[Congressional Bills 104th Congress]
[From the U.S. Government Publishing Office]
[S. 1587 Introduced in Senate (IS)]

  2d Session
                                S. 1587

To affirm the rights of Americans to use and sell encryption products, 
   to establish privacy standards for voluntary escrowed encryption 
                    systems, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             March 5, 1996

  Mr. Leahy (for himself, Mr. Burns, Mr. Dole, Mr. Pressler, and Mrs. 
    Murray) introduced the following bill; which was read twice and 
               referred to the Committee on the Judiciary

_______________________________________________________________________

                                 A BILL


 
To affirm the rights of Americans to use and sell encryption products, 
   to establish privacy standards for voluntary escrowed encryption 
                    systems, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Encrypted Communications Privacy Act 
of 1996''.

SEC. 2. PURPOSE.

    It is the purpose of this Act--
            (1) to ensure that Americans are able to have the maximum 
        possible choice in encryption methods to protect the security, 
        confidentiality, and privacy of their lawful wire or electronic 
        communications; and
            (2) to establish privacy standards for key holders who are 
        voluntarily entrusted with the means to decrypt such 
        communications, and procedures by which investigative or law 
        enforcement officers may obtain assistance in decrypting such 
        communications.

SEC. 3. FINDINGS.

    The Congress finds that--
            (1) the digitization of information and the explosion in 
        the growth of computing and electronic networking offers 
        tremendous potential benefits to the way Americans live, work, 
        and are entertained, but also raises new threats to the privacy 
        of American citizens and the competitiveness of American 
        businesses;
            (2) a secure, private, and trusted national and global 
        information infrastructure is essential to promote economic 
        growth, protect citizens' privacy, and meet the needs of 
        American citizens and businesses;
            (3) the rights of Americans to the privacy and security of 
        their communications and in conducting their personal and 
        business affairs should be preserved and protected;
            (4) the authority and ability of investigative and law 
        enforcement officers to access and decipher, in a timely manner 
        and as provided by law, wire and electronic communications 
        necessary to provide for public safety and national security 
        should also be preserved;
            (5) individuals will not entrust their sensitive personal, 
        medical, financial, and other information to computers and 
        computer networks unless the security and privacy of that 
        information is assured;
            (6) business will not entrust their proprietary and 
        sensitive corporate information, including information about 
        products, processes, customers, finances, and employees, to 
        computers and computer networks unless the security and privacy 
        of that information is assured;
            (7) encryption technology can enhance the privacy, 
        security, confidentiality, integrity, and authenticity of wire 
        and electronic communications and stored electronic 
        information;
            (8) encryption techniques, technology, programs, and 
        products are widely available worldwide;
            (9) Americans should be free lawfully to use whatever 
        particular encryption techniques, technologies, programs, or 
        products developed in the marketplace they desire in order to 
        interact electronically worldwide in a secure, private, and 
        confidential manner;
            (10) American companies should be free to compete and to 
        sell encryption technology, programs, and products;
            (11) there is a need to develop a national encryption 
        policy that advances the development of the national and global 
        information infrastructure, and preserves Americans' right to 
        privacy and the Nation's public safety and national security;
            (12) there is a need to clarify the legal rights and 
        responsibilities of key holders who are voluntarily entrusted 
        with the means to decrypt wire or electronic communications;
            (13) the Congress and the American people have recognized 
        the need to balance the right to privacy and the protection of 
        the public safety and national security;
            (14) the Congress has permitted lawful electronic 
        surveillance by investigative or law enforcement officers only 
upon compliance with stringent statutory standards and procedures; and
            (15) there is a need to clarify the standards and 
        procedures by which investigative or law enforcement officers 
        obtain assistance from key holders who are voluntarily 
        entrusted with the means to decrypt wire or electronic 
        communications, including such communications in electronic 
        storage.

SEC. 4. FREEDOM TO USE ENCRYPTION.

