43 400 105 th Congress Rept. 105 108 HOUSE OF REPRESENTATIVES 1st Session Part 4 SECURITY AND FREEDOM THROUGH ENCRYPTION (``SAFE'') ACT OF 1997 September 16, 1997.--Ordered to be printed Mr. Goss, from the Permanent Select Committee on Intelligence, submitted the following R E P O R T together with ADDITIONAL VIEWS [To accompany H.R. 695] [Including cost estimate of the Congressional Budget Office] The Permanent Select Committee on Intelligence, to whom was referred the bill (H.R. 695) to amend title 18, United States Code, to affirm the rights of United States persons to use and sell encryption and to relax export controls on encryption, having considered the same, report favorably thereon with an amendment and recommend that the bill as amended do pass. The amendment is as follows: Strike out all after the enacting clause and insert in lieu thereof the following: SECTION 1. SHORT TITLE; TABLE OF CONTENTS. (a) Short Title.--This Act may be cited as the ``Security and Freedom Through Encryption (`SAFE') Act of 1997''. (b) Table of Contents.--The table of contents is as follows: Sec. 1. Short title; table of contents. Sec. 2. Statement of policy. TITLE I--DOMESTIC USES OF ENCRYPTION Sec. 101. Definitions. Sec. 102. Lawful use of encryption. Sec. 103. Voluntary private sector participation in key management infrastructure. Sec. 104. Unlawful use of encryption. TITLE II--GOVERNMENT PROCUREMENT Sec. 201. Federal purchases of encryption products. Sec. 202. Encryption products purchased with Federal funds. Sec. 203. Networks established with Federal funds. Sec. 204. Product labels.*COM003* Sec. 205. No private mandate. Sec. 206. Implementation. TITLE III--EXPORTS OF ENCRYPTION Sec. 301. Exports of encryption. Sec. 302. License exception for certain encryption products. Sec. 303. License exception for telecommunications products. Sec. 304. Review for certain institutions. Sec. 305. Encryption industry and information security board. TITLE IV--LIABILITY LIMITATIONS Sec. 401. Compliance with court order. Sec. 402. Compliance defense. Sec. 403. Reasonable care defense. Sec. 404. Good faith defense. Sec. 405. Sovereign immunity. Sec. 406. Civil action, generally. TITLE V--INTERNATIONAL AGREEMENTS Sec. 501. Sense of congress. Sec. 502. Failure to negotiate. Sec. 503. Report to congress. TITLE VI--MISCELLANEOUS PROVISIONS Sec. 601. Effect on law enforcement activities. Sec. 602. Interpretation. Sec. 603. Severability. SEC. 2. STATEMENT OF POLICY. It is the policy of the United States to protect public computer networks through the use of strong encryption technology, to promote and improve the export of encryption products developed and manufactured in the United States, and to preserve public safety and national security. TITLE I--DOMESTIC USES OF ENCRYPTION SEC. 101. DEFINITIONS. For purposes of this Act: (1) Attorney for the government.--The term ``attorney for the Government'' has the meaning given such term in Rule 54(c) of the Federal Rules of Criminal Procedure, and also includes any duly authorized attorney of a State who is authorized to prosecute criminal offenses within such State. (2) Certificate authority.--The term ``certificate authority'' means a person trusted by one or more persons to create and assign public key certificates. (3) Communications.--The term ``communications'' means any wire communications or electronic communications as those terms are defined in paragraphs (1) and (12) of section 2510 of title 18, United States Code. (4) Court of competent jurisdiction.--The term ``court of competent jurisdiction'' means any court of the United States organized under Article III of the Constitution of the United States, the court organized under the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.), or a court of general criminal jurisdiction of a State authorized pursuant to the laws of such State to enter orders authorizing searches and seizures. (5) Data network service provider.--The term ``data network service provider'' means a person offering any service to the general public that provides the users thereof with the ability to transmit or receive data, including communications. (6) Decryption.--The term ``decryption'' means the retransformation or unscrambling of encrypted data, including communications, to its readable plaintext version. To ``decrypt'' data, including communications, is to perform decryption. (7) Decryption information.--The term ``decryption information'' means information or technology that enables one to readily retransform or unscramble encrypted data from its unreadable and incomprehensible format to its readable plaintext version. (8) Electronic storage.--The term ``electronic storage'' has the meaning given that term in section 2510(17) of title 18, United States Code. (9) Encryption.--The term ``encryption'' means the transformation or scrambling of data, including communications, from plaintext to an unreadable or incomprehensible format, regardless of the technique utilized for such transformation or scrambling and irrespective of the medium in which such data, including communications, occur or can be found, for the purposes of protecting the content of such data, including communications. To ``encrypt'' data, including communications, is to perform encryption. (10) Encryption product.--The term ``encryption product'' means any software, technology, or mechanism, that can be used to encrypt or decrypt, or has the capability of encrypting or decrypting any data, including communications. (11) Foreign availability.--The term ``foreign availability'' has the meaning applied to foreign availability of encryption products subject to controls under the Export Administration Regulations, as in effect on September 1, 1997. (12) Government.--The term ``Government'' means the Government of the United States and any agency or instrumentality thereof, or the government of any State. (13) Investigative or law enforcement officer.--The term ``investigative or law enforcement officer'' has the meaning given that term in section 2510(7) of title 18, United States Code. (14) Key recovery agent.--The term ``key recovery agent'' means a person trusted by another person or persons to hold and maintain sufficient decryption information to allow for the immediate decryption of the encrypted data or communications of another person or persons for whom that information is held, and who holds and maintains that information as a business or governmental practice, whether or not for profit. The term ``key recovery agent'' includes any person who holds his or her decryption information. (15) National security.--The term ``national security'' means the national defense, foreign relations, or economic interests of the United States. (16) Plaintext.--The term ``plaintext'' means the readable or comprehensible format of data, including communications, prior to its being encrypted or after it has been decrypted. (17) Plainvoice.--The term ``plainvoice'' means communication specific plaintext. (18) Secretary.--The term ``Secretary'' means the Secretary of Commerce, unless otherwise specifically identified. (19) State.--The term ``State'' has the meaning given that term in section 2510(3) of title 18, United States Code. (20) Telecommunications carrier.--The term ``telecommunications carrier'' has the meaning given that term in section 102(8) of the Communications Assistance for Law Enforcement Act (47 U.S.C. 1001(8)). (21) Telecommunications system.--The term ``telecommunications system'' means any equipment, technology, or related software used in the movement, switching, interchange, transmission, reception, or internal signaling of data, including communications over wire, fiber optic, radio frequency, or other medium. (22) United states person.--The term ``United States person'' means-- (A) any citizen of the United States; (B) any other person organized under the laws of any State; and (C) any person organized under the laws of any foreign country who is owned or controlled by individuals or persons described in subparagraphs (A) and (B). SEC. 102. LAWFUL USE OF ENCRYPTION. Except as otherwise provided by this Act or otherwise provided by law, it shall be lawful for any person within any State and for any United States person to use any encryption product, regardless of encryption algorithm selected, encryption key length chosen, or implementation technique or medium used. SEC. 103. VOLUNTARY PRIVATE SECTOR PARTICIPATION IN KEY MANAGEMENT INFRASTRUCTURE. (a) Use is Voluntary.--The use of certificate authorities or key recovery agents is voluntary. (b) Regulations.--The Secretary shall promulgate regulations establishing standards for creating key management infrastructures. Such regulations should-- (1) allow for the voluntary participation by private persons and non-Federal entities; and (2) promote the development of certificate authorities and key recovery agents. (c) Registration of Certificate Authorities and Key Recovery Agents.--Certificate authorities and key recovery agents meeting the standards established by the Secretary may be registered by the Secretary if they so choose, and may identify themselves as meeting the standards of the Secretary. SEC. 104. UNLAWFUL USE OF ENCRYPTION. (a) In General.--Part I of title 18, United States Code, is amended by inserting after chapter 121 the following new chapter: ``CHAPTER 122--ENCRYPTED DATA, INCLUDING COMMUNICATIONS ``Sec. ``2801. Unlawful use of encryption in furtherance of a criminal act. ``2802. Privacy protection. ``2803. Unlawful sale of encryption. ``2804. Encryption products manufactured and intended for use in the United States. ``2805. Injunctive relief and proceedings. ``2806. Court order access to plaintext. ``2807. Notification procedures. ``2808. Lawful use of plaintext or decryption information. ``2809. Identification of decryption information. ``2810. Unlawful export of certain encryption products. ``2811. Definitions. ``2801. Unlawful use of encryption in furtherance of a criminal act ``(a) Prohibited Acts.--Whoever knowingly uses encryption in furtherance of the commission of a criminal offense for which the person may be prosecuted in a district court of the United States shall-- ``(1) in the case of a first offense under this section, be imprisoned for not more than 5 years, or fined under this title, or both; and ``(2) in the case of a second or subsequent offense under this section, be imprisoned for not more than 10 years, or fined under this title, or both. ``(b) Consecutive Sentence.--Notwithstanding any other provision of law, the court shall not place on probation any person convicted of a violation of this section, nor shall the term of imprisonment imposed under this section run concurrently with any other term of imprisonment imposed for the underlying criminal offense. ``(c) Probable Cause Not Constituted By Use of Encryption.--The use of encryption alone shall not constitute probable cause to believe that a crime is being or has been committed. ``2802. Privacy protection ``(a) In General.--It shall be unlawful for any person to intentionally-- ``(1) obtain or use decryption information without lawful authority for the purpose of decrypting data, including communications; ``(2) exceed lawful authority in decrypting data, including communications; ``(3) break the encryption code of another person without lawful authority for the purpose of violating the privacy or security of that person or depriving that person of any property rights; ``(4) impersonate another person for the purpose of obtaining decryption information of that person without lawful authority; ``(5) facilitate or assist in the encryption of data, including communications, knowing that such data, including communications, are to be used in furtherance of a crime; or ``(6) disclose decryption information in violation of a provision of this chapter. ``(b) Criminal Penalty.--Whoever violates this section shall be imprisoned for not more than 10 years, or fined under this title, or both. ``2803. Unlawful sale of encryption ``Whoever, after January 31, 2000, sells in interstate or foreign commerce any encryption product that does not include features or functions permitting duly authorized persons immediate access to plaintext or immediate decryption capabilities shall be imprisoned for not more than 5 years, fined under this title, or both. ``2804. Encryption products manufactured and intended for use in the United States ``(a) Public Network Service Providers.--After January 31, 2000, public network service providers offering encryption products or encryption services shall ensure that such products or services enable the immediate decryption or access to plaintext of the data, including communications, encrypted by such products or services on the public network upon receipt of a court order or warrant, pursuant to section 2806. ``(b) Manufacturers, Distributors, and Importers.--After January 31, 2000, it shall be unlawful for any person to manufacture for distribution, distribute, or import encryption products intended for sale or use in the United States, unless that product-- ``(1) includes features or functions that provide an immediate access to plaintext capability, through any means, mechanism, or technological method that-- ``(A) permits immediate decryption of the encrypted data, including communications, upon the receipt of decryption information by an authorized party in possession of a facially valid order issued by a court of competent jurisdiction; and ``(B) allows the decryption of encrypted data, including communications, without the knowledge or cooperation of the person being investigated, subject to the requirements set forth in section 2806; ``(2) can be used only on systems or networks that include features or functions that provide an immediate access to plaintext capability, through any means, mechanism, or technological method that-- ``(A) permits immediate decryption of the encrypted data, including communications, upon the receipt of decryption information by an authorized party in possession of a facially valid order issued by a court of competent jurisdiction; and ``(B) allows the decryption of encrypted data, including communications, without the knowledge or cooperation of the person being investigated, subject to the requirements set forth in section 2806; or ``(3) otherwise meets the technical requirements and functional criteria promulgated by the Attorney General under subsection (c). ``(c) Attorney General Criteria.-- ``(1) Publication of requirements.--Within 180 days after the date of the enactment of this chapter, the Attorney General shall publish in the Federal Register technical requirements and functional criteria for complying with the decryption requirements set forth in this section. ``(2) Procedures for advisory opinions.--Within 180 days after the date of the enactment of this chapter, the Attorney General shall promulgate procedures by which data network service providers and encryption product manufacturers, sellers, re-sellers, distributors, and importers may obtain advisory opinions as to whether an encryption product intended for sale or use in the United States after January 31, 2000, meets the requirements of this section and the technical requirements and functional criteria promulgated pursuant to paragraph (1). ``(3) Particular methodology not required.--Nothing in this chapter or any other provision of law shall be construed as requiring the implementation of any particular decryption methodology in order to satisfy the requirements of subsections (a) and (b), or the technical requirements and functional criteria required by the Attorney General under paragraph (1). ``(d) Use of Prior Products Lawful.--After January 31, 2000, it shall not be unlawful to use any encryption product purchased or in use prior to such date. ``2805. Injunctive relief and proceedings ``(a) Injunction.--Whenever it appears to the Secretary or the Attorney General that any person is engaged in, or is about to engage in, any act that constitutes, or would constitute, a violation of section 2804, the Attorney General may initiate a civil action in a district court of the United States to enjoin such violation. Upon the filing of the complaint seeking injunctive relief by the Attorney General, the court shall automatically issue a temporary restraining order against the party being sued. ``(b) Burden of Proof.--In a suit brought by the Attorney General under subsection (a), the burden shall be upon the Government to establish by a preponderance of the evidence that the encryption product involved does not comport with the requirements set forth by the Attorney General pursuant to section 2804 providing for immediate access to plaintext by Federal, State, or local authorities. ``(c) Closing of Proceedings.--(1) Upon motion of the party against whom injunction is being sought-- ``(A) any or all of the proceedings under this section shall be closed to the public; and ``(B) public disclosure of the proceedings shall be treated as contempt of court. ``(2) Upon a written finding by the court that public disclosure of information relevant to the prosecution of the injunction or relevant to a determination of the factual or legal issues raised in the case would cause irreparable or financial harm to the party against whom the suit is brought, or would otherwise disclose proprietary information of any party to the case, all proceedings shall be closed to members of the public, except the parties to the suit, and all transcripts, motions, and orders shall be placed under seal to protect their disclosure to the general public. ``(d) Advisory Opinion as Defense.--It is an absolute defense to a suit under this subsection that the party against whom suit is brought obtained an advisory opinion from the Attorney General pursuant to section 2804(c) and that the product at issue in the suit comports in every aspect with the requirements announced in such advisory opinion. ``(e) Basis for Permanent Injunction.--The court shall issue a permanent injunction against the distribution of, and any future manufacture of, the encryption product at issue in the suit filed under subsection (a) if the court finds by a preponderance of the evidence that the product does not meet the requirements set forth by the Attorney General pursuant to section 2804 providing for immediate access to plaintext by Federal, State, or local authorities. ``(f) Appeals.--Either party may appeal, to the appellate court with jurisdiction of the case, any adverse ruling by the district court entered pursuant to this section. For the purposes of appeal, the parties shall be governed by the Federal Rules of Appellate Procedure, except that the Government shall file its notice of appeal not later than 30 days after the entry of the final order on the docket of the district court. The appeal of such matter shall be considered on an expedited basis and resolved as soon as practicable. ``2806. Court order access to plaintext ``(a) Court Order.--(1) A court of competent jurisdiction shall issue an order, ex parte, granting an investigative or law enforcement officer immediate access to the plaintext of encrypted data, including communications, or requiring any person in possession of decryption information to provide such information to a duly authorized investigative or law enforcement officer-- ``(A) upon the application by an attorney for the Government that-- ``(i) is made under oath or affirmation by the attorney for the Government; and ``(ii) provides a factual basis establishing the relevance that the plaintext or decryption information being sought has to a law enforcement or foreign counterintelligence investigation then being conducted pursuant to lawful authorities; and ``(B) if the court finds, in writing, that the plaintext or decryption information being sought is relevant to an ongoing lawful law enforcement or foreign counterintelligence investigation and the investigative or law enforcement officer is entitled to such plaintext or decryption information. ``(2) The order issued by the court under this section shall be placed under seal, except that a copy may be made available to the investigative or law enforcement officer authorized to obtain access to the plaintext of the encrypted information, or authorized to obtain the decryption information sought in the application. Such order shall also be made available to the person responsible for providing the plaintext or the decryption information, pursuant to such order, to the investigative or law enforcement officer. ``(3) Disclosure of an application made, or order issued, under this section, is not authorized, except as may otherwise be specifically permitted by this section or another order of the court. ``(b) Other Orders.--An attorney for the Government may make application to a district court of the United States for an order under subsection (a), upon a request from a foreign country pursuant to a Mutual Legal Assistance Treaty with such country that is in effect at the time of the request from such country. ``(c) Record of Access Required.--(1) There shall be created an electronic record, or similar type record, of each instance in which an investigative or law enforcement officer, pursuant to an order under this section, gains access to the plaintext of otherwise encrypted information, or is provided decryption information, without the knowledge or consent of the owner of the data, including communications, who is the user of the encryption product involved. ``(2) The court issuing the order under this section shall require that the electronic or similar type of record described in paragraph (1) is maintained in a place and a manner that is not within the custody or control of an investigative or law enforcement officer gaining the access or provided the decryption information. The record shall be tendered to the court, upon notice from the court. ``(3) The court receiving such electronic or similar type of record described in paragraph (1) shall make the original and a certified copy of the record available to the attorney for the Government making application under this section, and to the attorney for, or directly to, the owner of the data, including communications, who is the user of the encryption product. ``(d) Authority To Intercept Communications Not Increased.