[Congressional Bills 104th Congress]
[From the U.S. Government Publishing Office]
[S. 1587 Introduced in Senate (IS)]
2d Session
S. 1587
To affirm the rights of Americans to use and sell encryption products,
to establish privacy standards for voluntary escrowed encryption
systems, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
March 5, 1996
Mr. Leahy (for himself, Mr. Burns, Mr. Dole, Mr. Pressler, and Mrs.
Murray) introduced the following bill; which was read twice and
referred to the Committee on the Judiciary
_______________________________________________________________________
A BILL
To affirm the rights of Americans to use and sell encryption products,
to establish privacy standards for voluntary escrowed encryption
systems, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Encrypted Communications Privacy Act
of 1996''.
SEC. 2. PURPOSE.
It is the purpose of this Act--
(1) to ensure that Americans are able to have the maximum
possible choice in encryption methods to protect the security,
confidentiality, and privacy of their lawful wire or electronic
communications; and
(2) to establish privacy standards for key holders who are
voluntarily entrusted with the means to decrypt such
communications, and procedures by which investigative or law
enforcement officers may obtain assistance in decrypting such
communications.
SEC. 3. FINDINGS.
The Congress finds that--
(1) the digitization of information and the explosion in
the growth of computing and electronic networking offers
tremendous potential benefits to the way Americans live, work,
and are entertained, but also raises new threats to the privacy
of American citizens and the competitiveness of American
businesses;
(2) a secure, private, and trusted national and global
information infrastructure is essential to promote economic
growth, protect citizens' privacy, and meet the needs of
American citizens and businesses;
(3) the rights of Americans to the privacy and security of
their communications and in conducting their personal and
business affairs should be preserved and protected;
(4) the authority and ability of investigative and law
enforcement officers to access and decipher, in a timely manner
and as provided by law, wire and electronic communications
necessary to provide for public safety and national security
should also be preserved;
(5) individuals will not entrust their sensitive personal,
medical, financial, and other information to computers and
computer networks unless the security and privacy of that
information is assured;
(6) business will not entrust their proprietary and
sensitive corporate information, including information about
products, processes, customers, finances, and employees, to
computers and computer networks unless the security and privacy
of that information is assured;
(7) encryption technology can enhance the privacy,
security, confidentiality, integrity, and authenticity of wire
and electronic communications and stored electronic
information;
(8) encryption techniques, technology, programs, and
products are widely available worldwide;
(9) Americans should be free lawfully to use whatever
particular encryption techniques, technologies, programs, or
products developed in the marketplace they desire in order to
interact electronically worldwide in a secure, private, and
confidential manner;
(10) American companies should be free to compete and to
sell encryption technology, programs, and products;
(11) there is a need to develop a national encryption
policy that advances the development of the national and global
information infrastructure, and preserves Americans' right to
privacy and the Nation's public safety and national security;
(12) there is a need to clarify the legal rights and
responsibilities of key holders who are voluntarily entrusted
with the means to decrypt wire or electronic communications;
(13) the Congress and the American people have recognized
the need to balance the right to privacy and the protection of
the public safety and national security;
(14) the Congress has permitted lawful electronic
surveillance by investigative or law enforcement officers only
upon compliance with stringent statutory standards and procedures; and
(15) there is a need to clarify the standards and
procedures by which investigative or law enforcement officers
obtain assistance from key holders who are voluntarily
entrusted with the means to decrypt wire or electronic
communications, including such communications in electronic
storage.
SEC. 4. FREEDOM TO USE ENCRYPTION.
(a) Lawful Use of Encryption.--It shall be lawful for any person
within any State of the United States, the District of Columbia, the
Commonwealth of Puerto Rico, and any territory or possession of the
United States, and by United States persons in a foreign country to use
any encryption, regardless of encryption algorithm selected, encryption
key length chosen, or implementation technique or medium used except as
provided in this Act and the amendments made by this Act or in any
other law.
(b) General Construction.--Nothing in this Act or the amendments
made by this Act shall be construed to--
(1) require the use by any person of any form of
encryption;
(2) limit or affect the ability of any person to use
encryption without a key escrow function; or
(3) limit or affect the ability of any person who chooses
to use encryption with a key escrow function not to use a key
holder.
SEC. 5. ENCRYPTED WIRE AND ELECTRONIC COMMUNICATIONS.
(a) In General.--Part I of title 18, United States Code, is amended
by inserting after chapter 121 the following new chapter:
``CHAPTER 122--ENCRYPTED WIRE AND ELECTRONIC COMMUNICATIONS
``2801. Definitions.
