[Congressional Bills 106th Congress]
[From the U.S. Government Publishing Office]
[S. 798 Introduced in Senate (IS)]







106th CONGRESS
  1st Session
                                 S. 798

To promote electronic commerce by encouraging and facilitating the use 
of encryption in interstate commerce consistent with the protection of 
               national security, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             April 14, 1999

Mr. McCain (for himself, Mr. Burns, Mr. Wyden, Mr. Leahy, Mr. Abraham, 
and Mr. Kerry) introduced the following bill; which was read twice and 
   referred to the Committee on Commerce, Science, and Transportation

_______________________________________________________________________

                                 A BILL


 
To promote electronic commerce by encouraging and facilitating the use 
of encryption in interstate commerce consistent with the protection of 
               national security, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Promote Reliable On-Line 
Transactions to Encourage Commerce and Trade (PROTECT) Act of 1999''.

SEC. 2. PURPOSES.

    The purposes of this Act are--
            (1) to promote electronic growth foster electronic 
        commerce;
            (2) create consumer confidence in electronic commerce;
            (3) meet the needs of businesses and individuals using 
        electronic networks;
            (4) prevent crime; and
            (5) improve national security
        by facilitating the widespread use of encryption and assisting 
        the United States Government in developing the capability to 
        respond to the challenges posed by new technological 
        developments.

SEC. 3. FINDINGS.

