Union Calendar No. 149
106th CONGRESS
1st Session
H. R. 850
[Report No. 106-117, Parts I, II, III, IV, V]
A BILL
To amend title 18, United States Code, to affirm the rights of United States
persons to use and sell encryption and to relax export controls on encryption.
July 23, 1999
Reported from the Committee on Armed Services with
amendments
July 23, 1999
Reported from the Permanent Select Committee on Intelligence with an
amendment, committed to the Committee of the Whole House on the State of the
Union, and ordered to be printed
HR 850 RH
Union Calendar No. 149
106th CONGRESS
1st Session
H. R. 850
[Report No. 106-117, Parts I, II, III, IV, V]
To amend title 18, United States Code, to affirm the rights of United
States persons to use and sell encryption and to relax export controls on
encryption.
IN THE HOUSE OF REPRESENTATIVES
February 25, 1999
Mr. GOODLATTE (for himself, Ms. LOFGREN, Mr. ARMEY, Mr. DELAY, Mr. WATTS of
Oklahoma, Mr. DAVIS of Virginia, Mr. COX, Ms. PRYCE of Ohio, Mr. BLUNT, Mr.
GEPHARDT, Mr. BONIOR, Mr. FROST, Ms. DELAURO, Mr. LEWIS of Georgia, Mr.
GEJDENSON, Mr. SENSENBRENNER, Mr. GEKAS, Mr. COBLE, Mr. SMITH of Texas, Mr.
GALLEGLY, Mr. BRYANT, Mr. CHABOT, Mr. BARR of Georgia, Mr. HUTCHINSON, Mr.
PEASE, Mr. CANNON, Mr. ROGAN, Mrs. BONO, Mr. BACHUS, Mr. CONYERS, Mr. FRANK of
Massachusetts, Mr. BOUCHER, Mr. NADLER, Ms. JACKSON-LEE of Texas, Ms. WATERS,
Mr. MEEHAN, Mr. DELAHUNT, Mr. WEXLER, Mr. ACKERMAN, Mr. ANDREWS, Mr. ARCHER, Mr.
BALLENGER, Mr. BARCIA, Mr. BARRETT of Nebraska, Mr. BARRETT of Wisconsin, Mr.
BARTON of Texas, Mr. BILBRAY, Mr. BLUMENAUER, Mr. BOEHNER, Mr. BRADY of Texas,
Mr. BRADY of Pennsylvania, Ms. BROWN of Florida, Mr. BROWN of California, Mr.
BURR of North Carolina, Mr. BURTON of Indiana, Mr. CAMP, Mr. CAMPBELL, Mrs.
CAPPS, Mr. CHAMBLISS, Mrs. CHENOWETH, Mrs. CHRISTIAN-CHRISTENSEN, Mrs. CLAYTON,
Mr. CLEMENT, Mr. CLYBURN, Mr. COLLINS, Mr. COOK, Mr. COOKSEY, Mrs. CUBIN, Mr.
CUMMINGS, Mr. CUNNINGHAM, Mr. DAVIS of Illinois, Mr. DEAL of Georgia, Mr.
DEFAZIO, Mr. DEUTSCH, Mr. DICKEY, Mr. DOOLEY of California, Mr. DOOLITTLE, Mr.
DOYLE, Mr. DREIER, Mr. DUNCAN, Ms. DUNN, Mr. EHLERS, Mrs. EMERSON, Mr. ENGLISH,
Ms. ESHOO, Mr. EWING, Mr. FARR of California, Mr. FILNER, Mr. FORD, Mr.
FOSSELLA, Mr. FRANKS of New Jersey, Mr. GILLMOR, Mr. GOODE, Mr. GOODLING, Mr.
GORDON, Mr. GREEN of Texas, Mr. GUTKNECHT, Mr. HALL of Texas, Mr. HASTINGS of
Washington, Mr. HERGER, Mr. HILL of Montana, Mr. HOBSON, Mr. HOEKSTRA, Mr.
HOLDEN, Ms. HOOLEY of Oregon, Mr. HORN, Mr. HOUGHTON, Mr. INSLEE, Mr. ISTOOK,
Mr. JACKSON of Illinois, Mr. JEFFERSON, Ms. EDDIE BERNICE JOHNSON of Texas, Mrs.
JOHNSON of Connecticut, Mr. KANJORSKI, Mr. KASICH, Mrs. KELLY, Ms. KIKPATRICK,
Mr. KIND, Mr. KINGSTON, Mr. KNOLLENBERG, Mr. KOLBE, Mr. LAMPSON, Mr. LARGENT,
Mr. LATHAM, Ms. LEE, Mr. LEWIS of Kentucky, Mr. LINDER, Mr. LUCAS of Oklahoma,
Mr. LUTHER, Ms. MCCARTHY of Missouri, Mr. MCDERMOTT, Mr. MCGOVERN, Mr. MCINTOSH,
Mr. MALONEY of Connecticut, Mr. MANZULLO, Mr. MARKEY, Mr. MARTINEZ, Mr. MATSUI,
Mrs. MEEK of Florida, Mr. METCALF, Mr. MICA, Ms. MILLENDER-MCDONALD, Mr. GEORGE
MILLER of California, Mr. MOAKLEY, Mr. MORAN of Virginia, Mrs. MORELLA, Mrs.
MYRICK, Mrs. NAPOLITANO, Mr. NEAL of Massachusetts, Mr. NETHERCUTT, Mr. NORWOOD,
Mr. NUSSLE, Mr. OLVER, Mr. PACKARD, Mr. PALLONE, Mr. PASTOR, Mr. PETERSON of
Minnesota, Mr. PICKERING, Mr. POMBO, Mr. POMEROY, Mr. PRICE of North Carolina,
Mr. QUINN, Mr. RADANOVICH, Mr. RAHALL, Mr. RANGEL, Mr. REYNOLDS, Ms. RIVERS, Mr.
ROHRABACHER, Ms. ROS-LEHTINEN, Mr. RUSH, Mr. SALMON, Ms. SANCHEZ, Mr. SANDERS,
Mr. SANFORD, Mr. SCARBOROUGH, Mr. SCHAFFER, Mr. SESSIONS, Mr. SHAYS, Mr.
SHERMAN, Mr. SHIMKUS, Mr. SMITH of Washington, Mr. SMITH of New Jersey, Mr.
SOUDER, Ms. STABENOW, Mr. STARK, Mr. SUNUNU, Mr. TANNER, Mrs. TAUSCHER, Mr.
TAUZIN, Mr. TAYLOR of North Carolina, Mr. THOMAS, Mr. THOMPSON of Mississippi,
Mr. THUNE, Mr. TIAHRT, Mr. TIERNEY, Mr. UPTON, Mr. VENTO, Mr. WALSH, Mr. WAMP,
Mr. WATKINS, Mr. WELLER, Mr. WHITFIELD, Mr. WICKER, Ms. WOOLSEY, and Mr. WU)
introduced the following bill; which was referred to the Committee on the
Judiciary, and in addition to the Committee on International Relations, for a
period to be subsequently determined by the Speaker, in each case for
consideration of such provisions as fall within the jurisdiction of the
committee concerned
April 27, 1999
Reported from the Committee on the Judiciary
April 27, 1999
Referral to the Committee on International Relations extended for a period
ending not later than July 2, 1999
April 27, 1999
Referred to the Committees on Armed Services and Commerce and the Permanent
Select Committee on Intelligence for a period ending not later than July 2, 1999
July 2, 1999
Reported from the Committee on Commerce with an amendment
[Strike out all after the enacting clause and insert the part printed in
italic]
July 2, 1999
Referral to the Committee on International Relations extended for a period
ending not later than July 16, 1999
July 2, 1999
Referral to the Committee on Armed Services and the Permanent Select
Committee on Intelligence extended for a period ending not later than July 23,
1999
July 16, 1999
Referral to the Committee on International Relations extended for a period
ending not later than July 19, 1999
July 19, 1999
Reported from the Committee on International Relations with an amendment
[Strike out all after the enacting clause and insert the part printed in
boldface roman]
July 23, 1999
Reported from the Committee on Armed Services with amendments
[Strike out all after the enacting clause and insert the part printed in
italic and bold brackets]
July 23, 1999
Additional sponsors: Mr. HALL of Ohio, Mr. FORBES, Mr. HOLT, Mr. GIBBONS, Mr.
CALVERT, Ms. SLAUGHTER, Mr. BONILLA, Mr. DIAZ-BALART, Mr. ENGEL, Mr. HILLIARD,
Mr. KING, Mr. LAHOOD, Ms. MCKINNEY, Mr. NEY, Mrs. NORTHUP, Mr. RILEY, Mr.
SERRANO, Mr. STENHOLM, Mr. TANCREDO, Mr. HANSEN, Mr. MORAN of Kansas, Mr. SAM
JOHNSON of Texas, Mr. HILLEARY, Mr. GARY MILLER of California, Ms. NORTON, Mr.
SWEENEY, Mr. BAKER, Mr. CRANE, Mr. MCINNIS, Mr. WELDON of Florida, Mr. WISE, Mr.
OSE, Mr. BALDACCI, Mr. MINGE, Mr. UNDERWOOD, Mr. DEMINT, Mr. WALDEN of Oregon,
Mr. HAYES, Mr. FOLEY, Mr. TERRY, Mr. SHOWS, Mr. RYAN of Wisconsin, Mr.
ETHERIDGE, Mr. WATT of North Carolina, Mr. CROWLEY, Mr. UDALL of Colorado, Mr.
HOEFFEL, Mr. FLETCHER, Mr. BAIRD, Mr. TALENT, Mr. KENNEDY of Rhode Island, Mr.
UDALL of New Mexico, Mr. SAWYER, Mr. MENENDEZ, and Mr. Hinchey
Deleted sponsors: Mr. HOLDEN (added February 25, 1999; deleted April 21,
1999), and Mr. HASTINGS of Florida (added March 16, 1999; deleted June 10, 1999)
July 23, 1999
Reported from the Permanent Select Committee on Intelligence with an
amendment, committed to the Committee of the Whole House on the State of the
Union, and ordered to be printed
[Strike out all after the enacting clause and insert the part printed in
boldface italic]
A BILL
To amend title 18, United States Code, to affirm the rights of United
States persons to use and sell encryption and to relax export controls on
encryption.
Be it enacted by the Senate and House of Representatives of the United
States of America in Congress assembled,
[Struck out->] SECTION 1. SHORT TITLE.
[<-Struck
out]
[Struck out->] This Act may be cited as the `Security And Freedom
through Encryption (SAFE) Act'.
[<-Struck out]
[Struck out->] SEC. 2. SALE AND USE OF ENCRYPTION.
[<-Struck out]
[Struck out->] (a) IN GENERAL- Part I of title 18, United States
Code, is amended by inserting after chapter 123 the following new chapter:
[<-Struck out]
[Struck out->] `CHAPTER 125--ENCRYPTED WIRE AND ELECTRONIC
INFORMATION
[<-Struck out]
[Struck out->] `Sec.
[<-Struck out]
[Struck out->] `2801. Definitions.
[<-Struck
out]
[Struck out->] `2802. Freedom to use encryption.
[<-Struck out]
[Struck out->] `2803. Freedom to sell encryption.
[<-Struck out]
[Struck out->] `2804. Prohibition on mandatory key escrow.
[<-Struck out]
[Struck out->] `2805. Unlawful use of encryption in furtherance
of a criminal act.
[<-Struck out]
[Struck out->] `Sec. 2801. Definitions
[<-Struck
out]
[Struck out->] `As used in this chapter--
[<-Struck
out]
[Struck out->] `(1) the terms `person', `State', `wire
communication', `electronic communication', `investigative or law
enforcement officer', and `judge of competent jurisdiction' have the
meanings given those terms in section 2510 of this title;
[<-Struck out]
[Struck out->] `(2) the term `decrypt' means to retransform or
unscramble encrypted data, including communications, to its readable form;
[<-Struck out]
[Struck out->] `(3) the terms `encrypt', `encrypted', and
`encryption' mean the scrambling of wire communications, electronic
communications, or electronically stored information, using mathematical
formulas or algorithms in order to preserve the confidentiality, integrity,
or authenticity of, and prevent unauthorized recipients from accessing or
altering, such communications or information;
[<-Struck out]
[Struck out->] `(4) the term `key' means the variable
information used in a mathematical formula, code, or algorithm, or any
component thereof, used to decrypt wire communications, electronic
communications, or electronically stored information, that has been
encrypted; and
[<-Struck out]
[Struck out->] `(5) the term `key recovery information' means
information that would enable obtaining the key of a user of encryption;
[<-Struck out]
[Struck out->] `(6) the term `plaintext access capability'
means any method or mechanism which would provide information in readable
form prior to its being encrypted or after it has been decrypted;
[<-Struck out]
[Struck out->] `(7) the term `United States person' means--
[<-Struck out]
[Struck out->] `(A) any United States citizen;
[<-Struck out]
[Struck out->] `(B) any other person organized under the laws
of any State, the District of Columbia, or any commonwealth, territory, or
possession of the United States; and
[<-Struck out]
[Struck out->] `(C) any person organized under the laws of
any foreign country who is owned or controlled by individuals or persons
described in subparagraphs (A) and (B).
[<-Struck out]
[Struck out->] `Sec. 2802. Freedom to use encryption
[<-Struck out]
[Struck out->] `Subject to section 2805, it shall be lawful for
any person within any State, and for any United States person in a foreign
country, to use any encryption, regardless of the encryption algorithm
selected, encryption key length chosen, or implementation technique or medium
used.
[<-Struck out]
[Struck out->] `Sec. 2803. Freedom to sell encryption
[<-Struck out]
[Struck out->] `Subject to section 2805, it shall be lawful for
any person within any State to sell in interstate commerce any encryption,
regardless of the encryption algorithm selected, encryption key length chosen,
or implementation technique or medium used.
[<-Struck out]
[Struck out->] `Sec. 2804. Prohibition on mandatory key escrow
[<-Struck out]
[Struck out->] `(a) GENERAL PROHIBITION- Neither the Federal
Government nor a State may require that, or condition any approval on a
requirement that, a key, access to a key, key recovery information, or any
other plaintext access capability be--
[<-Struck out]
[Struck out->] `(1) built into computer hardware or software
for any purpose;
[<-Struck out]
[Struck out->] `(2) given to any other person, including a
Federal Government agency or an entity in the private sector that may be
certified or approved by the Federal Government or a State to receive it; or
[<-Struck out]
[Struck out->] `(3) retained by the owner or user of an
encryption key or any other person, other than for encryption products for
use by the Federal Government or a State.
[<-Struck out]
[Struck out->] `(b) PROHIBITION ON LINKAGE OF DIFFERENT USES OF
ENCRYPTION- Neither the Federal Government nor a State may--
[<-Struck out]
[Struck out->] `(1) require the use of encryption products,
standards, or services used for confidentiality purposes, as a condition of
the use of such products, standards, or services for authenticity or
integrity purposes; or
[<-Struck out]
[Struck out->] `(2) require the use of encryption products,
standards, or services used for authenticity or integrity purposes, as a
condition of the use of such products, standards, or services for
confidentiality purposes.