``2802. Prohibited acts by key holders.
``2803. Reporting requirements.
``2804. Unlawful use of encryption to obstruct justice.
``2805. Freedom to sell encryption products.
``Sec. 2801. Definitions
``As used in this chapter--
``(1) the terms `person', `State', `wire communication',
`electronic communication', `investigative or law enforcement
officer', `judge of competent jurisdiction', and `electronic
storage' have the same meanings given such terms in section
2510 of this title;
``(2) the term `encryption' means the scrambling of wire or
electronic communications using mathematical formulas or
algorithms in order to preserve the confidentiality, integrity
or authenticity and prevent unauthorized recipients from
accessing or altering such communications;
``(3) the term `key holder' means a person located within
the United States (which may, but is not required to, be a
Federal agency) who is voluntarily entrusted by another
independent person with the means to decrypt that person's wire
or electronic communications for the purpose of subsequent
decryption of such communications;
``(4) the term `decryption key' means the variable
information used in a mathematical formula, code, or algorithm,
or any component thereof, used to decrypt wire or electronic
communications that have been encrypted; and
``(5) the term `decryption assistance' means providing
access, to the extent possible, to the plain text of encrypted
wire or electronic communications.
``Sec. 2802. Prohibited acts by key holders
``(a) Unauthorized Release of Key.--Except as provided in
subsection (b), any key holder who releases a decryption key or
provides decryption assistance shall be subject to the criminal
penalties provided in subsection (e) and to civil liability as provided
in subsection (f).
``(b) Authorized Release of Key.--A key holder shall only release a
decryption key in its possession or control or provide decryption
assistance--
``(1) with the lawful consent of the person whose key is
being held or managed by the key holder;
``(2) as may be necessarily incident to the holding or
management of the key by the key holder; or
``(3) to investigative or law enforcement officers
authorized by law to intercept wire or electronic
communications under chapter 119, to obtain access to stored
wire and electronic communications and transactional records
under chapter 121, or to conduct electronic surveillance, as
defined in section 101 of the Foreign Intelligence Surveillance
Act of 1978 (50 U.S.C. 1801), upon compliance with subsection
(c) of this section.
``(c) Requirements for Release of Decryption Key or Provision of
Decryption Assistance to Investigative or Law Enforcement Officer.--
``(1) Contents of wire and electronic communications.--A
key holder is authorized to release a decryption key or provide
decryption assistance to an investigative or law enforcement
officer authorized by law to conduct electronic surveillance
under chapter 119, only if--
``(A) the key holder is given--
``(i) a court order signed by a judge of
competent jurisdiction directing such release
or assistance; or
``(ii) a certification in writing by a
person specified in section 2518(7) or the
Attorney General stating that--
``(I) no warrant or court order is
required by law;
``(II) all requirements under
section 2518(7) have been met; and
``(III) the specified release or
assistance is required;
``(B) the order or certification under paragraph
(A)--
``(i) specifies the decryption key or
decryption assistance which is being sought;
and
``(ii) identifies the termination date of
the period for which release or assistance has
been authorized; and
``(C) in compliance with an order or certification
under subparagraph (A), the key holder shall provide
only such key release or decryption assistance as is
necessary for access to communications covered by
subparagraph (B).
``(2) Stored wire and electronic communications.--(A) A key
holder is authorized to release a decryption key or provide
decryption assistance to an investigative or law enforcement
officer authorized by law to obtain access to stored wire and
electronic communications and transactional records under
chapter 121, only if the key holder is directed to give such
assistance pursuant to the same lawful process (court warrant,
order, subpoena, or certification) used to obtain access to the
stored wire and electronic communications and transactional
records.
``(B) The notification required under section 2703(b)
shall, in the event that encrypted wire or electronic
communications were obtained from electronic storage, include
notice of the fact that a key to such communications was or was
not released or decryption assistance was or was not provided
by a key holder.
``(C) In compliance with the lawful process under
subparagraph (A), the key holder shall provide only such key
release or decryption assistance as is necessary for access to
the communications covered by such lawful process.
``(3) Use of key.--(A) An investigative or law enforcement
officer to whom a key has been released under this subsection
may use the key only in the manner and for the purpose and
duration that is expressly provided for in the court order or
other provision of law authorizing such release and use, not to
exceed the duration of the electronic surveillance for which
the key was released.
``(B) On or before completion of the authorized release
period, the investigative or law enforcement officer to whom a
key has been released shall destroy and not retain the released
key.
