individual encryption user is equally
provided to the person with criminal intent. The child pornographer will
be able to operate with impunity. If there is no mechanism, no
technological way of decrypting his files without his permission, there
will be no way for the law to break his code, to access his computer
files, to develop evidence of his criminal acts and bring him to
justice. This is the world without a statutory requirement for access to
plaintext capability for stored data, or communications.
Likewise, without access to plaintext capability for our intelligence
collectors, international terrorists communicating across the Internet,
or through digital communications, sending encrypted messages to their
comrades discussing their plans to attack United States interests, can
rest assured that their conspiracy will not be discovered, penetrated,
frustrated, nor prosecuted by law enforcement authorities.
To be sure, as envisioned by the authors of the Bill of Rights, the
Fourth Amendment stands as a bulwark against unreasonable government
intrusion into the lives of its citizens. That freedom is jealously
guarded by the people, through the power and authority of the Judicial
Branch of our governmental structure. Certainly, the use of encryption
technology to protect electronic data and communication accesses the
same right to privacy as the use of a safe to protect paper documents.
Nothing in our constitutional framework, however, provides for
absolutes. There is no absolute freedom of expression. There is no
absolute freedom from search and seizure. Nothing about computer
technology alters this constitutional truism. The Bill of Rights
delicately balances the competing interests of the people and the
nation. The Constitution recognizes that the freedoms embodied in the
Bill of Rights are joined with responsibilities. The people are
responsible for acting within the bounds of the law. The government, on
the other hand, is responsible for acting reasonably. When a citizen
violates the law, the Constitution permits reasonable government action
to discover and expose that criminal activity. This is the essence of
the Fourth Amendment. The Committee notes with concern that encryption
technology, which will have enormous benefits, can also threaten the
underpinnings of the Constitutional balance struck in the text of the
Fourth Amendment if the technology is allowed to develop unchecked and
without regard to one's civic responsibilities.
The privacy interests of encryption users should not be minimized,
nor given absolute value. A balance must be established. It is true that
access to decryption information could give the government an
opportunity for mischief. Statutory safeguards against the impermissible
use of decryption information can be employed to adequately deter such
violations of privacy. Additionally, users of encryption should be
notified that their decryption information has been accessed. But, the
timing of this notification, like that permitted by the wiretap statute,
is very important to the integrity of any criminal or
counter-intelligence investigation.
With respect to export controls over encryption products, including
software, hardware, and technology, it is important to the country's
security interests to permit the export only of those encryption
products that fulfill the goals of promoting and securing information
systems of American citizens, while at the same time enabling the
intelligence community to continue to support our policy makers,
deployed forces, and U.S. interests at home and overseas.
Currently, the Administration regulates the export of encryption
products and requires a license prior to export. On October 1, 1996, the
Vice President announced for the Administration that it would begin
allowing 56-bit DES encryption products, or its equivalent, under a
general license upon the presentment of the product for a one-time
review so long as the exporting company committed to building and
marketing future products that were supportive of key recovery. On
November 1, 1996, President Clinton issued Executive Order 13026, 61
Fed. Reg. 58767 (November 19, 1996) implementing the policy outlined by
the Vice President the month before. The Administration, through
Ambassador Aaron, the U.S. Special Envoy for Encryption Policy, is also
currently engaged in a multi-lateral effort to reach agreement in the
international community on export standards supportive of key recovery
products.
Proponents of H.R. 695 argue that export barriers need to be removed
to enhance and improve the already superior position of American
encryption manufacturers in foreign markets. They contend that our
software industry will in a matter of years, under the current
regulatory regime, suffer substantial losses in terms of jobs and
profits. They argue that there are encryption products already widely
available in foreign countries and on the Internet that are competing
with U.S. manufactured encryption products and in the near term could
strip U.S. industry of its preeminence in this field.
Foreign availability is an issue that is repeatedly raised in the
encryption debate. Industry claims that encryption products are widely
available overseas, that other countries do not control their export,
and that American firms are suffering significant losses. A study of
this issue found that claims of widespread foreign availability of
encryption products were not entirely accurate. According to industry
experts, widespread use of foreign encryption has not become manifest,
although the pace of change and the market for information technology is
rapid and a growing number of strong encryption products exist.
Only a few countries, other than the United States, produce
encryption products at this time. Some, like Switzerland, produce only
specialized products for a small segment of the market. Others, like
Japan, produce primarily hardware products. These countries all have
export controls on encryption. As noted, Ambassador Aaron is engaged in
regular discussions with them. The Committee believes that the issue of
foreign availability is one which the Administration must closely
monitor as we move toward a permanent policy on encryption.
The Committee shares the concern that American encryption products
could be replaced by foreign competitors. It notes, however, that the
American grip on the market is remarkable, not just for its share of the
market, but for its longevity. American technology manufacturers control
no less than 75% of the global market, despite what many consider to be
a ``restrictive'' policy on encryption products. It is acknowledged on
both sides of this issue that American encryption technology is the best
in the world. There is no desire to undermine that position, nor
diminish the U.S. preeminence in this regard.
CONCLUSION
The encryption policy of the United States requires a comprehensive
approach that takes into account the equities and prerogatives of the
intelligence community; federal, state, and local law enforcement;
industry; and the citizens of the United States. The Committee's
amendment in the nature of a substitute to the bill as reported by the
Committee on the Judiciary, which is further explained in the
section-by-section analysis, makes an effort at balancing the important
national security, public safety, and privacy interests that are at
stake in this debate.
COMMITTEE PROCEEDINGS
The Committee was briefed on the subject of encryption on May 6, 1997
by the Hon. William Reinsch, Under Secretary, Bureau of Export
Administration, Department of Commerce; Hon. William Crowell, Deputy
Director, National Security Agency; and Hon. Robert Litt, Deputy
Assistant Attorney General, Criminal Division, United States Department
of Justice.
The Committee held a hearing on September 9, 1997 in which it heard
testimony from: the Hon. Bob Goodlatte, United States Representative,
6th District of Virginia; Hon. Zoe Lofgren, United States
Representative, 16th District of California; Hon. Louis J. Freeh,
Director, Federal Bureau of Investigation; Hon. William Reinsch, Under
Secretary, Bureau of Export Administration, Department of Commerce; and
Hon. William Crowell, Deputy Director, National Security Agency.
The Committee extensively reviewed additional testimony and written
materials relating to encryption policy in general and H.R. 695 in
particular, including: ``Terrorism in the Next Millennium: Enter the
Cyberterrorist,'' by George R. Barth, National Counterintelligence
Center; ``Deciphering the Cryptography Debate,'' by Kenneth Flamm, The
Brookings Institution; Hon. Michelle Van Cleave, Assistant Director for
National Security, White House Office of Science and Technology Policy,
remarks before AFCEA Convention, June 25, 1992; Hon. Janet Reno, United
States Attorney General, letter to Members of Congress, July 18, 1997;
Hon. Louis J. Freeh, Director, Federal Bureau of Investigation,
testimony before the United States Senate Committee on Commerce, Science
and Transportation, March 19, 1997; Hon. Louis J. Freeh, testimony
before the United States Senate Committee on the Judiciary, June 25,
1997; Hon. John Kyl, United States Senator, Arizona, remarks before the
Heritage Foundation, July 28, 1997;
Testimony before the United States Senate Judiciary Subcommittee on
Technology, Terrorism and Government Information, September 3, 1997:
Hon. Louis J. Freeh, Director, Federal Bureau of Investigation; Dorothy
E. Denning, Georgetown University; Jeffery A. Herig, Special Agent,
Florida Department of Law Enforcement; Robert R. Burke, Director of
Corporate Services and Security, Monsanto Company, and Chairman of the
Subcommittee for Protection of Information and Technology, Overseas
Security Advisory Council, United States Department of State; Ken
Lieberman, Senior Vice President for Corporate Risk Management, Visa
USA; R. Patrick Watson, Director, Worldwide Corporate Security, Eastman
Kodak Company;
Testimony before the United States House of Representatives Commerce
Subcommittee on Telecommunications, Trade, and Consumer Protection,
September 4, 1997: Hon. Bob Goodlatte, United States Representative, 6th
District of Virginia; Hon. William Reinsch, Under Secretary, Bureau of
Export Administration, Department of Commerce; Hon. Robert Litt, Deputy
Assistant Attorney General, Criminal Division, Department of Justice;
Stephen T. Walker, President and CEO, Trusted Information Systems, Inc.;
Thomas Parenty, Director of Data/Communications Security, Sybase, Inc.;
George A. Keyworth, II, Ph.D., Chairman, Progress & Freedom Foundation;
Jerry Berman, Executive Director, Center for Democracy and Technology;
Hearing records of: Hearing on H.R. 3011 (104th Congress), before the
United States House of Representatives Committee on the Judiciary,
September 25, 1996; Hearing on H.R. 695, before the United States House
of Representatives Judiciary Subcommittee on Courts and Intellectual
Property, March 20, 1997; and the redacted released transcript of the
United States House of Representatives International Relations Committee
Members' briefing, June 26, 1997.
