Congressional Documents
FILE h695.rh
Union Calendar No. 160
105th CONGRESS
1st Session
A BILL
To amend title 18, United States Code, to affirm the rights of
United States persons to use and sell encryption and to relax
export controls on encryption.
September 29, 1997
Reported from the Committee on Commerce with an amendment,
committed to the Committee of the Whole House on the State of the
Union, and ordered to be printed
H.R. 695 RH
105th CONGRESS
1st Session
[Report No. 105-108, Parts I, II, III, IV, V]
To amend title 18, United States Code, to affirm the rights of
United States persons to use and sell encryption and to relax
export controls on encryption.
IN THE HOUSE OF REPRESENTATIVES
February 12, 1997
Mr. GOODLATTE (for himself, Ms. LOFGREN, Mr. DELAY, Mr. BOEHNER,
Mr. COBLE, Mr. SENSENBRENNER, Mr. BONO, Mr. PEASE, Mr. CANNON,
Mr. CONYERS, Mr. BOUCHER, Mr. GEKAS, Mr. SMITH of Texas, Mr.
INGLIS of South Carolina, Mr. BRYANT, Mr. CHABOT, Mr. BARR of
Georgia, Ms. JACKSON-LEE of Texas, Ms. WATERS, Mr. ACKERMAN,
Mr. BAKER, Mr. BARTLETT of Maryland, Mr. CAMPBELL, Mr.
CHAMBLISS, Mr. CUNNINGHAM, Mr. DAVIS of Virginia, Mr. DICKEY,
Mr. DOOLITTLE, Mr. EHLERS, Mr. ENGEL, Ms. ESHOO, Mr. EVERETT,
Mr. EWING, Mr. FARR of California, Mr. GEJDENSON, Mr. GILLMOR,
Mr. GOODE, Ms. NORTON, Mr. HORN, Ms. EDDIE BERNICE JOHNSON of
Texas, Mr. SAM JOHNSON of Texas, Mr. KOLBE, Mr. MCINTOSH, Mr.
MCKEON, Mr. MANZULLO, Mr. MATSUI, Mr. MICA, Mr. MINGE, Mr.
MOAKLEY, Mr. NETHERCUTT, Mr. PACKARD, Mr. SESSIONS, Mr. UPTON,
Mr. WHITE, and Ms. WOOLSEY) introduced the following bill;
which was referred to the Committee on the Judiciary, and in
addition to the Committee on International Relations, for a
period to be subsequently determined by the Speaker, in each
case for consideration of such provisions as fall within the
jurisdiction of the committee concerned
May 22, 1997
Reported from the Committee on the Judiciary with an amendment
[STRIKE OUT ALL AFTER THE ENACTING CLAUSE AND INSERT THE PART
PRINTED IN ITALIC]
Referral to the Committee on International Relations extended for a
period ending not later than July 11, 1997
June 26, 1997
Referral to the Committee on International Relations extended for a
period ending not later than July 25, 1997
Referred to the Committees on Commerce, National Security, and the
Permanent Select Committee on Intelligence for a period ending
not later than September 5, 1997, for consideration of such
provisions of the bill and amendment reported by the Committee
on the Judiciary as fall within the jurisdiction of those
committees pursuant to clause 1(e) and (k), rule X and rule
XLVIII, respectively
July 25, 1997
Reported from the Committee on the International Relations with an
amendment
[STRIKE OUT ALL AFTER THE ENACTING CLAUSE AND INSERT THE PART
PRINTED IN BOLDFACE ROMAN]
July 30, 1997
Referral to the Permanent Select Committee on Intelligence extended
for a period ending not later than September 12, 1997
July 31, 1997
Referral to the Committee on National Security extended for a
period ending not later than September 12, 1997
September 5, 1997
Referral to the Committee on Commerce extended for a period ending
not later than September 12, 1997
September 11, 1997
Referral to the Permanent Select Committee on Intelligence extended
for a period ending not later than September 16, 1997
Referral to the Committee on Commerce extended for a period ending
not later than September 26, 1997
September 12, 1997
Reported from the Committee on the National Security with amendments
[OMIT THE PART STRUCK THROUGH IN BOLD BRACKETS AND INSERT THE PART
PRINTED IN BOLDFACE ITALIC AND AMEND THE TITLE]
September 16, 1997
Reported from the Permanent Select Committee on Intelligence with
an amendment
[STRIKE OUT ALL AFTER THE ENACTING CLAUSE AND INSERT THE PART
PRINTED IN BOLDFACE ROMAN IN DOUBLE BOLD BRACKETS]
September 25, 1997
Referral to the Committee on Commerce extended for a period ending
not later than September 29, 1997
September 29, 1997
Additional sponsors: Mr. HASTINGS of Washington, Mr. COOK, Mr. FOX
of Pennsylvania, Mrs. MORELLA, Mr. BILBRAY, Mrs. MYRICK, Mr.
DEFAZIO, Mr. WATKINS, Mr. FRANKS of New Jersey, Mr. MARTINEZ,
Mr. SHAYS, Mr. NADLER, Mr. HOSTETTLER, Mr. FALEOMAVAEGA, Mrs.
LINDA SMITH of Washington, Mr. PAXON, Mr. WELDON of Florida,
Mr. GORDON, Mr. HUTCHINSON, Ms. RIVERS, Mr. SNOWBARGER, Mrs.
TAUSCHER, Mr. DELAHUNT, Mr. ROHRABACHER, Mr. COOKSEY, Mr. MORAN
of Virginia, Mr. GALLEGLY, Mr. CAMP, Mr. WEXLER, Mr. WELLER,
Mr. SHERMAN, Mr. DREIER, Mr. CALVERT, Mr. CAPPS, Mr. LINDER,
Mr. MCINNIS, Mr. GRAHAM, Mr. THOMAS, Ms. MCKINNEY, Ms. MCCARTHY
of Missouri, Mr. FRANK of Massachusetts, Mr. SISISKY, Mr.
FORBES, Mr. BLUNT, Mr. ISTOOK, Mr. PICKERING, Mr. DOOLEY of
California, Mr. LATHAM, Mr. COX of California, Mr. ROEMER, Mr.
FAZIO of California, Mr. ADAM SMITH of Washington, Mr. KIND,
Mr. BALLENGER, Mr. NEY, Mr. SALMON, Mr. HOUGHTON, Mr. MCHUGH,
Ms. FURSE, Mr. HASTINGS of Florida, Mr. DIAZ-BALART, Mr. KING,
Ms. SLAUGHTER, Mr. FROST, Mr. BURTON of Indiana, Ms. DUNN, Ms.
CHRISTIAN-GREEN, Mr. ENGLISH of Pennsylvania, Mr. LAMPSON, Mr.
BRADY, Mr. SMITH of New Jersey, Mrs. CHENOWETH, Mr. COBURN,
Mrs. CUBIN, Mr. BOB SCHAFFER of Colorado, Mr. BARTON of Texas,
Mr. LARGENT, Mr. CLEMENT, Mr. HILLIARD, Mr. LUTHER, Mr. CRAPO,
Mr. ROGAN, Mr. ANDREWS, Mr. BONILLA, Ms. ROS-LEHTINEN, Mr.
GUTKNECHT, Mr. HAYWORTH, Mr. SUNUNU, Mr. SCARBOROUGH, Mr.
NEUMANN, Mr. SANFORD, Mr. NORWOOD, Ms. PRYCE of Ohio, Mr. LEWIS
of Kentucky, Mr. KASICH, Mr. ARCHER, Mr. HANSEN, Mr. HERGER,
Mr. RILEY, Mr. HILL, Mr. TAUZIN, Mr. MORAN of Kansas, Mr. BURR
of North Carolina, Mr. BLUMENAUER, Mr. POMEROY, Mr. RIGGS, Mr.
KINGSTON, Mr. MILLER of California, Mr. DUNCAN, Mr. WHITFIELD,
Mr. SMITH of Oregon, Mr. QUINN, Mr. KENNEDY of Massachusetts,
Mrs. KELLY, Mr. METCALF, Mr. MARKEY, Mr. NEAL of Massachusetts,
Mrs. EMERSON, Mr. CHRISTENSEN, Mr. WATTS of Oklahoma, Mr.
SOUDER, Mr. POMBO, Mr. STENHOLM, Mr. TIAHRT, Mr. MCGOVERN, Mr.
PARKER, Mr. WICKER, Mr. BARRETT of Nebraska, Mr. GEPHARDT, Mr.
KIM, Mrs. JOHNSON of Connecticut, Mr. LUCAS of Oklahoma, Mr.
BROWN of California, Mr. KNOLLENBERG, Mr. TALENT, Mr. TIENEY,
Mr. KLUG, Mr. JENKINS, Mr. CONDIT, Mr. HALL of Texas, Mr.
BACHUS, Mr. CRANE, Mr. WAMP, Mr. CASTLE, Mr. LAHOOD, Mr.
GOODLING, Mr. SHIMKUS, Mr. SERRANO, Mr. HOLDEN, Mr. HOBSON, Mr.
RAHALL, Mr. THOMPSON, Mr. THUNE, Mr. CLYBURN, Mr. HILLEARY, Mr.
DEAL of Georgia, Mr. COLLINS, Mr. DAN SCHAEFER of Colorado, Mr.
HALL of Ohio, Mr. LIVINGSTON, Mr. HOEKSTRA, Mr. WISE, Mr.
FILNER, Mr. MCDERMOTT, Ms. SANCHEZ, Mrs. THURMAN, Mr. TANNER,
Mr. PASTOR, Ms. KAPTUR, Mr. LEWIS of Georgia, Mr. JACKSON of
Illinois, Ms. MILLENDER-MCDONALD, Mr. CUMMINGS, Mr. JEFFERSON,
Mr. FORD, Mr. BARRETT of Wisconsin, Mr. FATTAH, Mr. BARCIA, Ms.
HOOLEY of Oregon, Mrs. NORTHUP, Mr. VENTO, Mr. BONIOR, Mrs.
CLAYTON, Mrs. KENNELLY of Connecticut, Mr. PALLONE, Mr. OLVER,
Ms. KILPATRICK, Ms. DELAURO, Mrs. MEEK of Florida, Ms.
STABENOW, Mr. STEARNS, Mr. RADANOVICH, Mr. TAYLOR of North
Carolina, Mr. WALSH, Mr. NUSSLE, Mr. DAVIS of Illinois, and Mr.
Rush
Deleted sponsors: Mr. EVERETT (added February 12, 1997; deleted
July 30, 1997), Ms. EDDIE BERNICE JOHNSON of Texas (added
February 12, 1997; deleted May 13, 1997), Mr. SOLOMON (added
March 13, 1997; deleted April 29, 1997), Mr. ROTHMAN (added
April 10, 1997; deleted July 24, 1997), Mr. JONES (added June
23, 1997; deleted September 8, 1997), Mr. BUNNING (added July
9, 1997; deleted July 30, 1997), Mr. THORNBERRY (added July 24,
1997; deleted September 4, 1997), and Mr. HEFLEY (added July
29, 1997; deleted July 30, 1997)
September 29, 1997
Reported from the Committee on Commerce with an amendment,
committed to the Committee of the Whole House on the State of
the Union, and ordered to be printed
[STRIKE OUT ALL AFTER THE ENACTING CLAUSE AND INSERT THE PART
PRINTED IN BOLDFACE ITALIC IN BOLD PARENTHESES]
A BILL
To amend title 18, United States Code, to affirm the rights of
United States persons to use and sell encryption and to relax
export controls on encryption.
Be it enacted by the Senate and House of
Representatives of the United States of America in Congress
assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the `Security and Freedom Through
Encryption (SAFE) Act'.
SEC. 2. SALE AND USE OF ENCRYPTION.
(a) IN GENERAL- Part I of title 18, United States Code, is
amended by inserting after chapter 121 the following new chapter:
`CHAPTER 122--ENCRYPTED WIRE AND ELECTRONIC INFORMATION
`2801. Definitions.
`2802. Freedom to use encryption.
`2803. Freedom to sell encryption.
`2804. Prohibition on mandatory key escrow.
`2805. Unlawful use of encryption in furtherance of a criminal act.
