[Congressional Record Volume 143, Number 23 (Thursday, February 27, 1997)]
[Senate]
[Pages S1748-S1755]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. LEAHY (for himself, Mr. Burns, Mrs. Murray, and Mr. 
        Wyden):
  S. 376. A bill to affirm the rights of Americans to use and sell 
encryption products, to establish privacy standards for voluntary key 
recovery encryption systems, and for other purposes; to the Committee 
on the Judiciary.


            THE ENCRYPTED COMMUNICATION PRIVACY ACT OF 1997

  Mr. LEAHY. Mr. President, in the 104th Congress, a bipartisan group 
of Senators came together to overhaul our country's outdated export 
rules and bring some sense to our country's encryption policy. We are 
back at it again in this Congress. I am pleased to
introduce with Senator Burns, and others, two encryption bills, the 
Encrypted Communications Privacy Act [ECPA] and Promotion of Commerce 
On-Line in the Digital Era [PRO-CODE] Act.
  This legislation bars government-mandated key recovery, or key escrow 
encryption, and ensures that all computer users are free to choose any 
encryption method to protect the privacy of their online communications 
and computer files. These bills also roll back current restrictions on 
the export of strong cryptography so that high-tech U.S. firms are free 
to compete in the global marketplace and meet the demands of 
customers--both foreign and domestic--for strong encryption.
  As an avid Internet user myself, I care deeply about protecting 
individual privacy and encouraging the development of the Internet as a 
secure and trusted communications medium. As more Americans every year 
use the Internet and other computer networks to obtain critical medical 
services, to conduct business, to be entertained and communicate with 
their friends, maintaining the privacy and confidentiality of our 
computer communications both here and abroad has only grown in 
importance.
  Strong encryption also has an important use as a crime prevention 
shield, to stop hackers, industrial spies and thieves from snooping 
into private computer files and stealing valuable proprietary 
information. We should be encouraging the use of strong encryption to 
prevent certain types of computer and online crime.
  We made progress in the last Congress on encryption. The attention we 
gave to this issue in classified briefings and public hearings helped 
the administration recognize the need for reform. In fact, in the 
waning days of the last Congress, the administration took steps to 
adopt one element proposed in these bills by transferring export 
control authority for certain encryption products from the State 
Department to the Commerce Department. The administration also loosened 
export controls on 56-bit key length encryption--at least for 2 years. 
Although the administration is moving in the right direction by 
loosening some export controls, its unilateral regulatory reforms are 
not enough.

  Even under the current regime, popular browser software, such as 
Microsoft's Internet Explorer and Netscape Navigator, may not be 
exported in the form generally available here, since both software 
packages use 128-bit encryption. Lotus Notes shareware, which uses 
64-bit encryption, cannot be exported in the same version sold 
domestically.
  We need to loosen export restrictions on encryption products so that 
American companies are able to export any generally available or mass 
market encryption products without obtaining Government approval. ECPA 
would allow our companies to do that.
  We are mindful of the national security and law enforcement concerns 
that have dictated the administration's policy choices on encryption. 
Both bills contain important exceptions to restrict encryption exports 
for military end-uses, or to terrorist designated or embargoed 
countries, such as Cuba or North Korea. This is not enough to satisfy 
our national security and law enforcement agencies, who fear that the 
widespread use of strong encryption will undercut their ability to 
eavesdrop on terrorists or other criminals, or decipher computer files 
containing material evidence of a crime.
  Administration officials have made clear that they seek nothing less 
than a world-wide key recovery encryption scheme in which the U.S. 
Government is able to obtain decryption assistance to decipher 
encrypted communications and stored electronic files. I have 
significant concerns about the administration conditioning the export 
of 56-bit key encryption on companies moving forward with key recovery 
encryption systems. In aggressively promoting a global key recovery 
scheme the administration is ignoring the conclusion of the National 
Research Council in its thorough CRISIS report issued last year. 
Specifically, the report warned that ``Aggressive government promotion 
of escrowed encryption is not appropriate at this time.''
  The administration is putting the proverbial cart-before-the-horse by 
promoting key recovery without having in place privacy safeguards 
defining how and under what circumstances law enforcement and others 
may get access to decryption keys. Many users have legitimate concerns 
about investing in and using key recovery products without clear 
answers on how the law enforcement here, let alone other countries, 
including those with bad human rights records or a history of economic 
espionage, will get access to their keys.
  ECPA provides those answers with clear guidelines on how and when law 
enforcement and foreign countries may obtain decryption assistance from 
key holders, who are voluntarily entrusted with decryption keys or have 
the capability to provide decryption assistance.
  It is time for Congress to take steps to put our national encryption 
policy on the right course. Both the PRO-CODE bill and the Encrypted 
Communications Privacy Act reflect a bipartisan effort to reform our 
nation's cryptography policy in a constructive and positive manner.
  I ask unanimous consent that the Encrypted Communications Privacy Act 
and a section-by-section summary be printed in the Record.
  There being no objection, the material was ordered to be printed in 
the Record, as follows:

                                 S. 376

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Encrypted Communications 
     Privacy Act of 1997''.

