[Congressional Record Volume 142, Number 28 (Tuesday, March 5, 1996)]
[Senate]
[Pages S1516-S1522]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. LEAHY (for himself, Mr. Burns, Mr. Dole, Mr. Pressler, and 
        Mrs. Murray):
  S. 1587. A bill to affirm the rights of Americans to use and sell 
encryption products, to establish privacy standards for voluntary 
escrowed systems, and for other purposes; to the Committee on the 
Judiciary.


            The Encrypted Communications Privacy Act of 1996

  Mr. LEAHY. Mr. President, I am joined today by Senators Burns, Dole, 
Pressler, and Murray in introducing a bill that is pro-business, pro-
jobs and pro-privacy.
  The Encrypted Communications Privacy Act of 1996 would enhance the 
global competitiveness of our high-technology industries, protect the 
high-paying good jobs in those industries and maximize the choices in 
encryption technology available for businesses and individuals to 
protect the privacy, confidentiality and security of their computer, 
telephone, and other wire and electronic communications.
  The guiding principle for this bill can be summed up in one sentence: 
Encryption is good for American business and good business for 
Americans.
  FBI Director Louis Freeh testified last week at a hearing on economic 
espionage and quoted Secretary of State Warren Christopher as saying 
that ``Our national security is inseparable from our economic 
security.'' I could not agree more. Yet, American businesses are 
suffering a double blow from our current encryption policies. First, 
American firms lose billions of dollars each year due to the theft of 
proprietary economic information, which could be better protected if 
strong encryption were more widely used. Second, government export 
restrictions tie the hands of American high-technology businesses by 
barring the export of strong encryption technology. The size of these 
combined losses makes encryption one of the critical issues facing 
American businesses today.
  Moreover, the increasing use of and dependency on networked computers 
by Americans to obtain critical medical services, to conduct research, 
to be entertained, to go shopping and to communicate with friends and 
business associates, raises special concerns about the privacy and 
confidentiality of their computer transmissions. I have long been 
concerned about these issues, and have worked over the past decade to 
create a legal structure to foster privacy and security for our wire 
and electronic communications. Encryption technology provides an 
effective way to ensure that only the people we choose can read our 
communications.
  A leading encryption expert, Matt Blaze, told me in a recent letter 
that our current regulations governing the use and export of encryption 
are having a ``deleterious effect on our country's ability to develop a 
reliable and trustworthy information infrastructure.'' It is time for 
Congress to take steps to put our national encryption policy on the 
right course.
  The Encrypted Communications Privacy Act would accomplish three 
goals:
  First, the bill encourages the use of encryption by legislatively 
confirming that Americans have the freedom to use and sell here in the 
United States any encryption technology that they feel is most 
appropriate to meet their privacy and security needs. The bill bars any 
government-mandated use of any particular encryption system, such as a 
key escrow encryption system.
  Second, for those Americans who choose to use a key escrow encryption 
method, the bill establishes privacy standards for key holders and 
stringent procedures for how law enforcement can obtain access to 
decoding keys and decryption assistance. These standards would subject 
key holders to criminal and civil liability if they released the keys 
or divulged the identity and information about the user of the 
encryption system, without legal authorization. Commenting on these 
provisions, Bruce Schneier, who has literally written the textbook on 
encryption, said in a recent letter to me that the bill ``recognizes 
the special obligations of keyholders to be vigilant in safeguarding 
the information entrusted to them, without imposing hurdles on the use 
of cryptography.''
  Finally, the bill loosens export restrictions on encryption products. 
Under the bill, it would be lawful for American companies to export 
high-technology products with encryption capabilities when comparable 
encryption capabilities are available from foreign suppliers, and 
generally available encryption software, including mass market products 
and encryption that is in the public domain. According to Mr. Schneier, 
the bill ``removes the strangle-hold that has encumbered the 
development of mass-market security solutions'' which are so vital to 
the development of our information infrastructure.
  Senator Murray took a leading role in the last Congress on reforming 
our export restrictions on encryption, and I commend her for continuing 
to give this important issue her committed attention again in this 
Congress.
  Current export restrictions allow the export of primarily weak 
encryption software programs. So weak, in fact, that a January 1996 
report by an ad hoc group of world-renowned cryptographers and computer 
scientists estimated that it would take a pedestrian hacker a matter of 
hours to break and a foreign intelligence agency a matter of 
nanoseconds to break. No wonder that foreign buyers of encryption 
products are increasingly looking elsewhere for strong security. This 
hurts the competitiveness of our high-technology industry.
  A recent report by the Computer Systems Policy Project, which is a 
group of major American computer companies, estimated that U.S. 
companies stand to lose between $30 and $60 billion in revenues and 
over 200,000 high-technology jobs by the year 2000 because U.S. 
companies are handicapped in the global market by outdated export 
restrictions.
  Even the Commerce Department reported in January that U.S. export 
controls may have a ``negative effect on U.S. competitiveness'' and 
``may discourage'' the use of strong encryption domestically since 
manufacturers want to make only one product for export and for use 
here.
  Although American companies account for almost 75 percent of the 
global market for prepackaged software, the rest of the world is 
competing strongly in the market for encryption software. Shortsighted 
government policy is holding back American business. Almost 2 years 
ago, I chaired a hearing of the Judiciary Subcommittee on Technology 
and the Law on the administration's Clipper Chip key escrow encryption 
program. I heard testimony about 340 foreign encryption products that 
were available worldwide, 155 of them employing encryption in a 
strength that American firms were prohibited from exporting.
  In 2 short years, those numbers have increased. According to a survey 
of cryptographic products conducted by Trusted Information Systems, as 
of December 1995, 497 foreign products from 28 countries were available 
with encryption security. Almost 200 of these foreign products used 
strong encryption that American companies are barred from selling 
abroad. This study draws the obvious conclusion that ``As a result, 
U.S. Government restrictions may be succeeding only in crippling a 
vital American industry's exporting ability.''
  At the Clipper Chip hearing I chaired in 1994, I heard a number of 
reports about American companies losing business opportunities due to 
U.S. export restrictions. One data security company reported that 
despite its superior system, it had been unable to respond to requests 
from NATO and foreign telecommunications companies because it cannot 
export the encryption they demanded. This cost this single American 
company millions in foregone business. Another major computer company 
lost two sales in Western Europe in a single year totaling about $80 
million because the file and data encryption in the integrated system 
they offered was not exportable.
  Our current export restrictions on encryption technology are fencing 
off the global marketplace and hurting the competitiveness of this part 
of our high-technology industries. While national and domestic security 
concerns must weigh heavily, we need to do a better job of balancing 
these concerns with American business' need for encryption and the 
economic opportunities for our high-technology industries that 
encryption technology provides.
  American businesses are not only suffering lost sales because of our 
current export restrictions, but are also suffering staggering losses 
due to economic espionage. FBI Director Freeh testified that the White 
House Office of Science and Technology Policy puts the amount of that 
loss at $100 billion per year. At a hearing last week on economic 
espionage, we heard from one witness who had to close down his software 
company, with a loss of 25 jobs, after China bribed an employee to 
steal the source code for the company's software.
  We have bills pending before Congress to enact new criminal laws to 
punish people who steal trade secrets or other proprietary information 
and who break into computers to steal sensitive information. But new 
criminal laws are not the whole answer. Criminal laws often only come 
into play too late, after the theft has occurred or the injury 
inflicted.
  We must encourage American firms to take preventive measures to 
protect their vital economic information. That is where encryption 
comes in. Just as we have security systems to lock up our offices and 
file drawers, we need strong encryption systems to protect the security 
and confidentiality of business information.
  The Computer Systems Policy Project estimates that, without strong 
encryption, financial losses by the year 2000 from breaches of computer 
security systems will be from $40 to $80 billion. Unfortunately, some of 
these losses are already occurring. One U.S.-based manufacturer is 
quoted in the Project's report, saying:

       We had a multi-year, multi-billion dollar contract stolen 
     off our P.C. (while bidding in a foreign country). Had it 
     been encrypted, [the foreign competitor] could not have used 
     it in the bidding time frame.

  New technologies present enormous opportunities for Americans, but we 
must strive to safeguard our privacy if these technologies are to 
prosper in this information age. Otherwise, in the service of law 
enforcement and intelligence needs, we will dampen any enthusiasm 
Americans may have for taking advantage of the new technologies.
  I look forward to working with my colleagues on this important 
matter, and ask unanimous consent that the bill, a summary of the bill, 
and three letters of support from Matt Blaze, Bruce Schneier, and 
Business Software Alliance, be included in the Record.
  There being no objection, the material was ordered to be printed in 
the Record, as follows:

                                S. 1587

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Encrypted Communications 
     Privacy Act of 1996''.

     SEC. 2. PURPOSE.

       It is the purpose of this Act--
       (1) to ensure that Americans are able to have the maximum 
     possible choice in encryption methods to protect the 
     security, confidentiality, and privacy of their lawful wire 
     or electronic communications; and
       (2) to establish privacy standards for key holders who are 
     voluntarily entrusted with the means to decrypt such 
     communications, and procedures by which investigative or law 
     enforcement officers may obtain assistance in decrypting such 
     communications.

     SEC. 3. FINDINGS.

       The Congress finds that--
       (1) the digitization of information and the explosion in 
     the growth of computing and electronic networking offers 
     tremendous potential benefits to the way Americans live, 
     work, and are entertained, but also raises new threats to the 
     privacy of American citizens and the competitiveness of 
     American businesses;
       (2) a secure, private, and trusted national and global 
     information infrastructure is essential to promote economic 
     growth, protect citizens' privacy, and meet the needs of 
     American citizens and businesses;
       (3) the rights of Americans to the privacy and security of 
     their communications and in conducting their personal and 
     business affairs should be preserved and protected;
       (4) the authority and ability of investigative and law 
     enforcement officers to access and decipher, in a timely 
     manner and as provided by law, wire and electronic 
     communications necessary to provide for public safety and 
     national security should also be preserved;
       (5) individuals will not entrust their sensitive personal, 
     medical, financial, and other information to computers and 
     computer networks unless the security and privacy of that 
     information is assured;
       (6) business will not entrust their proprietary and 
     sensitive corporate information,
     including information about products, processes, customers, 
     finances, and employees, to computers and computer networks 
     unless the security and privacy of that information is 
     assured;
       (7) encryption technology can enhance the privacy, 
     security, confidentiality, integrity, and authenticity of 
     wire and electronic communications and stored electronic 
     information;
       (8) encryption techniques, technology, programs, and 
     products are widely available worldwide;
       (9) Americans should be free lawfully to use whatever 
     particular encryption techniques, technologies, programs, or 
     products developed in the marketplace they desire in order to 
     interact electronically worldwide in a secure, private, and 
     confidential manner;
       (10) American companies should be free to compete and to 
     sell encryption technology, programs, and products;
       (11) there is a need to develop a national encryption 
     policy that advances the development of the national and 
     global information infrastructure, and preserves Americans' 
     right to privacy and the Nation's public safety and national 
     security;
       (12) there is a need to clarify the legal rights and 
     responsibilities of key holders who are voluntarily entrusted 
     with the means to decrypt wire or electronic communications;
       (13) the Congress and the American people have recognized 
     the need to balance the right to privacy and the protection 
     of the public safety and national security;
       (14) the Congress has permitted lawful electronic 
     surveillance by investigative or law enforcement officers 
     only upon compliance with stringent statutory standards and 
     procedures; and
       (15) there is a need to clarify the standards and 
     procedures by which investigative or law enforcement officers 
     obtain assistance from key holders who are voluntarily 
     entrusted with the means to decrypt wire or electronic 
     communications, including such communications in electronic 
     storage.

     SEC. 4. FREEDOM TO USE ENCRYPTION.

       (a) Lawful Use of Encryption.--It shall be lawful for any 
     person within any State of the United States, the District of 
     Columbia, the Commonwealth of Puerto Rico, and any territory 
     or possession of the United States, and by United States 
     persons in a foreign country to use any encryption, 
     regardless of encryption algorithm selected, encryption key 
     length chosen, or implementation technique or medium used 
     except as provided in this Act and the amendments made by 
     this Act or in any other law.
       (b) General Construction.--Nothing in this Act or the 
     amendments made by this Act shall be construed to--
       (1) require the use by any person of any form of 
     encryption;
       (2) limit or affect the ability of any person to use 
     encryption without a key escrow function; or
       (3) limit or affect the ability of any person who chooses 
     to use encryption with a key escrow function not to use a key 
     holder.