    (a) Lawful Use of Encryption.--It shall be lawful for any person 
within any State of the United States, the District of Columbia, the 
Commonwealth of Puerto Rico, and any territory or possession of the 
United States, and by United States persons in a foreign country to use 
any encryption, regardless of encryption algorithm selected, encryption 
key length chosen, or implementation technique or medium used except as 
provided in this Act and the amendments made by this Act or in any 
other law.
    (b) General Construction.--Nothing in this Act or the amendments 
made by this Act shall be construed to--
            (1) require the use by any person of any form of 
        encryption;
            (2) limit or affect the ability of any person to use 
        encryption without a key escrow function; or
            (3) limit or affect the ability of any person who chooses 
        to use encryption with a key escrow function not to use a key 
        holder.

SEC. 5. ENCRYPTED WIRE AND ELECTRONIC COMMUNICATIONS.

    (a) In General.--Part I of title 18, United States Code, is amended 
by inserting after chapter 121 the following new chapter:

      ``CHAPTER 122--ENCRYPTED WIRE AND ELECTRONIC COMMUNICATIONS

``2801. Definitions.
``2802. Prohibited acts by key holders.
``2803. Reporting requirements.
``2804. Unlawful use of encryption to obstruct justice.
``2805. Freedom to sell encryption products.
``Sec. 2801. Definitions
    ``As used in this chapter--
            ``(1) the terms `person', `State', `wire communication', 
        `electronic communication', `investigative or law enforcement 
        officer', `judge of competent jurisdiction', and `electronic 
        storage' have the same meanings given such terms in section 
        2510 of this title;
            ``(2) the term `encryption' means the scrambling of wire or 
        electronic communications using mathematical formulas or 
        algorithms in order to preserve the confidentiality, integrity 
        or authenticity and prevent unauthorized recipients from 
        accessing or altering such communications;
            ``(3) the term `key holder' means a person located within 
        the United States (which may, but is not required to, be a 
        Federal agency) who is voluntarily entrusted by another 
        independent person with the means to decrypt that person's wire 
        or electronic communications for the purpose of subsequent 
        decryption of such communications;
            ``(4) the term `decryption key' means the variable 
        information used in a mathematical formula, code, or algorithm, 
        or any component thereof, used to decrypt wire or electronic 
        communications that have been encrypted; and
            ``(5) the term `decryption assistance' means providing 
        access, to the extent possible, to the plain text of encrypted 
        wire or electronic communications.
``Sec. 2802. Prohibited acts by key holders
    ``(a) Unauthorized Release of Key.--Except as provided in 
subsection (b), any key holder who releases a decryption key or 
provides decryption assistance shall be subject to the criminal 
penalties provided in subsection (e) and to civil liability as provided 
in subsection (f).
    ``(b) Authorized Release of Key.--A key holder shall only release a 
decryption key in its possession or control or provide decryption 
assistance--
            ``(1) with the lawful consent of the person whose key is 
        being held or managed by the key holder;
            ``(2) as may be necessarily incident to the holding or 
        management of the key by the key holder; or
            ``(3) to investigative or law enforcement officers 
        authorized by law to intercept wire or electronic 
        communications under chapter 119, to obtain access to stored 
        wire and electronic communications and transactional records 
        under chapter 121, or to conduct electronic surveillance, as 
        defined in section 101 of the Foreign Intelligence Surveillance 
        Act of 1978 (50 U.S.C. 1801), upon compliance with subsection 
        (c) of this section.
    ``(c) Requirements for Release of Decryption Key or Provision of 
Decryption Assistance to Investigative or Law Enforcement Officer.--
            ``(1) Contents of wire and electronic communications.--A 
        key holder is authorized to release a decryption key or provide 
        decryption assistance to an investigative or law enforcement 
        officer authorized by law to conduct electronic surveillance 
under chapter 119, only if--
                    ``(A) the key holder is given--
                            ``(i) a court order signed by a judge of 
                        competent jurisdiction directing such release 
                        or assistance; or
                            ``(ii) a certification in writing by a 
                        person specified in section 2518(7) or the 
                        Attorney General stating that--
                                    ``(I) no warrant or court order is 
                                required by law;
                                    ``(II) all requirements under 
                                section 2518(7) have been met; and
                                    ``(III) the specified release or 
                                assistance is required;