--Nothing in this chapter shall be construed to enlarge or modify the circumstances or procedures under which a Government entity is entitled to intercept or obtain oral, wire, or electronic communications or information. ``(e) Construction.--This chapter shall be strictly construed to apply only to a Government entity's ability to decrypt data, including communications, for which it has previously obtained lawful authority to intercept or obtain pursuant to other lawful authorities that would otherwise remain encrypted. ``2807. Notification procedures ``(a) In General.--Within a reasonable time, but not later than 90 days after the filing of an application for an order under section 2806 which is granted, the court shall cause to be served, on the persons named in the order or the application, and such other parties whose decryption information or whose plaintext has been provided to an investigative or law enforcement officer pursuant to this chapter as the court may determine that is in the interest of justice, an inventory which shall include notice of-- ``(1) the fact of the entry of the order or the application; ``(2) the date of the entry of the application and issuance of the order; and ``(3) the fact that the person's decryption information or plaintext data, including communications, have been provided or accessed by an investigative or law enforcement officer. The court, upon the filing of a motion, may make available to that person or that person's counsel, for inspection, such portions of the plaintext, applications, and orders as the court determines to be in the interest of justice. On an ex parte showing of good cause to a court of competent jurisdiction, the serving of the inventory required by this subsection may be postponed. ``(b) Admission Into Evidence.--The contents of any encrypted information that has been obtained pursuant to this chapter or evidence derived therefrom shall not be received in evidence or otherwise disclosed in any trial, hearing, or other proceeding in a Federal or State court unless each party, not less than 10 days before the trial, hearing, or proceeding, has been furnished with a copy of the order, and accompanying application, under which the decryption or access to plaintext was authorized or approved. This 10-day period may be waived by the court if the court finds that it was not possible to furnish the party with the information described in the preceding sentence within 10 days before the trial, hearing, or proceeding and that the party will not be prejudiced by the delay in receiving such information. ``(c) Contempt.--Any violation of the provisions of this section may be punished by the court as a contempt thereof. ``(d) Motion To Suppress.--Any aggrieved person in any trial, hearing, or proceeding in or before any court, department, officer, agency, regulatory body, or other authority of the United States or a State may move to suppress the contents of any decrypted data, including communications, obtained pursuant to this chapter, or evidence derived therefrom, on the grounds that-- ``(1) the plaintext was unlawfully decrypted or accessed; ``(2) the order of authorization or approval under which it was decrypted or accessed is insufficient on its face; or ``(3) the decryption was not made in conformity with the order of authorization or approval. Such motion shall be made before the trial, hearing, or proceeding unless there was no opportunity to make such motion, or the person was not aware of the grounds of the motion. If the motion is granted, the plaintext of the decrypted data, including communications, or evidence derived therefrom, shall be treated as having been obtained in violation of this chapter. The court, upon the filing of such motion by the aggrieved person, may make available to the aggrieved person or that person's counsel for inspection such portions of the decrypted plaintext, or evidence derived therefrom, as the court determines to be in the interests of justice. ``(e) Appeal by United States.--In addition to any other right to appeal, the United States shall have the right to appeal from an order granting a motion to suppress made under subsection (d), or the denial of an application for an order under section 2806, if the United States attorney certifies to the court or other official granting such motion or denying such application that the appeal is not taken for purposes of delay. Such appeal shall be taken within 30 days after the date the order was entered on the docket and shall be diligently prosecuted. ``(f) Civil Action for Violation.--Except as otherwise provided in this chapter, any person described in subsection (g) may in a civil action recover from the United States Government the actual damages suffered by the person as a result of a violation described in that subsection, reasonable attorney's fees, and other litigation costs reasonably incurred in prosecuting such claim. ``(g) Covered Persons.--Subsection (f) applies to any person whose decryption information-- ``(1) is knowingly obtained without lawful authority by an investigative or law enforcement officer; ``(2) is obtained by an investigative or law enforcement officer with lawful authority and is knowingly used or disclosed by such officer unlawfully; or ``(3) is obtained by an investigative or law enforcement officer with lawful authority and whose decryption information is unlawfully used to disclose the plaintext of the data, including communications. ``(h) Limitation.--A civil action under subsection (f) shall be commenced not later than 2 years after the date on which the unlawful action took place, or 2 years after the date on which the claimant first discovers the violation, whichever is later. ``(i) Exclusive Remedies.--The remedies and sanctions described in this chapter with respect to the decryption of data, including communications, are the only judicial remedies and sanctions for violations of this chapter involving such decryptions, other than violations based on the deprivation of any rights, privileges, or immunities secured by the Constitution. ``(j) Technical Assistance by Providers.--A provider of encryption technology or network service that has received an order issued by a court pursuant to this chapter shall provide to the investigative or law enforcement officer concerned such technical assistance as is necessary to execute the order. Such provider may, however, move the court to modify or quash the order on the ground that its assistance with respect to the decryption or access to plaintext cannot be performed in a timely or reasonable fashion. The court, upon notice to the Government, shall decide such motion expeditiously. ``(k) Reports to Congress.--In May of each year, the Attorney General, or an Assistant Attorney General specifically designated by the Attorney General, shall report in writing to Congress on the number of applications made and orders entered authorizing Federal, State, and local law enforcement access to decryption information for the purposes of reading the plaintext of otherwise encrypted data, including communications, pursuant to this chapter. Such reports shall be submitted to the Committees on the Judiciary of the House of Representatives and of the Senate, and to the Permanent Select Committee on Intelligence for the House of Representatives and the Select Committee on Intelligence for the Senate. ``2808. Lawful use of plaintext or decryption information ``(a) Authorized Use of Decryption Information.-- ``(1) Criminal investigations.--An investigative or law enforcement officer to whom plaintext or decryption information is provided may use such plaintext or decryption information for the purposes of conducting a lawful criminal investigation or foreign counterintelligence investigation, and for the purposes of preparing for and prosecuting any criminal violation of law. ``(2) Civil redress.--Any plaintext or decryption information provided under this chapter to an investigative or law enforcement officer may not be disclosed, except by court order, to any other person for use in a civil proceeding that is unrelated to a criminal investigation and prosecution for which the plaintext or decryption information is authorized under paragraph (1). Such order shall only issue upon a showing by the party seeking disclosure that there is no alternative means of obtaining the plaintext, or decryption information, being sought and the court also finds that the interests of justice would not be served by nondisclosure. ``(b) Limitation.--An investigative or law enforcement officer may not use decryption information obtained under this chapter to determine the plaintext of any data, including communications, unless it has obtained lawful authority to obtain such data, including communications, under other lawful authorities. ``(c) Return of Decryption Information.--An attorney for the Government shall, upon the issuance of an order of a court of competent jurisdiction-- ``(1)(A) return any decryption information to the person responsible for providing it to an investigative or law enforcement officer pursuant to this chapter; or ``(B) destroy such decryption information, if the court finds that the interests of justice or public safety require that such decryption information should not be returned to the provider; and ``(2) within 10 days after execution of the court's order to destroy the decryption information-- ``(A) certify to the court that the decryption information has either been returned or destroyed consistent with the court's order; and ``(B) notify the provider of the decryption information of the destruction of such information. ``(d) Other Disclosure of Decryption Information.--Except as otherwise provided in section 2806, a key recovery agent may not disclose decryption information stored with the key recovery agent by a person unless the disclosure is-- ``(1) to the person, or an authorized agent thereof; ``(2) with the consent of the person, including pursuant to a contract entered into with the person; ``(3) pursuant to a court order upon a showing of compelling need for the information that cannot be accommodated by any other means if-- ``(A) the person who supplied the information is given reasonable notice, by the person seeking the disclosure, of the court proceeding relevant to the issuance of the court order; and ``(B) the person who supplied the information is afforded the opportunity to appear in the court proceeding and contest the claim of the person seeking the disclosure; ``(4) pursuant to a determination by a court of competent jurisdiction that another person is lawfully entitled to hold such decryption information, including determinations arising from legal proceedings associated with the incapacity, death, or dissolution of any person; or ``(5) otherwise permitted by a provision of this chapter or otherwise permitted by law. ``2809. Identification of decryption information ``(a) Identification.--To avoid inadvertent disclosure, any person who provides decryption information to an investigative or law enforcement officer pursuant to this chapter shall specifically identify that part of the material provided that discloses decryption information as such. ``(b) Responsibility of Investigative or Law Enforcement Officer.--The investigative or law enforcement officer receiving any decryption information under this chapter shall maintain such information in facilities and in a method so as to reasonably assure that inadvertent disclosure does not occur. ``2810. Unlawful export of certain encryption products ``Whoever, after January 31, 2000, knowingly exports an encryption product that does not include features or functions providing duly authorized persons immediate access to plaintext or immediate decryption capabilities, as required under law, shall be imprisoned for not more than 5 years, fined under this title, or both. ``2811. Definitions ``The definitions set forth in section 101 of the Security and Freedom through Encryption (`SAFE') Act of 1997 shall apply to this chapter.''. (b) Conforming Amendment.--The table of chapters for part I of title 18, United States Code, is amended by inserting after the item relating to chapter 121 the following new item: ``122. Encrypted data, including communications 2801''. TITLE II--GOVERNMENT PROCUREMENT SEC. 201. FEDERAL PURCHASES OF ENCRYPTION PRODUCTS. After January 1, 1999, any encryption product or service purchased or otherwise procured by the United States Government to provide the security service of data confidentiality for a Federal computer system shall include a technique enabling immediate decryption by an authorized party without the knowledge or cooperation of the person using such encryption products or services. SEC. 202. ENCRYPTION PRODUCTS PURCHASED WITH FEDERAL FUNDS. After January 1, 1999, any encryption product or service purchased directly with Federal funds to provide the security service of data confidentiality shall include a technique enabling immediate decryption by an authorized party without the knowledge or cooperation of the person using such encryption product or service unless the Secretary, with the concurrence of the Attorney General, determines implementing this requirement would not promote the purposes of this Act. SEC. 203. NETWORKS ESTABLISHED WITH FEDERAL FUNDS. After January 1, 1999, any communications network established with the use of Federal funds shall use encryption products which include techniques enabling immediate decryption by an authorized party without the knowledge or cooperation of the person using such encryption products or services unless the Secretary, with the concurrence of the Attorney General, determines implementing this requirement would not promote the purposes of this Act. SEC. 204. PRODUCT LABELS. An encryption product may be labeled to inform users that the product is authorized for sale to or for use in transactions and communications with the United States Government under this title. SEC. 205. NO PRIVATE MANDATE. The United States Government may not mandate the use of encryption standards for the private sector other than for use with computer systems, networks, or other systems of the United States Government, or systems or networks created using Federal funds. SEC. 206. IMPLEMENTATION. (a) Exclusion.--Nothing in this title shall apply to encryption products and services used solely for access control, authentication, integrity, nonrepudiation, digital signatures, or other similar purposes. (b) Rulemaking.--The Secretary, in consultation with the Attorney General and other affected agencies, may through rules provide for the orderly implementation of this title and the effective use of secure public networks. TITLE III--EXPORTS OF ENCRYPTION SEC. 301. EXPORTS OF ENCRYPTION. (a) Coordination of Executive Branch Agencies Required.--The Secretary, in close coordination with the Secretary of Defense and any other executive branch department or agency with responsibility for protecting the national security, shall have the authority to control the export of encryption products not controlled on the United States Munitions List. (b) Decisions Not Subject to Judicial Review.--Decisions made by the Secretary pursuant to subsection (a) with respect to exports of encryption products under this title shall not be subject to judicial review. SEC. 302. LICENSE EXCEPTION FOR CERTAIN ENCRYPTION PRODUCTS. (a) License Exception.--After January 31, 2000, encryption products, without regard to encryption strength, shall be eligible for export under a license exception if such encryption product-- (1) is submitted to the Secretary for a 1-time product review; (2) does not include features or functions that would otherwise require licensing under applicable regulations; (3) is not destined for countries, end users, or end uses that the Secretary, in coordination with the Secretary of Defense and other executive branch departments or agencies with responsibility for protecting the national security, by regulation, has determined should be ineligible to receive such products, and is otherwise qualified for export; and (4)(A) includes features or functions providing an immediate access to plaintext capability, if there is lawful authority for such immediate access; or (B) includes features or functions providing an immediate decryption capability of the encrypted data, including communications, upon the receipt of decryption information by an authorized party, and such decryption can be accomplished without unauthorized disclosure. (b) Enabling of Decryption Capabilities.--The features or functions described in subsection (a)(4) need not be enabled by the manufacturer before or at the time of export for purposes of this title. Such features or functions may be enabled by the purchaser or end user. (c) Responsibilities of the Secretary.--The Secretary, in close coordination with the Secretary of Defense and other executive branch departments or agencies with responsibility for protecting the national security, shall-- (1) specify, by regulation, the information that must be submitted for the 1-time review referred to in this section; and (2) make all export determinations under this title within 30 days following the date of submission to the Secretary of-- (A) the completed application for a license exception; and (B) the encryption product intended for export that is to be reviewed as required by this section. (d) Exercise of Other Authorities.--The Secretary, and the Secretary of Defense, may exercise the authorities they have under other provisions of law, including the Export Administration Act of 1979, as continued in effect under the International Emergency Economic Powers Act, to carry out this section. (e) Presumption in Favor of Exports.--There shall be a presumption in favor of export of encryption products under this title. (f) Waiver Authority.--The President may by Executive order waive any provision of this title, or the applicability of any such provision to a person or entity, if the President determines that the waiver is in the interests of national security or public safety and security. The President shall submit a report to the relevant committees of the Congress not later than 15 days after such determination. The report shall include the factual basis upon which such determination was made. The report may be in classified format. (g) Relevant Committees.--The relevant committees of the Congress described in subsection (f) are the Committee on International Relations, the Committee on the Judiciary, the Committee on National Security, the Permanent Select Committee on Intelligence of the House of Representatives, and the Committee on Foreign Relations, the Committee on the Judiciary, the Committee on Armed Services, and the Select Committee on Intelligence of the Senate. SEC. 303. LICENSE EXCEPTION FOR TELECOMMUNICATIONS PRODUCTS. After a 1-time review as described in section 302, the Secretary shall authorize for export under a license exception voice encryption products that do not contain decryption or access to plainvoice features or functions otherwise required in section 302, if the Secretary, after consultation with relevant executive branch departments or agencies, determines that-- (1) information recovery requirements for such exports would disadvantage United States exporters; and (2) such exports under a license exception would not create a risk to the foreign policy, non-proliferation, or national security of the United States. SEC. 304. REVIEW FOR CERTAIN INSTITUTIONS. The Secretary, in consultation with other executive branch departments or agencies, shall establish a procedure for expedited review of export license applications involving encryption products for use by qualified banks, financial institutions, subsidiaries of companies owned or controlled by United States persons, or other users specifically authorized by the Secretary. SEC. 305. ENCRYPTION INDUSTRY AND INFORMATION SECURITY BOARD. (a) Encryption Industry and Information Security Board Established.--There is hereby established an Encryption Industry and Information Security Board. The Board shall undertake an advisory role for the President. (b) Purposes.--The purposes of the Board are-- (1) to provide a forum to foster communication and coordination between industry and the Federal Government on matters relating to the use of encryption products; (2) to promote the export of encryption products manufactured in the United States; (3) to encourage research and development of products that will foster electronic commerce; (4) to recommend policies enhancing the security of public networks; (5) to promote the protection of intellectual property and privacy rights of individuals using public networks; (6) to enable the United States to effectively and continually understand the benefits and risks to its national security, law enforcement, and public safety interests by virtue of the proliferation of strong encryption on the global market; (7) to evaluate and make recommendations regarding the further development and use of encryption; (8) to advance the development of international standards regarding interoperability and global use of encryption products; and (9) to evaluate the foreign availability of encryption products and their threat to United States industry. (c) Membership.--(1) The Board shall be composed of 13 members, as follows: (A) The Secretary, or the Secretary's designee, who shall chair the Board. (B) The Attorney General, or the Director of the Federal Bureau of Investigation, or a respective designee. (C) The Secretary of Defense, or the Secretary's designee. (D) the Director of Central Intelligence, or his or her designee. (E) The Special Assistant to the President for National Security Affairs, or his or her designee. (F) Two private sector individuals, appointed by the President, who have expertise in consumer and privacy interests relating to or affected by information security technology. (G) Six representatives from the private sector who have expertise in the development, operation, marketing, law, or public policy relating to information security or technology. (2) The six private sector representatives described in paragraph (1)(G) shall be appointed as follows: (A) Two by the Speaker of the House of Representatives. (B) One by the Minority Leader of the House of Representatives. (C) Two by the Majority Leader of the Senate. (D) One by the Minority Leader of the Senate. (e) Meetings.