     SEC. 5. ENCRYPTED WIRE AND ELECTRONIC COMMUNICATIONS.

       (a) In General.--Part I of title 18, United States Code, is 
     amended by inserting after chapter 121 the following new 
     chapter:

      ``CHAPTER 122--ENCRYPTED WIRE AND ELECTRONIC COMMUNICATIONS

``2801. Definitions.
``2802. Prohibited acts by key holders.
``2803. Reporting requirements.
``2804. Unlawful use of encryption to obstruct justice.
``2805. Freedom to sell encryption products.

     ``Sec. 2801. Definitions

       ``As used in this chapter--
       ``(1) the terms `person', `State', `wire communication', 
     `electronic communication', `investigative or law enforcement 
     officer', `judge of competent jurisdiction', and `electronic 
     storage' have the same meanings given such terms in section 
     2510 of this title;
       ``(2) the term `encryption' means the scrambling of wire or 
     electronic communications using mathematical formulas or 
     algorithms in order to preserve the confidentiality, 
     integrity or authenticity and prevent unauthorized recipients 
     from accessing or altering such communications;
       ``(3) the term `key holder' means a person located within 
     the United States (which may, but is not required to, be a 
     Federal agency) who is voluntarily entrusted by another 
     independent person with the means to decrypt that person's 
     wire or electronic communications for the purpose of 
     subsequent decryption of such communications;
       ``(4) the term `decryption key' means the variable 
     information used in a mathematical formula, code, or 
     algorithm, or any component thereof, used to decrypt wire or 
     electronic communications that have been encrypted; and
       ``(5) the term `decryption assistance' means providing 
     access, to the extent possible, to the plain text of 
     encrypted wire or electronic communications.

     ``Sec. 2802. Prohibited acts by key holders

       ``(a) Unauthorized Release of Key.--Except as provided in 
     subsection (b), any key holder who releases a decryption key 
     or provides decryption assistance shall be subject to the 
     criminal penalties provided in subsection (e) and to civil 
     liability as provided in subsection (f).
       ``(b) Authorized Release of Key.--A key holder shall only 
     release a decryption key in its possession or control or 
     provide decryption assistance--
       ``(1) with the lawful consent of the person whose key is 
     being held or managed by the key holder;
       ``(2) as may be necessarily incident to the holding or 
     management of the key by the key holder; or
       ``(3) to investigative or law enforcement officers 
     authorized by law to intercept wire or electronic 
     communications under chapter 119, to obtain access to stored 
     wire and electronic communications and transactional records 
     under chapter 121, or to conduct electronic surveillance, as 
     defined in section 101 of the Foreign Intelligence 
     Surveillance Act of 1978 (50 U.S.C. 1801), upon compliance 
     with subsection (c) of this section.
       ``(c) Requirements for Release of Decryption Key or 
     Provision of Decryption Assistance to Investigative or Law 
     Enforcement Officer.--
       ``(1) Contents of wire and electronic communications.--A 
     key holder is authorized to release a decryption key or 
     provide decryption assistance to an investigative or law 
     enforcement officer authorized by law to conduct electronic 
     surveillance under chapter 119, only if--
       ``(A) the key holder is given--
       ``(i) a court order signed by a judge of competent 
     jurisdiction directing such release or assistance; or
       ``(ii) a certification in writing by a person specified in 
     section 2518(7) or the Attorney General stating that--

       ``(I) no warrant or court order is required by law;
       ``(II) all requirements under section 2518(7) have been 
     met; and
       ``(III) the specified release or assistance is required;

