STATEMENTS ON INTRODUCED BILLS AND JOINT RESOLUTIONS (Senate - May 12, 1998)

---

By Mr. ASHCROFT (for himself, Mr. Leahy, Mr. Burns, Mr. Craig, Mrs. Boxer, Mr. Faircloth, Mr. Wyden, Mr. Kempthorne, Mrs. Murray, and Mrs. Hutchison):

S. 2067. A bill to protect the privacy and constitutional rights of Americans, to establish standards and procedures regarding law enforcement access to decryption assistance for encrypted communications and stored electronic information, to affirm the rights of Americans to use and sell encryption products, and for other purposes; to the Committee on the Judiciary.

THE E-PRIVACY ACT

Mr. ASHCROFT. Mr. President, I rise to speak today on an issue that I find very important to the future of this country's leading position in the technology, and that is encryption. This issue has been under consideration since I first came to Capitol Hill, and for more than three years nothing has been accomplished by way of assistance to law enforcement, or to industry, or most importantly to the users of encryption in this country.

My first involvement in this entire discussion came about as a result of the need for protection and privacy. If we are to operate at our highest and best in the information age, instead of settling for something very far below our potential, we are going to need privacy and protection, and we are going to need the ability to operate with integrity on the Internet. The Internet has to be something more than speaking on the public square, it has to have the ability to allow individuals to communicate with each other. It has to have the same kind of rights and protections that are accorded to other aspects of communication. Without this privacy, the potential of the Internet is destroyed. In my judgment, the Internet would be destined to become just a sort of international bull session, nothing more than an international party line of commentary, or an international broadcast device. I do not believe it will fulfill its potential as a communication, entertainment, commercial and educational opportunity unless Internet communications are secure and the right of privacy is respected.

The Internet allows for the most participatory form of communications ever. In order for us to be able to both invite participation by everyone, and to be able to take advantage of it, we have to be able to exclude some parties from a particular communication. I do not know of any more successful exclusion technique in the electronic world than encryption, especially when so much information is going to be transmitted digitally, much of it through space as well as over hard lines of communication.

We have a tremendous potential for commerce on the Internet: everything from selling clothes, to real estate, to software itself. Electronic commerce has not reached its full potential, but it can. I think we've got a big agenda there, not just encryption but we've got to have legally binding signature legislation and therefore solid encryption.

Resisting efforts for mandatory domestic key recovery is also crucial. We have to remind ourselves that the Internet is like so much of the rest of the culture--government can't solve all the problems. At least we have to plead for restraint by those who would harm this technology. As I have said before, now is the time to draw a bright line against federal regulation of the computer industry. Washington must not start down the road of dreaming up regulations to fix problems that may or may not exist. Two things can be predicted with confidence about congressional meddling in this sector of the economy. First, legislation will be obsolete on the day it is passed. Second, it will hurt consumers, workers, shareholders, and the economy. If Congress had helped set up the transportation industry, there still might be a livery stable in every town, and buggy whip factories in large cities.

The irrationality of limiting the United States to levels of encryption which are far below what the world market is demanding and supplying in other settings, has been mind boggling. This legislation declares that American companies will be full and active participants in the encryption industry. Today, numerous editions of leading American designed and manufactured software bears the stamp, `Not for sale outside the United States,' because the software features robust encryption. That stamp does nothing to make Americans more secure, but it does provide aid and comfort to foreign competitors of American business. This legislation would eliminate that stamp once and for all.

Encryption, of course, is the most important issue to the future of electronic commerce and if we are to foster the integrity of the Internet we must have the means of communication domestically and international. I have to reaffirm that we must allow the software industry to compete in an international market where robust encryption already takes place. Months ago I went to a Commerce Committee meeting and took with me an ad from the Internet, which was from Seimens company in Germany advertising robust 128 bit encryption, saying that you can't get this from a U.S. manufacturer. The advertisement also indicated, however, that if you buy this you can use it in the United States and you can use it overseas as well, and, so if you want to have robust encryption buy it from Seimens. The Administration has decided to tie the hands of the U.S. encryption industry. To me that's a disaster, but it is also compounded by people beginning to develop relationships with foreign software providers as a result of the unavailability of 128 bit or robust encryption on the part of U.S. providers.

To see the Germans eagerly promoting this potential, and to have people from my own jurisdiction, from the state of Missouri, say, `John, we have an office in Singapore, we have to be able to speak with them confidentially and communicate with them, and the government is making it impossible for us to send the encryption that we can use domestically. We can't send it to our office in Singapore because we are ineligible to export it.' I don't want the situation to be such that I have to say, `Well, go to Seimens in Germany.' From Seimens you can buy the encryption that can be sent into the United States and from Seimens in Germany it can be sent to Singapore and so you can have your cake and eat it too by dealing with a non-domestic firm. For us to have a policy which provides for the slitting of our own throats, in a technology arena, where we have held the lead and must continue to hold the lead, I think is foolhardy to say the least. If we are to mark the next century as an `American Century,' or even to celebrate this week as high technology week in the Senate, we must be forward thinking and acting. This bill moves us away from antiquated export laws to a future in which American companies will be able to compete in the international marketplace without having one hand tied behind their back by the federal government.

This bill also clarifies the proper approach for encryption domestically as we move ahead in the digital age. The Administration and the FBI first indicated support for language that would mandate key recovery for all domestic encryption and now support several suggested approaches that would make using domestic key escrow a practical--though not legal--necessity. Director Freeh has gone so far as to mention the need for a new Fourth Amendment that considers the realities of the digital age. I think we need a new and improved approach to domestic encryption, not a new updated version of the Fourth Amendment. I, for one, am not eagerly awaiting the FBI's new release of Fourth Amendment 2.0 or First Amendment '98.

I think we have to work together to find a reasonable alternative to the current Administration policy and I think we have to ensure secure transactions. That's a clear responsibility. We can't have a situation where we don't have security and integrity in our business transactions. We have to be able to compete effectively in a worldwide marketplace. For us to limit our own potential in terms of competition makes no sense. We have to make sure that we don't allow those who would use information improperly or illegally to have access to it. That has to do with securing the transactions, and the integrity of the Internet as well.

This legislation is the solution to the problem. It is well thought out and attempts to address the legitimate concerns of all affected parties. I will seek passage of this legislation in this Congress and will commit the resources of my office that may be needed to achieve this end.

Business Week has recently reported that 61 percent of adults responded that they would be more likely to go on-line if the privacy of their information and communications would be protected. Mr. President, simply put, strong encryption means a strong economy. Mandatory access, by contrast, means weaker encryption and a less secure, and therefore less valuable, network.

I ask for unanimous consent that the entire bill be printed in the Record.

There being no objection, the bill was ordered to be printed in the Record, as follows:

[Page: S4716]

S. 2067

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title: This Act may be cited as the `Encryption Protects the Rights of Individuals from Violation and Abuse in Cyberspace (E-PRIVACY) Act'.
(b) Table of Contents: The table of contents for this Act is as follows:

Sec. 1. Short title; table of contents.

Sec. 2. Purposes.

Sec. 3. Findings.

Sec. 4. Definitions.

TITLE I--PRIVACY PROTECTION FOR COMMUNICATIONS AND ELECTRONIC INFORMATION

Sec. 101. Freedom to use encryption.

Sec. 102. Purchase and use of encryption products by the Federal Government.

Sec. 103. Enhanced privacy protection for information on computer networks.

Sec. 104. Government access to location information.

Sec. 105. Enhanced privacy protection for transactional information obtained from pen registers or trap and trace devices.

TITLE II--LAW ENFORCEMENT ASSISTANCE

Sec. 201. Encrypted wire or electronic communications and stored electronic communications.

TITLE III--EXPORTS OF ENCRYPTION PRODUCTS

Sec. 301. Commercial encryption products.

Sec. 302. License exception for mass market products.

Sec. 303. License exception for products without encryption capable of working with encryption products.

Sec. 304. License exception for product support and consulting services.

Sec. 305. License exception when comparable foreign products available.

Sec. 306. No export controls on encryption products used for nonconfidentiality purposes.

Sec. 307. Applicability of general export controls.

Sec. 308. Foreign trade barriers to United States products.

SEC. 2. PURPOSES.
The purposes of this Act are--

(1) to ensure that Americans have the maximum possible choice in encryption methods to protect the security, confidentiality, and privacy of their lawful wire and electronic communications and stored electronic information;

(2) to promote the privacy and constitutional rights of individuals and organizations in networked computer systems and other digital environments, protect the confidentiality of information and security of critical infrastructure systems relied on by individuals, businesses and government agencies, and properly balance the needs of law enforcement to have the same access to electronic communications and information as under current law; and

(3) to establish privacy standards and procedures by which investigative or law enforcement officers may obtain decryption assistance for encrypted communications and stored electronic information.