``(C) The inventory required to be served pursuant to
section 2518(8)(d) on persons named in the order or the
application under section 2518(7)(b), and such other parties to
intercepted communications as the judge may determine, in the
interest of justice, shall, in the event that encrypted wire or
electronic communications were intercepted, include notice of
the fact that during the period of the order or extensions
thereof a key to, or decryption assistance for, any encrypted
wire or electronic communications of the person or party
intercepted was or was not provided by a key holder.
``(4) Nondisclosure of release.--No key holder, officer,
employee, or agent thereof shall disclose the key release or
provision of decryption assistance pursuant to subsection (b),
except as may otherwise be required by legal process and then
only after prior notification to the Attorney General or to the
principal prosecuting attorney of a State or any political
subdivision of a State, as may be appropriate.
``(d) Records or Other Information Held by Key Holders.--A key
holder, shall not disclose a record or other information (not including
the key) pertaining to any person whose key is being held or managed by
the key holder, except--
``(1) with the lawful consent of the person whose key is
being held or managed by the key holder; or
``(2) to an investigative or law enforcement officer
pursuant to a subpoena authorized under Federal or State law,
court order, or lawful process.
An investigative or law enforcement officer receiving a record or
information under paragraph (2) is not required to provide notice to
the person to whom the record or information pertains. Any disclosure
in violation of this subsection shall render the person committing the
violation liable for the civil damages provided for in subsection (f).
``(e) Criminal Penalties.--The punishment for an offense under
subsection (a) of this section is--
``(1) if the offense is committed for a tortious,
malicious, or illegal purpose, or for purposes of direct or
indirect commercial advantage or private commercial gain--
``(A) a fine under this title or imprisonment for
not more than 1 year, or both, in the case of a first
offense under this subparagraph; or
``(B) a fine under this title or imprisonment for
not more than 2 years, or both, for any second or
subsequent offense; and
``(2) in any other case where the offense is committed
recklessly or intentionally, a fine of not more than $5,000 or
imprisonment for not more than 6 months, or both.
``(f) Civil Damages.--
``(1) In general.--Any person aggrieved by any act of a
person in violation of subsections (a) or (d) may in a civil
action recover from such person appropriate relief.
``(2) Relief.--In an action under this subsection,
appropriate relief includes--
``(A) such preliminary and other equitable or
declaratory relief as may be appropriate;
``(B) damages under paragraph (3) and punitive
damages in appropriate cases; and
``(C) a reasonable attorney's fee and other
litigation costs reasonably incurred.
``(3) Computation of damages.--The court may assess as
damages whichever is the greater of--
``(A) the sum of the actual damages suffered by the
plaintiff and any profits made by the violator as a
result of the violation; or
``(B) statutory damages in the amount of $5,000.
``(4) Limitation.--A civil action under this subsection
shall not be commenced later than 2 years after the date upon
which the plaintiff first knew or should have known of the
violation.
``(g) Defense.--It shall be a complete defense against any civil or
criminal action brought under this chapter that the defendant acted in
good faith reliance upon a court warrant or order, grand jury or trial
subpoena, or statutory authorization.
``Sec. 2803. Reporting requirements
``(a) In General.--In reporting to the Administrative Office of the
United States Courts as required under section 2519(2) of this title,
the Attorney General, an Assistant Attorney General specially
designated by the Attorney General, the principal prosecuting attorney
of a State, or the principal prosecuting attorney of any political
subdivision of a State, shall report on the number of orders and
extensions served on key holders to obtain access to decryption keys or
decryption assistance.
``(b) Requirements.--The Director of the Administrative Office of
the United States Courts shall include as part of the report
transmitted to the Congress under section 2519(3) of this title, the
number of orders and extensions served on key holders to obtain access
to decryption keys or decryption assistance and the offenses for which
the orders were obtained.
``Sec. 2804. Unlawful use of encryption to obstruct justice
``Whoever willfully endeavors by means of encryption to obstruct,
impede, or prevent the communication of information in furtherance of a
felony which may be prosecuted in a court of the United States, to an
investigative or law enforcement officer shall--
``(1) in the case of a first conviction, be sentenced to
imprisonment for not more than 5 years, fined under this title,
or both; or
``(2) in the case of a second or subsequent conviction, be
sentenced to imprisonment for not more than 10 years, fined
under this title, or both.