In addition, the Committee staff was briefed on the subject of
encryption from representatives of IBM, ORACLE, Center for Technology
and Democracy, Netscape, and Motorola.
COMMITTEE CONSIDERATION
The Committee met on September 11, 1997, and in open session
approved, by voice vote, the Goss/Dicks amendment in the nature of a
substitute to H.R. 695, as amended and reported by the Committee on the
Judiciary. The Committee, in open session, ordered H.R. 695, as amended,
reported favorably by voice vote, a quorum being present.
VOTE OF THE COMMITTEE
During its consideration of H.R. 695, the Committee took no rollcall
votes.
FINDINGS AND RECOMMENDATIONS OF THE COMMITTEE ON GOVERNMENT REFORM AND
OVERSIGHT
With respect to clause 2(l)(3)(D) of rule XI of the Rules of the
House of Representatives, the Committee has not received a report form
the Committee on Government Reform and Oversight pertaining to the
subject of the bill.
OVERSIGHT FINDINGS
In compliance with clause 2(l)(3)(A) of rule XI of the Rules of the
House of Representatives, the Committee reports that the findings and
recommendations of the Committee, based on oversight activities under
clause 2(b)(1) of rule X of the Rules of the House of Representatives,
are incorporated in the descriptive portions of this report.
NEW BUDGET AUTHORITY AND TAX EXPENDITURES
Clause 2(l)(3)(B) of House rule XI does not apply because this
legislation does not provide new budgetary authority or increased tax
expenditures.
CONGRESSIONAL BUDGET OFFICE ESTIMATES
U.S. Congress,
Congressional Budget Office,
Washington, DC, September 16, 1997.
Hon. Porter J. Goss, Chairman, Committee on Intelligence,
House of Representatives, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has prepared the
enclosed cost estimate for H.R. 695, the Security and Freedom Through
Encryption (SAFE) Act.
If you wish further details on this estimate, we will be pleased to
provide them. The CBO staff contacts are Rachel Forward (for federal
costs); Alyssa Trzeszkowski (for revenues); Pepper Santalucia (for the
state and local impact); and Jean Wooster (for the private-sector
impact).
Sincerely,
James L. Blum
(For June E. O'Neill, Director ).
Enclosure.
H.R. 695--Security and Freedom Through Encryption (SAFE) Act of 1997
Summary: H.R. 695 would establish policies for the domestic use and
export of encryption products that facilitate the creation of secure
computer networks.
Assuming appropriation of the necessary amounts, CBO estimates that
enacting this bill would result in additional discretionary spending of
between $4.5 million and $7.1 million over the 1998 2002 period by the
Bureau of Export Administration (BXA) and the Department of Justice
(DOJ). Spending by BXA and DOJ for activities required by H.R. 695 would
total between $9 million and $11.6 million over the next five years--as
compared to spending by BXA of about $4.5 million over the same period
under current policies. (Spending related to monitor encryption products
by DOJ is negligible under current law.)
Enacting H.R. 695 also would affect direct spending and receipts
beginning in fiscal year 1998 through the imposition of criminal fines
and the resulting spending from the Crime Victims Fund. Therefore,
pay-as-you-go procedures would apply. CBO estimates, however, that the
amounts of direct spending or receipts would not be significant.
H.R. 695 contains an intergovernmental mandate as defined in the
Unfunded Mandates Reform Act (UMRA), but CBO cannot estimate the cost of
complying with that mandate at this time. The bill also would impose a
private-sector mandate on public network service providers and
manufacturers, distributors, and importers of encryption products. CBO
estimates that the total direct cost of complying with this mandate
would exceed the statutory threshold ($100 million in 1996, adjusted
annually for inflation) for private-sector mandates established in UMRA.
CBO's full analysis of the cost of the intergovernmental and the
private-sector mandates will be provided under separate cover.
Description of the bill's major provisions: H.R. 695 would establish
controls for the domestic use and export of encryption technologies. The
bill would allow individuals in the United States to use any form of
encryption but would prevent the sale of encryption products without
plaintext recovery systems after January 31, 2000. (The term
``plaintext'' means the readable or comprehensible format of
information.) The bill would authorize the Department of Commerce to
exempt encryption products with plaintext recovery systems from certain
export licensing requirements after the same date. In addition, H.R. 695
would require the Secretary of Commerce to establish a key management
system for use by the federal government and private-sector
organizations. A key management system enables agencies or companies to
entrust the code to encryption products to a third party.
H.R. 695 would establish procedures to enable law enforcement
officials to gain access to plaintext recovery systems upon presentation
of a court order. The bill would direct the Attorney General to maintain
data on the instances in which encryption impedes or obstructs the
ability of DOJ to enforce criminal laws. Finally, the bill would
establish criminal penalties and fines for the use of encryption
technologies to further a crime, for the unlawful access of encrypted
information, or for the unlawful sale of encryption technologies.
Estimated cost to the Federal Government
Spending Subject to Appropriation
Under current policy, BXA would likely spend about $900,000 a year,
totaling $4.5 million over the 1998 2002 period, to monitor exports of
encryption products. Assuming appropriation of the necessary amounts,
CBO estimates that enacting H.R. 695 would increase BXA's
encryption-related costs to about $6.6 million over the same period.
That cost consists of two components: (1) costs to monitor encryption
exports, and (2) costs for the new key management system. H.R. 695 would
authorize the Department of Commerce through BXA to exempt encryption
products with plaintext recovery systems from certain export licensing
requirements after January 31, 2000. As a result, CBO estimates that the
agency's cost to monitor encryption exports would decrease from about
$900,000 in fiscal years 1998 and 1999 to about $650,000 in fiscal year
2000 and $500,000 in each year thereafter, for a five-year total of
about $3.5 million. H.R. 695 also would require the agency to establish
and maintain a key management system. Based on information from BXA, CBO
estimates that establishing and maintaining this system would cost BXA
about $500,000 in fiscal year 1998 and $600,000 in each year thereafter,
for a five-year total of about $3.1 million.
H.R. 695 would require the Department of Justice to collect and
maintain data on the instances in which encryption impedes or obstructs
the ability of the agency to enforce criminal laws. The agency is
uncertain as to how much it would cost to track such classified
information nationwide. For the purposes of this estimate, CBO projects
that collecting and maintaining the data would cost DOJ between $500,000
and $1 million a year, assuming appropriation of the necessary amounts.
Direct Spending and Revenues
Enacting H.R. 695 would affect direct spending and receipts through
the imposition of criminal fines for the use of encryption technologies
to further a crime, for the unlawful access of encrypted information,
and for the unlawful sale of encryption technologies. CBO estimates that
collections from such fines are likely to be negligible, however,
because the federal government would probably not pursue many cases
under the bill. Any such collections would be deposited in the Crime
Victims Fund and spent the following year. Because the increase in
direct spending would be the same amount as the amount of fines
collected with a one-year lag, the additional direct spending also would
be negligible.
The costs of this legislation fall within budget functions 370
(commerce and housing credit) and 750 (administration of justice).
Pay-as-you-go considerations: Section 252 of the Balanced Budget and
Emergency Deficit Control Act of 1985 sets up pay-as-you-go procedures
for legislation affecting direct spending or receipts. H.R. 695 would
affect direct spending and receipts through the imposition of criminal
fines and the resulting spending from the Crime Victims Fund. CBO
estimates, however, that any collections and spending resulting from
such fines would not be significant.
Estimated impact on State, local, and tribal governments: H.R. 695
contains an intergovernmental mandate as defined in UMRA, because state
and local governments that offer Internet access to their citizens would
meet the bill's definition of ``network service provider.'' As such,
they would be required to ensure that any encryption products or
services they provide enable the immediate decryption or access to the
plaintext of encrypted data. At the present time, CBO is unsure of how
many states and localities offer Internet access, as well as the steps
these governments would take to comply with the mandate. CBO therefore
cannot estimate the cost of complying with the mandate at this time and
cannot determine whether the threshold established in UMRA would be
exceeded.
Estimated impact on the private sector: H.R. 695 would establish
controls on domestic encryption technology. Specifically, the bill would
require sellers of encryption products to include features or functions
that permit duly authorized individuals to gain immediate access to the
encrypted material without the knowledge or cooperation of the user of
those products. Thus, it would impose a federal private-sector mandate
on network service providers and manufacturers, distributors, and
importers of encryption products. CBO estimates that the total direct
cost of complying with this mandate would exceed the statutory threshold
($100 million in 1996, adjusted annually for inflation) for
private-sector mandates established in UMRA.
Section 4 of UMRA excludes from consideration any provisions that are
considered necessary for national security purposes. Such provisions are
found in Title III, Exports of Encryption.
CBO's full analysis of the costs of the intergovernmental and
private-sector mandates will be provided under separate cover.