[Page: S4717]

SEC. 3. FINDINGS.
Congress finds that--

(1) the digitization of information and the explosion in the growth of computing and electronic networking offers tremendous potential benefits to the way Americans live, work, and are entertained, but also raises new threats to the privacy of American citizens and the competitiveness of American businesses;

(2) a secure, private, and trusted national and global information infrastructure is essential to promote economic growth, protect privacy, and meet the needs of American citizens and businesses;

(3) the rights of Americans to the privacy and security of their communications and in the conducting of personal and business affairs should be promoted and protected;

(4) the authority and ability of investigative and law enforcement officers to access and decipher, in a timely manner and as provided by law, wire and electronic communications, and stored electronic information necessary to provide for public safety and national security should also be preserved;

(5) individuals will not entrust their sensitive personal, medical, financial, and other information to computers and computer networks unless the security and privacy of that information is assured;

(6) businesses will not entrust their proprietary and sensitive corporate information, including information about products, processes, customers, finances, and employees, to computers and computer networks unless the security and privacy of that information is assured;

(7) America's critical infrastructures, including its telecommunications system, banking and financial infrastructure, and power and transportation infrastructure, increasingly rely on vulnerable information systems, and will represent a growing risk to national security and public safety unless the security and privacy of those information systems is assured;

(8) encryption technology is an essential tool to promote and protect the privacy, security, confidentiality, integrity, and authenticity of wire and electronic communications and stored electronic information;

(9) encryption techniques, technology, programs, and products are widely available worldwide;

(10) Americans should be free to use lawfully whatever particular encryption techniques, technologies, programs, or products developed in the marketplace that best suits their needs in order to interact electronically with the government and others worldwide in a secure, private, and confidential manner;

(11) government mandates for, or otherwise compelled use of, third-party key recovery systems or other systems that provide surreptitious access to encrypted data threatens the security and privacy of information systems;

(12) American companies should be free to compete and sell encryption technology, programs, and products, and to exchange encryption technology, programs, and products through the use of the Internet, which is rapidly emerging as the preferred method of distribution of computer software and related information;

(13) a national encryption policy is needed to advance the development of the national and global information infrastructure, and preserve the right to privacy of Americans and the public safety and national security of the United States;

(14) Congress and the American people have recognized the need to balance the right to privacy and the protection of the public safety with national security;

(15) the Constitution of the United States permits lawful electronic surveillance by investigative or law enforcement officers and the seizure of stored electronic information only upon compliance with stringent standards and procedures; and

(16) there is a need to clarify the standards and procedures by which investigative or law enforcement officers obtain decryption assistance from persons--

(A) who are voluntarily entrusted with the means to decrypt wire and electronic communications and stored electronic information; or

(B) have information that enables the decryption of such communications and information.

SEC. 4. DEFINITIONS.
In this Act:

(1) Agency: The term `agency' has the meaning given the term in section 6 of title 18, United States Code.

(2) Computer hardware: The term `computer hardware' includes computer systems, equipment, application-specific assemblies, smart cards, modules, and integrated circuits.

(3) Computing device: The term `computing device' means a device that incorporates 1 or more microprocessor-based central processing units that are capable of accepting, storing, processing, or providing output of data.

(4) Encrypt and encryption: The terms `encrypt' and `encryption' refer to the scrambling (and descrambling) of wire communications, electronic communications, or electronically stored information, using mathematical formulas or algorithms in order to preserve the confidentiality, integrity, or authenticity of, and prevent unauthorized recipients from accessing or altering, such communications or information.

(5) Encryption product: The term `encryption product'--

(A) means a computing device, computer hardware, computer software, or technology, with encryption capabilities; and

(B) includes any subsequent version of or update to an encryption product, if the encryption capabilities are not changed.

(6) Exportable: The term `exportable' means the ability to transfer, ship, or transmit to foreign users.

(7) Key: The term `key' means the variable information used in or produced by a mathematical formula, code, or algorithm, or any component thereof, used to encrypt or decrypt wire communications, electronic communications, or electronically stored information.

(8) Person: The term `person' has the meaning given the term in section 2510(6) of title 18, United States Code.

(9) Remote computing service: The term `remote computing service' has the meaning given the term in section 2711(2) of title 18, United States Code.

(10) State: The term `State' has the meaning given the term in section 3156(a)(5) of title 18, United States Code.

(11) Technical review: The term `technical review' means a review by the Secretary, based on information about a product's encryption capabilities supplied by the manufacturer, that an encryption product works as represented.

(12) United states person: The term `United States person' means any--

(A) United States citizen; or

(B) any legal entity that--

(i) is organized under the laws of the United States, or any State, the District of Columbia, or any commonwealth, territory, or possession of the United States; and

(ii) has its principal place of business in the United States.

TITLE I--PRIVACY PROTECTION FOR COMMUNICATIONS AND ELECTRONIC INFORMATION

SEC. 101. FREEDOM TO USE ENCRYPTION.
(a) In General: Except as otherwise provided by this Act and the amendments made by this Act, it shall be lawful for any person within the United States, and for any United States person in a foreign country, to use, develop, manufacture, sell, distribute, or import any encryption product, regardless of the encryption algorithm selected, encryption key length chosen, existence of key recovery or other plaintext access capability, or implementation or medium used.
(b) Prohibition on Government-Compelled Key Escrow or Key Recovery Encryption:

(1) In general: Except as provided in paragraph (3), no agency of the United States nor any State may require, compel, set standards for, condition any approval on, or condition the receipt of any benefit on, a requirement that a decryption key, access to a decryption key, key recovery information, or other plaintext access capability be--

(A) given to any other person, including any agency of the United States or a State, or any entity in the private sector; or

(B) retained by any person using encryption.

(2) Use of particular products: No agency of the United States may require any person who is not an employee or agent of the United States or a State to use any key recovery or other plaintext access features for communicating or transacting business with any agency of the United States.

(3) Exception: The prohibition in paragraph (1) does not apply to encryption used by an agency of the United States or a State, or the employees or agents of such an agency, solely for the internal operations and telecommunications systems of the United States or the State.
(c) Use of Encryption for Authentication or Integrity Purposes:

(1) In general: The use, development, manufacture, sale, distribution and import of encryption products, standards, and services for purposes of assuring the confidentiality, authenticity, or integrity or access control of electronic information shall be voluntary and market driven.

(2) Conditions: No agency of the United States or a State shall establish any condition, tie, or link between encryption products, standards, and services used for confidentiality, and those used for authentication, integrity, or access control purposes.

SEC. 102. PURCHASE AND USE OF ENCRYPTION PRODUCTS BY THE FEDERAL GOVERNMENT.
(a) Purchases: An agency of the United States may purchase encryption products for--

(1) the internal operations and telecommunications systems of the agency; or

(2) use by, among, and between that agency and any other agency of the United States, the employees of the agency, or persons operating under contract with the agency.
(b) Interoperability: To ensure that secure electronic access to the Government is available to persons outside of and not operating under contract with agencies of the United States, the United States shall purchase no encryption product with a key recovery or other plaintext access feature if such key recovery or plaintext access feature would interfere with use of the product's full encryption capabilities when interoperating with other commercial encryption products.

[Page: S4718]

SEC. 103. ENHANCED PRIVACY PROTECTION FOR INFORMATION ON COMPUTER NETWORKS.
Section 2703 of title 18, United States Code, is amended by adding at the end the following:
`(g) Access to Stored Electronic Information:

`(1) Disclosure:

`(A) In general: Subject to subparagraph (B), a governmental entity may require the disclosure by a provider of a remote computing service of the contents of an electronic record in networked electronic storage only if the person who created the record is accorded the same protections that would be available if the record had remained in that person's possession.

`(B) Networked electronic storage: In addition to the requirements of subparagraph (A) and subject to paragraph (2), a governmental entity may require the disclosure of the contents of an electronic record in networked electronic storage only--

`(i) pursuant to a warrant issued under the Federal Rules of Criminal Procedure or equivalent State warrant, a copy of which warrant shall be served on the person who created the record prior to or at the same time the warrant is served on the provider of the remote computing service;

`(ii) pursuant to a subpoena issued under the Federal Rules of Criminal Procedure or equivalent State warrant, a copy of which subpoena shall be served on the person who created the record, under circumstances allowing that person a meaningful opportunity to challenge the subpoena; or

`(iii) upon the consent of the person who created the record.

`(2) Definition: In this subsection, an electronic record is in `networked electronic storage' if--

`(A) it is not covered by subsection (a) of this section;

`(B) the person holding the record is not authorized to access the contents of such record for any purposes other than in connection with providing the service of storage; and

`(C) the person who created the record is able to access and modify it remotely through electronic means.'.

SEC. 104. GOVERNMENT ACCESS TO LOCATION INFORMATION.
(a) Court Order Required: Section 2703 of title 18, United States Code, is amended by adding at the end the following:
`(h) Requirements for Disclosure of Location Information: A provider of mobile electronic communication service shall provide to a governmental entity information generated by and disclosing, on a real time basis, the physical location of a subscriber's equipment only if the governmental entity obtains a court order issued upon a finding that there is probable cause to believe that an individual using or possessing the subscriber equipment is committing, has committed, or is about to commit a felony offense.'.
(b) Conforming Amendment: Section 2703(c)(1)(B) of title 18, United States Code, is amended by inserting `or wireless location information covered by subsection (g) of this section' after `(b) of this section'.

