[Congressional Bills 105th Congress]
[From the U.S. Government Publishing Office]
[S. 376 Introduced in Senate (IS)]
105th CONGRESS
1st Session
S. 376
To affirm the rights of Americans to use and sell encryption products,
to establish privacy standards for voluntary key recovery encryption
systems, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
February 27, 1997
Mr. Leahy (for himself, Mr. Burns, Mrs. Murray, and Mr. Wyden)
introduced the following bill; which was read twice and referred to the
Committee on the Judiciary
_______________________________________________________________________
A BILL
To affirm the rights of Americans to use and sell encryption products,
to establish privacy standards for voluntary key recovery encryption
systems, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Encrypted Communications Privacy Act
of 1997''.
SEC. 2. PURPOSES.
The purposes of this Act are--
(1) to ensure that Americans have the maximum possible
choice in encryption methods to protect the security,
confidentiality, and privacy of their lawful wire and
electronic communications and stored electronic information;
and
(2) to establish privacy standards for key holders who are
voluntarily entrusted with the means to decrypt such
communications and information, and procedures by which
investigative or law enforcement officers may obtain assistance
in decrypting such communications and information.
SEC. 3. FINDINGS.
Congress finds that--
(1) the digitization of information and the explosion in
the growth of computing and electronic networking offers
tremendous potential benefits to the way Americans live, work,
and are entertained, but also raises new threats to the privacy
of American citizens and the competitiveness of American
businesses;
(2) a secure, private, and trusted national and global
information infrastructure is essential to promote economic
growth, protect privacy, and meet the needs of American
citizens and businesses;
(3) the rights of Americans to the privacy and security of
their communications and in the conducting of personal and
business affairs should be preserved and protected;
(4) the authority and ability of investigative and law
enforcement officers to access and decipher, in a timely manner
and as provided by law, wire and electronic communications and
stored electronic information necessary to provide for public
safety and national security should also be preserved;
(5) individuals will not entrust their sensitive personal,
medical, financial, and other information to computers and
computer networks unless the security and privacy of that
information is assured;
(6) business will not entrust their proprietary and
sensitive corporate information, including information about
products, processes, customers, finances, and employees, to
computers and computer networks unless the security and privacy
of that information is assured;
(7) encryption technology can enhance the privacy,
security, confidentiality, integrity, and authenticity of wire
and electronic communications and stored electronic
information;
(8) encryption techniques, technology, programs, and
products are widely available worldwide;
(9) Americans should be free to use lawfully whatever
particular encryption techniques, technologies, programs, or
products developed in the marketplace they desire to use in
order to interact electronically worldwide in a secure,
private, and confidential manner;
(10) American companies should be free--
(A) to compete and to sell encryption technology,
programs, and products; and
(B) to exchange encryption technology, programs,
and products through the use of the Internet, as the
Internet is rapidly emerging as the preferred method of
distribution of computer software and related
information;
(11) there is a need to develop a national encryption
policy that advances the development of the national and global
information infrastructure, and preserves the right to privacy
of Americans and the public safety and national security of the
United States;
(12) there is a need to clarify the legal rights and
responsibilities of key holders who are voluntarily entrusted
with the means to decrypt wire and electronic communications
and stored electronic information;
(13) Congress and the American people have recognized the
need to balance the right to privacy and the protection of the
public safety with national security;
(14) the Constitution permits lawful electronic
surveillance by investigative or law enforcement officers and
the seizure of stored electronic information only upon
compliance with stringent standards and procedures; and
(15) there is a need to clarify the standards and
procedures by which investigative or law enforcement officers
obtain assistance from key holders who--
(A) are voluntarily entrusted with the means to
decrypt wire and electronic communications and stored
electronic information; or
(B) have information that enables the decryption of
such communications and information.
SEC. 4. DEFINITIONS.