    Congress finds the following:
            (1) The ability to digitize information makes carrying out 
        tremendous amounts of commerce and personal communication 
        electronically possible.
            (2) Miniaturization, distributed computing, and reduced 
        transmission costs make communication via electronic networks a 
        reality.
            (3) The explosive growth in the Internet and other computer 
        networks reflects the potential growth of electronic commerce 
        and personal communication.
            (4) The Internet and the global information infrastructure 
        have the potential to revolutionize the way individuals and 
        businesses conduct business.
            (5) The full potential of the Internet for the conduct of 
        business cannot be realized as long as it is an insecure medium 
        in which confidential business information and sensitive 
        personal information remain at risk of unauthorized viewing, 
        alteration, and use.
            (6) The United States critical infrastructures increasingly 
        rely on vulnerable commercial information systems and 
        electronic networks and represent a growing risk to national 
        security and public safety because the security and privacy of 
        those systems and networks is not assured.
            (7) Encryption of information enables businesses and 
        individuals to protect themselves, their commercial information 
        and networks, and the United States critical infrastructures 
        against unauthorized viewing, alteration, and abuse ensuring 
        the security, confidentiality, authenticity, and integrity of 
        information.
            (8) American computer software and hardware, 
        communications, and electronics businesses are leading the 
        world technology revolution, and the American information 
        technology industry is a vital sector of the United States 
        economy. These businesses have developed in the commercial 
        marketplace, and are prepared to offer immediately to computer 
        users worldwide, a variety of communications and computer 
        hardware and software that provide strong, robust, and easy-to-
        use encryption.
            (9) Notwithstanding American preeminence in information 
        technology, many foreign companies currently manufacture 
        products and services that are comparable in quality and 
        capabilities to United States products and frequently provide 
        stronger encryption. These foreign companies are competing 
        fiercely with United States companies for sales not only of the 
        encryption product or service, but also for the ultimate 
        product that uses the encryption capability, including 
        applications ranging from online banking to electronic mail to 
        banking.
            (10) The leading survey of available encryption products 
        reports that, as of December, 1997, there were 656 foreign 
        encryption products (out of 1619 encryption products produced 
        worldwide) available from 474 vendors in 29 different foreign 
        countries.
            (11) To promote economic growth, foster electronic 
        commerce, meet the needs of businesses and individuals using 
electronic networks, prevent crime, and improve national security, 
Americans should be free to continue using lawfully any encryption 
products and programs, and American companies should be free to sell, 
license, or otherwise distribute such encryption products and programs 
worldwide so long as national security is not put at risk.
            (12) The United States government should promote the use of 
        the United States encryption products and expedite its work 
        with the industry to update the United States Data Encryption 
        Standard (DES).
            (13) NIST has proposed requirements and established 
        procedures for adopting a new, stronger, private sector--
        developed Advanced Encryption Standard (AES).
            (14) Similar to DES, it is anticipated that AES will become 
        an international encryption standard adopted by individuals and 
        companies worldwide.
            (15) NIST has requested candidate algorithms, evaluated 
        candidate algorithms, and encouraged public comment at each 
        step of the process. NIST's open and public process for 
        developing and testing the new AES should be applauded and 
        supported.
            (16) Further demonstrating the worldwide availability, use, 
        and sophistication of encryption abroad, only 5 of the 15 AES 
        candidate algorithms submitted to NIST for evaluation that 
        complied with all requirements and procedures for submission 
        were proposed by companies and individuals in the United 
        States. The remaining 10 candidate algorithms were proposed by 
        individuals and companies from 11 different countries 
        (Australia's LOKI97; Belgium's RIJNDAEL; Canada's CAST-256 and 
        DEAL; Costa Rica's FROG; France's DFC; Germany's MAGENTA; 
        Japan's E2; Korea's CRYPTON; and the United Kingdom, Israel, 
        and Norway's SERPENT algorithms).
            (17) NIST's efforts to create the AES to replace DES are 
        important to the development of adequate global information 
        security to a degree that Congress should explicitly authorize 
        and support NIST's efforts and establish a deadline of January 
        1, 2002, for finalizing the new standard.
            (18) Once NIST finalizes AES, the Federal Government should 
        permit all United States products meeting the new AES standards 
        or its equivalent to be exported worldwide to ensure global 
        security and to permit United States companies to compete 
        effectively with their foreign competitors consistent with the 
        national security requirements of the United States.
            (19) The United States Government has legitimate law 
        enforcement and national security objectives, which can be met 
        by permitting American companies to compete globally, while at 
        the same time recognizing the challenges to law enforcement and 
        national security posed by quickly advancing technological 
        developments and providing for research, development, and 
        adoption of new technology to respond to these challenges.
            (20) As part of its efforts to fight crime with technology 
        and ensure the safety of commercial networks, the United States 
        Government should establish a mechanism for facilitating 
        communications with experts in information security industries, 
        including cryptographers, engineers, software publishers, and 
        others involved in the design and development of information 
        security products and should ensure that such sums as necessary 
        are appropriated to ensure and enhance national security and 
        law enforcement.
            (21) The United States Government also should expand and 
        expedite its computer security research activities at NIST and 
        the Federal laboratories, work with industry to recommend 
        priority activities at university research facilities, and fund 
        scholarships in information security.

SEC. 4. DEFINITIONS.