SEC. 105. ENHANCED PRIVACY PROTECTION FOR TRANSACTIONAL INFORMATION OBTAINED FROM PEN REGISTERS OR TRAP AND TRACE DEVICES.
Subsection 3123(a) of title 18, United States Code, is amended to read as follows:
`(a) In General: Upon an application made under section 3122, the court may enter an ex parte order--

`(1) authorizing the installation and use of a pen register or a trap and trace device within the jurisdiction of the court if the court finds, based on the certification by the attorney for the Government or the State law enforcement or investigative officer, that the information likely to be obtained by such installation and use is relevant to an ongoing criminal investigation; and

`(2) directing that the use of the pen register or trap and trace device be conducted in such a way as to minimize the recording or decoding of any electronic or other impulses that are not related to the dialing and signaling information utilized in call processing.'.

TITLE II--LAW ENFORCEMENT ASSISTANCE

SEC. 201. ENCRYPTED WIRE OR ELECTRONIC COMMUNICATIONS AND STORED ELECTRONIC COMMUNICATIONS.
(a) In General: Part I of title 18, United States Code, is amended by inserting after chapter 123 the following:

`CHAPTER 124--ENCRYPTED WIRE OR ELECTRONIC COMMUNICATIONS AND STORED ELECTRONIC INFORMATION

`Sec.

`2801. Definitions.

`2802. Unlawful use of encryption.

`2803. Access to decryption assistance for communications.

`2804. Access to decryption assistance for stored electronic communications or records.

`2805. Foreign government access to decryption assistance.

`2806. Establishment and operations of National Electronic Technologies Center.

`2801. Definitions
`In this chapter:

`(1) Decryption assistance: The term `decryption assistance' means assistance that provides or facilitates access to the plaintext of an encrypted wire or electronic communication or stored electronic information, including the disclosure of a decryption key or the use of a decryption key to produce plaintext.

`(2) Decryption key: The term `decryption key' means the variable information used in or produced by a mathematical formula, code, or algorithm, or any component thereof, used to decrypt a wire communication or electronic communication or stored electronic information that has been encrypted.

`(3) Encrypt; encryption: The terms `encrypt' and `encryption' refer to the scrambling (and descrambling) of wire communications, electronic communications, or electronically stored information, using mathematical formulas or algorithms in order to preserve the confidentiality, integrity, or authenticity of, and prevent unauthorized recipients from accessing or altering, such communications or information.

`(4) Foreign government: The term `foreign government' has the meaning given the term in section 1116.

`(5) Official request: The term `official request' has the meaning given the term in section 3506(c).

`(6) Incorporated definitions: Any term used in this chapter that is not defined in this chapter and that is defined in section 2510, has the meaning given the term in section 2510.

`2802. Unlawful use of encryption
`Any person who, during the commission of a felony under Federal law, knowingly and willfully encrypts any incriminating communication or information relating to that felony, with the intent to conceal that communication or information for the purpose of avoiding detection by a law enforcement agency or prosecutor--

`(1) in the case of a first offense under this section, shall be imprisoned not more than 5 years, fined under this title, or both; and

`(2) in the case of a second or subsequent offense under this section, shall be imprisoned not more than 10 years, fined under this title, or both.

`2803. Access to decryption assistance for communications
`(a) Criminal Investigations:

`(1) In general: An order authorizing the interception of a wire or electronic communication under section 2518 shall, upon request of the applicant, direct that a provider of wire or electronic communication service, or any other person possessing information capable of decrypting that communication, other than a person whose communications are the subject of the interception, shall promptly furnish the applicant with the necessary decryption assistance, if the court finds that the decryption assistance sought is necessary for the decryption of a communication intercepted pursuant to the order.

`(2) Limitations: Each order described in paragraph (1), and any extension of such an order, shall--

`(A) contain a provision that the decryption assistance provided shall involve disclosure of a private key only if no other form of decryption assistance is available and otherwise shall be limited to the minimum necessary to decrypt the communications intercepted pursuant to this chapter; and

`(B) terminate on the earlier of--

`(i) the date on which the authorized objective is attained; or

`(ii) 30 days after the date on which the order or extension, as applicable, is issued.

`(3) Notice: If decryption assistance is provided pursuant to an order under this subsection, the court issuing the order described in paragraph (1)--

`(A) shall cause to be served on the person whose communications are the subject of such decryption assistance, as part of the inventory required to be served pursuant to section 2518(8), notice of the receipt of the decryption assistance and a specific description of the keys or other assistance disclosed; and

`(B) upon the filing of a motion and for good cause shown, shall make available to such person, or to counsel for that person, for inspection, the intercepted communications to which the decryption assistance related, except that on an ex parte showing of good cause, the serving of the inventory required by section 2518(8) may be postponed.
`(b) Foreign Intelligence Investigations:

`(1) In general: An order authorizing the interception of a wire or electronic communication under section 105(b)(2) of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1805(b)(2)) shall, upon request of the applicant, direct that a provider of wire or electronic communication service or any other person possessing information capable of decrypting such communications, other than a person whose communications are the subject of the interception, shall promptly furnish the applicant with the necessary decryption assistance, if the court finds that the decryption assistance sought is necessary for the decryption of a communication intercepted pursuant to the order.

`(2) Limitations: Each order described in paragraph (1), and any extension of such an order, shall--

`(A) contain a provision that the decryption assistance provided shall be limited to the minimum necessary to decrypt the communications intercepted pursuant to this chapter; and

`(B) terminate on the earlier of--

`(i) the date on which the authorized objective is attained; or

`(ii) 30 days after the date on which the order or extension, as applicable, is issued.
`(c) General Prohibition on Disclosure: Other than pursuant to an order under subsection (a) or (b) of this section, no person possessing information capable of decrypting a wire or electronic communication of another person shall disclose that information or provide decryption assistance to an investigative or law enforcement officer (as defined in section 2510(7)).

[Page: S4719]

`2804. Access to decryption assistance for stored electronic communications or records
`(a) Decryption Assistance: No person may disclose a decryption key or provide decryption assistance pertaining to the contents of stored electronic communications or records, including those disclosed pursuant to section 2703, to a governmental entity, except--

`(1) pursuant to a warrant issued under the Federal Rules of Criminal Procedure or an equivalent State warrant, a copy of which warrant shall be served on the person who created the electronic communication prior to or at the same time service is made on the keyholder;

`(2) pursuant to a subpoena, a copy of which subpoena shall be served on the person who created the electronic communication or record, under circumstances allowing the person meaningful opportunity to challenge the subpoena; or

`(3) upon the consent of the person who created the electronic communication or record.
`(b) Delay of Notification: In the case of communications disclosed pursuant to section 2703(a), service of the copy of the warrant or subpoena on the person who created the electronic communication under subsection (a) may be delayed for a period of not to exceed 90 days upon request to the court by the governmental entity requiring the decryption assistance, if the court determines that there is reason to believe that notification of the existence of the court order or subpoena may have an adverse result described in section 2705(a)(2).

`2805. Foreign government access to decryption assistance
`(a) In General: No investigative or law enforcement officer may--

`(1) release a decryption key to a foreign government or to a law enforcement agency of a foreign government; or

`(2) except as provided in subsection (b), provide decryption assistance to a foreign government or to a law enforcement agency of a foreign government.
`(b) Conditions for Cooperation With Foreign Government:

`(1) Application for an order: In any case in which the United States has entered into a treaty or convention with a foreign government to provide mutual assistance with respect to providing decryption assistance, the Attorney General (or the designee of the Attorney General) may, upon an official request to the United States from the foreign government, apply for an order described in paragraph (2) from the district court in which the person possessing information capable of decrypting the communication or information at issue resides--

`(A) directing that person to release a decryption key or provide decryption assistance to the Attorney General (or the designee of the Attorney General); and

`(B) authorizing the Attorney General (or the designee of the Attorney General) to furnish the foreign government with the plaintext of the encrypted communication or stored electronic information at issue.

`(2) Contents of order: An order is described in this paragraph if it is an order directing the person possessing information capable of decrypting the communication or information at issue to

`(A) release a decryption key to the Attorney General (or the designee of the Attorney General) so that the plaintext of the communication or information may be furnished to the foreign government; or

`(B) provide decryption assistance to the Attorney General (or the designee of the Attorney General) so that the plaintext of the communication or information may be furnished to the foreign government.

`(3) Requirements for order: The court described in paragraph (1) may issue an order described in paragraph (2) if the court finds, on the basis of an application made by the Attorney General under this subsection, that--

`(A) the decryption key or decryption assistance sought is necessary for the decryption of a communication or information that the foreign government is authorized to intercept or seize pursuant to the law of that foreign country;

`(B) the law of the foreign country provides for adequate protection against arbitrary interference with respect to privacy rights; and

`(C) the decryption key or decryption assistance is being sought in connection with a criminal investigation for conduct that would constitute a violation of a criminal law of the United States if committed within the jurisdiction of the United States.

`2806. Establishment and operations of National Electronic Technologies Center
`(a) National Electronic Technologies Center:

`(1) Establishment: There is established in the Department of Justice a National Electronic Technologies Center (referred to in this section as the `NET Center').

`(2) Director: The NET Center shall be administered by a Director (referred to in this section as the `Director'), who shall be appointed by the Attorney General.