Previous CBO estimate: CBO provided cost estimates for H.R. 695 as
ordered reported by the House Committee on the Judiciary on May 14,
1997, by the House Committee on International Relations on July 22,
1997, and by the House Committee on National Security on September 9,
1997. Assuming appropriation of the necessary amounts, CBO estimates
that costs over the 1998 2002 period would total between $5 million and
$7 million for the Judiciary Committee's version, about $2.2 million for
the International Relations Committee's version, and about $4.5 million
for the National Security Committee's version. In comparison, CBO
estimates that enacting this version of the bill would cost between $9
million and $11.6 million and that spending under current policies would
total $4.5 million.
Estimate prepared by: Federal Costs: Rachel Forward; Revenues: Alyssa
Trzeszkowski; Impact on State, Local, and Tribal Governments; Pepper
Santalucia; and Impact on the Private Sector: Jean Wooster.
Estimate approved by: Paul N. Van de Water, Assistant Director for
Budget Analysis.
COMMITTEE COST ESTIMATES
The Committee agrees with the estimate of the Congressional Budget
Office.
SPECIFIC CONSTITUTIONAL AUTHORITY FOR CONGRESSIONAL ENACTMENT OF THIS
LEGISLATION
The intelligence and intelligence-related activities of the United
States government are carried out to support the national security
interests of the United States, to support and assist the armed forces
of the United States, and to support the President in the execution of
the foreign policy of the United States. Article 1, section 8, of the
Constitution of the United States provides, in pertinent part, that
``Congress shall have power * * * to pay the debts and provide for the
common defence and general welfare of the United States; * * *''; ``to
raise and support Armies, * * *''; ``to provide and maintain a Navy; * *
*'' and ``to make all laws which shall be necessary and proper for the
carrying into execution * * * all other powers vested by this
Constitution in the Government of the United States, or in any
Department or Officer thereof.'' Therefore, pursuant to such authority,
Congress is empowered to enact this legislation.
CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED
In compliance with clause 3 of rule XIII of the Rules of the House of
Representatives, changes in existing law made by the bill, as reported,
are shown as follows (new matter is printed in italic and existing law
in which no change is proposed is shown in roman):
TITLE 18, UNITED STATES CODE
* * * * * * *
PART I--CRIMES
* * * * * * *
Chap.
Sec.
1. General provisions
1
* * * * * * *
121. Stored wire and electronic communications and
transactional records access
2701
122. Encrypted data, including communications
2801
* * * * * * *
CHAPTER 122--ENCRYPTED DATA, INCLUDING COMMUNICATIONS
Sec.
2801. Unlawful use of encryption in furtherance of a criminal act.
2802. Privacy protection.
2803. Unlawful sale of encryption.
2804. Encryption products manufactured and intended for use in the
United States.
2805. Injunctive relief and proceedings.
2806. Court order access to plaintext.
2807. Notification procedures.
2808. Lawful use of plaintext or decryption information.
2809. Identification of decryption information.
2810. Unlawful export of certain encryption products.
2811. Definitions.
2801. Unlawful use of encryption in furtherance of a criminal act
(a) Prohibited Acts.--Whoever knowingly uses encryption in
furtherance of the commission of a criminal offense for which the person
may be prosecuted in a district court of the United States shall--
(1) in the case of a first offense under this section, be imprisoned
for not more than 5 years, or fined under this title, or both; and
(2) in the case of a second or subsequent offense under this
section, be imprisoned for not more than 10 years, or fined under this
title, or both.
(b) Consecutive Sentence.--Notwithstanding any other provision of
law, the court shall not place on probation any person convicted of a
violation of this section, nor shall the term of imprisonment imposed
under this section run concurrently with any other term of imprisonment
imposed for the underlying criminal offense.
(c) Probable Cause Not Constituted by Use of Encryption.--The use of
encryption alone shall not constitute probable cause to believe that a
crime is being or has been committed.
2802. Privacy protection
(a) In General.--It shall be unlawful for any person to
intentionally--
(1) obtain or use decryption information without lawful authority
for the purpose of decrypting data, including communications;
(2) exceed lawful authority in decrypting data, including
communications;
(3) break the encryption code of another person without lawful
authority for the purpose of violating the privacy or security of that
person or depriving that person of any property rights;
(4) impersonate another person for the purpose of obtaining
decryption information of that person without lawful authority;
(5) facilitate or assist in the encryption of data, including
communications, knowing that such data, including communications, are to
be used in furtherance of a crime; or
(6) disclose decryption information in violation of a provision of
this chapter.
(b) Criminal Penalty.--Whoever violates this section shall be
imprisoned for not more than 10 years, or fined under this title, or
both.
2803. Unlawful sale of encryption
Whoever, after January 31, 2000, sells in interstate or foreign
commerce any encryption product that does not include features or
functions permitting duly authorized persons immediate access to
plaintext or immediate decryption capabilities shall be imprisoned for
not more than 5 years, fined under this title, or both.
2804. Encryption products manufactured and intended for use in
the United States
(a) Public Network Service Providers.--After January 31, 2000, public
network service providers offering encryption products or encryption
services shall ensure that such products or services enable the
immediate decryption or access to plaintext of the data, including
communications, encrypted by such products or services on the public
network upon receipt of a court order or warrant, pursuant to section
2806.
(b) Manufacturers, Distributors, and Importers.--After January 31,
2000, it shall be unlawful for any person to manufacture for
distribution, distribute, or import encryption products intended for
sale or use in the United States, unless that product--
(1) includes features or functions that provide an immediate access
to plaintext capability, through any means, mechanism, or technological
method that--
(A) permits immediate decryption of the encrypted data, including
communications, upon the receipt of
decryption information by an authorized party in possession of
a facially valid order issued by a court of competent jurisdiction; and
(B) allows the decryption of encrypted data, including
communications, without the knowledge or cooperation of the person being
investigated, subject to the requirements set forth in section 2806;
(2) can be used only on systems or networks that include features or
functions that provide an immediate access to plaintext capability,
through any means, mechanism, or technological method that--
(A) permits immediate decryption of the encrypted data, including
communications, upon the receipt of decryption information by an
authorized party in possession of a facially valid order issued by a
court of competent jurisdiction; and
(B) allows the decryption of encrypted data, including
communications, without the knowledge or cooperation of the person being
investigated, subject to the requirements set forth in section 2806; or
(3) otherwise meets the technical requirements and functional
criteria promulgated by the Attorney General under subsection (c).
(c) Attorney General Criteria.--
(1) Publication of requirements.--Within 180 days after the date of
the enactment of this chapter, the Attorney General shall publish in the
Federal Register technical requirements and functional criteria for
complying with the decryption requirements set forth in this section.
(2) Procedures for advisory opinions.--Within 180 days after the
date of the enactment of this chapter, the Attorney General shall
promulgate procedures by which data network service providers and
encryption product manufacturers, sellers, re-sellers, distributors, and
importers may obtain advisory opinions as to whether an encryption
product intended for sale or use in the United States after January 31,
2000, meets the requirements of this section and the technical
requirements and functional criteria promulgated pursuant to paragraph
(1).
(3) Particular methodology not required.--Nothing in this chapter or
any other provision of law shall be construed as requiring the
implementation of any particular decryption methodology in order to
satisfy the requirements of subsections (a) and (b), or the technical
requirements and functional criteria required by the Attorney General
under paragraph (1).
(d) Use of Prior Products Lawful.--After January 31, 2000, it shall
not be unlawful to use any encryption product purchased or in use prior
to such date.
2805. Injunctive relief and proceedings
(a) Injunction.--Whenever it appears to the Secretary or the Attorney
General that any person is engaged in, or is about to engage in, any act
that constitutes, or would constitute, a violation of section 2804, the
Attorney General may initiate a civil action in a district court of the
United States to enjoin such violation. Upon the filing of the complaint
seeking injunctive relief by the Attorney General, the court shall
automatically issue a temporary restraining order against the party
being sued.
(b) Burden of Proof.--In a suit brought by the Attorney General under
subsection (a), the burden shall be upon the Government to establish by
a preponderance of the evidence that the encryption product involved
does not comport with the requirements set forth by the Attorney General
pursuant to section 2804 providing for immediate access to plaintext by
Federal, State, or local authorities.
(c) Closing of Proceedings.--(1) Upon motion of the party against
whom injunction is being sought--
(A) any or all of the proceedings under this section shall be closed
to the public; and
(B) public disclosure of the proceedings shall be treated as
contempt of court.
(2) Upon a written finding by the court that public disclosure of
information relevant to the prosecution of the injunction or relevant to
a determination of the factual or legal issues raised in the case would
cause irreparable or financial harm to the party against whom the suit
is brought, or would otherwise disclose proprietary information of any
party to the case, all proceedings shall be closed to members of the
public, except the parties to the suit, and all transcripts, motions,
and orders shall be placed under seal to protect their disclosure to the
general public.
(d) Advisory Opinion as Defense.--It is an absolute defense to a suit
under this subsection that the party against whom suit is brought
obtained an advisory opinion from the Attorney General pursuant to
section 2804(c) and that the product at issue in the suit comports in
every aspect with the requirements announced in such advisory opinion.
