[Congressional Bills 105th Congress]
[From the U.S. Government Publishing Office]
[S. 2067 Introduced in Senate (IS)]







105th CONGRESS
  2d Session
                                S. 2067

   To protect the privacy and constitutional rights of Americans, to 
establish standards and procedures regarding law enforcement access to 
     decryption assistance for encrypted communications and stored 
 electronic information, to affirm the rights of Americans to use and 
           sell encryption products, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                              May 12, 1998

Mr. Ashcroft (for himself, Mr. Leahy, Mr. Burns, Mr. Craig, Mrs. Boxer, 
    Mr. Faircloth, Mr. Wyden, Mr. Kempthorne, Mrs. Murray, and Mrs. 
  Hutchison) introduced the following bill; which was read twice and 
               referred to the Committee on the Judiciary

_______________________________________________________________________

                                 A BILL


 
   To protect the privacy and constitutional rights of Americans, to 
establish standards and procedures regarding law enforcement access to 
     decryption assistance for encrypted communications and stored 
 electronic information, to affirm the rights of Americans to use and 
           sell encryption products, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Encryption 
Protects the Rights of Individuals from Violation and Abuse in 
CYberspace (E-PRIVACY) Act''.
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Purposes.
Sec. 3. Findings. 
Sec. 4. Definitions.
     TITLE I--PRIVACY PROTECTION FOR COMMUNICATIONS AND ELECTRONIC 
                              INFORMATION

Sec. 101. Freedom to use encryption.
Sec. 102. Purchase and use of encryption products by the Federal 
                            Government.
Sec. 103. Enhanced privacy protection for information on computer 
                            networks. 
Sec. 104. Government access to location information.
Sec. 105. Enhanced privacy protection for transactional information 
                            obtained from pen registers or trap and 
                            trace devices.
                  TITLE II--LAW ENFORCEMENT ASSISTANCE

Sec. 201. Encrypted wire or electronic communications and stored 
                            electronic communications.
               TITLE III--EXPORTS OF ENCRYPTION PRODUCTS

Sec. 301. Commercial encryption products.
Sec. 302. License exception for mass market products.
Sec. 303. License exception for products without encryption capable of 
                            working with encryption products.
Sec. 304. License exception for product support and consulting 
                            services.
Sec. 305. License exception when comparable foreign products available.
Sec. 306. No export controls on encryption products used for 
                            nonconfidentiality purposes.
Sec. 307. Applicability of general export controls.
Sec. 308. Foreign trade barriers to United States products.

SEC. 2. PURPOSES.

    The purposes of this Act are--
            (1) to ensure that Americans have the maximum possible 
        choice in encryption methods to protect the security, 
        confidentiality, and privacy of their lawful wire and 
        electronic communications and stored electronic information;
            (2) to promote the privacy and constitutional rights of 
        individuals and organizations in networked computer systems and 
        other digital environments, protect the confidentiality of 
        information and security of critical infrastructure systems 
        relied on by individuals, businesses and government agencies, 
        and properly balance the needs of law enforcement to have the 
        same access to electronic communications and information as 
        under current law; and
            (3) to establish privacy standards and procedures by which 
        investigative or law enforcement officers may obtain decryption 
        assistance for encrypted communications and stored electronic 
        information.

SEC. 3. FINDINGS.

    Congress finds that--
            (1) the digitization of information and the explosion in 
        the growth of computing and electronic networking offers 
        tremendous potential benefits to the way Americans live, work, 
        and are entertained, but also raises new threats to the privacy 
        of American citizens and the competitiveness of American 
        businesses;
            (2) a secure, private, and trusted national and global 
        information infrastructure is essential to promote economic 
        growth, protect privacy, and meet the needs of American 
        citizens and businesses;
            (3) the rights of Americans to the privacy and security of 
        their communications and in the conducting of personal and 
        business affairs should be promoted and protected;
            (4) the authority and ability of investigative and law 
        enforcement officers to access and decipher, in a timely manner 
        and as provided by law, wire and electronic communications, and 
        stored electronic information necessary to provide for public 
        safety and national security should also be preserved;
            (5) individuals will not entrust their sensitive personal, 
        medical, financial, and other information to computers and 
        computer networks unless the security and privacy of that 
        information is assured;
            (6) businesses will not entrust their proprietary and 
        sensitive corporate information, including information about 
        products, processes, customers, finances, and employees, to 
        computers and computer networks unless the security and privacy 
        of that information is assured;
            (7) America's critical infrastructures, including its 
        telecommunications system, banking and financial 
        infrastructure, and power and transportation infrastructure, 
        increasingly rely on vulnerable information systems, and will 
        represent a growing risk to national security and public safety 
        unless the security and privacy of those information systems is 
        assured;
            (8) encryption technology is an essential tool to promote 
        and protect the privacy, security, confidentiality, integrity, 
        and authenticity of wire and electronic communications and 
        stored electronic information;
            (9) encryption techniques, technology, programs, and 
        products are widely available worldwide;
            (10) Americans should be free to use lawfully whatever 
        particular encryption techniques, technologies, programs, or 
        products developed in the marketplace that best suits their 
        needs in order to interact electronically with the government 
        and others worldwide in a secure, private, and confidential 
        manner;
            (11) government mandates for, or otherwise compelled use 
        of, third-party key recovery systems or other systems that 
        provide surreptitious access to encrypted data threatens the 
        security and privacy of information systems;
            (12) American companies should be free to compete and sell 
        encryption technology, programs, and products, and to exchange 
        encryption technology, programs, and products through the use 
        of the Internet, which is rapidly emerging as the preferred 
method of distribution of computer software and related information;
            (13) a national encryption policy is needed to advance the 
        development of the national and global information 
        infrastructure, and preserve the right to privacy of Americans 
        and the public safety and national security of the United 
        States;
            (14) Congress and the American people have recognized the 
        need to balance the right to privacy and the protection of the 
        public safety with national security;
            (15) the Constitution of the United States permits lawful 
        electronic surveillance by investigative or law enforcement 
        officers and the seizure of stored electronic information only 
        upon compliance with stringent standards and procedures; and
            (16) there is a need to clarify the standards and 
        procedures by which investigative or law enforcement officers 
        obtain decryption assistance from persons--
                    (A) who are voluntarily entrusted with the means to 
                decrypt wire and electronic communications and stored 
                electronic information; or
                    (B) have information that enables the decryption of 
                such communications and information.