`(3) Duties: The NET Center shall--

`(A) serve as a center for Federal, State, and local law enforcement authorities for information and assistance regarding decryption and other access requirements;

`(B) serve as a center for industry and government entities to exchange information and methodology regarding information security techniques and technologies;

`(C) support and share information and methodology regarding information security techniques and technologies with the Computer Investigations and Infrastructure Threat Assessment Center (CITAC) and Field Computer Investigations and Infrastructure Threat Assessment (CITA) Squads of the Federal Bureau of Investigation;

`(D) examine encryption techniques and methods to facilitate the ability of law enforcement to gain efficient access to plaintext of communications and electronic information;

`(E) conduct research to develop efficient methods, and improve the efficiency of existing methods, of accessing plaintext of communications and electronic information;

`(F) investigate and research new and emerging techniques and technologies to facilitate access to communications and electronic information, including--

`(i) reverse-stenography;

`(ii) decompression of information that previously has been compressed for transmission; and

`(iii) demultiplexing;

`(G) investigate and research interception and access techniques that preserve the privacy and security of information not authorized to be intercepted; and

`(H) obtain information regarding the most current hardware, software, telecommunications, and other capabilities to understand how to access digitized information transmitted across networks.

`(4) Equal access: State and local law enforcement agencies and authorities shall have access to information, services, resources, and assistance provided by the NET Center to the same extent that Federal law enforcement agencies and authorities have such access.

`(5) Personnel: The Director may appoint such personnel as the Director considers appropriate to carry out the duties of the NET Center.

`(6) Assistance of other federal agencies: Upon the request of the Director of the NET Center, the head of any department or agency of the Federal Government may, to assist the NET Center in carrying out its duties under this subsection--

`(A) detail, on a reimbursable basis, any of the personnel of such department or agency to the NET Center; and

`(B) provide to the NET Center facilities, information, and other nonpersonnel resources.

`(7) Private industry assistance: The NET Center may accept, use, and dispose of gifts, bequests, or devises of money, services, or property, both real and personal, for the purpose of aiding or facilitating the work of the Center. Gifts, bequests, or devises of money and proceeds from sales of other property received as gifts, bequests, or devises shall be deposited in the Treasury and shall be available for disbursement upon order of the Director of the NET Center.

`(8) Advisory board:

`(A) Establishment: There is established in the NET Center an Advisory Board for Excellence in Information Security (in this paragraph referred to as the `Advisory Board'), which shall be comprised of members who have the qualifications described in subparagraph (B) and who are appointed by the Attorney General. The Attorney General shall appoint a chairman of the Advisory Board.

`(B) Qualifications: Each member of the Advisory Board shall have experience or expertise in the field of encryption, decryption, electronic communication, information security, electronic commerce, privacy protection, or law enforcement.

`(C) Duties: The duty of the Advisory Board shall be to advise the NET Center and the Federal Government regarding new and emerging technologies relating to encryption and decryption of communications and electronic information.

`(9) Implementation plan:

`(A) In general: Not later than 2 months after the date of enactment of this chapter, the Attorney General shall, in consultation and cooperation with other appropriate Federal agencies and appropriate industry participants, develop and cause to be published in the Federal Register a plan for establishing the NET Center.

`(B) Contents of plan: The plan published under subparagraph (A) shall--

`(i) specify the physical location of the NET Center and the equipment, software, and personnel resources necessary to carry out the duties of the NET Center under this subsection;

`(ii) assess the amount of funding necessary to establish and operate the NET Center; and

`(iii) identify sources of probable funding for the NET Center, including any sources of in-kind contributions from private industry.
`(b) Authorization: There are authorized to be appropriated such sums as may be necessary for the establishment and operation of the NET Center.'.
(b) Technical and Conforming Amendment: The analysis for part I of title 18, United States Code, is amended by adding at the end the following:

`124. Encrypted wire or electronic communications and stored electronic information

2801'.

[Page: S4720]

TITLE III--EXPORTS OF ENCRYPTION PRODUCTS

SEC. 301. COMMERCIAL ENCRYPTION PRODUCTS.
(a) Provisions Applicable to Commercial Products: The provisions of this title apply to all encryption products, regardless of the encryption algorithm selected, encryption key length chosen, exclusion of key recovery or other plaintext access capability, or implementation or medium used, except those specifically designed or modified for military use, including command, control, and intelligence applications.
(b) Control by Secretary of Commerce: Subject to the provisions of this title, and notwithstanding any other provision of law, the Secretary of Commerce shall have exclusive authority to control exports of encryption products covered under subsection (a).

SEC. 302. LICENSE EXCEPTION FOR MASS MARKET PRODUCTS.
(a) Export Control Relief: Subject to section 307, an encryption product that is generally available, or incorporates or employs in any form, implementation, or medium, an encryption product that is generally available, shall be exportable without the need for an export license, and without restrictions other than those permitted under this Act, after a 1-time 15-day technical review by the Secretary of Commerce.
(b) Definitions: In this section, the term `generally available' means an encryption product that is--

(1) offered for sale, license, or transfer to any person without restriction, whether or not for consideration, including, but not limited to, over-the-counter retail sales, mail order transactions, phone order transactions, electronic distribution, or sale on approval; and

(2) not designed, developed, or customized by the manufacturer for specific purchasers except for user or purchaser selection among installation or configuration parameters.
(c) Commerce Department Assurance:

(1) In general: The manufacturer or exporter of an encryption product may request written assurance from the Secretary of Commerce that an encryption product is considered generally available for purposes of this section.

(2) Response: Not later than 30 days after receiving a request under paragraph (1), the Secretary shall make a determination regarding whether to issue a written assurance under that paragraph, and shall notify the person making the request, in writing, of that determination.

(3) Effect on manufacturers and exporters: A manufacturer or exporter who obtains a written assurance under this subsection shall not be held liable, responsible, or subject to sanctions for failing to obtain an export license for the encryption product at issue.

SEC. 303. LICENSE EXCEPTION FOR PRODUCTS WITHOUT ENCRYPTION CAPABLE OF WORKING WITH ENCRYPTION PRODUCTS.
Subject to section 307, any product that does not itself provide encryption capabilities, but that incorporates or employs in any form cryptographic application programming interfaces or other interface mechanisms for interaction with other encryption products covered by section 301(a), shall be exportable without the need for an export license, and without restrictions other than those permitted under this Act, after a 1-time, 15-day technical review by the Secretary of Commerce.

SEC. 304. LICENSE EXCEPTION FOR PRODUCT SUPPORT AND CONSULTING SERVICES.
(a) No Additional Export Controls Imposed if Underlying Product Covered by License Exception: Technical assistance and technical data associated with the installation and maintenance of encryption products covered by sections 302 and 303 shall be exportable without the need for an export license, and without restrictions other than those permitted under this Act.
(b) Definitions: In this section:

(1) Technical assistance: The term `technical assistance' means services, including instruction, skills training, working knowledge, and consulting services, and the transfer of technical data.

(2) Technical data: The term `technical data' means information including blueprints, plans, diagrams, models, formulae, tables, engineering designs and specifications, manuals and instructions written or recorded on other media or devices such as disk, tape, or read-only memories.

SEC. 305. LICENSE EXCEPTION WHEN COMPARABLE FOREIGN PRODUCTS AVAILABLE.
(a) Foreign Availability Standard: An encryption product not qualifying under section 302 shall be exportable without the need for an export license, and without restrictions other than those permitted under this Act, after a 1-time 15-day technical review by the Secretary of Commerce, if an encryption product utilizing the same or greater key length or otherwise providing comparable security to such encryption product is, or will be within the next 18 months, commercially available outside the United States from a foreign supplier.
(b) Determination of Foreign Availability:

(1) Encryption export advisory board established: There is hereby established a board to be known as the `Encryption Export Advisory Board' (in this section referred to as the `Board').

(2) Membership: The Board shall be comprised of--

(A) the Under Secretary of Commerce for Export Administration, who shall be Chairman;

(B) seven individuals appointed by the President, of whom--

(i) one shall be a representative from each of--

(I) the National Security Agency;

(II) the Central Intelligence Agency; and

(III) the Office of the President; and

(ii) four shall be individuals from the private sector who have expertise in the development, operation, or marketing of information technology products; and

(C) four individuals appointed by Congress from among individuals in the private sector who have expertise in the development, operation, or marketing of information technology products, of whom--

(i) one shall be appointed by the Majority Leader of the Senate;

(ii) one shall be appointed by the Minority Leader of the Senate;

(iii) one shall be appointed by the Speaker of the House of Representatives; and

(iv) one shall be appointed by the Minority Leader of the House of Representatives.

(3) Meetings:

(A) In general: Subject to subparagraph (B), the Board shall meet at the call of the Under Secretary of Commerce for Export Administration.

(B) Meetings when applications pending: If any application referred to in paragraph (4)(A) is pending, the Board shall meet not less than once every 30 days.

(4) Duties:

(A) In general: Whenever an application for a license exception for an encryption product under this section is submitted to the Secretary of Commerce, the Board shall determine whether a comparable encryption product is commercially available outside the United States from a foreign supplier as specified in subsection (a).

(B) Majority vote required: The Board shall make a determination under this paragraph upon a vote of the majority of the members of the Board.

(C) Deadline: The Board shall make a determination with respect to an encryption product under this paragraph not later than 30 days after receipt by the Secretary of an application for a license exception under this subsection based on the encryption product.