       ``(B) the order or certification under paragraph (A)--
       ``(i) specifies the decryption key or decryption assistance 
     which is being sought; and
       ``(ii) identifies the termination date of the period for 
     which release or assistance has been authorized; and
       ``(C) in compliance with an order or certification under 
     subparagraph (A), the key holder shall provide only such key 
     release or decryption assistance as is necessary for access 
     to communications covered by subparagraph (B).
       ``(2) Stored wire and electronic communications.--(A) A key 
     holder is authorized to release a decryption key or provide 
     decryption assistance to an investigative or law enforcement 
     officer authorized by law to obtain access to stored wire and 
     electronic communications and transactional records under 
     chapter 121, only if the key holder is directed to give such 
     assistance pursuant to the same lawful process (court 
     warrant, order, subpoena, or certification) used to obtain 
     access to the stored wire and electronic communications and 
     transactional records.
       ``(B) The notification required under section 2703(b) 
     shall, in the event that encrypted wire or electronic 
     communications were obtained from electronic storage, include 
     notice of the fact that a key to such communications was or 
     was not released or decryption assistance was or was not 
     provided by a key holder.
       ``(C) In compliance with the lawful process under 
     subparagraph (A), the key holder shall provide only such key 
     release or decryption assistance as is necessary for access 
     to the communications covered by such lawful process.
       ``(3) Use of key.--(A) An investigative or law enforcement 
     officer to whom a key has been released under this subsection 
     may use the key only in the manner and for the purpose and 
     duration that is expressly provided for in the court order or 
     other provision of law authorizing such release and use, not 
     to exceed the duration of the electronic surveillance for 
     which the key was released.
       ``(B) On or before completion of the authorized release 
     period, the investigative or law enforcement officer to whom 
     a key has been released shall destroy and not retain the 
     released key.
       ``(C) The inventory required to be served pursuant to 
     section 2518(8)(d) on persons named in the order or the 
     application under section 2518(7)(b), and such other parties 
     to intercepted communications as the judge may determine, in 
     the interest of justice, shall, in the event that encrypted 
     wire or electronic communications were intercepted, include 
     notice of the fact that during the period of the order or 
     extensions thereof a key to, or decryption assistance for, 
     any encrypted wire or electronic communications of the person 
     or party intercepted was or was not provided by a key holder.
       ``(4) Nondisclosure of release.--No key holder, officer, 
     employee, or agent thereof shall disclose the key release or 
     provision of decryption assistance pursuant to subsection 
     (b), except as may otherwise be required by legal process and 
     then only after prior notification to the Attorney General or 
     to the principal prosecuting attorney of a State or any 
     political subdivision of a State, as may be appropriate.
       ``(d) Records or Other Information Held by Key Holders.--A 
     key holder, shall not disclose a record or other information 
     (not including the key) pertaining to any person whose key is 
     being held or managed by the key holder, except--
       ``(1) with the lawful consent of the person whose key is 
     being held or managed by the key holder; or
       ``(2) to an investigative or law enforcement officer 
     pursuant to a subpoena authorized
     under Federal or State law, court order, or lawful process.
     An investigative or law enforcement officer receiving a 
     record or information under paragraph (2) is not required to 
     provide notice to the person to whom the record or 
     information pertains. Any disclosure in violation of this 
     subsection shall render the person committing the violation 
     liable for the civil damages provided for in subsection (f).
       ``(e) Criminal Penalties.--The punishment for an offense 
     under subsection (a) of this section is--
       ``(1) if the offense is committed for a tortious, 
     malicious, or illegal purpose, or for purposes of direct or 
     indirect commercial advantage or private commercial gain--
       ``(A) a fine under this title or imprisonment for not more 
     than 1 year, or both, in the case of a first offense under 
     this subparagraph; or
       ``(B) a fine under this title or imprisonment for not more 
     than 2 years, or both, for any second or subsequent offense; 
     and
       ``(2) in any other case where the offense is committed 
     recklessly or intentionally, a fine of not more than $5,000 
     or imprisonment for not more than 6 months, or both.
       ``(f) Civil Damages.--
       ``(1) In general.--Any person aggrieved by any act of a 
     person in violation of subsections (a) or (d) may in a civil 
     action recover from such person appropriate relief.
       ``(2) Relief.--In an action under this subsection, 
     appropriate relief includes--
       ``(A) such preliminary and other equitable or declaratory 
     relief as may be appropriate;
       ``(B) damages under paragraph (3) and punitive damages in 
     appropriate cases; and
       ``(C) a reasonable attorney's fee and other litigation 
     costs reasonably incurred.
       ``(3) Computation of damages.--The court may assess as 
     damages whichever is the greater of--
       ``(A) the sum of the actual damages suffered by the 
     plaintiff and any profits made by the violator as a result of 
     the violation; or
       ``(B) statutory damages in the amount of $5,000.
       ``(4) Limitation.--A civil action under this subsection 
     shall not be commenced later than 2 years after the date upon 
     which the plaintiff first knew or should have known of the 
     violation.
       ``(g) Defense.--It shall be a complete defense against any 
     civil or criminal action brought under this chapter that the 
     defendant acted in good faith reliance upon a court warrant 
     or order, grand jury or trial subpoena, or statutory 
     authorization.

     ``Sec. 2803. Reporting requirements

       ``(a) In General.--In reporting to the Administrative 
     Office of the United States Courts as required under section 
     2519(2) of this title, the Attorney General, an Assistant 
     Attorney General specially designated by the Attorney 
     General, the principal prosecuting attorney of a State, or 
     the principal prosecuting attorney of any political 
     subdivision of a State, shall report on the number of orders 
     and extensions served on key holders to obtain access to 
     decryption keys or decryption assistance.
       ``(b) Requirements.--The Director of the Administrative 
     Office of the United States Courts shall include as part of 
     the report transmitted to the Congress under section 2519(3) 
     of this title, the number of orders and extensions served on 
     key holders to obtain access to decryption keys or decryption 
     assistance and the offenses for which the orders were 
     obtained.

     ``Sec. 2804. Unlawful use of encryption to obstruct justice

       ``Whoever willfully endeavors by means of encryption to 
     obstruct, impede, or prevent the communication of information 
     in furtherance of a felony which may be prosecuted in a court 
     of the United States, to an investigative or law enforcement 
     officer shall--
       ``(1) in the case of a first conviction, be sentenced to 
     imprisonment for not more than 5 years, fined under this 
     title, or both; or
       ``(2) in the case of a second or subsequent conviction, be 
     sentenced to imprisonment for not more than 10 years, fined 
     under this title, or both.