--The Board shall meet at such times and in such places as the Secretary may prescribe, but not less frequently than every four months. The Federal Advisory Committee Act (5 U.S.C. App.) does not apply to the Board or to meetings held by the Board under this section. (f) Findings and Recommendations.--The chair of the Board shall convey the findings and recommendations of the Board to the President and to the Congress within 30 days after each meeting of the Board. The recommendations of the Board are not binding upon the President. (g) Foreign Availability.--The consideration of foreign availability by the Board shall include computer software that is distributed over the Internet or advertised for sale, license, or transfer, including over-the-counter retail sales, mail order transactions, telephone order transactions, electronic distribution, or sale on approval. TITLE IV--LIABILITY LIMITATIONS SEC. 401. COMPLIANCE WITH COURT ORDER. (a) No Liability for Compliance.--Subject to subsection (b), no civil or criminal liability under this Act, or under any other provision of law, shall attach to any person for disclosing or providing-- (1) the plaintext of encrypted data, including communications; (2) the decryption information of such encrypted data, including communications; or (3) technical assistance for access to the plaintext of, or decryption information for, encrypted data, including communications. (b) Exception.--Subsection (a) shall not apply to a person who provides plaintext or decryption information to another and is not authorized by court order to disclose such plaintext or decryption information. SEC. 402. COMPLIANCE DEFENSE. Compliance with the provisions of sections 2806, 2807, 2808, or 2809 of title 18, United States Code, as added by section 104(a) of this Act, or any regulations authorized thereunder, shall provide a complete defense for any civil action for damages based upon activities covered by this Act, other than an action founded on contract. SEC. 403. REASONABLE CARE DEFENSE. The participation by person in the key management infrastructure established by regulation for United States Government information security operations under section 103 shall be treated as evidence of reasonable care or due diligence in any proceeding where the reasonableness of one's actions is an element of the claim at issue. SEC. 404. GOOD FAITH DEFENSE. An objectively reasonable reliance on the legal authority provided by this Act and the amendments made by this Act, requiring or authorizing access to the plaintext of otherwise encrypted data, including communications, or to the decryption information that will allow the immediate decryption of data, including communications, that is otherwise encrypted, shall be a complete defense to any criminal or civil action that may be brought under the laws of the United States or any State. SEC. 405. SOVEREIGN IMMUNITY. Except as otherwise specifically provided otherwise, nothing in this Act or the amendments made by this Act, or any regulations promulgated thereunder, modifies or amends the sovereign immunity of the United States. SEC. 406. CIVIL ACTION, GENERALLY. A civil action may be brought against any person who, regardless of that person's participation in the key management infrastructure to be established by regulations promulgated by the Secretary pursuant to section 103, violates or acts in a manner that is inconsistent with or violates the provisions or intent of this Act or the amendments made by this Act. TITLE V--INTERNATIONAL AGREEMENTS SEC. 501. SENSE OF CONGRESS. It is the sense of Congress that-- (1) the President should conduct negotiations with foreign governments for the purposes of mutual recognition of any key management infrastructures, and their component parts, that exist or are developed; and (2) such mutual recognition agreements will safeguard the privacy of the citizens of the United States, prevent economic espionage, and enhance the information security needs of the United States. SEC. 502. FAILURE TO NEGOTIATE. The President may consider a government's refusal to negotiate mutual recognition agreements described in section 501 when considering the participation of the United States in any cooperation or assistance program with that country. SEC. 503. REPORT TO CONGRESS. (a) Report to Congress.--The President shall report annually to the Congress on the status of the international effort outlined by section 501. (b) First Report.--The first report required under subsection (a) shall be submitted in unclassified form no later than December 15, 1998. TITLE VI--MISCELLANEOUS PROVISIONS SEC. 601. EFFECT ON LAW ENFORCEMENT ACTIVITIES. (a) Collection of Information by Attorney General.--The Attorney General shall compile, and maintain in classified form, data on the instances in which encryption has interfered with, impeded, or obstructed the ability of the Department of Justice to enforce the criminal laws of the United States. (b) Availability of Information to the Congress.--The information compiled under subsection (a), including an unclassified summary thereof, shall be made available, upon request, to any Member of Congress. SEC. 602. INTERPRETATION. Nothing contained in this Act or the amendments made by this Act shall be deemed to-- (1) preempt or otherwise affect the application of the Arms Export Control Act (22 U.S.C. 2751 et seq.), the Export Administration Act of 1979 (50 U.S.C. App. 2401 et seq.), or the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) or any regulations promulgated thereunder; (2) affect foreign intelligence activities of the United States; or (3) negate or diminish any intellectual property protections under the laws of the United States or of any State. SEC. 603. SEVERABILITY. If any provision of this Act or the amendments made by this Act, or the application thereof, to any person or circumstances is held invalid by a court of the United States, the remainder of this Act or such amendments, and the application thereof, to other persons or circumstances shall not be affected thereby. PURPOSE Americans expect their phone calls, electronic mail, personal documents, and electronic commercial activities to be secure and private. The rapid expansion of communication and computer technology has created vulnerabilities that leave many personal communications and commercial transactions potentially exposed to fraud and misuse. The development and use of strong encryption is essential to a thriving electronic communications capability, and necessary to help safeguard privacy and protect ourselves from crime. H.R. 695 promotes the development and distribution of strong encryption technologies that are intended to provide a heightened level of security and freedom to engage in electronic commerce. Chief among the government's obligations to its people is the duty to protect them from threats of harm to their persons or property. Similarly, in order to establish and maintain a government that serves the common good and provides for the common defense, which the Framers acknowledged was essential to a free society, national security interests must be carefully weighed against the people's inalienable rights of life, liberty, and property. With this interest in maintaining the balance between individual rights and our nation's security, the Permanent Select Committee on Intelligence sought and obtained referral of the bill, H.R. 695. The Committee's consideration of H.R. 695 brought to light that the bill as introduced and reported by the Committee on the Judiciary, though certainly well-intentioned, left our intelligence and intelligence-related capabilities at considerable risk. Likewise, enacted without amendment, it might jeopardize the nation's (including our state and local law enforcement agencies) ability to investigate, apprehend, and prosecute criminals of the most serious stripe. The Committee received evidence that strong encryption has already been used to facilitate drug trafficking, protect child pornographers, shield terrorist plots and communications, and hide evidence of credit card fraud, among other notable crimes. Furthermore, the Committee is of the view that such a law enforcement and national security risk should not be left to the forces of the marketplace. Doing so abdicates the responsibility of the government to protect its people from enemies, both foreign and domestic. Thus, the amendment in the nature of a substitute to H.R. 695, reported favorably by the Committee, seeks simply to ensure that the critical national security and law enforcement concerns at issue in this debate over the nature and direction of encryption policy for the United States will be seriously addressed. SUMMARY section-by-section Section 1.--Short title This section provides the title of the bill as the ``Security and Freedom through Encryption (``SAFE'') Act of 1997.'' Section 2.--Statement of policy This section sets forth the policy of the United States with respect to encryption technology. TITLE I--DOMESTIC USES OF ENCRYPTION Section 101.--Definitions This section establishes the definitions of specific terms used throughout the bill. Section 102.--Lawful use of encryption This section makes clear that, except as otherwise provided, it is lawful to use encryption products, regardless of algorithm length selected, encryption key length chosen, or implementation technique or medium used. Section 103.--Voluntary private sector participation in key management infrastructure Subsection (a) clarifies that the use of certificate authorities or key recovery agents is completely voluntary. Subsection (b) provides the Secretary of Commerce with regulatory authority to establish standards for creating voluntary key management infrastructures. The Committee believes that the development of key management infrastructures is important to the interoperability that is necessary for the further development of safe and secure electronic commerce. Any regulations promulgated should allow the voluntary participation of private persons and non-federal entities. These regulations should also encourage the development of certificate authorities and key recovery agents. Subsection (c) will permit key recovery agents or certificate authorities to register themselves with the Commerce Department. In addition, such entities will be allowed, if they choose, to identify themselves as meeting the standards established by the Secretary. Section 104.--Unlawful use of encryption This section amends Title 18, United States Code, by new sections 2801 through 2811 within a new chapter 122, which bears the heading, ``Chapter 122-Encrypted Data, Including Communications.'' New section 2801 of title 18, United States Code, would make it a criminal offense to use encryption in furtherance of the commission of a federal crime. The penalties attached to such crimes would be in addition to any sentence imposed for the underlying offense. For first time offenders, the potential penalties are not more than 5 years in prison, a fine under Title 18, United States Code,\1\ or both. For repeat offenders of this provision, the jail time is potentially no more than an additional 10 years. This section would apply equally to any investigative or law enforcement officer who is found to have violated these provisions. \1\Title 18, United States Code, Section 3571 establishes the fine schedule for all Title 18 criminal violations. For an individual convicted of a felony, the fine would, generally, be $250,000. For an organization convicted of a felony, the fine would, generally, be $500,000. Some specific criminal provisions may specify higher fine amounts. Any criminal provision authorizing a lower fine amount is nullified by enactment of subsection (e) of section 3571 of Title 18, United States Code. New section 2801 creates several new crimes. First, it makes it illegal to intentionally obtain or use decryption information without lawful authority in order to decrypt data, including information. Next, it makes it a criminal offense to exceed lawful authority in decrypting data, including communications. This new section would make the breaking of the encryption code of another without lawful authority and with the purpose of violating that person's privacy or security, or for the purpose of depriving that person of his or her property a criminal violation of law. Likewise, it would be illegal to impersonate another for the purpose of obtaining that person's decryption information without lawful authority. Importantly, it also makes it unlawful to facilitate or assist in the encryption of data, including communications, that are to be used in furtherance of a crime. Finally, it makes it illegal to otherwise disclose decryption information in violation of the provisions of new chapter 122 of Title 18, United States Code. Each of these criminal violations is subject to a potential penalty of not more than 10 years in prison, a fine under Title 18, United States Code, or both. This section would apply equally to any investigative or law enforcement officer who is found to have violated these provisions. New section 2803 will make it unlawful after January 31, 2000, to sell in interstate or foreign commerce any encryption product that does not provide duly authorized persons an immediate access to plaintext capability, or immediate decryption capability. Under this new chapter of Title 18, United States Code, such duly authorized persons only include those presenting an order from a court of competent jurisdiction requiring that such access or provision of decryption information be made. This section would apply equally to any investigative or law enforcement officer who is found to have violated these provisions. New section 2804 establishes manufacturing and service requirements on encryption products intended for distribution and use after January 31, 2000. Subsection (a) requires all public network service providers to offer encryption products or services that ensure an immediate decryption capability or an immediate access to plaintext capability. Subsection (b) requires any person who manufactures for distribution, distributes, or imports encryption products intended for sale or use in the United States to include in such products features or functions that provide an immediate access to plaintext capability. These features or functions must permit the immediate decryption of data, including communications, without the knowledge or cooperation of the person being investigated, but only upon the presentation of a facially valid order issued by a court of competent jurisdiction. Alternatively, encryption products may be manufactured for distribution, distributed, or imported even if they do not meet the requirements set forth above, so long as they can be used only on systems or networks that include features or functions that otherwise provide the immediate access to plaintext capability previously discussed. Finally, persons are free to manufacture encryption products that do not comport with any of the requirements set forth here, so long as they otherwise meet the technical requirements and functional criteria established by the Attorney General, pursuant to subsection (c). Subsection (c) provides the Attorney General with regulatory authority to promulgate technical requirements and functional criteria for encryption products that will allow for an immediate access to plaintext capability, or otherwise enable the immediate decryption of the otherwise encrypted data, including communications. This subsection provides industry with an opportunity to seek an advisory opinion from the Attorney General as to a particular product intended for manufacturer or distribution. Such advisory opinions serve an important function in that they will provide the industry with clear guidance on products intended for sale. This procedure will hopefully alleviate the need for lawsuits to enjoin the distribution or manufacture of encryption products. This subsection specifically provides that the Attorney General cannot require a particular methodology to be used in meeting her technical requirements or functional criteria. Subsection (d) authorizes the use, even after January 31, 2000, of encryption products purchased or in use prior to that date. This alleviates any ex post facto problem. The Committee also recognizes that industry will need to develop new product lines to comply with the provisions of this amendment. Thus, in order to allow those manufacturers an opportunity to recoup some of their research and development investment this provision allows them to continue to sell their current product line for the next two-plus years. New section 2805 sets forth procedures whereby the onus is on the government to prohibit the manufacture or distribution of an encryption product, after January 31, 2000, that she or the Secretary of Commerce believes does not meet the technical requirements or functional criteria established by the Attorney General. The Committee believes that it is appropriate for the Attorney General to bear the burden, in a court of law, before an independent arbiter of the facts, of keeping a particular encryption product out of the market place. The provision allows for the closure of such proceedings to protect the proprietary interest in any information that might be disclosed through a public proceeding. Furthermore, the provision will provide those who obtained an advisory opinion with an absolute defense to the lawsuit as long as the product at issue comports in every aspect with the requirements announced in the Attorney General's advisory opinion. New section 2806 sets forth the standards and procedures for the issuance of a court order granting an investigative or law enforcement officer access to the plaintext of otherwise encrypted data, including communications, or compelling the provision of decryption information to an investigative or law enforcement officer. The application for such order must be made by an attorney for the government. That application must establish facts supporting the finding that the plaintext or decryption information is relevant to an on-going and legitimate law enforcement or foreign counterintelligence investigation. The application and any order issued thereon may be made ex parte and placed under seal. Disclosure of the application or order is not authorized by anyone, except as otherwise permitted by this section, or another order of the court. This section also comports with any obligation the United States may have to any foreign government under any effective Mutual Legal Assistance Treaties This section also requires that the court granting access to plaintext or the disclosure of decryption information, shall also ensure that a verifiable audit trail of any access to plaintext or decryption information be maintained. This record shall not be maintained in a place or in a manner under the custody or control of the investigative or law enforcement officer gaining the access under this section. The record will then be tendered to the court upon an order of the court. Subsection (d) clarifies that nothing in this new chapter shall be read to expand or modify any other constitutional or statutory requirement under which a government entity is entitled to intercept or obtain oral, wire, or electronic communications, or information. Subsection (e) mandates a strict construction of this new chapter so that it is read only to apply to a government entity's ability to decrypt or otherwise gain access to the plaintext of data, including communications, for which it previously obtained lawful authority to intercept or obtain. New section 2807 provides the users of encryption products with a statutory right to be notified when their decryption information is provided to law enforcement, or when law enforcement is granted access to the plaintext of their data, including communications. This section does provide for a delayed notification to the user so as not to jeopardize the integrity of the on-going criminal investigation or foreign counter-intelligence investigation. Basically, the user must be notified within 90 days after the filing of an application for the decryption information, or for access to the plaintext, unless the judge finds good cause warranting the delay. Specifically, however, none of the decrypted contents of the encrypted information that has been obtained, nor any evidence derived therefrom may be used in any proceeding unless the user has been furnished with a copy of the order, application, and the data, including communications. The user may move to suppress the use of any of the plaintext or evidence derived therefrom in any proceeding on the grounds that the plaintext or the decryption information was unlawfully obtained. This section also provides aggrieved persons with a civil cause of action for any violations of this new chapter. New section 2808 limits the lawful uses of any plaintext or decryption information may be put. It may be used for the purposes of conducting a lawful criminal or foreign counterintelligence investigation, and for the purposes of preparing for and prosecuting any criminal violation of law. It may not be disclosed to any party to a civil suit that does not arise from the criminal investigation or prosecution, unless a court finds that there is no alternative means of obtaining the plaintext, or decryption information and that the interests of justice would not be served by nondisclosure. This section further clarifies that decryption information may not be used to determine the plaintext unless the officer possesses other lawful authority to the plaintext. This section also outlines the procedures for returning or destroying any decryption information upon the conclusion of the investigation, trial, or proceeding. This section also places limitations upon any person acting as a key recovery agent. It specifies to whom and under what circumstances decryption information may be provided to another person by a key recovery agent. New section 2809 requires those who are providing decryption information to an investigative or law enforcement officer to so identify that information in order to avoid any inadvertent disclosure. The officer is responsible for maintaining the decryption information in such a manner so as to reasonably assure against inadvertent disclosure. New section 2810 makes it a crime to knowingly export an encryption product after January 31, 2000 that does not include an immediate access to plaintext capability, or that does not provide an immediate decryption capability. This criminal provision carries a potential prison term of not more than 5 years. New section 2811 incorporates the definitions set forth at section 101 of this Act as the definitions to be utilized for new chapter 122 of Title 18, United States Code. TITLE II--GOVERNMENT PROCUREMENT Section 201.