[<-Struck out]
[Struck out->] `(c) EXCEPTION FOR ACCESS FOR LAW ENFORCEMENT
PURPOSES- Subsection (a) shall not affect the authority of any investigative
or law enforcement officer, or any member of the intelligence community as
defined in section 3 of the National Security Act of 1947 (50 U.S.C. 401a),
acting under any law in effect on the effective date of this chapter, to gain
access to encrypted communications or information.
[<-Struck out]
[Struck out->] `Sec. 2805. Unlawful use of encryption in
furtherance of a criminal act
[<-Struck out]
[Struck out->] `(a) ENCRYPTION OF INCRIMINATING COMMUNICATIONS OR
INFORMATION UNLAWFUL- Any person who, in the commission of a felony under a
criminal statute of the United States, knowingly and willfully encrypts
incriminating communications or information relating to that felony with the
intent to conceal such communications or information for the purpose of
avoiding detection by law enforcement agencies or prosecution--
[<-Struck out]
[Struck out->] `(1) in the case of a first offense under this
section, shall be imprisoned for not more than 5 years, or fined in the
amount set forth in this title, or both; and
[<-Struck out]
[Struck out->] `(2) in the case of a second or subsequent
offense under this section, shall be imprisoned for not more than 10 years,
or fined in the amount set forth in this title, or both.
[<-Struck
out]
[Struck out->] `(b) USE OF ENCRYPTION NOT A BASIS FOR PROBABLE
CAUSE- The use of encryption by any person shall not be the sole basis for
establishing probable cause with respect to a criminal offense or a search
warrant.'.
[<-Struck out]
[Struck out->] (b) CONFORMING AMENDMENT- The table of chapters
for part I of title 18, United States Code, is amended by inserting after the
item relating to chapter 123 the following new item:
[<-Struck
out]
[Struck out->] 2801'.
[<-Struck out]
[Struck out->] SEC. 3. EXPORTS OF ENCRYPTION.
[<-Struck
out]
[Struck out->] (a) AMENDMENT TO EXPORT ADMINISTRATION ACT OF
1979- Section 17 of the Export Administration Act of 1979 (50 U.S.C. App.
2416) is amended by adding at the end thereof the following new subsection:
[<-Struck out]
[Struck out->] `(g) CERTAIN CONSUMER PRODUCTS, COMPUTERS, AND
RELATED EQUIPMENT-
[<-Struck out]
[Struck out->] `(1) GENERAL RULE- Subject to paragraphs (2) and
(3), the Secretary shall have exclusive authority to control exports of all
computer hardware, software, computing devices, customer premises equipment,
communications network equipment, and technology for information security
(including encryption), except that which is specifically designed or
modified for military use, including command, control, and intelligence
applications.
[<-Struck out]
[Struck out->] `(2) ITEMS NOT REQUIRING LICENSES- After a
one-time, 15-day technical review by the Secretary, no export license may be
required, except pursuant to the Trading with the enemy Act or the
International Emergency Economic Powers Act (but only to the extent that the
authority of such Act is not exercised to extend controls imposed under this
Act), for the export or reexport of--
[<-Struck out]
[Struck out->] `(A) any computer hardware or software or
computing device, including computer hardware or software or computing
devices with encryption capabilities--
[<-Struck out]
[Struck out->] `(i) that is generally available;
[<-Struck out]
[Struck out->] `(ii) that is in the public domain for which
copyright or other protection is not available under title 17, United
States Code, or that is available to the public because it is generally
accessible to the interested public in any form; or
[<-Struck
out]
[Struck out->] `(iii) that is used in a commercial,
off-the-shelf, consumer product or any component or subassembly designed
for use in such a consumer product available within the United States or
abroad which--
[<-Struck out]
[Struck out->] `(I) includes encryption capabilities
which are inaccessible to the end user; and
[<-Struck
out]
[Struck out->] `(II) is not designed for military or
intelligence end use;
[<-Struck out]
[Struck out->] `(B) any computing device solely because it
incorporates or employs in any form--
[<-Struck out]
[Struck out->] `(i) computer hardware or software
(including computer hardware or software with encryption capabilities)
that is exempted from any requirement for a license under subparagraph
(A); or
[<-Struck out]
[Struck out->] `(ii) computer hardware or software that is
no more technically complex in its encryption capabilities than computer
hardware or software that is exempted from any requirement for a license
under subparagraph (A) but is not designed for installation by the
purchaser;
[<-Struck out]
[Struck out->] `(C) any computer hardware or software or
computing device solely on the basis that it incorporates or employs in
any form interface mechanisms for interaction with other computer hardware
or software or computing devices, including computer hardware and software
and computing devices with encryption capabilities;
[<-Struck
out]
[Struck out->] `(D) any computing or telecommunication device
which incorporates or employs in any form computer hardware or software
encryption capabilities which--
[<-Struck out]
[Struck out->] `(i) are not directly available to the end
user; or
[<-Struck out]
[Struck out->] `(ii) limit the encryption to be
point-to-point from the user to a central communications point or link
and does not enable end-to-end user encryption;
[<-Struck
out]
[Struck out->] `(E) technical assistance and technical data
used for the installation or maintenance of computer hardware or software
or computing devices with encryption capabilities covered under this
subsection; or
[<-Struck out]
[Struck out->] `(F) any encryption hardware or software or
computing device not used for confidentiality purposes, such as
authentication, integrity, electronic signatures, nonrepudiation, or copy
protection.
[<-Struck out]
[Struck out->] `(3) COMPUTER HARDWARE OR SOFTWARE OR COMPUTING
DEVICES WITH ENCRYPTION CAPABILITIES- After a one-time, 15-day technical
review by the Secretary, the Secretary shall authorize the export or
reexport of computer hardware or software or computing devices with
encryption capabilities for nonmilitary end uses in any country--
[<-Struck out]
[Struck out->] `(A) to which exports of computer hardware or
software or computing devices of comparable strength are permitted for use
by financial institutions not controlled in fact by United States persons,
unless there is substantial evidence that such computer hardware or
software or computing devices will be--
[<-Struck out]
[Struck out->] `(i) diverted to a military end use or an
end use supporting international terrorism;
[<-Struck
out]
[Struck out->] `(ii) modified for military or terrorist end
use; or
[<-Struck out]
[Struck out->] `(iii) reexported without any authorization
by the United States that may be required under this Act; or
[<-Struck out]
[Struck out->] `(B) if the Secretary determines that a
computer hardware or software or computing device offering comparable
security is commercially available outside the United States from a
foreign supplier, without effective restrictions.
[<-Struck
out]
[Struck out->] `(4) DEFINITIONS- As used in this subsection--
[<-Struck out]
[Struck out->] `(A)(i) the term `encryption' means the
scrambling of wire communications, electronic communications, or
electronically stored information, using mathematical formulas or
algorithms in order to preserve the confidentiality, integrity, or
authenticity of, and prevent unauthorized recipients from accessing or
altering, such communications or information;
[<-Struck
out]
[Struck out->] `(ii) the terms `wire communication' and
`electronic communication' have the meanings given those terms in section
2510 of title 18, United States Code;
[<-Struck out]
[Struck out->] `(B) the term `generally available' means, in
the case of computer hardware or computer software (including computer
hardware or computer software with encryption capabilities)--
[<-Struck out]
[Struck out->] `(i) computer hardware or computer software
that is--
[<-Struck out]
[Struck out->] `(I) distributed through the Internet;
[<-Struck out]
[Struck out->] `(II) offered for sale, license, or
transfer to any person without restriction, whether or not for
consideration, including, but not limited to, over-the-counter retail
sales, mail order transactions, phone order transactions, electronic
distribution, or sale on approval;
[<-Struck
out]
[Struck out->] `(III) preloaded on computer hardware or
computing devices that are widely available for sale to the public; or
[<-Struck out]
[Struck out->] `(IV) assembled from computer hardware or
computer software components that are widely available for sale to the
public;
[<-Struck out]
[Struck out->] `(ii) not designed, developed, or tailored
by the manufacturer for specific purchasers or users, except that any
such purchaser or user may--
[<-Struck out]
[Struck out->] `(I) supply certain installation
parameters needed by the computer hardware or software to function
properly with the computer system of the user or purchaser; or
[<-Struck out]
[Struck out->] `(II) select from among options contained
in the computer hardware or computer software; and
[<-Struck
out]
[Struck out->] `(iii) with respect to which the
manufacturer of that computer hardware or computer software--
[<-Struck out]
[Struck out->] `(I) intended for the user or purchaser,
including any licensee or transferee, to install the computer hardware
or software and has supplied the necessary instructions to do so,
except that the manufacturer of the computer hardware or software, or
any agent of such manufacturer, may also provide telephone or
electronic mail help line services for installation, electronic
transmission, or basic operations; and
[<-Struck
out]
[Struck out->] `(II) the computer hardware or software is
designed for such installation by the user or purchaser without
further substantial support by the manufacturer;
[<-Struck
out]
[Struck out->] `(C) the term `computing device' means a
device which incorporates one or more microprocessor-based central
processing units that can accept, store, process, or provide output of
data;
[<-Struck out]
[Struck out->] `(D) the term `computer hardware' includes,
but is not limited to, computer systems, equipment, application-specific
assemblies, smart cards, modules, integrated circuits, and printed circuit
board assemblies;
[<-Struck out]
[Struck out->] `(E) the term `customer premises equipment'
means equipment employed on the premises of a person to originate, route,
or terminate communications;
[<-Struck out]
[Struck out->] `(F) the term `technical assistance' includes
instruction, skills training, working knowledge, consulting services, and
the transfer of technical data;
[<-Struck out]
[Struck out->] `(G) the term `technical data' includes
blueprints, plans, diagrams, models, formulas, tables, engineering designs
and specifications, and manuals and instructions written or recorded on
other media or devices such as disks, tapes, or read-only memories; and
[<-Struck out]
[Struck out->] `(H) the term `technical review' means a
review by the Secretary of computer hardware or software or computing
devices with encryption capabilities, based on information about the
product's encryption capabilities supplied by the manufacturer, that the
computer hardware or software or computing device works as represented.'.
[<-Struck out]
[Struck out->] (b) NO REINSTATEMENT OF EXPORT CONTROLS ON
PREVIOUSLY DECONTROLLED PRODUCTS- Any encryption product not requiring an
export license as of the date of enactment of this Act, as a result of
administrative decision or rulemaking, shall not require an export license on
or after such date of enactment.
[<-Struck out]
[Struck out->] (c) APPLICABILITY OF CERTAIN EXPORT CONTROLS-
[<-Struck out]
[Struck out->] (1) IN GENERAL- Nothing in this Act shall limit
the authority of the President under the International Emergency Economic
Powers Act, the Trading with the enemy Act, or the Export Administration Act
of 1979, to--
[<-Struck out]
[Struck out->] (A) prohibit the export of encryption products
to countries that have been determined to repeatedly provide support for
acts of international terrorism; or
[<-Struck out]
[Struck out->] (B) impose an embargo on exports to, and
imports from, a specific country.
[<-Struck out]
[Struck out->] (2) SPECIFIC DENIALS- The Secretary may prohibit
the export of specific encryption products to an individual or organization
in a specific foreign country identified by the Secretary, if the Secretary
determines that there is substantial evidence that such encryption products
will be used for military or terrorist end-use.
[<-Struck
out]
[Struck out->] (3) DEFINITION- As used in this subsection and
subsection (b), the term `encryption' has the meaning given that term in
section 17(g)(5)(A) of the Export Administration Act of 1979, as added by
subsection (a) of this section.
[<-Struck out]
[Struck out->] (d) CONTINUATION OF EXPORT ADMINISTRATION ACT- For
purposes of carrying out the amendment made by subsection (a), the Export
Administration Act of 1979 shall be deemed to be in effect.
[<-Struck out]
[Struck out->] SEC. 4. EFFECT ON LAW ENFORCEMENT ACTIVITIES.
[<-Struck out]
[Struck out->] (a) COLLECTION OF INFORMATION BY ATTORNEY GENERAL-
The Attorney General shall compile, and maintain in classified form, data on
the instances in which encryption (as defined in section 2801 of title 18,
United States Code) has interfered with, impeded, or obstructed the ability of
the Department of Justice to enforce the criminal laws of the United States.
[<-Struck out]
[Struck out->] (b) AVAILABILITY OF INFORMATION TO THE CONGRESS-
The information compiled under subsection (a), including an unclassified
summary thereof, shall be made available, upon request, to any Member of
Congress.
[<-Struck out]
SECTION 1. SHORT TITLE.
This Act may be cited as the `Security And Freedom through Encryption
(SAFE) Act'.
SEC. 2. DEFINITIONS.
For purposes of this Act, the following definitions shall
apply:
(1) COMPUTER HARDWARE- The term `computer hardware' includes
computer systems, equipment, application-specific assemblies, smart cards,
modules, integrated circuits, printed circuit board assemblies, and devices
that incorporate 1 or more microprocessor-based central processing units
that are capable of accepting, storing, processing, or providing output of
data.
(2) ENCRYPT AND ENCRYPTION- The terms `encrypt' and `encryption'
means the scrambling (and descrambling) of wire communications, electronic
communications, or electronically stored information, using mathematical
formulas or algorithms to preserve the confidentiality, integrity, or
authenticity of, and prevent unauthorized recipients from accessing or
altering, such communications or information.
(3) ENCRYPTION PRODUCT- The term `encryption product'--
(A) means computer hardware, computer software, or technology with
encryption capabilities; and
(B) includes any subsequent version of or update to an encryption
product, if the encryption capabilities are not changed.
(4) KEY- The term `key' means the variable information used in a
mathematical formula, code, or algorithm, or any component thereof, used to
decrypt wire communications, electronic communications, or electronically
stored information, that has been encrypted.
(5) KEY RECOVERY INFORMATION- The term `key recovery information'
means information that would enable obtaining the key of a user of
encryption.
(6) PERSON- The term `person' has the meaning given the term in
section 2510 of title 18, United States Code.
(7) SECRETARY- The term `Secretary' means the Secretary of
Commerce.
(8) STATE- The term `State' means any State of the United States and
includes the District of Columbia and any commonwealth, territory, or
possessions of the United States.
(9) UNITED STATES PERSON- The term `United States person' means
any--
(A) United States citizen; or
(i) is organized under the laws of the United States, or any
States, the District of Columbia, or any commonwealth, territory, or
possession of the United States; and
(ii) has its principal place of business in the United
States.
(10) WIRE COMMUNICATION; ELECTRONIC COMMUNICATION- The terms `wire
communication' and `electronic communication' have the meanings given such
terms in section 2510 of title 18, United States Code.
SEC. 3. ENSURING DEVELOPMENT AND DEPLOYMENT OF ENCRYPTION IS A VOLUNTARY
PRIVATE SECTOR ACTIVITY.
(a) STATEMENT OF POLICY- It is the policy of the United States that
the use, development, manufacture, sale, distribution, and importation of
encryption products, standards, and services for purposes of assuring the
confidentiality, authenticity, or integrity of electronic information shall be
voluntary and market driven.