    In this Act:
            (1) Computer hardware.--The term ``computer hardware'' 
        includes computer systems, equipment, application-specific 
        assemblies, smart cards, modules, integrated circuits, printed 
        circuit board assemblies, and devices that incorporate 1 or 
        more microprocessor-based central processing units that are 
        capable of accepting, storing, processing, or providing output 
        of data.
            (2) Encrypt and encryption.--The term ``encrypt'' and 
        ``encryption'' means the scrambling (and descrambling) of wire 
        communications, electronic communications, or electronically 
        stored information, using mathematical formulas or algorithms 
        to preserve the confidentiality, integrity, or authenticity of, 
        and prevent unauthorized recipients from accessing or altering, 
        such communications or information.
            (3) Encryption product.--The term ``encryption product''--
                    (A) means computer hardware, computer software, or 
                technology with encryption capabilities; and
                    (B) includes any subsequent version of or update to 
                an encryption product, if the encryption capabilities 
                are not changed.
            (4) Exportable.--The term ``exportable'' means the ability 
        to transfer, ship, or transmit to foreign users.
            (5) Generally available or general availability.--The terms 
        ``generally available'' or ``general availability'' mean--
                    (A) in the case of computer hardware or computer 
                software (including encryption products), computer 
                hardware, or computer software that is--
                            (i) distributed via the Internet;
                            (ii) widely offered for sale, license, or 
                        transfer (without regard to whether it is 
                        offered for consideration), including over-the-
                        counter retail sales, mail order transactions, 
                        telephone order transactions, electronic 
                        distribution, or sale on approval;
                            (iii) preloaded on computer hardware that 
                        is widely available; or
                            (iv) assembled from computer hardware or 
                        computer software components that are generally 
                        available;
                    (B) not designed, developed, or tailored by the 
                manufacturer for specific purchasers, except that the 
                purchaser or user may--
                            (i) supply certain installation parameters 
                        needed by the computer hardware or computer 
                        software to function properly with the computer 
                        system of the user or purchaser; or
                            (ii) select from among options contained in 
                        the computer hardware or computer software; and
                    (C) are available in more than 1 country through a 
                means described in subparagraph (A).
            (6) Key.--The term ``key'' means the variable information 
        used in a mathematical formula, code, or algorithm, or any 
        component thereof, used to decrypt wire communications, 
        electronic communications, or electronically stored 
        information, that has been encrypted.
            (7) License exception.--The term ``license exception'' 
        means an authorization by the Bureau of Export Administration 
        of the Department of Commerce that allows the export or re-
        export, under stated conditions, of items subject to the Export 
        Administration Regulations that otherwise would require a 
        license.
            (8) NIST.--The term ``NIST'' means the National Institute 
        of Standards and Technology in the Department of Commerce.
            (9) On-line merchant.--The term ``on-line merchant'' means 
        either a person or a company or other entity engaged in 
        commerce that, as part of its business, uses electronic means 
        to conduct commercial transactions in goods (including, but not 
        limited to, software and all other forms of digital content) or 
        services, whether delivered in tangible or electronic form.
            (10) Person.--The term ``person'' has the meaning given the 
        term in section 2510(1) of title 1, United States Code.
            (11) Publicly available or public availability.--The terms 
        ``publicly available'' or ``public availability'' mean--
                    (A) information that is generally accessible to the 
                interested public in any form; or
                    (B) technology and software that are already 
                published or will be published, arise during, or result 
                from fundamental research, are educational, or are 
                included in certain patent applications.
            (12) Recoverable product.--The term ``recoverable product'' 
        means an encryption product that--
                    (A) incorporates an operator-controlled management 
                interface enabling real-time access to specified 
                network traffic prior to encryption, or after 
                decryption, at a designated access point under the 
                control of the network owner or operator (utilizing a 
                protocol such as IPSec);
                    (B) permits access to data prior to encryption, or 
                after decryption, at a server under the control of a 
                network owner or operator (utilizing a protocol such as 
                SSL, TLS, or Kerberos);
                    (C) includes a key or data recovery system which, 
                when activated, enables a system administrator or user 
                to recover plaintext or keys to decrypt data 
                transmitted or stored in encrypted form; or
                    (D) offers the system administrator or end-user the 
                capability to create a duplicate key (or keys) for 
                archival and other purposes.
            (13) Secretary.--The term ``Secretary'' means the Secretary 
        of Commerce.
            (14) State.--The term ``State'' means any State of the 
        United States and includes the District of Columbia and any 
        commonwealth, territory, or possessions of the United States.
            (15) Strategic partners.--The term ``strategic partners'' 
        means 2 or more entities that--
                    (A) have a business need to share the proprietary 
                information of 1 or more United States companies; and
                    (B) are contractually bound to one another; or
                    (C) have an established pattern on continuing or 
                recurring contractual relations.
            (16) Technical assistance.--The term ``technical 
        assistance'' includes assistance such as instructions, skills 
        training, working knowledge, and consulting services, and may 
        involve transfer of technical data.
            (17) Technical data.--The term ``technical data'' may 
        include data such as blueprints, plans, diagrams, models, 
        formulae, tables, engineering designs and specifications, 
        manuals, and instructions written or recorded on other media or 
        devices such as disk, tape, or read-only memories.
            (18) Technical review.--The term ``technical review'' means 
        a review by the Secretary of an encryption product, based on 
        information about a product's encryption capabilities supplied 
        by the manufacturer, that an encryption product works as 
        represented.
            (19) United States person.--The term ``United States 
        person'' means any--
                    (A) United States citizen; or
                    (B) legal entity that--
                            (i) is organized under the laws of the 
                        United States, or any States, the District of 
                        Columbia, or any commonwealth, territory, or 
                        possession of the United States; and
                            (ii) has its principal place of business in 
                        the United States.
            (20) United States subsidiary.--The term ``United States 
        subsidiary'' means--
                    (A) a foreign branch of a United States company; or
                    (B) a foreign subsidiary or entity of a United 
                States entity in which--
                            (i) a United States company or entity 
                        beneficially owns or controls (whether directly 
                        or indirectly) 25 percent or more of the voting 
                        securities of the foreign subsidiary or entity, 
                        if no other person owns or controls (whether 
                        directly or indirectly) an equal or larger 
                        percentage;
                            (ii) the foreign subsidiary or entity is 
                        operated by a United States company or entity 
                        pursuant to the provisions of an exclusive 
                        management contract;
                            (iii) the majority of the members of the 
                        Board of Directors of the foreign subsidiary or 
                        entity also are members of the comparable 
                        governing body of the United States company or 
                        entity;
                            (iv) a United States company or entity has 
                        the authority to appoint the majority of the 
                        members of the Board of Directors of the 
                        foreign subsidiary; or
                            (v) a United States company or entity has 
                        the authority to appoint the Chief Operating 
                        officer of the foreign subsidiary or entity.

