[Congressional Bills 103d Congress]
[From the U.S. Government Publishing Office]
[H.R. 5199 Introduced in House (IH)]

103d CONGRESS
  2d Session
                                H. R. 5199

  To amend the National Institute of Standards and Technology Act to 
 provide for the establishment and management of voluntary encryption 
      standards to protect the privacy and security of electronic 
                  information, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                            October 6, 1994

   Mr. Brown of California introduced the following bill; which was 
      referred to the Committee on Science, Space, and Technology

_______________________________________________________________________

                                 A BILL


 
  To amend the National Institute of Standards and Technology Act to 
 provide for the establishment and management of voluntary encryption 
      standards to protect the privacy and security of electronic 
                  information, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Encryption Standards and Procedures 
Act of 1994''.

SEC. 2. FINDINGS AND PURPOSES.

    (a) Findings.--The Congress finds the following:
            (1) Advancements in communications and information 
        technology and the widespread use of that technology have 
        enhanced the volume and value of domestic and international 
        communication of electronic information as well as the ability 
        to preserve the confidentiality, protect the privacy, and 
        authenticate the origin, of that information.
            (2) The proliferation of communications and information 
        technology has made it increasingly difficult for the 
        government to obtain and decipher, in a timely manner and as 
        provided by law, electronic information that is necessary to 
        provide for public safety and national security.
            (3) The development of the Nation's information 
        infrastructure and the realization of the full benefits of that 
        infrastructure require that electronic information resident in, 
        or communicated over, that infrastructure is secure, 
        confidential, and authentic.
            (4) Security, privacy, and authentication of electronic 
        information resident in, or communicated over, the Nation's 
        information infrastructure are enhanced with the use of 
        encryption technology.
            (5) The rights of individuals and other persons to 
        security, privacy, and protection in their communications and 
        in the dissemination and receipt of electronic information 
        should be preserved and protected.
            (6) The authority and ability of the government to obtain 
        and decipher, in a timely manner and as provided by law, 
        electronic information necessary to provide for public safety 
        and national security should also be preserved.
            (7) There is a national need to develop, adopt, and use 
        encryption methods and procedures that advance the development 
        of the Nation's information infrastructure and that preserve 
        the personal rights referred to in paragraph (5) and the 
        governmental authority and ability referred to in paragraph 
        (6), as provided by law.
    (b) Purposes.--It is the purpose of this Act--
            (1) to promote the development of the Nation's information 
        infrastructure consistent with public welfare and safety, 
        national security, and the privacy and protection of personal 
        property;
            (2) to encourage and facilitate the development, adoption, 
        and use of encryption standards and procedures that provide 
        sufficient privacy, protection, and authentication of 
        electronic information and that reasonably satisfy the needs of 
        government to provide for public safety and national security; 
        and
            (3) to establish Federal policy governing the development, 
        adoption, and use of encryption standards and procedures and a 
        Federal program to carry out that policy.

SEC. 3. ENCRYPTION STANDARDS AND PROCEDURES.

    (a) Computer System Security and Privacy Advisory Board.--
            (1) Requirement of privacy expertise.--Section 21(a)(2) of 
        the National Institute of Standards and Technology Act (15 
        U.S.C. 278g-4(a)(2)) is amended by inserting ``(including 
        computer systems privacy)'' after ``related disciplines''.
            (2) Expanded functions.--Section 21(b) of such Act (15 
        U.S.C. 278g-4(b)) is amended--
                    (A) by striking ``and'' at the end of paragraph 
                (2);
                    (B) by striking the period at the end of paragraph 
                (3) and inserting ``; and''; and
                    (C) by adding after paragraph (3) the following new 
                paragraph:
            ``(4) to advise the Institute and the Congress on privacy 
        issues pertaining to electronic information and on encryption 
        standards developed under section 31(b).''.
    (b) Standards and Procedures.--The National Institute of Standards 
and Technology Act is further amended--
            (1) by redesignating section 31 as section 32; and
            (2) by inserting after section 30 the following new section 
        31:

``SEC. 31. ENCRYPTION STANDARDS AND PROCEDURES.