     ``Sec. 2805. Freedom to sell encryption products

       ``(a) In General.--It shall be lawful for any person within 
     any State of the United States, the District of Columbia, the 
     Commonwealth of Puerto Rico, and any territory or possession 
     of the United States, to sell in interstate commerce any 
     encryption, regardless of encryption algorithm selected, 
     encryption key length chosen, or implementation technique or 
     medium used.
       ``(b) Control of Exports by Secretary of Commerce.--
       ``(1) General rule.--Notwithstanding any other law, subject 
     to paragraphs (2), (3), and (4), the Secretary of Commerce 
     shall have exclusive authority to control exports of all 
     computer hardware, software, and technology for information 
     security (including encryption), except computer hardware, 
     software, and technology that is specifically designed or 
     modified for military use, including command, control, and 
     intelligence applications.
       ``(2) Items not requiring licenses.--No validated license 
     may be required, except pursuant to the Trading With The 
     Enemy Act or the International Emergency Economic Powers Act 
     (IEEPA) (but only to the extent that the authority of the 
     IEEPA is not exercised to extend controls imposed under the 
     Export Administration Act of 1979), for the export or 
     reexport of--
       ``(A) any software, including software with encryption 
     capabilities, that is--
       ``(i) generally available, as is, and designed for 
     installation by the purchaser; or
       ``(ii) in the public domain or publicly available because 
     it is generally accessible to the interested public in any 
     form; or
       ``(B) any computing device solely because it incorporates 
     or employs in any form software (including software with 
     encryption capabilities) exempted from any requirement for a 
     validated license under subparagraph (A).
       ``(3) Software with encryption capabilities.--The Secretary 
     of Commerce shall authorize the export or reexport of 
     software with encryption capabilities for nonmilitary end-
     uses in any country to which exports of software of similar 
     capability are permitted for use by financial institutions 
     not controlled in fact by United States persons, unless there 
     is substantial evidence that such software will be--
       ``(A) diverted to a military end-use or an end-use 
     supporting international terrorism;
       ``(B) modified for military or terrorist end-use; or
       ``(C) reexported without requisite United States 
     authorization.
       ``(4) Hardware with encryption capabilities.--The Secretary 
     shall authorize the export or reexport of computer hardware 
     with encryption capabilities if the Secretary determines that 
     a product offering comparable security is commercially 
     available from a foreign supplier without effective 
     restrictions outside the United States.
       ``(5) Definitions.--As used in this subsection--
       ``(A) the term `generally available' means, in the case of 
     software (including software with encryption capabilities), 
     software that is widely offered for sale, license, or 
     transfer including, but not limited to, over-the-counter 
     retail sales, mail order transactions, phone order 
     transactions, electronic distribution, or sale on approval;
       ``(B) the term `as is' means, in the case of software 
     (including software with encryption capabilities), a software 
     program that is not designed, developed, or tailored by the 
     software company for specific purchasers, except that such 
     purchasers may supply certain installation parameters needed 
     by the software program to function properly with the 
     purchaser's system and may customize the software program by 
     choosing among options contained in the software program;
       ``(C) the term `is designed for installation by the 
     purchaser' means, in the case of software (including software 
     with encryption capabilities)--
       ``(i) the software company intends for the purchaser 
     (including any licensee or transferee), who may not be the 
     actual program user, to install the software program on a 
     computing device and has supplied the necessary instructions 
     to do so, except that the company may also provide telephone 
     help-line services for software installation, electronic 
     transmission, or basic operations; and
       ``(ii) that the software program is designed for 
     installation by the purchaser without further substantial 
     support by the supplier;
       ``(D) the term `computing device' means a device which 
     incorporates one or more microprocessor-based central 
     processing units that can accept, store, process, or provide 
     output of data; and
       ``(E) the term `computer hardware', when used in 
     conjunction with information security, includes, but is not 
     limited to, computer systems, equipment, application-specific 
     assemblies, modules, and integrated circuits.''.
       (b) Technical Amendment.--The table of chapters for part I 
     of title 18, United States Code, is amended by inserting 
     after the item relating to chapter 33, the following new 
     item:

``122. Encrypted wire and electronic communications.........2801''.

     SEC. 6. INTELLIGENCE ACTIVITIES.

       (a) Construction.--Nothing in this Act or the amendments 
     made by this Act constitutes authority for the conduct of any 
     intelligence activity.
       (b) Certain Conduct.--Nothing in this Act or the amendments 
     made by this Act shall affect the conduct, by officers or 
     employees of the United States Government in accordance with 
     other applicable Federal law, under procedures approved by 
     the Attorney General, or activities intended to--
       (1) intercept encrypted or other official communications of 
     United States executive branch entities or United States 
     Government contractors for communications security purposes;
       (2) intercept radio communications transmitted between or 
     among foreign powers or agents of a foreign power as defined 
     by the Foreign Intelligence Surveillance Act of 1978; or
       (3) access an electronic communication system used 
     exclusively by a foreign power or agent of a foreign power as 
     defined by the Foreign Intelligence Surveillance Act of 1978.
                                                                    ____