                TITLE I--DOMESTIC ENCRYPTION PROVISIONS

SEC. 101. DEVELOPMENT AND DEPLOYMENT OF ENCRYPTION A VOLUNTARY PRIVATE 
              SECTOR ACTIVITY.

    (a) Statement of Policy.--The use, development, manufacture, sale, 
distribution, and importation of encryption products, standards, and 
services for purposes of assuring the confidentiality, authenticity, or 
integrity of electronic information shall be voluntary and market 
driven.
    (b) Limitation on Regulation.--Neither the Federal Government nor a 
State may establish any conditions, ties, or links between encryption 
products, standards, and services used for confidentiality, and those 
used for authenticity or integrity purposes.

SEC. 102. SALE AND USE OF ENCRYPTION LAWFUL.

    Except as otherwise provided by this Act, it is lawful for any 
person within any State, and for any United States person in a foreign 
country, to develop, manufacture, sell, distribute, import, or use any 
encryption product, regardless of the encryption algorithm selected, 
encryption length chosen, existence of key recovery, or other plaintext 
access capability, or implementation or medium used.

SEC. 103. MANDATORY GOVERNMENT ACCESS TO PLAINTEXT PROHIBITED.

    (a) In General.--No department, agency, or instrumentality of the 
United States or of any State may--
            (1) require that;
            (2) set standards for;
            (3) condition any approval on;
            (4) create incentives for; or
            (5) tie any benefit to,
        a requirement that, a decryption key, access to a key, key 
        recovery information, or any other plaintext access capability 
        be--
                    (A) required to be built into computers hardware or 
                software for any purpose;
                    (B) given to any other person (including a 
                department, agency, or instrumentality of the United 
                States or an entity in the private sector that may be 
                certified or approved by the United States or a State); 
                or
                    (C) retained by the owner or user of an encryption 
                key or any other person, other than for encryption 
                products for the use of the United States Government or 
                a State government.
    (b) Existing Access Protected.--Subsection (a) does not affect the 
authority of any investigative or law enforcement officer, or any 
member of the intelligence community (as defined in section 3 of the 
National Security Act of 1947 (50 U.S.C. 401a)), acting under any law 
in effect on the date of enactment of this Act, to gain access to 
encrypted communications or information.