--Federal purchases of encryption products This section requires the United States Government, after January 1, 1999, to purchase only those encryption products enabling the immediate decryption by an authorized party, without the knowledge or cooperation of the person using the encryption product. This requirement only applies to those products or services obtained for providing security service for a federal computer system. Section 202.--Encryption products purchased with Federal funds This section requires that any encryption product or service purchased directly with federal funds after January 1, 1999, shall enable the immediate decryption by an authorized party, without the knowledge or cooperation of the person using the encryption product. The Committee does not intend that this provision applies to any product purchased by institutions receiving federal grants or other funding, if such institution does not require interoperability with the United States government, such as universities or public libraries. Section 203.--Networks established with Federal funds This section requires that any communications network that is established directly with federal funds after January 1, 1999, must use encryption products that include techniques enabling the immediate decryption of data, including communications, without the knowledge or cooperation of the person using the encryption product or service. It is not intended that private communications networks that might benefit from federal grants satisfy this requirement. Rather, the Committee intends that this provision apply solely to those communication networks established for the purpose of communication with the United States government, either on a contractual basis, or as an element of the government. Section 204.--Product labels This section allows for the labeling of encryption products so that purchasers and users are aware that the product is authorized for sale to, or for use in transactions with, the United States government. Section 205.--No private mandate This section articulates the policy that the United States government shall not require the use of particular encryption standards for the private sector. Section 206.--Implementation This section specifically states that encryption products used solely for access control, authentication, integrity, nonrepudiation, or digital signatures are not covered by the provisions of this title. Moreover, this section grants the Secretary of Commerce regulatory authority to effectuate the provisions of this title. TITLE III--EXPORTS OF ENCRYPTION Section 301.--Exports of encryption Subsection (a) establishes that the Secretary of Commerce, acting in close coordination with the Secretary of Defense, and other executive branch agencies with responsibility for protecting the national security, has the authority to exercise control over the export of encryption products. Subsection (b) clarifies that export control decisions made by the Secretary are not subject to judicial review. Section 302.--License exception for certain encryption products Subsection (a) sets criteria for export license exceptions of encryption products after January 31, 2000. Specifically, products eligible for exemptions must: be submitted to the Secretary of Commerce for a 1-time product review; not include features that would require licensing under other applicable regulations; not be destined for countries that are determined ineligible on national security grounds. In addition, the product must include a means of obtaining immediate access to plaintext capability if there is lawful authority for such access. Subsection (b) clarifies that the immediate access to plaintext capability need not be enabled by the manufacturer before or at the time of export. Subsection (c) requires the Secretary, in close coordination with the Secretary of Defense and other relevant executive branch agency heads, to promulgate regulations for the 1-time review process; and sets a time limit of 30 days for that review process. This subsection establishes that the 30-day time clock starts when the Secretary has received a completed application for license exception and the encryption product intended for export. Subsection (d) clarifies that the Secretary of Commerce and the Secretary of Defense still maintain any authorities they currently possess under any other provisions of law, including the Export Administration Act of 1979, as continued in effect under the International Emergency Economic Powers Act. Subsection (e) establishes a presumption in favor of exporting products submitted to the Secretary under this section. The burden will be on the Secretary of Commerce to deny export. Subsection (f) provides the President with the authority to waive any portion of this title for national security purposes. Requires the President to report to the relevant committees of Congress within 15 days after this authority is used. Subsection (g) lists the committees in the House and Senate that would receive a report under the previous subsection. Section 303.--License exception for telecommunications products This section provides a specific exemption for certain voice encryption products. Products will be eligible for this exemption if, after a 1-time review, the Secretary of Commerce determines that the inclusion of information recovery capability would disadvantage U.S. exporters; and the export of the voice encryption product would not pose a risk to foreign policy, nonproliferation, or national security. Section 304.--Review for certain institutions This section requires the Secretary of Commerce to establish an expedited export license exception review process for encryption products to be used by qualified banks, financial institutions, U.S. businesses, and other users specifically authorized by the Secretary. Section 305.--Encryption Industry and Information Security Board This section establishes an Encryption Industry and Information Security Board (``EIISB'') to advise the President on future encryption policy and technological advancements that would serve to alter the United States policy on encryption products. This section also defines the purposes of the board. It further specifies that the Board shall be composed of 13 members, and how those members shall be appointed. In addition to the Secretaries of Commerce and Defense, the Attorney General or the FBI Director, the Director of Central Intelligence, and the National Security Advisor to the President, or their designees will sit on the EIIS Board. The board shall include two individuals appointed by the President who should have no ties to the industry, but who can represent the interests of consumer groups and civil liberties advocacy groups. There will also be appointed six representatives from the private sector who together have expertise in the many facets of information security, including the technical and legal issues surrounding the use of information security technology. The Board will report to the President and Congress, and their recommendations are not binding. TITLE IV--LIABILITY LIMITATIONS Section 401.--Compliance with court order This section states that a person shall not be held civilly or criminally liable under this Act, or under any other provision of law, for acting in compliance with a court order compelling the disclosure of plaintext or decryption information. Section 402.--Compliance defense This section provides a complete defense for any non-contract action for damages based upon activities covered by the Act as long as the person complies with the provisions of sections 2806, 2807, 2808, or 2809 of title 18, United States Code, as added by section 104(a) of this Act, or any regulations authorized thereunder. Section 403.--Reasonable care defense This provision encourages the participation in a key management infrastructure that meets the standards suggested by the Secretary of Commerce under section 103 of this Act. This section authorizes the use of one's participation in such key management infrastructure as evidence of reasonable care in a case where the reasonableness of one's actions is at issue. Section 404.--Good faith defense This section provides anyone who relies on the legal authority provided under this Act as the basis for providing an investigative or law enforcement officer with access to the plaintext of otherwise encrypted data, including communications, or for providing such officer with decryption information, with a complete defense to any criminal or civil action arising therefrom. Section 405.--Sovereign immunity This section clarifies that nothing in this Act modifies or amends the sovereign immunity of the United States. Section 406.--Civil action, generally This section allows a civil action to be brought against any person who violates or acts in a way that is inconsistent with the provisions or intent of this Act. TITLE V--INTERNATIONAL AGREEMENTS Section 501.--Sense of Congress This section expresses the Sense of Congress that the President should negotiate with foreign governments to establish mutual recognition of key management infrastructures. Section 502.--Failure to negotiate This section permits the President to take a country's refusal to negotiate into consideration when making decisions about U.S. participation in any cooperation or assistance program with that country. Section 503.--Report to Congress This section requires an annual report to Congress on the status of the negotiations, with the first report due December 15, 1998. TITLE VI--MISCELLANEOUS PROVISIONS Section 601.--Effect on law enforcement activities This section requires the Attorney General to compile, and maintain in classified form, information on those instances where encryption has posed problems in the enforcement of federal laws. This information will be available to any Member of Congress upon request. Section 602.--Interpretation This section clarifies the relationship of the bill to the interpretation of certain laws: the bill does not preempt the application of other important export control acts, including: the Arms Export Control Act, the Export Administration Act, or the International Emergency Economic Powers Act; it does not affect foreign intelligence activities of the United States; nor does it diminish US or State intellectual property protections. Section 603.--Severability This section permits any court reviewing this Act to sever any provision from the remainder of the Act, so as not to find the Act invalid in its entirety. BACKGROUND AND NEED FOR LEGISLATION H.R. 695, as amended by the Committee on the Judiciary, has broad implications on the intelligence and intelligence-related activities of the United States. The Intelligence Committee has jurisdiction over legislation relating to the intelligence and intelligence-related capabilities of the United States, including the FBI's domestic counter-intelligence and counter-terrorism functions. Thus, upon the Chairman's request, the Speaker referred the bill to the Committee for its consideration. Primary among the Committee's concerns was how the development of strong and unbreakable encryption technology would affect the national security of the United States. The Defense Department's need for information security technology is essential to its force protection and war fighting functions. Likewise, information security is critical to the President and his advisors. It is necessary to the Department of State in its development of sound foreign policy. Encryption technology that does not provide for access points to plaintext, or the re-capture of communications and data, puts these needs at considerable risk. The development of encryption technologies that does not take into consideration society's desire to prevent, investigate, and prosecute crimes, is of no sizable benefit to society. Such encryption technology would allow criminals to act with impunity, without concern that their actions might be subject to exposure by lawful authorities. The FBI, the agency primarily responsible for counter-terrorism and domestic counter-espionage efforts, and the investigation of child pornography and kidnapping, could find itself especially handicapped in these areas. Likewise, the Drug Enforcement Administration, which is responsible to the nation for counter-narcotics operations, could be negatively affected by H.R. 695. Similarly, the Committee was greatly concerned that State and local law enforcement agencies' ability to provide their citizenry with a free and peaceful place to live and work would be seriously jeopardized. As considered by the Permanent Select Committee on Intelligence, H.R. 695 left the public's safety and our nation's security to the forces of the marketplace. The ``SAFE'' Act provided no mechanism or technological capability for law enforcement or national security to access the plaintext of data, including communications. It would ultimately have rendered meaningless any other law, including the Fourth Amendment, entitling law enforcement to such evidence. It would have negated our intelligence collectors' abilities to perform their vital national security functions. The Committee found that, to the detriment of the national security and law enforcement equities of the United States, H.R. 695 encouraged the development of unbreakable encryption technologies, seeming based upon an absolutist's view of the First Amendment and one's ``right of privacy.'' H.R. 695 did nothing to encourage the development of systems or software that would meet the crucial needs of national security or law enforcement. The bill placed the determination of whether a particular export of encryption technology affected the national security interests of the United States solely in the hands of the Secretary of Commerce, with no role whatsoever for the national security apparatus of the United States government. This, despite the proponents acknowledgment of the national security benefit that encryption technology can provide to the government. The proponents of H.R. 695 argue that the legislation enhances the needs of law enforcement. They contend that strong encryption software, widely available to the public, will secure our computer networks, defeat fraud, and instill trust in the already booming Internet. This trust, they assert, is necessary to release the opportunities available through electronic commerce. None of this is disputed. Congress has on many occasions accepted the premise that the use of electronic surveillance is a tool of utmost importance in many criminal investigations, especially those involving serious and violent crime, terrorism, espionage, organized crime, drug-trafficking, corruption, and fraud. There have been numerous cases where law enforcement, through the use of electronic surveillance, has not only solved and successfully prosecuted serious crimes and dangerous criminals, but has also been able to prevent serious and life-threatening criminal acts. For example, terrorists in New York were plotting to bomb the United Nations building, the Lincoln and Holland tunnels, and 26 Federal Plaza as well as conduct assassinations of political figures. Court-authorized electronic surveillance enabled the FBI to disrupt the plot as explosives were being mixed. Ultimately, the evidence obtained was used to convict the conspirators. In another example, electronic surveillance was used to prevent and then convict two men who intended to kidnap, molest and then kill a male child. The supporters of the bill insist that the problem for law enforcement is a narrow problem, only affecting approximately 1,100 wiretaps per year, while encryption provides great security benefits to the electronic marketplace.\2\ The Committee is concerned that the problems posed by H.R. 695 are not as narrow as the bill's supporters claim. The problem that some see as ``narrow'' is in fact the entirety of the problem. Were the 1,100 or so wiretaps conducted by federal, state, and local law enforcement agencies across the country in the last year protected with unbreakable encryption, the scores of drug traffickers, child pornographers, kidnappers, Mafiosi, terrorists, and spies that were identified, investigated, and prosecuted, through the use of those wiretaps, would still be at large. \2\Mr. Jerry Berman, Executive Director of the Center for Technology and Democracy before the House Judiciary Committee, March 20, 1997. The Committee notes, with considerable concern, that the threat such encryption creates is not limited to the FBI alone. From a national security perspective, this is not a problem that will begin sometime in the future; we are already encountering the effects of encryption today. For example: Convicted spy Aldrich Ames was told by the Russian intelligence service to encrypt computer file information that was to be passed to them; An international terrorist was plotting to blow up 11 U.S.-owned commercial airliners in the far east. His laptop computer which was seized during his arrest in Manila contained encrypted files concerning this terrorist plot; and A major international drug trafficking subject recently used a telephone encryption device to frustrate court-approved electronic surveillance. H.R. 695 did little to facilitate or promote technological development of access points for interception, or provide for an immediate decryption capability, through a court order process. The Committee is of the view that these requirements can be fashioned in a way that does not undermine a citizen's right against unreasonable searches and seizures or unnecessarily abridge his or her freedom of speech. There is considerable precedent in statute for a regime that balances privacy, law enforcement concerns, and national security.\3\ \3\Title III of the Omnibus Crime Control Act of 1968 codified the government's authority to require service providers to supply technical assistance to enable law enforcement (Federal, state, and local) to intercept oral, electronic, and wire communications, upon the presentment of a court order. That Act balanced the competing rights of the individual and the government under the 4th Amendment by setting out in the statute judicial oversight, minimization, and delayed notification procedures that have met the test of time. That Act established the constitutionality of a government mandate upon technology for the societal benefit of public safety and national security. The benefit that strong encryption, without access to plaintext capabilities, provides to the individual encryption user is equally provided to the person with criminal intent. The child pornographer will be able to operate with impunity. If there is no mechanism, no technological way of decrypting his files without his permission, there will be no way for the law to break his code, to access his computer files, to develop evidence of his criminal acts and bring him to justice. This is the world without a statutory requirement for access to plaintext capability for stored data, or communications. Likewise, without access to plaintext capability for our intelligence collectors, international terrorists communicating across the Internet, or through digital communications, sending encrypted messages to their comrades discussing their plans to attack United States interests, can rest assured that their conspiracy will not be discovered, penetrated, frustrated, nor prosecuted by law enforcement authorities. To be sure, as envisioned by the authors of the Bill of Rights, the Fourth Amendment stands as a bulwark against unreasonable government intrusion into the lives of its citizens. That freedom is jealously guarded by the people, through the power and authority of the Judicial Branch of our governmental structure. Certainly, the use of encryption technology to protect electronic data and communication accesses the same right to privacy as the use of a safe to protect paper documents. Nothing in our constitutional framework, however, provides for absolutes. There is no absolute freedom of expression. There is no absolute freedom from search and seizure. Nothing about computer technology alters this constitutional truism. The Bill of Rights delicately balances the competing interests of the people and the nation. The Constitution recognizes that the freedoms embodied in the Bill of Rights are joined with responsibilities. The people are responsible for acting within the bounds of the law. The government, on the other hand, is responsible for acting reasonably. When a citizen violates the law, the Constitution permits reasonable government action to discover and expose that criminal activity. This is the essence of the Fourth Amendment. The Committee notes with concern that encryption technology, which will have enormous benefits, can also threaten the underpinnings of the Constitutional balance struck in the text of the Fourth Amendment if the technology is allowed to develop unchecked and without regard to one's civic responsibilities. The privacy interests of encryption users should not be minimized, nor given absolute value. A balance must be established. It is true that access to decryption information could give the government an opportunity for mischief. Statutory safeguards against the