                    ``(B) the order or certification under paragraph 
                (A)--
                            ``(i) specifies the decryption key or 
                        decryption assistance which is being sought; 
                        and
                            ``(ii) identifies the termination date of 
                        the period for which release or assistance has 
                        been authorized; and
                    ``(C) in compliance with an order or certification 
                under subparagraph (A), the key holder shall provide 
                only such key release or decryption assistance as is 
                necessary for access to communications covered by 
                subparagraph (B).
            ``(2) Stored wire and electronic communications.--(A) A key 
        holder is authorized to release a decryption key or provide 
        decryption assistance to an investigative or law enforcement 
        officer authorized by law to obtain access to stored wire and 
        electronic communications and transactional records under 
        chapter 121, only if the key holder is directed to give such 
        assistance pursuant to the same lawful process (court warrant, 
        order, subpoena, or certification) used to obtain access to the 
        stored wire and electronic communications and transactional 
        records.
            ``(B) The notification required under section 2703(b) 
        shall, in the event that encrypted wire or electronic 
        communications were obtained from electronic storage, include 
        notice of the fact that a key to such communications was or was 
        not released or decryption assistance was or was not provided 
        by a key holder.
            ``(C) In compliance with the lawful process under 
        subparagraph (A), the key holder shall provide only such key 
        release or decryption assistance as is necessary for access to 
        the communications covered by such lawful process.
            ``(3) Use of key.--(A) An investigative or law enforcement 
        officer to whom a key has been released under this subsection 
        may use the key only in the manner and for the purpose and 
        duration that is expressly provided for in the court order or 
        other provision of law authorizing such release and use, not to 
        exceed the duration of the electronic surveillance for which 
        the key was released.
            ``(B) On or before completion of the authorized release 
        period, the investigative or law enforcement officer to whom a 
        key has been released shall destroy and not retain the released 
        key.
            ``(C) The inventory required to be served pursuant to 
        section 2518(8)(d) on persons named in the order or the 
        application under section 2518(7)(b), and such other parties to 
        intercepted communications as the judge may determine, in the 
        interest of justice, shall, in the event that encrypted wire or 
        electronic communications were intercepted, include notice of 
        the fact that during the period of the order or extensions 
        thereof a key to, or decryption assistance for, any encrypted 
        wire or electronic communications of the person or party 
        intercepted was or was not provided by a key holder.
            ``(4) Nondisclosure of release.--No key holder, officer, 
        employee, or agent thereof shall disclose the key release or 
        provision of decryption assistance pursuant to subsection (b), 
        except as may otherwise be required by legal process and then 
        only after prior notification to the Attorney General or to the 
        principal prosecuting attorney of a State or any political 
        subdivision of a State, as may be appropriate.
    ``(d) Records or Other Information Held by Key Holders.--A key 
holder, shall not disclose a record or other information (not including 
the key) pertaining to any person whose key is being held or managed by 
the key holder, except--
            ``(1) with the lawful consent of the person whose key is 
        being held or managed by the key holder; or
            ``(2) to an investigative or law enforcement officer 
        pursuant to a subpoena authorized under Federal or State law, 
        court order, or lawful process.
An investigative or law enforcement officer receiving a record or 
information under paragraph (2) is not required to provide notice to 
the person to whom the record or information pertains. Any disclosure 
in violation of this subsection shall render the person committing the 
violation liable for the civil damages provided for in subsection (f).
    ``(e) Criminal Penalties.--The punishment for an offense under 
subsection (a) of this section is--
            ``(1) if the offense is committed for a tortious, 
        malicious, or illegal purpose, or for purposes of direct or 
        indirect commercial advantage or private commercial gain--
                    ``(A) a fine under this title or imprisonment for 
                not more than 1 year, or both, in the case of a first 
                offense under this subparagraph; or
                    ``(B) a fine under this title or imprisonment for 
                not more than 2 years, or both, for any second or 
                subsequent offense; and