As used in this Act, the terms ``decryption key'', ``encryption'',
``key holder'', and ``State'' have the same meanings as in section 2801
of title 18, United States Code, as added by section 6 of this Act.
SEC. 5. FREEDOM TO USE ENCRYPTION.
(a) Lawful Use of Encryption.--Except as provided in this Act and
the amendments made by this Act, it shall be lawful for any person
within any State, and by any United States person in a foreign country,
to use any encryption, regardless of encryption algorithm selected,
encryption key length chosen, or implementation technique or medium
used.
(b) Prohibition on Mandatory Key Recovery or Key Escrow
Encryption.--Neither the Federal Government nor a State may require, as
a condition of a sale in interstate commerce, that a decryption key be
given to another person.
(c) General Construction.--Nothing in this Act or the amendments
made by this Act shall be construed to--
(1) require the use by any person of any form of
encryption;
(2) limit or affect the ability of any person to use
encryption without a key recovery function; or
(3) limit or affect the ability of any person who chooses
to use encryption with a key recovery function to select the
key holder, if any, of the person's choice.
SEC. 6. ENCRYPTED WIRE OR ELECTRONIC COMMUNICATIONS AND STORED
ELECTRONIC COMMUNICATIONS.
(a) In General.--Part I of title 18, United States Code, is amended
by inserting after chapter 123 the following new chapter:
``CHAPTER 125--ENCRYPTED WIRE OR ELECTRONIC COMMUNICATIONS AND STORED
ELECTRONIC INFORMATION
``Sec.
``2801. Definitions.
``2802. Prohibited acts by key holders.
``2803. Reporting requirements.
``2804. Unlawful use of encryption to obstruct justice.
``2805. Freedom to sell encryption products.
``2806. Requirements for release of decryption key or provision of
encryption assistance to a foreign country.
``Sec. 2801. Definitions
``In this chapter--
``(1) the term `decryption key' means the variable
information used in or produced by a mathematical formula,
code, or algorithm, or any component thereof, used to decrypt a
wire communication or electronic communication or stored
electronic information that has been encrypted;
``(2) the term `decryption assistance' means assistance
which provides or facilitates access to the plain text of an
encrypted wire communication or electronic communication or
stored electronic information;
``(3) the term `encryption' means the scrambling of wire
communications or electronic communications or stored
electronic information using mathematical formulas or
algorithms in order to preserve the confidentiality, integrity,
or authenticity of such communications or information and
prevent unauthorized recipients from accessing or altering such
communications or information;
``(4) the term `key holder' means a person (including a
Federal agency) located within the United States who--
``(A) is voluntarily entrusted by another
independent person with the means to decrypt that
person's wire communications or electronic
communications or stored electronic information for the
purpose of subsequent decryption of such communications
or information; or
``(B) has information that enables the decryption
of such communications or information for such purpose;
and
``(5) the terms `person', `State', `wire communication',
`electronic communication', `investigative or law enforcement
officer', `judge of competent jurisdiction', and `electronic
storage' have the same meanings given such terms in section
2510 of this title.
``Sec. 2802. Prohibited acts by key holders
``(a) Unauthorized Release of Key.--Except as provided in
subsection (b), any key holder who releases a decryption key or
provides decryption assistance shall be subject to the criminal
penalties provided in subsection (e) and to civil liability as provided
in subsection (f).
``(b) Authorized Release of Key.--A key holder shall only release a
decryption key in the possession or control of the key holder or
provide decryption assistance with respect to the key--
``(1) with the lawful consent of the person whose key is
possessed or controlled by the key holder;
``(2) as may be necessarily incident to the provision of
service relating to the possession or control of the key by the
key holder; or
``(3) upon compliance with subsection (c)--
``(A) to investigative or law enforcement officers
authorized to intercept wire communications or
electronic communications under chapter 119 of this
title;
``(B) to a governmental entity authorized to
require access to stored wire and electronic
communications and transactional records under chapter
121 of this title; or
``(C) to a governmental entity authorized to seize
or compel the production of stored electronic
information.