impermissible use of decryption information can be employed to adequately deter such violations of privacy. Additionally, users of encryption should be notified that their decryption information has been accessed. But, the timing of this notification, like that permitted by the wiretap statute, is very important to the integrity of any criminal or counter-intelligence investigation. With respect to export controls over encryption products, including software, hardware, and technology, it is important to the country's security interests to permit the export only of those encryption products that fulfill the goals of promoting and securing information systems of American citizens, while at the same time enabling the intelligence community to continue to support our policy makers, deployed forces, and U.S. interests at home and overseas. Currently, the Administration regulates the export of encryption products and requires a license prior to export. On October 1, 1996, the Vice President announced for the Administration that it would begin allowing 56-bit DES encryption products, or its equivalent, under a general license upon the presentment of the product for a one-time review so long as the exporting company committed to building and marketing future products that were supportive of key recovery. On November 1, 1996, President Clinton issued Executive Order 13026, 61 Fed. Reg. 58767 (November 19, 1996) implementing the policy outlined by the Vice President the month before. The Administration, through Ambassador Aaron, the U.S. Special Envoy for Encryption Policy, is also currently engaged in a multi-lateral effort to reach agreement in the international community on export standards supportive of key recovery products. Proponents of H.R. 695 argue that export barriers need to be removed to enhance and improve the already superior position of American encryption manufacturers in foreign markets. They contend that our software industry will in a matter of years, under the current regulatory regime, suffer substantial losses in terms of jobs and profits. They argue that there are encryption products already widely available in foreign countries and on the Internet that are competing with U.S. manufactured encryption products and in the near term could strip U.S. industry of its preeminence in this field. Foreign availability is an issue that is repeatedly raised in the encryption debate. Industry claims that encryption products are widely available overseas, that other countries do not control their export, and that American firms are suffering significant losses. A study of this issue found that claims of widespread foreign availability of encryption products were not entirely accurate. According to industry experts, widespread use of foreign encryption has not become manifest, although the pace of change and the market for information technology is rapid and a growing number of strong encryption products exist. Only a few countries, other than the United States, produce encryption products at this time. Some, like Switzerland, produce only specialized products for a small segment of the market. Others, like Japan, produce primarily hardware products. These countries all have export controls on encryption. As noted, Ambassador Aaron is engaged in regular discussions with them. The Committee believes that the issue of foreign availability is one which the Administration must closely monitor as we move toward a permanent policy on encryption. The Committee shares the concern that American encryption products could be replaced by foreign competitors. It notes, however, that the American grip on the market is remarkable, not just for its share of the market, but for its longevity. American technology manufacturers control no less than 75% of the global market, despite what many consider to be a ``restrictive'' policy on encryption products. It is acknowledged on both sides of this issue that American encryption technology is the best in the world. There is no desire to undermine that position, nor diminish the U.S. preeminence in this regard. CONCLUSION The encryption policy of the United States requires a comprehensive approach that takes into account the equities and prerogatives of the intelligence community; federal, state, and local law enforcement; industry; and the citizens of the United States. The Committee's amendment in the nature of a substitute to the bill as reported by the Committee on the Judiciary, which is further explained in the section-by-section analysis, makes an effort at balancing the important national security, public safety, and privacy interests that are at stake in this debate. COMMITTEE PROCEEDINGS The Committee was briefed on the subject of encryption on May 6, 1997 by the Hon. William Reinsch, Under Secretary, Bureau of Export Administration, Department of Commerce; Hon. William Crowell, Deputy Director, National Security Agency; and Hon. Robert Litt, Deputy Assistant Attorney General, Criminal Division, United States Department of Justice. The Committee held a hearing on September 9, 1997 in which it heard testimony from: the Hon. Bob Goodlatte, United States Representative, 6th District of Virginia; Hon. Zoe Lofgren, United States Representative, 16th District of California; Hon. Louis J. Freeh, Director, Federal Bureau of Investigation; Hon. William Reinsch, Under Secretary, Bureau of Export Administration, Department of Commerce; and Hon. William Crowell, Deputy Director, National Security Agency. The Committee extensively reviewed additional testimony and written materials relating to encryption policy in general and H.R. 695 in particular, including: ``Terrorism in the Next Millennium: Enter the Cyberterrorist,'' by George R. Barth, National Counterintelligence Center; ``Deciphering the Cryptography Debate,'' by Kenneth Flamm, The Brookings Institution; Hon. Michelle Van Cleave, Assistant Director for National Security, White House Office of Science and Technology Policy, remarks before AFCEA Convention, June 25, 1992; Hon. Janet Reno, United States Attorney General, letter to Members of Congress, July 18, 1997; Hon. Louis J. Freeh, Director, Federal Bureau of Investigation, testimony before the United States Senate Committee on Commerce, Science and Transportation, March 19, 1997; Hon. Louis J. Freeh, testimony before the United States Senate Committee on the Judiciary, June 25, 1997; Hon. John Kyl, United States Senator, Arizona, remarks before the Heritage Foundation, July 28, 1997; Testimony before the United States Senate Judiciary Subcommittee on Technology, Terrorism and Government Information, September 3, 1997: Hon. Louis J. Freeh, Director, Federal Bureau of Investigation; Dorothy E. Denning, Georgetown University; Jeffery A. Herig, Special Agent, Florida Department of Law Enforcement; Robert R. Burke, Director of Corporate Services and Security, Monsanto Company, and Chairman of the Subcommittee for Protection of Information and Technology, Overseas Security Advisory Council, United States Department of State; Ken Lieberman, Senior Vice President for Corporate Risk Management, Visa USA; R. Patrick Watson, Director, Worldwide Corporate Security, Eastman Kodak Company; Testimony before the United States House of Representatives Commerce Subcommittee on Telecommunications, Trade, and Consumer Protection, September 4, 1997: Hon. Bob Goodlatte, United States Representative, 6th District of Virginia; Hon. William Reinsch, Under Secretary, Bureau of Export Administration, Department of Commerce; Hon. Robert Litt, Deputy Assistant Attorney General, Criminal Division, Department of Justice; Stephen T. Walker, President and CEO, Trusted Information Systems, Inc.; Thomas Parenty, Director of Data/Communications Security, Sybase, Inc.; George A. Keyworth, II, Ph.D., Chairman, Progress & Freedom Foundation; Jerry Berman, Executive Director, Center for Democracy and Technology; Hearing records of: Hearing on H.R. 3011 (104th Congress), before the United States House of Representatives Committee on the Judiciary, September 25, 1996; Hearing on H.R. 695, before the United States House of Representatives Judiciary Subcommittee on Courts and Intellectual Property, March 20, 1997; and the redacted released transcript of the United States House of Representatives International Relations Committee Members' briefing, June 26, 1997. In addition, the Committee staff was briefed on the subject of encryption from representatives of IBM, ORACLE, Center for Technology and Democracy, Netscape, and Motorola. COMMITTEE CONSIDERATION The Committee met on September 11, 1997, and in open session approved, by voice vote, the Goss/Dicks amendment in the nature of a substitute to H.R. 695, as amended and reported by the Committee on the Judiciary. The Committee, in open session, ordered H.R. 695, as amended, reported favorably by voice vote, a quorum being present. VOTE OF THE COMMITTEE During its consideration of H.R. 695, the Committee took no rollcall votes. FINDINGS AND RECOMMENDATIONS OF THE COMMITTEE ON GOVERNMENT REFORM AND OVERSIGHT With respect to clause 2(l)(3)(D) of rule XI of the Rules of the House of Representatives, the Committee has not received a report form the Committee on Government Reform and Oversight pertaining to the subject of the bill. OVERSIGHT FINDINGS In compliance with clause 2(l)(3)(A) of rule XI of the Rules of the House of Representatives, the Committee reports that the findings and recommendations of the Committee, based on oversight activities under clause 2(b)(1) of rule X of the Rules of the House of Representatives, are incorporated in the descriptive portions of this report. NEW BUDGET AUTHORITY AND TAX EXPENDITURES Clause 2(l)(3)(B) of House rule XI does not apply because this legislation does not provide new budgetary authority or increased tax expenditures. CONGRESSIONAL BUDGET OFFICE ESTIMATES U.S. Congress, Congressional Budget Office, Washington, DC, September 16, 1997. Hon. Porter J. Goss, Chairman, Committee on Intelligence, House of Representatives, Washington, DC. Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for H.R. 695, the Security and Freedom Through Encryption (SAFE) Act. If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contacts are Rachel Forward (for federal costs); Alyssa Trzeszkowski (for revenues); Pepper Santalucia (for the state and local impact); and Jean Wooster (for the private-sector impact). Sincerely, James L. Blum (For June E. O'Neill, Director ). Enclosure. H.R. 695--Security and Freedom Through Encryption (SAFE) Act of 1997 Summary: H.R. 695 would establish policies for the domestic use and export of encryption products that facilitate the creation of secure computer networks. Assuming appropriation of the necessary amounts, CBO estimates that enacting this bill would result in additional discretionary spending of between $4.5 million and $7.1 million over the 1998 2002 period by the Bureau of Export Administration (BXA) and the Department of Justice (DOJ). Spending by BXA and DOJ for activities required by H.R. 695 would total between $9 million and $11.6 million over the next five years--as compared to spending by BXA of about $4.5 million over the same period under current policies. (Spending related to monitor encryption products by DOJ is negligible under current law.) Enacting H.R. 695 also would affect direct spending and receipts beginning in fiscal year 1998 through the imposition of criminal fines and the resulting spending from the Crime Victims Fund. Therefore, pay-as-you-go procedures would apply. CBO estimates, however, that the amounts of direct spending or receipts would not be significant. H.R. 695 contains an intergovernmental mandate as defined in the Unfunded Mandates Reform Act (UMRA), but CBO cannot estimate the cost of complying with that mandate at this time. The bill also would impose a private-sector mandate on public network service providers and manufacturers, distributors, and importers of encryption products. CBO estimates that the total direct cost of complying with this mandate would exceed the statutory threshold ($100 million in 1996, adjusted annually for inflation) for private-sector mandates established in UMRA. CBO's full analysis of the cost of the intergovernmental and the private-sector mandates will be provided under separate cover. Description of the bill's major provisions: H.R. 695 would establish controls for the domestic use and export of encryption technologies. The bill would allow individuals in the United States to use any form of encryption but would prevent the sale of encryption products without plaintext recovery systems after January 31, 2000. (The term ``plaintext'' means the readable or comprehensible format of information.) The bill would authorize the Department of Commerce to exempt encryption products with plaintext recovery systems from certain export licensing requirements after the same date. In addition, H.R. 695 would require the Secretary of Commerce to establish a key management system for use by the federal government and private-sector organizations. A key management system enables agencies or companies to entrust the code to encryption products to a third party. H.R. 695 would establish procedures to enable law enforcement officials to gain access to plaintext recovery systems upon presentation of a court order. The bill would direct the Attorney General to maintain data on the instances in which encryption impedes or obstructs the ability of DOJ to enforce criminal laws. Finally, the bill would establish criminal penalties and fines for the use of encryption technologies to further a crime, for the unlawful access of encrypted information, or for the unlawful sale of encryption technologies. Estimated cost to the Federal Government Spending Subject to Appropriation Under current policy, BXA would likely spend about $900,000 a year, totaling $4.5 million over the 1998 2002 period, to monitor exports of encryption products. Assuming appropriation of the necessary amounts, CBO estimates that enacting H.R. 695 would increase BXA's encryption-related costs to about $6.6 million over the same period. That cost consists of two components: (1) costs to monitor encryption exports, and (2) costs for the new key management system. H.R. 695 would authorize the Department of Commerce through BXA to exempt encryption products with plaintext recovery systems from certain export licensing requirements after January 31, 2000. As a result, CBO estimates that the agency's cost to monitor encryption exports would decrease from about $900,000 in fiscal years 1998 and 1999 to about $650,000 in fiscal year 2000 and $500,000 in each year thereafter, for a five-year total of about $3.5 million. H.R. 695 also would require the agency to establish and maintain a key management system. Based on information from BXA, CBO estimates that establishing and maintaining this system would cost BXA about $500,000 in fiscal year 1998 and $600,000 in each year thereafter, for a five-year total of about $3.1 million. H.R. 695 would require the Department of Justice to collect and maintain data on the instances in which encryption impedes or obstructs the ability of the agency to enforce criminal laws. The agency is uncertain as to how much it would cost to track such classified information nationwide. For the purposes of this estimate, CBO projects that collecting and maintaining the data would cost DOJ between $500,000 and $1 million a year, assuming appropriation of the necessary amounts. Direct Spending and Revenues Enacting H.R. 695 would affect direct spending and receipts through the imposition of criminal fines for the use of encryption technologies to further a crime, for the unlawful access of encrypted information, and for the unlawful sale of encryption technologies. CBO estimates that collections from such fines are likely to be negligible, however, because the federal government would probably not pursue many cases under the bill. Any such collections would be deposited in the Crime Victims Fund and spent the following year. Because the increase in direct spending would be the same amount as the amount of fines collected with a one-year lag, the additional direct spending also would be negligible. The costs of this legislation fall within budget functions 370 (commerce and housing credit) and 750 (administration of justice). Pay-as-you-go considerations: Section 252 of the Balanced Budget and Emergency Deficit Control Act of 1985 sets up pay-as-you-go procedures for legislation affecting direct spending or receipts. H.R. 695 would affect direct spending and receipts through the imposition of criminal fines and the resulting spending from the Crime Victims Fund. CBO estimates, however, that any collections and spending resulting from such fines would not be significant. Estimated impact on State, local, and tribal governments: H.R. 695 contains an intergovernmental mandate as defined in UMRA, because state and local governments that offer Internet access to their citizens would meet the bill's definition of ``network service provider.'' As such, they would be required to ensure that any encryption products or services they provide enable the immediate decryption or access to the plaintext of encrypted data. At the present time, CBO is unsure of how many states and localities offer Internet access, as well as the steps these governments would take to comply with the mandate. CBO therefore cannot estimate the cost of complying with the mandate at this time and cannot determine whether the threshold established in UMRA would be exceeded. Estimated impact on the private sector: H.R. 695 would establish controls on domestic encryption technology. Specifically, the bill would require sellers of encryption products to include features or functions that permit duly authorized individuals to gain immediate access to the encrypted material without the knowledge or cooperation of the user of those products. Thus, it would impose a federal private-sector mandate on network service providers and manufacturers, distributors, and importers of encryption products. CBO estimates that the total direct cost of complying with this mandate would exceed the statutory threshold ($100 million in 1996, adjusted annually for inflation) for private-sector mandates established in UMRA. Section 4 of UMRA excludes from consideration any provisions that are considered necessary for national security purposes. Such provisions are found in Title III, Exports of Encryption. CBO's full analysis of the costs of the intergovernmental and private-sector mandates will be provided under separate cover. Previous CBO estimate: CBO provided cost estimates for H.R. 695 as ordered reported by the House Committee on the Judiciary on May 14, 1997, by the House Committee on International Relations on July 22, 1997, and by the House Committee on National Security on September 9, 1997. Assuming appropriation of the necessary amounts, CBO estimates that costs over the 1998 2002 period would total between $5 million and $7 million for the Judiciary Committee's version, about $2.2 million for the International Relations Committee's version, and about $4.5 million for the National Security Committee's version. In comparison, CBO estimates that enacting this version of the bill would cost between $9 million and $11.6 million and that spending under current policies would total $4.5 million. Estimate prepared by: Federal Costs: Rachel Forward; Revenues: Alyssa Trzeszkowski; Impact on State, Local, and Tribal Governments; Pepper Santalucia; and Impact on the Private Sector: Jean Wooster. Estimate approved by: Paul N. Van de Water, Assistant Director for Budget Analysis. COMMITTEE COST ESTIMATES The Committee agrees with the estimate of the Congressional Budget Office. SPECIFIC CONSTITUTIONAL AUTHORITY FOR CONGRESSIONAL ENACTMENT OF THIS LEGISLATION The intelligence and intelligence-related activities of the United States government are carried out to support the national security interests of the United States, to support and assist the armed forces of the United States, and to support the President in the execution of the foreign policy of the United States. Article 1, section 8, of the Constitution of the United States provides, in pertinent part, that ``Congress shall have power * * * to pay the debts and provide for the common defence and general welfare of the United States; * * *''; ``to raise and support Armies, * * *''; ``to provide and maintain a Navy; * * *'' and ``to make all laws which shall be necessary and proper for the carrying into execution * * * all other powers vested by this Constitution in the Government of the United States, or in any Department or Officer thereof.'' Therefore, pursuant to such authority, Congress is empowered to enact this legislation. CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED In compliance with clause 3 of rule XIII of the Rules of the House of Representatives, changes in existing law made by the bill, as reported, are shown as follows (new matter is printed in italic and existing law in which no change is proposed is shown in roman): TITLE 18, UNITED STATES CODE * * * * * * * PART I--CRIMES * * * * * * * Chap. Sec. 1. General provisions 1 * * * * * * * 121. Stored wire and electronic communications and transactional records access 2701 122. Encrypted data, including communications 2801 * * * * * * * CHAPTER 122--ENCRYPTED DATA, INCLUDING COMMUNICATIONS Sec. 2801. Unlawful use of encryption in furtherance of a criminal act. 2802. Privacy protection. 2803. Unlawful sale of encryption. 2804. Encryption products manufactured and intended for use in the United States. 2805. Injunctive relief and proceedings. 2806. Court order access to plaintext. 2807. Notification procedures. 2808. Lawful use of plaintext or decryption information. 2809. Identification of decryption information. 2810. Unlawful export of certain encryption products. 2811. Definitions. 2801. Unlawful use of encryption in furtherance of a criminal act (a) Prohibited Acts.