(b) LIMITATION ON REGULATION- Neither the Federal Government nor a
State may establish any conditions, ties, or links between encryption
products, standards, and services used for confidentiality, and those used for
authenticity or integrity purposes.
SEC. 4. PROTECTION OF DOMESTIC SALE AND USE OF ENCRYPTION.
Except as otherwise provided by this Act, it is lawful for any person
within any State, and for any United States person in a foreign country, to
develop, manufacture, sell, distribute, import, or use any encryption product,
regardless of the encryption algorithm selected, encryption key length chosen,
existence of key recovery, or other plaintext access capability, or
implementation or medium used.
SEC. 5. PROHIBITION ON MANDATORY GOVERNMENT ACCESS TO
PLAINTEXT.
(a) IN GENERAL- No department, agency, or instrumentality of the
United States or of any State may require that, set standards for, condition
any approval on, create incentives for, or tie any benefit to a requirement
that, a decryption key, access to a key, key recovery information, or any
other plaintext access capability be--
(1) required to be built into computer hardware or software for any
purpose;
(2) given to any other person (including a department, agency, or
instrumentality of the United States or an entity in the private sector that
may be certified or approved by the United States or a State); or
(3) retained by the owner or user of an encryption key or any other
person, other than for encryption products for the use of the United States
Government or a State government.
(b) PROTECTION OF EXISTING ACCESS- Subsection (a) does not affect the
authority of any investigative or law enforcement officer, or any member of
the intelligence community (as defined in section 3 of the National Security
Act of 1947 (50 U.S.C. 401a)), acting under any law in effect on the date of
the enactment of this Act, to gain access to encrypted communications or
information.
SEC. 6. UNLAWFUL USE OF ENCRYPTION IN FURTHERANCE OF A CRIMINAL
ACT.
(a) ENCRYPTION OF INCRIMINATING COMMUNICATIONS OR INFORMATION
UNLAWFUL- Any person who, in the commission of a felony under a criminal
statute of the United States, knowingly and willfully encrypts incriminating
communications or information relating to that felony with the intent to
conceal such communications or information for the purpose of avoiding
detection by law enforcement agencies or prosecution--
(1) in the case of a first offense under this section, shall be
imprisoned for not more than 5 years, or fined under title 18, United States
Code, or both; and
(2) in the case of a second or subsequent offense under this
section, shall be imprisoned for not more than 10 years, or fined under
title 18, United States Code, or both.
(b) USE OF ENCRYPTION NOT A BASIS FOR PROBABLE CAUSE- The use of
encryption by any person shall not be the sole basis for establishing probable
cause with respect to a criminal offense or a search warrant.
SEC. 7. EXPORTS OF ENCRYPTION.
(a) AMENDMENT TO EXPORT ADMINISTRATION ACT OF 1979- Section 17 of the
Export Administration Act of 1979 (50 U.S.C. App. 2416) is amended by adding
at the end the following new subsection:
`(g) CERTAIN CONSUMER PRODUCTS, COMPUTERS, AND RELATED EQUIPMENT-
`(1) GENERAL RULE- Subject to paragraphs (2), (3), and (4), the
Secretary shall have exclusive authority to control exports of all computer
hardware, software, computing devices, customer premises equipment,
communications network equipment, and technology for information security
(including encryption), except that which is specifically designed or
modified for military use, including command, control, and intelligence
applications.
`(2) CRITICAL INFRASTRUCTURE PROTECTION PRODUCTS-
`(A) IDENTIFICATION- Not later than 90 days after the date of the
enactment of the Security And Freedom through Encryption (SAFE) Act, the
Assistant Secretary of Commerce for Communications and Information and the
National Telecommunications and Information Administration shall issue
regulations that identify, define, or determine which products and
equipment described in paragraph (1) are designed for improvement of
network security, network reliability, or data security.
`(B) NTIA RESPONSIBILITY- Not later than the expiration of the
2-year period beginning on the date of the enactment of the Security And
Freedom through Encryption (SAFE) Act, all authority of the Secretary
under this subsection and all determinations and reviews required by this
section, with respect to products and equipment described in paragraph (1)
that are designed for improvement of network security, network
reliability, or data security through the use of encryption, shall be
exercised through and made by the Assistant Secretary of Commerce for
Communications and Information and the National Telecommunications and
Information Administration. The Secretary may, at any time, assign to the
Assistant Secretary and the NTIA authority of the Secretary under this
section with respect to other products and equipment described in
paragraph (1).
`(3) ITEMS NOT REQUIRING LICENSES- After a one-time technical review
by the Secretary of not more than 30 working days, which shall include
consultation with the Secretary of Defense, the Secretary of State, the
Attorney General, and the Director of Central Intelligence, no export
license may be required, except pursuant to the Trading with the Enemy Act
or the International Emergency Economic Powers Act (but only to the extent
that the authority of such Act is not exercised to extend controls imposed
under this Act), for the export or reexport of--
`(A) any computer hardware or software or computing device,
including computer hardware or software or computing devices with
encryption capabilities--
`(i) that is generally available;
`(ii) that is in the public domain for which copyright or other
protection is not available under title 17, United States Code, or that
is available to the public because it is generally accessible to the
interested public in any form; or
`(iii) that is used in a commercial, off-the-shelf, consumer
product or any component or subassembly designed for use in such a
consumer product available within the United States or abroad
which--
`(I) includes encryption capabilities which are inaccessible
to the end user; and
`(II) is not designed for military or intelligence end
use;
`(B) any computing device solely because it incorporates or
employs in any form--
`(i) computer hardware or software (including computer hardware
or software with encryption capabilities) that is exempted from any
requirement for a license under subparagraph (A); or
`(ii) computer hardware or software that is no more technically
complex in its encryption capabilities than computer hardware or
software that is exempted from any requirement for a license under
subparagraph (A) but is not designed for installation by the
purchaser;
`(C) any computer hardware or software or computing device solely
on the basis that it incorporates or employs in any form interface
mechanisms for interaction with other computer hardware or software or
computing devices, including computer hardware and software and computing
devices with encryption capabilities;
`(D) any computing or telecommunication device which incorporates
or employs in any form computer hardware or software encryption
capabilities which--
`(i) are not directly available to the end user;
or
`(ii) limit the encryption to be point-to-point from the user to
a central communications point or link and does not enable end-to-end
user encryption;
`(E) technical assistance and technical data used for the
installation or maintenance of computer hardware or software or computing
devices with encryption capabilities covered under this subsection;
or
`(F) any encryption hardware or software or computing device not
used for confidentiality purposes, such as authentication, integrity,
electronic signatures, nonrepudiation, or copy protection.
`(4) COMPUTER HARDWARE OR SOFTWARE OR COMPUTING DEVICES WITH
ENCRYPTION CAPABILITIES- After a one-time technical review by the Secretary
of not more than 30 working days, which shall include consultation with the
Secretary of Defense, the Secretary of State, the Attorney General, and the
Director of Central Intelligence, the Secretary shall authorize the export
or reexport of computer hardware or software or computing devices with
encryption capabilities for nonmilitary end uses in any country--
`(A) to which exports of computer hardware or software or
computing devices of comparable strength are permitted for use by
financial institutions not controlled in fact by United States persons,
unless there is substantial evidence that such computer hardware or
software or computing devices will be--
`(i) diverted to a military end use or an end use supporting
international terrorism;
`(ii) modified for military or terrorist end
use;
`(iii) reexported without any authorization by the United States
that may be required under this Act; or
`(iv)(I) harmful to the national security of the United States,
including capabilities of the United States in fighting drug
trafficking, terrorism, or espionage, (II) used in illegal activities
involving the sexual exploitation of, abuse of, or sexually explicit
conduct with minors (including activities in violation of chapter 110 of
title 18, United States Code, and section 2423 of such title), or (III)
used in illegal activities involving organized crime;
or
`(B) if the Secretary determines that a computer hardware or
software or computing device offering comparable security is commercially
available in such country from a foreign supplier, without effective
restrictions.
`(5) DEFINITIONS- For purposes of this subsection--
`(A) the term `computer hardware' has the meaning given such term
in section 2 of the Security And Freedom through Encryption (SAFE)
Act;
`(B) the term `computing device' means a device which incorporates
one or more microprocessor-based central processing units that can accept,
store, process, or provide output of data;
`(C) the term `customer premises equipment' means equipment
employed on the premises of a person to originate, route, or terminate
communications;
`(D) the term `data security' means the protection, through
techniques used by individual computer and communications users, of data
from unauthorized penetration, manipulation, or disclosure;
`(E) the term `encryption' has the meaning given such term in
section 2 of the Security And Freedom through Encryption (SAFE)
Act;
`(F) the term `generally available' means, in the case of computer
hardware or computer software (including computer hardware or computer
software with encryption capabilities)--
`(i) computer hardware or computer software that
is--
`(I) distributed through the Internet;
`(II) offered for sale, license, or transfer to any person
without restriction, whether or not for consideration, including, but
not limited to, over-the-counter retail sales, mail order
transactions, phone order transactions, electronic distribution, or
sale on approval;
`(III) preloaded on computer hardware or computing devices
that are widely available for sale to the public;
or
`(IV) assembled from computer hardware or computer software
components that are widely available for sale to the
public;
`(ii) not designed, developed, or tailored by the manufacturer
for specific purchasers or users, except that any such purchaser or user
may--
`(I) supply certain installation parameters needed by the
computer hardware or software to function properly with the computer
system of the user or purchaser; or
`(II) select from among options contained in the computer
hardware or computer software; and
`(iii) with respect to which the manufacturer of that computer
hardware or computer software--
`(I) intended for the user or purchaser, including any
licensee or transferee, to install the computer hardware or software
and has supplied the necessary instructions to do so, except that the
manufacturer of the computer hardware or software, or any agent of
such manufacturer, may also provide telephone or electronic mail help
line services for installation, electronic transmission, or basic
operations; and
`(II) the computer hardware or software is designed for such
installation by the user or purchaser without further substantial
support by the manufacturer;
`(G) the term `network reliability' means the prevention, through
techniques used by providers of computer and communications services, of
the malfunction, and the promotion of the continued operations, of
computer or communications network;
`(H) the term `network security' means the prevention, through
techniques used by providers of computer and communications services, of
unauthorized penetration, manipulation, or disclosure of information of a
computer or communications network;
`(I) the term `technical assistance' includes instruction, skills
training, working knowledge, consulting services, and the transfer of
technical data;
`(J) the term `technical data' includes blueprints, plans,
diagrams, models, formulas, tables, engineering designs and
specifications, and manuals and instructions written or recorded on other
media or devices such as disks, tapes, or read-only memories;
and
`(K) the term `technical review' means a review by the Secretary
of computer hardware or software or computing devices with encryption
capabilities, based on information about the product's encryption
capabilities supplied by the manufacturer, that the computer hardware or
software or computing device works as represented.'.
(b) TRANSFER OF AUTHORITY TO NATIONAL TELECOMMUNICATIONS AND
INFORMATION ADMINISTRATION- Section 103(b) of the National Telecommunications
and Information Administration Organization Act (47 U.S.C. 902(b)) is amended
by adding at the end the following new paragraph:
`(4) EXPORT OF COMMUNICATIONS TRANSACTION TECHNOLOGIES- In
accordance with section 17(g)(2) of the Export Administration Act of 1979
(50 U.S.C. App. 2416(g)(2)), the Secretary shall assign to the Assistant
Secretary and the NTIA the authority of the Secretary under such section
17(g), with respect to products and equipment described in paragraph (1) of
such section that are designed for improvement of network security, network
reliability, or data security, that (after the expiration of the 2-year
period beginning on the date of the enactment of the Security And Freedom
through Encryption (SAFE) Act) is to be exercised by the Assistant Secretary
and the NTIA.'.
(c) NO REINSTATEMENT OF EXPORT CONTROLS ON PREVIOUSLY DECONTROLLED
PRODUCTS- Any encryption product not requiring an export license as of the
date of enactment of this Act, as a result of administrative decision or
rulemaking, shall not require an export license on or after such date of
enactment.
(d) APPLICABILITY OF CERTAIN EXPORT CONTROLS-
(1) IN GENERAL- Nothing in this Act shall limit the authority of the
President under the International Emergency Economic Powers Act, the Trading
with the Enemy Act, or the Export Administration Act of 1979,
to--
(A) prohibit the export of encryption products to countries that
have been determined to repeatedly provide support for acts of
international terrorism; or
(B) impose an embargo on exports to, and imports from, a specific
country.
(2) SPECIFIC DENIALS- The Secretary of Commerce may prohibit the
export of specific encryption products to an individual or organization in a
specific foreign country identified by the Secretary, if the Secretary
determines that there is substantial evidence that such encryption products
will be--
(A) used for military or terrorist end-use or modified for
military or terrorist end use;
(B) harmful to United States national security, including United
States capabilities in fighting drug trafficking, terrorism, or
espionage;
(C) used in illegal activities involving the sexual exploitation
of, abuse of, or sexually explicit conduct with minors (including
activities in violation of chapter 110 of title 18, United States Code,
and section 2423 of such title); or
(D) used in illegal activities involving organized
crime.
(3) OTHER EXPORT CONTROLS- An encryption product is subject to any
export control imposed on that product for any reason other than the
existence of encryption capability. Nothing in this Act or the amendments
made by this Act alters the ability of the Secretary of Commerce to control
exports of products for reasons other than encryption.
(e) CONTINUATION OF EXPORT ADMINISTRATION ACT- For purposes of
carrying out the amendment made by subsection (a), the Export Administration
Act of 1979 shall be deemed to be in effect.
SEC. 8. GOVERNMENT PROCUREMENT OF ENCRYPTION PRODUCTS.
(a) STATEMENT OF POLICY- It is the policy of the United
States--
(1) to permit the public to interact with government through
commercial networks and infrastructure; and
(2) to protect the privacy and security of any electronic
communication from, or stored information obtained from, the
public.
(b) PURCHASE OF ENCRYPTION PRODUCTS BY FEDERAL GOVERNMENT- Any
department, agency, or instrumentality of the United States may purchase
encryption products for internal use by officers and employees of the United
States to the extent and in the manner authorized by law.
(c) PROHIBITION OF REQUIREMENT FOR CITIZENS TO PURCHASE SPECIFIED
PRODUCTS- No department, agency, or instrumentality of the United States, nor
any department, agency, or political subdivision of a State, may require any
person in the private sector to use any particular encryption product or
methodology, including products with a decryption key, access to a key, key
recovery information, or any other plaintext access capability, to communicate
with, or transact business with, the government.
SEC. 9. NATIONAL ELECTRONIC TECHNOLOGIES CENTER.
Part A of the National Telecommunications and Information
Administration Organization Act is amended by inserting after section 105 (47
U.S.C. 904) the following new section:
`SEC. 106. NATIONAL ELECTRONIC TECHNOLOGIES CENTER.
`(a) ESTABLISHMENT- There is established in the NTIA a National
Electronic Technologies Center (in this section referred to as the `NET
Center').