         Encrypted Communications Privacy Act of 1996--Summary

       Sec. 1. Short Title. The Act may be cited as the 
     ``Encrypted Communications Privacy Act of 1996.''
       Sec. 2. Purpose. The Act would ensure that Americans have 
     the maximum possible choice in encryption methods to protect 
     the security, confidentiality and privacy of their lawful wire 
     and electronic communications. For those Americans who choose 
     an encryption method in which another person, called a ``key 
     holder,'' is voluntarily entrusted with the decryption key, 
     the Act would establish privacy standards for the key holder, 
     and procedures for law enforcement officers to follow to 
     obtain assistance from the key holder in decrypting encrypted 
     communications.
       Sec. 3. Findings. The Act enumerates fifteen congressional 
     findings, including that a secure, private and trusted 
     national and global information infrastructure is essential 
     to promote citizens' privacy and meet the needs of both 
     American citizens and businesses, that encryption technology 
     widely available worldwide can help meet those needs, that 
     Americans should be free to use, and American businesses free 
     to compete and sell, encryption technology, programs and 
     products, and that there is a need to develop a national 
     encryption policy to advance the global information 
     infrastructure and preserve Americans' right to privacy and 
     the Nation's public safety and national security.
     Sec. 4. Freedom to Use Encryption
       (a) Lawful Use of Encryption. The Act legislatively 
     confirms current practice in the United States that any 
     person in this country may lawfully use any encryption 
     method, regardless of encryption algorithm, key length or 
     implementation selected. The Act thereby prohibits any 
     government-mandated use of any particular encryption system, 
     such as a key escrow encryption system.
       The Act further makes lawful the use of any encryption 
     method by United States persons in a foreign country. This 
     provision is consistent with, though broader than, the 
     Department of State's new personal use exemption published in 
     the Federal Register on February 16, 1996, that permits the 
     export of cryptographic products by U.S. citizens and 
     permanent residents who have the need to temporarily export 
     the cryptographic products when leaving the U.S. for brief 
     periods of time. For example, under this new exemption, U.S. 
     citizens traveling abroad will be able to take their laptop 
     computers containing copies of Lotus Notes software, many 
     versions of which contain an encryption program otherwise not 
     exportable.
       (b) General Constructions. Nothing in the Act is to be 
     construed to require the use of encryption, a key escrow 
     encryption system, or a key holder if a person chooses to use 
     a key escrow encryption system.
       Sec. 5. Encrypted wire and electronic communications. This 
     section of the Act adds a new chapter 122, entitled 
     ``Encrypted Wire and Electronic Communications,'' to title 18 
     of the United States Code to establish privacy standards for 
     key holders and to set forth procedures that law enforcement 
     officers must follow to obtain decryption assistance from key 
     holders.
       (a) In General. New chapter 122 has five sections.
       Sec. 2801. Definitions. Generally, the terms used in the 
     new chapter have the same meanings as in the federal wiretap 
     statute in 18 U.S.C. Sec. 2510. Definitions are provided for 
     ``encryption'', ``key holder'', ``decryption key'', and 
     ``decryption assistance''. A ``key holder'' may be, but is not 
     required to be, a Federal agency.
       This chapter applies only to wire or electronic 
     communications and communications in electronic storage, as 
     defined in 18 U.S.C. Sec. 2510, and not to stored electronic 
     data. For example, encrypted electronic mail messages, 
     encrypted telephone conversations, encrypted facsimile 
     transmissions, encrypted computer transmissions and encrypted 
     file transfers over the Internet would be covered, but not 
     encrypted data merely stored on computers.
     Sec. 2802. Prohibited acts by key holders
       (a) Unauthorized release of key.--Key holders will be 
     subject to both criminal and civil liability for the 
     unauthorized release of decryption keys or providing 
     unauthorized decryption assistance.
       (b) Authorized release of key.--Key holders are authorized 
     to release decryption keys or provide decryption assistance 
     with the consent of the key owner, as may be necessary for 
     the holding or management of the key, or to investigative or 
     law enforcement officers upon compliance with the procedures 
     set forth in subsection (c).
       (c) Requirements for release of decryption key to 
     investigative or law enforcement officer.--To obtain access 
     to a decryption key or decryption assistance from a key 
     holder, an investigative or law enforcement officer must 
     present to the key holder the same form of lawful process 
     used to obtain access to the encrypted content. For example, 
     to obtain the decryption key to, or decryption assistance 
     for, an encrypted telephone conversation that is the subject 
     of a court-ordered wiretap under 18 U.S.C. Sec. 2518, a law 
     enforcement agent must present a court order to the key 
     holder to obtain the decoding key. Likewise, to obtain the 
     decryption key to, or decryption assistance for, an encrypted 
     stored wire or electronic communication, a law enforcement 
     officer must present a court warrant, order, subpoena or 
     certification, depending upon what process was used to 
     obtain access to the stored communication.
       Key holders may only provide the minimal key release or 
     decryption assistance needed to access the particular 
     communications specified by court order or other legal 
     process. Released keys or other decryption assistance may 
     only be used in the manner and for the purpose and duration 
     expressly provided by court order or other legal process.
       A key holder who fails to provide the decryption key or 
     decryption assistance called for in the court order, subpoena 
     or other lawful process may be penalized under current 
     contempt or obstruction laws.
       (d) Records or other information held by key holders.--Key 
     holders are prohibited from disclosing records or other 
     information (not including decryption keys) pertaining to key 
     owners, except with the owner's consent or to an 
     investigative or law enforcement officer, pursuant to a 
     subpoena, court order or other lawful process.
       (e) Criminal penalties.--Key holders who violate this 
     section for a tortious, malicious or an illegal purpose, or 
     for direct or indirect commercial advantage or private 
     commercial gain, will be subject to a fine and up to 1 year 
     imprisonment for a first offense, and fine and up to 2 years' 
     imprisonment for a second offense. Other reckless and 
     intentional violations would subject the key holder to a fine 
     of up to $5,000 and up to 6 months' imprisonment.
       (f) Civil damages.--Persons aggrieved by key holder 
     violations may sue for injunctive relief, and actual damages 
     or statutory damages of $5,000, whichever is greater.
       (g) Defense.--A complete defense is provided if the 
     defendant acted in good faith reliance upon a court order, 
     warrant, grand jury or trial subpoena or statutory 
     authorization.
       Sec. 2803. Reporting requirements. The Attorney General is 
     required to include in her report to the Administrative 
     Office of the U.S. Courts under 18 U.S.C. Sec. 2519(2), the 
     number of orders and extensions served on key holders to 
     obtain access to decryption keys or decryption assistance. 
     The Director of the Administrative Office of the U.S. Courts 
     is required to include this information, and the offenses for 
     which the orders were obtained, in the report to Congress 
     under 18 U.S.C. Sec. 2519(3).
       Sec. 2804. Unlawful use of encryption to obstruct justice. 
     Persons who willfully use encryption in an effort and for the 
     purpose of obstructing, impeding, or preventing the 
     communication of information in furtherance of a federal 
     felony crime to a law enforcement officer, would be subject 
     to a fine and up to 5 years' imprisonment for a first 
     offense, and up to 10 years' imprisonment for a second or 
     subsequent offense.
     Sec. 2805. Freedom to sell encryption products
       (a) In general.--The Act legislatively confirms that it is 
     lawful to sell any encryption, regardless of encryption 
     algorithm, key length or implementation used, domestically in 
     the United States or its territories.
       (b) Control of exports by Secretary of Commerce.--
     Notwithstanding any other law, the Act vests the Secretary of 
     Commerce with control of exports of hardware, software and 
     technology for information security, including encryption for 
     both communications and other stored data, except when the 
     hardware, software or technology is specifically designed or 
     modified for military use.
       No export license may be required for encryption software 
     and hardware with encryption capabilities that is generally 
     available, including mass market products (i.e., those 
     generally available, sold ``as is'', and designed for 
     installation by the purchaser) or encryption in the public 
     domain and generally accessible. For example, no licenses 
     would be required for encryption products commercially 
     available without restriction and sold ``as is'', such as 
     Netscape's commercially available World Wide Web Browser, 
     which cannot be exported. Similarly, no license would be 
     required to export software and corresponding hardware placed 
     in the public domain and generally accessible, such as Phil 
     Zimmermann's Pretty Good Privacy program, which has been 
     distributed to the public free of charge via the Internet.
       In addition, the Secretary of Commerce must authorize the 
     export of encryption software to commercial users in any 
     country to which exports of such software have been approved 
     for use by foreign financial institutions, except when there 
     is substantial evidence that the software will be diverted or 
     modified for military or terrorists' end-use or re-exported 
     without requisite U.S. authorization. Finally, the Secretary 
     of Commerce must authorize the export of computer hardware 
     with encryption capabilities if the Secretary determines that 
     a product with comparable security is commercially available 
     from foreign suppliers without effective restrictions outside 
     the United States.
       Significantly, the government is authorized to continue 
     controls on countries that pose terrorism concerns, such as 
     Libya, Syria and Iran, or other embargoed countries, such as 
     Cuba and North Korea, pursuant to the Trading With the Enemy 
     Act or the International Emergency Economic Powers Act.
       (b) Technical Amendment. The Act adds new chapter 122 and 
     the new title in the table of chapters in title 18 of the 
     United States Code.
       Sec. 6. Intelligence activities. The Act does not authorize 
     the conduct of intelligence activities, nor affect the 
     conduct by Federal government officers or employees in 
     intercepting (1) encrypted or other official communications 
     of Federal executive branch or Federal contractors for 
     communications security purposes; (2) radio communications 
     between or among foreign powers or agents, as defined by the 
     Foreign Intelligence Surveillance Act (FISA); or (3) 
     electronic communication systems used exclusively by foreign 
     powers or agents, as defined by FISA.
                                                                    ____