     SEC. 2. PURPOSES.

       The purposes of this Act are--
       (1) to ensure that Americans have the maximum possible 
     choice in encryption methods to protect the security, 
     confidentiality, and privacy of their lawful wire and 
     electronic communications and stored electronic information; 
     and
       (2) to establish privacy standards for key holders who are 
     voluntarily entrusted with the means to decrypt such 
     communications and information, and procedures by which 
     investigative or law enforcement officers may obtain 
     assistance in decrypting such communications and information.

     SEC. 3. FINDINGS.

       Congress finds that--
       (1) the digitization of information and the explosion in 
     the growth of computing and electronic networking offers 
     tremendous potential benefits to the way Americans live, 
     work, and are entertained, but also raises new threats to the 
     privacy of American citizens and the competitiveness of 
     American businesses;
       (2) a secure, private, and trusted national and global 
     information infrastructure is essential to promote economic 
     growth, protect privacy, and meet the needs of American 
     citizens and businesses;
       (3) the rights of Americans to the privacy and security of 
     their communications and in the conducting of personal and 
     business affairs should be preserved and protected;
       (4) the authority and ability of investigative and law 
     enforcement officers to access and decipher, in a timely 
     manner and as provided by law, wire and electronic 
     communications and stored electronic information necessary to 
     provide for public safety and national security should also 
     be preserved;
       (5) individuals will not entrust their sensitive personal, 
     medical, financial, and other information to computers and 
     computer networks unless the security and privacy of that 
     information is assured;
       (6) business will not entrust their proprietary and 
     sensitive corporate information, including information about 
     products, processes, customers, finances, and employees, to 
     computers and computer networks unless the security and 
     privacy of that information is assured;
       (7) encryption technology can enhance the privacy, 
     security, confidentiality, integrity, and authenticity of 
     wire and electronic communications and stored electronic 
     information;
       (8) encryption techniques, technology, programs, and 
     products are widely available worldwide;
       (9) Americans should be free to use lawfully whatever 
     particular encryption techniques, technologies, programs, or 
     products developed in the marketplace they desire to use in 
     order to interact electronically worldwide in a secure, 
     private, and confidential manner;
       (10) American companies should be free--
       (A) to compete and to sell encryption technology, programs, 
     and products; and
       (B) to exchange encryption technology, programs, and 
     products through the use of the Internet, as the Internet is 
     rapidly emerging as the preferred method of distribution of 
     computer software and related information;
       (11) there is a need to develop a national encryption 
     policy that advances the development of the national and 
     global information infrastructure, and preserves the right to 
     privacy of Americans and the public safety and national 
     security of the United States;
       (12) there is a need to clarify the legal rights and 
     responsibilities of key holders who are voluntarily entrusted 
     with the
     means to decrypt wire and electronic communications and 
     stored electronic information;
       (13) Congress and the American people have recognized the 
     need to balance the right to privacy and the protection of 
     the public safety with national security;
       (14) the Constitution permits lawful electronic 
     surveillance by investigative or law enforcement officers and 
     the seizure of stored electronic information only upon 
     compliance with stringent standards and procedures; and
       (15) there is a need to clarify the standards and 
     procedures by which investigative or law enforcement officers 
     obtain assistance from key holders who--
       (A) are voluntarily entrusted with the means to decrypt 
     wire and electronic communications and stored electronic 
     information; or
       (B) have information that enables the decryption of such 
     communications and information.

     SEC. 4. DEFINITIONS.

       As used in this Act, the terms ``decryption key'', 
     ``encryption'', ``key holder'', and ``State'' have the same 
     meanings as in section 2801 of title 18, United States Code, 
     as added by section 6 of this Act.

     SEC. 5. FREEDOM TO USE ENCRYPTION.

       (a) Lawful Use of Encryption.--Except as provided in this 
     Act and the amendments made by this Act, it shall be lawful 
     for any person within any State, and by any United States 
     person in a foreign country, to use any encryption, 
     regardless of encryption algorithm selected, encryption key 
     length chosen, or implementation technique or medium used.
       (b) Prohibition on Mandatory Key Recovery or Key Escrow 
     Encryption.--Neither the Federal Government nor a State may 
     require, as a condition of a sale in interstate commerce, 
     that a decryption key be given to another person.
       (c) General Construction.--Nothing in this Act or the 
     amendments made by this Act shall be construed to--
       (1) require the use by any person of any form of 
     encryption;
       (2) limit or affect the ability of any person to use 
     encryption without a key recovery function; or
       (3) limit or affect the ability of any person who chooses 
     to use encryption with a key recovery function to select the 
     key holder, if any, of the person's choice.