`(b) DIRECTOR- The NET Center shall have a Director, who shall be
appointed by the Assistant Secretary.
`(c) DUTIES- The duties of the NET Center shall be--
`(1) to serve as a center for industry and government entities to
exchange information and methodology regarding data security techniques and
technologies;
`(2) to examine encryption techniques and methods to facilitate the
ability of law enforcement to gain efficient access to plaintext of
communications and electronic information;
`(3) to conduct research to develop efficient methods, and improve
the efficiency of existing methods, of accessing plaintext of communications
and electronic information;
`(4) to investigate and research new and emerging techniques and
technologies to facilitate access to communications and electronic
information, including --
`(A) reverse-steganography;
`(B) decompression of information that previously has been
compressed for transmission; and
`(5) to obtain information regarding the most current computer
hardware and software, telecommunications, and other capabilities to
understand how to access information transmitted across computer and
communications networks; and
`(6) to serve as a center for Federal, State, and local law
enforcement authorities for information and assistance regarding decryption
and other access requirements.
`(d) EQUAL ACCESS- State and local law enforcement agencies and
authorities shall have access to information, services, resources, and
assistance provided by the NET Center to the same extent that Federal law
enforcement agencies and authorities have such access.
`(e) PERSONNEL- The Director may appoint such personnel as the
Director considers appropriate to carry out the duties of the NET
Center.
`(f) ASSISTANCE OF OTHER FEDERAL AGENCIES- Upon the request of the
Director of the NET Center, the head of any department or agency of the
Federal Government may, to assist the NET Center in carrying out its duties
under this section--
`(1) detail, on a reimbursable basis, any of the personnel of such
department or agency to the NET Center; and
`(2) provide to the NET Center facilities, information, and other
non-personnel resources.
`(g) PRIVATE INDUSTRY ASSISTANCE- The NET Center may accept, use, and
dispose of gifts, bequests, or devises of money, services, or property, both
real and personal, for the purpose of aiding or facilitating the work of the
Center. Gifts, bequests, or devises of money and proceeds from sales of other
property received as gifts, bequests, or devises shall be deposited in the
Treasury and shall be available for disbursement upon order of the Director of
the NET Center.
`(1) ESTABLISHMENT- There is established the Advisory Board of the
NET Center (in this subsection referred to as the `Advisory Board'), which
shall be comprised of 11 members who shall have the qualifications described
in paragraph (2) and who shall be appointed by the Assistant Secretary not
later than 6 months after the date of the enactment of this Act. The
chairman of the Advisory Board shall be designated by the Assistant
Secretary at the time of appointment.
`(2) QUALIFICATIONS- Each member of the Advisory Board shall have
experience or expertise in the field of encryption, decryption, electronic
communication, information security, electronic commerce, or law
enforcement.
`(3) DUTIES- The duty of the Advisory Board shall be to advise the
NET Center and the Federal Government regarding new and emerging
technologies relating to encryption and decryption of communications and
electronic information.
`(i) IMPLEMENTATION PLAN- Within 2 months after the date of the
enactment of this Act, the Assistant Secretary, in consultation and
cooperation with other appropriate Federal agencies and appropriate industry
participants, develop and cause to be published in the Federal Register a plan
for establishing the NET Center. The plan shall--
`(1) specify the physical location of the NET Center and the
equipment, software, and personnel resources necessary to carry out the
duties of the NET Center under this section;
`(2) assess the amount of funding necessary to establish and operate
the NET Center; and
`(3) identify sources of probable funding for the NET Center,
including any sources of in-kind contributions from private
industry.'.
SEC. 10. STUDY OF NETWORK AND DATA SECURITY ISSUES.
Part C of the National Telecommunications and Information
Administration Organization Act is amended by adding at the end the following
new section:
`SEC. 156. STUDY OF NETWORK RELIABILITY AND SECURITY AND DATA SECURITY
ISSUES.
`(a) IN GENERAL- The NTIA shall conduct an examination of--
`(1) the relationship between--
`(A) network reliability (for communications and computer
networks), network security (for such networks), and data security issues;
and
`(B) the conduct, in interstate commerce, of electronic commerce
transactions, including through the medium of the telecommunications
networks, the Internet, or other interactive computer
systems;
`(2) the availability of various methods for encrypting
communications; and
`(3) the effects of various methods of providing access to encrypted
communications and to information to further law enforcement
activities.
`(b) SPECIFIC ISSUES- In conducting the examination required by
subsection (a), the NTIA shall--
`(1) analyze and evaluate the requirements under paragraphs (3) and
(4) of section 17(g) of the Export Administration Act of 1979 (50 U.S.C.
App. 2416(g); as added by section 7(a) of this Act) for products referred to
in such paragraphs to qualify for the license exemption or mandatory export
authorization under such paragraphs, and determine--
`(A) the scope and applicability of such requirements and the
products that, at the time of the examination, qualify for such license
exemption or export authorization; and
`(B) the products that will, 12 months after the examination is
conducted, qualify for such license exemption or export authorization;
and
`(2) assess possible methods for providing access to encrypted
communications and to information to further law enforcement
activities.
`(c) REPORTS- Within one year after the date of enactment of this
section, the NTIA shall submit to the Congress and the President a detailed
report on the examination required by subsections (a) and (b). Annually
thereafter, the NTIA shall submit to the Congress and the President an update
on such report.
`(d) DEFINITIONS- For purposes of this section--
`(1) the terms `data security', `encryption', `network reliability',
and `network security' have the meanings given such terms in section
17(g)(5) of the Export Administration Act of 1979 (50 U.S.C. App.
2416(g)(5)); and
`(2) the terms `Internet' and `interactive computer systems' have
the meanings provided by section 230(e) of the Communications Act of 1934
(47 U.S.C. 230(e)).'.
SEC. 11. TREATMENT OF ENCRYPTION IN INTERSTATE AND FOREIGN
COMMERCE.
(a) INQUIRY REGARDING IMPEDIMENTS TO COMMERCE- Within 180 days after
the date of the enactment of this Act, the Secretary of Commerce shall
complete an inquiry to--
(1) identify any domestic and foreign impediments to trade in
encryption products and services and the manners in which and extent to
which such impediments inhibit the development of interstate and foreign
commerce; and
(2) identify import restrictions imposed by foreign nations that
constitute trade barriers to providers of encryption products or
services.
The Secretary shall submit a report to the Congress regarding the
results of such inquiry by such date.
(b) REMOVAL OF IMPEDIMENTS TO TRADE- Within 1 year after such date of
enactment, the Secretary shall prescribe such regulations as may be necessary
to reduce the impediments to trade in encryption products and services
identified in the inquiry pursuant to subsection (a) for the purpose of
facilitating the development of interstate and foreign commerce. Such
regulations shall be designed to--
(1) promote the sale and distribution, including through electronic
commerce, in foreign commerce of encryption products and services
manufactured in the United States; and
(2) strengthen the competitiveness of domestic providers of
encryption products and services in foreign commerce, including electronic
commerce.
(c) INTERNATIONAL AGREEMENTS-
(1) REPORT TO PRESIDENT- Upon the completion of the inquiry under
subsection (a), the Secretary shall submit a report to the President
regarding reducing any impediments to trade in encryption products and
services that are identified by the inquiry and could, in the determination
of the Secretary, require international negotiations for such
reduction.
(2) NEGOTIATIONS- The President shall take all actions necessary to
conduct negotiations with other countries for the purposes of (A) concluding
international agreements on the promotion of encryption products and
services, and (B) achieving mutual recognition of countries' export
controls, in order to meet the needs of countries to preserve national
security, safeguard privacy, and prevent commercial espionage. The President
may consider a country's refusal to negotiate such international export and
mutual recognition agreements when considering the participation of the
United States in any cooperation or assistance program with that country.
The President shall submit a report to the Congress regarding the status of
international efforts regarding cryptography not later than December 31,
2000.
SEC. 12. COLLECTION OF INFORMATION ON EFFECT OF ENCRYPTION ON LAW
ENFORCEMENT ACTIVITIES.
(a) COLLECTION OF INFORMATION BY ATTORNEY GENERAL- The Attorney
General shall compile, and maintain in classified form, data on the instances
in which encryption (as defined in section 2801 of title 18, United States
Code) has interfered with, impeded, or obstructed the ability of the
Department of Justice to enforce the criminal laws of the United
States.
(b) AVAILABILITY OF INFORMATION TO THE CONGRESS- The information
compiled under subsection (a), including an unclassified summary thereof,
shall be made available, upon request, to any Member of Congress.
SEC. 13. PROHIBITION ON TRANSFERS TO PLA AND COMMUNIST CHINESE MILITARY
COMPANIES.
(a) PROHIBITION- Whoever knowingly and willfully transfers to the
People's Liberation Army or to any Communist Chinese military company any
encryption product that utilizes a key length of more than 56 bits--
(1) in the case of a first offense under this section, shall be
imprisoned for not more than 5 years, or fined under title 18, United States
Code, or both; and
(2) in the case of second or subsequent offense under this section,
shall be imprisoned for not more than 10 years, or fined under title 18,
United States Code, or both.
(b) DEFINITIONS- For purposes of this section:
(1) COMMUNIST CHINESE MILITARY COMPANY- (A) Subject to subparagraph
(B), the term `Communist Chinese military company' has the meaning given
that term in section 1237(b)(4) of the Strom Thurmond National Defense
Authorization Act for Fiscal Year 1999 (50 U.S.C. 1701 note).
(B) At such time as the determination and publication of persons are
made under section 1237(b)(1) of the Strom Thurmond National Defense
Authorization Act for Fiscal Year 1999, the term `Communist Chinese military
company' shall mean the list of those persons so published, as revised under
section 1237(b)(2) of that Act.
(2) PEOPLE'S LIBERATION ARMY- The term `People's Liberation Army'
has the meaning given that term in section 1237(c) of the Strom Thurmond
National Defense Authorization Act for Fiscal Year 1999.
SEC. 14. FAILURE TO DECRYPT INFORMATION OBTAINED UNDER COURT
ORDER.
Whoever is required by an order of any court to provide to the court
or any other party any information in such person's possession which has been
encrypted and who, having possession of the key or such other capability to
decrypt such information into the readable or comprehensible format of such
information prior to its encryption, fails to provide such information in
accordance with the order in such readable or comprehensible form--
(1) in the case of a first offense under this section, shall be
imprisoned for not more than 5 years, or fined under title 18, United States
Code, or both; and
(2) in the case of second or subsequent offense under this section,
shall be imprisoned for not more than 10 years, or fined under title 18
United States Code, or both.
SECTION 1. SHORT TITLE.
This Act may be cited as the `Security And Freedom through Encryption
(SAFE) Act'.
SEC. 2. SALE AND USE OF ENCRYPTION.
(a) IN GENERAL- Part I of title 18, United States Code, is amended by
inserting after chapter 123 the following new chapter:
`CHAPTER 125--ENCRYPTED WIRE AND ELECTRONIC INFORMATION
`2802. Freedom to use encryption.
`2803. Freedom to sell encryption.
`2804. Prohibition on mandatory key escrow.
`2805. Unlawful use of encryption in furtherance of a criminal
act.
`Sec. 2801. Definitions
`As used in this chapter--
`(1) the terms `person', `State', `wire communication', `electronic
communication', `investigative or law enforcement officer', and `judge of
competent jurisdiction' have the meanings given those terms in section 2510
of this title;
`(2) the term `decrypt' means to retransform or unscramble encrypted
data, including communications, to its readable form;
`(3) the terms `encrypt', `encrypted', and `encryption' mean the
scrambling of wire communications, electronic communications, or
electronically stored information, using mathematical formulas or algorithms
in order to preserve the confidentiality, integrity, or authenticity of, and
prevent unauthorized recipients from accessing or altering, such
communications or information;
`(4) the term `key' means the variable information used in a
mathematical formula, code, or algorithm, or any component thereof, used to
decrypt wire communications, electronic communications, or electronically
stored information, that has been encrypted; and
`(5) the term `key recovery information' means information that would
enable obtaining the key of a user of encryption;
`(6) the term `plaintext access capability' means any method or
mechanism which would provide information in readable form prior to its
being encrypted or after it has been decrypted;
`(7) the term `United States person' means--
`(A) any United States citizen;
`(B) any other person organized under the laws of any State, the
District of Columbia, or any commonwealth, territory, or possession of the
United States; and
`(C) any person organized under the laws of any foreign country who is
owned or controlled by individuals or persons described in subparagraphs
(A) and (B).
`Sec. 2802. Freedom to use encryption
`Subject to section 2805, it shall be lawful for any person within any
State, and for any United States person in a foreign country, to use any
encryption, regardless of the encryption algorithm selected, encryption key
length chosen, or implementation technique or medium used.
`Sec. 2803. Freedom to sell encryption
`Subject to section 2805, it shall be lawful for any person within any
State to sell in interstate commerce any encryption, regardless of the
encryption algorithm selected, encryption key length chosen, or implementation
technique or medium used.
`Sec. 2804. Prohibition on mandatory key escrow
`(a) GENERAL PROHIBITION- Neither the Federal Government nor a State may
require that, or condition any approval on a requirement that, a key, access
to a key, key recovery information, or any other plaintext access capability
be--
`(1) built into computer hardware or software for any purpose;
`(2) given to any other person, including a Federal Government agency or
an entity in the private sector that may be certified or approved by the
Federal Government or a State to receive it; or
`(3) retained by the owner or user of an encryption key or any other
person, other than for encryption products for use by the Federal Government
or a State.
`(b) EXCEPTION FOR GOVERNMENT NATIONAL SECURITY AND LAW ENFORCEMENT
PURPOSES- The prohibition contained in subsection (a) shall not apply to any
department, agency, or instrumentality of the United States, or to any
department, agency, or political subdivision of a State, that has a valid
contract with a nongovernmental entity that is assisting in the performance of
national security or law enforcement activity.
`(c) EXCEPTION FOR ACCESS FOR LAW ENFORCEMENT PURPOSES- Subsection (a)
shall not affect the authority of any investigative or law enforcement
officer, or any member of the intelligence community as defined in section 3
of the National Security Act of 1947 (50 U.S.C. 401a), acting under any law in
effect on the effective date of this chapter, to gain access to encrypted
communications or information.
`Sec. 2805. Unlawful use of encryption in furtherance of a criminal act
`(a) ENCRYPTION OF INCRIMINATING COMMUNICATIONS OR INFORMATION UNLAWFUL-
Any person who, in the commission of a felony under a criminal statute of the
United States, knowingly and willfully encrypts incriminating communications
or information relating to that felony with the intent to conceal such
communications or information for the purpose of avoiding detection by law
enforcement agencies or prosecution--
`(1) in the case of a first offense under this section, shall be
imprisoned for not more than 5 years, or fined in the amount set forth in
this title, or both; and
`(2) in the case of a second or subsequent offense under this section,
shall be imprisoned for not more than 10 years, or fined in the amount set
forth in this title, or both.
`(b) USE OF ENCRYPTION NOT A BASIS FOR PROBABLE CAUSE- The use of
encryption by any person shall not be the sole basis for establishing probable
cause with respect to a criminal offense or a search warrant.'.