                    TITLE II--GOVERNMENT PROCUREMENT

SEC. 201. POLICY.

    It is the policy of the United States--
            (1) to permit the public to interact with government 
        through commercial networks and infrastructure; and
            (2) to protect the privacy and security of any electronic 
        communication from, or stored information obtained from, the 
        public.

SEC. 202. FEDERAL PURCHASES OF ENCRYPTION PRODUCTS.

    (a) In General.--Any department, agency, or instrumentality of the 
United States may purchase encryption products for use by officers and 
employees of the United States to the extent and in the manner 
authorized by law.
    (b) Interoperability Required.--No department, agency, or 
instrumentality of the United States, nor any department, agency, or 
political subdivision of a State, may purchase an encryption product 
for its use unless the product will interoperate with other 
commercially-available encryption products, including products without 
a decryption key, access to a key, key recovery information, or any 
other plaintext access capability.
    (c) Citizens Not Required To Purchase Specified Product.--No 
department, agency, or instrumentality of the United States, nor any 
department, agency, or political subdivision of a State, may require 
any person in the private sector to use any particular encryption 
product or methodology, including products with a decryption key, 
access to a key, key recovery information, or any other plaintext 
access capability, to communicate with, or transact business with, the 
government.

                TITLE III--ADVANCED ENCRYPTION STANDARD

SEC. 301. DEADLINE FOR FINAL SELECTION OF ALGORITHM OR ALGORITHMS BY 
              NIST.

    (a) AES Process.--The NIST shall continue and complete the AES 
process initiated on January 2, 1997, including--
            (1) establishing performance requirements,
            (2) setting procedures for submitting, testing, evaluating, 
        and judging proposals; and
            (3) finally selecting one or more new private sector-
        developed encryption algorithms.
    (b) Deadline.--Notwithstanding subsection (a), NIST shall make a 
final selection of one or more new private sector-developed encryption 
algorithms by January 1, 2002.

SEC. 302. COMMERCE DEPARTMENT ENCRYPTION STANDARDS AND EXPORTS 
              AUTHORITY RESTRICTED.

    (a) Regulatory Authority.--Except as otherwise provided in this 
Act, the Secretary of Commerce may not promulgate or enforce any 
regulation, adopt any standard, or carry out any policy that 
establishes an encryption standard for use by businesses or other 
entities other than for computer systems operated by a department, 
agency, or other entity of the United States government.
    (b) Export Authority.--Except as otherwise provided in this Act, 
the Secretary of Commerce may not promulgate or enforce any regulation, 
adopt any standard, or carry out any policy relating to encryption that 
has the effect of imposing government-designed encryption standards on 
the private sector by restricting the export of encryption products.

     TITLE IV--IMPROVEMENT OF GOVERNMENTAL TECHNOLOGICAL CAPABILITY

SEC. 401. INFORMATION TECHNOLOGY LABORATORY.

    Section 20(b) of the National Institute oF Standards and Technology 
Act (15 U.S.C. 278g-3(b)) is amended--
            (1) by striking ``and'' at the end of paragraph (4);
            (2) by striking ``policy.'' in paragraph (5) and inserting 
        ``policy;''; and
            (3) by adding at the end thereof the following:
            ``(6) to obtain information regarding the most current 
        information security hardware, software, telecommunications, 
        and other electronic capabilities;
            ``(7) to research and develop new and emerging techniques 
        and technologies to facilitate lawful access to communications 
        and electronic information;
            ``(8) to research and develop methods to detect and prevent 
        unwanted intrusions into commercial computer networks, 
        particularly those interconnected with computer systems of the 
        United States government;
            ``(9) to provide assistance in responding to information 
        security threats and vulnerabilities at the request of other 
        departments, agencies, and instrumentalities of the United 
        States and State governments; and
            ``(10) to facilitate the development and adoption of the 
        best information security practices by departments, agencies, 
        and instrumentalities of the United States, the States, and the 
        private sector.''.