    ``(a) Establishment and Authority.--The Secretary, acting through 
the Director, shall establish an Encryption Standards and Procedures 
Program to carry out this section. In carrying out this section, the 
Secretary, acting through the Director, may (in addition to the 
authority provided under section 2) conduct research and development on 
encryption standards and procedures, make grants, and enter into 
contracts, cooperative agreements, joint ventures, royalty 
arrangements, and licensing agreements on such terms and conditions the 
Secretary considers appropriate.
    ``(b) Federal Encryption Standards.--
            ``(1) In general.--The Secretary, acting through the 
        Director and after providing notice to the public and an 
        opportunity for comment, may by regulation develop encryption 
        standards as part of the program established under subsection 
        (a).
            ``(2) Requirements.--Any encryption standard developed 
        under paragraph (1)--
                    ``(A) shall, to the maximum extent practicable, 
                provide for the confidentiality, integrity, or 
                authenticity of electronic information;
                    ``(B) shall advance the development, and enhance 
                the security, of the Nation's information 
                infrastructure;
                    ``(C) shall contribute to public safety and 
                national security;
                    ``(D) shall not diminish existing privacy rights of 
                individuals and other persons;
                    ``(E) shall preserve the functional ability of the 
                government to decipher, in a timely manner, electronic 
                information that has been obtained pursuant to an 
                electronic surveillance permitted by law;
                    ``(F) may be implemented in software, firmware, 
                hardware, or any combination thereof; and
                    ``(G) shall include a validation program to 
                determine the extent to which such standards have been 
                implemented in conformance with the requirements set 
                forth in this paragraph.
            ``(3) Consultation.--Standards developed under paragraph 
        (1) shall be developed in consultation with the heads of other 
        appropriate Federal agencies.
    ``(c) Permitted Use of Standards.--The Federal Government shall 
make available for public use any standard established under subsection 
(b), except that nothing in this Act may be construed to require such 
use by any individual or other person.
    ``(d) Escrow Agents.--
            ``(1) Designation.--If a key escrow encryption standard is 
        established under subsection (b), the President shall designate 
        at least 2 Federal agencies that satisfy the qualifications 
        referred to in paragraph (2) to act as key escrow agents for 
        that standard.
            ``(2) Qualifications.--A key escrow agent designated under 
        paragraph (1) shall be a Federal agency that--
                    ``(A) possesses the capability, competency, and 
                resources to administer the key escrow encryption 
                standard, to safeguard sensitive information related to 
                it, and to carry out the responsibilities set forth in 
                paragraph (3) in a timely manner; and
                    ``(B) is not a Federal agency that is authorized by 
                law to conduct electronic surveillance.
            ``(3) Responsibilities.--A key escrow agent designated 
        under paragraph (1) shall, by regulation and in consultation 
        with the Secretary and any other key escrow agent designated 
        under such paragraph, establish procedures and take other 
        appropriate steps--
                    ``(A) to safeguard the confidentiality, integrity, 
                and availability of keys or components thereof held by 
                the agent pursuant to this subsection;
                    ``(B) to preserve the integrity of any key escrow 
                encryption standard established under subsection (b) 
                for which the agent holds the keys or components 
                thereof;
                    ``(C) to hold and manage the keys or components 
                thereof consistent with the requirements of this 
                section and the encryption standard established under 
                subsection (b); and
                    ``(D) to carry out the responsibilities set forth 
                in this paragraph in the most effective and efficient 
                manner practicable.
            ``(4) Authority.--A key escrow agent designated under 
        paragraph (1) may enter into contracts, cooperative agreements, 
        and joint ventures and take other appropriate steps to carry 
        out its responsibilities.
    ``(e) Limitations on Access and Use.--
            ``(1) Release of key to certain agencies.--A key escrow 
        agent designated under subsection (d) may release a key or 
        component thereof held by the agent pursuant to that subsection 
        only to a Federal agency that is authorized by law to conduct 
        electronic surveillance and that is authorized to obtain and 
        use the key or component by court order or other provision of 
        law. An entity to whom a key or component thereof has been 
        released under this paragraph may use the key or component 
        thereof only in the manner and for the purpose and duration 
        that is expressly provided for in the court order or other 
        provision of law authorizing such release and use.
            ``(2) Limitation on use by private persons and foreign 
        citizens.--
                    ``(A) In general.--Except as provided in 
                subparagraph (B), a person (including a person not a 
                citizen or permanent resident of the United States) 
                that is not an agency of the Federal Government or a 
                State or local government shall not have access to or 
                use keys associated with an encryption standard 
                established under subsection (b).
                    ``(B) Exception.--A representative of a foreign 
                government may have access to and use a key associated 
                with an encryption standard established under 
                subsection (b) only if the President determines that 
                such access and use is in the national security and 
                foreign policy interests of the United States. The 
                President shall prescribe the manner and conditions of 
                any such access and use.
            ``(3) Limit on use by government agencies.--A government 
        agency, instrumentality, or political subdivision thereof shall 