(D) Notice of determinations: The Board shall notify the Secretary of Commerce of each determination under this paragraph.

(E) Reports to president: Not later than 30 days after a meeting under this paragraph, the Board shall submit to the President a report on the meeting.

(F) Applicability of faca: The provisions of the Federal Advisory Committee Act (5 U.S.C. App.) shall not apply to the Board or to meetings held by the Board under this paragraph.

(5) Action by secretary of commerce:

(A) Approval or disapproval: The Secretary of Commerce shall specifically approve or disapprove each determination of the Board under paragraph (5) not later than 30 days of the submittal of such determination to the Secretary under that paragraph.

(B) Notification and publication of decision: The Secretary of Commerce shall--

(i) notify the Board of each approval or disapproval under this paragraph; and

(ii) publish a notice of the approval or disapproval in the Federal Register.

(C) Contents of notice: Each notice of a decision of disapproval by the Secretary of Commerce under subparagraph (B) of a determination of the Board under paragraph (4) that an encryption product is commercially available outside the United States from a foreign supplier shall set forth an explanation in detail of the reasons for the decision, including why and how continued export control of the encryption product which the determination concerned will be effective in achieving its purpose and the amount of lost sales and loss in market share of United States encryption products as a result of the decision.

(6) Judicial review: Notwithstanding any other provision of law, a decision of disapproval by the Secretary of Commerce under paragraph (5) of a determination of the Board under paragraph (4) that an encryption product is commercially available outside the United States from a foreign supplier shall be subject to judicial review under the provisions of subchapter II of chapter 5 of title 5, United States Code (commonly referred to as the `Administrative Procedures Act').
(c) Inclusion of Comparable Foreign Encryption Product in a United States Product Not Basis for Export Controls: A product that incorporates or employs a foreign encryption product, in the way it was intended to be used and that the Board has determined to be commercially available outside the United States, shall be exportable without the need for an export license and without restrictions other than those permitted under this Act, after a 1-time 15-day technical review by the Secretary of Commerce.

[Page: S4721]

SEC. 306. NO EXPORT CONTROLS ON ENCRYPTION PRODUCTS USED FOR NONCONFIDENTIALITY PURPOSES.
(a) Prohibition on New Controls: The Federal Government shall not restrict the export of encryption products used for nonconfidentiality purposes such as authentication, integrity, digital signatures, nonrepudiation, and copy protection.
(b) No Reinstatement of Controls on Previously Decontrolled Products: Those encryption products previously decontrolled and not requiring an export license as of January 1, 1998, as a result of administrative decision or rulemaking shall not require an export license.

SEC. 307. APPLICABILITY OF GENERAL EXPORT CONTROLS.
(a) Subject to Terrorist and Embargo Controls: Nothing in this Act shall be construed to limit the authority of the President under the International Emergency Economic Powers Act, the Trading with the Enemy Act, or the Export Administration Act, to--

(1) prohibit the export of encryption products to countries that have been determined to repeatedly provide support for acts of international terrorism; or

(2) impose an embargo on exports to, and imports from, a specific country.
(b) Subject to Specific Denials for Specific Reasons: The Secretary of Commerce shall prohibit the export of particular encryption products to an individual or organization in a specific foreign country identified by the Secretary if the Secretary determines that there is substantial evidence that such encryption products will be used for military or terrorist end-use, including acts against the national security, public safety, or the integrity of the transportation, communications, or other essential systems of interstate commerce in the United States.
(c) Other Export Controls Remain Applicable: (1) Encryption products shall remain subject to all export controls imposed on such products for reasons other than the existence of encryption capabilities.
(2) Nothing in this Act alters the Secretary's ability to control exports of products for reasons other than encryption.

SEC. 308. FOREIGN TRADE BARRIERS TO UNITED STATES PRODUCTS.
Not later than 180 days after the date of enactment of this Act, the Secretary of Commerce, in consultation with the United States Trade Representative, shall--

(1) identify foreign barriers to exports of United States encryption products;

(2) initiate appropriate actions to address such barriers; and

(3) submit to Congress a report on the actions taken under this section.

Mr. LEAHY. Mr. President, I am pleased to join Senator Ashcroft, and others, in introducing today the `Encryption Protects the Rights of Individuals from Violation and Abuse in Cyberspace,' or E-PRIVACY Act, to reform our nation's cryptography policy in a constructive and positive manner. It is time the Administration woke up to the critical need for a common sense encryption policy in this country.

I have been sounding the alarm bells about this issue for several years now, and have introduced encryption legislation, with bipartisan support, in the last Congress and again in this one, to balance the important privacy, economic, national security and law enforcement interests at stake. The volume of those alarm bells should be raised to emergency sirens.

Hardly a month goes by without press reports of serious breaches of computer security that threaten our critical infrastructures, including Defense Department computer systems, the telephone network, or computer systems for airport control towers. The lesson of these computer breaches--often committed by computer savvy teenagers--is that all the physical barriers we might put in place can be circumvented using the wires that run into every building to support the computers and computer networks that are the mainstay of how we do business. A well-focused cyber-attack on the computer networks that support telecommunications, transportation, water supply, banking, electrical power and other critical infrastructure systems could wreak havoc on our national economy or even jeopardize our national defense or public safety.

We have been aware of the vulnerabilities of our computer networks for some time. It became clear to me almost a decade ago, during hearings I chaired of the Judiciary Subcommittee on Technology and the Law on the risks of high-tech terrorism, that merely `hardening' our physical space from potential attack is not enough. We must also `harden' our critical infrastructures to ensure our security and our safety.

That is where encryption technology comes in. Encryption can protect the security of our computer information and networks. Indeed, both former Senator Sam Nunn and former Deputy Attorney General Jamie Gorelick, who serve as co-chairs of the Advisory Committee to the President's Commission on Critical Infrastructure Protection, have testified that `encryption is essential for infrastructure protection.'

Yet U.S. encryption policy has acted as a deterrent to better security. As long ago as 1988, at the High-Tech Terrorism hearings I chaired, Jim Woolsey, who later became the director of the Central Intelligence Agency, testified about the need to do a better job of using encryption to protect our computer networks. Of particular concern is the recent testimony of former Senator Sam Nunn that the `continuing federal government-private sector deadlock over encryption and export policies' may pose an obstacle to the cooperation needed to protect our country's critical infrastructures.

I have long advocated the use of strong encryption by individuals, government agencies and private companies to protect their valuable and confidential computer information. Moreover, as more Americans every year use the Internet and other computer networks to obtain critical medical services, and conduct their personal and business affairs, maintaining the privacy and confidentiality of our computer communications both here and abroad has only grown in importance. As an avid computer user and Internet surfer myself, I care deeply about protecting individual privacy and encouraging the development of the Internet as a secure and trusted communications medium.

Encryption is the key to protecting the privacy of our online communications and electronic records by ensuring that only the people we choose can read those communications and records. That is why the primary thrust of the encryption legislation I have introduced is to encourage--and not stand in the way of--the widespread use of strong encryption.

Strong encryption serves as a crime prevention shield to stop hackers, industrial spies and thieves from snooping into private computer files and stealing valuable proprietary information. Unfortunately, we still have a long away to go to reform our country's encryption policy to reflect that this technology is a significant crime and terrorism prevention tool.

Even as our law enforcement and intelligence agencies try to slow down the widespread use of strong encryption, technology continues to move forward. Ironically, foot-dragging by the Administration on export controls is driving encryption technology, expertise and manufacturing overseas where we will lose even more control over its proliferation.

Indeed, due to the sorry state of our export controls on encryption, we are seeing rising numbers of our high-tech companies turning to overseas firms as suppliers of the strong encryption demanded by their customers. For example, Network Associates recently announced that it will make strong encryption software developed in the United States available through a Swiss company. Other companies, including Sun Microsystems, are cooperating with foreign firms to manufacture and distribute overseas strong encryption software originally developed here at home.

Encryption technology, invented with American ingenuity, will now be manufactured and distributed in Europe, and imported back into this country.

Driving encryption expertise overseas is extremely short-sighted and poses a real threat to our national security. Driving high-tech jobs overseas is a threat to our economic security, and stifling the widespread, integrated use of strong encryption is a threat to our public safety. The E-PRIVACY Act would reverse the incentives for American companies to look abroad for strong encryption by relaxing our export controls.

Specifically, the bill would grant export license exceptions, after a one-time technical review, for mass market products with encryption capabilities, products which do not themselves provide encryption but are capable of interoperating with encryption products, and customized hardware and software with encryption capabilities so long as foreign products with comparable encryption are available.

At the same time, the bill retains important restrictions on encryption exports for military end-uses or to terrorist-designated or embargoed countries, such as Cuba and North Korea. It also affirms the continued authority of the Secretary of Commerce over encryption exports and assures that before export, the Secretary is able to conduct a one-time technical review of all encryption products to ensure that the product works as represented.

The E-PRIVACY Act puts to rest the specter of domestic controls on encryption. This legislation bars government-mandated key recovery (or key escrow encryption) and ensures that all computer users are free to choose any encryption method to protect the privacy of their online communications and computer files.

