27 September 1997: Link to FBI Technical Assistance Draft

24 September 1997: Link to House Intel Committee report on SAFE (194K)

13 September 1997
Source: Hardcopy from Declan McCullagh <declan@well.com> of Time Magazine

See summary of amendment by McCullagh: http://jya.com/declan7.htm

See Netly News column by McCullagh: http://cgi.pathfinder.com/netly/opinion/0,1042,1385,00.html


From: Congressional Record: September 11, 1997 (Digest)
 
                        House of Representatives

Committee Meetings

SECURITY AND FREEDOM THROUGH ENCRYPTION (SAFE) ACT

Permanent Select Committee on Intelligence: Met in executive session 
and ordered reported amended H.R. 695, Security and Freedom Through 
Encryption (SAFE) Act.


Header all pages: F:\SLS\SECURE.002  H.L.C.
Footer all pages: September 10, 1997 (9:06 p.m.)


AMENDMENT IN THE NATURE OF A SUBSTITUTE

TO H.R. 695

OFFERED BY MR. GOSS AND MR. DICKS

Strike all after the enacting clause and insert the following:

SECTION 1. SHORT TITLE; TABLE OF CONTENTS

(a) Short Title. -- This act may be cited as the "Security and Freedom Through Encryption ('SAFE') Act of 1997".

(b) Table of Contents. -- The table of contents is as follows:

Sec. 1. Short title; table of contents.

Sec. 2. Statement of policy.

TITLE I -- DOMESTIC USES OF ENCRYPTION

Sec. 101. Definitions.

Sec. 102. Lawful use of encryption.

Sec. 103. Voluntary private sector participation in key management infrastructure.

Sec. 104. Unlawful use of encryption.

TITLE II -- GOVERNMENT PROCUREMENT

Sec. 201. Federal purchases of encryption products.

Sec. 202. Encryption products purchased with Federal funds.

Sec. 203. Networks established with Federal funds.

Sec. 204. Product labels.

Sec. 205. No private mandate.

Sec. 206. Implementation.

TITLE III -- EXPORTS OF ENCRYPTION

Sec. 301. Exports of encryption.

Sec. 302. License exception for certain encryption products.

Sec. 303. License exception for telecommunications products.

Sec. 304. Review for certain institutions.

Sec. 305. Encryption industry and information security board.

TITLE IV -- LIABILITY LIMITATIONS

Sec. 401. Compliance with court order.


Sec. 402. Compliance Defense.

Sec. 403. Reasonable Care Defense.

Sec. 404. Good Faith Defense.

Sec. 405. Sovereign Immunity.

Sec. 406. Civil Action, Generally.

TITLE V -- INTERNATIONAL AGREEMENTS

Sec. 501. Sense of Congress.

Sec. 502. Failure to Negotiate.

Sec. 503. Report to Congress.

TITLE VI -- MISCELLANEOUS PROVISIONS

Sec. 601. Effect on Law Enforcement Activities.

Sec. 602. Interpretation.

Sec. 603. Severability.


Amendment to the Amendment, Mr. Skaggs #1

Amendment to the Amendment, Mr. Skaggs #2

Amendment to the Amendment, Mr. Gibbons

SEC. 2. STATEMENT OF POLICY

It is the policy of the United States to protect public computer networks through the use of strong encryption technology, to promote and improve the export of encryption products developed and manufactured in the United States, and to preserve public safety and national security.

TITLE I -- DOMESTIC USES OF ENCRYPTION

SEC. 101. DEFINITIONS

For purposes of this Act:

(1) ATTORNEY FOR THE GOVERNMENT. -- The term "attorney for the Government" has the meaning given such term in Rule 54(c) of the Federal Rules of Criminal Procedure, and also includes any duly authorized attorney of a State who is authorized to prosecute criminal offenses within such State.


(2) COMMUNICATIONS.-- The term "communications" means any wire communications or electronic communications as those terms are defined in paragraphs (1) and (12) of section 2510 of title 18, United States Code.

(3) COURT OF COMPETENT JURISDICTION.-- The term "court of competent jurisdiction" means any court of the United States organized under Article III of the Constitution of the United States, the court organized under the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.), or a court of general criminal jurisdiction of a State authorized pursuant to the laws of such State to enter orders authorizing searches and seizures.

(4) DATA NETWORK SERVICE PROVIDER.-- The term "data network service provider" means a person offering any service to the general public that provides the users thereof with the ability to transmit or receive data, including communications.

(5) DECRYPTION.-- The term "decryption" means the retransformation or unscrambling of encrypted data, including communications, to its readable plaintext version. To "decrypt" data, including communications, is to perform decryption.


(6) DECRYPTION INFORMATION.-- The term "decryption information" means information or technology that enables one to readily retransform or unscramble encrypted data from its unreadable and incomprehensible format to its readable plaintext version.

(7) ELECTRONIC STORAGE.-- The term "electronic storage" has the meaning given that term in section 2510(17) of title 18, United States Code.

(8) ENCRYPTION.-- The term "encryption" means the transformation or scrambling of data, including communications, from plaintext to an unreadable or incomprehensible format, regardless of the technique utilized for such transformation or scrambling and irrespective of the medium in which such data, including communications, occur or can be found, for the purposes of protecting the content of such data, including communications. To "encrypt" data, including communications, is to perform encryption.

(9) ENCRYPTION PRODUCT.-- The term "encryption product" means any software, technology, or mechanism, that be used to encrypt or decrypt, or has the capability of encrypting or decrypting any data, including communications.


(10) FOREIGN AVAILABILITY.-- The term "foreign availability" has the meaning applied to foreign availability of encryption products subject to controls under the Export Administration Regulations, as in effect on September 1, 1997.