--Whoever knowingly uses encryption in furtherance of the commission of a criminal offense for which the person may be prosecuted in a district court of the United States shall-- (1) in the case of a first offense under this section, be imprisoned for not more than 5 years, or fined under this title, or both; and (2) in the case of a second or subsequent offense under this section, be imprisoned for not more than 10 years, or fined under this title, or both. (b) Consecutive Sentence.--Notwithstanding any other provision of law, the court shall not place on probation any person convicted of a violation of this section, nor shall the term of imprisonment imposed under this section run concurrently with any other term of imprisonment imposed for the underlying criminal offense. (c) Probable Cause Not Constituted by Use of Encryption.--The use of encryption alone shall not constitute probable cause to believe that a crime is being or has been committed. 2802. Privacy protection (a) In General.--It shall be unlawful for any person to intentionally-- (1) obtain or use decryption information without lawful authority for the purpose of decrypting data, including communications; (2) exceed lawful authority in decrypting data, including communications; (3) break the encryption code of another person without lawful authority for the purpose of violating the privacy or security of that person or depriving that person of any property rights; (4) impersonate another person for the purpose of obtaining decryption information of that person without lawful authority; (5) facilitate or assist in the encryption of data, including communications, knowing that such data, including communications, are to be used in furtherance of a crime; or (6) disclose decryption information in violation of a provision of this chapter. (b) Criminal Penalty.--Whoever violates this section shall be imprisoned for not more than 10 years, or fined under this title, or both. 2803. Unlawful sale of encryption Whoever, after January 31, 2000, sells in interstate or foreign commerce any encryption product that does not include features or functions permitting duly authorized persons immediate access to plaintext or immediate decryption capabilities shall be imprisoned for not more than 5 years, fined under this title, or both. 2804. Encryption products manufactured and intended for use in the United States (a) Public Network Service Providers.--After January 31, 2000, public network service providers offering encryption products or encryption services shall ensure that such products or services enable the immediate decryption or access to plaintext of the data, including communications, encrypted by such products or services on the public network upon receipt of a court order or warrant, pursuant to section 2806. (b) Manufacturers, Distributors, and Importers.--After January 31, 2000, it shall be unlawful for any person to manufacture for distribution, distribute, or import encryption products intended for sale or use in the United States, unless that product-- (1) includes features or functions that provide an immediate access to plaintext capability, through any means, mechanism, or technological method that-- (A) permits immediate decryption of the encrypted data, including communications, upon the receipt of decryption information by an authorized party in possession of a facially valid order issued by a court of competent jurisdiction; and (B) allows the decryption of encrypted data, including communications, without the knowledge or cooperation of the person being investigated, subject to the requirements set forth in section 2806; (2) can be used only on systems or networks that include features or functions that provide an immediate access to plaintext capability, through any means, mechanism, or technological method that-- (A) permits immediate decryption of the encrypted data, including communications, upon the receipt of decryption information by an authorized party in possession of a facially valid order issued by a court of competent jurisdiction; and (B) allows the decryption of encrypted data, including communications, without the knowledge or cooperation of the person being investigated, subject to the requirements set forth in section 2806; or (3) otherwise meets the technical requirements and functional criteria promulgated by the Attorney General under subsection (c). (c) Attorney General Criteria.-- (1) Publication of requirements.--Within 180 days after the date of the enactment of this chapter, the Attorney General shall publish in the Federal Register technical requirements and functional criteria for complying with the decryption requirements set forth in this section. (2) Procedures for advisory opinions.--Within 180 days after the date of the enactment of this chapter, the Attorney General shall promulgate procedures by which data network service providers and encryption product manufacturers, sellers, re-sellers, distributors, and importers may obtain advisory opinions as to whether an encryption product intended for sale or use in the United States after January 31, 2000, meets the requirements of this section and the technical requirements and functional criteria promulgated pursuant to paragraph (1). (3) Particular methodology not required.--Nothing in this chapter or any other provision of law shall be construed as requiring the implementation of any particular decryption methodology in order to satisfy the requirements of subsections (a) and (b), or the technical requirements and functional criteria required by the Attorney General under paragraph (1). (d) Use of Prior Products Lawful.--After January 31, 2000, it shall not be unlawful to use any encryption product purchased or in use prior to such date. 2805. Injunctive relief and proceedings (a) Injunction.--Whenever it appears to the Secretary or the Attorney General that any person is engaged in, or is about to engage in, any act that constitutes, or would constitute, a violation of section 2804, the Attorney General may initiate a civil action in a district court of the United States to enjoin such violation. Upon the filing of the complaint seeking injunctive relief by the Attorney General, the court shall automatically issue a temporary restraining order against the party being sued. (b) Burden of Proof.--In a suit brought by the Attorney General under subsection (a), the burden shall be upon the Government to establish by a preponderance of the evidence that the encryption product involved does not comport with the requirements set forth by the Attorney General pursuant to section 2804 providing for immediate access to plaintext by Federal, State, or local authorities. (c) Closing of Proceedings.--(1) Upon motion of the party against whom injunction is being sought-- (A) any or all of the proceedings under this section shall be closed to the public; and (B) public disclosure of the proceedings shall be treated as contempt of court. (2) Upon a written finding by the court that public disclosure of information relevant to the prosecution of the injunction or relevant to a determination of the factual or legal issues raised in the case would cause irreparable or financial harm to the party against whom the suit is brought, or would otherwise disclose proprietary information of any party to the case, all proceedings shall be closed to members of the public, except the parties to the suit, and all transcripts, motions, and orders shall be placed under seal to protect their disclosure to the general public. (d) Advisory Opinion as Defense.--It is an absolute defense to a suit under this subsection that the party against whom suit is brought obtained an advisory opinion from the Attorney General pursuant to section 2804(c) and that the product at issue in the suit comports in every aspect with the requirements announced in such advisory opinion. (e) Basis for Permanent Injunction.--The court shall issue a permanent injunction against the distribution of, and any future manufacture of, the encryption product at issue in the suit filed under subsection (a) if the court finds by a preponderance of the evidence that the product does not meet the requirements set forth by the Attorney General pursuant to section 2804 providing for immediate access to plaintext by Federal, State, or local authorities. (f) Appeals.--Either party may appeal, to the appellate court with jurisdiction of the case, any adverse ruling by the district court entered pursuant to this section. For the purposes of appeal, the parties shall be governed by the Federal Rules of Appellate Procedure, except that the Government shall file its notice of appeal not later than 30 days after the entry of the final order on the docket of the district court. The appeal of such matter shall be considered on an expedited basis and resolved as soon as practicable. 2806. Court order access to plaintext (a) Court Order.--(1) A court of competent jurisdiction shall issue an order, ex parte, granting an investigative or law enforcement officer immediate access to the plaintext of encrypted data, including communications, or requiring any person in possession of decryption information to provide such information to a duly authorized investigative or law enforcement officer-- (A) upon the application by an attorney for the Government that-- (i) is made under oath or affirmation by the attorney for the Government; and (ii) provides a factual basis establishing the relevance that the plaintext or decryption information being sought has to a law enforcement or foreign counterintelligence investigation then being conducted pursuant to lawful authorities; and (B) if the court finds, in writing, that the plaintext or decryption information being sought is relevant to an ongoing lawful law enforcement or foreign counterintelligence investigation and the investigative or law enforcement officer is entitled to such plaintext or decryption information. (2) The order issued by the court under this section shall be placed under seal, except that a copy may be made available to the investigative or law enforcement officer authorized to obtain access to the plaintext of the encrypted information, or authorized to obtain the decryption information sought in the application. Such order shall also be made available to the person responsible for providing the plaintext or the decryption information, pursuant to such order, to the investigative or law enforcement officer. (3) Disclosure of an application made, or order issued, under this section, is not authorized, except as may otherwise be specifically permitted by this section or another order of the court. (b) Other Orders.--An attorney for the Government may make application to a district court of the United States for an order under subsection (a), upon a request from a foreign country pursuant to a Mutual Legal Assistance Treaty with such country that is in effect at the time of the request from such country. (c) Record of Access Required.--(1) There shall be created an electronic record, or similar type record, of each instance in which an investigative or law enforcement officer, pursuant to an order under this section, gains access to the plaintext of otherwise encrypted information, or is provided decryption information, without the knowledge or consent of the owner of the data, including communications, who is the user of the encryption product involved. (2) The court issuing the order under this section shall require that the electronic or similar type of record described in paragraph (1) is maintained in a place and a manner that is not within the custody or control of an investigative or law enforcement officer gaining the access or provided the decryption information. The record shall be tendered to the court, upon notice from the court. (3) The court receiving such electronic or similar type of record described in paragraph (1) shall make the original and a certified copy of the record available to the attorney for the Government making application under this section, and to the attorney for, or directly to, the owner of the data, including communications, who is the user of the encryption product. (d) Authority To Intercept Communications Not Increased.--Nothing in this chapter shall be construed to enlarge or modify the circumstances or procedures under which a Government entity is entitled to intercept or obtain oral, wire, or electronic communications or information. (e) Construction.--This chapter shall be strictly construed to apply only to a Government entity's ability to decrypt data, including communications, for which it has previously obtained lawful authority to intercept or obtain pursuant to other lawful authorities that would otherwise remain encrypted. 2807. Notification procedures (a) In General.--Within a reasonable time, but not later than 90 days after the filing of an application for an order under section 2806 which is granted, the court shall cause to be served, on the persons named in the order or the application, and such other parties whose decryption information or whose plaintext has been provided to an investigative or law enforcement officer pursuant to this chapter as the court may determine that is in the interest of justice, an inventory which shall include notice of-- (1) the fact of the entry of the order or the application; (2) the date of the entry of the application and issuance of the order; and (3) the fact that the person's decryption information or plaintext data, including communications, have been provided or accessed by an investigative or law enforcement officer. The court, upon the filing of a motion, may make available to that person or that person's counsel, for inspection, such portions of the plaintext, applications, and orders as the court determines to be in the interest of justice. On an ex parte showing of good cause to a court of competent jurisdiction, the serving of the inventory required by this subsection may be postponed. (b) Admission Into Evidence.--The contents of any encrypted information that has been obtained pursuant to this chapter or evidence derived therefrom shall not be received in evidence or otherwise disclosed in any trial, hearing, or other proceeding in a Federal or State court unless each party, not less than 10 days before the trial, hearing, or proceeding, has been furnished with a copy of the order, and accompanying application, under which the decryption or access to plaintext was authorized or approved. This 10-day period may be waived by the court if the court finds that it was not possible to furnish the party with the information described in the preceding sentence within 10 days before the trial, hearing, or proceeding and that the party will not be prejudiced by the delay in receiving such information. (c) Contempt.--Any violation of the provisions of this section may be punished by the court as a contempt thereof. (d) Motion To Suppress.--Any aggrieved person in any trial, hearing, or proceeding in or before any court, department, officer, agency, regulatory body, or other authority of the United States or a State may move to suppress the contents of any decrypted data, including communications, obtained pursuant to this chapter, or evidence derived therefrom, on the grounds that -- (1) the plaintext was unlawfully decrypted or accessed; (2) the order of authorization or approval under which it was decrypted or accessed is insufficient on its face; or (3) the decryption was not made in conformity with the order of authorization or approval. Such motion shall be made before the trial, hearing, or proceeding unless there was no opportunity to make such motion, or the person was not aware of the grounds of the motion. If the motion is granted, the plaintext of the decrypted data, including communications, or evidence derived therefrom, shall be treated as having been obtained in violation of this chapter. The court, upon the filing of such motion by the aggrieved person, may make available to the aggrieved person or that person's counsel for inspection such portions of the decrypted plaintext, or evidence derived therefrom, as the court determines to be in the interests of justice. (e) Appeal by United States.--In addition to any other right to appeal, the United States shall have the right to appeal from an order granting a motion to suppress made under subsection (d), or the denial of an application for an order under section 2806, if the United States attorney certifies to the court or other official granting such motion or denying such application that the appeal is not taken for purposes of delay. Such appeal shall be taken within 30 days after the date the order was entered on the docket and shall be diligently prosecuted. (f) Civil Action for Violation.--Except as otherwise provided in this chapter, any person described in subsection (g) may in a civil action recover from the United States Government the actual damages suffered by the person as a result of a violation described in that subsection, reasonable attorney's fees, and other litigation costs reasonably incurred in prosecuting such claim. (g) Covered Persons.--Subsection (f) applies to any person whose decryption information-- (1) is knowingly obtained without lawful authority by an investigative or law enforcement officer; (2) is obtained by an investigative or law enforcement officer with lawful authority and is knowingly used or disclosed by such officer unlawfully; or (3) is obtained by an investigative or law enforcement officer with lawful authority and whose decryption information is unlawfully used to disclose the plaintext of the data, including communications. (h) Limitation.--A civil action under subsection (f) shall be commenced not later than 2 years after the date on which the unlawful action took place, or 2 years after the date on which the claimant first discovers the violation, whichever is later. (i) Exclusive Remedies.--The remedies and sanctions described in this chapter with respect to the decryption of data, including communications, are the only judicial remedies and sanctions for violations of this chapter involving such decryptions, other than violations based on the deprivation of any rights, privileges, or immunities secured by the Constitution. (j) Technical Assistance by Providers.--A provider of encryption technology or network service that has received an order issued by a court pursuant to this chapter shall provide to the investigative or law enforcement officer concerned such technical assistance as is necessary to execute the order. Such provider may, however, move the court to modify or quash the order on the ground that its assistance with respect to the decryption or access to plaintext cannot be performed in a timely or reasonable fashion. The court, upon notice to the Government, shall decide such motion expeditiously. (k) Reports to Congress.--In May of each year, the Attorney General, or an Assistant Attorney General specifically designated by the Attorney General, shall report in writing to Congress on the number of applications made and orders entered authorizing Federal, State, and local law enforcement access to decryption information for the purposes of reading the plaintext of otherwise encrypted data, including communications, pursuant to this chapter. Such reports shall be submitted to the Committees on the Judiciary of the House of Representatives and of the Senate, and to the Permanent Select Committee on Intelligence for the House of Representatives and the Select Committee on Intelligence for the Senate. 2808. Lawful use of plaintext or decryption information (a) Authorized Use of Decryption Information.-- (1) Criminal investigations.--An investigative or law enforcement officer to whom plaintext or decryption information is provided may use such plaintext or decryption information for the purposes of conducting a lawful criminal investigation or foreign counterintelligence investigation, and for the purposes of preparing for and prosecuting any criminal violation of law. (2) Civil redress.--Any plaintext or decryption information provided under this chapter to an investigative or law enforcement officer may not be disclosed, except by court order, to any other person for use in a civil proceeding that is unrelated to a criminal investigation and prosecution for which the plaintext or decryption information is authorized under paragraph (1). Such order shall only issue upon a showing by the party seeking disclosure that there is no alternative means of obtaining the plaintext, or decryption information, being sought and the court also finds that the interests of justice would not be served by nondisclosure. (b) Limitation.--An investigative or law enforcement officer may not use decryption information obtained under this chapter to determine the plaintext of any data, including communications, unless it has obtained lawful authority to obtain such data, including communications, under other lawful authorities. (c) Return of Decryption Information.--An attorney for the Government shall, upon the issuance of an order of a court of competent jurisdiction-- (1)(A) return any decryption information to the person responsible for providing it to an investigative or law enforcement officer pursuant to this chapter; or (B) destroy such decryption information, if the court finds that the interests of justice or public safety require that such decryption information should not be returned to the provider; and (2) within 10 days after execution of the court's order to destroy the decryption information-- (A) certify to the court that the decryption information has either been returned or destroyed consistent with the court's order; and (B) notify the provider of the decryption information of the destruction of such information. (d) Other Disclosure of Decryption Information.