``(c) Requirements for Release of Decryption Key or Provision of
Decryption Assistance.--
``(1) Wire and electronic communications.--(A) A key holder
may release a decryption key or provide decryption assistance
to an investigative or law enforcement officer if--
``(i) the key holder is given--
``(I) a court order--
``(aa) signed by a judge of
competent jurisdiction directing such
release or assistance; and
``(bb) issued upon a finding that
the decryption key or decryption
assistance sought is necessary for the
decryption of a communication that the
investigative or law enforcement
officer is authorized to intercept
pursuant to chapter 119 of this title;
or
``(II) a certification in writing by a
person specified in section 2518(7) of this
title, or the Attorney General, stating that--
``(aa) no court order is required
by law;
``(bb) the conditions set forth in
section 2518(7) of this title have been
met; and
``(cc) the release or assistance is
required;
``(ii) the order or certification under clause
(i)--
``(I) specifies the decryption key or
decryption assistance being sought; and
``(II) identifies the termination date of
the period for which the release or assistance
is authorized; and
``(iii) in compliance with the order or
certification, the key holder provides only the release
or decryption assistance necessary for the access
specified in the order or certification.
``(B) If an investigative or law enforcement officer
receives a decryption key or decryption assistance under this
paragraph for purposes of decrypting wire communications or
electronic communications, the judge issuing the order
authorizing the interception of such communications shall, as
part of the inventory required to be served pursuant to
subsection (7)(b) or (8)(d) of section 2518 of this title,
cause to be served on the persons named in the order, or the
application for the order, and on such other parties as the
judge may determine in the interests of justice, notice of the
receipt of the key or decryption assistance, as the case may
be, by the officer.
``(2) Stored wire and electronic communications and stored
electronic information.--(A) A key holder may release a
decryption key or provide decryption assistance to a
governmental entity requiring disclosure of stored wire and
electronic communications and transactional records under
chapter 121 of this title only if the key holder is directed to
release the key or give such assistance pursuant to a court
order issued upon a finding that the decryption key or
decryption assistance sought is necessary for the decryption of
communications or records the disclosure of which the
governmental entity is authorized to require under section 2703
of this title.
``(B) A key holder may release a decryption key or provide
decryption assistance under this subsection to a governmental
entity seizing or compelling production of stored electronic
information only if the key holder is directed to release the
key or give such assistance pursuant to a court order issued
upon a finding that the decryption key or decryption assistance
sought is necessary for the decryption of stored electronic
information--
``(i) that the governmental entity is authorized to
seize; or
``(ii) the production of which the governmental
entity is authorized to compel.
``(C) A court order directing the release of a decryption
key or the provision of decryption assistance under
subparagraph (A) or (B) shall specify the decryption key or
decryption assistance being sought. A key holder may provide
only such release or decryption assistance as is necessary for
access to the communications, records, or information covered
by the court order.
``(D) If a governmental entity receives a decryption key or
decryption assistance under this paragraph for purposes of
obtaining access to stored wire and electronic communications
or transactional records under section 2703 of this title, the
notice required with respect to such access under subsection
(b) of such section shall include notice of the receipt of the
key or assistance, as the case may be, by the entity.
``(3) Use of key.--(A) An investigative or law enforcement
officer or governmental entity to which a decryption key is
released under this subsection may use the key only in the
manner and for the purpose and period expressly provided for in
the certification or court order authorizing such release and
use. Such period may not exceed the duration of the
interception for which the key was released or such other
period as the court, if any, may allow.
``(B) Not later than the end of the period authorized for
the release of a decryption key, the investigative or law
enforcement officer or governmental entity to which the key is
released shall destroy and not retain the key and provide a
certification that the key has been destroyed to the issuing
court, if any.