        not have access to or use a key or component thereof associated 
        with an encryption standard established under subsection (b) 
        that is held by a key escrow agent under subsection (d) unless 
        such access or use is authorized by this section, by court 
        order, or by other law.
    ``(f) Review and Report.--
            ``(1) In general.--Within 2 years after the date of the 
        enactment of this Act and at least once every 2 years 
        thereafter, the Secretary shall conduct a hearing on the record 
        in which all interested parties shall have an opportunity to 
        comment on the extent to which encryption standards, 
        procedures, and requirements established under this section 
        have succeeded in fulfilling the purposes of this section and 
        the manner and extent to which such standards, procedures, and 
        requirements can be improved.
            ``(2) Report.--Upon completion of a hearing conducted under 
        paragraph (1), the Secretary shall submit to the Congress a 
        report containing a statement of the Secretary's findings 
        pursuant to the hearing along with recommendations and a plan 
        for correcting any deficiencies or abuses in achieving the 
        purposes of this section that are identified as a result of the 
        hearing.
    ``(g) Regulations.--Within one year after the date of the enactment 
of this Act, the Secretary and each key escrow agent designated by the 
President under subsection (d) shall, after notice to the public and 
opportunity for comment, issue any regulations necessary to carry out 
this section.
    ``(h) Liability.--The United States shall not be liable for any 
loss incurred by any individual or other person resulting from any 
compromise or security breach of any encryption standard established 
under subsection (b) or any violation of this section or any regulation 
or procedure established by or under this section by--
            ``(1) any person who is not an official or employee of the 
        United States; or
            ``(2) any person who is an official or employee of the 
        United States, unless such compromise, breach, or violation is 
        willful.
    ``(i) Severability.--If any provision of this section, or the 
application thereof, to any person or circumstance, is held invalid, 
the remainder of this section, and the application thereof, to other 
persons or circumstances shall not be affected thereby.
    ``(j) Definitions.--For purposes of this section:
            ``(1) The term `content', when used with respect to 
        electronic information, includes the substance, purport, or 
        meaning of that information.
            ``(2) The term `electronic communications system' has the 
        meaning given such term in section 2510(14) of title 18, United 
        States Code.
            ``(3) The term `encryption' means a method--
                    ``(A) to encipher and decipher the content of 
                electronic information to protect the privacy and 
                security of such information; or
                    ``(B) to verify the integrity, or authenticate the 
                origin, of electronic information.
            ``(4) The term `encryption standard' means a technical, 
        management, physical, or administrative standard or associated 
        guideline or procedure for conducting encryption, including key 
        escrow encryption, to ensure or verify the integrity, 
        authenticity, or confidentiality of electronic information 
        that, regardless of application or purpose, is stored, 
        processed, transmitted, or otherwise communicated domestically 
        or internationally in any public or private electronic 
        communications system.
            ``(5) The term `key escrow encryption' means an encryption 
        method that allows the government, pursuant to court order or 
        other provision of law, to decipher electronic information that 
        has been encrypted with that method by using a unique secret 
        code or key that is, in whole or in part, held by and obtained 
        from a key escrow agent.
            ``(6) The term `key escrow agent' means an entity 
        designated by the President under subsection (d) to hold and 
        manage keys associated with an encryption standard established 
        under subsection (b).
            ``(7) The term `key' means a unique secret code or 
        character string that enables a party other than the sender, 
        holder, or intended recipient of electronic information to 
        decipher such information that has been enciphered with a 
        corresponding encryption standard established under subsection 
        (b) only with such code or string.
            ``(8) The term `electronic information' means the content, 
        source, or destination of any information in any electronic 
        form and in any medium which has not been specifically 
        authorized by a Federal statute or an Executive Order to be 
        kept secret in the interest of national defense or foreign 
        policy and which is stored, processed, transmitted or otherwise 
        communicated, domestically or internationally, in an electronic 
        communications system, and
                    ``(A) electronic communication within the meaning 
                of section 2510(12) of title 18, United States Code; or
                    ``(B) wire communication within the meaning of 
                section 2510(1) of such title.
            ``(9) The term `government' means the Federal Government, a 
        State or political subdivision of a State, the District of 
        Columbia, or a commonwealth, territory, or possession of the 
        United States.
    ``(k) Authorization of Appropriations.--
            ``(1) In general.--From amounts otherwise authorized to be 
        appropriated to the Secretary of Commerce for fiscal years 1995 
        through 1997 to carry out the programs of the Institute, the 
        amount of $50,000,000 shall be available for such fiscal years 
        to carry out this section. Such amount shall remain available 
        until expended. Of such amount, $1,000,000 shall be available 
        for the National Research Council study on national 
        cryptography policy authorized under section 267 of the 
        National Defense Authorization Act for Fiscal Year 1994 (10 
        U.S.C. 421 note).
            ``(2) Transfer authority.--The Secretary may transfer funds 
        appropriated pursuant to paragraph (1) to a key escrow agent 
        other than the Secretary in amounts sufficient to cover the 
        cost of carrying out the responsibilities of the agent under 
        this section. Funds so transferred shall remain available until 
        expended.''.