(e) Basis for Permanent Injunction.--The court shall issue a
permanent injunction against the distribution of, and any future
manufacture of, the encryption product at issue in the suit filed under
subsection (a) if the court finds by a preponderance of the evidence
that the product does not meet the requirements set forth by the
Attorney General pursuant to section 2804 providing for immediate access
to plaintext by Federal, State, or local authorities.
(f) Appeals.--Either party may appeal, to the appellate court with
jurisdiction of the case, any adverse ruling by the district court
entered pursuant to this section. For the purposes of appeal, the
parties shall be governed by the Federal Rules of Appellate Procedure,
except that the Government shall file its notice of appeal not later
than 30 days after the entry of the final order on the docket of the
district court. The appeal of such matter shall be considered on an
expedited basis and resolved as soon as practicable.
2806. Court order access to plaintext
(a) Court Order.--(1) A court of competent jurisdiction shall issue
an order, ex parte, granting an investigative or law enforcement officer
immediate access to the plaintext of encrypted data, including
communications, or requiring any person in possession of decryption
information to provide such information to a duly authorized
investigative or law enforcement officer--
(A) upon the application by an attorney for the Government that--
(i) is made under oath or affirmation by the attorney for the
Government; and
(ii) provides a factual basis establishing the relevance that the
plaintext or decryption information being sought has to a law
enforcement or foreign counterintelligence investigation then being
conducted pursuant to lawful authorities; and
(B) if the court finds, in writing, that the plaintext or decryption
information being sought is relevant to an ongoing lawful law
enforcement or foreign counterintelligence investigation and the
investigative or law enforcement officer is entitled to such plaintext
or decryption information.
(2) The order issued by the court under this section shall be placed
under seal, except that a copy may be made available to the
investigative or law enforcement officer authorized to obtain access to
the plaintext of the encrypted information, or authorized to obtain the
decryption information sought in the application. Such order shall also
be made available to the person responsible for providing the plaintext
or the decryption information, pursuant to such order, to the
investigative or law enforcement officer.
(3) Disclosure of an application made, or order issued, under this
section, is not authorized, except as may otherwise be specifically
permitted by this section or another order of the court.
(b) Other Orders.--An attorney for the Government may make
application to a district court of the United States for an order under
subsection (a), upon a request from a foreign country pursuant to a
Mutual Legal Assistance Treaty with such country that is in effect at
the time of the request from such country.
(c) Record of Access Required.--(1) There shall be created an
electronic record, or similar type record, of each instance in which an
investigative or law enforcement officer, pursuant to an order under
this section, gains access to the plaintext of otherwise encrypted
information, or is provided decryption information, without the
knowledge or consent of the owner of the data, including communications,
who is the user of the encryption product involved.
(2) The court issuing the order under this section shall require that
the electronic or similar type of record described in paragraph (1) is
maintained in a place and a manner that is not within the custody or
control of an investigative or law enforcement officer gaining the
access or provided the decryption information. The record shall be
tendered to the court, upon notice from the court.
(3) The court receiving such electronic or similar type of record
described in paragraph (1) shall make the original and a certified copy
of the record available to the attorney for the Government making
application under this section, and to the attorney for, or directly to,
the owner of the data, including communications, who is the user of the
encryption product.
(d) Authority To Intercept Communications Not Increased.--Nothing in
this chapter shall be construed to enlarge or modify the circumstances
or procedures under which a Government entity is entitled to intercept
or obtain oral, wire, or electronic communications or information.
(e) Construction.--This chapter shall be strictly construed to apply
only to a Government entity's ability to decrypt data, including
communications, for which it has previously obtained lawful authority to
intercept or obtain pursuant to other lawful authorities that would
otherwise remain encrypted.
2807. Notification procedures
(a) In General.--Within a reasonable time, but not later than 90 days
after the filing of an application for an order under section 2806 which
is granted, the court shall cause to be served, on the persons named in
the order or the application, and such other parties whose decryption
information or whose plaintext has been provided to an investigative or
law enforcement officer pursuant to this chapter as the court may
determine that is in the interest of justice, an inventory which shall
include notice of--
(1) the fact of the entry of the order or the application;
(2) the date of the entry of the application and issuance of the
order; and
(3) the fact that the person's decryption information or plaintext
data, including communications, have been provided or accessed by an
investigative or law enforcement officer.
The court, upon the filing of a motion, may make available to that
person or that person's counsel, for inspection, such portions of the
plaintext, applications, and orders as the court determines to be in the
interest of justice. On an ex parte showing of good cause to a court of
competent jurisdiction, the serving of the inventory required by this
subsection may be postponed.
(b) Admission Into Evidence.--The contents of any encrypted
information that has been obtained pursuant to this chapter or evidence
derived therefrom shall not be received in evidence or otherwise
disclosed in any trial, hearing, or other proceeding in a Federal or
State court unless each party, not less than 10 days before the trial,
hearing, or proceeding, has been furnished with a copy of the order, and
accompanying application, under which the decryption or access to
plaintext was authorized or approved. This 10-day period may be waived
by the court if the court finds that it was not possible to furnish the
party with the information described in the preceding sentence within 10
days before the trial, hearing, or proceeding and that the party will
not be prejudiced by the delay in receiving such information.
(c) Contempt.--Any violation of the provisions of this section may be
punished by the court as a contempt thereof.
(d) Motion To Suppress.--Any aggrieved person in any trial, hearing,
or proceeding in or before any court, department, officer, agency,
regulatory body, or other authority of the United States or a State may
move to suppress the contents of any decrypted data, including
communications, obtained pursuant to this chapter, or evidence derived
therefrom, on the grounds that --
(1) the plaintext was unlawfully decrypted or accessed;
(2) the order of authorization or approval under which it was
decrypted or accessed is insufficient on its face; or
(3) the decryption was not made in conformity with the order of
authorization or approval.
Such motion shall be made before the trial, hearing, or proceeding
unless there was no opportunity to make such motion, or the person was
not aware of the grounds of the motion. If the motion is granted, the
plaintext of the decrypted data, including communications, or evidence
derived therefrom, shall be treated as having been obtained in violation
of this chapter. The court, upon the filing of such motion by the
aggrieved person, may make available to the aggrieved person or that
person's counsel for inspection such portions of the decrypted
plaintext, or evidence derived therefrom, as the court determines to be
in the interests of justice.
(e) Appeal by United States.--In addition to any other right to
appeal, the United States shall have the right to appeal from an order
granting a motion to suppress made under subsection (d), or the denial
of an application for an order under section 2806, if the United States
attorney certifies to the court or other official granting such motion
or denying such application that the appeal is not taken for purposes of
delay. Such appeal shall be taken within 30 days after the date the
order was entered on the docket and shall be diligently prosecuted.
(f) Civil Action for Violation.--Except as otherwise provided in this
chapter, any person described in subsection (g) may in a civil action
recover from the United States Government the actual damages suffered by
the person as a result of a violation described in that subsection,
reasonable attorney's fees, and other litigation costs reasonably
incurred in prosecuting such claim.
(g) Covered Persons.--Subsection (f) applies to any person whose
decryption information--
(1) is knowingly obtained without lawful authority by an
investigative or law enforcement officer;
(2) is obtained by an investigative or law enforcement officer with
lawful authority and is knowingly used or disclosed by such officer
unlawfully; or
(3) is obtained by an investigative or law enforcement officer with
lawful authority and whose decryption information is unlawfully used to
disclose the plaintext of the data, including communications.
(h) Limitation.--A civil action under subsection (f) shall be
commenced not later than 2 years after the date on which the unlawful
action took place, or 2 years after the date on which the claimant first
discovers the violation, whichever is later.
(i) Exclusive Remedies.--The remedies and sanctions described in this
chapter with respect to the decryption of data, including
communications, are the only judicial remedies and sanctions for
violations of this chapter involving such decryptions, other than
violations based on the deprivation of any rights, privileges, or
immunities secured by the Constitution.
(j) Technical Assistance by Providers.--A provider of encryption
technology or network service that has received an order issued by a
court pursuant to this chapter shall provide to the investigative or law
enforcement officer concerned such technical assistance as is necessary
to execute the order. Such provider may, however, move the court to
modify or quash the order on the ground that its assistance with respect
to the decryption or access to plaintext cannot be performed in a timely
or reasonable fashion. The court, upon notice to the Government, shall
decide such motion expeditiously.
(k) Reports to Congress.--In May of each year, the Attorney General,
or an Assistant Attorney General specifically designated by the Attorney
General, shall report in writing to Congress on the number of
applications made and orders entered authorizing Federal, State, and
local law enforcement access to decryption information for the purposes
of reading the plaintext of otherwise encrypted data, including
communications, pursuant to this chapter. Such reports shall be
submitted to the Committees on the Judiciary of the House of
Representatives and of the Senate, and to the Permanent Select Committee
on Intelligence for the House of Representatives and the Select
Committee on Intelligence for the Senate.
2808. Lawful use of plaintext or decryption information
(a) Authorized Use of Decryption Information.--
(1) Criminal investigations.--An investigative or law enforcement
officer to whom plaintext or decryption information is provided may use
such plaintext or decryption information for the purposes of conducting
a lawful criminal investigation or foreign counterintelligence
investigation, and for the purposes of preparing for and prosecuting any
criminal violation of law.