`Sec. 2801. Definitions
`As used in this chapter--
`(1) the terms `person', `State', `wire communication',
`electronic communication', `investigative or law enforcement
officer', `judge of competent jurisdiction', and `electronic
storage' have the meanings given those terms in section 2510 of
this title;
`(2) the terms `encrypt' and `encryption' refer to the
scrambling of wire or electronic information using mathematical
formulas or algorithms in order to preserve the
confidentiality, integrity, or authenticity of, and prevent
unauthorized recipients from accessing or altering, such
information;
`(3) the term `key' means the variable information used in a
mathematical formula, code, or algorithm, or any component
thereof, used to decrypt wire or electronic information that
has been encrypted; and
`(4) the term `United States person' means--
`(A) any United States citizen;
`(B) any other person organized under the laws of any
State, the District of Columbia, or any commonwealth,
territory, or possession of the United States; and
`(C) any person organized under the laws of any foreign
country who is owned or controlled by individuals or
persons described in subparagraphs (A) and (B).
`Sec. 2802. Freedom to use encryption
`Subject to section 2805, it shall be lawful for any person
within any State, and for any United States person in a foreign
country, to use any encryption, regardless of the encryption
algorithm selected, encryption key length chosen, or implementation
technique or medium used.
`Sec. 2803. Freedom to sell encryption
`Subject to section 2805, it shall be lawful for any person
within any State to sell in interstate commerce any encryption,
regardless of the encryption algorithm selected, encryption key
length chosen, or implementation technique or medium used.
`Sec. 2804. Prohibition on mandatory key escrow
`(a) PROHIBITION- No person in lawful possession of a key to
encrypted information may be required by Federal or State law to
relinquish to another person control of that key.
`(b) EXCEPTION FOR ACCESS FOR LAW ENFORCEMENT PURPOSES-
Subsection (a) shall not affect the authority of any investigative
or law enforcement officer, acting under any law in effect on the
effective date of this chapter, to gain access to encrypted
information.
`Sec. 2805. Unlawful use of encryption in furtherance of a criminal
act
`Any person who willfully uses encryption in furtherance of the
commission of a criminal offense for which the person may be
prosecuted in a court of competent jurisdiction--
`(1) in the case of a first offense under this section, shall
be imprisoned for not more than 5 years, or fined in the amount
set forth in this title, or both; and
`(2) in the case of a second or subsequent offense under this
section, shall be imprisoned for not more than 10 years, or
fined in the amount set forth in this title, or both.'.
(b) CONFORMING AMENDMENT- The table of chapters for part I of
title 18, United States Code, is amended by inserting after the
item relating to chapter 33 the following new item:
2801'.
[ SEC. 3. EXPORTS OF ENCRYPTION.
[ (a) AMENDMENT TO EXPORT
ADMINISTRATION ACT OF 1979- Section 17 of the Export Administration
Act of 1979 (50 U.S.C. App. 2416) is amended by adding at the end
thereof the following new subsection:
[ `(g) COMPUTERS AND RELATED
EQUIPMENT-
[ `(1) GENERAL RULE-
Subject to paragraphs (2), (3), and (4), the Secretary shall
have exclusive authority to control exports of all computer
hardware, software, and technology for information security
(including encryption), except that which is specifically
designed or modified for military use, including command,
control, and intelligence applications.
[ `(2) ITEMS NOT REQUIRING
LICENSES- No validated license may be required, except pursuant
to the Trading With The Enemy Act or the International
Emergency Economic Powers Act (but only to the extent that the
authority of such Act is not exercised to extend controls
imposed under this Act), for the export or reexport of--
[ `(A) any software,
including software with encryption capabilities--
[ `(i) that is
generally available, as is, and is designed for
installation by the purchaser; or
[ `(ii) that is in
the public domain for which copyright or other
protection is not available under title 17, United
States Code, or that is available to the public because
it is generally accessible to the interested public in
any form; or
[ `(B) any computing
device solely because it incorporates or employs in any
form software (including software with encryption
capabilities) exempted from any requirement for a validated
license under subparagraph (A).
[ `(3) SOFTWARE WITH
ENCRYPTION CAPABILITIES- The Secretary shall authorize the
export or reexport of software with encryption capabilities for
nonmilitary end uses in any country to which exports of
software of similar capability are permitted for use by
financial institutions not controlled in fact by United States
persons, unless there is substantial evidence that such
software will be--
[ `(A) diverted to a
military end use or an end use supporting international
terrorism;
[ `(B) modified for
military or terrorist end use; or
[ `(C) reexported
without any authorization by the United States that may be
required under this Act.
[ `(4) HARDWARE WITH
ENCRYPTION CAPABILITIES- The Secretary shall authorize the
export or reexport of computer hardware with encryption
capabilities if the Secretary determines that a product
offering comparable security is commercially available outside
the United States from a foreign supplier, without effective
restrictions.
[ `(5) DEFINITIONS- As used
in this subsection--
[ `(A) the term
`encryption' means the scrambling of wire or electronic
information using mathematical formulas or algorithms in
order to preserve the confidentiality, integrity, or
authenticity of, and prevent unauthorized recipients from
accessing or altering, such information;
[ `(B) the term
`generally available' means, in the case of software
(including software with encryption capabilities), software
that is offered for sale, license, or transfer to any
person without restriction, whether or not for
consideration, including, but not limited to,
over-the-counter retail sales, mail order transactions,
phone order transactions, electronic distribution, or sale
on approval;
[ `(C) the term `as is'
means, in the case of software (including software with
encryption capabilities), a software program that is not
designed, developed, or tailored by the software publisher
for specific purchasers, except that such purchasers may
supply certain installation parameters needed by the
software program to function properly with the purchaser's
system and may customize the software program by choosing
among options contained in the software program;
[ `(D) the term `is
designed for installation by the purchaser' means, in the
case of software (including software with encryption
capabilities) that--
[ `(i) the software
publisher intends for the purchaser (including any
licensee or transferee), who may not be the actual
program user, to install the software program on a
computing device and has supplied the necessary
instructions to do so, except that the publisher may
also provide telephone help line services for software
installation, electronic transmission, or basic
operations; and
[ `(ii) the
software program is designed for installation by the
purchaser without further substantial support by the
supplier;
[ `(E) the term
`computing device' means a device which incorporates one or
more microprocessor-based central processing units that can
accept, store, process, or provide output of data; and
[ `(F) the term
`computer hardware', when used in conjunction with
information security, includes, but is not limited to,
computer systems, equipment, application-specific
assemblies, modules, and integrated circuits.'.
[ (b) CONTINUATION OF EXPORT
ADMINISTRATION ACT- For purposes of carrying out the amendment made
by subsection (a), the Export Administration Act of 1979 shall be
deemed to be in effect. ]
SEC. 3. EXPORTS OF ENCRYPTION.
(a) EXPORT CONTROL OF ENCRYPTION PRODUCTS NOT CONTROLLED ON THE
UNITED STATES MUNITIONS LIST- The Secretary of Commerce, with the
concurrence of the Secretary of Defense, shall have the authority
to control the export of encryption products not controlled on the
United States Munitions List. Decisions made by the Secretary of
Commerce with the concurrence of the Secretary of Defense with
respect to exports of encryption products under this section shall
not be subject to judicial review.
(b) LICENSE EXCEPTION FOR CERTAIN ENCRYPTION PRODUCTS- Encryption
products with encryption strength equal to or less than the level
identified in subsection (d) shall be eligible for export under a
license exception after a 1-time review, if the encryption product
being exported does not include features that would otherwise
require licensing under applicable regulations, is not destined for
countries, end-users, or end-uses that the Secretary of Commerce
has determined by regulation, with the concurrence of the Secretary
of Defense, are ineligible to receive such products, and is
otherwise qualified for export.
(c) ONE-TIME PRODUCT REVIEW- The Secretary of Commerce, with the
concurrence of the Secretary of Defense, shall specify the
information that must be submitted for the 1-time review referred
to in subsection (b).
(d) ELIGIBLE ENCRYPTION LEVELS-
(1) INITIAL ELIGIBILITY LEVEL- Not later than 30 days after
the date of the enactment of this Act, the President shall
notify the Congress of the maximum level of encryption strength
that could be exported from the United States under license
exception pursuant to this section without harm to the national
security of the United States. Such level shall not become
effective until 60 days after such notification.
(2) ANNUAL REVIEW OF ELIGIBILITY LEVEL- Not later than 1 year
after notifying the Congress of the maximum level of encryption
strength under paragraph (1), and annually thereafter, the
President shall notify the Congress of the maximum level of
encryption strength that could be exported from the United
States under license exception pursuant to this section without
harm to the national security of the United States. Such level
shall not become effective until 60 days after such notification.
(3) CALCULATION OF 60-DAY PERIOD- The 60-day period referred
to in paragraphs (1) and (2) shall be computed by excluding--
(A) the days on which either House is not in session
because of an adjournment of more than 3 days to a day
certain or an adjournment of the Congress sine die; and
(B) each Saturday and Sunday, not excluded under
subparagraph (A), when either House is not in session.
(e) EXCERCISE OF EXISTING AUTHORITIES- The Secretary of Commerce
and the Secretary of Defense may exercise the authorities they have
under other provisions of law to carry out this section.
SECTION 1. SHORT TITLE.
This Act may be cited as the `Security and Freedom Through
Encryption (SAFE) Act'.
SEC. 2. SALE AND USE OF ENCRYPTION.
(a) IN GENERAL- Part I of title 18, United States Code, is
amended by inserting after chapter 123 the following new chapter:
`CHAPTER 125--ENCRYPTED WIRE AND ELECTRONIC INFORMATION
`2801. Definitions.
`2802. Freedom to use encryption.
`2803. Freedom to sell encryption.
`2804. Prohibition on mandatory key escrow.
`2805. Unlawful use of encryption in furtherance of a criminal act.
`Sec. 2801. Definitions
`As used in this chapter--
`(1) the terms `person', `State', `wire communication',
`electronic communication', `investigative or law enforcement
officer', and `judge of competent jurisdiction' have the
meanings given those terms in section 2510 of this title;
`(2) the terms `encrypt' and `encryption' refer to the
scrambling of wire communications, electronic communications,
or electronically stored information, using mathematical
formulas or algorithms in order to preserve the
confidentiality, integrity, or authenticity of, and prevent
unauthorized recipients from accessing or altering, such
communications or information;
`(3) the term `key' means the variable information used in a
mathematical formula, code, or algorithm, or any component
thereof, used to decrypt wire communications, electronic
communications, or electronically stored information, that has
been encrypted; and
`(4) the term `United States person' means--
`(A) any United States citizen;
`(B) any other person organized under the laws of any
State, the District of Columbia, or any commonwealth,
territory, or possession of the United States; and
`(C) any person organized under the laws of any foreign
country who is owned or controlled by individuals or
persons described in subparagraphs (A) and (B).
`Sec. 2802. Freedom to use encryption
`Subject to section 2805, it shall be lawful for any person
within any State, and for any United States person in a foreign
country, to use any encryption, regardless of the encryption
algorithm selected, encryption key length chosen, or implementation
technique or medium used.
`Sec. 2803. Freedom to sell encryption
`Subject to section 2805, it shall be lawful for any person
within any State to sell in interstate commerce any encryption,
regardless of the encryption algorithm selected, encryption key
length chosen, or implementation technique or medium used.
`Sec. 2804. Prohibition on mandatory key escrow
`(a) PROHIBITION- No person in lawful possession of a key to
encrypted communications or information may be required by Federal
or State law to relinquish to another person control of that key.
`(b) EXCEPTION FOR ACCESS FOR LAW ENFORCEMENT PURPOSES-
Subsection (a) shall not affect the authority of any investigative
or law enforcement officer, or any member of the intelligence
community as defined in section 3 of the National Security Act of
1947 (50 U.S.C. 401a), acting under any law in effect on the
effective date of this chapter, to gain access to encrypted
communications or information.
`Sec. 2805. Unlawful use of encryption in furtherance of a criminal
act
`Any person who, in the commission of a felony under a criminal
statute of the United States, knowingly and willfully encrypts
incriminating communications or information relating to that felony
with the intent to conceal such communications or information for
the purpose of avoiding detection by law enforcement agencies or
prosecution--
`(1) in the case of a first offense under this section, shall
be imprisoned for not more than 5 years, or fined in the amount
set forth in this title, or both; and
`(2) in the case of a second or subsequent offense under this
section, shall be imprisoned for not more than 10 years, or
fined in the amount set forth in this title, or both.'.
(b) CONFORMING AMENDMENT- The table of chapters for part I of
title 18, United States Code, is amended by inserting after the
item relating to chapter 123 the following new item:
2801'.
SEC. 3. EXPORTS OF ENCRYPTION.