(b) CONFORMING AMENDMENT- The table of chapters for part I of title 18,
United States Code, is amended by inserting after the item relating to chapter
123 the following new item:
2801'.
SEC. 3. EXPORTS OF ENCRYPTION.
(a) AMENDMENT TO EXPORT ADMINISTRATION ACT OF 1979- Section 17 of the
Export Administration Act of 1979 (50 U.S.C. App. 2416) is amended by adding
at the end thereof the following new subsection:
`(g) CERTAIN CONSUMER PRODUCTS, COMPUTERS, AND RELATED EQUIPMENT-
`(1) GENERAL RULE- Subject to paragraphs (2) and (3), the Secretary
shall have exclusive authority to control exports of all computer hardware,
software, computing devices, customer premises equipment, communications
network equipment, and technology for information security (including
encryption), except that which is specifically designed or modified for
military use, including command, control, and intelligence
applications.
`(2) ITEMS NOT REQUIRING LICENSES- After a 1-time technical review by
the Secretary, which shall be completed not later than 30 working days after
submission of the product concerned for such technical review, no export
license may be required, except pursuant to the Trading with the enemy Act
or the International Emergency Economic Powers Act (but only to the extent
that the authority of such Act is not exercised to extend controls imposed
under this Act), for the export or reexport of--
`(A) any computer hardware or software or computing device, including
computer hardware or software or computing devices with encryption
capabilities--
`(i) that is generally available;
`(ii) that is in the public domain for which copyright or other
protection is not available under title 17, United States Code, or that
is available to the public because it is generally accessible to the
interested public in any form; or
`(iii) that is used in a commercial, off-the-shelf, consumer product
or any component or subassembly designed for use in such a consumer
product available within the United States or abroad which--
`(I) includes encryption capabilities which are inaccessible to
the end user; and
`(II) is not designed for military or intelligence end
use;
`(B) any computing device solely because it incorporates or employs in
any form--
`(i) computer hardware or software (including computer hardware or
software with encryption capabilities) that is exempted from any
requirement for a license under subparagraph (A); or
`(ii) computer hardware or software that is no more technically
complex in its encryption capabilities than computer hardware or
software that is exempted from any requirement for a license under
subparagraph (A) but is not designed for installation by the
purchaser;
`(C) any computer hardware or software or computing device solely on
the basis that it incorporates or employs in any form interface mechanisms
for interaction with other computer hardware or software or computing
devices, including computer hardware and software and computing devices
with encryption capabilities;
`(D) any computing or telecommunication device which incorporates or
employs in any form computer hardware or software encryption capabilities
which--
`(i) are not directly available to the end user; or
`(ii) limit the encryption to be point-to-point from the user to a
central communications point or link and does not enable end-to-end user
encryption;
`(E) technical assistance and technical data used for the installation
or maintenance of computer hardware or software or computing devices with
encryption capabilities covered under this subsection; or
`(F) any encryption hardware or software or computing device not used
for confidentiality purposes, such as authentication, integrity,
electronic signatures, nonrepudiation, or copy protection.
`(3) COMPUTER HARDWARE OR SOFTWARE OR COMPUTING DEVICES WITH ENCRYPTION
CAPABILITIES- After a 1-time technical review by the Secretary, which shall
be completed not later than 30 working days after submission of the product
concerned for such technical review, the Secretary shall authorize the
export or reexport of computer hardware or software or computing devices
with encryption capabilities for nonmilitary end uses in any country--
`(A) to which exports of computer hardware or software or computing
devices of comparable strength are permitted for use by financial
institutions not controlled in fact by United States persons, unless there
is credible evidence that such computer hardware or software or computing
devices will be--
`(i) diverted to a military end use or an end use supporting
international terrorism;
`(ii) modified for military or terrorist end use; or
`(iii) reexported without any authorization by the United States
that may be required under this Act; or
`(B) if the Secretary determines that a computer hardware or software
or computing device offering comparable security is commercially available
outside the United States from a foreign supplier, without effective
restrictions.
`(4) EXPORTS TO MAJOR DRUG-TRANSIT AND ILLICIT DRUG PRODUCING COUNTRIES-
The Secretary, before approving any export or reexport of encryption
products to any major drug-transit country or major illicit drug producing
country identified under section 490(h) of the Foreign Assistance Act of
1961, shall consult with the Attorney General of the United States, the
Director of the Federal Bureau of Investigation, and the Administrator of
the Drug Enforcement Administration on the potential impact of such export
or reexport on the flow of illicit drugs into the United States. This
paragraph shall not authorize the denial of an export of an encryption
product, or of the issuance of a specific export license, for which such
denial is not otherwise appropriate, solely because the country of
destination is a major drug-transit country or major illicit drug producing
country.
`(5) DEFINITIONS- As used in this subsection--
`(A)(i) the term `encryption' means the scrambling of wire
communications, electronic communications, or electronically stored
information, using mathematical formulas or algorithms in order to
preserve the confidentiality, integrity, or authenticity of, and prevent
unauthorized recipients from accessing or altering, such communications or
information;
`(ii) the terms `wire communication' and `electronic communication'
have the meanings given those terms in section 2510 of title 18, United
States Code;
`(B) the term `generally available' means, in the case of computer
hardware or computer software (including computer hardware or computer
software with encryption capabilities)--
`(i) computer hardware or computer software that is--
`(I) distributed through the Internet;
`(II) offered for sale, license, or transfer to any person without
restriction, whether or not for consideration, including, but not
limited to, over-the-counter retail sales, mail order transactions,
phone order transactions, electronic distribution, or sale on
approval;
`(III) preloaded on computer hardware or computing devices that
are widely available for sale to the public; or
`(IV) assembled from computer hardware or computer software
components that are widely available for sale to the
public;
`(ii) not designed, developed, or tailored by the manufacturer for
specific purchasers or users, except that any such purchaser or user
may--
`(I) supply certain installation parameters needed by the computer
hardware or software to function properly with the computer system of
the user or purchaser; or
`(II) select from among options contained in the computer hardware
or computer software;
`(iii) with respect to which the manufacturer of that computer
hardware or computer software--
`(I) intended for the user or purchaser, including any licensee or
transferee, to install the computer hardware or software and has
supplied the necessary instructions to do so, except that the
manufacturer of the computer hardware or software, or any agent of
such manufacturer, may also provide telephone or electronic mail help
line services for installation, electronic transmission, or basic
operations; and
`(II) the computer hardware or software is designed for such
installation by the user or purchaser without further substantial
support by the manufacturer; and
`(iv) offered for sale, license, or transfer to any person without
restriction, whether or not for consideration, including, but not
limited to, over-the-counter retail sales, mail order transactions,
phone order transactions, electronic distribution, or sale on
approval;
`(C) the term `computing device' means a device which incorporates one
or more microprocessor-based central processing units that can accept,
store, process, or provide output of data;
`(D) the term `computer hardware' includes, but is not limited to,
computer systems, equipment, application-specific assemblies, smart cards,
modules, integrated circuits, and printed circuit board
assemblies;
`(E) the term `customer premises equipment' means equipment employed
on the premises of a person to originate, route, or terminate
communications;
`(F) the term `technical assistance' includes instruction, skills
training, working knowledge, consulting services, and the transfer of
technical data;
`(G) the term `technical data' includes blueprints, plans, diagrams,
models, formulas, tables, engineering designs and specifications, and
manuals and instructions written or recorded on other media or devices
such as disks, tapes, or read-only memories; and
`(H) the term `technical review' means a review by the Secretary of
computer hardware or software or computing devices with encryption
capabilities, based on information about the product's encryption
capabilities supplied by the manufacturer, that the computer hardware or
software or computing device works as represented.'.
(b) NO REINSTATEMENT OF EXPORT CONTROLS ON PREVIOUSLY DECONTROLLED
PRODUCTS- Any encryption product not requiring an export license as of the
date of enactment of this Act, as a result of administrative decision or
rulemaking, shall not require an export license on or after such date of
enactment.
(c) APPLICABILITY OF CERTAIN EXPORT CONTROLS-
(1) IN GENERAL- Nothing in this Act shall limit the authority of the
President under the International Emergency Economic Powers Act, the Trading
with the enemy Act, or the Export Administration Act of 1979, to--
(A) prohibit the export of encryption products to countries that have
been determined to repeatedly provide support for acts of international
terrorism;
(B) prohibit the export or reexport of any encryption product with an
encryption strength of more than 56 bits to any military unit of the
People's Republic of China, including the People's Liberation Army (as
defined in section 1237(c) of the Strom Thurmond National Defense
Authorization Act for Fiscal Year 1999 (50 U.S.C. 1701 note)); or
(C) impose an embargo on exports to, and imports from, a specific
country.
(2) SPECIFIC DENIALS- The Secretary of Commerce may prohibit the export
of specific encryption products to an individual or organization in a
specific foreign country or countries identified by the Secretary, if the
Secretary, in consultation with the Secretary of Defense, the Secretary of
State, the Attorney General, the Director of the Federal Bureau of
Investigation, the Administrator of the Drug Enforcement Administration, and
the Director of Central Intelligence, determines that there is credible
evidence that such encryption products will be used--
(A) for military or terrorist end-use;
(B) to facilitate the import of illicit drugs into the United
States;
(C) in the manufacture of weapons of mass destruction or otherwise to
assist in the proliferation of weapons of mass destruction; or
(D) for illegal activities involving the sexual exploitation of, abuse
of, or sexually explicit conduct with minors.
(3) OTHER EXPORT CONTROLS- Any encryption product is subject to export
controls for any reason other than the existence of encryption capability,
including export controls imposed on high performance computers. Nothing in
this Act or the amendments made by this Act alters the ability of the
Secretary of Commerce to control exports for reasons other than encryption
capabilities.
(4) DEFINITION- As used in this subsection and subsection (b), the term
`encryption' has the meaning given that term in section 17(g)(5)(A) of the
Export Administration Act of 1979, as added by subsection (a) of this
section.
(d) CONTINUATION OF EXPORT ADMINISTRATION ACT- For purposes of carrying
out the amendment made by subsection (a), the Export Administration Act of
1979 shall be deemed to be in effect.
SEC. 4. EFFECT ON LAW ENFORCEMENT ACTIVITIES.
(a) COLLECTION OF INFORMATION BY ATTORNEY GENERAL- The Attorney General
shall compile, and maintain in classified form, data on the instances in which
encryption (as defined in section 2801 of title 18, United States Code) has
interfered with, impeded, or obstructed the ability of the Department of
Justice to enforce the criminal laws of the United States.
(b) AVAILABILITY OF INFORMATION TO THE CONGRESS- The information compiled
under subsection (a), including an unclassified summary thereof, shall be made
available, upon request, to any Member of Congress.
[Struck out->][ SECTION 1. SHORT
TITLE.
[Struck out->][ This Act may be cited as the
`Protection of National Security and Public Safety Act'.
[Struck out->][ SEC. 2. EXPORTS OF
ENCRYPTION.
[Struck out->][ (a) AUTHORITY TO CONTROL
EXPORTS- The President shall control the export of all dual-use encryption
products.
[Struck out->][ (b) AUTHORITY TO DENY EXPORT
FOR NATIONAL SECURITY REASONS- Notwithstanding any provision of this Act, the
President may deny the export of any encryption product on the basis that its
export is contrary to the national security interests of the United
States.
[Struck out->][ (c) DECISIONS NOT SUBJECT TO
JUDICIAL REVIEW- Any decision made by the President or his designee with
respect to the export of encryption products under this Act shall not be
subject to judicial review.
[Struck out->][ SEC. 3. LICENSE EXCEPTION FOR
CERTAIN ENCRYPTION PRODUCTS.
[Struck out->][ Encryption products with
encryption strength equal to or less than the level identified in section 5
shall be eligible for export under a license exception if--
[Struck out->][ (1) such encryption
product is submitted for a 1-time technical review;
[Struck out->][ (2) such encryption
product does not require licensing under otherwise applicable
regulations;
[Struck out->][ (3) such encryption
product is not intended for a country, end user, or end use that is by
regulation ineligible to receive such product, and the encryption product is
otherwise qualified for export; and
[Struck out->][ (4) the exporter, at the
time of submission of the product for technical review, provides the names
and addresses of its distribution chain partners.
[Struck out->][ SEC. 4. ONE-TIME PRODUCT
REVIEW.
[Struck out->][ The President shall specify
the information that must be submitted for the 1-time review referred to in
section 3.
[Struck out->][ SEC. 5. ELIGIBILITY
LEVELS.
[Struck out->][ (a) INITIAL ELIGIBILITY
LEVEL- Not later than 180 days after the date of the enactment of this Act,
the President shall notify the Congress of the maximum level of encryption
strength that may be exported from the United States under license exception
pursuant to section 3 without harm to the national security interests of the
United States. Such level shall not become effective until 30 days after such
notification.
[Struck out->][ (b) PERIODIC REVIEW OF
ELIGIBILITY LEVEL- The President shall, at the end of each successive 180-day
period after the notice provided to the Congress under subsection (a), notify
the Congress of the maximum level of encryption strength, which may not be
lower than that in effect under this section during that 180-day period, that
may be exported from the United States under a license exception pursuant to
section 3 without harm to the national security interests of the United
States. Such level shall not become effective until 30 days after such
notification.
[Struck out->][ SEC. 6. ENCRYPTION LICENSES
REQUIRED.
[Struck out->][ (a) UNITED STATES PRODUCTS
EXCEEDING CERTAIN BIT LENGTH- An export license is required for the export of
any encryption product designed or manufactured within the United States with
an encryption strength exceeding the maximum level eligible for a license
exception under section 3.
[Struck out->][ (b) REQUIREMENTS FOR EXPORT
LICENSE APPLICATION- To apply for an export license, the applicant shall
submit--
[Struck out->][ (1) the product for
technical review;
[Struck out->][ (2) a certification
identifying--
[Struck out->][ (A) the intended end use
of the product; and
[Struck out->][ (B) the expected end
user of the product;
[Struck out->][ (3) in instances where the
export is to a distribution chain partner--
[Struck out->][ (A) proof that the
distribution chain partner has contractually agreed to abide by all laws
and regulations of the United States concerning the export and reexport of
encryption products designed or manufactured within the United States;
and
[Struck out->][ (B) the name and address
of the distribution chain partner; and
[Struck out->][ (4) any other information
required by the President.
[Struck out->][ (c) POST-EXPORT REPORTING-
[Struck out->][ (1) UNAUTHORIZED USE- Any
exporter of encryption products that are designed or manufactured within the
United States shall submit a report to the Secretary at any time the
exporter has reason to believe that any such product exported pursuant to
this section is being diverted to a use or user not approved at the time of
export.
[Struck out->][ (2) DISTRIBUTION CHAIN
PARTNERS- All exporters of encryption products that are designed and
manufactured within the United States, and all distribution chain partners
of such exporters, shall submit to the Secretary a report which shall
specify--
[Struck out->][ (A) the particular
product sold;
[Struck out->][ (B) the name and address
of the end user of the product; and
[Struck out->][ (C) the intended use of
the product sold.