SEC. 402. ADVISORY BOARD ON COMPUTER SYSTEM SECURITY AND PRIVACY.

    Section 21(b) of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-4(b)) is amended--
            (1) by redesignating paragraphs (2) and (3) as paragraphs 
        (4) and (5), respectively; and
            (2) by inserting after paragraph (1) the following:
            ``(2) to provide a forum for communication and coordination 
        between industry and the Federal Government regarding 
        information security issues;
            ``(3) to foster the aggregation and dissemination of 
        general, nonproprietary, and non-confidential developments in 
        important information security technologies, including 
        encryption, by regularly reporting that information to 
        appropriate Federal agencies to keep law enforcement and 
        national security agencies abreast of emerging technologies so 
        they are able effectively to meet their responsibilities;''.

SEC. 403. AUTHORIZATION OF APPROPRIATIONS.

    There are authorized to be appropriated to such departments and 
agencies as may be appropriate such sums as may be necessary to ensure 
that United States law enforcement agencies and agencies responsible 
for national security are able to complete any missions or goals 
authorized in law regardless of technological advancements in 
encryption and digital technology.

                TITLE V--EXPORT OF ENCRYPTION PRODUCTS.

SEC. 501. COMMERCIAL ENCRYPTION PRODUCTS.

    (a) In General.--This title applies to all encryption products, 
without regard to the encryption algorithm selected, encryption key 
chosen, exclusion of plaintext access capability, or implementation or 
medium used, except those encryption products specifically designed or 
modified for military use (including command, control, and intelligence 
applications).
    (b) Authority of Secretary of Commerce.--Subject to the other 
provisions of this title, and notwithstanding any other provision of 
law, the Secretary of Commerce has exclusive authority to control the 
exportation of encryption products described in subsection (a). In 
exercising that authority, the Secretary shall consult with the 
Secretary of State and the Secretary of Defense.

SEC. 502. PRESIDENTIAL AUTHORITY.

    (a) Terrorist and Embargo Controls.--Nothing in this Act limits the 
authority of the President under--
            (1) the Trading with the Enemy Act (50 U.S.C. App. 1 et 
        seq.); or
            (2) the International Emergency Economic Powers Act (50 
        U.S.C. 1701 et seq.), but only to the extent that the authority 
        of that Act is not exercised to extend controls imposed under 
        the Export Administration Act of 1979 (50 U.S.C. 2401 et 
        seq.)--
                    (A) to prohibit the export of encryption products 
                to any country, corporation, or other entity that has 
                been determined to--
                            (i) provide support for acts of terrorism; 
                        or
                            (ii) pose an immediate threat to national 
                        security; or
                    (B) to impose an embargo on exports to, or imports 
                from, a specific country, corporation, or entity.
    (b) Special Denials for Specific Reasons.--The Secretary of 
Commerce shall prohibit the exportation of particular encryption 
products to an individual or organization in a foreign country 
identified by the Secretary if the Secretary determines that there is 
substantial evidence that the encryption products may be used or 
modified for military or terrorist use, including acts against the 
national security of, public safety of, or the integrity of the 
transportation, communications, or other essential systems of 
interstate commerce in, the United States.
    (c) Other Export Controls.--An encryption product is subject to any 
export control imposed on that product for any reason other than the 
existence of encryption capability. Nothing in this title alters the 
Secretary of Commerce's ability to control exports of products for 
reasons other than encryption.

SEC. 503. EXPORTATION OF ENCRYPTION PRODUCTS WITH NOT MORE THAN 64-BIT 
              KEY LENGTH.

    An encryption product that utilizes a key length or 64 bits or 
less, may be exported without an export license or an export license 
exception, and without any other restriction (other than a restriction 
imposed under this title).