(a) AMENDMENT TO EXPORT ADMINISTRATION ACT OF 1979- Section 17 of
the Export Administration Act of 1979 (50 U.S.C. App. 2416) is
amended by adding at the end thereof the following new subsection:
`(g) COMPUTERS AND RELATED EQUIPMENT-
`(1) GENERAL RULE- Subject to paragraphs (2), (3), and (4),
the Secretary shall have exclusive authority to control exports
of all computer hardware, software, and technology for
information security (including encryption), except that which
is specifically designed or modified for military use,
including command, control, and intelligence applications.
`(2) ITEMS NOT REQUIRING LICENSES- No validated license may
be required, except pursuant to the Trading With The Enemy Act
or the International Emergency Economic Powers Act (but only to
the extent that the authority of such Act is not exercised to
extend controls imposed under this Act), for the export or
reexport of--
`(A) any software, including software with encryption
capabilities--
`(i) that is generally available, as is, and is
designed for installation by the purchaser; or
`(ii) that is in the public domain for which
copyright or other protection is not available under
title 17, United States Code, or that is available to
the public because it is generally accessible to the
interested public in any form; or
`(B) any computing device solely because it incorporates
or employs in any form software (including software with
encryption capabilities) exempted from any requirement for
a validated license under subparagraph (A).
`(3) SOFTWARE WITH ENCRYPTION CAPABILITIES- The Secretary
shall authorize the export or reexport of software with
encryption capabilities for nonmilitary end uses in any country
to which exports of software of similar capability are
permitted for use by financial institutions not controlled in
fact by United States persons, unless there is substantial
evidence that such software will be--
`(A) diverted to a military end use or an end use
supporting international terrorism;
`(B) modified for military or terrorist end use; or
`(C) reexported without any authorization by the United
States that may be required under this Act.
`(4) HARDWARE WITH ENCRYPTION CAPABILITIES- The Secretary
shall authorize the export or reexport of computer hardware
with encryption capabilities if the Secretary determines that a
product offering comparable security is commercially available
outside the United States from a foreign supplier, without
effective restrictions.
`(5) DEFINITIONS- As used in this subsection--
`(A) the term `encryption' means the scrambling of wire
or electronic information using mathematical formulas or
algorithms in order to preserve the confidentiality,
integrity, or authenticity of, and prevent unauthorized
recipients from accessing or altering, such information;
`(B) the term `generally available' means, in the case of
software (including software with encryption capabilities),
software that is offered for sale, license, or transfer to
any person without restriction, whether or not for
consideration, including, but not limited to,
over-the-counter retail sales, mail order transactions,
phone order transactions, electronic distribution, or sale
on approval;
`(C) the term `as is' means, in the case of software
(including software with encryption capabilities), a
software program that is not designed, developed, or
tailored by the software publisher for specific purchasers,
except that such purchasers may supply certain installation
parameters needed by the software program to function
properly with the purchaser's system and may customize the
software program by choosing among options contained in the
software program;
`(D) the term `is designed for installation by the
purchaser' means, in the case of software (including
software with encryption capabilities) that--
`(i) the software publisher intends for the purchaser
(including any licensee or transferee), who may not be
the actual program user, to install the software
program on a computing device and has supplied the
necessary instructions to do so, except that the
publisher may also provide telephone help line services
for software installation, electronic transmission, or
basic operations; and
`(ii) the software program is designed for
installation by the purchaser without further
substantial support by the supplier;
`(E) the term `computing device' means a device which
incorporates one or more microprocessor-based central
processing units that can accept, store, process, or
provide output of data; and
`(F) the term `computer hardware', when used in
conjunction with information security, includes, but is not
limited to, computer systems, equipment,
application-specific assemblies, modules, and integrated
circuits.'.
(b) CONTINUATION OF EXPORT ADMINISTRATION ACT- For purposes of
carrying out the amendment made by subsection (a), the Export
Administration Act of 1979 shall be deemed to be in effect.
SEC. 4. EFFECT ON LAW ENFORCEMENT ACTIVITIES.
(a) COLLECTION OF INFORMATION BY ATTORNEY GENERAL- The Attorney
General shall compile, and maintain in classified form, data on the
instances in which encryption (as defined in section 2801 of title
18, United States Code) has interfered with, impeded, or obstructed
the ability of the Department of Justice to enforce the criminal
laws of the United States.
(b) AVAILABILITY OF INFORMATION TO THE CONGRESS- The information
compiled under subsection (a), including an unclassified summary
thereof, shall be made available, upon request, to any Member of
Congress.
SECTION 1. SHORT TITLE.
This Act may be cited as the `Security and Freedom Through
Encryption (SAFE) Act'.
SEC. 2. SALE AND USE OF ENCRYPTION.
(a) IN GENERAL- Part I of title 18, United States Code, is
amended by inserting after chapter 121 the following new chapter:
`CHAPTER 122--ENCRYPTED WIRE AND ELECTRONIC INFORMATION
`2801. Definitions.
`2802. Freedom to use encryption.
`2803. Freedom to sell encryption.
`2804. Prohibition on mandatory key escrow.
`2805. Unlawful use of encryption in furtherance of a criminal act.
`Sec. 2801. Definitions
`As used in this chapter--
`(1) the terms `person', `State', `wire communication',
`electronic communication', `investigative or law enforcement
officer', `judge of competent jurisdiction', and `electronic
storage' have the meanings given those terms in section 2510 of
this title;
`(2) the terms `encrypt' and `encryption' refer to the
scrambling of wire or electronic information using mathematical
formulas or algorithms in order to preserve the
confidentiality, integrity, or authenticity of, and prevent
unauthorized recipients from accessing or altering, such
information;
`(3) the term `key' means the variable information used in a
mathematical formula, code, or algorithm, or any component
thereof, used to decrypt wire or electronic information that
has been encrypted; and
`(4) the term `United States person' means--
`(A) any United States citizen;
`(B) any other person organized under the laws of any
State, the District of Columbia, or any commonwealth,
territory, or possession of the United States; and
`(C) any person organized under the laws of any foreign
country who is owned or controlled by individuals or
persons described in subparagraphs (A) and (B).
`Sec. 2802. Freedom to use encryption
`Subject to section 2805, it shall be lawful for any person
within any State, and for any United States person in a foreign
country, to use any encryption, regardless of the encryption
algorithm selected, encryption key length chosen, or implementation
technique or medium used.
`Sec. 2803. Freedom to sell encryption
`Subject to section 2805, it shall be lawful for any person
within any State to sell in interstate commerce any encryption,
regardless of the encryption algorithm selected, encryption key
length chosen, or implementation technique or medium used.
`Sec. 2804. Prohibition on mandatory key escrow
`(a) PROHIBITION- No person in lawful possession of a key to
encrypted information may be required by Federal or State law to
relinquish to another person control of that key.
`(b) EXCEPTION FOR ACCESS FOR LAW ENFORCEMENT PURPOSES-
Subsection (a) shall not affect the authority of any investigative
or law enforcement officer, acting under any law in effect on the
effective date of this chapter, to gain access to encrypted
information.
`Sec. 2805. Unlawful use of encryption in furtherance of a criminal
act
`Any person who willfully uses encryption in furtherance of the
commission of a criminal offense for which the person may be
prosecuted in a court of competent jurisdiction--
`(1) in the case of a first offense under this section, shall
be imprisoned for not more than 5 years, or fined in the amount
set forth in this title, or both; and
`(2) in the case of a second or subsequent offense under this
section, shall be imprisoned for not more than 10 years, or
fined in the amount set forth in this title, or both.'.
(b) CONFORMING AMENDMENT- The table of chapters for part I of
title 18, United States Code, is amended by inserting after the
item relating to chapter 33 the following new item:
2801'.
SEC. 3. EXPORTS OF ENCRYPTION.
(a) AMENDMENT TO EXPORT ADMINISTRATION ACT OF 1979- Section 17 of
the Export Administration Act of 1979 (50 U.S.C. App. 2416) is
amended by adding at the end thereof the following new subsection:
`(g) CERTAIN CONSUMER PRODUCTS, COMPUTERS, AND RELATED EQUIPMENT-
`(1) GENERAL RULE- Subject to paragraphs (2), (3), and (4),
the Secretary shall have exclusive authority to control exports
of all computer hardware, software, and technology for
information security (including encryption), except that which
is specifically designed or modified for military use,
including command, control, and intelligence applications.
`(2) ITEMS NOT REQUIRING LICENSES- No validated license may
be required, except pursuant to the Trading With The Enemy Act
or the International Emergency Economic Powers Act (but only to
the extent that the authority of such Act is not exercised to
extend controls imposed under this Act), for the export or
reexport of--
`(A) any consumer product commercially available within
the United States or abroad which--
`(i) includes encryption capabilities which are
inaccessible to the end user; and
`(ii) is not designed for military or intelligence
end use;
`(B) any component or subassembly designed for use in a
consumer product described in subparagraph (A) which itself
contains encryption capabilities and is not capable of
military or intelligence end use in its condition as
exported;
`(C) any software, including software with encryption
capabilities--
`(i) that is generally available, as is, and is
designed for installation by the purchaser;
`(ii) that is in the public domain for which
copyright or other protection is not available under
title 17, United States Code, or that is available to
the public because it is generally accessible to the
interested public in any form; or
`(iii) that is customized for an otherwise lawful use
by a specific purchaser or group of purchasers;
`(D) any computing device solely because it incorporates
or employs in any form--
`(i) software (including software with encryption
capabilities) that is exempted from any requirement for
a validated license under subparagraph (C); or
`(ii) software that is no more technically complex in
its encryption capabilties than software that is
exempted from any requirement for a validated license
under subparagraph (C) but is not designed for
installation by the purchaser;
`(E) any computer hardware that is generally available,
solely because it has encryption capabilities; or
`(F) any software or computing device solely on the basis
that it incorporates or employs in any form interface
mechanisms for interaction with other hardware and
software, including hardware, and software, with encryption
capabilities.
`(3) SOFTWARE WITH ENCRYPTION CAPABILITIES- The Secretary
shall authorize the export or reexport of software with
encryption capabilities for nonmilitary end uses in any country
to which exports of software of similar capability are
permitted for use by financial institutions not controlled in
fact by United States persons, unless there is substantial
evidence that such software will be--
`(A) diverted to a military end use or an end use
supporting international terrorism;
`(B) modified for military or terrorist end use; or
`(C) reexported without any authorization by the United
States that may be required under this Act.
`(4) HARDWARE WITH ENCRYPTION CAPABILITIES- The Secretary
shall authorize the export or reexport of computer hardware
with encryption capabilities if the Secretary determines that a
product offering comparable security is commercially available
outside the United States from a foreign supplier, without
effective restrictions.
`(5) DEFINITIONS- As used in this subsection--
`(A) the term `encryption' means the scrambling of wire
or electronic information using mathematical formulas or
algorithms in order to preserve the confidentiality,
integrity, or authenticity of, and prevent unauthorized
recipients from accessing or altering, such information;
`(B) the term `generally available' means--
`(i) in the case of software (including software with
encryption capabilities), software that is offered for
sale, license, or transfer to any person without
restriction, whether or not for consideration,
including, but not limited to, over-the-counter retail
sales, mail order transactions, phone order
transactions, electronic distribution, or sale on
approval; and
`(ii) in the case of hardware with encryption
capabilities, hardware that is offered for sale,
license, or transfer to any person without restriction,
whether or not for consideration, including, but not
limited to, over-the-counter retail sales, mail order
transactions, phone order transactions, electronic
distribution, or sale on approval;
`(C) the term `as is' means, in the case of software
(including software with encryption capabilities), a
software program that is not designed, developed, or
tailored by the software publisher for specific purchasers,
except that such purchasers may supply certain installation
parameters needed by the software program to function
properly with the purchaser's system and may customize the
software program by choosing among options contained in the
software program;
`(D) the term `is designed for installation by the
purchaser' means, in the case of software (including
software with encryption capabilities) that--
`(i) the software publisher intends for the purchaser
(including any licensee or transferee), who may not be
the actual program user, to install the software
program on a computing device and has supplied the
necessary instructions to do so, except that the
publisher may also provide telephone help line services
for software installation, electronic transmission, or
basic operations; and
`(ii) the software program is designed for
installation by the purchaser without further
substantial support by the supplier;
`(E) the term `computing device' means a device which
incorporates one or more microprocessor-based central
processing units that can accept, store, process, or
provide output of data; and
`(F) the term `computer hardware', when used in
conjunction with information security, includes, but is not
limited to, computer systems, equipment,
application-specific assemblies, modules, and integrated
circuits.'.