(11) GOVERNMENT.-- The term "Government" means the Government of the United States and any agency or instrumentality thereof, or the government of any State.

(12) INVESTIGATIVE OR LAW ENFORCEMENT OFFICER.-- The term "investigative or law enforcement officer" has the meaning given that term in section 2510(7) of title 18, United States Code.

(13) NATIONAL SECURITY.-- The term "national security" means the national defense, foreign relations, or economic interests of the United States.

(14) PLAINTEXT.-- The term "plaintext" means the readable or comprehensible format of data, including communications, prior to its being encrypted or after it has been decrypted.

(15) PLAINVOICE.-- The term "plainvoice" means communication specific plaintext.

(16) SECRETARY.-- The term "secretary" means the Secretary of Commerce, unless otherwise specifically identified.


(17) STATE.-- The term "State" has the meaning given that term in section 2510(3) of title 18, United States Code.

(18) TELECOMMUNICATIONS CARRIER.-- The term "telecommunications carrier" has the meaning given that term in section 102(8) of the Communications Assistance for Law Enforcement Act (47 U.S.C. 1001(8)).

(19) TELECOMMUNICATIONS SYSTEM.-- The term "telecommunications system" means any equipment, technology, or related software used in the movement, switching, interchange, transmission, reception, or internal signaling of data, including communications over wire, fiber optic, radio frequency, or other medium.

(20) UNITED STATES PERSON.-- The term "United States Person" means --

(A) any citizen of the United States;

(B) any other person organized under the laws of any State; and

(C) any person organized under the laws of any foreign country who is owned or controlled by individuals or persons described in subparagraphs (A) and (B).


SEC. 102. LAWFUL USE OF ENCRYPTION.

Except as otherwise provided by this Act or otherwise provided by law, it shall be lawful for any person within any State and for any United States person to use any encryption, regardless of encryption algorithm selected, encryption key length chosen, or implementation technique or medium used.

SEC. 103. VOLUNTARY PRIVATE SECTOR PARTICIPATION IN KEY MANAGEMENT INFRASTRUCTURE

(a) USE IS VOLUNTARY.-- The use of registered certificate authorities or key recovery agents is voluntary.

(b) REGULATIONS.-- The Secretary shall promulgate regulations establishing standards for creating key management infrastructures. Such regulations should--

(1) allow for the voluntary participation by private persons and non-Federal entities; and

(2) promote the development of certificate authorities and key recovery agents.

(c) REGISTRATION OF CERTIFICATE AUTHORITIES AND KEY RECOVERY AGENTS.-- Certificate authorities and key recovery agents meeting the standards established by the Secretary may be registered by the Secretary if they so choose, and may identify themselves as meeting the standards of the Secretary.


SEC. 104. UNLAWFUL USE OF ENCRYPTION.

(a) In General. -- Part I of title 18, United States Code, is amended by inserting after chapter 121 the following new chapter:

"CHAPTER 122 -- ENCRYPTED DATA, INCLUDING

COMMUNICATIONS

"Sec.

"2801. Unlawful use of encryption in furtherance of a criminal act.

"2802. Privacy protection.

"2803. Unlawful sale of encryption.

"2804. Encryption products manufactured and intended for use in the United States.

"2805. Injunctive relief and proceedings.

"2806. Court order access to plaintext.

"2807. Notification procedures.

"2808. Lawful use of plaintext or decryption information.

"2809. Identification of decryption information.

"2810. Unlawful export of certain encryption products.

"2811. Definitions.

"§ 2801. Unlawful use of encryption in furtherance of a criminal act

"(a) Prohibited Acts. -- Whoever knowingly uses encryption in furtherance of the commission of a criminal offense for which the person may be prosecuted in a district court of the United States shall --
"(1) in the case of a first offense under this section, shall be imprisoned for not more than 5 years, or fined under this title, or both; and

"(2) in the case of a second or subsequent offense under this section, shall be imprisoned for not more than 10 years, or fined under this title, or both.


"(b) CONSECUTIVE SENTENCE.-- Notwithstanding any other provision of law, the court shall not place on probation any person convicted of a violation of this section, nor shall the term of imprisonment imposed under this section run concurrently with any other term of imprisonment imposed for the underlying criminal offense.

"(c) PROBABLE CAUSE NOT CONSTITUTED BY USE OF ENCRYPTION.-- The use of encryption alone shall not constitute probable cause to believe that a crime is being or has been committed.

"§ 2802. Privacy protection

"(a) IN GENERAL.-- It shall be unlawful for any person to intentionally--

"(1) obtain or use decryption information without lawful authority for the purpose of decrypting data, including communications;

"(2) exceed lawful authority in decrypting data, including communications;

"(3) break the encryption code of another person without lawful authority for the purpose of violating the privacy or security of that person or depriving that person of any property rights;

"(4) impersonate another person for the purpose of obtaining decryption information of that person without lawful authority;


"(5) facilitate or assists in the encryption of data, including communications, knowing that such data, including communications, are to be used in furtherance of a crime; or

"(6) disclose decryption information in violation of a provision of this chapter.

"(b) CRIMINAL PENALTY.-- Whoever violated this section shall be imprisoned not more that 10 years, fined under this title, or both.

"§ 2803. Unlawful sale of encryption

"Whoever sells in interstate or foreign commerce any encryption product that does not include features or functions permitting duly authorized persons immediate access to plaintext or immediate decryption capabilities shall be imprisoned for not more than 5 years, fined under this title, or both.

"§ 2804. Encryption products manufactured and intended for use in the United States

"(a) PUBLIC NETWORK SERVICE PROVIDERS.-- Not later than January 31, 2000, public network service providers offering encryption products or encryption services shall ensure that such products or services enable the immediate decryption or access to plaintext of the data, including communications, encrypted by such products or


11

services on the public network upon receipt of a court order or warrant, pursuant to section 2806.