(2) Civil redress.--Any plaintext or decryption information provided
under this chapter to an investigative or law enforcement officer may
not be disclosed, except by court order, to any other person for use in
a civil proceeding that is unrelated to a criminal investigation and
prosecution for which the plaintext or decryption information is
authorized under paragraph (1). Such order shall only issue upon a
showing by the party seeking disclosure that there is no alternative
means of obtaining the plaintext, or decryption information, being
sought and the court also finds that the interests of justice would not
be served by nondisclosure.
(b) Limitation.--An investigative or law enforcement officer may not
use decryption information obtained under this chapter to determine the
plaintext of any data, including communications, unless it has obtained
lawful authority to obtain such data, including communications, under
other lawful authorities.
(c) Return of Decryption Information.--An attorney for the Government
shall, upon the issuance of an order of a court of competent
jurisdiction--
(1)(A) return any decryption information to the person responsible
for providing it to an investigative or law enforcement officer pursuant
to this chapter; or
(B) destroy such decryption information, if the court finds that the
interests of justice or public safety require that such decryption
information should not be returned to the provider; and
(2) within 10 days after execution of the court's order to destroy
the decryption information--
(A) certify to the court that the decryption information has either
been returned or destroyed consistent with the court's order; and
(B) notify the provider of the decryption information of the
destruction of such information.
(d) Other Disclosure of Decryption Information.--Except as otherwise
provided in section 2806, a key recovery agent may not disclose
decryption information stored with the key recovery agent by a person
unless the disclosure is--
(1) to the person, or an authorized agent thereof;
(2) with the consent of the person, including pursuant to a contract
entered into with the person;
(3) pursuant to a court order upon a showing of compelling need for
the information that cannot be accommodated by any other means if--
(A) the person who supplied the information is given reasonable
notice, by the person seeking the disclosure, of the court proceeding
relevant to the issuance of the court order; and
(B) the person who supplied the information is afforded the
opportunity to appear in the court proceeding and contest the claim of
the person seeking the disclosure;
(4) pursuant to a determination by a court of competent jurisdiction
that another person is lawfully entitled to hold such decryption
information, including determinations arising from legal proceedings
associated with the incapacity, death, or dissolution of any person; or
(5) otherwise permitted by a provision of this chapter or otherwise
permitted by law.
2809. Identification of decryption information
(a) Identification.--To avoid inadvertent disclosure, any person who
provides decryption information to an investigative or law enforcement
officer pursuant to this chapter shall specifically identify that part
of the material provided that discloses decryption information as such.
(b) Responsibility of Investigative or Law Enforcement Officer.--The
investigative or law enforcement officer receiving any decryption
information under this chapter shall maintain such information in
facilities and in a method so as to reasonably assure that inadvertent
disclosure does not occur.
2810. Unlawful export of certain encryption products
Whoever, after January 31, 2000, knowingly exports an encryption
product that does not include features or functions providing duly
authorized persons immediate access to plaintext or immediate decryption
capabilities, as required under law, shall be imprisoned for not more
than 5 years, fined under this title, or both.
2811. Definitions
The definitions set forth in section 101 of the Security and Freedom
through Encryption (``SAFE'') Act of 1997 shall apply to this chapter.
* * * * * * *
ADDITIONAL VIEWS OF REPRESENTATIVES DICKS, SKELTON, AND BISHOP
In considering H.R. 695, we used six principles as a guide through
the difficult and complex issues posed by encryption technology.
First, Congress should take no action to impair or abridge the
rights, liberties, and privacy of the American people guaranteed by our
constitution.
Second, Congress has an obligation to ensure that the ability of law
enforcement agencies to provide protection against violent criminals,
terrorists, narcotics dealers, organized crime syndicates, and espionage
is not unwisely diminished.
Third, there is an equally compelling need to guarantee the
protection of electronic information for the security of the nation, for
the privacy and protection of our citizens and their property, and for
the prosperity of the country through a new form of commerce.
Fourth, Congress must protect our ability to collect intelligence to
support national defense, diplomacy, and law enforcement.
Fifth, we must not disadvantage, and should as best we can promote,
American workers and companies seeking to maintain dominance in
information technologies.
Finally, our domestic and foreign policy in this area should, to the
maximum extent possible, be consistent and reinforcing.
It is commonly asserted that these principles are substantially at
odds with one another, such that any consistent policy position must
entail compromises among them--perhaps fatal ones. We do not believe
that is true and am convinced that the substitute the Committee adopted
is faithful to all these principles.
In contrast, H.R. 695 as referred to the Committee is in conflict
with several of the foregoing principles. H.R. 695 is incompatible with
national security because it essentially does away with the export
control process. Gutting the export control process would also have
serious foreign policy consequences, undermining administration attempts
to develop an international consensus on encryption policy and perhaps
prompting other countries to erect import barriers to U.S. encryption
products and associated hardware and software systems. The bill would do
nothing to foster a domestic key management infrastructure, which the
administration, the Committee, and much of industry believe is important
for the rapid expansion of electronic commerce. The bill is deficient
also in that it would not help law enforcement overcome the negative
consequences of the inevitable proliferation of strong encryption.
Without legislative intervention, in the near future the nation's
police departments and the FBI will not need to bother to install
wiretaps because everything they hear will be encrypted. Proponents of
H.R. 695 as referred to the Committee acknowledge this problem but argue
that the law enforcement interest is a narrow one and should be
sacrificed. Others assert that it is futile to try to protect law
enforcement equities either because unbreakable encryption will
proliferate no matter what the government does, or that any government
regulatory actions will do much more harm than good. With regard to
export controls, proponents of H.R. 695 contend that without an
inclusive international compact to regulate encryption, it is pointless,
crippling to U.S. industry, to maintain a rigid export control regime.
They assert that there is no reason to believe that any international
consensus is likely, and that U.S. industry already faces an imminent
competitive threat.
We reject these arguments. Communications intercepts are a critically
important and effective law enforcement tool. While it is true that the
government cannot hope to prevent determined and resourceful criminals,
terrorists, and others from using unbreakable encryption to hide their
activities, these elements must interact with society at large, and
therefore must conduct most of their business using standard forms of
electronic commerce and communication. If the latter provide lawful
access to the plaintext of encrypted information, or to decryption
information pursuant to court order, law enforcement will be able to
conduct investigations effectively. Thus it is neither necessary nor
expected that the Committee substitute would eradicate unapproved
encryption capabilities.
In terms of the practicality of regulating encryption products, we
recognize also that it is not a certainty that the burden the substitute
would place on the marketplace to provide some form of access for
communications will prove to be marginally costly or inconvenient. We
acknowledge the possibility that critics could be right--that these
requirements will be unwieldy or expensive, or both. But it is far from
clear today that the critics are right, and the administration predicts
modest annual user costs. If the law is to err, however, we strongly
favor doing it on the side of ensuring that our public safety and
national security officials can continue to do their jobs effectively.
We recognize that there is no certainty of success in the attempt to
convince the other advanced nations of the need to control encryption to
protect law enforcement as we propose to do. The United States cannot
hope to convince others to take this path, however, if it decides first
to flood the world with unbreakable encryption, and second to proclaim
that domestic controls are somewhat incompatible with liberty.
Furthermore, any fair assessment of the status of discussions with
other advanced nations on this issue would conclude that success is
quite feasible. Similarly, claims about the availability of truly strong
encryption products on the world market that users can readily access
and employ are clearly exaggerated. Finally, as the section-by-section
analysis in this report explains, the Committee substitute provides for
the export of encryption products with an access ``on-off switch,'' in
effect allowing industry to export unbreakable encryption to countries
that have no requirement for law enforcement access to plaintext.
Critics also assert that it is unreasonable for Congress to consider
levying a mandate on the private sector in information technology to
provide a means for lawful access to encrypted information. In fact,
there is an important precedent for such action. Just a few years ago,
law enforcement agencies were similarly faced with the prospect of
loosing the ability to intercept communications because of the
astonishing complexity of the nation's emerging digital
telecommunications networks--even when the underlying information is
unencrypted. Congress met the political challenge of supporting law
enforcement in this instance by requiring communications service
providers to install capabilities to permit effective wiretaps. This
digital telephony act also required telephone communications service
providers to provide access to plaintext to duly authorized law
enforcement agencies where the service providers offered their customers
encryption capabilities that could be decrypted. The point is that
Congress was willing to do what was right when the issue was clear.
We face another such challenge today. We believe that my colleagues
will respond appropriately once they realize what is at stake. The place
to start that educational process is here, with the Committee
substitute. We do not think that a fair analysis of the substitute could
conclude that it would compromise the rights of our citizens by
insisting that law enforcement agencies merely retain their current
ability to gather evidence through judicially sanctioned electronic
surveillance.
Norm Dicks.
Ike Skelton.
Sanford D. Bishop, Jr.