[Struck out->][ SEC. 7. WAIVER
AUTHORITY.
[Struck out->][ (a) IN GENERAL- The
President may by Executive order waive the applicability of any provision of
section 3 to a person or entity if the President determines that the waiver is
necessary to protect the national security interests of the United States. The
President shall, not later than 15 days after making such determination,
submit a report to the committees referred to in subsection (c) that includes
the factual basis upon which such determination was made. The report may be in
classified format.
[Struck out->][ (b) WAIVERS FOR CERTAIN
CLASSES OF END USERS- The President may by Executive order waive the licensing
requirements of section 6 for specific classes of end users identified as
being eligible for receipt of encryption commodities and software under
license exception in section 740.17 of title 15, Code of Federal Regulations,
as in effect on July 17, 1999. The President shall, not later than 15 days
after issuing such a waiver, submit a report to the committees referred to in
subsection (c) that includes the factual basis upon which such waiver was
made. The report may be in classified format.
[Struck out->][ (c) COMMITTEES- The
committees referred to in subsections (a) and (b) are the Committee on
International Relations, the Committee on Armed Services, and the Permanent
Select Committee on Intelligence of the House of Representatives, and the
Committee on Foreign Relations, the Committee on Armed Services, and the
Select Committee on Intelligence of the Senate.
[Struck out->][ SEC. 8. ENCRYPTION INDUSTRY
AND INFORMATION SECURITY BOARD.
[Struck out->][ (a) ENCRYPTION INDUSTRY AND
INFORMATION SECURITY BOARD ESTABLISHED- There is hereby established an
Encryption Industry and Information Security Board. The Board shall undertake
an advisory role for the President on the matter of foreign availability of
encryption products.
[Struck out->][ (b) MEMBERSHIP- (1) The
Board shall be composed of 12 members, as follows:
[Struck out->][ (A) The Secretary, or the
Secretary's designee.
[Struck out->][ (B) The Attorney General,
or his or her designee.
[Struck out->][ (C) The Secretary of
Defense, or his or her designee.
[Struck out->][ (D) The Director of
Central Intelligence, or his or her designee.
[Struck out->][ (E) The Director of the
Federal Bureau of Investigation, or his or her designee.
[Struck out->][ (F) The Special Assistant
to the President for National Security Affairs, or his or her designee, who
shall chair the Board.
[Struck out->][ (G) Six representatives
from the private sector who have expertise in the development, operation,
marketing, law, or public policy relating to information security or
technology. Members under this subparagraph shall each serve for 5-year
terms.
[Struck out->][ (2) The six private sector
representatives described in paragraph (1)(G) shall be appointed as
follows:
[Struck out->][ (A) Two by the Speaker
of the House of Representatives.
[Struck out->][ (B) One by the Minority
Leader of the House of Representatives.
[Struck out->][ (C) Two by the Majority
Leader of the Senate.
[Struck out->][ (D) One by the Minority
Leader of the Senate.
[Struck out->][ (c) MEETINGS- The Board
shall meet at such times and in such places as the Secretary may prescribe,
but not less frequently than every four months.
[Struck out->][ (d) FINDINGS AND
RECOMMENDATIONS- The chair of the Board shall convey the findings and
recommendations of the Board to the President and to the Congress within 30
days after each meeting of the Board. The recommendations of the Board are not
binding upon the President.
[Struck out->][ (e) LIMITATION- The Board
shall have no authority to review any export determination made pursuant to
this Act.
[Struck out->][ (f) TERMINATION- This
section shall cease to be effective 10 years after the date of the enactment
of this Act.
[Struck out->][ SEC. 9. MARKET SHARE
SURVEY.
[Struck out->][ The Secretary shall, at
least once every 6 months, conduct a market share survey of foreign markets
for encryption products. The Secretary shall publish the results of the survey
in the Federal Register. The publication shall include an assessment of the
market share of each foreign encryption product in each market surveyed and a
description of the general characteristics of each encryption product.
[Struck out->][ SEC. 10.
DEFINITIONS.
[Struck out->][ In this Act:
[Struck out->][ (1) ENCRYPTION- The term
`encryption' means the transformation or scrambling of data, for the purpose
of protecting such data, from plaintext to an unreadable or incomprehensible
format, regardless of the techniques used for such transformation or
scrambling and regardless of the medium in which such data occur or can be
found.
[Struck out->][ (2) EXPORT AND EXPORTER-
The term `export' includes reexport, the term `exporter' includes
`reexporter'.
[Struck out->][ (3) SECRETARY- The term
`Secretary' means the Secretary of Commerce.
]
[<-Struck out]
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) SHORT TITLE- This Act may be cited as the `Encryption for the
National Interest Act'.
(b) TABLE OF CONTENTS- The table of contents is as
follows:
Sec. 1. Short title; table of contents.
Sec. 2. Statement of policy.
Sec. 3. Congressional findings.
TITLE I--DOMESTIC USES OF ENCRYPTION
Sec. 102. Lawful use of encryption.
Sec. 103. Unlawful use of encryption.
TITLE II--GOVERNMENT PROCUREMENT
Sec. 201. Federal purchases of encryption
products.
Sec. 202. Networks established with Federal funds.
Sec. 203. Government contract authority.
Sec. 204. Product labels.
Sec. 205. No private mandate.
TITLE III--EXPORTS OF ENCRYPTION
Sec. 301. Exports of encryption.
Sec. 302. License exception for certain encryption
products.
Sec. 303. Discretionary authority.
Sec. 304. Expedited review authority.
Sec. 305. Encryption licenses required.
Sec. 306. Encryption Industry and Information Security
Board.
TITLE IV--LIABILITY LIMITATIONS
Sec. 401. Compliance with court order.
Sec. 402. Compliance defense.
Sec. 403. Good faith defense.
TITLE V--INTERNATIONAL AGREEMENTS
Sec. 501. Sense of Congress.
Sec. 502. Failure to negotiate.
Sec. 503. Report to Congress.
TITLE VI--MISCELLANEOUS PROVISIONS
Sec. 601. Effect on law enforcement activities.
Sec. 602. Interpretation.
Sec. 603. FBI technical support.
SEC. 2. STATEMENT OF POLICY.
It is the policy of the United States to protect public computer
networks through the use of strong encryption technology, to promote the
export of encryption products developed and manufactured in the United States,
and to preserve public safety and national security.
SEC. 3. CONGRESSIONAL FINDINGS.
The Congress finds the following:
(1) Information security technology, encryption,
is--
(A) fundamental to secure the flow of intelligence information
to national policy makers;
(B) critical to the President and national command authority of
the United States;
(C) necessary to the Secretary of State for the development and
execution of the foreign policy of the United States;
(D) essential to the Secretary of Defense's responsibilities to
ensure the effectiveness of the Armed Forces of the United
States;
(E) invaluable to the protection of the citizens of the United
States from fraud, theft, drug trafficking, child pornography; kidnapping,
and money laundering; and
(F) basic to the protection of the nation's critical
infrastructures, including electrical grids, banking and financial
systems, telecommunications, water supplies, and
transportation.
(2) The goal of any encryption legislation should be to enhance
and promote the global market strength of United States encryption
manufacturers, while guaranteeing that national security and public safety
obligations of the Government can still be accomplished.
(3) It is essential to the national security interests of the
United States that United States encryption products dominate the global
market.
(4) Widespread use of unregulated encryption products poses a
significant threat to the national security interests of the United
States.
(5) Leaving the national security and public safety
responsibilities of the Government to the marketplace alone is not
consistent with the obligations of the Government to protect the public
safety and to defend the Nation.
(6) In order for the United States position in the global market
to benefit the national security interests of the United States, it is
imperative that the export of encryption products be subject to a dynamic
and constructive export control regime.
(7) Export of commercial items are best managed through a
regulatory structure which has flexibility to address constantly changing
market conditions.
(8) Managing sensitive dual-use technologies, such as encryption
products, is challenging in any regulatory environment due to the difficulty
in balancing competing interests in national security, public safety,
privacy, fair competition within the industry, and the dynamic nature of the
technology.
(9) There is a widespread perception that the executive branch
has not adequately balanced the equal and competing interests of national
security, public safety, privacy, and industry.
(10) There is a perception that the current encryption export
control policy has done more to disadvantage United States business
interests than to promote and protect national security and public safety
interests.
(11) A balance can and must be achieved between industry
interests, national security, law enforcement requirements, and privacy
needs.
(12) A court order process should be required for access to
plaintext, where and when available, and criminal and civil penalties should
be imposed for misuse of decryption information.
(13) Timely access to plaintext capability is--
(A) necessary to thwarting potential terrorist
activities;
(B) extremely useful in the collection of foreign
intelligence;
(C) indispensable to force protection
requirements;
(D) critical to the investigation and prosecution of criminals;
and
(E) both technically and economically
possible.
(14) The United States Government should encourage the
development of those products that would provide a capability allowing law
enforcement (Federal, State, and local), with a court order only, to gain
timely access to the plaintext of either stored data or data in
transit.
(15) Unless law enforcement has the benefit of such market
encouragement, drug traffickers, spies, child pornographers, pedophiles,
kidnappers, terrorists, mobsters, weapons proliferators, fraud schemers, and
other criminals will be able to use encryption software to protect their
criminal activity and hinder the criminal justice system.
(16) An effective regulatory approach to manage the proliferation
of encryption products which have dual-use capabilities must be maintained
and greater confidence in the ability of the executive branch to preserve
and promote the competitive advantage of the United States encryption
industry in the global market must be provided.
TITLE I--DOMESTIC USES OF ENCRYPTION
SEC. 101. DEFINITIONS.
For purposes of this Act:
(1) ATTORNEY FOR THE GOVERNMENT- The term `attorney for the
Government' has the meaning given such term in Rule 54(c) of the Federal
Rules of Criminal Procedure, and also includes any duly authorized attorney
of a State who is authorized to prosecute criminal offenses within such
State.
(2) AUTHORIZED PARTY- The term `authorized party' means any
person with the legal authority to obtain decryption information or
plaintext of encrypted data, including communications.
(3) COMMUNICATIONS- The term `communications' means any wire
communications or electronic communications as those terms are defined in
paragraphs (1) and (12) of section 2510 of title 18, United States
Code.
(4) COURT OF COMPETENT JURISDICTION- The term `court of competent
jurisdiction' means any court of the United States organized under Article
III of the Constitution of the United States, the court organized under the
Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.), or a
court of general criminal jurisdiction of a State authorized pursuant to the
laws of such State to enter orders authorizing searches and
seizures.
(5) DATA NETWORK SERVICE PROVIDER- The term `data network service
provider' means a person offering any service to the general public that
provides the users thereof with the ability to transmit or receive data,
including communications.
(6) DECRYPTION- The term `decryption' means the retransformation
or unscrambling of encrypted data, including communications, to its readable
plaintext version. To `decrypt' data, including communications, is to
perform decryption.
(7) DECRYPTION INFORMATION- The term `decryption information'
means information or technology that enables one to readily retransform or
unscramble encrypted data from its unreadable and incomprehensible format to
its readable plaintext version.
(8) ELECTRONIC STORAGE- The term `electronic storage' has the
meaning given that term in section 2510(17) of title 18, United States
Code.
(9) ENCRYPTION- The term `encryption' means the transformation or
scrambling of data, including communications, from plaintext to an
unreadable or incomprehensible format, regardless of the technique utilized
for such transformation or scrambling and irrespective of the medium in
which such data, including communications, occur or can be found, for the
purposes of protecting the content of such data, including communications.
To `encrypt' data, including communications, is to perform
encryption.
(10) ENCRYPTION PRODUCT- The term `encryption product' means any
software, technology, commodity, or mechanism, that can be used to encrypt
or decrypt or has the capability of encrypting or decrypting any data,
including communications.
(11) FOREIGN AVAILABILITY- The term `foreign availability' has
the meaning applied to foreign availability of encryption products subject
to controls under the Export Administration Regulations, as in effect on
July 1, 1999.
(12) GOVERNMENT- The term `Government' means the Government of
the United States and any agency or instrumentality thereof, or the
government of any State, and any of its political
subdivisions.
(13) INVESTIGATIVE OR LAW ENFORCEMENT OFFICER- The term
`investigative or law enforcement officer' has the meaning given that term
in section 2510(7) of title 18, United States Code.
(14) NATIONAL SECURITY- The term `national security' means the
national defense, intelligence, or foreign policy interests of the United
States.
(15) PLAINTEXT- The term `plaintext' means the readable or
comprehensible format of that data, including communications, which has been
encrypted.
(16) PLAINVOICE- The term `plainvoice' means communication
specific plaintext.
(17) SECRETARY- The term `Secretary' means the Secretary of
Commerce, unless otherwise specifically identified.
(18) STATE- The term `State' has the meaning given that term in
section 2510(3) of title 18, United States Code.
(19) TELECOMMUNICATIONS CARRIER- The term `telecommunications
carrier' has the meaning given that term in section 3 of the Communications
Act of 1934 (47 U.S.C. 153).
(20) TELECOMMUNICATIONS SYSTEM- The term `telecommunications
system' means any equipment, technology, or related software used in the
movement, switching, interchange, transmission, reception, or internal
signaling of data, including communications over wire, fiber optic, radio
frequency, or any other medium.
(21) UNITED STATES PERSON- The term `United States person'
means--
(A) any citizen of the United States;
(B) any other person organized under the laws of any State;
and
(C) any person organized under the laws of any foreign country
who is owned or controlled by individuals or persons described in
subparagraphs (A) and (B).
SEC. 102. LAWFUL USE OF ENCRYPTION.
Except as otherwise provided by this Act or otherwise provided by
law, it shall be lawful for any person within any State and for any United
States person to use any encryption product, regardless of encryption
algorithm selected, encryption bit length chosen, or implementation technique
or medium used.
SEC. 103. UNLAWFUL USE OF ENCRYPTION.
(a) IN GENERAL- Part I of title 18, United States Code, is amended
by inserting after chapter 123 the following new chapter:
`CHAPTER 125--ENCRYPTED DATA, INCLUDING
COMMUNICATIONS
`Sec.
`2801. Unlawful use of encryption in furtherance of a criminal
act.
`2802. Privacy protection.
`2803. Court order access to plaintext or decryption
information.
`2804. Notification procedures.
`2805. Lawful use of plaintext or decryption
information.
`2806. Identification of decryption information.
`Sec. 2801. Unlawful use of encryption in furtherance of a criminal
act
`(a) PROHIBITED ACTS- Whoever knowingly uses encryption in
furtherance of the commission of a criminal offense for which the person may
be prosecuted in a district court of the United States shall--
`(1) in the case of a first offense under this section, be
imprisoned for not more than 5 years, or fined under this title, or both;
and
`(2) in the case of a second or subsequent offense under this
section, be imprisoned for not more than 10 years, or fined under this
title, or both.
`(b) CONSECUTIVE SENTENCE- Notwithstanding any other provision of
law, the court shall not place on probation any person convicted of a
violation of this section, nor shall the term of imprisonment imposed under
this section run concurrently with any other term of imprisonment imposed for
the underlying criminal offense.