SEC. 4. DEFINITIONS.

    In this Act:
            (1) Agency.--The term ``agency'' has the meaning given the 
        term in section 6 of title 18, United States Code.
            (2) Computer hardware.--The term ``computer hardware'' 
        includes computer systems, equipment, application-specific 
        assemblies, smart cards, modules, and integrated circuits.
            (3) Computing device.--The term ``computing device'' means 
        a device that incorporates 1 or more microprocessor-based 
        central processing units that are capable of accepting, 
        storing, processing, or providing output of data.
            (4) Encrypt and encryption.--The terms ``encrypt'' and 
        ``encryption'' refer to the scrambling (and descrambling) of 
        wire communications, electronic communications, or 
        electronically stored information, using mathematical formulas 
        or algorithms in order to preserve the confidentiality, 
        integrity, or authenticity of, and prevent unauthorized 
        recipients from accessing or altering, such communications or 
        information.
            (5) Encryption product.--The term ``encryption product''--
                    (A) means a computing device, computer hardware, 
                computer software, or technology, with encryption 
                capabilities; and
                    (B) includes any subsequent version of or update to 
                an encryption product, if the encryption capabilities 
                are not changed.
            (6) Exportable.--The term ``exportable'' means the ability 
        to transfer, ship, or transmit to foreign users.
            (7) Key.--The term ``key'' means the variable information 
        used in or produced by a mathematical formula, code, or 
        algorithm, or any component thereof, used to encrypt or decrypt 
        wire communications, electronic communications, or 
        electronically stored information.
            (8) Person.--The term ``person'' has the meaning given the 
        term in section 2510(6) of title 18, United States Code.
            (9) Remote computing service.--The term ``remote computing 
        service'' has the meaning given the term in section 2711(2) of 
        title 18, United States Code.
            (10) State.--The term ``State'' has the meaning given the 
        term in section 3156(a)(5) of title 18, United States Code.
            (11) Technical review.--The term ``technical review'' means 
        a review by the Secretary, based on information about a 
        product's encryption capabilities supplied by the manufacturer, 
        that an encryption product works as represented.
            (12) United states person.--The term ``United States 
        person'' means any--
                    (A) United States citizen; or
                    (B) any legal entity that--
                            (i) is organized under the laws of the 
                        United States, or any State, the District of 
                        Columbia, or any commonwealth, territory, or 
                        possession of the United States; and
                            (ii) has its principal place of business in 
                        the United States.

     TITLE I--PRIVACY PROTECTION FOR COMMUNICATIONS AND ELECTRONIC 
                              INFORMATION

SEC. 101. FREEDOM TO USE ENCRYPTION.

    (a) In General.--Except as otherwise provided by this Act and the 
amendments made by this Act, it shall be lawful for any person within 
the United States, and for any United States person in a foreign 
country, to use, develop, manufacture, sell, distribute, or import any 
encryption product, regardless of the encryption algorithm selected, 
encryption key length chosen, existence of key recovery or other 
plaintext access capability, or implementation or medium used.
    (b) Prohibition on Government-Compelled Key Escrow or Key Recovery 
Encryption.--
            (1) In general.--Except as provided in paragraph (3), no 
        agency of the United States nor any State may require, compel, 
        set standards for, condition any approval on, or condition the 
        receipt of any benefit on, a requirement that a decryption key, 
        access to a decryption key, key recovery information, or other 
        plaintext access capability be--
                    (A) given to any other person, including any agency 
                of the United States or a State, or any entity in the 
                private sector; or
                    (B) retained by any person using encryption.
            (2) Use of particular products.--No agency of the United 
        States may require any person who is not an employee or agent 
        of the United States or a State to use any key recovery or 
        other plaintext access features for communicating or 
        transacting business with any agency of the United States.
            (3) Exception.--The prohibition in paragraph (1) does not 
        apply to encryption used by an agency of the United States or a 
        State, or the employees or agents of such an agency, solely for 
        the internal operations and telecommunications systems of the 
        United States or the State.
    (c) Use of Encryption for Authentication or Integrity Purposes.--
            (1) In general.--The use, development, manufacture, sale, 
        distribution and import of encryption products, standards, and 
        services for purposes of assuring the confidentiality, 
        authenticity, or integrity or access control of electronic 
        information shall be voluntary and market driven.
            (2) Conditions.--No agency of the United States or a State 
        shall establish any condition, tie, or link between encryption 
        products, standards, and services used for confidentiality, and 
        those used for authentication, integrity, or access control 
        purposes.