--Except as otherwise provided in section 2806, a key recovery agent may not disclose decryption information stored with the key recovery agent by a person unless the disclosure is-- (1) to the person, or an authorized agent thereof; (2) with the consent of the person, including pursuant to a contract entered into with the person; (3) pursuant to a court order upon a showing of compelling need for the information that cannot be accommodated by any other means if-- (A) the person who supplied the information is given reasonable notice, by the person seeking the disclosure, of the court proceeding relevant to the issuance of the court order; and (B) the person who supplied the information is afforded the opportunity to appear in the court proceeding and contest the claim of the person seeking the disclosure; (4) pursuant to a determination by a court of competent jurisdiction that another person is lawfully entitled to hold such decryption information, including determinations arising from legal proceedings associated with the incapacity, death, or dissolution of any person; or (5) otherwise permitted by a provision of this chapter or otherwise permitted by law. 2809. Identification of decryption information (a) Identification.--To avoid inadvertent disclosure, any person who provides decryption information to an investigative or law enforcement officer pursuant to this chapter shall specifically identify that part of the material provided that discloses decryption information as such. (b) Responsibility of Investigative or Law Enforcement Officer.--The investigative or law enforcement officer receiving any decryption information under this chapter shall maintain such information in facilities and in a method so as to reasonably assure that inadvertent disclosure does not occur. 2810. Unlawful export of certain encryption products Whoever, after January 31, 2000, knowingly exports an encryption product that does not include features or functions providing duly authorized persons immediate access to plaintext or immediate decryption capabilities, as required under law, shall be imprisoned for not more than 5 years, fined under this title, or both. 2811. Definitions The definitions set forth in section 101 of the Security and Freedom through Encryption (``SAFE'') Act of 1997 shall apply to this chapter. * * * * * * * ADDITIONAL VIEWS OF REPRESENTATIVES DICKS, SKELTON, AND BISHOP In considering H.R. 695, we used six principles as a guide through the difficult and complex issues posed by encryption technology. First, Congress should take no action to impair or abridge the rights, liberties, and privacy of the American people guaranteed by our constitution. Second, Congress has an obligation to ensure that the ability of law enforcement agencies to provide protection against violent criminals, terrorists, narcotics dealers, organized crime syndicates, and espionage is not unwisely diminished. Third, there is an equally compelling need to guarantee the protection of electronic information for the security of the nation, for the privacy and protection of our citizens and their property, and for the prosperity of the country through a new form of commerce. Fourth, Congress must protect our ability to collect intelligence to support national defense, diplomacy, and law enforcement. Fifth, we must not disadvantage, and should as best we can promote, American workers and companies seeking to maintain dominance in information technologies. Finally, our domestic and foreign policy in this area should, to the maximum extent possible, be consistent and reinforcing. It is commonly asserted that these principles are substantially at odds with one another, such that any consistent policy position must entail compromises among them--perhaps fatal ones. We do not believe that is true and am convinced that the substitute the Committee adopted is faithful to all these principles. In contrast, H.R. 695 as referred to the Committee is in conflict with several of the foregoing principles. H.R. 695 is incompatible with national security because it essentially does away with the export control process. Gutting the export control process would also have serious foreign policy consequences, undermining administration attempts to develop an international consensus on encryption policy and perhaps prompting other countries to erect import barriers to U.S. encryption products and associated hardware and software systems. The bill would do nothing to foster a domestic key management infrastructure, which the administration, the Committee, and much of industry believe is important for the rapid expansion of electronic commerce. The bill is deficient also in that it would not help law enforcement overcome the negative consequences of the inevitable proliferation of strong encryption. Without legislative intervention, in the near future the nation's police departments and the FBI will not need to bother to install wiretaps because everything they hear will be encrypted. Proponents of H.R. 695 as referred to the Committee acknowledge this problem but argue that the law enforcement interest is a narrow one and should be sacrificed. Others assert that it is futile to try to protect law enforcement equities either because unbreakable encryption will proliferate no matter what the government does, or that any government regulatory actions will do much more harm than good. With regard to export controls, proponents of H.R. 695 contend that without an inclusive international compact to regulate encryption, it is pointless, crippling to U.S. industry, to maintain a rigid export control regime. They assert that there is no reason to believe that any international consensus is likely, and that U.S. industry already faces an imminent competitive threat. We reject these arguments. Communications intercepts are a critically important and effective law enforcement tool. While it is true that the government cannot hope to prevent determined and resourceful criminals, terrorists, and others from using unbreakable encryption to hide their activities, these elements must interact with society at large, and therefore must conduct most of their business using standard forms of electronic commerce and communication. If the latter provide lawful access to the plaintext of encrypted information, or to decryption information pursuant to court order, law enforcement will be able to conduct investigations effectively. Thus it is neither necessary nor expected that the Committee substitute would eradicate unapproved encryption capabilities. In terms of the practicality of regulating encryption products, we recognize also that it is not a certainty that the burden the substitute would place on the marketplace to provide some form of access for communications will prove to be marginally costly or inconvenient. We acknowledge the possibility that critics could be right--that these requirements will be unwieldy or expensive, or both. But it is far from clear today that the critics are right, and the administration predicts modest annual user costs. If the law is to err, however, we strongly favor doing it on the side of ensuring that our public safety and national security officials can continue to do their jobs effectively. We recognize that there is no certainty of success in the attempt to convince the other advanced nations of the need to control encryption to protect law enforcement as we propose to do. The United States cannot hope to convince others to take this path, however, if it decides first to flood the world with unbreakable encryption, and second to proclaim that domestic controls are somewhat incompatible with liberty. Furthermore, any fair assessment of the status of discussions with other advanced nations on this issue would conclude that success is quite feasible. Similarly, claims about the availability of truly strong encryption products on the world market that users can readily access and employ are clearly exaggerated. Finally, as the section-by-section analysis in this report explains, the Committee substitute provides for the export of encryption products with an access ``on-off switch,'' in effect allowing industry to export unbreakable encryption to countries that have no requirement for law enforcement access to plaintext. Critics also assert that it is unreasonable for Congress to consider levying a mandate on the private sector in information technology to provide a means for lawful access to encrypted information. In fact, there is an important precedent for such action. Just a few years ago, law enforcement agencies were similarly faced with the prospect of loosing the ability to intercept communications because of the astonishing complexity of the nation's emerging digital telecommunications networks--even when the underlying information is unencrypted. Congress met the political challenge of supporting law enforcement in this instance by requiring communications service providers to install capabilities to permit effective wiretaps. This digital telephony act also required telephone communications service providers to provide access to plaintext to duly authorized law enforcement agencies where the service providers offered their customers encryption capabilities that could be decrypted. The point is that Congress was willing to do what was right when the issue was clear. We face another such challenge today. We believe that my colleagues will respond appropriately once they realize what is at stake. The place to start that educational process is here, with the Committee substitute. We do not think that a fair analysis of the substitute could conclude that it would compromise the rights of our citizens by insisting that law enforcement agencies merely retain their current ability to gather evidence through judicially sanctioned electronic surveillance. Norm Dicks. Ike Skelton. Sanford D. Bishop, Jr. ADDITIONAL VIEWS OF REPRESENTATIVES HARMAN, SKAGGS, AND DIXON The issue of encryption is one of the most difficult we have faced in our careers in the Congress. The technical complexities of algorithms and bit strength are the least of the problem. What is most challenging is discovering a way to balance competing policy concerns in the face of a rapidly evolving electronic infrastructure. We are convinced that H.R. 695 as introduced and reported from the Committees on Judiciary and International Relations is neither the right answer, nor a comprehensive approach to the challenges we face. As members of the Permanent Select Committee on Intelligence we believe U.S. policy should balance sometimes conflicting goals: protecting public computer networks from the threats of terrorists and other criminals through the use of strong encryption; promoting the economic competitiveness and the research and development breakthroughs of our vital information technology industry; encouraging the legal framework necessary for robust and reliable electronic commerce; and helping preserve public safety and national security. H.R. 695 as introduced was intended to promote economic competitiveness but it does little to address the strongly expressed concerns of law enforcement officials from around the country that the legislation would eliminate the possibility of electronic surveillance under lawful court order. The substitute the Committee has ordered reported is an attempt to address all of the issues in the debate comprehensively. Yet, it has been developed under an extremely short time frame, subject to a limited referral. We believe the legislation is too sweeping, particularly in placing new requirements on the manufacture, sale, and import of encryption products in the United States. While we want United States law enforcement and national security agencies, working under proper oversight, to have the tools they need to respond to threats to the public safety and national security, the requirement in the legislation that encryption products manufactured and distributed for sale or use, or imported for sale or use after January 31, 2000, include features or functions that provide, upon presentment of a court order, immediate access to plaintext data or decryption information from the encryption provider, raises a host of new questions and issues that need further exploration. We are worried less about the narrow question of technical feasibility than how such a requirement would implicate valid concerns about privacy, abuse of official authority, and the inherent security of data security services. We are concerned whether the legislation's provision on imports might be interpreted to mean an individual on the Internet downloading encryption from a foreign country was violating the law and about where the line would be drawn on the prohibited distribution of encryption products not meeting the bill's legal requirements. The substitute is intended to put in place a legal framework for, and safeguards on, law enforcement access to encrypted electronic information. This is positive. Imposing new criminal penalties for the invasion of privacy relating to the misuse of decryption information is appropriate to ensure that government officials who gain access to information on the electronic network do not exceed their lawful authority. Likewise, we support requiring a verifiable audit trail whenever government officials obtain access to plaintext and decrypted information, regardless of whether or not a recovery-capable mandate on encryption is enacted. We are fast approaching what Kenneth Flamm of the Brookings Institution calls ``a digital future in which almost everything * * * is stored or communicated electronically, connected to or accessible through some computer network.'' It is time to take action on these issues. In addition, we recognize that the issues raised in this debate are international in scope. Given the availability of encryption technology abroad, and the ease of its dissemination, a unilateral export control policy on encryption will not work. Therefore, we must encourage, if not direct, the Administration to monitor closely international developments and to engage other countries in working out a multilateral approach to this issue. Recent events suggest passage of H.R. 695 as originally conceived is highly unlikely in the House of Representatives. We believe there now needs to be a very careful and deliberative effort to fashion balanced legislation. The information technology industry should suggest targeted legislative and regulatory amendments which will meet its need for fewer uncertainties in the export control process, while still allowing for regulatory flexibility as technology advances. Privacy advocates should recognize that government access to information residing on the electronic infrastructure in order to protect public safety is legitimate within reasonable constraints, and should propose what those reasonable constraints should be. Law enforcement officials should carefully evaluate where their highest priorities lie in protecting the public safety and preventing crime. The Administration should redouble its efforts to secure international agreements of mutual recognition of encryption management infrastructures to safeguard the privacy of United States citizens and enhance U.S. information security needs in electronic commerce. Continued stalemate on balancing the competing policy concerns is not in the interests of industry, law enforcement or the American people. Jane Harman. David E. Skaggs. Julian C. Dixon. ADDITIONAL VIEWS OF REPRESENTATIVE NANCY PELOSI I oppose the substitute to H.R. 695 ordered reported from the Permanent Select Committee on Intelligence. While there are indeed serious national security and law enforcement issues at stake in this debate, there are also serious questions about the impact of this legislation on the civil liberties on which this nation is based. A balance must be struck. The bill passed by the Committee does not strike the requisite balance. I was very concerned about the lack of an audit mechanism in the Committee's substitute as proposed and am pleased that the bill was amended to require an electronic audit trail, to ensure that there is accountability when an investigative or law enforcement officer obtains access to the plaintext of otherwise encrypted information or the provision of decryption information. Among the reasons I oppose the bill are the following: With respect to domestic controls, the ramifications of enacting a requirement that encryption products manufactured, distributed or imported in the United States after January 2000 contain features that provide, upon presentment of a court order, immediate plaintext access or decryption information, are not well understood. It is not clear such a requirement could pass constitutional muster, particularly where it might place restrictions on the distribution of encryption algorithms or the free flow of ideas among scientists working in the area of information technology. Indeed imposing domestic controls runs counter to the first recommendation of the National Research Council's widely-respected CRISIS report (``Cryptography's Role in Security in the Information Society,'' June 1996) that no law bar the manufacture, sale or use of any form of encryption in the United States. Despite the many provisions of the legislation designed to place civil and criminal penalties on official misuse of decryption information, and provide privacy protections to those who encrypt information, further debate is needed on whether the legal framework governing lawful wiretaps is the appropriate model for the 21st Century as so much information concerning our personal and economic lives is connected and accessible on-line. With respect to export controls, the legislation would force U.S. manufacturers to include features that could provide plaintext access or decryption information in encryption products exported overseas. Although the legislation allows these features to be enabled at the foreign purchaser's option, and does not require any keys or recovery information be held in escrow in the United States, demanding recovery capable features in exportable U.S. technology may provide repressive totalitarian regimes a new method of control over dissidents and human rights advocates who today evade surveillance by utilizing unbreakable encryption on the Internet. Also of concern is the impact of certain of the substitute's provisions on human rights activists in authoritarian countries. Human rights activists worldwide are using cryptography to protect their sources from reprisals by governments that violate human rights. Under the Committee substitute, the U.S. government can get a court order for violating the security of communications ``upon a request from a foreign country pursuant to a Mutual Legal Assistance Treaty.'' This provision will permit governments to breach the protection of confidential sources, thereby both endangering human rights activists using electronic communications and discouraging people who know of human rights violations to speak about them, even in private. Authoritarian governments often define the activities of those who dare to speak out against them as ``treason'' or ``revealing classified information,'' crimes recognized by the U.S. government. Under the Committee substitute, legitimate human rights activists, who now communicate safely through the Internet with strong encryption protection, will no longer have that safety. In addition, the legislation enshrines the broad concept that all decisions of the Secretary of Commerce with respect to the export of encryption products are not subject to judicial review. If the question at hand has to do with national security implications, the President could waive judicial review on a case-by-case basis as needed, rather than Congress acting to grant a blanket waiver of a citizen's right to recourse to the legal system. The serious issues involving national security and public safety could have been resolved with a more narrowly targeted approach. I hope efforts will be made to craft a consensus measure before H.R. 695 is considered on the floor of the House of Representatives. Nancy Pelosi. LETTERS FROM LAW ENFORCEMENT OFFICERS AND THE SECRETARY OF DEFENSE The Secretary of Defense, Washington, DC, July 21, 1997. Dear Member of Congress: Recently you received a letter from the nation's senior law enforcement officials regarding U.S. encryption policies. I am writing today to express my strong support for their views on their important issue. As you know, the Department of Defense is involved on a daily basis in countering international terrorism, narcotics trafficking, and the proliferation of weapons of mass destruction. The spread of unbreakable encryption, as a standard feature of mass market communication products, presents a significant threat to the ability of the U.S. and its allies to monitor the dangerous groups and individuals involved in these activities. Passage of legislation which effectively decontrols commercial encryption exports would undermine U.S. efforts to foster the use of strong key recovery encryption domestically and abroad. Key recovery products will preserve governments' abilities to counter worldwide terrorism, narcotics trafficking and proliferation. It is also important to note that the Department of Defense relies on the Federal Bureau of Investigation for the apprehension and prosecution of spies. Sadly, there have been over 60 espionage convictions of federal employees over the last decade. While these individuals represent a tiny minority of government employees, the impact of espionage activities on our nation's security can be enormous. As the recent arrests of Nicholson, Pitts and Kim clearly indicate, espionage remains a very serious problem. Any policies that detract from the FBI's ability to perform its vital counterintelligence function, including the ability to perform wiretaps, inevitably detract from the security of the Department of Defense and the nation. Encryption legislation must also address the nation's domestic information security needs. Today, approximately 95% of DoD communications rely on public networks; other parts of government, and industry, are even more dependent on the trustworthiness of such networks. Clearly, we must ensure that encryption legislation addresses these needs. An approach such as the one contained in S. 909 can go a long way toward balancing the need for strong encryption with the need to preserve national security and public safety. I hope that you will work with the Administration to enact legislation that addresses these national security concerns as well as the rights of the American people. I appreciate your consideration of these views. Sincerely, Bill Cohen. Office of the Attorney General, Washington, DC, July 18, 1997. Dear Member of Congress: Congress is