ADDITIONAL VIEWS OF REPRESENTATIVES HARMAN, SKAGGS, AND DIXON
The issue of encryption is one of the most difficult we have faced in
our careers in the Congress. The technical complexities of algorithms
and bit strength are the least of the problem. What is most challenging
is discovering a way to balance competing policy concerns in the face of
a rapidly evolving electronic infrastructure.
We are convinced that H.R. 695 as introduced and reported from the
Committees on Judiciary and International Relations is neither the right
answer, nor a comprehensive approach to the challenges we face. As
members of the Permanent Select Committee on Intelligence we believe
U.S. policy should balance sometimes conflicting goals: protecting
public computer networks from the threats of terrorists and other
criminals through the use of strong encryption; promoting the economic
competitiveness and the research and development breakthroughs of our
vital information technology industry; encouraging the legal framework
necessary for robust and reliable electronic commerce; and helping
preserve public safety and national security.
H.R. 695 as introduced was intended to promote economic
competitiveness but it does little to address the strongly expressed
concerns of law enforcement officials from around the country that the
legislation would eliminate the possibility of electronic surveillance
under lawful court order.
The substitute the Committee has ordered reported is an attempt to
address all of the issues in the debate comprehensively. Yet, it has
been developed under an extremely short time frame, subject to a limited
referral. We believe the legislation is too sweeping, particularly in
placing new requirements on the manufacture, sale, and import of
encryption products in the United States.
While we want United States law enforcement and national security
agencies, working under proper oversight, to have the tools they need to
respond to threats to the public safety and national security, the
requirement in the legislation that encryption products manufactured and
distributed for sale or use, or imported for sale or use after January
31, 2000, include features or functions that provide, upon presentment
of a court order, immediate access to plaintext data or decryption
information from the encryption provider, raises a host of new questions
and issues that need further exploration. We are worried less about the
narrow question of technical feasibility than how such a requirement
would implicate valid concerns about privacy, abuse of official
authority, and the inherent security of data security services. We are
concerned whether the legislation's provision on imports might be
interpreted to mean an individual on the Internet downloading encryption
from a foreign country was violating the law and about where the line
would be drawn on the prohibited distribution of encryption products not
meeting the bill's legal requirements.
The substitute is intended to put in place a legal framework for, and
safeguards on, law enforcement access to encrypted electronic
information. This is positive. Imposing new criminal penalties for the
invasion of privacy relating to the misuse of decryption information is
appropriate to ensure that government officials who gain access to
information on the electronic network do not exceed their lawful
authority. Likewise, we support requiring a verifiable audit trail
whenever government officials obtain access to plaintext and decrypted
information, regardless of whether or not a recovery-capable mandate on
encryption is enacted. We are fast approaching what Kenneth Flamm of the
Brookings Institution calls ``a digital future in which almost
everything * * * is stored or communicated electronically, connected to
or accessible through some computer network.'' It is time to take action
on these issues.
In addition, we recognize that the issues raised in this debate are
international in scope. Given the availability of encryption technology
abroad, and the ease of its dissemination, a unilateral export control
policy on encryption will not work. Therefore, we must encourage, if not
direct, the Administration to monitor closely international developments
and to engage other countries in working out a multilateral approach to
this issue.
Recent events suggest passage of H.R. 695 as originally conceived is
highly unlikely in the House of Representatives. We believe there now
needs to be a very careful and deliberative effort to fashion balanced
legislation. The information technology industry should suggest targeted
legislative and regulatory amendments which will meet its need for fewer
uncertainties in the export control process, while still allowing for
regulatory flexibility as technology advances. Privacy advocates should
recognize that government access to information residing on the
electronic infrastructure in order to protect public safety is
legitimate within reasonable constraints, and should propose what those
reasonable constraints should be. Law enforcement officials should
carefully evaluate where their highest priorities lie in protecting the
public safety and preventing crime. The Administration should redouble
its efforts to secure international agreements of mutual recognition of
encryption management infrastructures to safeguard the privacy of United
States citizens and enhance U.S. information security needs in
electronic commerce. Continued stalemate on balancing the competing
policy concerns is not in the interests of industry, law enforcement or
the American people.
Jane Harman.
David E. Skaggs.
Julian C. Dixon.
ADDITIONAL VIEWS OF REPRESENTATIVE NANCY PELOSI
I oppose the substitute to H.R. 695 ordered reported from the
Permanent Select Committee on Intelligence. While there are indeed
serious national security and law enforcement issues at stake in this
debate, there are also serious questions about the impact of this
legislation on the civil liberties on which this nation is based. A
balance must be struck. The bill passed by the Committee does not strike
the requisite balance.
I was very concerned about the lack of an audit mechanism in the
Committee's substitute as proposed and am pleased that the bill was
amended to require an electronic audit trail, to ensure that there is
accountability when an investigative or law enforcement officer obtains
access to the plaintext of otherwise encrypted information or the
provision of decryption information.
Among the reasons I oppose the bill are the following:
With respect to domestic controls, the ramifications of enacting a
requirement that encryption products manufactured, distributed or
imported in the United States after January 2000 contain features that
provide, upon presentment of a court order, immediate plaintext access
or decryption information, are not well understood. It is not clear such
a requirement could pass constitutional muster, particularly where it
might place restrictions on the distribution of encryption algorithms or
the free flow of ideas among scientists working in the area of
information technology. Indeed imposing domestic controls runs counter
to the first recommendation of the National Research Council's
widely-respected CRISIS report (``Cryptography's Role in Security in the
Information Society,'' June 1996) that no law bar the manufacture, sale
or use of any form of encryption in the United States. Despite the many
provisions of the legislation designed to place civil and criminal
penalties on official misuse of decryption information, and provide
privacy protections to those who encrypt information, further debate is
needed on whether the legal framework governing lawful wiretaps is the
appropriate model for the 21st Century as so much information concerning
our personal and economic lives is connected and accessible on-line.
With respect to export controls, the legislation would force U.S.
manufacturers to include features that could provide plaintext access or
decryption information in encryption products exported overseas.
Although the legislation allows these features to be enabled at the
foreign purchaser's option, and does not require any keys or recovery
information be held in escrow in the United States, demanding recovery
capable features in exportable U.S. technology may provide repressive
totalitarian regimes a new method of control over dissidents and human
rights advocates who today evade surveillance by utilizing unbreakable
encryption on the Internet.
Also of concern is the impact of certain of the substitute's
provisions on human rights activists in authoritarian countries. Human
rights activists worldwide are using cryptography to protect their
sources from reprisals by governments that violate human rights. Under
the Committee substitute, the U.S. government can get a court order for
violating the security of communications ``upon a request from a foreign
country pursuant to a Mutual Legal Assistance Treaty.'' This provision
will permit governments to breach the protection of confidential
sources, thereby both endangering human rights activists using
electronic communications and discouraging people who know of human
rights violations to speak about them, even in private. Authoritarian
governments often define the activities of those who dare to speak out
against them as ``treason'' or ``revealing classified information,''
crimes recognized by the U.S. government. Under the Committee
substitute, legitimate human rights activists, who now communicate
safely through the Internet with strong encryption protection, will no
longer have that safety.
In addition, the legislation enshrines the broad concept that all
decisions of the Secretary of Commerce with respect to the export of
encryption products are not subject to judicial review. If the question
at hand has to do with national security implications, the President
could waive judicial review on a case-by-case basis as needed, rather
than Congress acting to grant a blanket waiver of a citizen's right to
recourse to the legal system.
The serious issues involving national security and public safety
could have been resolved with a more narrowly targeted approach. I hope
efforts will be made to craft a consensus measure before H.R. 695 is
considered on the floor of the House of Representatives.
Nancy Pelosi.
LETTERS FROM LAW ENFORCEMENT OFFICERS AND THE SECRETARY OF DEFENSE
The Secretary of Defense,
Washington, DC, July 21, 1997.
Dear Member of Congress: Recently you received a letter from the
nation's senior law enforcement officials regarding U.S. encryption
policies. I am writing today to express my strong support for their
views on their important issue.
As you know, the Department of Defense is involved on a daily basis
in countering international terrorism, narcotics trafficking, and the
proliferation of weapons of mass destruction. The spread of unbreakable
encryption, as a standard feature of mass market communication products,
presents a significant threat to the ability of the U.S. and its allies
to monitor the dangerous groups and individuals involved in these
activities. Passage of legislation which effectively decontrols
commercial encryption exports would undermine U.S. efforts to foster the
use of strong key recovery encryption domestically and abroad. Key
recovery products will preserve governments' abilities to counter
worldwide terrorism, narcotics trafficking and proliferation.
It is also important to note that the Department of Defense relies on
the Federal Bureau of Investigation for the apprehension and prosecution
of spies. Sadly, there have been over 60 espionage convictions of
federal employees over the last decade. While these individuals
represent a tiny minority of government employees, the impact of
espionage activities on our nation's security can be enormous. As the
recent arrests of Nicholson, Pitts and Kim clearly indicate, espionage
remains a very serious problem. Any policies that detract from the FBI's
ability to perform its vital counterintelligence function, including the
ability to perform wiretaps, inevitably detract from the security of the
Department of Defense and the nation.