At the heart of the encryption debate is the power this technology gives computer users to choose who may access their communications and stored records, to the exclusion of all others. For the same reason that encryption is a powerful privacy enhancing tool, it also poses challenges for law enforcement. Law enforcement agencies want access even when we do not choose to give it. We are mindful of these national security and law enforcement concerns that have dictated the Administration's policy choices on encryption.

With the appropriate procedural safeguards in place, law enforcement agencies should be able to get access to decryption assistance. The E-PRIVACY Act contains a number of provisions designed to address these concerns, including a new criminal offense for willful use of encryption to hide incriminating evidence from law enforcement detection, establishment of a NET Center to help federal, state and local law enforcement stay abreast of advanced technologies, and explicit procedures for law enforcement to obtain decryption assistance from third parties for encrypted communications or records to which law enforcement has lawful access.

One of the starkest deficiencies in the Administration's key recovery proposals has always been the question of foreign government access. The Administration has sought reciprocal relationships with foreign governments as a critical part of an effective global key recovery system. Yet many Americans and American companies are rightfully concerned about the terms under which foreign governments would get access to decryption assistance. The E-PRIVACY Act makes clear what those terms will be and ensures that foreign governments will not get access to private decryption keys, but only, at most, plaintext.

This is not just an important issue for the privacy and security of Americans; it also is a significant human rights issue. Today, human rights organizations worldwide are using encryption to protect their work and the lives of investigators, witnesses and victims overseas. Amnesty International uses it. Human Rights Watch uses it. The human rights program in the American Association for the Advancement of Science uses it. It is used to protect witnesses

who report human rights abuses in the Balkans, in Burma, in Guatemala, in Tibet. I have been told about a number of other instances in which strong encryption has been used to further the causes of democracy and human rights.

For example, in the ongoing trial of Argentinean military officers in Spain, on charges of genocide and terrorism arising out of the `dirty war,' the human rights group Derechos uses the encryption program Pretty Good Privacy (PGP)--which the United States government tried to keep out of the hands of foreigners--to encrypt particularly confidential messages that go between Spain and Argentina, to stop the Argentinean intelligence forces from being able to read them and so try to jeopardize the trial.

A group in Guatemala is using a computer database to track the names of witnesses to military massacres. A South African organization keeps the names of applicants for amnesty for political crimes carried out in South Africa during the apartheid regime. Workers at both groups could be subject to intimidation, harassment, or murder by those intent on preventing the public discussion and analysis of the claims. Both systems are protected by strong cryptography.

A not-for-profit agency working for human rights in the Balkans uses PGP to protect all sensitive files. Its offices have been raided by various police forces looking for evidence of `subversive activities.' Last year in Zagreb, security police raided its office and confiscated its computers in the hope of retrieving information about the identity of people who had complained about human rights abuses by the authorities. PGP allowed the group to communicate and protect its files from any attempt to gain access. The director of the organization spent 13 days in prison for not opening his encrypted files but has said `it was a very small price to pay for protecting our clients.'

The Iraqi National Congress, a group opposing Saddam Hussein with offices in London and supporters inside Iraq, uses encrypted e-mail to communicate with its supporters inside Iraq. (Non-governmental Internet connections are banned in Iraq, but the dissidents within Iraq access e-mail by dialing outside the country with satellite telephones).

Burmese human rights activists working in the relative safe haven of Thailand use encryption when communicating on-line, because the Thai government maintains diplomatic relations with the Burmese government and is expected to turn over information to the Burmese authorities.

The FBI has argued that lives may be lost in sensitive terrorist and other investigations if government agencies do not have access to private encryption keys. However, the reverse is equally true: weak encryption or easy government access to decryption assistance could jeopardize lives as well.

Finally, the E-PRIVACY Act contains provisions to enhance the privacy protections for communications, even when encryption is not employed. Specifically, the bill would require law enforcement to obtain a court order based on probable cause before using a cellular telephone as a tracking device. In addition, the bill would require law enforcement agencies to obtain a court order or provide notice when seizing electronic records that a person stores on a computer network rather than on the hard drive of his or her own personal computer. Finally, the bill grants Federal judges authority to evaluate the reasons proffered by a prosecutor for issuance of an ex parte pen register or trap and trace device order, by contrast to their mere ministerial authority under current law.

In sum, the E-PRIVACY Act accomplishes the eight goals that Senator Ashcroft and I set out during our April 2, 1998, colloquy on the floor. Specifically, we sought to craft legislation that promotes the following principles:

First, ensure the right of Americans to choose how to protect the privacy and security of their communications and information;

Second, bar a government-mandated key escrow encryption system;

Third, establish both procedures and standards for access by law enforcement to decryption keys or decryption assistance for both encrypted communications and stored electronic information and only permit such access upon court order authorization, with appropriate notice and other procedural safeguards;

Fourth, establish both procedures and standards for access by foreign governments and foreign law enforcement agencies to the plaintext of encrypted communications and stored electronic information of United States persons;

Fifth, modify the current export regime for encryption to promote the global competitiveness of American companies;

Sixth, avoid linking the use of certificate authorities with key recovery agents or, in other words, not link the use of encryption for confidentiality purposes with use of encryption for authenticity and integrity purposes;

Seventh, consistent with these goals of promoting privacy and the global competitiveness of our high-tech industries, help our law enforcement agencies and national security agencies deal with the challenges posed by the use of encryption; and

Eighth, protect the security and privacy of information provided by Americans to the government by ensuring that encryption products used by the government interoperate with commercial encryption products.

Resolving the encryption debate is critical for our economy, our national security and our privacy. This is not a partisan issue. This is not a black-and-white issue of being either for law enforcement and national security or for Internet freedom. Characterizing the debate in these simplistic terms is neither productive nor accurate.

Delays in resolving the encryption debate hurt most the very public safety and national security interests that are posed as obstacles to resolving this issue. We need sensible solutions in legislation that will not be subject to change at the whim of agency bureaucrats.

Every American, not just those in the software and high-tech industries and not just those in law enforcement agencies, has a stake in the outcome of this debate. We have a legislative stalemate right now that needs to be resolved, and I hope to work closely with my colleagues and the Administration on a solution.

I ask unanimous consent that the sectional summary for the `E-PRIVACY Act' be printed in the Record.

There being no objection, the summary was ordered to be printed in the Record, as follows:

[Page: S4723]

Section-by-Section Analysis of E-Privacy Act

Sec. 1. Short Title.--The Act may be cited as the `Encryption Protects the Rights of Individuals from Violation and Abuse in CYberspace (E-PRIVACY) Act.'

Sec. 2 Purposes: The Act would ensure that Americans have the maximum possible choice in encryption methods to protect the security, confidentiality and privacy of their lawful wire and electronic communications and stored electronic information. The Act would also promote the privacy and constitutional rights of individuals and organizations and the security of critical information infrastructures. Finally, the Act would establish privacy standards and procedures for law enforcement officers to follow to obtain decryption assistance for encrypted communications and information.

Sec. 3 Findings.--The Act enumerates sixteen congressional findings, including that a secure, private and trusted national and global information infrastructure is essential to promote citizens' privacy, economic growth and meet the needs of both American citizens and businesses, that encryption technology widely available worldwide can help meet those needs, that Americans should be free to use, and American businesses free to compete and sell, encryption technology, programs and products, and that there is a need to develop a national encryption policy to advance the global information infrastructure and preserve Americans' right to privacy and the Nation's public safety and national security.

Sec. 4 Definitions.--The terms `agency', `person', `remote computing service' and `state' have the same meaning given those terms in specified sections of title 18, United States Code.

Additional definitions are provided for the following terms:

The terms `encrypt' and `encryption' mean the use of mathematical formulas or algorithms to scramble or descramble electronic data or communications for purposes of confidentiality, integrity, or authenticity. As defined, the terms cover a broad range of scrambling techniques and applications including cryptographic applications such as PGP or RSA's encryption algorithms; stegonagraphy; authentication; and winnowing and chafing.

The term `encryption product' includes any hardware, software, devices, or other technology with encryption capabilities, whether or not offered for sale or distribution. A particular encryption product includes subsequent versions of the product, if the encryption capabilities remain the same.

The term `exportable' means the ability to transfer, ship,
or transmit to foreign users. The term includes the ability to electronically transmit via the Internet.

The term `key' means the variable information used in or produced by a mathematical formula to encrypt or decrypt wire or electronic communications, or electronically stored information.

The term `technical review' means a review by the Secretary of Commerce based on information about a product's encryption capabilities supplied by the manufacturer that an encryption product works as represented.

TITLE I--PRIVACY PROTECTION FOR COMMUNICATIONS AND ELECTRONIC INFORMATION

Sec. 101. Freedom to use Encryption.

(a) In General: The Act legislatively confirms current practice in the United States that any person in this country may lawfully use any encryption method, regardless of encryption algorithm, key length, existence of key recovery or other plaintext access capability, or implementation selected. Specifically, the Act states the freedom of any person in the U.S., as well as U.S. persons in a foreign country, to make, use, import, and distribute any encryption product without regard to its strength or the use of key recovery, subject to the other provisions of the Act.