SEC. 102. PURCHASE AND USE OF ENCRYPTION PRODUCTS BY THE FEDERAL 
              GOVERNMENT.

    (a) Purchases.--An agency of the United States may purchase 
encryption products for--
            (1) the internal operations and telecommunications systems 
        of the agency; or
            (2) use by, among, and between that agency and any other 
        agency of the United States, the employees of the agency, or 
        persons operating under contract with the agency.
    (b) Interoperability.--To ensure that secure electronic access to 
the Government is available to persons outside of and not operating 
under contract with agencies of the United States, the United States 
shall purchase no encryption product with a key recovery or other 
plaintext access feature if such key recovery or plaintext access 
feature would interfere with use of the product's full encryption 
capabilities when interoperating with other commercial encryption 
products.

SEC. 103. ENHANCED PRIVACY PROTECTION FOR INFORMATION ON COMPUTER 
              NETWORKS.

    Section 2703 of title 18, United States Code, is amended by adding 
at the end the following:
    ``(g) Access to Stored Electronic Information.--
            ``(1) Disclosure.--
                    ``(A) In general.--Subject to subparagraph (B), a 
                governmental entity may require the disclosure by a 
                provider of a remote computing service of the contents 
                of an electronic record in networked electronic storage 
                only if the person who created the record is accorded 
                the same protections that would be available if the 
                record had remained in that person's possession.
                    ``(B) Networked electronic storage.--In addition to 
                the requirements of subparagraph (A) and subject to 
                paragraph (2), a governmental entity may require the 
                disclosure of the contents of an electronic record in 
                networked electronic storage only--
                            ``(i) pursuant to a warrant issued under 
                        the Federal Rules of Criminal Procedure or 
                        equivalent State warrant, a copy of which 
                        warrant shall be served on the person who 
                        created the record prior to or at the same time 
                        the warrant is served on the provider of the 
                        remote computing service;
                            ``(ii) pursuant to a subpoena issued under 
                        the Federal Rules of Criminal Procedure or 
                        equivalent State warrant, a copy of which 
                        subpoena shall be served on the person who 
                        created the record, under circumstances 
                        allowing that person a meaningful opportunity 
                        to challenge the subpoena; or
                            ``(iii) upon the consent of the person who 
                        created the record.
            ``(2) Definition.--In this subsection, an electronic record 
        is in `networked electronic storage' if--
                    ``(A) it is not covered by subsection (a) of this 
                section;
                    ``(B) the person holding the record is not 
                authorized to access the contents of such record for 
                any purposes other than in connection with providing 
                the service of storage; and
                    ``(C) the person who created the record is able to 
                access and modify it remotely through electronic 
                means.''.

SEC. 104. GOVERNMENT ACCESS TO LOCATION INFORMATION.

    (a) Court Order Required.--Section 2703 of title 18, United States 
Code, is amended by adding at the end the following:
    ``(h) Requirements for Disclosure of Location Information.--A 
provider of mobile electronic communication service shall provide to a 
governmental entity information generated by and disclosing, on a real 
time basis, the physical location of a subscriber's equipment only if 
the governmental entity obtains a court order issued upon a finding 
that there is probable cause to believe that an individual using or 
possessing the subscriber equipment is committing, has committed, or is 
about to commit a felony offense.''.
    (b) Conforming Amendment.--Section 2703(c)(1)(B) of title 18, 
United States Code, is amended by inserting ``or wireless location 
information covered by subsection (g) of this section'' after ``(b) of 
this section''.

SEC. 105. ENHANCED PRIVACY PROTECTION FOR TRANSACTIONAL INFORMATION 
              OBTAINED FROM PEN REGISTERS OR TRAP AND TRACE DEVICES.

    Subsection 3123(a) of title 18, United States Code, is amended to 
read as follows:
    ``(a) In General.--Upon an application made under section 3122, the 
court may enter an ex parte order--
            ``(1) authorizing the installation and use of a pen 
        register or a trap and trace device within the jurisdiction of 
        the court if the court finds, based on the certification by the 
        attorney for the Government or the State law enforcement or 
        investigative officer, that the information likely to be 
        obtained by such installation and use is relevant to an ongoing 
        criminal investigation; and
            ``(2) directing that the use of the pen register or trap 
        and trace device be conducted in such a way as to minimize the 
        recording or decoding of any electronic or other impulses that 
        are not related to the dialing and signaling information 
        utilized in call processing.''.

                  TITLE II--LAW ENFORCEMENT ASSISTANCE

SEC. 201. ENCRYPTED WIRE OR ELECTRONIC COMMUNICATIONS AND STORED 
              ELECTRONIC COMMUNICATIONS.