considering a variety of legislative proposals concerning encryption. Some of these proposals would, in effect, make it impossible for the Federal Bureau of Investigation (FBI), Drug Enforcement Administration (DEA), Secret Service, Customs Service, Bureau of Alcohol, Tobacco and Firearms, and other federal, state, and local law enforcement agencies to lawfully gain access to criminal telephone conversations or electronically stored evidence possessed by terrorists, child pornographers, drug kingpins, spies and other criminals. Since the impact of these proposals would seriously jeopardize public safety and national security, we collectively urge you to support a different, balanced approach that strongly supports commercial and privacy interests but maintains our ability to investigate and prosecute serious crimes. We fully recognize that encryption is critical to communications security and privacy, and that substantial commercial interests are at stake. Perhaps in recognition of these facts, all the bills being considered allow market forces to shape the development of encryption products. We, too, place substantial reliance on market forces to promote electronic security and privacy, but believe that we cannot rely solely on market forces to protect the public safety and national security. Obviously, the government cannot abdicate its solemn responsibility to protect public safety and national security. Currently, of course, encryption is not widely used, and most data is stored, and transmitted, in the clear. As we move from a plaintext world to an encrypted one, we have a critical choice to make: we can either (1) choose robust, unbreakable encryption that protects commerce and privacy but gives criminals a powerful new weapon, or (2) choose robust, unbreakable encryption that protects commerce and privacy and gives law enforcement the ability to protect public safety. The choice should be obvious and it would be a mistake of historic proportions to do nothing about the dangers to public safety posed by encryption without adequate safeguards for law enforcement. Let there be no doubt: without encryption safeguards, all Americans will be endangered. No one disputes this fact; not industry, not encryption users, no one. We need to take definitive actions to protect the safety of the public and security of the nation. That is why law enforcement at all levels of government--including the Justice Department, Treasury Department, the National Association of Attorneys General, International Association of Chiefs of Police, the Major City Chiefs, the National Sheriffs' Association, and the National District Attorneys Association--are so concerned about this issue. We all agree that without adequate legislation, law enforcement in the United States will be severely limited in its ability to combat the worst criminals and terrorists. Further, law enforcement agrees that the widespread use of robust non-key recovery encryption ultimately will devastate our ability to fight crime and prevent terrorism. Simply stated, technology is rapidly developing to the point where powerful encryption will become commonplace both for routine telephone communications and for stored computer data. Without legislation that accommodates public safety and national security concerns, society's most dangerous criminals will be able to communicate safely and electronically store data without fear of discovery. Court orders to conduct electronic surveillance and court-authorized search warrants will be ineffectual, and the Fourth Amendment's carefully-struck balance between ensuring privacy and protecting public safety will be forever altered by technology. Technology should not dictate public policy, and it should promote, rather than defeat, public safety. We are not suggesting the balance of the Fourth Amendment be tipped toward law enforcement either. To the contrary, we only seek the status quo, not the lessening of any legal standard or the expansion of any law enforcement authority. The Fourth Amendment protects the privacy and liberties of our citizens but permits law enforcement to use tightly controlled investigative techniques to obtain evidence of crimes. The result has been the freest country in the world with the strongest economy. Law enforcement has already confronted encryption in high-profile espionage, terrorist, and criminal cases. For example: An international terrorist was plotting to blow up 11 U.S.-owned commercial airliners in the Far East. His laptop computer, which was seized in Manila, contained encrypted files concerning this terrorist plot; A subject in a child pornography case used encryption in transmitting obscene and pornographic images of children over the Internet; and A major international drug trafficking subject recently used a telephone encryption device to frustrate court-approved electronic surveillance. And this is just the tip of the iceberg. Convicted spy Aldrich Ames, for example, was told by the Russian Intelligence Service to encrypt computer file information that was to be passed to them. Further, today's international drug trafficking organizations are the most powerful, ruthless and affluent criminal enterprises we have ever faced. We know from numerous past investigations that they have utilized their virtually unlimited wealth to purchase sophisticated electronic equipment to facilitate their illegal activities. This has included state of the art communication and encryption devices. They have used this equipment as part of their command and control process for their international criminal operations. We believe you share our concern that criminals will increasingly take advantage of developing technology to further insulate their violent and destructive activities. Requests for cryptographic support pertaining to electronic surveillance interceptions from FBI Field Offices and other law enforcement agencies have steadily risen over the past several years. There has been an increase in the number of instances where the FBI's and DEA's court-authorized electronic efforts were frustrated by the use of encryption that did not allow for law enforcement access. There have also been numerous other cases where law enforcement, through the use of electronic surveillance, has not only solved and successfully prosecuted serious crimes but has also been able to prevent life-threatening criminal acts. For example, terrorists in New York were plotting to bomb the United Nations building, the Lincoln and Holland Tunnels, and 26 Federal Plaza as well as conduct assassinations of political figures. Court-authorized electronic surveillance enabled the FBI to disrupt the plot as explosives were being mixed. Ultimately, the evidence obtained was used to convict the conspirators. In another example, electronic surveillance was used to stop and then convict two men who intended to kidnap, molest, and kill a child. In all of these cases, the use of encryption might have seriously jeopardized public safety and resulted in the loss of life. To preserve law enforcement's abilities, and to preserve the balance so carefully established by the Constitution, we believe any encryption legislation must accomplish three goals in addition to promoting the widespread use of strong encryption. It must establish: A viable key management infrastructure that promotes electronic commerce and enjoys the confidence of encryption users; A key management infrastructure that supports a key recovery scheme that will allow encryption users access to their own data should the need arise, and that will permit law enforcement to obtain lawful access to the plaintext of encrypted communications and data; and An enforcement mechanism that criminalizes both improper use of encryption key recovery information and the use of encryption for criminal purposes. Only one bill, S. 909 (the McCain/Kerrey/Hollings bill), comes close to meeting these core public safety, law enforcement, and national security needs. The other bills being considered by Congress, as currently written, risk great harm to our ability to enforce the laws and protect our citizens. We look forward to working to improve the McCain/Kerrey/Hollings bill. In sum, while encryption is certainly a commercial interest of great importance to this Nation, it is not solely a commercial or business issue. Those of us charged with the protection of public safety and national security, believe that the misuse of encryption technology will become a matter of life and death in many instances. That is why we urge you to adopt a balanced approach that accomplishes the goals mentioned above. Only this approach will allow police departments, attorneys general, district attorneys, sheriffs, and federal authorities to continue to use their most effective investigative techniques, with court approval, to fight crime and espionage and prevent terrorism. Sincerely yours, Janet Reno, Attorney General. Louis Freeh, Director, Federal Bureau of Investigation. Thomas A. Constantine, Director, Drug Enforcement Administration. Raymond W. Kelly, Undersecretary for Enforcement, U.S. Department of the Treasury. John W. Magaw, Director, Bureau of Alcohol, Tobacco and Firearms. Barry McCaffrey, Director, Office of National Drug Control Policy. Lewis C. Merletti, Director, United States Secret Service. George J. Weise, Commissioner, United States Customs Service. International Association of Chiefs of Police, Alexandria, VA, July 21, 1997. Dear Member of Congress: Enclosed is a letter sent to you by the Attorney General, the Director of National Drug Control Policy and all the federal law enforcement heads concerning encryption legislation being considered by congress. Collectively we, the undersigned, represent over 17,000 police departments including every major city police department, over 3,000 sheriffs departments, nearly every district attorney in the United States and all of the state Attorneys General. We fully endorse the position taken by our federal counterparts in the enclosed letter. As we have stated many times, Congress must adopt a balanced approach to encryption that fully addresses public safety concerns or the ability of state and local law enforcement to fight crime and drugs will be severely damaged. Any encryption legislation that does not ensure that law enforcement can gain timely access to the plaintext of encrypted conversations and information by established legal procedures will cause grave harm to public safety. The risk cannot be left to the uncertainty of market forces or commercial interests as the current legislative proposals would require. Without adequate safeguards, the unbridled use of powerful encryption soon will deprive law enforcement of two of its most effective tools, court authorized electronic surveillance and the search and seizure of information stored in computers. This will substantially tip the balance in the fight against crime towards society's most dangerous criminals as the information age develops. We are in unanimous agreement that congress must adopt encryption legislation that requires the development, manufacture, distribution and sale of only key recovery products and we are opposed to the bills that do not do so. Only the key recovery approach will ensure that law enforcement can continue to gain timely access to the plaintext of encrypted conversations and other evidence of crimes when authorized by a court to do so. If we lose this ability--and the bills you are considering will have this result--it will be a substantial setback for law enforcement at the direct expense of public safety. Sincerely yours, Darrell L. Sanders, President, International Association of Chiefs of Police. James E. Doyle, President, National Association of Attorneys General. Fred Scoralie, President, National Sheriffs' Association. William L. Murphy, President, National District Attorneys Association. Major Cities Chiefs, Chicago IL, July 24, 1997. Hon. Orrin G. Hatch, Chairman, Judiciary Committee, Senate Hart Office Building, Washington, DC. Dear Mr. Chairman: The Major Cities Chiefs is a professional association of police executives representing the largest jurisdictions in the United States. The association provides a forum for urban police chiefs, sheriffs and other law enforcement chief executives to discuss common problems associated with protecting cites with populations exceeding 500,000 people. Congress is considering a variety of legislative proposals concerning encryption. Some of these proposals would, in effect, make it impossible for law enforcement agencies across the country, both on the federal, state and local level, to lawfully gain access to criminal telephone conversations or electronically stored evidence. Since the impact of these proposals would seriously jeopardize public safety, our association urges you to support a balanced approach that strongly supports commercial and private interests but also maintains law enforcements ability to investigate and prosecute serious crime. While we recognize that encryption is critical to communications security and privacy and that commercial interests are at stake, we all agree that without adequate legislation, law enforcement across the country will be severely limited in its ability to combat serious crime. The widespread use of non-key recovery encryption ultimately will eliminate our ability to obtain valuable evidence of criminal activity. The legitimate and lawful interception of communications, pursuant to a court order, for the most serious criminal acts will be meaningless because of our inability to decipher the evidence. Encryption is certainly of great importance to the commercial interests across this country. However, public safety concerns are just as critical and we must not loose sight of this. The need to preserve an invaluable investigative tool is of the utmost importance in law enforcements ability to protect the public against serious crime. Sincerely yours, Matt L. Rodriguez, Chairman. National District Attorneys Association, Alexandria, VA. RESOLUTION Encryption Whereas, the introduction of digitally-based telecommunications technologies as well as the widespread use of computers and computer networks having encryption capabilities are facilitating the development and production of strong, affordable encryption products and services for private sector use; and Whereas, on one hand the use of strong encryption products and services are extremely beneficial when used legitimately to protect commercially sensitive information and communications. On the other hand, the potential use of strong encryption products and services that do not allow for timely law enforcement decryption by a vast array of criminals and terrorist to conceal their criminal communications and information from law enforcement poses an extremely serious threat to public safety: and Whereas, the law enforcement community is extremely concerned about the serious threat posed by the use of these strong encryption products and services that do not allow for authorization (court-authorized wiretaps or court-authorized search and seizure); and Whereas, law enforcement fully supports a balanced encryption policy that satisfies both the commercial needs of industry for strong encryption while at the same time satisfying law enforcement's public safety needs for the timely decryption of encrypted criminal communications and information; and Whereas, law enforcement has found that strong key recovery encryption products and services are clearly the best way, and perhaps the only way, to achieve both the goals of industry and law enforcement; and Whereas, government representatives have been working with industry to encourage the voluntary development, sale, and use of key recovery encryption products and services in its pursuit of a balanced encryption policy; Be it resolved, That the National District Attorneys Association supports and encourages the development and adoption of a balanced encryption policy that encourages the development, sale, and use of key recovery encryption products and services, both domestically and abroad. We believe that this approach represents a policy that appropriately addresses both the commercial needs of industry while at the same time satisfying law enforcement's public safety needs. ENCRYPTION Whereas, the introduction of digitally-based telecommunications technologies, as well as the widespread use of computers and computer networks having encryption capabilities are facilitating the development and production of affordable and robust encryption products for private sector use; and Whereas, on one hand encryption is extremely beneficial when used legitimately to protect commercially sensitive information and communications. On the other hand, the potential use of such encryption products by a vast array of criminals and terrorists to conceal their criminal communications and information from law enforcement poses an extremely serious threat to public safety; and Whereas, the law enforcement community is extremely concerned about the serious threat posed by the use of robust encryption products that do not allow for law enforcement access and its timely decryption, pursuant to lawful authorization (court-authorized wiretaps or court-authorized search and seizure); and Whereas, law enforcement fully supports a balanced encryption policy that satisfies both the commercial needs of industry for robust encryption while at the same time satisfying law enforcement's public safety needs; and Whereas, law enforcement has found that robust key-escrow encryption is clearly the best way, and perhaps the only way, to achieve both the goals of industry and law enforcement; and Whereas, government representatives have been working with industry to encourage the voluntary development, sale, and use of key-escrow encryption in its pursuit of a balanced encryption policy: Now, therefore, be it Resolved, that the International Association of Chiefs of Police, duly assembled at its 103rd annual conference in Phoenix, Arizona supports and encourages the development and adoption of a key-escrow encryption policy, which we believe represents a policy that appropriately addresses both the commercial needs of industry while at the same time satisfying law enforcement's public safety needs and that we oppose any efforts, legislatively or otherwise, that would undercut the adoption of such a balanced encryption policy. National Sheriffs' Association Chiefs of Police, RESOLUTION DIGITAL TELECOMMUNICATIONS ENCRYPTION Whereas, the introduction of digitally-based telecommunications technologies as well as the widespread use of computers and computer networks having encryption capabilities are facilitating the development and production of affordable and robust encryption products for private sector use: and Whereas, on one hand, encryption is extremely beneficial when used legitimately to protect commercially sensitive information and communications. On the other hand, the potential use of such encryption products by a vast array of criminals and terrorists to conceal their criminal communications and information from law enforcement poses an extremely serious threat to public safety; and Whereas, the law enforcement community is extremely concerned about the serious threat posed by the use of robust encryption products that do not allow for court authorized law enforcement access and its timely decryption, pursuant to lawful authorization; and Whereas, law enforcement fully supports a balanced encryption policy that satisfies both the commercial needs of industry for robust encryption while at the same time satisfying law enforcement's public safety needs; and Whereas, law enforcement has found that robust key-escrow encryption is clearly the best way, and perhaps the only way, to achieve both the goals of industry and law enforcement; and Whereas, government representatives have been working with industry to encourage the voluntary development, sale and use of key-escrow encryption in its pursuit of a balanced encryption policy; and therefore, be it Resolved That the National Sheriffs' Association supports and encourages the development and adoption of a key-escrow encryption policy which we believe represents a policy that appropriately addresses both the commercial needs of industry while at the same time satisfying law enforcement's public safety needs and that we oppose any efforts, legislatively or otherwise, that would undercut the adoption of such a balanced encryption policy. Imperial County Sheriff, Coroner's Office, El Centro, CA, August 26, 1997. Re Key recovery of encrypted data. Hon. Porter J. Goss, Chairman, Permanent Select Committee on Intelligence, Washington, DC. Dear Chairman Goss: I join my associates in Federal law enforcement, as well as the International Association of Chiefs of Police, the National Sheriff's Association, and the National District Attorney's Association, in urging you to make provisions for key recovery of encrypted data. Both of you and your Committee are familiar with the technology and the issues, and I won't waste your time or attention in a lengthy discourse on what encryption or key recovery is. You know as much about the technology as I do. Of particular interest to me is the ability of international drug cartels to thwart legitimate, court-sanctioned interception of criminal communications here along the border. Drug trafficking organizations are sophisticated, aggressive, and well-funded. They certainly are taking advantage today of encryption technology in our own country. Without provisions for key recovery, it will be virtually impossible for law enforcement to conduct criminal investigations of telecommunications activity or electronic data files. A simple solution is to require a provision in trade agreements which requires a trustworthy key agent to maintain the key to encrypted data. Such a requirement would still allow legitimate safeguarding of data, but would also allow law enforcement to crack coded information in criminal investigations and national security matters. I would be pleased to discuss this vital matter with you and I will be appreciative of any consideration you may give this issue. Sincerely, Oren R. Fox, Sheriff-Coroner.