``(4) Nondisclosure of release.--No key holder, officer,
employee, or agent thereof may disclose the release of an
encryption key or the provision of decryption assistance under
subsection (b)(3), except as otherwise required by law or legal
process and then only after prior notification to the Attorney
General or to the principal prosecuting attorney of a State or
of a political subdivision of a State, as appropriate.
``(d) Records or Other Information Held by Key Holders.--
``(1) In general.--A key holder may not disclose a record
or other information (not including the key or the contents of
communications) pertaining to any person, which record or
information is held by the key holder in connection with its
control or possession of a decryption key, except--
``(A) with the lawful consent of the person whose
key is possessed or controlled by the key holder; or
``(B) to an investigative or law enforcement
officer pursuant to a warrant, subpoena, court order,
or other lawful process authorized by Federal or State
law.
``(2) Certain notice not required.--An investigative or law
enforcement officer receiving a record or information under
paragraph (1)(B) is not required to provide notice of such
receipt to the person to whom the record or information
pertains.
``(3) Liability for civil damages.--Any disclosure in
violation of this subsection shall render the person committing
the violation liable for the civil damages provided for in
subsection (f).
``(e) Criminal Penalties.--The punishment for an offense under
subsection (a) is--
``(1) if the offense is committed for a tortious,
malicious, or illegal purpose, or for purposes of direct or
indirect commercial advantage or private commercial gain--
``(A) a fine under this title or imprisonment for
not more than 1 year, or both, in the case of a first
offense; or
``(B) a fine under this title or imprisonment for
not more than 2 years, or both, in the case of a second
or subsequent offense; and
``(2) in any other case where the offense is committed
recklessly or intentionally, a fine of not more than $5,000 or
imprisonment for not more than 6 months, or both.
``(f) Civil Damages.--
``(1) In general.--Any person aggrieved by any act of a
person in violation of subsection (a) or (d) may in a civil
action recover from such person appropriate relief.
``(2) Relief.--In an action under this subsection,
appropriate relief includes--
``(A) such preliminary and other equitable or
declaratory relief as may be appropriate;
``(B) damages under paragraph (3) and punitive
damages in appropriate cases; and
``(C) a reasonable attorney's fee and other
litigation costs reasonably incurred.
``(3) Computation of damages.--The court may assess as
damages the greater of--
``(A) the sum of the actual damages suffered by the
plaintiff and any profits made by the violator as a
result of the violation; or
``(B) statutory damages in the amount of $5,000.
``(4) Limitation.--A civil action under this subsection
shall be commenced not later than 2 years after the date on
which the plaintiff first knew or should have known of the
violation.
``(g) Defense.--It shall be a complete defense against any civil or
criminal action brought under this chapter that the defendant acted in
good faith reliance upon a warrant, subpoena, or court order or other
statutory authorization.
``Sec. 2803. Reporting requirements
``(a) In General.--In reporting to the Administrative Office of the
United States Courts as required under section 2519(2) of this title,
the Attorney General, an Assistant Attorney General specially
designated by the Attorney General, the principal prosecuting attorney
of a State, or the principal prosecuting attorney of any political
subdivision of a State shall report on the number of orders and
extensions served on key holders under this chapter to obtain access to
decryption keys or decryption assistance and the offenses for which the
orders and extensions were obtained.
``(b) Requirements.--The Director of the Administrative Office of
the United States Courts shall include in the report transmitted to
Congress under section 2519(3) of this title the number of orders and
extensions served on key holders to obtain access to decryption keys or
decryption assistance and the offenses for which the orders and
extensions were obtained.
``Sec. 2804. Unlawful use of encryption to obstruct justice
``Whoever willfully endeavors by means of encryption to obstruct,
impede, or prevent the communication to an investigative or law
enforcement officer of information in furtherance of a felony that may
be prosecuted in a court of the United States shall--
``(1) in the case of a first conviction, be sentenced to
imprisonment for not more than 5 years, fined under this title,
or both; or
``(2) in the case of a second or subsequent conviction, be
sentenced to imprisonment for not more than 10 years, fined
under this title, or both.