    (a) In General.--Part I of title 18, United States Code, is amended 
by inserting after chapter 123 the following:

 ``CHAPTER 124--ENCRYPTED WIRE OR ELECTRONIC COMMUNICATIONS AND STORED 
                         ELECTRONIC INFORMATION

``Sec.
``2801. Definitions.
``2802. Unlawful use of encryption.
``2803. Access to decryption assistance for communications.
``2804. Access to decryption assistance for stored electronic 
                            communications or records.
``2805. Foreign government access to decryption assistance.
``2806. Establishment and operations of National Electronic 
                            Technologies Center.
``Sec. 2801. Definitions
    ``In this chapter:
            ``(1) Decryption assistance.--The term `decryption 
        assistance' means assistance that provides or facilitates 
        access to the plaintext of an encrypted wire or electronic 
        communication or stored electronic information, including the 
        disclosure of a decryption key or the use of a decryption key 
        to produce plaintext.
            ``(2) Decryption key.--The term `decryption key' means the 
        variable information used in or produced by a mathematical 
        formula, code, or algorithm, or any component thereof, used to 
        decrypt a wire communication or electronic communication or 
        stored electronic information that has been encrypted.
            ``(3) Encrypt; encryption.--The terms `encrypt' and 
        `encryption' refer to the scrambling (and descrambling) of wire 
        communications, electronic communications, or electronically 
        stored information, using mathematical formulas or algorithms 
        in order to preserve the confidentiality, integrity, or 
        authenticity of, and prevent unauthorized recipients from 
        accessing or altering, such communications or information.
            ``(4) Foreign government.--The term `foreign government' 
        has the meaning given the term in section 1116.
            ``(5) Official request.--The term `official request' has 
        the meaning given the term in section 3506(c).
            ``(6) Incorporated definitions.--Any term used in this 
        chapter that is not defined in this chapter and that is defined 
        in section 2510, has the meaning given the term in section 
        2510.
``Sec. 2802. Unlawful use of encryption
    ``Any person who, during the commission of a felony under Federal 
law, knowingly and willfully encrypts any incriminating communication 
or information relating to that felony, with the intent to conceal that 
communication or information for the purpose of avoiding detection by a 
law enforcement agency or prosecutor--
            ``(1) in the case of a first offense under this section, 
        shall be imprisoned not more than 5 years, fined under this 
        title, or both; and
            ``(2) in the case of a second or subsequent offense under 
        this section, shall be imprisoned not more than 10 years, fined 
        under this title, or both.
``Sec. 2803. Access to decryption assistance for communications
    ``(a) Criminal Investigations.--
            ``(1) In general.--An order authorizing the interception of 
        a wire or electronic communication under section 2518 shall, 
        upon request of the applicant, direct that a provider of wire 
        or electronic communication service, or any other person 
        possessing information capable of decrypting that 
        communication, other than a person whose communications are the 
        subject of the interception, shall promptly furnish the 
        applicant with the necessary decryption assistance, if the 
        court finds that the decryption assistance sought is necessary 
        for the decryption of a communication intercepted pursuant to 
        the order.
            ``(2) Limitations.--Each order described in paragraph (1), 
        and any extension of such an order, shall--
                    ``(A) contain a provision that the decryption 
                assistance provided shall involve disclosure of a 
                private key only if no other form of decryption 
                assistance is available and otherwise shall be limited 
                to the minimum necessary to decrypt the communications 
                intercepted pursuant to this chapter; and
                    ``(B) terminate on the earlier of--
                            ``(i) the date on which the authorized 
                        objective is attained; or
                            ``(ii) 30 days after the date on which the 
                        order or extension, as applicable, is issued.
            ``(3) Notice.--If decryption assistance is provided 
        pursuant to an order under this subsection, the court issuing 
        the order described in paragraph (1)--
                    ``(A) shall cause to be served on the person whose 
                communications are the subject of such decryption 
                assistance, as part of the inventory required to be 
                served pursuant to section 2518(8), notice of the 
                receipt of the decryption assistance and a specific 
                description of the keys or other assistance disclosed; 
                and
                    ``(B) upon the filing of a motion and for good 
                cause shown, shall make available to such person, or to 
                counsel for that person, for inspection, the 
                intercepted communications to which the decryption 
                assistance related, except that on an ex parte showing 
                of good cause, the serving of the inventory required by 
                section 2518(8) may be postponed.
    ``(b) Foreign Intelligence Investigations.--
            ``(1) In general.--An order authorizing the interception of 
        a wire or electronic communication under section 105(b)(2) of 
        the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 
        1805(b)(2)) shall, upon request of the applicant, direct that a 
        provider of wire or electronic communication service or any 
        other person possessing information capable of decrypting such 
        communications, other than a person whose communications are 
        the subject of the interception, shall promptly furnish the 
        applicant with the necessary decryption assistance, if the 
        court finds that the decryption assistance sought is necessary 
        for the decryption of a communication intercepted pursuant to 
        the order.
            ``(2) Limitations.--Each order described in paragraph (1), 
        and any extension of such an order, shall--