"(b) MANUFACTURERS, DISTRIBUTORS, AND IMPORTERS.-- Not later than January 31, 2000, it shall be unlawful for any person to manufacture for distribution, distribute, or import encryption products intended for sale or use in the United States, unless that product--

"(1) includes features or functions that provide an immediate access to plaintext capability, through any means, mechanism, or technological method that--

"(A) permits immediate decryption of the encrypted data, including communications, upon the receipt of decryption information by an authorized party in possession of a facially valid order issued by a court of competent jurisdiction; and

"(B) allows the decryption of encrypted data, including communications, without the knowledge or cooperation of the person being investigated, subject to the requirements set forth in section 2806; or

"(2) can be used only on systems or networks that include features or functions that provide an immediate access to plaintext capability, through


12

any means, mechanism, or technological method that--

"(A) permits immediate decryption of the encrypted data, including communications, upon the receipt of decryption information by an authorized party in possession of a facially valid order issued by a court of competent jurisdiction; and

"(B) allows the decryption of encrypted data, including communications, without the knowledge or cooperation of the person being investigated, subject to the requirements set forth in section 2806; or

"(3) otherwise meets the technical requirements and functional criteria promulgated by the Attorney General under subsection (c).

"(c) ATTORNEY GENERAL CRITERIA.--
"(1) PUBLICATION OF REQUIREMENTS.-- Within 180 days after the date of the enactment of this chapter, the Attorney General shall publish in the Federal Register technical requirements and functional criteria for complying with the decryption requirements set forth in this section.

"(2) PROCEDURES FOR ADVISORY OPINIONS.-- Within 180 days after the date of the enactment of


13

this chapter, the Attorney General shall promulgate procedures by which data network service providers and encryption product manufacturers, sellers, resellers, distributors, and importers may obtain advisory opinions as to whether an encryption product intended for sale or use in the United States after January 1, 2000, meets the requirements and functional criteria promulgated pursuant to paragraph (1).

"(3) PARTICULAR METHODOLOGY NOT REQUIRED.-- Nothing in this chapter or any other provision of law shall be construed as requiring the implementation of any particular decryption methodology in order to satisfy the requirements of subsection (a) and (b) of this section, or the technical requirements and functional criteria required by the Attorney General under paragraph (1).

"(d) USE OF PRIOR PRODUCTS LAWFUL.-- After January 31, 2000, it shall not be unlawful to use any encryption product purchased or in use prior to such date.

"§ 2805. Injunctive relief and proceedings

"(a) INJUNCTION.-- Whenever it appears to the Secretary or the Attorney General that any person is engaged in, or is about to engage in, any act that constitutes, or


14

would constitute, a violation of section 2804, the Attorney General may initiate a civil action in a district court of the United States to enjoin such violation. Upon the filing of the complaint seeking injunctive relief by the Attorney General, the court shall automatically issue a temporary restraining order against the party being sued.

"(b) BURDEN OF PROOF.-- In a suit brought by the Attorney General under subsection (a), the burden shall be upon the Government to establish by a preponderance of the evidence that the encryption product to be manufactured and distributed for use in the United States does not comport with the requirements set forth by the Attorney General pursuant to section 2804 providing for immediate access to plaintext by Federal, State, or local authorities.

"(c) CLOSING OF PROCEEDINGS.--

"(1) Upon motion of the party against whom injunction is being sought--
"(A) any or all of the proceedings under this section shall be closed to the public; and

"(B) public disclosure of the proceedings shall be treated as contempt of court.

"(2) Upon a written finding by the court that public disclosure of information relevant to the prosecution of the injunction or relevant to a determination of the factual or legal issues raised in the case would cause irreparable


15

or financial harm to the party against whom the suit is brought, or would otherwise disclose proprietary information of any party to the case, all proceedings shall be closed to members of the public, except the parties to the suit, and all transcripts, motions, and orders shall be placed under seal to protect their disclosure to the general public.

"(d) ADVISORY OPINION AS DEFENSE.-- It is an absolute defense to a suit under this subsection that the party against whom suit is brought obtained an advisory opinion from the Attorney General pursuant to section 2804(c) and that the product at issue in the suite comports in every aspect with the requirements announced in such advisory opinion.

"(e) BASIS FOR PERMANENT INJUNCTION.-- The court shall issue a permanent injunction against the distribution of, and any future manufacture of, the product at issue in the suit filed under subsection (a) if the court finds by a preponderance of the evidence that the product does not meet the requirements set forth by the Attorney General pursuant to section 2804 providing for immediate access to plaintext by Federal, State, or local authorities.

"(f) APPEALS.-- Either party may appeal, to the appellate court with jurisdiction of the case, any adverse ruling by the district court entered pursuant to this section.


16

For the purposes appeal, the parties shall be governed by the Federal Rules of Appellate Procedure, except that the Government shall file its notice of appeal not later than 30 days after the entry of the final order on the docket of the district court. the appeal of such matter shall be considered on an expedited basis and resolved as soon as practicable.

"§ 2806. Court order access to plaintext

"(a) COURT ORDER.--
"(1) A court of competent jurisdiction shall issue an order, ex parte, granting an investigative or law enforcement officer access to the plaintext of encrypted data, including communications, or requiring any person in possession of decryption information to provide such information to a duly authorized investigative or law enforcement officer--
"(A) upon the application by an attorney for the Government that--
"(i) is made under oath or affirmation by the attorney for the Government; and

"(ii) provides a factual basis establishing the relevance of the plaintext, or decryption information, being sought has to a law enforcement or foreign counterintelligence investigation then being conducted pursuant to lawful authorities; and


"(B) if the court finds , in writing, that the plaintext or decryption information being sought is relevant to an ongoing lawful law enforcement or foreign counterintelligence investigation and the investigative or law enforcement officer is entitled to such plaintext or decryption information.