``Sec. 2805. Freedom to sell encryption products
``(a) In General.--It shall be lawful for any person within any
State to sell in interstate commerce any encryption, regardless of
encryption algorithm selected, encryption key length chosen, or
implementation technique or medium used.
``(b) Control of Exports by Secretary of Commerce.--
``(1) General rule.--Notwithstanding any other law and
subject to paragraphs (2), (3), and (4), the Secretary of
Commerce shall have exclusive authority to control exports of
all computer hardware, computer software, and technology for
information security (including encryption), except computer
hardware, software, and technology that is specifically
designed or modified for military use, including command,
control, and intelligence applications.
``(2) Items subject to license exception.--Except as
otherwise provided under the Trading With The Enemy Act (50
U.S.C. App. 1 et seq.) or the International Emergency Economic
Powers Act (50 U.S.C. 1701 et seq.) (but only to the extent
that the authority of the International Emergency Economic
Powers Act is not exercised to extend controls imposed under
the Export Administration Act of 1979), a license exception
shall be made available for the export or reexport of--
``(A) any computer software, including computer
software with encryption capabilities, that is--
``(i) generally available, as is, and
designed for installation by the user or
purchaser; or
``(ii) in the public domain (including
computer software available through the
Internet or another interactive computer
service) or publicly available because the
computer software is generally accessible to
the interested public in any form;
``(B) any computing device or computer hardware
that otherwise would be restricted solely on the basis
that it incorporates or employs in any form computer
software (including computer software with encryption
capabilities) that is described in subparagraph (A);
``(C) any computer software or computer hardware
that is otherwise restricted solely on the basis that
it incorporates or employs in any form interface
mechanisms for interaction with other hardware and
software, including encryption hardware and software;
or
``(D) any encryption technology related or
ancillary to a device, software, or hardware described
in subparagraph (A), (B), or (C).
``(3) Computer software, computer hardware, and technology
with encryption capabilities.--(A) Except as provided in
subparagraph (B), the Secretary of Commerce shall authorize the
export or reexport of computer software, computer hardware, and
technology with encryption capabilities under a license
exception if--
``(i) a product offering comparable security is
commercially available from a foreign supplier without
effective restrictions;
``(ii) a product offering comparable security is
generally available in a foreign country; or
``(iii) the sole basis for otherwise withholding
the license exception is the employment in the
software, hardware, or technology of encryption from a
foreign source.
``(B) The Secretary of Commerce shall prohibit the export
or reexport of computer software, computer hardware, and
technology described in subparagraph (A) to a foreign country
if the Secretary determines that there is substantial evidence
that such software, hardware, or technology will be--
``(i) diverted to a military end-use or an end-use
supporting international terrorism;
``(ii) modified for military or terrorist end-use;
or
``(iii) reexported without requisite United States
authorization.