                    ``(A) contain a provision that the decryption 
                assistance provided shall be limited to the minimum 
                necessary to decrypt the communications intercepted 
                pursuant to this chapter; and
                    ``(B) terminate on the earlier of--
                            ``(i) the date on which the authorized 
                        objective is attained; or
                            ``(ii) 30 days after the date on which the 
                        order or extension, as applicable, is issued.
    ``(c) General Prohibition on Disclosure.--Other than pursuant to an 
order under subsection (a) or (b) of this section, no person possessing 
information capable of decrypting a wire or electronic communication of 
another person shall disclose that information or provide decryption 
assistance to an investigative or law enforcement officer (as defined 
in section 2510(7)).
``Sec. 2804. Access to decryption assistance for stored electronic 
              communications or records
    ``(a) Decryption Assistance.--No person may disclose a decryption 
key or provide decryption assistance pertaining to the contents of 
stored electronic communications or records, including those disclosed 
pursuant to section 2703, to a governmental entity, except--
            ``(1) pursuant to a warrant issued under the Federal Rules 
        of Criminal Procedure or an equivalent State warrant, a copy of 
        which warrant shall be served on the person who created the 
        electronic communication prior to or at the same time service 
        is made on the keyholder;
            ``(2) pursuant to a subpoena, a copy of which subpoena 
        shall be served on the person who created the electronic 
        communication or record, under circumstances allowing the 
        person meaningful opportunity to challenge the subpoena; or
            ``(3) upon the consent of the person who created the 
        electronic communication or record.
    ``(b) Delay of Notification.--In the case of communications 
disclosed pursuant to section 2703(a), service of the copy of the 
warrant or subpoena on the person who created the electronic 
communication under subsection (a) may be delayed for a period of not 
to exceed 90 days upon request to the court by the governmental entity 
requiring the decryption assistance, if the court determines that there 
is reason to believe that notification of the existence of the court 
order or subpoena may have an adverse result described in section 
2705(a)(2).
``Sec. 2805. Foreign government access to decryption assistance
    ``(a) In General.--No investigative or law enforcement officer 
may--
            ``(1) release a decryption key to a foreign government or 
        to a law enforcement agency of a foreign government; or
            ``(2) except as provided in subsection (b), provide 
        decryption assistance to a foreign government or to a law 
        enforcement agency of a foreign government.
    ``(b) Conditions for Cooperation With Foreign Government.--
            ``(1) Application for an order.--In any case in which the 
        United States has entered into a treaty or convention with a 
        foreign government to provide mutual assistance with respect to 
        providing decryption assistance, the Attorney General (or the 
        designee of the Attorney General) may, upon an official request 
        to the United States from the foreign government, apply for an 
        order described in paragraph (2) from the district court in 
        which the person possessing information capable of decrypting 
        the communication or information at issue resides--
                    ``(A) directing that person to release a decryption 
                key or provide decryption assistance to the Attorney 
                General (or the designee of the Attorney General); and
                    ``(B) authorizing the Attorney General (or the 
                designee of the Attorney General) to furnish the 
                foreign government with the plaintext of the encrypted 
                communication or stored electronic information at 
                issue.
            ``(2) Contents of order.--An order is described in this 
        paragraph if it is an order directing the person possessing 
        information capable of decrypting the communication or 
        information at issue to--
                    ``(A) release a decryption key to the Attorney 
                General (or the designee of the Attorney General) so 
                that the plaintext of the communication or information 
                may be furnished to the foreign government; or
                    ``(B) provide decryption assistance to the Attorney 
                General (or the designee of the Attorney General) so 
                that the plaintext of the communication or information 
                may be furnished to the foreign government.
            ``(3) Requirements for order.--The court described in 
        paragraph (1) may issue an order described in paragraph (2) if 
        the court finds, on the basis of an application made by the 
        Attorney General under this subsection, that--
                    ``(A) the decryption key or decryption assistance 
                sought is necessary for the decryption of a 
                communication or information that the foreign 
                government is authorized to intercept or seize pursuant 
                to the law of that foreign country;
                    ``(B) the law of the foreign country provides for 
                adequate protection against arbitrary interference with 
                respect to privacy rights; and
                    ``(C) the decryption key or decryption assistance 
                is being sought in connection with a criminal 
                investigation for conduct that would constitute a 
                violation of a criminal law of the United States if 
                committed within the jurisdiction of the United States.
``Sec. 2806. Establishment and operations of National Electronic 
              Technologies Center
    ``(a) National Electronic Technologies Center.--
            ``(1) Establishment.--There is established in the 
        Department of Justice a National Electronic Technologies Center 
        (referred to in this section as the `NET Center').
            ``(2) Director.--The NET Center shall be administered by a 
        Director (referred to in this section as the `Director'), who 
        shall be appointed by the Attorney General.
            ``(3) Duties.--The NET Center shall--