"(2) The order issued by the court under this section shall be placed under seal, except that a copy may be made available to the investigative or law enforcement officer authorized to obtain access to the plaintext of the encrypted information, or authorized to obtain the decryption information sought in the application. Such order shall also be made available to the person responsible for providing the plaintext or the decryption information, pursuant to such order, to the investigative or law enforcement officer.

"(3) Disclosure of an application made, or order issued, under this section, is not authorized, except as may otherwise be specifically permitted by this section or another order of the court.

"(b) OTHER ORDERS.--
"(1) An attorney for the Government may apply to a court of competent jurisdiction for a warrant or order, including the court established by the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.), to obtain immediate access to the plaintext of encrypted data, including communications, or to obtain decryption information that will allow for immediate decryption of encrypted data, including communications.

"(2) An attorney for the Government may make application to a district court of the United States to obtain access to the plaintext of encrypted data, including communications, or to obtain decryption information that will allow for immediate decryption of encrypted data, including communications upon a request from a foreign country pursuant to a Mutual Legal Assistance Treaty with such country that is in effect at the time of the request from such country.

[Insert Mr. Skaggs #1 amendment*]

"(c) AUTHORITY TO INTERCEPT COMMUNICATIONS NOT INCREASED.-- Nothing in this chapter shall be construed to enlarge or modify the circumstances or procedures under which a Government entity is entitled to intercept or obtain oral, wire, or electronic communications or information.

"(d) CONSTRUCTION.-- This chapter shall be strictly construed to apply only to a Government entity's ability to decrypt data, including communications, for which it has previously obtained lawful authority to intercept or obtain pursuant to other lawful authorities that would otherwise remain encrypted.

_______________________

* Change made by hand.


"§ 2807. Notification procedures

"(a) IN GENERAL.-- Within a reasonable time, but not later that 90 days after the filing of an application for an order under section 2806 which is granted, the judge shall cause to be served, on the persons named in the order or the application, and such other parties whose decryption information or whose plaintext has been provided to an investigative or law enforcement officer pursuant to this chapter as the judge may determine in his or her discretion that is in the interest of justice, an inventory which shall include notice of--
"(1) the fact of the entry of the order or the application;

"(2) the date of the entry of the application and issuance of the order; and

"(3) the fact that the person's decryption information or plaintext data, including communications, have been provided or accessed by an investigative or law enforcement officer.

The judge, upon the filing of a motion, may in his or her discretion make available to that person or that person's counsel, for inspection, such portions of the plaintext, applications, and orders as the judge determines to be in the interest of justice. On an ex parte showing of good cause to a judge of competent jurisdiction, the serving of the inventory required by this subsection may be postponed.

"(b) ADMISSION INTO EVIDENCE.-- The contents of any encrypted information that has been pursuant to this chapter or evidence derived therefrom shall not be received in evidence or otherwise disclosed in any trial, hearing, or other proceeding in a Federal or State court unless each party, not less that 10 days before the trial, hearing, or proceeding, has been furnished with a copy of the order, and accompanying application, under which the decryption or access to plaintext was authorized or approved. this 10-day period may be waived by the judge if he finds that it was not possible to furnish the party with the information described in the preceding sentence within 10 days before the trail, hearing, or proceeding and that the party will not be prejudiced by the delay in receiving such information.

"(c) CONTEMPT.-- Any violation of the provisions of this subsection may be punished as contempt of the issuing or denying judge.

"(d) MOTION TO SUPPRESS.-- Any aggrieved person in any trial, hearing, or proceeding in or before any court, department, officer, agency, regulatory body, or other authority of the United States or a State may move to suppress the contents of any decrypted data, including com-


21

munications, obtained pursuant to this chapter, or evidence derived therefrom, on the grounds that --
"(1) the plaintext was unlawfully decrypted or accessed;

"(2) the order of authorization or approval under which it was decrypted or accessed is insufficient on its face; or

"(iii)[sic] the decryption was not made in conformity with the order of authorization or approval.

Such motion shall be made before the trial, hearing, or proceeding unless there was no opportunity to make such motion, or the person was not aware of the grounds of the motion. If the motion is granted, the plaintext of the decrypted data, including communications, or evidence derived therefrom, shall be treated as having been obtained in violation of this chapter. The judge, upon the filing of such motion by the aggrieved person, may in his or her discretion make available to the aggrieved person or that person's counsel for inspection such portions of the decrypted plaintext, or evidence derived therefrom, as the judge determines to be in the interests of justice.

"(e) APPEAL BY UNITED STATES.-- In addition to any other right to appeal, the United States shall have the right to appeal from an order granting a motion to suppress made under subsection (d), or the denial of an


22

application for an order of approval, if the United States attorney certifies to the judge or other official granting such motion or denying such application that the appeal is not taken for purposes of delay. Such appeal shall be taken within 30 days after the date the order was entered on the docket and shall be diligently prosecuted.

"(f) CIVIL ACTION FOR VIOLATION.-- except as otherwise provided in this chapter, any person described in subsection (g) may in a civil action recover from the United States Government the actual damages suffered by the person as a result of a violation described in that subsection, reasonable attorney's fees, and other litigation costs reasonably incurred in prosecuting such claim.

"(g) COVERED PERSONS.-- Subsection (f) applies to any person whose decryption information--

"(1) is knowingly obtained without lawful authority by an investigative or law enforcement officer;

"(2) is obtained by an investigative or law enforcement officer with lawful authority and is knowingly used or disclosed by such officer unlawfully; or

"(3) is obtained by an investigative or law enforcement officer with lawful authority and whose decryption information is unlawfully used to disclose the plaintext of the data, including communications.