(b) CONTINUATION OF EXPORT ADMINISTRATION ACT- For purposes of
carrying out the amendment made by subsection (a), the Export
Administration Act of 1979 shall be deemed to be in effect.
SEC. 4. SENSE OF CONGRESS REGARDING INTERNATIONAL COOPERATION.
(a) FINDINGS- The Congress finds that--
(1) implementing export restrictions on widely available
technology without the concurrence of all countries capable of
producing, transshipping, or otherwise transferring that
technology is detrimental to the competitiveness of the United
States and should only be imposed on technology and countries
in order to protect the United States against a compelling
national security threat; and
(2) the President has not been able to come to agreement with
other encryption producing countries on export controls on
encryption and has imposed excessively stringent export
controls on this widely available technology.
(b) SENSE OF CONGRESS- It is the sense of the Congress that the
President should immediately take the necessary steps to call an
international conference for the purpose of coming to an agreement
with encryption producing countries on policies which will ensure
that the free use and trade of this technology does not hinder
mutual security.
[ [
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
[ [
(a) SHORT TITLE- This Act may be cited as the `Security
and Freedom through Encryption (`SAFE') Act of 1997'.
[ [
(b) TABLE OF CONTENTS- The table of contents is as follows:
[ [
Sec. 1. Short title; table of contents.
[ [
Sec. 2. Statement of policy.
[ [
TITLE I--DOMESTIC USES OF ENCRYPTION
[ [
Sec. 101. Definitions.
[ [
Sec. 102. Lawful use of encryption.
[ [
Sec. 103. Voluntary private sector participation in
key management infrastructure.
[ [
Sec. 104. Unlawful use of encryption.
[ [
TITLE II--GOVERNMENT PROCUREMENT
[ [
Sec. 201. Federal purchases of encryption products.
[ [
Sec. 202. Encryption products purchased with Federal
funds.
[ [
Sec. 203. Networks established with Federal funds.
[ [
Sec. 204. Product labels.
[ [
Sec. 205. No private mandate.
[ [
Sec. 206. Implementation.
[ [
TITLE III--EXPORTS OF ENCRYPTION
[ [
Sec. 301. Exports of encryption.
[ [
Sec. 302. License exception for certain encryption
products-
[ [
Sec. 303. License exception for telecommunications
products.
[ [
Sec. 304. Review for certain institutions.
[ [
Sec. 305. Encryption industry and information security
board.
[ [
TITLE IV--LIABILITY LIMITATIONS
[ [
Sec. 401. Compliance with court order.
[ [
Sec. 402. Compliance defense.
[ [
Sec. 403. Reasonable care defense.
[ [
Sec. 404. Good faith defense.
[ [
Sec. 405. Sovereign immunity.
[ [
Sec. 406. Civil action, generally.
[ [
TITLE V--INTERNATIONAL AGREEMENTS
[ [
Sec. 501. Sense of congress.
[ [
Sec. 502. Failure to negotiate.
[ [
Sec. 503. Report to congress.
[ [
TITLE VI--MISCELLANEOUS PROVISIONS
[ [
Sec. 601. Effect on law enforcement activities.
[ [
Sec. 602. Interpretation.
[ [
Sec. 603. Severability.
[ [
SEC. 2. STATEMENT OF POLICY.
[ [
It is the policy of the United States to protect public
computer networks through the use of strong encryption technology,
to promote and improve the export of encryption products developed
and manufactured in the United States, and to preserve public
safety and national security.
[ [
TITLE I--DOMESTIC USES OF ENCRYPTION
[ [
SEC. 101. DEFINITIONS.
[ [
For purposes of this Act:
[
[ (1) ATTORNEY FOR THE GOVERNMENT- The term `attorney
for the Government' has the meaning given such term in Rule
54(c) of the Federal Rules of Criminal Procedure, and also
includes any duly authorized attorney of a State who is
authorized to prosecute criminal offenses within such State.
[
[ (2) CERTIFICATE AUTHORITY- The term `certificate
authority' means a person trusted by one or more persons to
create and assign public key certificates.
[
[ (3) COMMUNICATIONS- The term `communications' means
any wire communications or electronic communications as those
terms are defined in paragraphs (1) and (12) of section 2510 of
title 18, United States Code.
[
[ (4) COURT OF COMPETENT JURISDICTION- The term `court
of competent jurisdiction' means any court of the United States
organized under Article III of the Constitution of the United
States, the court organized under the Foreign Intelligence
Surveillance Act of 1978 (50 U.S.C. 1801 et seq.), or a court
of general criminal jurisdiction of a State authorized pursuant
to the laws of such State to enter orders authorizing searches
and seizures.
[
[ (5) DATA NETWORK SERVICE PROVIDER- The term `data
network service provider' means a person offering any service
to the general public that provides the users thereof with the
ability to transmit or receive data, including communications.
[
[ (6) DECRYPTION- The term `decryption' means the
retransformation or unscrambling of encrypted data, including
communications, to its readable plaintext version. To `decrypt'
data, including communications, is to perform decryption.
[
[ (7) DECRYPTION INFORMATION- The term `decryption
information' means information or technology that enables one
to readily retransform or unscramble encrypted data from its
unreadable and incomprehensible format to its readable
plaintext version.
[
[ (8) ELECTRONIC STORAGE- The term `electronic
storage' has the meaning given that term in section 2510(17) of
title 18, United States Code.
[
[ (9) ENCRYPTION- The term `encryption' means the
transformation or scrambling of data, including communications,
from plaintext to an unreadable or incomprehensible format,
regardless of the technique utilized for such transformation or
scrambling and irrespective of the medium in which such data,
including communications, occur or can be found, for the
purposes of protecting the content of such data, including
communications. To `encrypt' data, including communications, is
to perform encryption.
[
[ (10) ENCRYPTION PRODUCT- The term `encryption
product' means any software, technology, or mechanism, that can
be used to encrypt or decrypt, or has the capability of
encrypting or decrypting any data, including communications.
[
[ (11) FOREIGN AVAILABILITY- The term `foreign
availability' has the meaning applied to foreign availability
of encryption products subject to controls under the Export
Administration Regulations, as in effect on September 1, 1997.
[
[ (12) GOVERNMENT- The term `Government' means the
Government of the United States and any agency or
instrumentality thereof, or the government of any State.
[
[ (13) INVESTIGATIVE OR LAW ENFORCEMENT OFFICER- The
term `investigative or law enforcement officer' has the meaning
given that term in section 2510(7) of title 18, United States
Code.
[
[ (14) KEY RECOVERY AGENT- The term `key recovery
agent' means a person trusted by another person or persons to
hold and maintain sufficient decryption information to allow
for the immediate decryption of the encrypted data or
communications of another person or persons for whom that
information is held, and who holds and maintains that
information as a business or governmental practice, whether or
not for profit. The term `key recovery agent' includes any
person who holds his or her decryption information.
[
[ (15) NATIONAL SECURITY- The term `national security'
means the national defense, foreign relations, or economic
interests of the United States.
[
[ (16) PLAINTEXT- The term `plaintext' means the
readable or comprehensible format of data, including
communications, prior to its being encrypted or after it has
been decrypted.
[
[ (17) PLAINVOICE- The term `plainvoice' means
communication specific plaintext.
[
[ (18) SECRETARY- The term `Secretary' means the
Secretary of Commerce, unless otherwise specifically identified.
[
[ (19) STATE- The term `State' has the meaning given
that term in section 2510(3) of title 18, United States Code.
[
[ (20) TELECOMMUNICATIONS CARRIER- The term
`telecommunications carrier' has the meaning given that term in
section 102(8) of the Communications Assistance for Law
Enforcement Act (47 U.S.C. 1001(8)).
[
[ (21) TELECOMMUNICATIONS SYSTEM- The term
`telecommunications system' means any equipment, technology, or
related software used in the movement, switching, interchange,
transmission, reception, or internal signaling of data,
including communications over wire, fiber optic, radio
frequency, or other medium.
[
[ (22) UNITED STATES PERSON- The term `United States
person' means--
[
[ (A) any citizen of the United States;
[
[ (B) any other person organized under
the laws of any State; and
[
[ (C) any person organized under the laws
of any foreign country who is owned or controlled by
individuals or persons described in subparagraphs (A) and
(B).
[ [
SEC. 102. LAWFUL USE OF ENCRYPTION.
[ [
Except as otherwise provided by this Act or otherwise
provided by law, it shall be lawful for any person within any State
and for any United States person to use any encryption product,
regardless of encryption algorithm selected, encryption key length
chosen, or implementation technique or medium used.
[ [
SEC. 103. VOLUNTARY PRIVATE SECTOR
PARTICIPATION IN KEY MANAGEMENT INFRASTRUCTURE.
[ [
(a) USE IS VOLUNTARY- The use of certificate authorities
or key recovery agents is voluntary.
[ [
(b) REGULATIONS- The Secretary shall promulgate
regulations establishing standards for creating key management
infrastructures. Such regulations should--
[
[ (1) allow for the voluntary participation by private
persons and non-Federal entities; and
[
[ (2) promote the development of certificate
authorities and key recovery agents.
[ [
(c) REGISTRATION OF CERTIFICATE AUTHORITIES AND KEY
RECOVERY AGENTS- Certificate authorities and key recovery agents
meeting the standards established by the Secretary may be
registered by the Secretary if they so choose, and may identify
themselves as meeting the standards of the Secretary.
[ [
SEC. 104. UNLAWFUL USE OF ENCRYPTION.
[ [
(a) IN GENERAL- Part I of title 18, United States Code, is
amended by inserting after chapter 121 the following new chapter:
`CHAPTER 122--ENCRYPTED DATA, INCLUDING COMMUNICATIONS
`Sec.
[ [
`2801. Unlawful use of encryption in furtherance of a
criminal act.
[ [
`2802. Privacy protection.
[ [
`2803. Unlawful sale of encryption.
[ [
`2804. Encryption products manufactured and intended
for use in the United States.
[ [
`2805. Injunctive relief and proceedings.
[ [
`2806. Court order access to plaintext.
[ [
`2807. Notification procedures.
[ [
`2808. Lawful use of plaintext or decryption
information.
[ [
`2809. Identification of decryption information.
[ [
`2810. Unlawful export of certain encryption products.
[ [
`2811. Definitions.
[ [
`Sec. 2801. Unlawful use of encryption in furtherance of a
criminal act
[ [
`(a) PROHIBITED ACTS- Whoever knowingly uses encryption in
furtherance of the commission of a criminal offense for which the
person may be prosecuted in a district court of the United States
shall--
[
[ `(1) in the case of a first offense under this
section, be imprisoned for not more than 5 years, or fined
under this title, or both; and
[
[ `(2) in the case of a second or subsequent offense
under this section, be imprisoned for not more than 10 years,
or fined under this title, or both.
[ [
`(b) CONSECUTIVE SENTENCE- Notwithstanding any other
provision of law, the court shall not place on probation any person
convicted of a violation of this section, nor shall the term of
imprisonment imposed under this section run concurrently with any
other term of imprisonment imposed for the underlying criminal
offense.
[ [
`(c) PROBABLE CAUSE NOT CONSTITUTED BY USE OF ENCRYPTION-
The use of encryption alone shall not constitute probable cause to
believe that a crime is being or has been committed.
[ [
`Sec. 2802. Privacy protection
[ [
`(a) IN GENERAL- It shall be unlawful for any person to
intentionally--
[
[ `(1) obtain or use decryption information without
lawful authority for the purpose of decrypting data, including
communications;
[
[ `(2) exceed lawful authority in decrypting data,
including communications;
[
[ `(3) break the encryption code of another person
without lawful authority for the purpose of violating the
privacy or security of that person or depriving that person of
any property rights;
[
[ `(4) impersonate another person for the purpose of
obtaining decryption information of that person without lawful
authority;
[
[ `(5) facilitate or assist in the encryption of data,
including communications, knowing that such data, including
communications, are to be used in furtherance of a crime; or
[
[ `(6) disclose decryption information in violation of
a provision of this chapter.
[ [
`(b) CRIMINAL PENALTY- Whoever violates this section shall
be imprisoned for not more than 10 years, or fined under this
title, or both.
[ [
`Sec. 2803. Unlawful sale of encryption
[ [
`Whoever, after January 31, 2000, sells in interstate or
foreign commerce any encryption product that does not include
features or functions permitting duly authorized persons immediate
access to plaintext or immediate decryption capabilities shall be
imprisoned for not more than 5 years, fined under this title, or
both.