SEC. 504. EXPORTABILITY OF CERTAIN ENCRYPTION PRODUCTS UNDER A LICENSE 
              EXCEPTION.

    (a) License Exceptions.--Except as otherwise provided under this 
title, the export or re-export of the following products shall be 
exportable under license exception:
            (1) Recoverable products.
            (2) Encryption products to legitimate and responsible 
        entities or organizations and their strategic partners, 
        including--
                    (A) firms whose shares are publicly traded in 
                global markets;
                    (B) firms subject to a governmental regulatory 
                scheme;
                    (C) United States subsidiaries or affiliates of 
                United States corporations;
                    (D) firms or organizations that are required by law 
                to maintain plaintext records of communications or 
                otherwise maintain such records as part of their normal 
                business practice;
                    (E) firms or organizations that are audited 
                annually under widely accepted accounting principles;
                    (F) strategic partners of United States companies; 
                and
                    (G) on-line merchants who use encryption products 
                to support electronic commerce, including protecting 
                commercial transactions as well as non-public 
                information exchange necessary to support such 
                transactions.
            (3) Encryption products sold or licensed to foreign 
        governments that are members of the North Atlantic Treaty 
        Organization, Organization for Economic Cooperation and 
        Development, and Association of Southeast Asian Nations.
            (4) Any computer hardware or computer software that does 
        not itself provide encryption capabilities, but that 
        incorporates or employs in any form interface mechanisms for 
        interaction with other computer hardware and computer software, 
        including encryption products.
            (5) Any technical assistance or technical data associated 
        with the installation and maintenance of encryption products, 
        or products incorporating, enabling, or employing encryption 
        products, if such products are exportable under this title.
    (b) License Exception Processing Period Including One-Time 
Technical Review.--Encryption products and related computer services 
shall be made eligible for a license exception after a one-time 
technical review. Exporters' requests for license exceptions, including 
the one-time technical review, must be processed within 15 working days 
from receipt of a request. If the exporter is not contacted within this 
15-day processing period, the exporter's request for a license 
exception will be deemed granted, and the exporter may export the 
encryption products or related computer services under the license 
exception.

SEC. 505. EXPORTABILITY OF ENCRYPTION PRODUCTS EMPLOYING A KEY LENGTH 
              GREATER THAN 64-BITS.