Encryption legislation must also address the nation's domestic
information security needs. Today, approximately 95% of DoD
communications rely on public networks; other parts of government, and
industry, are even more dependent on the trustworthiness of such
networks. Clearly, we must ensure that encryption legislation addresses
these needs. An approach such as the one contained in S. 909 can go a
long way toward balancing the need for strong encryption with the need
to preserve national security and public safety. I hope that you will
work with the Administration to enact legislation that addresses these
national security concerns as well as the rights of the American people.
I appreciate your consideration of these views.
Sincerely,
Bill Cohen.
Office of the Attorney General,
Washington, DC, July 18, 1997.
Dear Member of Congress: Congress is considering a variety of
legislative proposals concerning encryption. Some of these proposals
would, in effect, make it impossible for the Federal Bureau of
Investigation (FBI), Drug Enforcement Administration (DEA), Secret
Service, Customs Service, Bureau of Alcohol, Tobacco and Firearms, and
other federal, state, and local law enforcement agencies to lawfully
gain access to criminal telephone conversations or electronically stored
evidence possessed by terrorists, child pornographers, drug kingpins,
spies and other criminals. Since the impact of these proposals would
seriously jeopardize public safety and national security, we
collectively urge you to support a different, balanced approach that
strongly supports commercial and privacy interests but maintains our
ability to investigate and prosecute serious crimes.
We fully recognize that encryption is critical to communications
security and privacy, and that substantial commercial interests are at
stake. Perhaps in recognition of these facts, all the bills being
considered allow market forces to shape the development of encryption
products. We, too, place substantial reliance on market forces to
promote electronic security and privacy, but believe that we cannot rely
solely on market forces to protect the public safety and national
security. Obviously, the government cannot abdicate its solemn
responsibility to protect public safety and national security.
Currently, of course, encryption is not widely used, and most data is
stored, and transmitted, in the clear. As we move from a plaintext world
to an encrypted one, we have a critical choice to make: we can either
(1) choose robust, unbreakable encryption that protects commerce and
privacy but gives criminals a powerful new weapon, or (2) choose robust,
unbreakable encryption that protects commerce and privacy and gives law
enforcement the ability to protect public safety. The choice should be
obvious and it would be a mistake of historic proportions to do nothing
about the dangers to public safety posed by encryption without adequate
safeguards for law enforcement.
Let there be no doubt: without encryption safeguards, all Americans
will be endangered. No one disputes this fact; not industry, not
encryption users, no one. We need to take definitive actions to protect
the safety of the public and security of the nation. That is why law
enforcement at all levels of government--including the Justice
Department, Treasury Department, the National Association of Attorneys
General, International Association of Chiefs of Police, the Major City
Chiefs, the National Sheriffs' Association, and the National District
Attorneys Association--are so concerned about this issue.
We all agree that without adequate legislation, law enforcement in
the United States will be severely limited in its ability to combat the
worst criminals and terrorists. Further, law enforcement agrees that the
widespread use of robust non-key recovery encryption ultimately will
devastate our ability to fight crime and prevent terrorism.
Simply stated, technology is rapidly developing to the point where
powerful encryption will become commonplace both for routine telephone
communications and for stored computer data. Without legislation that
accommodates public safety and national security concerns, society's
most dangerous criminals will be able to communicate safely and
electronically store data without fear of discovery. Court orders to
conduct electronic surveillance and court-authorized search warrants
will be ineffectual, and the Fourth Amendment's carefully-struck balance
between ensuring privacy and protecting public safety will be forever
altered by technology. Technology should not dictate public policy, and
it should promote, rather than defeat, public safety.
We are not suggesting the balance of the Fourth Amendment be tipped
toward law enforcement either. To the contrary, we only seek the status
quo, not the lessening of any legal standard or the expansion of any law
enforcement authority. The Fourth Amendment protects the privacy and
liberties of our citizens but permits law enforcement to use tightly
controlled investigative techniques to obtain evidence of crimes. The
result has been the freest country in the world with the strongest
economy.
Law enforcement has already confronted encryption in high-profile
espionage, terrorist, and criminal cases. For example:
An international terrorist was plotting to blow up 11 U.S.-owned
commercial airliners in the Far East. His laptop computer, which was
seized in Manila, contained encrypted files concerning this terrorist
plot;
A subject in a child pornography case used encryption in
transmitting obscene and pornographic images of children over the
Internet; and
A major international drug trafficking subject recently used a
telephone encryption device to frustrate court-approved electronic
surveillance.
And this is just the tip of the iceberg. Convicted spy Aldrich Ames,
for example, was told by the Russian Intelligence Service to encrypt
computer file information that was to be passed to them.
Further, today's international drug trafficking organizations are the
most powerful, ruthless and affluent criminal enterprises we have ever
faced. We know from numerous past investigations that they have utilized
their virtually unlimited wealth to purchase sophisticated electronic
equipment to facilitate their illegal activities. This has included
state of the art communication and encryption devices. They have used
this equipment as part of their command and control process for their
international criminal operations. We believe you share our concern that
criminals will increasingly take advantage of developing technology to
further insulate their violent and destructive activities.
Requests for cryptographic support pertaining to electronic
surveillance interceptions from FBI Field Offices and other law
enforcement agencies have steadily risen over the past several years.
There has been an increase in the number of instances where the FBI's
and DEA's court-authorized electronic efforts were frustrated by the use
of encryption that did not allow for law enforcement access.
There have also been numerous other cases where law enforcement,
through the use of electronic surveillance, has not only solved and
successfully prosecuted serious crimes but has also been able to prevent
life-threatening criminal acts. For example, terrorists in New York were
plotting to bomb the United Nations building, the Lincoln and Holland
Tunnels, and 26 Federal Plaza as well as conduct assassinations of
political figures. Court-authorized electronic surveillance enabled the
FBI to disrupt the plot as explosives were being mixed. Ultimately, the
evidence obtained was used to convict the conspirators. In another
example, electronic surveillance was used to stop and then convict two
men who intended to kidnap, molest, and kill a child. In all of these
cases, the use of encryption might have seriously jeopardized public
safety and resulted in the loss of life.
To preserve law enforcement's abilities, and to preserve the balance
so carefully established by the Constitution, we believe any encryption
legislation must accomplish three goals in addition to promoting the
widespread use of strong encryption. It must establish:
A viable key management infrastructure that promotes electronic
commerce and enjoys the confidence of encryption users;
A key management infrastructure that supports a key recovery scheme
that will allow encryption users access to their own data should the
need arise, and that will permit law enforcement to obtain lawful access
to the plaintext of encrypted communications and data; and
An enforcement mechanism that criminalizes both improper use of
encryption key recovery information and the use of encryption for
criminal purposes.
Only one bill, S. 909 (the McCain/Kerrey/Hollings bill), comes close
to meeting these core public safety, law enforcement, and national
security needs. The other bills being considered by Congress, as
currently written, risk great harm to our ability to enforce the laws
and protect our citizens. We look forward to working to improve the
McCain/Kerrey/Hollings bill.
In sum, while encryption is certainly a commercial interest of great
importance to this Nation, it is not solely a commercial or business
issue. Those of us charged with the protection of public safety and
national security, believe that the misuse of encryption
technology will become a matter of life and death in many instances.
That is why we urge you to adopt a balanced approach that accomplishes
the goals mentioned above. Only this approach will allow police
departments, attorneys general, district attorneys, sheriffs, and
federal authorities to continue to use their most effective
investigative techniques, with court approval, to fight crime and
espionage and prevent terrorism.
Sincerely yours,
Janet Reno,
Attorney General.
Louis Freeh,
Director, Federal Bureau of Investigation.
Thomas A. Constantine,
Director, Drug Enforcement Administration.
Raymond W. Kelly,
Undersecretary for Enforcement, U.S. Department of the Treasury.
John W. Magaw,
Director, Bureau of Alcohol, Tobacco and Firearms.
Barry McCaffrey,
Director, Office of National Drug Control Policy.
Lewis C. Merletti,
Director, United States Secret Service.
George J. Weise,
Commissioner, United States Customs Service.
International Association of
Chiefs of Police,
Alexandria, VA, July 21, 1997.
Dear Member of Congress: Enclosed is a letter sent to you by the
Attorney General, the Director of National Drug Control Policy and all
the federal law enforcement heads concerning encryption legislation
being considered by congress. Collectively we, the undersigned,
represent over 17,000 police departments including every major city
police department, over 3,000 sheriffs departments, nearly every
district attorney in the United States and all of the state Attorneys
General. We fully endorse the position taken by our federal counterparts
in the enclosed letter. As we have stated many times, Congress must
adopt a balanced approach to encryption that fully addresses public
safety concerns or the ability of state and local law enforcement to
fight crime and drugs will be severely damaged.
Any encryption legislation that does not ensure that law enforcement
can gain timely access to the plaintext of encrypted conversations and
information by established legal procedures will cause grave harm to
public safety. The risk cannot be left to the uncertainty of market
forces or commercial interests as the current legislative proposals
would require. Without adequate safeguards, the unbridled use of
powerful encryption soon will deprive law enforcement of two of its most
effective tools, court authorized electronic surveillance and the search
and seizure of information stored in computers. This will substantially
tip the balance in the fight against crime towards society's most
dangerous criminals as the information age develops.