[ [
`Sec. 2804. Encryption products manufactured and intended
for use in the United States
[ [
`(a) PUBLIC NETWORK SERVICE PROVIDERS- After January 31,
2000, public network service providers offering encryption products
or encryption services shall ensure that such products or services
enable the immediate decryption or access to plaintext of the data,
including communications, encrypted by such products or services on
the public network upon receipt of a court order or warrant,
pursuant to section 2806.
[ [
`(b) MANUFACTURERS, DISTRIBUTORS, AND IMPORTERS- After
January 31, 2000, it shall be unlawful for any person to
manufacture for distribution, distribute, or import encryption
products intended for sale or use in the United States, unless that
product--
[
[ `(1) includes features or functions that provide an
immediate access to plaintext capability, through any means,
mechanism, or technological method that--
[
[ `(A) permits immediate decryption of
the encrypted data, including communications, upon the
receipt of decryption information by an authorized party in
possession of a facially valid order issued by a court of
competent jurisdiction; and
[
[ `(B) allows the decryption of encrypted
data, including communications, without the knowledge or
cooperation of the person being investigated, subject to
the requirements set forth in section 2806;
[
[ `(2) can be used only on systems or networks that
include features or functions that provide an immediate access
to plaintext capability, through any means, mechanism, or
technological method that--
[
[ `(A) permits immediate decryption of
the encrypted data, including communications, upon the
receipt of decryption information by an authorized party in
possession of a facially valid order issued by a court of
competent jurisdiction; and
[
[ `(B) allows the decryption of encrypted
data, including communications, without the knowledge or
cooperation of the person being investigated, subject to
the requirements set forth in section 2806; or
[
[ `(3) otherwise meets the technical requirements and
functional criteria promulgated by the Attorney General under
subsection (c).
[ [
`(c) ATTORNEY GENERAL CRITERIA-
[
[ `(1) PUBLICATION OF REQUIREMENTS- Within 180 days
after the date of the enactment of this chapter, the Attorney
General shall publish in the Federal Register technical
requirements and functional criteria for complying with the
decryption requirements set forth in this section.
[
[ `(2) PROCEDURES FOR ADVISORY OPINIONS- Within 180
days after the date of the enactment of this chapter, the
Attorney General shall promulgate procedures by which data
network service providers and encryption product manufacturers,
sellers, re-sellers, distributors, and importers may obtain
advisory opinions as to whether an encryption product intended
for sale or use in the United States after January 31, 2000,
meets the requirements of this section and the technical
requirements and functional criteria promulgated pursuant to
paragraph (1).
[
[ `(3) PARTICULAR METHODOLOGY NOT REQUIRED- Nothing in
this chapter or any other provision of law shall be construed
as requiring the implementation of any particular decryption
methodology in order to satisfy the requirements of subsections
(a) and (b), or the technical requirements and functional
criteria required by the Attorney General under paragraph (1).
[ [
`(d) USE OF PRIOR PRODUCTS LAWFUL- After January 31, 2000,
it shall not be unlawful to use any encryption product purchased or
in use prior to such date.
[ [
`Sec. 2805. Injunctive relief and proceedings
[ [
`(a) INJUNCTION- Whenever it appears to the Secretary or
the Attorney General that any person is engaged in, or is about to
engage in, any act that constitutes, or would constitute, a
violation of section 2804, the Attorney General may initiate a
civil action in a district court of the United States to enjoin
such violation. Upon the filing of the complaint seeking injunctive
relief by the Attorney General, the court shall automatically issue
a temporary restraining order against the party being sued.
[ [
`(b) BURDEN OF PROOF- In a suit brought by the Attorney
General under subsection (a), the burden shall be upon the
Government to establish by a preponderance of the evidence that the
encryption product involved does not comport with the requirements
set forth by the Attorney General pursuant to section 2804
providing for immediate access to plaintext by Federal, State, or
local authorities.
[ [
`(c) CLOSING OF PROCEEDINGS- (1) Upon motion of the party
against whom injunction is being sought--
[
[ `(A) any or all of the proceedings under this
section shall be closed to the public; and
[
[ `(B) public disclosure of the proceedings shall be
treated as contempt of court.
[ [
`(2) Upon a written finding by the court that public
disclosure of information relevant to the prosecution of the
injunction or relevant to a determination of the factual or legal
issues raised in the case would cause irreparable or financial harm
to the party against whom the suit is brought, or would otherwise
disclose proprietary information of any party to the case, all
proceedings shall be closed to members of the public, except the
parties to the suit, and all transcripts, motions, and orders shall
be placed under seal to protect their disclosure to the general
public.
[ [
`(d) ADVISORY OPINION AS DEFENSE- It is an absolute
defense to a suit under this subsection that the party against whom
suit is brought obtained an advisory opinion from the Attorney
General pursuant to section 2804(c) and that the product at issue
in the suit comports in every aspect with the requirements
announced in such advisory opinion.
[ [
`(e) BASIS FOR PERMANENT INJUNCTION- The court shall issue
a permanent injunction against the distribution of, and any future
manufacture of, the encryption product at issue in the suit filed
under subsection (a) if the court finds by a preponderance of the
evidence that the product does not meet the requirements set forth
by the Attorney General pursuant to section 2804 providing for
immediate access to plaintext by Federal, State, or local
authorities.
[ [
`(f) APPEALS- Either party may appeal, to the appellate
court with jurisdiction of the case, any adverse ruling by the
district court entered pursuant to this section. For the purposes
of appeal, the parties shall be governed by the Federal Rules of
Appellate Procedure, except that the Government shall file its
notice of appeal not later than 30 days after the entry of the
final order on the docket of the district court. The appeal of such
matter shall be considered on an expedited basis and resolved as
soon as practicable.
[ [
`Sec. 2806. Court order access to plaintext
[ [
`(a) COURT ORDER- (1) A court of competent jurisdiction
shall issue an order, ex parte, granting an investigative or law
enforcement officer immediate access to the plaintext of encrypted
data, including communications, or requiring any person in
possession of decryption information to provide such information to
a duly authorized investigative or law enforcement officer--
[
[ `(A) upon the application by an attorney for the
Government that--
[
[ `(i) is made under oath or affirmation
by the attorney for the Government; and
[
[ `(ii) provides a factual basis
establishing the relevance that the plaintext or decryption
information being sought has to a law enforcement or
foreign counterintelligence investigation then being
conducted pursuant to lawful authorities; and
[
[ `(B) if the court finds, in writing, that the
plaintext or decryption information being sought is relevant to
an ongoing lawful law enforcement or foreign
counterintelligence investigation and the investigative or law
enforcement officer is entitled to such plaintext or decryption
information.
[ [
`(2) The order issued by the court under this section
shall be placed under seal, except that a copy may be made
available to the investigative or law enforcement officer
authorized to obtain access to the plaintext of the encrypted
information, or authorized to obtain the decryption information
sought in the application. Such order shall also be made available
to the person responsible for providing the plaintext or the
decryption information, pursuant to such order, to the
investigative or law enforcement officer.
[ [
`(3) Disclosure of an application made, or order issued,
under this section, is not authorized, except as may otherwise be
specifically permitted by this section or another order of the court.
[ [
`(b) OTHER ORDERS- An attorney for the Government may make
application to a district court of the United States for an order
under subsection (a), upon a request from a foreign country
pursuant to a Mutual Legal Assistance Treaty with such country that
is in effect at the time of the request from such country.
[ [
`(c) RECORD OF ACCESS REQUIRED- (1) There shall be created
an electronic record, or similar type record, of each instance in
which an investigative or law enforcement officer, pursuant to an
order under this section, gains access to the plaintext of
otherwise encrypted information, or is provided decryption
information, without the knowledge or consent of the owner of the
data, including communications, who is the user of the encryption
product involved.
[ [
`(2) The court issuing the order under this section shall
require that the electronic or similar type of record described in
paragraph (1) is maintained in a place and a manner that is not
within the custody or control of an investigative or law
enforcement officer gaining the access or provided the decryption
information. The record shall be tendered to the court, upon notice
from the court.
[ [
`(3) The court receiving such electronic or similar type
of record described in paragraph (1) shall make the original and a
certified copy of the record available to the attorney for the
Government making application under this section, and to the
attorney for, or directly to, the owner of the data, including
communications, who is the user of the encryption product.
[ [
`(d) AUTHORITY TO INTERCEPT COMMUNICATIONS NOT INCREASED-
Nothing in this chapter shall be construed to enlarge or modify the
circumstances or procedures under which a Government entity is
entitled to intercept or obtain oral, wire, or electronic
communications or information.
[ [
`(e) CONSTRUCTION- This chapter shall be strictly
construed to apply only to a Government entity's ability to decrypt
data, including communications, for which it has previously
obtained lawful authority to intercept or obtain pursuant to other
lawful authorities that would otherwise remain encrypted.
[ [
`Sec. 2807. Notification procedures
[ [
`(a) IN GENERAL- Within a reasonable time, but not later
than 90 days after the filing of an application for an order under
section 2806 which is granted, the court shall cause to be served,
on the persons named in the order or the application, and such
other parties whose decryption information or whose plaintext has
been provided to an investigative or law enforcement officer
pursuant to this chapter as the court may determine that is in the
interest of justice, an inventory which shall include notice of--
[
[ `(1) the fact of the entry of the order or the
application;
[
[ `(2) the date of the entry of the application and
issuance of the order; and
[
[ `(3) the fact that the person's decryption
information or plaintext data, including communications, have
been provided or accessed by an investigative or law
enforcement officer.
The court, upon the filing of a motion, may make available to that
person or that person's counsel, for inspection, such portions of
the plaintext, applications, and orders as the court determines to
be in the interest of justice. On an ex parte showing of good cause
to a court of competent jurisdiction, the serving of the inventory
required by this subsection may be postponed.
[ [
`(b) ADMISSION INTO EVIDENCE- The contents of any
encrypted information that has been obtained pursuant to this
chapter or evidence derived therefrom shall not be received in
evidence or otherwise disclosed in any trial, hearing, or other
proceeding in a Federal or State court unless each party, not less
than 10 days before the trial, hearing, or proceeding, has been
furnished with a copy of the order, and accompanying application,
under which the decryption or access to plaintext was authorized or
approved. This 10-day period may be waived by the court if the
court finds that it was not possible to furnish the party with the
information described in the preceding sentence within 10 days
before the trial, hearing, or proceeding and that the party will
not be prejudiced by the delay in receiving such information.
[ [
`(c) CONTEMPT- Any violation of the provisions of this
section may be punished by the court as a contempt thereof.
[ [
`(d) MOTION TO SUPPRESS- Any aggrieved person in any
trial, hearing, or proceeding in or before any court, department,
officer, agency, regulatory body, or other authority of the United
States or a State may move to suppress the contents of any
decrypted data, including communications, obtained pursuant to this
chapter, or evidence derived therefrom, on the grounds that --
[
[ `(1) the plaintext was unlawfully decrypted or
accessed;
[
[ `(2) the order of authorization or approval under
which it was decrypted or accessed is insufficient on its face;
or
[
[ `(3) the decryption was not made in conformity with
the order of authorization or approval.
Such motion shall be made before the trial, hearing, or proceeding
unless there was no opportunity to make such motion, or the person
was not aware of the grounds of the motion. If the motion is
granted, the plaintext of the decrypted data, including
communications, or evidence derived therefrom, shall be treated as
having been obtained in violation of this chapter. The court, upon
the filing of such motion by the aggrieved person, may make
available to the aggrieved person or that person's counsel for
inspection such portions of the decrypted plaintext, or evidence
derived therefrom, as the court determines to be in the interests
of justice.
[ [
`(e) APPEAL BY UNITED STATES- In addition to any other
right to appeal, the United States shall have the right to appeal
from an order granting a motion to suppress made under subsection
(d), or the denial of an application for an order under section
2806, if the United States attorney certifies to the court or other
official granting such motion or denying such application that the
appeal is not taken for purposes of delay. Such appeal shall be
taken within 30 days after the date the order was entered on the
docket and shall be diligently prosecuted.
[ [
`(f) CIVIL ACTION FOR VIOLATION- Except as otherwise
provided in this chapter, any person described in subsection (g)
may in a civil action recover from the United States Government the
actual damages suffered by the person as a result of a violation
described in that subsection, reasonable attorney's fees, and other
litigation costs reasonably incurred in prosecuting such claim.