`(c) PROBABLE CAUSE NOT CONSTITUTED BY USE OF ENCRYPTION- The use
of encryption by itself shall not establish probable cause to believe that a
crime is being or has been committed.
`Sec. 2802. Privacy protection
`(a) IN GENERAL- It shall be unlawful for any person to
intentionally--
`(1) obtain or use decryption information without lawful
authority for the purpose of decrypting data, including
communications;
`(2) exceed lawful authority in decrypting data, including
communications;
`(3) break the encryption code of another person without lawful
authority for the purpose of violating the privacy or security of that
person or depriving that person of any property rights;
`(4) impersonate another person for the purpose of obtaining
decryption information of that person without lawful
authority;
`(5) facilitate or assist in the encryption of data, including
communications, knowing that such data, including communications, are to be
used in furtherance of a crime; or
`(6) disclose decryption information in violation of a provision
of this chapter.
`(b) CRIMINAL PENALTY- Whoever violates this section shall be
imprisoned for not more than 10 years, or fined under this title, or
both.
`Sec. 2803. Court order access to plaintext or decryption
information
`(a) COURT ORDER- (1) A court of competent jurisdiction shall issue
an order, ex parte, granting an investigative or law enforcement officer
timely access to the plaintext of encrypted data, including communications, or
requiring any person in possession of decryption information to provide such
information to a duly authorized investigative or law enforcement
officer--
`(A) upon the application by an attorney for the Government
that--
`(i) is made under oath or affirmation by the attorney for the
Government; and
`(ii) provides a factual basis establishing the relevance that
the plaintext or decryption information being sought has to a law
enforcement, foreign counterintelligence, or international terrorism
investigation then being conducted pursuant to lawful authorities;
and
`(B) if the court finds, in writing, that the plaintext or
decryption information being sought is relevant to an ongoing lawful law
enforcement, foreign counterintelligence, or international terrorism
investigation and the investigative or law enforcement officer is entitled
to such plaintext or decryption information.
`(2) The order issued by the court under this section shall be
placed under seal, except that a copy may be made available to the
investigative or law enforcement officer authorized to obtain access to the
plaintext of the encrypted information, or authorized to obtain the decryption
information sought in the application. Such order shall, subject to the
notification procedures set forth in section 2804, also be made available to
the person responsible for providing the plaintext or the decryption
information, pursuant to such order, to the investigative or law enforcement
officer.
`(3) Disclosure of an application made, or order issued, under this
section, is not authorized, except as may otherwise be specifically permitted
by this section or another order of the court.
`(b) RECORD OF ACCESS REQUIRED- (1) There shall be created an
electronic record, or similar type record, of each instance in which an
investigative or law enforcement officer, pursuant to an order under this
section, gains access to the plaintext of otherwise encrypted information, or
is provided decryption information, without the knowledge or consent of the
owner of the data, including communications, who is the user of the encryption
product involved.
`(2) The court issuing the order under this section may require
that the electronic or similar type of record described in paragraph (1) is
maintained in a place and a manner that is not within the custody or control
of an investigative or law enforcement officer gaining the access or provided
the decryption information. The record shall be tendered to the court, upon
notice from the court.
`(3) The court receiving such electronic or similar type of record
described in paragraph (1) shall make the original and a certified copy of the
record available to the attorney for the Government making application under
this section, and to the attorney for, or directly to, the owner of the data,
including communications, who is the user of the encryption product, pursuant
to the notification procedures set forth in section 2804.
`(c) AUTHORITY TO INTERCEPT COMMUNICATIONS NOT INCREASED- Nothing
in this chapter shall be construed to enlarge or modify the circumstances or
procedures under which a Government entity is entitled to intercept or obtain
oral, wire, or electronic communications or information.
`(d) CONSTRUCTION- This chapter shall be strictly construed to
apply only to a Government entity's ability to decrypt data, including
communications, for which it has previously obtained lawful authority to
intercept or obtain pursuant to other lawful authorities, which without an
order issued under this section would otherwise remain encrypted.
`Sec. 2804. Notification procedures
`(a) IN GENERAL- Within a reasonable time, but not later than 90
days after the filing of an application for an order under section 2803 which
is granted, the court shall cause to be served, on the persons named in the
order or the application, and such other parties whose decryption information
or whose plaintext has been provided to an investigative or law enforcement
officer pursuant to this chapter, as the court may determine is in the
interest of justice, an inventory which shall include notice of--
`(1) the fact of the entry of the order or the
application;
`(2) the date of the entry of the application and issuance of the
order; and
`(3) the fact that the person's decryption information or
plaintext data, including communications, has been provided or accessed by
an investigative or law enforcement officer.
The court, upon the filing of a motion, may make available to that
person or that person's counsel, for inspection, such portions of the
plaintext, applications, and orders as the court determines to be in the
interest of justice.
`(b) POSTPONEMENT OF INVENTORY FOR GOOD CAUSE- (1) On an ex parte
showing of good cause by an attorney for the Government to a court of
competent jurisdiction, the serving of the inventory required by subsection
(a) may be postponed for an additional 30 days after the granting of an order
pursuant to the ex parte motion.
`(2) No more than 3 ex parte motions pursuant to paragraph (1) are
authorized.
`(c) ADMISSION INTO EVIDENCE- The content of any encrypted
information that has been obtained pursuant to this chapter or evidence
derived therefrom shall not be received in evidence or otherwise disclosed in
any trial, hearing, or other proceeding in a Federal or State court, other
than the court organized pursuant to the Foreign Intelligence Surveillance Act
of 1978, unless each party, not less than 10 days before the trial, hearing,
or proceeding, has been furnished with a copy of the order, and accompanying
application, under which the decryption or access to plaintext was authorized
or approved. This 10-day period may be waived by the court if the court finds
that it was not possible to furnish the party with the information described
in the preceding sentence within 10 days before the trial, hearing, or
proceeding and that the party will not be prejudiced by the delay in receiving
such information.
`(d) CONSTRUCTION- The provisions of this chapter shall be
construed consistent with--
`(1) the Classified Information Procedures Act (18 U.S.C. App.);
and
`(2) the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C.
1801 et seq.).
`(e) CONTEMPT- Any violation of the provisions of this section may
be punished by the court as a contempt thereof.
`(f) MOTION TO SUPPRESS- Any aggrieved person in any trial,
hearing, or proceeding in or before any court, department, officer, agency,
regulatory body, or other authority of the United States or a State, other
than the court organized pursuant to the Foreign Intelligence Surveillance Act
of 1978, may move to suppress the contents of any decrypted data, including
communications, obtained pursuant to this chapter, or evidence derived
therefrom, on the grounds that --
`(1) the plaintext was decrypted or accessed in violation of this
chapter;
`(2) the order of authorization or approval under which it was
decrypted or accessed is insufficient on its face; or
`(3) the decryption was not made in conformity with the order of
authorization or approval.
Such motion shall be made before the trial, hearing, or proceeding
unless there was no opportunity to make such motion, or the person was not
aware of the grounds of the motion. If the motion is granted, the plaintext of
the decrypted data, including communications, or evidence derived therefrom,
shall be treated as having been obtained in violation of this chapter. The
court, upon the filing of such motion by the aggrieved person, may make
available to the aggrieved person or that person's counsel for inspection such
portions of the decrypted plaintext, or evidence derived therefrom, as the
court determines to be in the interests of justice.
`(g) APPEAL BY UNITED STATES- In addition to any other right to
appeal, the United States shall have the right to appeal from an order
granting a motion to suppress made under subsection (f), or the denial of an
application for an order under section 2803, if the attorney for the
Government certifies to the court or other official granting such motion or
denying such application that the appeal is not taken for purposes of delay.
Such appeal shall be taken within 30 days after the date the order was entered
on the docket and shall be diligently prosecuted.
`(h) CIVIL ACTION FOR VIOLATION- Except as otherwise provided in
this chapter, any person described in subsection (i) may, in a civil action,
recover from the United States Government the actual damages suffered by the
person as a result of a violation described in that subsection, reasonable
attorney's fees, and other litigation costs reasonably incurred in prosecuting
such claim.
`(i) COVERED PERSONS- Subsection (h) applies to any person whose
decryption information--
`(1) is knowingly obtained without lawful authority by an
investigative or law enforcement officer;
`(2) is obtained by an investigative or law enforcement officer
with lawful authority and is knowingly used or disclosed by such officer
unlawfully; or
`(3) is obtained by an investigative or law enforcement officer
with lawful authority and whose decryption information is unlawfully used to
disclose the plaintext of the data, including communications.
`(j) LIMITATION- A civil action under subsection (h) shall be
commenced not later than 2 years after the date on which the unlawful action
took place, or 2 years after the date on which the claimant first discovers
the violation, whichever is later.
`(k) EXCLUSIVE REMEDIES- The remedies and sanctions described in
this chapter with respect to the decryption of data, including communications,
are the only judicial remedies and sanctions for violations of this chapter
involving such decryptions, other than violations based on the deprivation of
any rights, privileges, or immunities secured by the Constitution.
`(l) TECHNICAL ASSISTANCE BY PROVIDERS- A provider of encryption
technology or network service that has received an order issued by a court
pursuant to this chapter shall provide to the investigative or law enforcement
officer concerned such technical assistance as is necessary to execute the
order. Such provider may, however, move the court to modify or quash the order
on the ground that its assistance with respect to the decryption or access to
plaintext cannot be performed in fact, or in a timely or reasonable fashion.
The court, upon notice to the Government, shall decide such motion
expeditiously.
`(m) REPORTS TO CONGRESS- In May of each year, the Attorney
General, or an Assistant Attorney General specifically designated by the
Attorney General, shall report in writing to Congress on the number of
applications made and orders entered authorizing Federal, State, and local law
enforcement access to decryption information for the purposes of reading the
plaintext of otherwise encrypted data, including communications, pursuant to
this chapter. Such reports shall be submitted to the Committees on the
Judiciary of the House of Representatives and of the Senate, and to the
Permanent Select Committee on Intelligence for the House of Representatives
and the Select Committee on Intelligence for the Senate.
`Sec. 2805. Lawful use of plaintext or decryption
information
`(a) AUTHORIZED USE OF DECRYPTION INFORMATION-
`(1) CRIMINAL INVESTIGATIONS- An investigative or law enforcement
officer to whom plaintext or decryption information is provided may only use
such plaintext or decryption information for the purposes of conducting a
lawful criminal investigation, foreign counterintelligence, or international
terrorism investigation, and for the purposes of preparing for and
prosecuting any criminal violation of law.
`(2) CIVIL REDRESS- Any plaintext or decryption information
provided under this chapter to an investigative or law enforcement officer
may not be disclosed, except by court order, to any other person for use in
a civil proceeding that is unrelated to a criminal investigation and
prosecution for which the plaintext or decryption information is authorized
under paragraph (1). Such order shall only issue upon a showing by the party
seeking disclosure that there is no alternative means of obtaining the
plaintext, or decryption information, being sought and the court also finds
that the interests of justice would not be served by
nondisclosure.
`(b) LIMITATION- An investigative or law enforcement officer may
not use decryption information obtained under this chapter to determine the
plaintext of any data, including communications, unless it has obtained lawful
authority to obtain such data, including communications, under other lawful
authorities.
`(c) RETURN OF DECRYPTION INFORMATION- An attorney for the
Government shall, upon the issuance of an order of a court of competent
jurisdiction--
`(1)(A) return any decryption information to the person
responsible for providing it to an investigative or law enforcement officer
pursuant to this chapter; or
`(B) destroy such decryption information, if the court finds that
the interests of justice or public safety require that such decryption
information should not be returned to the provider; and
`(2) within 10 days after execution of the court's order to
return or destroy the decryption information--
`(A) certify to the court that the decryption information has
either been returned or destroyed consistent with the court's order;
and
`(B) if applicable, notify the provider of the decryption
information of the destruction of such information.
`(d) OTHER DISCLOSURE OF DECRYPTION INFORMATION- Except as
otherwise provided in section 2803, decryption information or the plaintext of
otherwise encrypted data, including communications, shall not be disclosed by
any person unless the disclosure is--
`(1) to the person encrypting the data, including communications,
or an authorized agent thereof;
`(2) with the consent of the person encrypting the data,
including pursuant to a contract entered into with the
person;
`(3) pursuant to a court order upon a showing of compelling need
for the information that cannot be accommodated by any other means
if--
`(A) the person who supplied the information is given
reasonable notice, by the person seeking the disclosure, of the court
proceeding relevant to the issuance of the court order;
and
`(B) the person who supplied the information is afforded the
opportunity to appear in the court proceeding and contest the claim of the
person seeking the disclosure;
`(4) pursuant to a determination by a court of competent
jurisdiction that another person is lawfully entitled to hold such
decryption information, including determinations arising from legal
proceedings associated with the incapacity, death, or dissolution of any
person; or
`(5) otherwise permitted by law.
`Sec. 2806. Identification of decryption information
`(a) IDENTIFICATION- To avoid inadvertent disclosure of decryption
information, any person who provides decryption information to an
investigative or law enforcement officer pursuant to this chapter shall
specifically identify that part of the material that discloses decryption
information as such.
`(b) RESPONSIBILITY OF INVESTIGATIVE OR LAW ENFORCEMENT OFFICER-
The investigative or law enforcement officer receiving any decryption
information under this chapter shall maintain such information in a facility
and in a method so as to reasonably assure that inadvertent disclosure does
not occur.
`Sec. 2807. Definitions
`The definitions set forth in section 101 of the Encryption for the
National Interest Act shall apply to this chapter.'.
(b) CONFORMING AMENDMENT- The table of chapters for part I of title
18, United States Code, is amended by inserting after the item relating to
chapter 121 the following new item:
2801'.
TITLE II--GOVERNMENT PROCUREMENT
SEC. 201. FEDERAL PURCHASES OF ENCRYPTION PRODUCTS.
(a) DECRYPTION CAPABILITIES- The President may, consistent with the
provisions of subsection (b), direct that any encryption product or service
purchased or otherwise procured by the United States Government to provide the
security service of data confidentiality for a computer system owned and
operated by the United States Government shall include recoverability features
or functions that enable the timely decryption of encrypted data, including
communications, or timely access to plaintext by an authorized party without
the knowledge or cooperation of the person using such encryption products or
services.
(b) CONSISTENCY WITH INTELLIGENCE SERVICES AND MILITARY OPERATIONS-
The President shall ensure that all encryption products purchased or used by
the United States Government are supportive of, and consistent with, all
statutory obligations to protect sources and methods of intelligence
collection and activities, and supportive of, and consistent with, those needs
required for military operations and the conduct of foreign
policy.
SEC. 202. NETWORKS ESTABLISHED WITH FEDERAL FUNDS.
The President may direct that any communications network
established for the purpose of conducting the business of the Federal
Government shall use encryption products that--
(1) include features and functions that enable the timely
decryption of encrypted data, including communications, or timely access to
plaintext, by an authorized party without the knowledge or cooperation of
the person using such encryption products or services; and
(2) are supportive of, and consistent with, all statutory
obligations to protect sources and methods of intelligence collection and
activities, and supportive of, and consistent with, those needs required for
military operations and the conduct of foreign policy.