We are in unanimous agreement that congress must adopt encryption
legislation that requires the development, manufacture, distribution and
sale of only key recovery products and we are opposed to the bills that
do not do so. Only the key recovery approach will ensure that law
enforcement can continue to gain timely access to the plaintext of
encrypted conversations and other evidence of crimes when authorized by
a court to do so. If we lose this ability--and the bills you are
considering will have this result--it will be a substantial setback for
law enforcement at the direct expense of public safety.
Sincerely yours,
Darrell L. Sanders,
President, International Association of Chiefs of Police.
James E. Doyle,
President, National Association of Attorneys General.
Fred Scoralie,
President, National Sheriffs' Association.
William L. Murphy,
President, National District Attorneys Association.
Major Cities Chiefs,
Chicago IL, July 24, 1997.
Hon. Orrin G. Hatch, Chairman, Judiciary Committee, Senate Hart Office Building, Washington, DC.
Dear Mr. Chairman: The Major Cities Chiefs is a professional
association of police executives representing the largest jurisdictions
in the United States. The association provides a forum for urban police
chiefs, sheriffs and other law enforcement chief executives to discuss
common problems associated with protecting cites with populations
exceeding 500,000 people.
Congress is considering a variety of legislative proposals concerning
encryption. Some of these proposals would, in effect, make it impossible
for law enforcement agencies across the country, both on the federal,
state and local level, to lawfully gain access to criminal telephone
conversations or electronically stored evidence. Since the impact of
these proposals would seriously jeopardize public safety, our
association urges you to support a balanced approach that strongly
supports commercial and private interests but also maintains law
enforcements ability to investigate and prosecute serious crime.
While we recognize that encryption is critical to communications
security and privacy and that commercial interests are at stake, we all
agree that without adequate legislation, law enforcement across the
country will be severely limited in its ability to combat serious crime.
The widespread use of non-key recovery encryption ultimately will
eliminate our ability to obtain valuable evidence of criminal activity.
The legitimate and lawful interception of communications, pursuant to a
court order, for the most serious criminal acts will be meaningless
because of our inability to decipher the evidence.
Encryption is certainly of great importance to the commercial
interests across this country. However, public safety concerns are just
as critical and we must not loose sight of this. The need to preserve an
invaluable investigative tool is of the utmost importance in law
enforcements ability to protect the public against serious crime.
Sincerely yours,
Matt L. Rodriguez, Chairman.
National District
Attorneys Association,
Alexandria, VA.
RESOLUTION
Encryption
Whereas, the introduction of digitally-based telecommunications
technologies as well as the widespread use of computers and computer
networks having encryption capabilities are facilitating the development
and production of strong, affordable encryption products and services
for private sector use; and
Whereas, on one hand the use of strong encryption products and
services are extremely beneficial when used legitimately to protect
commercially sensitive information and communications. On the other
hand, the potential use of strong encryption products and services that
do not allow for timely law enforcement decryption by a vast array of
criminals and terrorist to conceal their criminal communications and
information from law enforcement poses an extremely serious threat to
public safety: and
Whereas, the law enforcement community is extremely concerned about
the serious threat posed by the use of these strong encryption products
and services that do not allow for authorization (court-authorized
wiretaps or court-authorized search and seizure); and
Whereas, law enforcement fully supports a balanced encryption policy
that satisfies both the commercial needs of industry for strong
encryption while at the same time satisfying law enforcement's public
safety needs for the timely decryption of encrypted criminal
communications and information; and
Whereas, law enforcement has found that strong key recovery
encryption products and services are clearly the best way, and perhaps
the only way, to achieve both the goals of industry and law enforcement;
and
Whereas, government representatives have been working with industry
to encourage the voluntary development, sale, and use of key recovery
encryption products and services in its pursuit of a balanced encryption
policy;
Be it resolved, That the National District Attorneys Association
supports and encourages the development and adoption of a balanced
encryption policy that encourages the development, sale, and use of key
recovery encryption products and services, both domestically and abroad.
We believe that this approach represents a policy that appropriately
addresses both the commercial needs of industry while at the same time
satisfying law enforcement's public safety needs.
ENCRYPTION
Whereas, the introduction of digitally-based telecommunications
technologies, as well as the widespread use of computers and computer
networks having encryption capabilities are facilitating the development
and production of affordable and robust encryption products for private
sector use; and
Whereas, on one hand encryption is extremely beneficial when used
legitimately to protect commercially sensitive information and
communications. On the other hand, the potential use of such encryption
products by a vast array of criminals and terrorists to conceal their
criminal communications and information from law enforcement poses an
extremely serious threat to public safety; and
Whereas, the law enforcement community is extremely concerned about
the serious threat posed by the use of robust encryption products that
do not allow for law enforcement access and its timely decryption,
pursuant to lawful authorization (court-authorized wiretaps or
court-authorized search and seizure); and
Whereas, law enforcement fully supports a balanced encryption policy
that satisfies both the commercial needs of industry for robust
encryption while at the same time satisfying law enforcement's public
safety needs; and
Whereas, law enforcement has found that robust key-escrow encryption
is clearly the best way, and perhaps the only way, to achieve both the
goals of industry and law enforcement; and
Whereas, government representatives have been working with industry
to encourage the voluntary development, sale, and use of key-escrow
encryption in its pursuit of a balanced encryption policy: Now,
therefore, be it
Resolved, that the International Association of Chiefs of Police,
duly assembled at its 103rd annual conference in Phoenix, Arizona
supports and encourages the development and adoption of a key-escrow
encryption policy, which we believe represents a policy that
appropriately addresses both the commercial needs of industry while at
the same time satisfying law enforcement's public safety needs and that
we oppose any efforts, legislatively or otherwise, that would undercut
the adoption of such a balanced encryption policy.
National Sheriffs' Association
Chiefs of Police,
RESOLUTION
DIGITAL TELECOMMUNICATIONS ENCRYPTION
Whereas, the introduction of digitally-based telecommunications
technologies as well as the widespread use of computers and computer
networks having encryption capabilities are facilitating the development
and production of affordable and robust encryption products for private
sector use: and
Whereas, on one hand, encryption is extremely beneficial when used
legitimately to protect commercially sensitive information and
communications. On the other hand, the potential use of such encryption
products by a vast array of criminals and terrorists to conceal their
criminal communications and information from law enforcement poses an
extremely serious threat to public safety; and
Whereas, the law enforcement community is extremely concerned about
the serious threat posed by the use of robust encryption products that
do not allow for court authorized law enforcement access and its timely
decryption, pursuant to lawful authorization; and
Whereas, law enforcement fully supports a balanced encryption policy
that satisfies both the commercial needs of industry for robust
encryption while at the same time satisfying law enforcement's public
safety needs; and
Whereas, law enforcement has found that robust key-escrow encryption
is clearly the best way, and perhaps the only way, to achieve both the
goals of industry and law enforcement; and
Whereas, government representatives have been working with industry
to encourage the voluntary development, sale and use of key-escrow
encryption in its pursuit of a balanced encryption policy; and
therefore, be it
Resolved That the National Sheriffs' Association supports and
encourages the development and adoption of a key-escrow encryption
policy which we believe represents a policy that appropriately addresses
both the commercial needs of industry while at the same time satisfying
law enforcement's public safety needs and that we oppose any efforts,
legislatively or otherwise, that would undercut the adoption of such a
balanced encryption policy.
Imperial County Sheriff,
Coroner's Office,
El Centro, CA, August 26, 1997.
Re Key recovery of encrypted data.
Hon. Porter J. Goss, Chairman, Permanent Select Committee on Intelligence, Washington, DC.
Dear Chairman Goss: I join my associates in Federal law enforcement,
as well as the International Association of Chiefs of Police, the
National Sheriff's Association, and the National District Attorney's
Association, in urging you to make provisions for key recovery of
encrypted data. Both of you and your Committee are familiar with the
technology and the issues, and I won't waste your time or attention in a
lengthy discourse on what encryption or key recovery is. You know as
much about the technology as I do.
Of particular interest to me is the ability of international drug
cartels to thwart legitimate, court-sanctioned interception of criminal
communications here along the border. Drug trafficking organizations are
sophisticated, aggressive, and well-funded. They certainly are taking
advantage today of encryption technology in our own country. Without
provisions for key recovery, it will be virtually impossible for law
enforcement to conduct criminal investigations of telecommunications
activity or electronic data files. A simple solution is to require a
provision in trade agreements which requires a trustworthy key agent to
maintain the key to encrypted data. Such a requirement would still allow
legitimate safeguarding of data, but would also allow law enforcement to
crack coded information in criminal investigations and national security
matters.
I would be pleased to discuss this vital matter with you and I will
be appreciative of any consideration you may give this issue.
Sincerely,
Oren R. Fox, Sheriff-Coroner.