            ``(2) in any other case where the offense is committed 
        recklessly or intentionally, a fine of not more than $5,000 or 
        imprisonment for not more than 6 months, or both.
    ``(f) Civil Damages.--
            ``(1) In general.--Any person aggrieved by any act of a 
        person in violation of subsections (a) or (d) may in a civil 
        action recover from such person appropriate relief.
            ``(2) Relief.--In an action under this subsection, 
        appropriate relief includes--
                    ``(A) such preliminary and other equitable or 
                declaratory relief as may be appropriate;
                    ``(B) damages under paragraph (3) and punitive 
                damages in appropriate cases; and
                    ``(C) a reasonable attorney's fee and other 
                litigation costs reasonably incurred.
            ``(3) Computation of damages.--The court may assess as 
        damages whichever is the greater of--
                    ``(A) the sum of the actual damages suffered by the 
                plaintiff and any profits made by the violator as a 
                result of the violation; or
                    ``(B) statutory damages in the amount of $5,000.
            ``(4) Limitation.--A civil action under this subsection 
        shall not be commenced later than 2 years after the date upon 
        which the plaintiff first knew or should have known of the 
        violation.
    ``(g) Defense.--It shall be a complete defense against any civil or 
criminal action brought under this chapter that the defendant acted in 
good faith reliance upon a court warrant or order, grand jury or trial 
subpoena, or statutory authorization.
``Sec. 2803. Reporting requirements
    ``(a) In General.--In reporting to the Administrative Office of the 
United States Courts as required under section 2519(2) of this title, 
the Attorney General, an Assistant Attorney General specially 
designated by the Attorney General, the principal prosecuting attorney 
of a State, or the principal prosecuting attorney of any political 
subdivision of a State, shall report on the number of orders and 
extensions served on key holders to obtain access to decryption keys or 
decryption assistance.
    ``(b) Requirements.--The Director of the Administrative Office of 
the United States Courts shall include as part of the report 
transmitted to the Congress under section 2519(3) of this title, the 
number of orders and extensions served on key holders to obtain access 
to decryption keys or decryption assistance and the offenses for which 
the orders were obtained.
``Sec. 2804. Unlawful use of encryption to obstruct justice
    ``Whoever willfully endeavors by means of encryption to obstruct, 
impede, or prevent the communication of information in furtherance of a 
felony which may be prosecuted in a court of the United States, to an 
investigative or law enforcement officer shall--
            ``(1) in the case of a first conviction, be sentenced to 
        imprisonment for not more than 5 years, fined under this title, 
        or both; or
            ``(2) in the case of a second or subsequent conviction, be 
        sentenced to imprisonment for not more than 10 years, fined 
        under this title, or both.
``Sec. 2805. Freedom to sell encryption products
    ``(a) In General.--It shall be lawful for any person within any 
State of the United States, the District of Columbia, the Commonwealth 
of Puerto Rico, and any territory or possession of the United States, 
to sell in interstate commerce any encryption, regardless of encryption 
algorithm selected, encryption key length chosen, or implementation 
technique or medium used.
    ``(b) Control of Exports by Secretary of Commerce.--
            ``(1) General rule.--Notwithstanding any other law, subject 
        to paragraphs (2), (3), and (4), the Secretary of Commerce 
        shall have exclusive authority to control exports of all 
        computer hardware, software, and technology for information 
        security (including encryption), except computer hardware, 
        software, and technology that is specifically designed or 
        modified for military use, including command, control, and 
        intelligence applications.
            ``(2) Items not requiring licenses.--No validated license 
        may be required, except pursuant to the Trading With The Enemy 
        Act or the International Emergency Economic Powers Act (IEEPA) 
        (but only to the extent that the authority of the IEEPA is not 
        exercised to extend controls imposed under the Export 
        Administration Act of 1979), for the export or reexport of--
                    ``(A) any software, including software with 
                encryption capabilities, that is--
                            ``(i) generally available, as is, and 
                        designed for installation by the purchaser; or
                            ``(ii) in the public domain or publicly 
                        available because it is generally accessible to 
                        the interested public in any form; or
                    ``(B) any computing device solely because it 
                incorporates or employs in any form software (including 
                software with encryption capabilities) exempted from 