[ [
`(g) COVERED PERSONS- Subsection (f) applies to any person
whose decryption information--
[
[ `(1) is knowingly obtained without lawful authority
by an investigative or law enforcement officer;
[
[ `(2) is obtained by an investigative or law
enforcement officer with lawful authority and is knowingly used
or disclosed by such officer unlawfully; or
[
[ `(3) is obtained by an investigative or law
enforcement officer with lawful authority and whose decryption
information is unlawfully used to disclose the plaintext of the
data, including communications.
[ [
`(h) LIMITATION- A civil action under subsection (f) shall
be commenced not later than 2 years after the date on which the
unlawful action took place, or 2 years after the date on which the
claimant first discovers the violation, whichever is later.
[ [
`(i) EXCLUSIVE REMEDIES- The remedies and sanctions
described in this chapter with respect to the decryption of data,
including communications, are the only judicial remedies and
sanctions for violations of this chapter involving such
decryptions, other than violations based on the deprivation of any
rights, privileges, or immunities secured by the Constitution.
[ [
`(j) TECHNICAL ASSISTANCE BY PROVIDERS- A provider of
encryption technology or network service that has received an order
issued by a court pursuant to this chapter shall provide to the
investigative or law enforcement officer concerned such technical
assistance as is necessary to execute the order. Such provider may,
however, move the court to modify or quash the order on the ground
that its assistance with respect to the decryption or access to
plaintext cannot be performed in a timely or reasonable fashion.
The court, upon notice to the Government, shall decide such motion
expeditiously.
[ [
`(k) REPORTS TO CONGRESS- In May of each year, the
Attorney General, or an Assistant Attorney General specifically
designated by the Attorney General, shall report in writing to
Congress on the number of applications made and orders entered
authorizing Federal, State, and local law enforcement access to
decryption information for the purposes of reading the plaintext of
otherwise encrypted data, including communications, pursuant to
this chapter. Such reports shall be submitted to the Committees on
the Judiciary of the House of Representatives and of the Senate,
and to the Permanent Select Committee on Intelligence for the House
of Representatives and the Select Committee on Intelligence for the
Senate.
[ [
`Sec. 2808. Lawful use of plaintext or decryption
information
[ [
`(a) AUTHORIZED USE OF DECRYPTION INFORMATION-
[
[ `(1) CRIMINAL INVESTIGATIONS- An investigative or
law enforcement officer to whom plaintext or decryption
information is provided may use such plaintext or decryption
information for the purposes of conducting a lawful criminal
investigation or foreign counterintelligence investigation, and
for the purposes of preparing for and prosecuting any criminal
violation of law.
[
[ `(2) CIVIL REDRESS- Any plaintext or decryption
information provided under this chapter to an investigative or
law enforcement officer may not be disclosed, except by court
order, to any other person for use in a civil proceeding that
is unrelated to a criminal investigation and prosecution for
which the plaintext or decryption information is authorized
under paragraph (1). Such order shall only issue upon a showing
by the party seeking disclosure that there is no alternative
means of obtaining the plaintext, or decryption information,
being sought and the court also finds that the interests of
justice would not be served by nondisclosure.
[ [
`(b) LIMITATION- An investigative or law enforcement
officer may not use decryption information obtained under this
chapter to determine the plaintext of any data, including
communications, unless it has obtained lawful authority to obtain
such data, including communications, under other lawful authorities.
[ [
`(c) RETURN OF DECRYPTION INFORMATION- An attorney for the
Government shall, upon the issuance of an order of a court of
competent jurisdiction--
[
[ `(1)(A) return any decryption information to the
person responsible for providing it to an investigative or law
enforcement officer pursuant to this chapter; or
[
[ `(B) destroy such decryption information, if the
court finds that the interests of justice or public safety
require that such decryption information should not be returned
to the provider; and
[
[ `(2) within 10 days after execution of the court's
order to destroy the decryption information--
[
[ `(A) certify to the court that the
decryption information has either been returned or
destroyed consistent with the court's order; and
[
[ `(B) notify the provider of the
decryption information of the destruction of such
information.
[ [
`(d) OTHER DISCLOSURE OF DECRYPTION INFORMATION- Except as
otherwise provided in section 2806, a key recovery agent may not
disclose decryption information stored with the key recovery agent
by a person unless the disclosure is--
[
[ `(1) to the person, or an authorized agent thereof;
[
[ `(2) with the consent of the person, including
pursuant to a contract entered into with the person;
[
[ `(3) pursuant to a court order upon a showing of
compelling need for the information that cannot be accommodated
by any other means if--
[
[ `(A) the person who supplied the
information is given reasonable notice, by the person
seeking the disclosure, of the court proceeding relevant to
the issuance of the court order; and
[
[ `(B) the person who supplied the
information is afforded the opportunity to appear in the
court proceeding and contest the claim of the person
seeking the disclosure;
[
[ `(4) pursuant to a determination by a court of
competent jurisdiction that another person is lawfully entitled
to hold such decryption information, including determinations
arising from legal proceedings associated with the incapacity,
death, or dissolution of any person; or
[
[ `(5) otherwise permitted by a provision of this
chapter or otherwise permitted by law.
[ [
`Sec. 2809. Identification of decryption information
[ [
`(a) IDENTIFICATION- To avoid inadvertent disclosure, any
person who provides decryption information to an investigative or
law enforcement officer pursuant to this chapter shall specifically
identify that part of the material provided that discloses
decryption information as such.
[ [
`(b) RESPONSIBILITY OF INVESTIGATIVE OR LAW ENFORCEMENT
OFFICER- The investigative or law enforcement officer receiving any
decryption information under this chapter shall maintain such
information in facilities and in a method so as to reasonably
assure that inadvertent disclosure does not occur.
[ [
`Sec. 2810. Unlawful export of certain encryption products
[ [
`Whoever, after January 31, 2000, knowingly exports an
encryption product that does not include features or functions
providing duly authorized persons immediate access to plaintext or
immediate decryption capabilities, as required under law, shall be
imprisoned for not more than 5 years, fined under this title, or
both.
[ [
`Sec. 2811. Definitions
[ [
`The definitions set forth in section 101 of the Security
and Freedom through Encryption (`SAFE`) Act of 1997 shall apply to
this chapter.'.
[ [
(b) CONFORMING AMENDMENT- The table of chapters for part I
of title 18, United States Code, is amended by inserting after the
item relating to chapter 121 the following new item:
2801'.
[ [
TITLE II--GOVERNMENT PROCUREMENT
[ [
SEC. 201. FEDERAL PURCHASES OF
ENCRYPTION PRODUCTS.
[ [
After January 1, 1999, any encryption product or service
purchased or otherwise procured by the United States Government to
provide the security service of data confidentiality for a Federal
computer system shall include a technique enabling immediate
decryption by an authorized party without the knowledge or
cooperation of the person using such encryption products or services.
[ [
SEC. 202. ENCRYPTION PRODUCTS PURCHASED
WITH FEDERAL FUNDS.
[ [
After January 1, 1999, any encryption product or service
purchased directly with Federal funds to provide the security
service of data confidentiality shall include a technique enabling
immediate decryption by an authorized party without the knowledge
or cooperation of the person using such encryption product or
service unless the Secretary, with the concurrence of the Attorney
General, determines implementing this requirement would not promote
the purposes of this Act.
[ [
SEC. 203. NETWORKS ESTABLISHED WITH
FEDERAL FUNDS.
[ [
After January 1, 1999, any communications network
established with the use of Federal funds shall use encryption
products which include techniques enabling immediate decryption by
an authorized party without the knowledge or cooperation of the
person using such encryption products or services unless the
Secretary, with the concurrence of the Attorney General, determines
implementing this requirement would not promote the purposes of
this Act.
[ [
SEC. 204. PRODUCT LABELS.
[ [
An encryption product may be labeled to inform users that
the product is authorized for sale to or for use in transactions
and communications with the United States Government under this
title.
[ [
SEC. 205. NO PRIVATE MANDATE.
[ [
The United States Government may not mandate the use of
encryption standards for the private sector other than for use with
computer systems, networks, or other systems of the United States
Government, or systems or networks created using Federal funds.
[ [
SEC. 206. IMPLEMENTATION.
[ [
(a) EXCLUSION- Nothing in this title shall apply to
encryption products and services used solely for access control,
authentication, integrity, nonrepudiation, digital signatures, or
other similar purposes.
[ [
(b) RULEMAKING- The Secretary, in consultation with the
Attorney General and other affected agencies, may through rules
provide for the orderly implementation of this title and the
effective use of secure public networks.
[ [
TITLE III--EXPORTS OF ENCRYPTION
[ [
SEC. 301. EXPORTS OF ENCRYPTION.
[ [
(a) COORDINATION OF EXECUTIVE BRANCH AGENCIES REQUIRED-
The Secretary, in close coordination with the Secretary of Defense
and any other executive branch department or agency with
responsibility for protecting the national security, shall have the
authority to control the export of encryption products not
controlled on the United States Munitions List.
[ [
(b) DECISIONS NOT SUBJECT TO JUDICIAL REVIEW- Decisions
made by the Secretary pursuant to subsection (a) with respect to
exports of encryption products under this title shall not be
subject to judicial review.
[ [
SEC. 302. LICENSE EXCEPTION FOR CERTAIN
ENCRYPTION PRODUCTS.
[ [
(a) LICENSE EXCEPTION- After January 31, 2000, encryption
products, without regard to encryption strength, shall be eligible
for export under a license exception if such encryption product--
[
[ (1) is submitted to the Secretary for a 1-time
product review;
[
[ (2) does not include features or functions that
would otherwise require licensing under applicable regulations;
[
[ (3) is not destined for countries, end users, or end
uses that the Secretary, in coordination with the Secretary of
Defense and other executive branch departments or agencies with
responsibility for protecting the national security, by
regulation, has determined should be ineligible to receive such
products, and is otherwise qualified for export; and
[
[ (4)(A) includes features or functions providing an
immediate access to plaintext capability, if there is lawful
authority for such immediate access; or
[
[ (B) includes features or functions providing an
immediate decryption capability of the encrypted data,
including communications, upon the receipt of decryption
information by an authorized party, and such decryption can be
accomplished without unauthorized disclosure.
[ [
(b) ENABLING OF DECRYPTION CAPABILITIES- The features or
functions described in subsection (a)(4) need not be enabled by the
manufacturer before or at the time of export for purposes of this
title. Such features or functions may be enabled by the purchaser
or end user.
[ [
(c) RESPONSIBILITIES OF THE SECRETARY- The Secretary, in
close coordination with the Secretary of Defense and other
executive branch departments or agencies with responsibility for
protecting the national security, shall--
[
[ (1) specify, by regulation, the information that
must be submitted for the 1-time review referred to in this
section; and
[
[ (2) make all export determinations under this title
within 30 days following the date of submission to the
Secretary of--
[
[ (A) the completed application for a
license exception; and
[
[ (B) the encryption product intended for
export that is to be reviewed as required by this section.
[ [
(d) EXERCISE OF OTHER AUTHORITIES- The Secretary, and the
Secretary of Defense, may exercise the authorities they have under
other provisions of law, including the Export Administration Act of
1979, as continued in effect under the International Emergency
Economic Powers Act, to carry out this section.
[ [
(e) PRESUMPTION IN FAVOR OF EXPORTS- There shall be a
presumption in favor of export of encryption products under this
title.
[ [
(f) WAIVER AUTHORITY- The President may by Executive order
waive any provision of this title, or the applicability of any such
provision to a person or entity, if the President determines that
the waiver is in the interests of national security or public
safety and security. The President shall submit a report to the
relevant committees of the Congress not later than 15 days after
such determination. The report shall include the factual basis upon
which such determination was made. The report may be in classified
format.
[ [
(g) RELEVANT COMMITTEES- The relevant committees of the
Congress described in subsection (f) are the Committee on
International Relations, the Committee on the Judiciary, the
Committee on National Security, and the Permanent Select Committee
on Intelligence of the House of Representatives, and the Committee
on Foreign Relations, the Committee on the Judiciary, the Committee
on Armed Services, and the Select Committee on Intelligence of the
Senate.
[ [
SEC. 303. LICENSE EXCEPTION FOR
TELECOMMUNICATIONS PRODUCTS.
[ [
After a 1-time review as described in section 302, the
Secretary shall authorize for export under a license exception
voice encryption products that do not contain decryption or access
to plainvoice features or functions otherwise required in section
302, if the Secretary, after consultation with relevant executive
branch departments or agencies, determines that--
[
[ (1) information recovery requirements for such
exports would disadvantage United States exporters; and
[
[ (2) such exports under a license exception would not
create a risk to the foreign policy, non-proliferation, or
national security of the United States.