                    ``(A) serve as a center for Federal, State, and 
                local law enforcement authorities for information and 
                assistance regarding decryption and other access 
                requirements;
                    ``(B) serve as a center for industry and government 
                entities to exchange information and methodology 
                regarding information security techniques and 
                technologies;
                    ``(C) support and share information and methodology 
                regarding information security techniques and 
                technologies with the Computer Investigations and 
                Infrastructure Threat Assessment Center (CITAC) and 
                Field Computer Investigations and Infrastructure Threat 
                Assessment (CITA) Squads of the Federal Bureau of 
                Investigation;
                    ``(D) examine encryption techniques and methods to 
                facilitate the ability of law enforcement to gain 
                efficient access to plaintext of communications and 
                electronic information;
                    ``(E) conduct research to develop efficient 
                methods, and improve the efficiency of existing 
                methods, of accessing plaintext of communications and 
                electronic information;
                    ``(F) investigate and research new and emerging 
                techniques and technologies to facilitate access to 
                communications and electronic information, including--
                            ``(i) reverse-stenography;
                            ``(ii) decompression of information that 
                        previously has been compressed for 
                        transmission; and
                            ``(iii) demultiplexing;
                    ``(G) investigate and research interception and 
                access techniques that preserve the privacy and 
                security of information not authorized to be 
                intercepted; and
                    ``(H) obtain information regarding the most current 
                hardware, software, telecommunications, and other 
                capabilities to understand how to access digitized 
                information transmitted across networks.
            ``(4) Equal access.--State and local law enforcement 
        agencies and authorities shall have access to information, 
        services, resources, and assistance provided by the NET Center 
        to the same extent that Federal law enforcement agencies and 
        authorities have such access.
            ``(5) Personnel.--The Director may appoint such personnel 
        as the Director considers appropriate to carry out the duties 
        of the NET Center.
            ``(6) Assistance of other federal agencies.--Upon the 
        request of the Director of the NET Center, the head of any 
        department or agency of the Federal Government may, to assist 
        the NET Center in carrying out its duties under this 
        subsection--
                    ``(A) detail, on a reimbursable basis, any of the 
                personnel of such department or agency to the NET 
                Center; and
                    ``(B) provide to the NET Center facilities, 
                information, and other nonpersonnel resources.
            ``(7) Private industry assistance.--The NET Center may 
        accept, use, and dispose of gifts, bequests, or devises of 
        money, services, or property, both real and personal, for the 
        purpose of aiding or facilitating the work of the Center. 
        Gifts, bequests, or devises of money and proceeds from sales of 
        other property received as gifts, bequests, or devises shall be 
        deposited in the Treasury and shall be available for 
        disbursement upon order of the Director of the NET Center.
            ``(8) Advisory board.--
                    ``(A) Establishment.--There is established in the 
                NET Center an Advisory Board for Excellence in 
                Information Security (in this paragraph referred to as 
                the `Advisory Board'), which shall be comprised of 
                members who have the qualifications described in 
                subparagraph (B) and who are appointed by the Attorney 
                General. The Attorney General shall appoint a chairman 
                of the Advisory Board.
                    ``(B) Qualifications.--Each member of the Advisory 
                Board shall have experience or expertise in the field 
                of encryption, decryption, electronic communication, 
                information security, electronic commerce, privacy 
                protection, or law enforcement.
                    ``(C) Duties.--The duty of the Advisory Board shall 
                be to advise the NET Center and the Federal Government 
                regarding new and emerging technologies relating to 
                encryption and decryption of communications and 
                electronic information.
            ``(9) Implementation plan.--
                    ``(A) In general.--Not later than 2 months after 
                the date of enactment of this chapter, the Attorney 
                General shall, in consultation and cooperation with 
                other appropriate Federal agencies and appropriate 
                industry participants, develop and cause to be 
                published in the Federal Register a plan for 
                establishing the NET Center.
                    ``(B) Contents of plan.--The plan published under 
                subparagraph (A) shall--
                            ``(i) specify the physical location of the 
                        NET Center and the equipment, software, and 
                        personnel resources necessary to carry out the 
                        duties of the NET Center under this subsection;
                            ``(ii) assess the amount of funding 
                        necessary to establish and operate the NET 
                        Center; and
                            ``(iii) identify sources of probable 
                        funding for the NET Center, including any 
                        sources of in-kind contributions from private 
                        industry.
    ``(b) Authorization.--There are authorized to be appropriated such 
sums as may be necessary for the establishment and operation of the NET 
Center.''.
    (b) Technical and Conforming Amendment.--The analysis for part I of 
title 18, United States Code, is amended by adding at the end the 
following:

``124. Encrypted wire or electronic communications and          2801''.
                            stored electronic information.

               TITLE III--EXPORTS OF ENCRYPTION PRODUCTS

SEC. 301. COMMERCIAL ENCRYPTION PRODUCTS.

    (a) Provisions Applicable to Commercial Products.--The provisions 
of this title apply to all encryption products, regardless of the 
encryption algorithm selected, encryption key length chosen, exclusion 
of key recovery or other plaintext access capability, or implementation 
or medium used, except those specifically designed or modified for 
military use, including command, control, and intelligence 
applications.
    (b) Control by Secretary of Commerce.--Subject to the provisions of 
this title, and notwithstanding any other provision of law, the 
Secretary of Commerce shall have exclusive authority to control exports 
of encryption products covered under subsection (a).

SEC. 302. LICENSE EXCEPTION FOR MASS MARKET PRODUCTS.

    (a) Export Control Relief.--Subject to section 307, an encryption 
product that is generally available, or incorporates or employs in any 
form, implementation, or medium, an encryption product that is 
generally available, shall be exportable without the need for an export 
license, and without restrictions other than those permitted under this 
Act, after a 1-time 15-day technical review by the Secretary of 
Commerce.
    (b) Definitions.--In this section, the term ``generally available'' 
means an encryption product that is--
            (1) offered for sale, license, or transfer to any person 
        without restriction, whether or not for consideration, 
        including, but not limited to, over-the-counter retail sales, 
        mail order transactions, phone order transactions, electronic 
        distribution, or sale on approval; and
            (2) not designed, developed, or customized by the 
        manufacturer for specific purchasers except for user or 
        purchaser selection among installation or configuration 
        parameters.
    (c) Commerce Department Assurance.--
            (1) In general.--The manufacturer or exporter of an 
        encryption product may request written assurance from the 
        Secretary of Commerce that an encryption product is considered 
        generally available for purposes of this section.
            (2) Response.--Not later than 30 days after receiving a 
        request under paragraph (1), the Secretary shall make a 
        determination regarding whether to issue a written assurance 
        under that paragraph, and shall notify the person making the 
        request, in writing, of that determination.
            (3) Effect on manufacturers and exporters.--A manufacturer 
        or exporter who obtains a written assurance under this 
        subsection shall not be held liable, responsible, or subject to 
        sanctions for failing to obtain an export license for the 
        encryption product at issue.

SEC. 303. LICENSE EXCEPTION FOR PRODUCTS WITHOUT ENCRYPTION CAPABLE OF 
              WORKING WITH ENCRYPTION PRODUCTS.

    Subject to section 307, any product that does not itself provide 
encryption capabilities, but that incorporates or employs in any form 
cryptographic application programming interfaces or other interface 
mechanisms for interaction with other encryption products covered by 
section 301(a), shall be exportable without the need for an export 
license, and without restrictions other than those permitted under this 
Act, after a 1-time, 15-day technical review by the Secretary of 
Commerce.

SEC. 304. LICENSE EXCEPTION FOR PRODUCT SUPPORT AND CONSULTING 
              SERVICES.

    (a) No Additional Export Controls Imposed if Underlying Product 
Covered by License Exception.--Technical assistance and technical data 
associated with the installation and maintenance of encryption products 
covered by sections 302 and 303 shall be exportable without the need 
for an export license, and without restrictions other than those 
permitted under this Act.
    (b) Definitions.--In this section:
            (1) Technical assistance.--The term ``technical 
        assistance'' means services, including instruction, skills 
        training, working knowledge, and consulting services, and the 
        transfer of technical data.
            (2) Technical data.--The term ``technical data'' means 
        information including blueprints, plans, diagrams, models, 
        formulae, tables, engineering designs and specifications, 
        manuals and instructions written or recorded on other media or 
        devices such as disk, tape, or read-only memories.

SEC. 305. LICENSE EXCEPTION WHEN COMPARABLE FOREIGN PRODUCTS AVAILABLE.