    (a) Export Relief for Encryption Products.--Encryption products, or 
products that incorporate or employ in any form, implementation, or 
medium an encryption product, are exportable under a license exception 
if--
            (1) the Secretary determines that the product or service is 
        exportable under the Export Administration Act of 1979 (50 
        U.S.C. 2401 et seq.); or
            (2) the Encryption Export Advisory Board described in 
        subsection (b) determines, and the Secretary agrees, that the 
        product or service is--
                    (A) generally available;
                    (B) publicly available; or
                    (C) an encryption product utilizing the same or 
                greater key length or otherwise providing comparable 
                security is, or will be within the next 12 months 
                generally or widely available outside the United States 
                from a foreign supplier.
    (b) Board Determination of Exportability.--
            (1) Encryption export advisory board.--There is hereby 
        established an Encryption Export Advisory Board comprised of--
                    (A) a Chairman, who shall be the Under Secretary of 
                Commerce for Export Administration;
                    (B) 7 individuals appointed by the President, as 
                follows--
                            (i) 1 representative from the National 
                        Security Agency;
                            (ii) 1 representative from the Central 
                        Intelligence Agency;
                            (iii) 1 representative from the Office of 
                        the President; and
                            (iv) 4 representatives from the private 
                        sector who have expertise in the development, 
                        operation, or marketing of information 
                        technology products; and
                    (C) 4 representatives from the private sector who 
                have expertise in the development, operation, or 
                marketing of information technology products appointed 
                by the Congress, as follows--
                            (i) 1 representative appointed by the 
                        Majority Leader of the Senate;
                            (ii) 1 representative appointed by the 
                        Minority Leader of the Senate;
                            (iii) 1 representative appointed by the 
                        Speaker of the House of Representatives; and
                            (iv) 1 representative appointed by the 
                        Minority Leader of the House of 
                        Representatives.
            (2) Purpose.--The Board shall evaluate and make 
        recommendations by majority vote within 30 days with respect to 
        general availability, public availability, or foreign 
        availability whenever an application for a license exception 
        based on general availability, public availability, or foreign 
        availability has been submitted to the Secretary.
            (3) Meetings.--The Board shall meet at the call of the 
        Under Secretary upon a request for a determination, but at 
        least every 30 days if a request is pending. The Federal 
        Advisory Committee Act (5 U.S.C. App.) does not apply to the 
        Board or to meetings held by the Board under this subsection.
            (4) Action by the secretary.--The Board shall make 
        recommendations to the Secretary. The Secretary shall 
        specifically approve or disapprove of each finding of 
        availability within 30 days of receiving the recommendation and 
        shall notify the Board and publish the finding in the Federal 
        Register. The Secretary shall explain in detail the reasons for 
        any disapproval, including why and how continued controls will 
        be effective in achieving their purpose and the amount of lost 
        sales and loss in market share of United States encryption 
        products.
            (5) Judicial review.--Notwithstanding any other provision 
        of law, a decision by the Secretary disapproving of a Board 
        finding of availability shall be subject to judicial review 
        under the Administrative Procedure Act (5 U.S.C. 551 et seq.).
            (6) Presidential override.--The Board shall report to the 
        President within 30 days after each meeting. The President may 
        override any Board determination of exportability and control 
        the export and re-export of specified encryption products to 
        specific countries or individuals if he determines that such 
        exports or re-exports would harm United States national 
        security, including United States capabilities in fighting drug 
        trafficking, terrorism, or espionage. If the President 
        overrides a Board determination of exportability and decides to 
        control the export or re-export of any encryption product, the 
        President must inform the Board and Congress and detail the 
        reasons for such controls within 30 days of the determination. 
        The action of the president under this paragraph is not subject 
        to judicial review.
    (c) Rely on Determination of Board.--The manufacturer or exporter 
of an encryption product or a product incorporating or employing an 
encryption product may rely upon the Board's determination that the 
product is generally available or publicly available or if a comparable 
foreign encryption product is available, and shall not be held liable 
or responsible or subject to sanctions for any export of such products 
under the license exception.
    (d) License Exception Processing Period Including One-Time 
Technical Review.--Encryption products and related computer services 
shall be made eligible for a license exception after a one-time 
technical review. Exporters' requests for license exceptions, including 
the one-time technical review, must be processed within 15 working days 
from receipt of a request. If the exporter is not contacted within this 
15-day processing period, the exporter's request for a license 
exception will be deemed granted, and the exporter may export the 
encryption products or related computer services under the license 
exception.
    (e) Grandfathering of Prior Determinations.--Any determination by 
the Secretary prior to enactment of this Act that an encryption product 
with greater than a 64-bit key length, or product incorporating or 
employing such an encryption product, and related services, is eligible 
for export and re-export either without a license or under a license, a 
license exception, or an encryption licensing arrangement will remain 
in effect after passage of this Act.

SEC. 506. EXPORTABILITY OF ENCRYPTION PRODUCTS EMPLOYING AES OR ITS 
              EQUIVALENT.

    Upon adoption of the AES, but not later than January 1, 2002, the 
Secretary may no longer impose United States encryption export controls 
on encryption products if the encryption algorithm and key length 
employed were incorporated in the AES, or have an equivalent strength, 
and such product shall be exportable without the need for an export 
license or license exception, and without restrictions other than those 
permitted under this Act.

SEC. 507. ELIMINATION OF REPORTING REQUIREMENTS.

    The Secretary may not impose any reporting requirements on any 
encryption product not subject to United States export controls or 
exported under a license exception.
                                 <all>