[ [
SEC. 304. REVIEW FOR CERTAIN INSTITUTIONS.
[ [
The Secretary, in consultation with other executive branch
departments or agencies, shall establish a procedure for expedited
review of export license applications involving encryption products
for use by qualified banks, financial institutions, subsidiaries of
companies owned or controlled by United States persons, or other
users specifically authorized by the Secretary.
[ [
SEC. 305. ENCRYPTION INDUSTRY AND
INFORMATION SECURITY BOARD.
[ [
(a) ENCRYPTION INDUSTRY AND INFORMATION SECURITY BOARD
ESTABLISHED- There is hereby established an Encryption Industry and
Information Security Board. The Board shall undertake an advisory
role for the President.
[ [
(b) PURPOSES- The purposes of the Board are--
[
[ (1) to provide a forum to foster communication and
coordination between industry and the Federal Government on
matters relating to the use of encryption products;
[
[ (2) to promote the export of encryption products
manufactured in the United States;
[
[ (3) to encourage research and development of
products that will foster electronic commerce;
[
[ (4) to recommend policies enhancing the security of
public networks;
[
[ (5) to promote the protection of intellectual
property and privacy rights of individuals using public networks;
[
[ (6) to enable the United States to effectively and
continually understand the benefits and risks to its national
security, law enforcement, and public safety interests by
virtue of the proliferation of strong encryption on the global
market;
[
[ (7) to evaluate and make recommendations regarding
the further development and use of encryption;
[
[ (8) to advance the development of international
standards regarding interoperability and global use of
encryption products; and
[
[ (9) to evaluate the foreign availability of
encryption products and their threat to United States industry.
[ [
(c) MEMBERSHIP- (1) The Board shall be composed of 13
members, as follows:
[
[ (A) The Secretary, or the Secretary's designee, who
shall chair the Board.
[
[ (B) The Attorney General, or the Director of the
Federal Bureau of Investigation, or a respective designee.
[
[ (C) The Secretary of Defense, or the Secretary's
designee.
[
[ (D) the Director of Central Intelligence, or his or
her designee.
[
[ (E) The Special Assistant to the President for
National Security Affairs, or his or her designee.
[
[ (F) Two private sector individuals, appointed by the
President, who have expertise in consumer and privacy interests
relating to or affected by information security technology.
[
[ (G) Six representatives from the private sector who
have expertise in the development, operation, marketing, law,
or public policy relating to information security or technology.
[ [
(2) The six private sector representatives described in
paragraph (1)(G) shall be appointed as follows:
[
[ (A) Two by the Speaker of the House of
Representatives.
[
[ (B) One by the Minority Leader of the
House of Representatives.
[
[ (C) Two by the Majority Leader of the
Senate.
[
[ (D) One by the Minority Leader of the
Senate.
[ [
(e) MEETINGS- The Board shall meet at such times and in
such places as the Secretary may prescribe, but not less frequently
than every four months. The Federal Advisory Committee Act (5
U.S.C. App.) does not apply to the Board or to meetings held by the
Board under this section.
[ [
(f) FINDINGS AND RECOMMENDATIONS- The chair of the Board
shall convey the findings and recommendations of the Board to the
President and to the Congress within 30 days after each meeting of
the Board. The recommendations of the Board are not binding upon
the President.
[ [
(g) FOREIGN AVAILABILITY- The consideration of foreign
availability by the Board shall include computer software that is
distributed over the Internet or advertised for sale, license, or
transfer, including over-the-counter retail sales, mail order
transactions, telephone order transactions, electronic
distribution, or sale on approval.
[ [
TITLE IV--LIABILITY LIMITATIONS
[ [
SEC. 401. COMPLIANCE WITH COURT ORDER.
[ [
(a) NO LIABILITY FOR COMPLIANCE- Subject to subsection
(b), no civil or criminal liability under this Act, or under any
other provision of law, shall attach to any person for disclosing
or providing--
[
[ (1) the plaintext of encrypted data, including
communications;
[
[ (2) the decryption information of such encrypted
data, including communications; or
[
[ (3) technical assistance for access to the plaintext
of, or decryption information for, encrypted data, including
communications.
[ [
(b) EXCEPTION- Subsection (a) shall not apply to a person
who provides plaintext or decryption information to another and is
not authorized by court order to disclose such plaintext or
decryption information.
[ [
SEC. 402. COMPLIANCE DEFENSE.
[ [
Compliance with the provisions of sections 2806, 2807,
2808, or 2809 of title 18, United States Code, as added by section
104(a) of this Act, or any regulations authorized thereunder, shall
provide a complete defense for any civil action for damages based
upon activities covered by this Act, other than an action founded
on contract.
[ [
SEC. 403. REASONABLE CARE DEFENSE.
[ [
The participation by person in the key management
infrastructure established by regulation for United States
Government information security operations under section 103 shall
be treated as evidence of reasonable care or due diligence in any
proceeding where the reasonableness of one's actions is an element
of the claim at issue.
[ [
SEC. 404. GOOD FAITH DEFENSE.
[ [
An objectively reasonable reliance on the legal authority
provided by this Act and the amendments made by this Act, requiring
or authorizing access to the plaintext of otherwise encrypted data,
including communications, or to the decryption information that
will allow the immediate decryption of data, including
communications, that is otherwise encrypted, shall be a complete
defense to any criminal or civil action that may be brought under
the laws of the United States or any State.
[ [
SEC. 405. SOVEREIGN IMMUNITY.
[ [
Except as otherwise specifically provided otherwise,
nothing in this Act or the amendments made by this Act, or any
regulations promulgated thereunder, modifies or amends the
sovereign immunity of the United States.
[ [
SEC. 406. CIVIL ACTION, GENERALLY.
[ [
A civil action may be brought against any person who,
regardless of that person's participation in the key management
infrastructure to be established by regulations promulgated by the
Secretary pursuant to section 103, violates or acts in a manner
that is inconsistent with or violates the provisions or intent of
this Act or the amendments made by this Act.
[ [
TITLE V--INTERNATIONAL AGREEMENTS
[ [
SEC. 501. SENSE OF CONGRESS.
[ [
It is the sense of Congress that--
[
[ (1) the President should conduct negotiations with
foreign governments for the purposes of mutual recognition of
any key management infrastructures, and their component parts,
that exist or are developed; and
[
[ (2) such mutual recognition agreements will
safeguard the privacy of the citizens of the United States,
prevent economic espionage, and enhance the information
security needs of the United States.
[ [
SEC. 502. FAILURE TO NEGOTIATE.
[ [
The President may consider a government's refusal to
negotiate mutual recognition agreements described in section 501
when considering the participation of the United States in any
cooperation or assistance program with that country.
[ [
SEC. 503. REPORT TO CONGRESS.
[ [
(a) REPORT TO CONGRESS- The President shall report
annually to the Congress on the status of the international effort
outlined by section 501.
[ [
(b) FIRST REPORT- The first report required under
subsection (a) shall be submitted in unclassified form no later
than December 15, 1998.
[ [
TITLE VI--MISCELLANEOUS PROVISIONS
[ [
SEC. 601. EFFECT ON LAW ENFORCEMENT
ACTIVITIES.
[ [
(a) COLLECTION OF INFORMATION BY ATTORNEY GENERAL- The
Attorney General shall compile, and maintain in classified form,
data on the instances in which encryption has interfered with,
impeded, or obstructed the ability of the Department of Justice to
enforce the criminal laws of the United States.
[ [
(b) AVAILABILITY OF INFORMATION TO THE CONGRESS- The
information compiled under subsection (a), including an
unclassified summary thereof, shall be made available, upon
request, to any Member of Congress.
[ [
SEC. 602. INTERPRETATION.
[ [
Nothing contained in this Act or the amendments made by
this Act shall be deemed to--
[
[ (1) preempt or otherwise affect the application of
the Arms Export Control Act (22 U.S.C. 2751 et seq.), the
Export Administration Act of 1979 (50 U.S.C. App. 2401 et
seq.), or the International Emergency Economic Powers Act (50
U.S.C. 1701 et seq.) or any regulations promulgated thereunder;
[
[ (2) affect foreign intelligence activities of the
United States; or
[
[ (3) negate or diminish any intellectual property
protections under the laws of the United States or of any State.
[ [
SEC. 603. SEVERABILITY.
[ [
If any provision of this Act or the amendments made by
this Act, or the application thereof, to any person or
circumstances is held invalid by a court of the United States, the
remainder of this Act or such amendments, and the application
thereof, to other persons or circumstances shall not be affected
thereby. ] ]
( SECTION 1. SHORT TITLE.
( This Act may be cited as the `Security and
Freedom Through Encryption (SAFE) Act'.
( SEC. 2. SALE AND USE OF ENCRYPTION.
( (a) IN GENERAL- Part I of title 18, United
States Code, is amended by inserting after chapter 123 the
following new chapter:
( `CHAPTER 125--ENCRYPTED WIRE AND
ELECTRONIC INFORMATION
( `2801. Definitions.
( `2802. Assistance for law enforcement.
( `2803. Freedom to sell encryption.
( `2804. Prohibition on mandatory key escrow.
( `2805. Unlawful use of encryption in
furtherance of a criminal act.
( `2806. Liability limitations.
( `Sec. 2801. Definitions
( `As used in this chapter--
( `(1) the terms `person', `State', `wire
communication', `electronic communication', and `investigative
or law enforcement officer' have the meanings given those terms
in section 2510 of this title;
( `(2) the terms `encrypt' and
`encryption' refer to the scrambling of wire communications,
electronic communications, or electronically stored
information, using mathematical formulas or algorithms in order
to preserve the confidentiality, integrity, or authenticity of,
and prevent unauthorized recipients from accessing or altering,
such communications or information;
( `(3) the term `key' means the variable
information used in a mathematical formula, code, or algorithm,
or any component thereof, used to decrypt wire communications,
electronic communications, or electronically stored
information, that has been encrypted; and
( `(4) the term `United States person'
means--
( `(A) any United States citizen;
( `(B) any other person organized
under the laws of any State; and
( `(C) any person organized under the
laws of any foreign country who is owned or controlled by
individuals or persons described in subparagraphs (A) and
(B).
( `Sec. 2802. Assistance for law enforcement
( `(a) NATIONAL ELECTRONIC TECHNOLOGIES CENTER-
( `(1) ESTABLISHMENT- There is established
in the Department of Justice a National Electronic Technologies
Center (in this subsection referred to as the `NET Center').
( `(2) DIRECTOR- The NET Center shall have
a Director, who shall be appointed by the Attorney General.
( `(3) DUTIES- The duties of the NET
Center shall be--
( `(A) to serve as a center for
Federal, State, and local law enforcement authorities for
information and assistance regarding decryption and other
access requirements;
( `(B) to serve as a center for
industry and government entities to exchange information
and methodology regarding information security techniques
and technologies;
( `(C) to examine encryption
techniques and methods to facilitate the ability of law
enforcement to gain efficient access to plaintext of
communications and electronic information;
( `(D) to conduct research to develop
efficient methods, and improve the efficiency of existing
methods, of accessing plaintext of communications and
electronic information;
( `(E) to investigate and research new
and emerging techniques and technologies to facilitate
access to communications and electronic information,
including --
( `(i) reverse-steganography;
( `(ii) decompression of
information that previously has been compressed for
transmission; and
( `(iii) de-multiplexing; and
( `(F) to obtain information regarding
the most current hardware, software, telecommunications,
and other capabilities to understand how to access
information transmitted across networks.
( `(4) EQUAL ACCESS- State and local law
enforcement agencies and authorities shall have access to
information, services, resources, and assistance provided by the
NET Center to the same extent that Federal law enforcement agencies
and authorities have such access.
( `(5) PERSONNEL- The Director may appoint
such personnel as the Director considers appropriate to carry
out the duties of the NET Center.
( `(6) ASSISTANCE OF OTHER FEDERAL
AGENCIES- Upon the request of the Director of the NET Center,
the head of any department or agency of the Federal Government
may, to assist the NET Center in carrying out its duties under
this subsection--
( `(A) detail, on a reimbursable
basis, any of the personnel of such department or agency to
the NET Center; and
( `(B) provide to the NET Center
facilities, information, and other non-personnel resources.
( `(7) PRIVATE INDUSTRY ASSISTANCE- The
NET Center may accept, use, and dispose of gifts, bequests, or
devises of money, services, or property, both real and
personal, for the purpose of aiding or facilitating the work of
the Center. Gifts, bequests, or devises of money and proceeds
from sales of other property received as gifts, bequests, or
devises shall be deposited in the Treasury and shall be
available for disbursement upon order of the Director of the
NET Center.