``Sec. 2805. Freedom to sell encryption products
``(a) In General.--It shall be lawful for any person within any
State of the United States, the District of Columbia, the Commonwealth
of Puerto Rico, and any territory or possession of the United States,
to sell in interstate commerce any encryption, regardless of encryption
algorithm selected, encryption key length chosen, or implementation
technique or medium used.
``(b) Control of Exports by Secretary of Commerce.--
``(1) General rule.--Notwithstanding any other law, subject
to paragraphs (2), (3), and (4), the Secretary of Commerce
shall have exclusive authority to control exports of all
computer hardware, software, and technology for information
security (including encryption), except computer hardware,
software, and technology that is specifically designed or
modified for military use, including command, control, and
intelligence applications.
``(2) Items not requiring licenses.--No validated license
may be required, except pursuant to the Trading With The Enemy
Act or the International Emergency Economic Powers Act (IEEPA)
(but only to the extent that the authority of the IEEPA is not
exercised to extend controls imposed under the Export
Administration Act of 1979), for the export or reexport of--
``(A) any software, including software with
encryption capabilities, that is--
``(i) generally available, as is, and
designed for installation by the purchaser; or
``(ii) in the public domain or publicly
available because it is generally accessible to
the interested public in any form; or
``(B) any computing device solely because it
incorporates or employs in any form software (including
software with encryption capabilities) exempted from
any requirement for a validated license under
subparagraph (A).
``(3) Software with encryption capabilities.--The Secretary
of Commerce shall authorize the export or reexport of software
with encryption capabilities for nonmilitary end-uses in any
country to which exports of software of similar capability are
permitted for use by financial institutions not controlled in
fact by United States persons, unless there is substantial
evidence that such software will be--
``(A) diverted to a military end-use or an end-use
supporting international terrorism;
``(B) modified for military or terrorist end-use;
or
``(C) reexported without requisite United States
authorization.
``(4) Hardware with encryption capabilities.--The Secretary
shall authorize the export or reexport of computer hardware
with encryption capabilities if the Secretary determines that a
product offering comparable security is commercially available
from a foreign supplier without effective restrictions outside
the United States.
``(5) Definitions.--As used in this subsection--
``(A) the term `generally available' means, in the
case of software (including software with encryption
capabilities), software that is widely offered for
sale, license, or transfer including, but not limited
to, over-the-counter retail sales, mail order
transactions, phone order transactions, electronic
distribution, or sale on approval;
``(B) the term `as is' means, in the case of
software (including software with encryption
capabilities), a software program that is not designed,
developed, or tailored by the software company for
specific purchasers, except that such purchasers may
supply certain installation parameters needed by the
software program to function properly with the
purchaser's system and may customize the software
program by choosing among options contained in the
software program;
``(C) the term `is designed for installation by the
purchaser' means, in the case of software (including
software with encryption capabilities)--
``(i) the software company intends for the
purchaser (including any licensee or
transferee), who may not be the actual program
user, to install the software program on a
computing device and has supplied the necessary
instructions to do so, except that the company
may also provide telephone help-line services
for software installation, electronic
transmission, or basic operations; and
``(ii) that the software program is
designed for installation by the purchaser
without further substantial support by the
supplier;
``(D) the term `computing device' means a device
which incorporates one or more microprocessor-based
central processing units that can accept, store,
process, or provide output of data; and
``(E) the term `computer hardware', when used in
conjunction with information security, includes, but is
not limited to, computer systems, equipment,
application-specific assemblies, modules, and
integrated circuits.''.
(b) Technical Amendment.--The table of chapters for part I of title
18, United States Code, is amended by inserting after the item relating
to chapter 33, the following new item:
``122. Encrypted wire and electronic communications......... 2801''.
SEC. 6. INTELLIGENCE ACTIVITIES.
(a) Construction.--Nothing in this Act or the amendments made by
this Act constitutes authority for the conduct of any intelligence
activity.
(b) Certain Conduct.--Nothing in this Act or the amendments made by
this Act shall affect the conduct, by officers or employees of the
United States Government in accordance with other applicable Federal
law, under procedures approved by the Attorney General, or activities
intended to--
(1) intercept encrypted or other official communications of
United States executive branch entities or United States
Government contractors for communications security purposes;
(2) intercept radio communications transmitted between or
among foreign powers or agents of a foreign power as defined by
the Foreign Intelligence Surveillance Act of 1978; or
(3) access an electronic communication system used
exclusively by a foreign power or agent of a foreign power as
defined by the Foreign Intelligence Surveillance Act of 1978.
<all>
S 1587 IS----2