"(h) LIMITATION.-- A civil action under subsection (f) shall be commenced not later that 2 years after the date on which the unlawful action took place, or 2 years after the date on which the claimant first discovers the violation, whichever is later.

"(i) EXCLUSIVE REMEDIES.-- The remedies and sanctions described in this chapter with respect to the decryption of data, including communications, are the only judicial remedies and sanctions for nonconstitutional violations of this chapter involving such decryptions.

"(j) TECHNICAL ASSISTANCE BY PROVIDERS.-- A provider of encryption technology or network service that has received an order issued by a court pursuant to this chapter shall provide to the investigative or law enforcement officer concerned such technical assistance as is necessary to execute the order. Such provider may, however, move the court to modify or quash the order on the ground that its assistance with respect to the decryption or access to plaintext cannot be performed ina timely or reasonable fashion. The court, upon notice to the Government, shall decide such motion expeditiously.

"(k) REPORTS TO CONGRESS.--In May of each year, the Attorney General, or an Assistant Attorney General specifically designated by the Attorney General, shall report, in writing, to Congress on the number of applications


24

made and orders entered authorizing Federal, State, and local law enforcement access to decryption information for the purposes of reading the plaintext of otherwise encrypted data, including communications, pursuant to this chapter. Such reports shall be submitted to the Committees on the Judiciary of the House of Representatives and of the Senate, and to the Permanent Select Committee on Intelligence for the House of Representatives and the Select Committee on Intelligence for the Senate.

"§ 2808. Lawful use of plaintext or decryption information

"(a) AUTHORIZED USE OF DECRYPTION INFORMATION.--
"(1) CRIMINAL INVESTIGATIONS.-- An investigative or law enforcement officer to whom plaintext or decryption information is provided may use such plaintext or decryption information for the purposes of conducting a lawful criminal investigation, and for the purposes of preparing for and prosecuting any criminal violation of law.

"(2) CIVIL REDRESS.-- Any plaintext or decryption information provided under this chapter to an investigative or law enforcement officer may not be disclosed, except by court order, to any other


25

person for use in a civil proceeding that is unrelated to a criminal investigation and prosecution for which the plaintext or decryption information is authorized under paragraph (1). Such order shall only issue upon a showing by the party seeking disclosure that there is no alternative means of obtaining the plaintext, or decryption information, being sought and the court also finds that the interests of justice would not be served any non-disclosure.

"(b) LIMITATION.-- An investigative or law enforcement officer may not use decryption information obtained under this chapter to determine the plaintext of any data, including communications, unless it has obtained lawful authority to obtain such data, including communications, under other lawful authorities.

"(c) RETURN OF DECRYPTION INFORMATION.-- An attorney for the Government shall, upon the issuance of an order of a court of competent jurisdiction--

"(1)
"(A) return any decryption information to the person responsible for providing it to an investigative or law enforcement officer pursuant to this chapter; or

"(B) destroy such decryption information, if the court finds that the interests of justice or public


26

safety require that such decryption information should not be returned to the provider; and

"(2) within 10 days after execution of the court's order to destroy the decryption information--

"(A) certify to the court that the decryption information has either been returned or destroyed consistent with the court's order; and

"(B) notify the provider of the decryption information of the destruction of such information.

"(d) OTHER DISCLOSURE OF DECRYPTION INFORMATION.-- Except as otherwise provided in section 2806, a key recovery agent may not disclose decryption information stored with the key recover agent by a person unless the disclosure is--
"(1) to the person, or an authorized agent thereof;

"(2) with the consent of the person, including pursuant to a contract entered into with the person;

"(3) pursuant to a court order upon a showing of compelling need for the information that cannot be accommodated by any other means if--


"(A) the person who supplied the information is given reasonable notice, by the person seeking the disclosure, of the court proceeding relevant to the issuance of the court order; and

"(B) the person who supplied the information is afforded the opportunity to appear in the court proceeding and context the claim of the person seeking the disclosure;

"(4) pursuant to a determination by a court of competent jurisdiction that another person is lawfully entitled to hold such decryption information, including determinations arising from legal proceedings associated with the incapacity, death, or dissolution of any person; or

"(5) otherwise permitted by a provision of this chapter or otherwise permitted by law.

"§ 2809. Identification of decryption information

"(a) IDENTIFICATION.-- to avoid inadvertent disclosure, any person who provides decryption information to an investigative or law enforcement officer pursuant to this chapter shall specifically identify that part of the material provided that discloses decryption information as such.

"(b) RESPONSIBILITY OF INVESTIGATIVE OR LAW ENFORCEMENT OFFICER.-- The investigative or law en-


28

forcment officer receiving any decryption information under this chapter shall maintain such information in facilities and in a method so as to reasonably assure that inadvertent disclosure shall not occur.

"§ 2810. Unlawful export of certain encryption products

"Whoever knowingly exports an encryption product that does not include features or functions providing duly authorized persons immediate access to plaintext or immediate decryption capabilities, as required under law, shall be imprisoned for not more that 5 years, fined under this title or both.

"§ 2811. Definitions

"The definitions set forth in section 101 of the Security and Freedom through Encryption ('SAFE') Act of 1997 shall apply to this chapter.

[SEC. 104] (b) CONFORMING AMENDMENT.-- The table of chapters for part I of title 18, United States Code, is amended by inserting after the item relating to chapter 33 the following new item:

"122. Encrypted data,including communications.......2801".


29

TITLE II -- GOVERNMENT PROCUREMENT

 

SEC. 201. FEDERAL PURCHASES OF ENCRYPTION PRODUCTS.

After January 1, 1999, any encryption product or service purchased or otherwise procured by the United States Government to provide the security service of data confidentiality for a Federal computer system shall include a technique for enabling immediate decryption by an authorized party without the knowledge or cooperation of the person using such encryption products or services.