[[Page S1521]]

                                              Murray Hill, NJ,

                                                    March 1, 1996.
     Hon. Patrick Leahy,
     U.S. Senate.
       Dear Senator Leahy: Thank you for introducing the Encrypted 
     Communications Privacy Act of 1996. As a member of the 
     computer security and cryptology research community, I have 
     observed firsthand the deleterious effect that the current 
     regulations governing the use and export of cryptography are 
     having on our country's ability to develop a reliable and 
     trustworthy information infrastructure. Your bill takes an 
     important first step toward creating regulations that reflect 
     the modern realities of this increasingly critical 
     technology.
       Unlike previous government encryption initiatives such as 
     the technically-flawed and unworkable ``Clipper'' chip, your 
     bill re-affirms the role of the marketplace in providing 
     ordinary citizens and businesses with a full range of choices 
     for securing their private information. In particular, by 
     freeing mass-market cryptographic software and hardware from 
     the burdensome export controls that govern the international 
     arms trade, the bill will help the American software industry 
     compete, for the first time, in the international market for 
     high-quality security products.
       Law enforcement need not fear the widespread availability 
     of encryption; indeed, they should welcome and promote it. 
     Encryption thwarts electronic predators by preventing 
     unauthorized access to private data and computer systems, and 
     the use of strong cryptography to protect computer networks 
     is becoming as natural and necessary as the use of locks and 
     burglar alarms to protect our homes and businesses. While 
     criminals, too, might occasionally derive some advantage from 
     the use of cryptography, the benefits of widely-available 
     encryption technology overwhelmingly favor the honest user. 
     By recognizing that those who hold decryption keys on behalf 
     of others are in a special position of trust, your bill is 
     respectful of the privacy of law-abiding citizens without 
     introducing impediments to the government's ability to 
     investigate and prevent crime.
       I have also examined the new provision designed to 
     discourage the use of cryptography by criminals in the 
     furtherance of a felony, and hope to see your carefully-
     worded language reinforced by a narrow interpretation in the 
     courts, consistent with your intent.
       Again, thank you for your continued leadership in this 
     area, and I look forward to doing whatever I can to help you 
     bring encryption regulations in line with the fast-changing 
     reality of this emerging technology.
           Sincerely,
     Matt Blaze.
                                                                    ____

                                                    March 1, 1996.
     Hon. Patrick Leahy,
     U.S. Senate.
       Dear Senator Leahy: I would like to thank you for 
     introducing the Encrypted Communications Privacy Act. As a 
     member of the computer and information security research 
     community, I am keenly aware of the vital role of 
     cryptography in fostering the development of our information 
     infrastructure.
       As the author of the book, ``Applied Cryptography'', I have 
     unusual insights into the absurdity of cryptography export 
     restrictions. It is not without irony that one may export my 
     book in paper format, but not electronically. Presumably no 
     rational person believes that the current restrictions 
     actually prevent the spread of cryptography. I believe you 
     recognize this, as evidenced from the strong stance taken in 
     your bill.
       As the bill recognizes, we can no longer afford to hold on 
     to the obsolete notion that cryptography is the sole province 
     of government communications; the growth of modern networks 
     has irrevocably pushed it into the mainstream. I applaud your 
     leadership towards codifying these principles in a balanced 
     and responsible way. In particular, the bill:
       Removes the regulatory strangle-hold that has encumbered 
     the development of mass-market security solutions;
       Recognizes the futility of applying regulations intended to 
     control the international arms trade to even the most mundane 
     and commonly available software;
       Encourages public confidence in encryption by allowing the 
     marketplace to provide a full range of choices for privacy and 
     security needs;
       Recognizes the special obligations of keyholders to be 
     vigilant in safeguarding the information entrusted to them, 
     without imposing hurdles on the use of cryptography;
       Allows the United States to continue its leadership role as 
     a technological innovator;
       Acknowledges the pivotal role of cryptography in electronic 
     commerce.
       I continue to have concerns that the new criminal 
     obstruction provision will discourage law abiding citizens 
     from using cryptography. I hope that legislative history and 
     further discussion will demonstrate the narrow intent of this 
     crime.
       Overall, your bill takes very necessary strides towards 
     ensuring that the protections we take for granted in 
     traditional media keep pace with technology, and I commend 
     your efforts.
           Sincerely,
     Bruce Schneier.
                                                                    ____