SEC. 203. GOVERNMENT CONTRACT AUTHORITY.
The President may require as a condition of any contract by the
Government with a private sector vendor that any encryption product used by
the vendor in carrying out the provisions of the contract with the Government
include features and functions that enable the timely decryption of encrypted
data, including communications, or timely access to plaintext, by an
authorized party without the knowledge or cooperation of the person using such
encryption products or services.
SEC. 204. PRODUCT LABELS.
An encryption product may be labeled to inform Government users
that the product is authorized for sale to or for use by Government agencies
or Government contractors in transactions and communications with the United
States Government under this title.
SEC. 205. NO PRIVATE MANDATE.
The United States Government may not require the use of encryption
standards for the private sector except as otherwise authorized by section
204.
SEC. 206. EXCLUSION.
Nothing in this title shall apply to encryption products and
services used solely for access control, authentication, integrity,
nonrepudiation, digital signatures, or other similar purposes.
TITLE III--EXPORTS OF ENCRYPTION
SEC. 301. EXPORTS OF ENCRYPTION.
(a) AUTHORITY TO CONTROL EXPORTS- The President shall control the
export of all dual-use encryption products.
(b) AUTHORITY TO DENY EXPORT FOR NATIONAL SECURITY REASONS-
Notwithstanding any provision of this title, the President may deny the export
of any encryption product on the basis that its export is contrary to the
national security.
(c) DECISIONS NOT SUBJECT TO JUDICIAL REVIEW- Any decision made by
the President or his designee with respect to the export of encryption
products under this title shall not be subject to judicial review.
SEC. 302. LICENSE EXCEPTION FOR CERTAIN ENCRYPTION
PRODUCTS.
(a) LICENSE EXCEPTION- Upon the enactment of this Act, any
encryption product with an encryption strength of 64 bits or less shall be
eligible for export under a license exception if--
(1) such encryption product is submitted for a 1-time technical
review;
(2) such encryption product does not require licensing under
otherwise applicable regulations;
(3) such encryption product is not intended for a country, end
user, or end use that is by regulation ineligible to receive such product,
and the encryption product is otherwise qualified for export;
(4) the exporter, within 180 days after the export of the
product, submits a certification identifying--
(A) the intended end use of the product; and
(B) the name and address of the intended recipient of the
product, where available;
(5) the exporter, within 180 days of the export of the product,
provides the names and addresses of its distribution chain partners;
and
(6) the exporter, at the time of submission of the product for
technical review, provides proof that its distribution chain partners have
contractually agreed to abide by all laws and regulations of the United
States concerning the export and reexport of encryption products designed or
manufactured within the United States.
(b) ONE-TIME TECHNICAL REVIEW- (1) The technical review referred to
in subsection (a) shall be completed within no longer than 45 days after the
submission of all of the information required under paragraph (2).
(2) The President shall specify the information that must be
submitted for the 1-time technical review referred to in this
section.
(3) An encryption product may not be exported during the technical
review of that product under this section.
(c) PERIODIC REVIEW OF LICENSE EXCEPTION ELIGIBILITY LEVEL- (1) Not
later than 180 days after the date of the enactment of this Act, the President
shall notify the Congress of the maximum level of encryption strength, which
may not be lower than 64-bit, that may be exported from the United States
under license exception pursuant to this section consistent with the national
security.
(2) The President shall, at the end of each successive 180-day
period after the notice provided to the Congress under paragraph (1), notify
the Congress of the maximum level of encryption strength, which may not be
lower than that in effect under this section during that 180-day period, that
may be exported from the United States under a license exception pursuant to
this section consistent with the national security.
(d) FACTORS NOT TO BE CONSIDERED- A license exception for the
exports of an encryption product under this section may be allowed whether or
not the product contains a method of decrypting encrypted data.
SEC. 303. DISCRETIONARY AUTHORITY.
Notwithstanding the requirements of section 305, the President may
permit the export, under a license exception pursuant to the conditions of
section 302, of encryption products with an encryption strength exceeding the
maximum level eligible for a license exception under section 302, if the
export is consistent with the national security.
SEC. 304. EXPEDITED REVIEW AUTHORITY.
The President shall establish procedures for the expedited review
of commodity classification requests, or export license applications,
involving encryption products that are specifically approved, by regulation,
for export.
SEC. 305. ENCRYPTION LICENSES REQUIRED.
(a) UNITED STATES PRODUCTS EXCEEDING CERTAIN BIT LENGTH- Except as
permitted under section 303, in the case of all encryption products with an
encryption strength exceeding the maximum level eligible for a license
exception under section 302, which are designed or manufactured within the
United States, the President may grant a license for export of such encryption
products, under the following conditions:
(1) There shall not be any requirement, as a basis for an export
license, that a product contains a method of--
(A) gaining timely access to plaintext; or
(B) gaining timely access to decryption
information.
(2) The export license applicant shall submit--
(A) the product for technical review;
(B) a certification, under oath,
identifying--
(i) the intended end use of the product;
and
(ii) the expected end user or class of end users of the
product;
(C) proof that its distribution chain partners have
contractually agreed to abide by all laws and regulations of the United
States concerning the export and reexport of encryption products designed
or manufactured within the United States; and
(D) the names and addresses of its distribution chain
partners.
(b) TECHNICAL REVIEW FOR LICENSE APPLICANTS- (1) The technical
review described in subsection (a)(3)(A) shall be completed within 45 days
after the submission of all the information required under paragraph
(2).
(2) The information to be submitted for the technical review shall
be the same as that required to be submitted pursuant to section
302(b)(2).
(3) An encryption product may not be exported during the technical
review of that product under this section.
(c) POST-EXPORT REPORTING-
(1) UNAUTHORIZED USE- All exporters of encryption products that
are designed or manufactured within the United States shall submit a report
to the Secretary at any time the exporter has reason to believe any such
exported product is being diverted to a use or a user not approved at the
time of export.
(2) PIRATING- All exporters of encryption products that are
designed or manufactured within the United States shall report any pirating
of their technology or intellectual property to the Secretary as soon as
practicable after discovery.
(3) DISTRIBUTION CHAIN PARTNERS- All exporters of encryption
products that are designed or manufactured within the United States, and all
distribution chain partners of such exporters, shall submit to the Secretary
a report which shall specify--
(A) the particular product sold;
(B) the name and address of--
(i) the ultimate end user of the product, if known;
or
(ii) the name and address of the next purchaser in the
distribution chain; and
(C) the intended use of the product sold.
(d) EXERCISE OF OTHER AUTHORITIES- The Secretary, the Secretary of
Defense, and the Secretary of State may exercise the authorities they have
under other provisions of law, including the Export Administration Act of
1979, as continued in effect under the International Emergency Economic Powers
Act, to carry out this title.
(1) IN GENERAL- The President may by Executive order waive any
provision of this title, or the applicability of any such provision to a
person or entity, if the President determines that the waiver is necessary
to advance the national security. The President shall, not later than 15
days after making such determination, submit a report to the committees
referred to in paragraph (2) that includes the factual basis upon which such
determination was made. The report may be in classified
format.
(2) COMMITTEES- The committees referred to in paragraph (1) are
the Committee on International Relations, the Committee on Armed Services,
and the Permanent Select Committee on Intelligence of the House of
Representatives, and the Committee on Foreign Relations, the Committee on
Armed Services, and the Select Committee on Intelligence of the
Senate.
(3) DECISIONS NOT SUBJECT TO JUDICIAL REVIEW- Any determination
made by the President under this subsection shall not be subject to judicial
review.
SEC. 306. ENCRYPTION INDUSTRY AND INFORMATION SECURITY
BOARD.
(a) ENCRYPTION INDUSTRY AND INFORMATION SECURITY BOARD ESTABLISHED-
There is hereby established an Encryption Industry and Information Security
Board. The Board shall undertake an advisory role for the
President.
(b) PURPOSES- The purposes of the Board are--
(1) to provide a forum to foster communication and coordination
between industry and the Federal Government on matters relating to the use
of encryption products;
(2) to enable the United States to effectively and continually
understand the benefits and risks to its national security, law enforcement,
and public safety interests by virtue of the proliferation of strong
encryption on the global market;
(3) to evaluate and make recommendations regarding the further
development and use of encryption;
(4) to advance the development of international standards
regarding interoperability and global use of encryption
products;
(5) to promote the export of encryption products manufactured in
the United States;
(6) to recommend policies enhancing the security of public
networks;
(7) to encourage research and development of products that will
foster electronic commerce;
(8) to promote the protection of intellectual property and
privacy rights of individuals using public networks; and
(9) to evaluate the availability and market share of foreign
encryption products and their threat to United States
industry.
(c) MEMBERSHIP- (1) The Board shall be composed of 12 members, as
follows:
(A) The Secretary, or the Secretary's designee.
(B) The Attorney General, or his or her designee.
(C) The Secretary of Defense, or the Secretary's
designee.
(D) The Director of Central Intelligence, or his or her
designee.
(E) The Director of the Federal Bureau of Investigation, or his
or her designee.
(F) The Special Assistant to the President for National Security
Affairs, or his or her designee, who shall chair the Board.
(G) Six representatives from the private sector who have
expertise in the development, operation, marketing, law, or public policy
relating to information security or technology. Members under this
subparagraph shall each serve for 5-year terms.
(2) The six private sector representatives described in paragraph
(1)(G) shall be appointed as follows:
(A) Two by the Speaker of the House of
Representatives.
(B) One by the Minority Leader of the House of
Representatives.
(C) Two by the Majority Leader of the Senate.
(D) One by the Minority Leader of the Senate.
(e) MEETINGS- The Board shall meet at such times and in such places
as the Secretary may prescribe, but not less frequently than every four
months. The Federal Advisory Committee Act (5 U.S.C. App.) does not apply to
the Board or to meetings held by the Board under this section.
(f) FINDINGS AND RECOMMENDATIONS- The chair of the Board shall
convey the findings and recommendations of the Board to the President and to
the Congress within 30 days after each meeting of the Board. The
recommendations of the Board are not binding upon the President.
(g) LIMITATION- The Board shall have no authority to review any
export determination made pursuant to this title.
(h) FOREIGN AVAILABILITY- The consideration of foreign availability
by the Board shall include computer software that is distributed over the
Internet or advertised for sale, license, or transfer, including
over-the-counter retail sales, mail order transactions, telephone order
transactions, electronic distribution, or sale on approval and its
comparability with United States products and its use in United States and
foreign markets.
(i) TERMINATION- This section shall cease to be effective 10 years
after the date of the enactment of this Act.
TITLE IV--LIABILITY LIMITATIONS
SEC. 401. COMPLIANCE WITH COURT ORDER.
(a) NO LIABILITY FOR COMPLIANCE- Subject to subsection (b), no
civil or criminal liability under this Act, or under any other provision of
law, shall attach to any person for disclosing or providing--
(1) the plaintext of encrypted data, including
communications;
(2) the decryption information of such encrypted data, including
communications; or
(3) technical assistance for access to the plaintext of, or
decryption information for, encrypted data, including
communications.
(b) EXCEPTION- Subsection (a) shall not apply to a person who
provides plaintext or decryption information to another in violation of the
provisions of this Act.
SEC. 402. COMPLIANCE DEFENSE.
Compliance with the provisions of sections 2803, 2804, 2805, or
2806 of title 18, United States Code, as added by section 103(a) of this Act,
or any regulations authorized by this Act, shall provide a complete defense
for any civil action for damages based upon activities covered by this Act,
other than an action founded on contract.
SEC. 403. GOOD FAITH DEFENSE.
An objectively reasonable reliance on the legal authority provided
by this Act and the amendments made by this Act, authorizing access to the
plaintext of otherwise encrypted data, including communications, or to
decryption information that will allow the timely decryption of data,
including communications, that is otherwise encrypted, shall be an affirmative
defense to any criminal or civil action that may be brought under the laws of
the United States or any State.
TITLE V--INTERNATIONAL AGREEMENTS
SEC. 501. SENSE OF CONGRESS.
It is the sense of Congress that--
(1) the President should conduct negotiations with foreign
governments for the purposes of establishing binding export control
requirements on strong nonrecoverable encryption products;
and
(2) such agreements should safeguard the privacy of the citizens
of the United States, prevent economic espionage, and enhance the
information security needs of the United States.
SEC. 502. FAILURE TO NEGOTIATE.
The President may consider a government's refusal to negotiate
agreements described in section 501 when considering the participation of the
United States in any cooperation or assistance program with that
country.
SEC. 503. REPORT TO CONGRESS.
(a) REPORT TO CONGRESS- The President shall report annually to the
Congress on the status of the international effort outlined by section
501.
(b) FIRST REPORT- The first report required under subsection (a)
shall be submitted in unclassified form no later than September 1,
2000.
TITLE VI--MISCELLANEOUS PROVISIONS
SEC. 601. EFFECT ON LAW ENFORCEMENT ACTIVITIES.
(a) COLLECTION OF INFORMATION BY ATTORNEY GENERAL- The Attorney
General shall compile, and maintain in classified form, data on--
(1) the instances in which encryption has interfered with,
impeded, or obstructed the ability of the Department of Justice to enforce
the laws of the United States; and
(2) the instances where the Department of Justice has been
successful in overcoming any encryption encountered in an
investigation.
(b) AVAILABILITY OF INFORMATION TO THE CONGRESS- The information
compiled under subsection (a), including an unclassified summary thereof,
shall be submitted to Congress annually beginning October 1, 2000.
SEC. 602. INTERPRETATION.
Nothing contained in this Act or the amendments made by this Act
shall be deemed to--
(1) preempt or otherwise affect the application of the Arms
Export Control Act (22 U.S.C. 2751 et seq.), the Export Administration Act
of 1979 (50 U.S.C. App. 2401 et seq.), or the International Emergency
Economic Powers Act (50 U.S.C. 1701 et seq.) or any regulations promulgated
thereunder;
(2) affect foreign intelligence activities of the United States;
or
(3) negate or diminish any intellectual property protections
under the laws of the United States or of any State.
SEC. 603. FBI TECHNICAL SUPPORT.
There are authorized to be appropriated for the Technical Support
Center in the Federal Bureau of Investigation, established pursuant to section
811(a)(1) of the Antiterrorism and Effective Death Penalty Act of 1996 (Public
Law 104-132)--
(1) $25,000,000 for fiscal year 2000 for building and personnel
costs;
(2) $20,000,000 for fiscal year 2001 for personnel and equipment
costs;
(3) $15,000,000 for fiscal year 2002; and
(4) $15,000,000 for fiscal year 2003.
SEC. 604. SEVERABILITY.
If any provision of this Act or the amendments made by this Act, or
the application thereof, to any person or circumstances is held invalid by a
court of the United States, the remainder of this Act or such amendments, and
the application thereof, to other persons or circumstances shall not be
affected thereby.
Amend the title so as to read: `A bill to protect national security and
public safety through the balanced use of export controls on encryption
products.'.
END