SEC. 202. ENCRYPTION PRODUCTS PURCHASED WITH FEDERAL FUNDS.

After January 1, 1999, any encryption product or service purchased directly with Federal funds to provide the security service of data confidentiality shall include a technique for enabling immediate decryption by an authorized party without the knowledge or cooperation of the person using such encryption product or service unless the Secretary of Commerce, with the concurrence of the Attorney General, determines implementing this requirement would not promote the purposes of this Act.

SEC. 203. NETWORKS ESTABLISHED WITH FEDERAL FUNDS.

After January 1, 1999, any communications network established with the use of Federal funds shall use encryption products which include a technique for enabling immediate decryption by an authorized party without the knowledge or cooperation of the person using such encryption products or services unless the Secretary of Commerce, with the concurrence of the Attorney General, determines implementing this requirement would not promote the purposes of this Act.

SEC. 204. PRODUCT LABELS.

An encryption product may be labeled to inform users that the product is authorized for sale to or for use in transactions and communications with the United States Government under this title.

SEC. 205. NO PRIVATE MANDATE.

The United States Government may not mandate the use of encryption standards for the private sector other than for use with computer systems, networks or other systems of the United States Government, or systems or networks created using Federal funds.

SEC. 206. IMPLEMENTATION

(a) EXCLUSION.-- Nothing in this title shall apply to encryption products and services used solely for access control, authentication, integrity, nonrepudiation, digital signatures, or similar purposes.

(b) RULEMAKING.-- The Secretary, in consultation with the Attorney General and other affected agencies,


31

may through rules provide for the orderly implementation of this title and the effective use of secure public networks.


TITLE III -- EXPORTS OF ENCRYPTION

SEC. 301. EXPORTS OF ENCRYPTION

(a) COORDINATION OF EXECUTIVE BRANCH AGENCIES REQUIRED.-- The Secretary, in close coordination with the Secretary of Defense and other executive branch department or agency with responsibility for protecting the national security of the United States, shall have the authority to control the export of encryption products not controlled on the United States Munitions List.

(b) DECISIONS NOT SUBJECT TO JUDICIAL REVIEW.-- Decisions made by the Secretary, after coordination with the Secretary of Defense and other executive branch department or agency with respect to exports of encryption products under this title shall not be subject to judicial review.

SEC. 302. LICENSE EXCEPTION FOR CERTAIN ENCRYPTION PRODUCTS.

(a) LICENSE EXCEPTION.-- Beginning January 31, 2000, encryption products, without regard to encryption strength, shall be eligible for export under a license exception if such encryption product --


32

(1) is submitted to the Secretary for a 1-time product review;

(2) does not include features or functions that would otherwise require licensing under applicable regulations;

(3) is not destined for countries, end users, or end uses that the Secretary, in coordination with the Secretary of Defense and other executive branch departments or agencies with responsibility for protecting the national security of the United States, by regulation, has determined should be ineligible to receive such products, and is otherwise qualified for export; and

(4)

(A) includes features or functions providing an immediate access to plaintext capability, if there is lawful authority for such immediate access; or

(B) includes features or functions providing an immediate decryption capability of the encrypted data, including communications, upon the receipt of decryption information by an authorized party, and such decryption can be accomplished without unauthorized disclosure.

(b) ENABLING DECRYPTION CAPABILITIES.-- The features or functions described in subsection (a)(4) need not be enabled by the manufacturer at the time of export


33

for purposes of this title. Such features and functions may be enabled by the purchaser or end-user.

(c) RESPONSIBILITIES OF THE SECRETARY.-- The Secretary, in coordination with the Secretary of Defense and other executive branch departments or agencies with responsibility for protecting the national security of the United States, shall,--

(1) specify, by regulation, the information that must be submitted for the 1-time review referred to in this section; and

(2) make all export determinations under this title within 30 days following the date of submission to the Secretary of--

(A) the completed application for a license exception; and

(B) the encryption product intended for export that shall be reviewed as required by this section.

(d) EXERCISE OF OTHER AUTHORITIES.--  The Secretary, and the Secretary of Defense, may exercise the authorities they have under other provisions of law, including the Export Administration Act of 1979, as continued in effect under the International Emergency Economic Powers Act, to carry out this section.


34

(e) PRESUMPTION IN FAVOR OF EXPORTS.-- There shall be a presumption in favor of export of encryption products under this title.

(f) WAIVER AUTHORITY.-- The President may by Executive order waive any provision of this Act, or the applicability of any such provision to a person or entity, if the President determines that the waiver is in the interests of national security or public safety and security. The President shall submit a report to the relevant committees of the Congress not later than 15 days after such determination. The report shall include the factual basis upon which such determination was made. The report may be in classified format.

(g) RELEVANT COMMITTEES.-- The relevant committees of the Congress described in subsection (f) are the Committee on International Relations, the Committee on the Judiciary, the Committee on National Security, and the Permanent Select Committee on Intelligence of the House of Representatives, and the Committee on Foreign Relations, the Committee on the Judiciary, the Committee on Armed Services, and the Select Committee on Intelligence of the Senate.


35

SEC. 303. LICENSE EXCEPTION FOR TELECOMMUNICATIONS PRODUCTS.

After a 1-time review as described in section 302, the Secretary shall authorize for export under a license exception voice encryption products that do not contain decryption or access to plainvoice features or functions otherwise required in section 302, if the Secretary, after consultation with relevant executive branch departments or agencies, determines that--

(1) information recovery requirements for such exports would disadvantage United States exporters; and

(2) such exports under a license exception would not create risk to the foreign policy, non-proliferation, or national security of the United States.

SEC. 304. REVIEW FOR CERTAIN INSTITUTIONS.