                                   Business Software Alliance,

                                    Washington, DC, March 4, 1996.
     Hon. Patrick J. Leahy,
     Russell Senate Office Building,
     Washington, DC.
       Dear Senator Leahy: As President of the Business Software 
     Alliance (BSA), I am writing to express our strong support 
     for the Encryption Communications Privacy Act of 1996 which I 
     understand you will introduce tomorrow. BSA represents the 
     leading publishers of software for personal computers and the 
     client server environment including Adobe, Autodesk, Bentley, 
     Lotus Development, Microsoft, Novell, Sybase, Symantec and 
     the Santa Cruz Operation.
       We have had an opportunity to review the legislation and 
     find it a significant step toward placing the U.S. software 
     industry on a level playing field with our foreign 
     competitors. Currently, we are only allowed to export weak 
     (40-bit) encryption. Your legislation would allow us to 
     export generally available software which offers security at 
     prevailing world levels. While many would prefer export 
     restrictions being lifted in their entirety, this legislation 
     at least would place us on an equal footing with our foreign 
     competitors which is critical to the continued success of the 
     U.S. software industry in the global market place.
       As you well know, today, America's software industry is the 
     envy of the world. U.S. software companies hold an estimated 
     75% worldwide market share for mass market software with 
     exports accounting for more than one-half of revenues for our 
     companies. According to a 1993 study by Economists Inc., the 
     American mass market software industry was the fastest 
     growing industry in the U.S. between 1982 and 1992 and had 
     become larger than all but five manufacturing industries. 
     This translates into jobs here in the U.S.
       The continued growth and success of our industry is 
     directly threatened by existing U.S. government export 
     controls. For that reason, our companies have consistently 
     made this one of their top policy issues. As importantly, the 
     availability of easy to use, affordable encryption will be 
     essential to the successful development of the Global 
     Information Infrastructure (GII). As more and more 
     transactions are being done on-line, consumers are 
     increasingly demanding software with strong encryption 
     capabilities. In two studies, 90% of the respondents believe 
     information security is important. In one study 37% of the 
     respondents said that they would consider purchasing foreign 
     software with otherwise less desirable features if that 
     software offered data security not available in a U.S. 
     program. Additionally, a recent study shows there are nearly 
     500 foreign encryption products from 28 countries currently 
     available. U.S. export restrictions simply put U.S. industry 
     at a competitive disadvantage. Your bill would address this 
     issue by allowing U.S. industry to export generally available 
     software with strong security features.
       As you may know, the Administration has attempted to 
     address this issue with a ``64-bit key escrow encryption 
     proposal.'' Under that proposal, in order to be allowed to 
     export software with strong security features, U.S. industry 
     would be required to build a back door into the program with 
     a spare key held by a U.S. government certified agent. After 
     careful and serious deliberation by our members, we concluded 
     that the Administration's approach is fatally flawed and 
     cannot be the basis for progress in this area. We simply have 
     not found a market for such a product. Any resolution must be 
     market driven. Your bill takes a very different approach. It 
     reaffirms Americans' right to choose the encryption they use, 
     either with key escrow or without. For those who choose 
     voluntarily to use key holders, your legislation provides 
     standards so that their privacy is not violated. Your 
     legislation allows the market to work. We wholeheartedly 
     endorse this market driven approach.
       The digital information age and the Global Information 
     Infrastructure present opportunities and challenges to 
     computer users concerned about privacy at home and in their 
     businesses, as well as for the U.S. government. From that 
     point of view, we are all in a similar position. Information 
     security policies for the electronic world are fundamental to 
     the success of the GII and we are pleased to support your 
     legislation which is pro-market, pro-competition, pro-privacy 
     and pro-progress.
       We look forward to working with you toward the enactment of 
     this legislation.
           Sincerely,
                                           Robert W. Holleyman II,
                                                        President.

  Mrs. MURRAY. Mr. President, I am pleased to join Senator Leahy today 
as an original cosponsor of the Encrypted Communications Privacy Act. 
Senator Leahy is truly a leader on this issue, and I've had the 
pleasure of working on encryption policy with him over the past 3 
years. I'm excited to once again join him in this effort to make sense 
out of our national export control policies, and to promote export 
opportunities for American software and hardware producers.
  As many of my colleagues know, with help from Congresswoman Cantwell 
in the 103d Congress, I was able to persuade the administration to 
study the extent to which U.S. companies are stymied by our country's 
current encryption and export control policies.
  The Department of Commerce released that report last month. And let 
me just say that there are some findings in this report that we should 
be aware of, and concerned about. For instance, the report acknowledges 
there are tremendous international growth opportunities for software 
exporters in the next 5 to 10 years. Unfortunately, the report also 
finds that most U.S. companies don't pursue international sales because 
our export control laws are too cost prohibitive.
  Mr. President, there are legitimate national security concerns 
underpinning the Export Administration Act. However, these outdated 
laws are no longer relevant to the post-cold-war world we now live in. 
Today's national security controls should target those items that 
really need to be controlled in order to maintain national security. 
Simply, they should make better sense; it doesn't make sense to tell a 
U.S. software producer they can't export a product that is already 
widely available on the world market.
  Senator Leahy's bill seeks a balanced approach to implementing 
viable, safe, and secure encryption technology on both domestically 
sold products and exported products. It protects our privacy concerns, 
and it lays out the appropriate procedures law enforcement officials 
should use when obtaining encrypted materials. And, most important, it 
protects industry ingenuity and prohibits mandatory key escrow.
  Mr. President, I introduced the Commercial Export Administration Act 
in the 103d Congress. I am pleased Senator Leahy is incorporating my 
language into his bill. My language reduces regulatory redtape and 
makes it easier to export generally available mass-marketed commercial 
software. Washington State is home to some of the most innovative 
software producers in the world, and they are eager to export their 
goods. Unfortunately, our export controls keep Washington State's 
companies from penetrating the world market. Senator Leahy's bill, 
however, will fix this problem.
  We are hearing a lot on the Presidential campaign trail about the 
damage that comes from trade--how trade hurts our economy and our 
workers. That's nonsense. My Washington State friends and neighbors 
know full-well that trade is essential to our State's success. One out 
of every five jobs in Washington State is trade related; and these are 
highly skilled, family wage jobs that pay 15 percent higher than the 
national average. Moreover, Washington State's small- and mid-sized 
high-technology companies provided over 98,000 jobs in 1995.
  Mr. President, I mention this because our bill will increase exports 
and enable our high-technology companies to grow further. Higher growth 
means more jobs--plain and simple. A recent study revealed that in 1995 
U.S. exporters lost $60 billion in international sales, and it 
estimates the industry will lose 200,000 potential jobs by the year 
2000. Given the increase in international competition, we can no longer 
afford to persist in holding U.S. companies back from potential world 
sales.
  This legislation makes good sense. First and foremost, it ensures 
every American's right to use any appropriate encryption available on 
the market. It also sets out necessary guidelines that should accompany 
any policy regarding the use of key escrow. And finally, it paves the 
way for new, streamlined export policies.
  Mr. President, this legislation is badly needed, and I urge my 
colleagues to join Senator Leahy and me in supporting it.
                                 ______