( `(8) ADVISORY BOARD-
( `(A) ESTABLISHMENT- There is
established the Advisory Board of the Strategic NET Center
for Excellence in Information Security (in this paragraph
referred to as the `Advisory Board'), which shall be
comprised of members who have the qualifications described
in subparagraph (B) and who are appointed by the Attorney
General. The Attorney General shall appoint a chairman of
the Advisory Board.
( `(B) QUALIFICATIONS- Each member of
the Advisory Board shall have experience or expertise in
the field of encryption, decryption, electronic
communication, information security, electronic commerce,
or law enforcement.
( `(C) DUTIES- The duty of the
Advisory Board shall be to advise the NET Center and the
Federal Government regarding new and emerging technologies
relating to encryption and decryption of communications and
electronic information.
( `(9) IMPLEMENTATION PLAN- Within 2
months after the date of the enactment of the Security and
Freedom Through Encryption (SAFE) Act, the Attorney General
shall, in consultation and cooperation with other appropriate
Federal agencies and appropriate industry participants, develop
and cause to be published in the Federal Register a plan for
establishing the NET Center. The plan shall--
( `(A) specify the physical location
of the NET Center and the equipment, software, and
personnel resources necessary to carry out the duties of
the NET Center under this subsection;
( `(B) assess the amount of funding
necessary to establish and operate the NET Center; and
( `(C) identify sources of probable
funding for the NET Center, including any sources of
in-kind contributions from private industry.
( `(b) FREEDOM OF USE- Subject to section
2805, it shall be lawful for any person within any State, and for
any United States person in a foreign country, to use any
encryption, regardless of the encryption algorithm selected,
encryption key length chosen, or implementation technique or medium
used. No Federal or State law or regulation may condition the
issuance of certificates of authentication or certificates of
authority for any encryption product upon any escrowing or other
sharing of private encryption keys, whether with private agents or
government entities, or establish a licensing, labeling, or other
regulatory scheme for any encryption product that requires key
escrow as a condition of licensing or regulatory approval.
( `Sec. 2803. Freedom to sell encryption
( `Subject to section 2805, it shall be lawful
for any person within any State to sell in interstate commerce any
encryption, regardless of the encryption algorithm selected,
encryption key length chosen, or implementation technique or medium
used.
( `Sec. 2804. Prohibition on mandatory key escrow
( `(a) PROHIBITION- No person in lawful
possession of a key to encrypted communications or information may
be required by Federal or State law to relinquish to another person
control of that key.
( `(b) EXCEPTION FOR ACCESS FOR LAW
ENFORCEMENT PURPOSES- Subsection (a) shall not affect the authority
of any investigative or law enforcement officer, or any member of
the intelligence community as defined in section 3 of the National
Security Act of 1947 (50 U.S.C. 401a), acting under any law in
effect on the effective date of this chapter, to gain access to
encrypted communications or information.
( `Sec. 2805. Unlawful use of encryption in
furtherance of a criminal act
( `Any person who, in the commission of a
felony under a criminal statute of the United States, knowingly and
willfully encrypts incriminating communications or information
relating to that felony with the intent to conceal such
communications or information for the purpose of avoiding detection
by law enforcement agencies or prosecution--
( `(1) in the case of a first offense
under this section, shall be imprisoned for not more than 10
years, or fined in the amount set forth in this title, or both;
and
( `(2) in the case of a second or
subsequent offense under this section, shall be imprisoned for
not more than 20 years, or fined in the amount set forth in
this title, or both.
( `Sec. 2806. Liability limitations
( `No person shall be subject to civil or
criminal liability for providing access to the plaintext of
encrypted communications or electronic information to any law
enforcement official or authorized government entity, pursuant to
judicial process.'.
( (b) STUDY- Within 6 months after the date of
the enactment of this Act, the National Telecommunications and
Information Administration shall conduct a study, and prepare and
submit to the Congress and the President a report regarding such
study, that--
( (1) assesses the effect that
establishment of a mandatory system for recovery of encryption
keys for encrypted communications and information would have on--
( (A) electronic commerce;
( (B) data security;
( (C) privacy in interstate commerce;
and
( (D) law enforcement authorities and
activities; and
( (2) assesses other possible methods for
providing access to encrypted communications and information to
further law enforcement activities.
( (c) CONFORMING AMENDMENT- The table of
chapters for part I of title 18, United States Code, is amended by
inserting after the item relating to chapter 123 the following new
item:
2801'.
( SEC. 3. EXPORTS OF ENCRYPTION.
( (a) AMENDMENT TO EXPORT ADMINISTRATION ACT
OF 1979- Section 17 of the Export Administration Act of 1979 (50
U.S.C. App. 2416) is amended by adding at the end thereof the
following new subsection:
( `(g) COMPUTERS AND RELATED EQUIPMENT-
( `(1) GENERAL RULE- Subject to paragraphs
(2), (3), and (4), the Secretary shall have exclusive authority
to control exports of all computer hardware, software, and
technology for information security (including encryption),
except that which is specifically designed or modified for
military use, including command, control, and intelligence
applications.
( `(2) ITEMS NOT REQUIRING LICENSES- No
validated license may be required, except pursuant to the
Trading With The Enemy Act or the International Emergency
Economic Powers Act (but only to the extent that the authority
of such Act is not exercised to extend controls imposed under
this Act), for the export or reexport of--
( `(A) any software, including
software with encryption capabilities--
( `(i) that is generally
available, as is, and is designed for installation by
the purchaser; or
( `(ii) that is in the public
domain for which copyright or other protection is not
available under title 17, United States Code, or that
is available to the public because it is generally
accessible to the interested public in any form; or
( `(B) any computing device solely
because it incorporates or employs in any form software
(including software with encryption capabilities) exempted
from any requirement for a validated license under
subparagraph (A).
( `(3) SOFTWARE WITH ENCRYPTION
CAPABILITIES- The Secretary shall authorize the export or
reexport of software with encryption capabilities for
nonmilitary end uses in any country to which exports of
software of similar capability are permitted for use by
financial institutions not controlled in fact by United States
persons, unless there is substantial evidence that such
software will be--
( `(A) diverted to a military end use
or an end use supporting international terrorism;
( `(B) modified for military or
terrorist end use; or
( `(C) reexported without any
authorization by the United States that may be required
under this Act.
( `(4) HARDWARE WITH ENCRYPTION
CAPABILITIES- The Secretary shall authorize the export or
reexport of computer hardware with encryption capabilities if
the Secretary determines that a product offering comparable
security is commercially available outside the United States
from a foreign supplier, without effective restrictions.
( `(5) DEFINITIONS- As used in this
subsection--
( `(A) the term `encryption' means the
scrambling of wire or electronic information using
mathematical formulas or algorithms in order to preserve
the confidentiality, integrity, or authenticity of, and
prevent unauthorized recipients from accessing or altering,
such information;
( `(B) the term `generally available'
means, in the case of software (including software with
encryption capabilities), software that is offered for
sale, license, or transfer to any person without
restriction, whether or not for consideration, including,
but not limited to, over-the-counter retail sales, mail
order transactions, phone order transactions, electronic
distribution, or sale on approval;
( `(C) the term `as is' means, in the
case of software (including software with encryption
capabilities), a software program that is not designed,
developed, or tailored by the software publisher for
specific purchasers, except that such purchasers may supply
certain installation parameters needed by the software
program to function properly with the purchaser's system
and may customize the software program by choosing among
options contained in the software program;
( `(D) the term `is designed for
installation by the purchaser' means, in the case of
software (including software with encryption capabilities)
that--
( `(i) the software publisher
intends for the purchaser (including any licensee or
transferee), who may not be the actual program user, to
install the software program on a computing device and
has supplied the necessary instructions to do so,
except that the publisher may also provide telephone
help line services for software installation,
electronic transmission, or basic operations; and
( `(ii) the software program is
designed for installation by the purchaser without
further substantial support by the supplier;
( `(E) the term `computing device'
means a device which incorporates one or more
microprocessor-based central processing units that can
accept, store, process, or provide output of data; and
( `(F) the term `computer hardware',
when used in conjunction with information security,
includes, but is not limited to, computer systems,
equipment, application-specific assemblies, modules, and
integrated circuits.'.
( (b) CONTINUATION OF EXPORT ADMINISTRATION
ACT- For purposes of carrying out the amendment made by subsection
(a), the Export Administration Act of 1979 shall be deemed to be in
effect.
( SEC. 4. TREATMENT OF ENCRYPTION IN INTERSTATE
AND FOREIGN COMMERCE.
( (a) INQUIRY REGARDING IMPEDIMENTS TO TRADE-
Within 180 days after the date of the
enactment of this Act, the Secretary of Commerce shall complete an
inquiry to--
( (1) identify any domestic and foreign
impediments to trade in encryption products and services and
the manners in which and extent to which such impediments
inhibit the development of interstate and foreign commerce; and
( (2) identify import restrictions imposed
by foreign nations that constitute unfair trade barriers to
providers of encryption products or services.
The Secretary shall submit a report to the Congress regarding the
results of such inquiry by such date.
( (b) REMOVAL OF IMPEDIMENTS TO TRADE- Within
1 year after such date of enactment, the Secretary of Commerce, in
consultation with the Attorney General, shall prescribe such
regulations as may be necessary to reduce the impediments to trade
in encryption products and services identified in the inquiry
pursuant to subsection (a) for the purpose of facilitating the
development of interstate and foreign commerce. Such regulations
shall be designed to--
( (1) promote the sale and distribution in
foreign commerce of encryption products and services
manufactured in the United States; and
( (2) strengthen the competitiveness of
domestic providers of encryption products and services in
foreign commerce.
( (c) INTERNATIONAL AGREEMENTS-
( (1) REPORT TO PRESIDENT- Upon the
completion of the inquiry under subsection (a), the Secretary
of Commerce shall submit a report to the President regarding
reducing any impediments to trade in encryption products and
services that are identified by the inquiry and could, in the
determination of the Secretary, require international
negotiations for such reduction.
( (2) NEGOTIATIONS- The President shall
take all actions necessary to conduct negotiations with other
countries for the purposes of (A) concluding international
agreements on the promotion of encryption products and
services, and (B) achieving mutual recognition of countries'
export controls, in order to meet the needs of countries to
preserve national security, safeguard privacy, and prevent
commercial espionage. The President may consider a country's
refusal to negotiate such international export and mutual
recognition agreements when considering the participation of
the United States in any cooperation or assistance program with
that country. The President shall submit a report to the
Congress regarding the status of international efforts
regarding cryptography not later than December 31, 2000.
( (d) DEFINITIONS- For purposes of this
section, the following definitions shall apply:
( (1) COMMUNICATION- The term
`communication' includes wire communication and electronic
communication.
( (2) DECRYPT; DECRYPTION- The terms
`decrypt' and `decryption' refer to the electronic
retransformation of communications or electronically stored
information that has been encrypted into the original form of
the communication or information.
( (3) ELECTRONIC COMMUNICATION- The term
`electronic communication' has the meaning given such term in
section 2510 of title 18, United States Code.
( (4) ENCRYPT; ENCRYPTION- The terms
`encrypt' and `encryption' have the meanings given such terms
in section 2801 of title 18, United States Code (as added by
section 2 of this Act).
( (5) ENCRYPTION PRODUCT- The term
`encryption product' means any product, software, or technology
that can be used to encrypt and decrypt communications or
electronic information and any product, software, or technology
with encryption capabilities;
( (6) WIRE COMMUNICATION- The term `wire
communication' has the meaning given such term in section 3 of
the Communications Act of 1934 (47 U.S.C. 153).
( SEC. 5. EFFECT ON LAW ENFORCEMENT ACTIVITIES.
( (a) COLLECTION OF INFORMATION BY ATTORNEY
GENERAL- The Attorney General shall compile, and maintain in
classified form, data on the instances in which encryption (as
defined in section 2801 of title 18, United States Code) has
interfered with, impeded, or obstructed the ability of the
Department of Justice to enforce the criminal laws of the United
States.
( (b) AVAILABILITY OF INFORMATION TO THE
CONGRESS- The information compiled under subsection (a), including
an unclassified summary thereof, shall be made available, upon
request, to any Member of Congress. )
Amend the title so as to read: `A bill to amend title 18, United
States Code, to affirm the rights of United States persons to use
and sell encryption.'.