The Secretary, in consultation with other executive branch departments or agencies, shall establish a procedure for expedited review of export license applications involving encryption products for use by qualified banks, financial institutions, subsidiaries of United States owned and controlled companies, or other users authorized by the Secretary.


36

SEC. 305. ENCRYPTION INDUSTRY AND INFORMATION SECURITY BOARD.

(a) ENCRYPTION INDUSTRY AND INFORMATION SECURITY BOARD ESTABLISHED.-- There is hereby established an Encryption Industry and Information Security Board. The Board shall undertake an advisory role for the President.

(b) PURPOSES.-- The purposes of the Board are--

(1) to provide a forum to foster communication and coordination between industry and the Federal Government on matters relating to the use of encryption products;

(2) to promote the export of encryption products manufactured in the United States;

(3) to encourage research and development of products that will foster electronic commerce;

(4) to recommend policies enhancing the security of public networks;

(5) to promote the protection of intellectual property and privacy rights of individuals using public networks;

(6) to enable the United States to effectively and continually understand the benefits and risks to its national security, law enforcement, and public safety interests by virtue of the proliferation of strong encryption on the global market.


37

(7) to evaluate and make recommendations regarding the further development and use of encryption;

(8) to advance the development of international standards regarding interoperability and global use of encryption products; and

(9) to evaluate the foreign availability of encryption products and their threat to United States industry.

(c) MEMBERSHIP.--
(1) The Board shall be composed of 11 [13*] members, as follows:
(A) The Secretary of Commerce, or the Secretary's designee, who shall chair the Board.

(B) The Attorney General, or the Director of the Federal Bureau of Investigation, or a respective designee.

(C) The Secretary of Defense, or the Secretary's designee.

(D) The Director of Central Intelligence, or his or her designee.

(E) The Special Assistant to the President for National Security Affairs, or his or her designee.

(F) Six representatives from the [insert Mr. Skaggs #2 amendment*] private sector who have expertise in the development, operation,


38

marketing, law, or public policy relating to information security or technology.

(2) The six private sector representatives described in paragraph (1)(F) shall be appointed as follows:
(A) Two by the Speaker of the House of Representatives.

(B) One by the Minority Leader of the House of Representatives.

(C) Two by the Majority Leader of the Senate.

(D) One by the Minority Leader of the Senate.

[Subsection (d) not used.]

(e) MEETINGS.-- The Board shall meet at such times and in such places as the Secretary may prescribe, but not less frequently than every four months. The Federal Advisory Committee Act (5 U.S.C. App.) does not apply to the Board or to meetings held by the Board under this section.

(f) FINDINGS AND RECOMMENDATIONS.-- The chair of the Board shall convey the findings and recommendations of the Board to the President [and to the Congress [Mr. Gibbons]*] within 30 days after each meeting of the Board. The recommendations of the Board are not binding upon the President.

(g) FOREIGN AVAILABILITY.-- The consideration of foreign availability by the Board shall include computer


39

software that is distributed over the Internet or advertised for sale, license, or transfer, including over-the-counter retail sales, mail order transactions, telephone order transactions, electronic distribution, or sale on approval.


TITLE IV -- LIABILITY LIMITATIONS

SEC. 401. COMPLIANCE WITH COURT ORDER

(a) NO LIABILITY FOR COMPLIANCE.-- Subject to subsection (b), no civil or criminal liability under this Act, or under any other provision of law, shall attach to any person for disclosing or providing--
(1) the plaintext of encrypted data, including communications;

(2) the decryption information of such encrypted data, including communications; or

(3) technical assistance for access to the plaintext of, or decryption information for, encrypted data, including communications.

(b) EXCEPTION.--  Subsection (a) shall not apply to a person who provides plaintext or decryption information to another and is not authorized by court order to disclose such plaintext or decryption information.

SEC. 402. COMPLIANCE DEFENSE.

Compliance with the provisions of this Act, or any regulations authorized hereunder, shall provide a complete


40

defense for any non-contractual civil action for damages based upon activities covered by this Act.

SEC. 403. REASONABLE CARE DEFENSE.

The participation by any Federal or non-Federal person in the key management infrastructure established by regulation for United States Government information security operations under section 103 shall be treated as evidence of reasonable care or due diligence in any proceeding where the reasonableness of one's actions is an element of the claim at issue.

SEC. 404. GOOD FAITH DEFENSE.

An objectively reasonable reliance on the legal authority provided by this Act and the amendments made by this Act, requiring or authorizing access to the plaintext of otherwise encrypted data, including communications, or to the decryption information that will allow the immediate decryption of data, including communications, that is otherwise encrypted, shall be a complete defense to any criminal or civil action that may be brought under the laws of the United States or any State.

SEC. 405. SOVEREIGN IMMUNITY.

Except as otherwise specifically provided otherwise, nothing in this Act or the amendments made by this Act, or any regulations promulgated thereunder, modifies or


41

amends the sovereign immunity of the United States Government.

SEC. 406. CIVIL ACTION, GENERALLY.

A civil action may be brought against any person who, regardless of that person's participation in the key management infrastructure to be established by regulations promulgated by the Secretary pursuant to section 103, violates or acts in a manner that is inconsistent with or violates the provisions or intent of this Act.

TITLE V -- INTERNATIONAL AGREEMENTS

SEC. 501. SENSE OF CONGRESS.

It is the sense of Congress that --

(1) the President should conduct negotiations with foreign governments for the purposes of mutual recognition of any key management infrastructures, and their component parts, that exist or are developed; and

(2) such mutual recognition agreements will safeguard the privacy of the citizens of the United States, prevent economic espionage, and enhance the information security needs of the United States.

SEC. 502. FAILURE TO NEGOTIATE.