                any requirement for a validated license under 
                subparagraph (A).
            ``(3) Software with encryption capabilities.--The Secretary 
        of Commerce shall authorize the export or reexport of software 
        with encryption capabilities for nonmilitary end-uses in any 
        country to which exports of software of similar capability are 
        permitted for use by financial institutions not controlled in 
        fact by United States persons, unless there is substantial 
        evidence that such software will be--
                    ``(A) diverted to a military end-use or an end-use 
                supporting international terrorism;
                    ``(B) modified for military or terrorist end-use; 
                or
                    ``(C) reexported without requisite United States 
                authorization.
            ``(4) Hardware with encryption capabilities.--The Secretary 
        shall authorize the export or reexport of computer hardware 
        with encryption capabilities if the Secretary determines that a 
        product offering comparable security is commercially available 
        from a foreign supplier without effective restrictions outside 
        the United States.
            ``(5) Definitions.--As used in this subsection--
                    ``(A) the term `generally available' means, in the 
                case of software (including software with encryption 
                capabilities), software that is widely offered for 
                sale, license, or transfer including, but not limited 
                to, over-the-counter retail sales, mail order 
                transactions, phone order transactions, electronic 
                distribution, or sale on approval;
                    ``(B) the term `as is' means, in the case of 
                software (including software with encryption 
                capabilities), a software program that is not designed, 
                developed, or tailored by the software company for 
                specific purchasers, except that such purchasers may 
                supply certain installation parameters needed by the 
                software program to function properly with the 
                purchaser's system and may customize the software 
                program by choosing among options contained in the 
                software program;
                    ``(C) the term `is designed for installation by the 
                purchaser' means, in the case of software (including 
                software with encryption capabilities)--
                            ``(i) the software company intends for the 
                        purchaser (including any licensee or 
                        transferee), who may not be the actual program 
                        user, to install the software program on a 
                        computing device and has supplied the necessary 
                        instructions to do so, except that the company 
                        may also provide telephone help-line services 
                        for software installation, electronic 
                        transmission, or basic operations; and
                            ``(ii) that the software program is 
                        designed for installation by the purchaser 
                        without further substantial support by the 
                        supplier;
                    ``(D) the term `computing device' means a device 
                which incorporates one or more microprocessor-based 
                central processing units that can accept, store, 
                process, or provide output of data; and
                    ``(E) the term `computer hardware', when used in 
                conjunction with information security, includes, but is 
                not limited to, computer systems, equipment, 
                application-specific assemblies, modules, and 
                integrated circuits.''.
    (b) Technical Amendment.--The table of chapters for part I of title 
18, United States Code, is amended by inserting after the item relating 
to chapter 33, the following new item:

``122. Encrypted wire and electronic communications.........    2801''.

SEC. 6. INTELLIGENCE ACTIVITIES.

    (a) Construction.--Nothing in this Act or the amendments made by 
this Act constitutes authority for the conduct of any intelligence 
activity.
    (b) Certain Conduct.--Nothing in this Act or the amendments made by 
this Act shall affect the conduct, by officers or employees of the 
United States Government in accordance with other applicable Federal 
law, under procedures approved by the Attorney General, or activities 
intended to--
            (1) intercept encrypted or other official communications of 
        United States executive branch entities or United States 
        Government contractors for communications security purposes;
            (2) intercept radio communications transmitted between or 
        among foreign powers or agents of a foreign power as defined by 
        the Foreign Intelligence Surveillance Act of 1978; or
            (3) access an electronic communication system used 
        exclusively by a foreign power or agent of a foreign power as 
        defined by the Foreign Intelligence Surveillance Act of 1978.
                                 <all>
S 1587 IS----2