``(4) Definitions.--As used in this subsection--
``(A) the term `as is' means, in the case of
computer software (including computer software with
encryption capabilities), a computer software program
that is not designed, developed, or tailored by the
computer software company for specific purchasers,
except that such purchasers may supply certain
installation parameters needed by the computer software
program to function properly with the purchaser's
system and may customize the computer software program
by choosing among options contained in the computer
software program;
``(B) the term `computing device' means a device
which incorporates one or more microprocessor-based
central processing units that can accept, store,
process, or provide output of data;
``(C) the term `computer hardware', when used in
conjunction with information security, includes
computer systems, equipment, application-specific
assemblies, modules, and integrated circuits;
``(D) the term `generally available' means, in the
case of computer software (including computer software
with encryption capabilities), computer software that
is widely offered for sale, license, or transfer
including over-the-counter retail sales, mail order
transactions, telephone order transactions, electronic
distribution, and sale on approval;
``(E) the term `interactive computer service' has
the meaning provided that term in section 230(e)(2) of
the Communications Act of 1934 (47 U.S.C. 230(e)(2));
``(F) the term `Internet' has the meaning provided
that term in section 230(e)(1) of the Communications
Act of 1934 (47 U.S.C. 230(e)(1));
``(G) the term `is designed for installation by the
purchaser' means, in the case of computer software
(including computer software with encryption
capabilities)--
``(i) that the computer software company
intends for the purchaser (including any
licensee or transferee), who may not be the
actual program user, to install the computer
software program on a computing device and has
supplied the necessary instructions to do so,
except that the company may also provide
telephone help-line services for software
installation, electronic transmission, or basic
operations; and
``(ii) that the computer software program
is designed for installation by the purchaser
without further substantial support by the
supplier;
``(H) the term `license exception' means a general
authorization applicable to a type of export that does
not require an exporter to, as a condition of
exporting--
``(i) submit a written application to the
Secretary of Commerce; or
``(ii) receive prior written authorization
by the Secretary of Commerce; and
``(I) the term `technology' means specific
information necessary for the development, production,
or use of a product.
``Sec. 2806. Requirements for release of decryption key or provision of
decryption assistance to a foreign country
``(a) In General.--Except as provided in subsection (b), no
investigative or law enforcement officer or key holder may release a
decryption key or provide decryption assistance to a foreign country.
``(b) Conditions for Cooperation With Foreign Country.--
``(1) In general.--In any case in which the United States
has entered into a treaty or convention with a foreign country
to provide mutual assistance with respect to decryption, the
Attorney General (or the designee of the Attorney General) may,
upon an official request to the United States from the foreign
country, apply for an order described in paragraph (2) from the
district court in which a key holder resides for--
``(A) assistance in obtaining the release of a
decryption key from the key holder; or
``(B) obtaining decryption assistance from the key
holder.
``(2) Contents of order.--An order described in this
paragraph is an order that directs the key holder involved to--
``(A) release a decryption key to the Attorney
General (or the designee of the Attorney General) for
furnishing to the foreign country; or
``(B) provide decryption assistance to the Attorney
General (or the designee of the Attorney General) for
furnishing to the foreign country.
``(3) Requirements for order.--A judge of a court described
in paragraph (1) may issue an order described in paragraph (2)
if the judge finds, on the basis of an application made by the
Attorney General under this subsection, that--
``(A) the decryption key or decryption assistance
sought is necessary for the decryption of a
communication or information that the foreign country
is authorized to intercept or seize pursuant to the law
of the foreign country;
``(B) the law of the foreign country provides for
adequate protection against arbitrary interference with
respect to privacy rights; and
``(C) the decryption key or decryption assistance
is being sought in connection with a criminal
investigation for conduct that would constitute a
violation of a criminal law of the United States if
committed within the jurisdiction of the United States.
``(c) Definition.--As used in this section, the term `official
request' has the meaning given that term in section 3506(c) of this
title.''.
(b) Clerical Amendment.--The chapter analysis for part I of title
18, United States Code, is amended by inserting after the item relating
to chapter 123 the following new item:
``125. Encrypted wire or electronic communications and stored electronic information ... 2801''.
SEC. 7. INTELLIGENCE ACTIVITIES.
(a) Construction.--Nothing in this Act or the amendments made by
this Act constitutes authority for the conduct of any intelligence
activity.
(b) Certain Conduct.--Nothing in this Act or the amendments made by
this Act shall affect the conduct, by officers or employees of the
United States Government in accordance with other applicable Federal
law, under procedures approved by the Attorney General, of activities
intended to--
(1) intercept encrypted or other official communications of
United States executive branch entities or United States
Government contractors for communications security purposes;
(2) intercept radio communications transmitted between or
among foreign powers or agents of a foreign power as defined by
the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C.
1801 et seq.); or
(3) access an electronic communication system used
exclusively by a foreign power or agent of a foreign power as
so defined.