The President may consider a government's refusal to negotiate mutual recognition agreements described in


42

section 501 when considering the participation of the United States in any cooperation or assistance program with that country.

SEC. 503. REPORT TO CONGRESS.

(a) REPORT TO CONGRESS.-- The President shall report annually to the Congress on the status of the international effort outlined by section 501.

(b) FIRST REPORT.-- The first report required under subsection (a) shall be submitted in unclassified form no later than December 15, 1998.


TITLE VI -- MISCELLANEOUS PROVISIONS

SEC. 601. EFFECT ON LAW ENFORCEMENT ACTIVITIES.

(a) COLLECTION OF INFORMATION BY ATTORNEY GENERAL.-- The Attorney General shall compile, and maintain in classified form, data on the instances in which encryption has interfered with, impeded, or obstructed the ability of the Department of Justice to enforce criminal laws of the United States.

(b) AVAILABILITY OF INFORMATION TO THE CONGRESS.-- The information compiled under subsection (a), including an unclassified summary thereof, shall be made available, upon request, to any Member of Congress.


43

SEC. 602. INTERPRETATION.

Nothing contained in this Act or the amendments made by this Act shall be deemed to --

(1) preempt or otherwise affect the application of the Arms Export Control Act (22 U.S.C. 2751, et seq.), the Export Administration Act of 1979 (50 U.S.C. App. 2401 and following), or the International Emergency Economic Powers Act (50 U.S.C. 1701-06), or any regulations promulgated thereunder;

(2) affect foreign intelligence activities of the United States; or

(3) negate or diminish any intellectual property protections found in the laws of the United States or any State.

SEC. 603. SEVERABILITY.

If any provision of this Act, or the application thereof, to any person or circumstances is held invalid by a court of the United States, the remainder of this Act, and the application thereof, to other persons or circumstances shall not be affected thereby.


AMENDMENT TO THE
GOSS/DICKS
AMENDMENT IN THE NATURE OF A SUBSTITUTE
TO H.R. 695

OFFERED BY MR. SKAGGS
#1

(a) At page 18, line 13, after paragraph "(2)", which ends with the words "such country.", insert the following new subsection:

"(c) ELECTRONIC AUDIT TRAIL REQUIRED. -- A verifiable audit trail shall be utilized so that in the case of access to the plaintext of otherwise encrypted information, or the provision of decryption information, to an investigative or law enforcement officer there shall be created an electronic record, or similar type record, of each instance in which an investigative or law enforcement officer gains such access or is provided such information, without the knowledge or consent of the owner of the data, including communications, who is the user of the encryption product.

"(d) MAINTENANCE OF AUDIT RECORD.-- The electronic or similar type of record, described in subsection (c) shall be maintained in a place and a manner that is not within the custody or control of an investigative of law enforcement officer gaining the access or provision of decryption


information. It shall be tendered to the court issuing the order described in this section, upon notice from the court.

"(e) DISCOVERY OF AUDIT RECORD.-- The court receiving such electronic or similar type of record as described pursuant to paragraph (3) shall make the original and a certified copy of the record available to the attorney for the government making application under this section, and to the attorney for, or directly to, the owner of the data, including communications, who is the user of the encryption product."

(b) Redesignate current subsections "(c)" and "(d)" as "(f)" and "(g)", respectively.



AMENDMENT TO THE
GOSS/DICKS
AMENDMENT IN THE NATURE OF A SUBSTITUTE
TO H.R. 695

OFFERED BY MR. SKAGGS
#2

(a) At page 37, line 11, strike the words "11 members", and replace with the words "13 members".

(b) Following paragraph "(E)" insert the following new paragraph:

"(F) Two private sector individuals, appointed by the President, who have expertise in consumer and privacy interests relating to or affected by information security technology."

(c) Redesignate current paragraph "(F)" as "(G)".


AMENDMENT TO THE
GOSS/DICKS
AMENDMENT IN THE NATURE OF A SUBSTITUTE
TO H.R. 695

OFFERED BY MR. GIBBONS

At page 38, line 21, insert the words "and to the Congress", after the words, "to the President".


[End]

Digitized and hypertexted by NYA/Urban Deadline.


Source: http://clerkweb.house.gov/mbrcmtee/cmtees/standing/comassign.htm


[Excerpt]

PERMANENT SELECT COMMITTEE ON INTELLIGENCE

Porter J. Goss, FL, Chairman
Republicans


    C. W. Bill Young, FL
    Jerry Lewis, CA
    Bud Shuster, PA
    Bill McCollum, FL
    Michael N. Castle, DE
    Sherwood L. Boehlert, NY
    Charles F. Bass, NH
    Jim Gibbons, NV

Democrats

    Norman D. Dicks, WA
    Julian C. Dixon, CA
    David E. Skaggs, CO
    Nancy Pelosi, CA
    Jane Harman, CA
    Ike Skelton, MO
    Sanford D. Bishop, Jr., GA


SUBCOMMITTEES OF THE PERMANENT SELECT COMMITTEE ON INTELLIGENCE



HUMAN INTELLIGENCE, ANALYSIS, AND COUNTERINTELLIGENCE
Republicans
    Bill McCollum, FL, Chairman
    Bud Shuster, PA
    Michael N. Castle, DE
    Charles F. Bass, NH
Democrats
    Julian C. Dixon, CA
    David E. Skaggs, CO
    Nancy Pelosi, CA
    Sanford D. Bishop, Jr., GA



TECHNICAL AND TACTICAL INTELLIGENCE
Republicans
    Jerry Lewis, CA, Chairman
    C. W. Bill Young, FL
    Sherwood L. Boehlert, NY
    Jim Gibbons, NV
Democrats
    David E. Skaggs, CO
    Norman D. Dicks, WA
    Jane Harman, CA
    Ike Skelton, MO