    (a) Foreign Availability Standard.--An encryption product not 
qualifying under section 302 shall be exportable without the need for 
an export license, and without restrictions other than those permitted 
under this Act, after a 1-time 15-day technical review by the Secretary 
of Commerce, if an encryption product utilizing the same or greater key 
length or otherwise providing comparable security to such encryption 
product is, or will be within the next 18 months, commercially 
available outside the United States from a foreign supplier.
    (b) Determination of Foreign Availability.--
            (1) Encryption export advisory board established.--There is 
        hereby established a board to be known as the ``Encryption 
        Export Advisory Board'' (in this section referred to as the 
        ``Board'').
            (2) Membership.--The Board shall be comprised of--
                    (A) the Under Secretary of Commerce for Export 
                Administration, who shall be Chairman;
                    (B) seven individuals appointed by the President, 
                of whom--
                            (i) one shall be a representative from each 
                        of--
                                    (I) the National Security Agency;
                                    (II) the Central Intelligence 
                                Agency; and
                                    (III) the Office of the President; 
                                and
                            (ii) four shall be individuals from the 
                        private sector who have expertise in the 
                        development, operation, or marketing of 
                        information technology products; and
                    (C) four individuals appointed by Congress from 
                among individuals in the private sector who have 
                expertise in the development, operation, or marketing 
                of information technology products, of whom--
                            (i) one shall be appointed by the Majority 
                        Leader of the Senate;
                            (ii) one shall be appointed by the Minority 
                        Leader of the Senate;
                            (iii) one shall be appointed by the Speaker 
                        of the House of Representatives; and
                            (iv) one shall be appointed by the Minority 
                        Leader of the House of Representatives.
            (3) Meetings.--
                    (A) In general.--Subject to subparagraph (B), the 
                Board shall meet at the call of the Under Secretary of 
                Commerce for Export Administration.
                    (B) Meetings when applications pending.--If any 
                application referred to in paragraph (4)(A) is pending, 
                the Board shall meet not less than once every 30 days.
            (4) Duties.--
                    (A) In general.--Whenever an application for a 
                license exception for an encryption product under this 
                section is submitted to the Secretary of Commerce, the 
                Board shall determine whether a comparable encryption 
                product is commercially available outside the United 
                States from a foreign supplier as specified in 
                subsection (a).
                    (B) Majority vote required.--The Board shall make a 
                determination under this paragraph upon a vote of the 
                majority of the members of the Board.
                    (C) Deadline.--The Board shall make a determination 
                with respect to an encryption product under this 
                paragraph not later than 30 days after receipt by the 
                Secretary of an application for a license exception 
                under this subsection based on the encryption product.
                    (D) Notice of determinations.--The Board shall 
                notify the Secretary of Commerce of each determination 
                under this paragraph.
                    (E) Reports to president.--Not later than 30 days 
                after a meeting under this paragraph, the Board shall 
                submit to the President a report on the meeting.
                    (F) Applicability of faca.--The provisions of the 
                Federal Advisory Committee Act (5 U.S.C. App.) shall 
                not apply to the Board or to meetings held by the Board 
                under this paragraph.
            (5) Action by secretary of commerce.--
                    (A) Approval or disapproval.--The Secretary of 
                Commerce shall specifically approve or disapprove each 
                determination of the Board under paragraph (5) not 
                later than 30 days of the submittal of such 
                determination to the Secretary under that paragraph.
                    (B) Notification and publication of decision.--The 
                Secretary of Commerce shall--
                            (i) notify the Board of each approval or 
                        disapproval under this paragraph; and
                            (ii) publish a notice of the approval or 
                        disapproval in the Federal Register.
                    (C) Contents of notice.--Each notice of a decision 
                of disapproval by the Secretary of Commerce under 
                subparagraph (B) of a determination of the Board under 
                paragraph (4) that an encryption product is 
                commercially available outside the United States from a 
                foreign supplier shall set forth an explanation in 
                detail of the reasons for the decision, including why 
                and how continued export control of the encryption 
                product which the determination concerned will be 
                effective in achieving its purpose and the amount of 
                lost sales and loss in market share of United States 
                encryption products as a result of the decision.
            (6) Judicial review.--Notwithstanding any other provision 
        of law, a decision of disapproval by the Secretary of Commerce 
        under paragraph (5) of a determination of the Board under 
        paragraph (4) that an encryption product is commercially 
        available outside the United States from a foreign supplier 
shall be subject to judicial review under the provisions of subchapter 
II of chapter 5 of title 5, United States Code (commonly referred to as 
the ``Administrative Procedures Act'').
    (c) Inclusion of Comparable Foreign Encryption Product in a United 
States Product Not Basis for Export Controls.--A product that 
incorporates or employs a foreign encryption product, in the way it was 
intended to be used and that the Board has determined to be 
commercially available outside the United States, shall be exportable 
without the need for an export license and without restrictions other 
than those permitted under this Act, after a 1-time 15-day technical 
review by the Secretary of Commerce.

SEC. 306. NO EXPORT CONTROLS ON ENCRYPTION PRODUCTS USED FOR 
              NONCONFIDENTIALITY PURPOSES.

    (a) Prohibition on New Controls.--The Federal Government shall not 
restrict the export of encryption products used for nonconfidentiality 
purposes such as authentication, integrity, digital signatures, 
nonrepudiation, and copy protection.
    (b) No Reinstatement of Controls on Previously Decontrolled 
Products.--Those encryption products previously decontrolled and not 
requiring an export license as of January 1, 1998, as a result of 
administrative decision or rulemaking shall not require an export 
license.

SEC. 307. APPLICABILITY OF GENERAL EXPORT CONTROLS.

    (a) Subject to Terrorist and Embargo Controls.--Nothing in this Act 
shall be construed to limit the authority of the President under the 
International Emergency Economic Powers Act, the Trading with the Enemy 
Act, or the Export Administration Act, to--
            (1) prohibit the export of encryption products to countries 
        that have been determined to repeatedly provide support for 
        acts of international terrorism; or
            (2) impose an embargo on exports to, and imports from, a 
        specific country.
    (b) Subject to Specific Denials for Specific Reasons.--The 
Secretary of Commerce shall prohibit the export of particular 
encryption products to an individual or organization in a specific 
foreign country identified by the Secretary if the Secretary determines 
that there is substantial evidence that such encryption products will 
be used for military or terrorist end-use, including acts against the 
national security, public safety, or the integrity of the 
transportation, communications, or other essential systems of 
interstate commerce in the United States.
    (c) Other Export Controls Remain Applicable.--(1) Encryption 
products shall remain subject to all export controls imposed on such 
products for reasons other than the existence of encryption 
capabilities.
    (2) Nothing in this Act alters the Secretary's ability to control 
exports of products for reasons other than encryption.

SEC. 308. FOREIGN TRADE BARRIERS TO UNITED STATES PRODUCTS.

    Not later than 180 days after the date of enactment of this Act, 
the Secretary of Commerce, in consultation with the United States Trade 
Representative, shall--
            (1) identify foreign barriers to exports of United States 
        encryption products;
            (2) initiate appropriate actions to address such barriers; 
        and
            (3) submit to Congress a report on the actions taken under 
        this section.
                                 <all>