(b) Prohibition on Government-Compelled Key Escrow or Key Recovery Encryption: The Act prohibits any federal or state agency from compelling the use of key recovery systems or other plaintext access systems. Agencies may not set standards, or condition approval or benefits, to compel use of these systems. U.S. agencies may not require persons to use particular key recovery products for interaction with the government. These prohibitions do not apply to systems for use solely for the internal operations and telecommunications systems of a U.S. or a State government agency.

(c) Use of Encryption For Authentication or Integrity Purposes: The Act requires that the use of encryption products shall be voluntary and market-driven, and no federal or state agency may link the use of encryption for authentication or identity (such as through certificate authority and digital signature systems) to the use of encryption for confidentiality purposes. For example, some Administration proposals would condition receipt of a digital certificate from a licensed certificate authority on the use of key recovery. Such conditions would be prohibited.

Sec. 102. Purchase and Use of Encryption Products by the Federal Government: The Act authorizes agencies of the United States to purchase encryption products for internal governmental operations and telecommunications systems. To ensure that secure electronic access to the Government is available to persons outside of and not operating under contract with Federal agencies, the Act requires that any key recovery features in encryption products used by the Government interoperate with commercial encryption products.

Sec. 103. Enhanced Privacy Protection For Electronic Records on Computer Networks: The Act adds a new subsection (g) to section 2703 of title 18, United States Code, to extend privacy protections to electronic information stored on computer networks.

Under United States v. Miller, 425 U.S. 435 (1976) (customer has no standing to object to bank disclosure of customer records) and its progeny, records in the possession of third parties do not receive Fourth Amendment protection. When held in a person's home, such records can only be seized pursuant to a warrant based upon probable cause, or compelled under a subpoena which can be challenged and quashed. In both these instances, the record owner has notice of the search and an opportunity to challenge it. By contrast, production of records held by third parties can be compelled by a governmental agent with a subpoena to the third party holding the information, without notice to the person to whom the records belong or pertain. The record owner may never receive notice or any meaningful opportunity to challenge the production.

This lack of protection for records held by third parties presents new privacy problems in the information age. With the rise of network computing, electronic information that was previously held on a person's own computer is increasingly stored elsewhere, such as on a network server or an ISP's computers. In many cases the location of such information is not even known to the record's owner.

The Act amends section 2703 to extend the same privacy protections to a person's records whether storage takes place on that person's personal computer in their possession or in networked electronic storage. The term `networked electronic storage' applies to electronic records held by a third party, who is not authorized to access the contents of the record except in connection with providing storage services, and where the person who created the record is able to access and modify the record remotely through electronic means. Electronic data stored incident to transmission (such as e-mail) and covered under 2703(a) is not included.

The new section 2703(g) requires that a governmental entity may only require disclosure of electronic records in `networked electronic storage' pursuant to (i) a state or federal warrant
(based upon probable cause), with a copy to be served on the record owner at the same time the warrant is served on the record holder; (ii) a subpoena that must also be served on the record owner with a meaningful opportunity to challenge the subpoena; or (iii) the consent of the record owner.

Sec. 104. Government Access to Location Information.--The Act adds a new subsection (h) to section 2703 of title 18, United States Code, to extend privacy protections for physical location information generated on a real time basis by mobile electronic communications services, such as cellular telephones. This section requires that when cellular telephones are used as contemporaneous tracking devices, the physical location information generated by the service provider may only be released to a governmental entity pursuant to a court order based upon probable cause.

Sec. 105. Enhanced Privacy Protection for Transactional Information Obtained From Pen Registers or Trap and Trace Devices.--The Act enhances privacy protections for information obtained from pen register and trap and trace devices by amending section 3123(a) of title 18, United States Code. This amendment would not change the standard for issuance of an ex parte order authorizing use of a pen register or trap and trace device, but would grant a court authority to review the information presented in a certification by the prosecuting attorney to determine whether the information likely to be obtained is relevant to an ongoing criminal investigation. Under current law, the court is relegated to a mere ministerial function and must issue the order upon presentation of a certification.

In addition, the amendment requires law enforcement to minimize the information obtained from the pen register or trap and trace device that is not related to the dialing and signaling information utilized in call processing. Currently, such devices capture not just such dialing information but also any other dialed digits after a call has been completed.

[Page: S4724]

TITLE II--LAW ENFORCEMENT ASSISTANCE

Sec. 201. Encrypted Wire or Electronic Communications and Stored Electronic Communications.--The Act adds a new chapter 124 to Title 18, Part I, governing the unlawful use of encryption, protections and standards for governmental access, including foreign governments, to decryption assistance from third parties, and establishment of a `Net Center' to assist law enforcement in dealing with advanced technologies, such as encryption.

(a) In General.--New chapter 124 has six sections. This chapter applies to wire or electronic communications and communications in electronic storage, as defined in 18 U.S.C. 2510, and to stored electronic data. Thus, this chapter describes procedures for law enforcement to obtain assistance in decrypting encrypted electronic mail messages, encrypted telephone conversations, encrypted facsimile transmissions, encrypted computer transmissions and encrypted file transfers over the Internet that are lawfully intercepted pursuant to a wiretap order, under 18 U.S.C. Sec. 2518, or obtained pursuant to lawful process, under 18 U.S.C. 2703, and encrypted information stored on computers that are seized pursuant to a search warrant or other lawful process.

2801. Definitions.--Generally, the terms used in the new chapter have the same meanings as in the federal wiretap statute, 18 U.S.C. Sec. 2510. Definitions are provided for `decryption assistance', `decryption key', `encrypt; encryption', `foreign government' and `official request'.

2802. Unlawful use of encryption.--This section creates a new federal crime for knowingly and willfully using encryption during the commission of a Federal felony offense, with the intent to conceal that information for the purpose of avoiding detection by law enforcement. This new offense would be subject to a fine and up to 5 years' imprisonment for a first offense, and up to 10 years' imprisonment for a second or subsequent offense.

2803. Access to decryption assistance for communications.--In the United States today, decryption keys and other decryption assistance held by third parties constitute third party records and may be disclosed to a governmental entity with a subpoena or an administrative request, and without any notice to the owner of the encrypted data. Such a low standard of access creates new problems in the information age because encryption users rely heavily on the integrity of keys to protect personal information or sensitive trade secrets, even when those keys are placed in the hands of trusted agents for recovery purposes.

Under new section 2803, in criminal investigations a third party holding decryption keys or other decryption assistance for wire or electronic communications may be required to release such assistance pursuant to a court order, if the court issuing the order finds that such assistance is needed for the decryption of communications covered by the order. Specifically, such an order for decryption assistance may be issued upon a finding that the key or assistance is necessary to decrypt communications or stored data lawfully intercepted or seized. The standard for release of the key or provision of decryption assistance is tied directly to the problem at hand: the need to decrypt a message or information that the government is otherwise authorized to intercept or obtain.

This will ensure that third parties holding decryption keys or decryption information need respond to only one type of compulsory process--a court order. Moreover, this Act will set a single standard for law enforcement, removing any extra burden on law enforcement to demonstrate, for example, probable cause for two separate orders (i.e., for the encrypted communications or information and for decryption assistance) and possibly before two different judges (i.e., the judge issuing the order for the encrypted communications or information and the judge issuing the order to the third party able to provide decryption assistance).

The Act reinforces the principle of minimization. The decryption assistance provided is limited to the minimum necessary to access the particular communications or information specified by court order. Under some key recovery schemes, release of a key holder's private key--rather than an individual session key--might provide the ability to decrypt every communication or stored file ever encrypted by a particular key owner, or by every user in an entire corporation, or by every user who was ever a customer of the key holder. The Act protects against such over broad releases of keys by requiring the court issuing the order to find that the decryption assistance being sought is necessary. Private keys may only be released if no other form of decryption assistance is available.

Notice of the assistance given will be included as part of the inventory provided to subjects of the interception pursuant to current wiretap law standards.

For foreign intelligence investigations, new section 2803 allows FISA orders to direct third-party holders to release decryption assistance if the court finds the assistance is needed to decrypt covered communications. Minimization is also required, though no notice is provided to the target of the investigation.

Under new section 2803, decryption assistance is only required under third-parties (i.e., other than those whose communications are the subject of interception), thereby avoiding self-incrimination problems.

Finally, new section 2803 generally prohibits any person from providing decryption assistance for another person's communications to a governmental entity, except pursuant to the orders described.

2804. Access to decryption assistance for stored electronic communications or records.--New section 2804 governs access to decryption assistance for stored electronic communications and records.

As noted above, under current law third party decryption assistance may be disclosed to a governmental entity with a subpoena or even a mere request and without notice. This standard is particularly problematic for stored encrypted data, which may exist in insecure media but rely on encryption to maintain security; in such cases easy access to keys destroys the encryption security so heavily relied upon.

Under new section 2804, third parties holding decryption keys or other decryption assistance for stored electronic communications may only release such assistance to a governmental entity pursuant to (1) a state or federal warrant (based upon probable cause), with a copy to be served on the record owner at the same time the warrant is served on the record holder; (2) a subpoena that must also be served on the record owner with a meaningful opportunity to challenge the subpoena; or (3) the consent of the record owner. This standard closely mirrors the protection that would be afforded to encryption keys that are actually kept in the possession of those whose records were encrypted. In the specific case of decryption assistance for communications stored incident to transit (such as e-mail), notice may be delayed under the standards laid out for delayed notice under current law in section 2705(a)(2) of title 18, United States Code.

2805. Foreign government access to decryption assistance.--New section 2805 creates standards for the U.S. government to provide decryption assistance to foreign governments. No law enforcement officer would be permitted to release decryption keys to a foreign government, but only to provide decryption assistance in the form of producing plaintext. No officer would be permitted to provide decryption assistance except upon an order requested by the Attorney General or designee. Such an order could require the production of decryption keys or assistance to the Attorney General only if the court finds that (1) the assistance is necessary to decrypt data the foreign government is authorized to intercept under foreign law; (2) the foreign country's laws provide `adequate protection against arbitrary interference with respect to privacy rights'; and (3) the assistance is sought for a criminal investigation of conduct that would violate U.S. criminal law if committed in the United States.

2806. Establishment and operations of National Electronic Technologies Center.--This section establishes a National Electronic Technologies Center (`NET Center') to serve as a focal point for information and assistance to federal, state, and local law enforcement authorities to address the technical difficulties of obtaining plaintext of communications and electronic information through the use of encryption, steganography, compression, multiplexing, and other techniques.

TITLE III--EXPORTS OF ENCRYPTION PRODUCTS

Sec. 301. Commercial Encryption Products.

(a) Provisions Applicable to Commercial Products: This title applies to all encryption products other than those specifically designed or modified for military use.

(b) Control by Secretary of Commerce: This section grants exclusive authority to the Secretary of Commerce (the `Secretary') to control commercial encryption product exports.

Sec. 302. License Exception for Mass Market Products.

(a) Export Control Relief: The Act permits export under a license exception of generally available, mass market, encryption products, which by their nature are uncontrollable given the volume sold and ease of distribution, without a license or restrictions, other than those permitted under this Act, after a 1-time 15-day technical review by the Secretary.

(b) Definitions: This section defines `generally available' as a product offered for sale, license, or transfer, including over-the-counter sales, mail or phone order transactions, electronic distribution, or sale on approval and not designed, developed or customized by the manufacturer for specific purchasers (except for installation or configuration parameters).

(c) Commerce Department Assurance: This section permits requests from manufacturers or exporters to the Secretary for written assurance that a product is `generally available,' and requires that the Secretary notify the petitioner of a decision within 30 days. This section prohibits imposition of liability or sanctions on petitioners who receive such a written assurance for failing to obtain an export license.

Sec. 303. License Exception for Products Without Encryption Capable of Working With Encryption Products.

This section permits export under a license exception of products, which do not provide any encryption themselves, but that are capable of working with encryption products, without restriction other than those permitted under this Act, after a 1-time, 15 day technical review by the Secretary.

Sec. 304. License Exception For Product Support and Consulting Services.

(a) No Additional Export Controls Imposed if Underlying Product Covered by License Exception: This section permits export of product support and consulting services, including technical assistance and technical data associated with the installation and maintenance of mass market encryption products or products capable of working with encryption products without an export license and without restrictions other than those permitted under this Act.

(b) Definitions: This section defines technical assistance as services, such as instruction, skills training, working knowledge, consulting services and transfer of technical data. `Technical data' is defined as information, including blueprints, plans, diagrams, models, formulae, table, engineering designs and specifications, manuals and instructions.

Sec. 304. License Exception When Comparable Foreign Products Available.

(a) Foreign Availability Standard: This section permits unrestricted export of customized encryption hardware and software products (i.e., not generally available mass market products) if a foreign encryption product using the same or greater key length or providing comparable security is, or will within 18 months, be commercially available outside the United States.

(b) Determination of Foreign Availability: This section establishes an Encryption Export Advisory Board (the `Board'), which is chaired by the Under Secretary of Commerce for Export Administration, with seven Presidential appointees (3 government and 4 private sector representatives); and four Congressional appointees from the private sector. The Board is required to meet at the call of the Chairman, or if there are any pending applications for a license exception, the Board shall meet at least once every 30 days.

The primary duties of the Board shall be to determine whether comparable foreign encryption products are commercially available outside the United States. The decision is by majority vote, and must be made within 30 days of receipt of application for a license exception. The Board must notify the Secretary of its determination, and submit a report to the President within 30 days. Board meetings are exempt from the Federal Advisory Committee Act.

The Secretary is required to approve or disapprove each Board determination within 30 days of receipt of that determination, notify the Board of the approval or disapproval, and publish notice of the approval or disapproval in the Federal Register. The notice shall include an explanation in detail of the reasons for the decision, including why and how continued export controls will be effective and the amount of lost sales and market share of U.S. encryption product which resulted. Judicial review of the Secretary's decision to disapprove a Board decision that a product is commercially available is permitted.

(c) Inclusion of Comparable Foreign Encryption Products in a United States Product Not Baiss for Export Controls: This section permits export under a license exception of products incorporating or employing a foreign encryption product in the way it was intended to be used and that the Board has determined to be commercially available outside the United States, without an export license and without restrictions other than those under the Act, after a 1-time 15 day review by the Secretary.

Sec. 306. No Export Controls on Encryption Products Used For Nonconfidentiality Purposes.

(a) Prohibition on New Controls: This section prohibits restrictions on encryption exports used for nonconfidentiality purposes such as authentication, integrity, digital signatures, nonrepudiation and copy protection.

(b) No Reinstatement of Controls on Previously Decontrolled products: This section prohibits administratively imposed encryption controls on previously decontrolled products not requiring an export license as of January 1, 1998.

Sec. 307. Applicability of General Export Controls.

(a) Subject to Terrorists and Embargo Controls: Nothing in the Act shall limit the President's authority under the International Emergency Economic Powers Act, the Trading With the Enemy Act, or the Export Administration Act to prohibit export of encryption products to countries that have repeatedly provided support for international terrorism, or impose an embargo on exports or imports from a specific country.

(b) Subject to Specific Denials for Specific Reasons: The Secretary is required to prohibit export of encryption products to an individual or organization in a specific foreign country identified by the Secretary, if the Secretary determines that there is substantial evidence that such encryption product will be used for military or terrorist end-use, including acts against the critical infrastructure of the United States.

(c) Other Export Controls Remain Applicable: Encryption products remain subject to all export controls imposed for reasons other than the existence of encryption capabilities, and the Secretary retains the authority to control exports of products for reasons other than encryption.

Sec. 308. Foreign Trade Barriers to United States Products.

The Secretary, in consultation with the United States Trade Representative, is required within 180 days of enactment of the Act to: (1) identify foreign barriers to the export of U.S. encryption products; (2) initiate appropriate actions to address such barriers; and (3) submit to Congress a report on the actions taken under this section.

[Page: S4725]

Mr. BURNS. Mr. President, I stand before the chamber today in support of the e-Privacy Act because the very future of electronic commerce on the Internet is being held hostage to cold-war era export controls. These outdated regulations tie the hands of the U.S. high technology industry and pose a threat to privacy and security of all Americans who use the Internet. Despite some small concessions by the Administration, the competitive advantage of the U.S. high technology industries and the privacy and security of our citizens remain trapped by the Clinton Administration's outdated policy.

The e-Privacy Act will relax current export controls on encryption technologies so that U.S. companies can effectively compete in the global marketplace. The bill will also prevent the government from mandating risky and expensive `key-recovery' or `key-escrow' encryption systems domestically. It's a good bill, it has broad support from the computer and communications industry, Internet users, and privacy advocates from both the left and right of the political spectrum.

The Clinton Administration has expressed concerns about the impact the e-Privacy Act would have on the legitimate needs of law enforcement and national security. My colleagues and I do not take their concerns lightly. Several provisions in the e-Privacy Act address the Administration's valid concerns while at the same time freeing U.S. companies to effectively compete in the global marketplace, and ensuring that the American people can trust the Internet as a secure means of commerce, education, and free expression of ideas.

The e-Privacy Act would create a National Electronic Technology Center (`NET Center') to serve as a central point for information and assistance to federal, state, and local law enforcement authorities to address the technical difficulties of obtaining electronic information because of encryption. National security and law enforcement would be given seats at the table in making these determinations. Once again, I am very sensitive to the legitimate needs of national security and law enforcement, and I think the provisions made in the e-Privacy Act address them.

The e-Privacy Act also extends to citizens that same privacy rights that they have in their homes to their digital property in cyberspace. The bill would require a court order or subpoena to obtain either the plaintext or decryption key from their parties. I believe that this is the correct approach.

Citizens are also specifically given the right to use whatever kind of encryption software at whatever strength they choose. The bill recognizes the folly of requiring the government to create procedures to license `key certificate authorities' and `key-recovery agents,' as well as require the development of a massive and complicated infrastructure to ensure that the government could recover the right key out of the hundreds of millions of keys in real time.

On many occasions, the world's leading cryptographers concluded that building such a key recovery infrastructure would be prohibitively expensive and would create a less secure network. The bill recognizes that mandatory key escrow will never work, no one will use it and certainly no criminals or other bad actors will use a system that is immediately accessible by the government.

I urge my colleagues to support the e-Privacy Act, which I feel is the true compromise package. We all have the same goals in mind--allowing for the continued growth of high tech industries while not harming national security. If we move forward with the compromise bill being offered today, I am confident we can do both.

[Page: S4726]

END