     SEC. 6. ENCRYPTED WIRE OR ELECTRONIC COMMUNICATIONS AND 
                   STORED ELECTRONIC COMMUNICATIONS.

       (a) In General.--Part I of title 18, United States Code, is 
     amended by inserting after chapter 123 the following new 
     chapter:

 ``CHAPTER 125--ENCRYPTED WIRE OR ELECTRONIC COMMUNICATIONS AND STORED 
                         ELECTRONIC INFORMATION

``Sec.
``2801. Definitions.
``2802. Prohibited acts by key holders.
``2803. Reporting requirements.
``2804. Unlawful use of encryption to obstruct justice.
``2805. Freedom to sell encryption products.
``2806. Requirements for release of decryption key or provision of 
              encryption assistance to a foreign country.

     ``Sec. 2801. Definitions

       ``In this chapter--
       ``(1) the term `decryption key' means the variable 
     information used in or produced by a mathematical formula, 
     code, or algorithm, or any component thereof, used to decrypt 
     a wire communication or electronic communication or stored 
     electronic information that has been encrypted;
       ``(2) the term `decryption assistance' means assistance 
     which provides or facilitates access to the plain text of an 
     encrypted wire communication or electronic communication or 
     stored electronic information;
       ``(3) the term `encryption' means the scrambling of wire 
     communications or electronic communications or stored 
     electronic information using mathematical formulas or 
     algorithms in order to preserve the confidentiality, 
     integrity, or authenticity of such communications or 
     information and prevent unauthorized recipients from 
     accessing or altering such communications or information;
       ``(4) the term `key holder' means a person (including a 
     Federal agency) located within the United States who--
       ``(A) is voluntarily entrusted by another independent 
     person with the means to decrypt that person's wire 
     communications or electronic communications or stored 
     electronic information for the purpose of subsequent 
     decryption of such communications or information; or
       ``(B) has information that enables the decryption of such 
     communications or information for such purpose; and
       ``(5) the terms `person', `State', `wire communication', 
     `electronic communication', `investigative or law enforcement 
     officer', `judge of competent jurisdiction', and `electronic 
     storage' have the same meanings given such terms in section 
     2510 of this title.

     ``Sec. 2802. Prohibited acts by key holders

       ``(a) Unauthorized Release of Key.--Except as provided in 
     subsection (b), any key holder who releases a decryption key 
     or provides decryption assistance shall be subject to the 
     criminal penalties provided in subsection (e) and to civil 
     liability as provided in subsection (f).
       ``(b) Authorized Release of Key.--A key holder shall only 
     release a decryption key in the possession or control of the 
     key holder or provide decryption assistance with respect to 
     the key--
       ``(1) with the lawful consent of the person whose key is 
     possessed or controlled by the key holder;
       ``(2) as may be necessarily incident to the provision of 
     service relating to the possession or control of the key by 
     the key holder; or
       ``(3) upon compliance with subsection (c)--
       ``(A) to investigative or law enforcement officers 
     authorized to intercept wire communications or electronic 
     communications under chapter 119 of this title;
       ``(B) to a governmental entity authorized to require access 
     to stored wire and electronic communications and 
     transactional records under chapter 121 of this title; or
       ``(C) to a governmental entity authorized to seize or 
     compel the production of stored electronic information.
       ``(c) Requirements for Release of Decryption Key or 
     Provision of Decryption Assistance.--
       ``(1) Wire and electronic communications.--(A) A key holder 
     may release a decryption key or provide decryption assistance 
     to an investigative or law enforcement officer if--
       ``(i) the key holder is given--
       ``(I) a court order--

       ``(aa) signed by a judge of competent jurisdiction 
     directing such release or assistance; and
       ``(bb) issued upon a finding that the decryption key or 
     decryption assistance sought is necessary for the decryption 
     of a communication that the investigative or law enforcement 
     officer is authorized to intercept pursuant to chapter 119 of 
     this title; or

       ``(II) a certification in writing by a person specified in 
     section 2518(7) of this title, or the Attorney General, 
     stating that--

       ``(aa) no court order is required by law;
       ``(bb) the conditions set forth in section 2518(7) of this 
     title have been met; and
       ``(cc) the release or assistance is required;

       ``(ii) the order or certification under clause (i)--
       ``(I) specifies the decryption key or decryption assistance 
     being sought; and
       ``(II) identifies the termination date of the period for 
     which the release or assistance is authorized; and
       ``(iii) in compliance with the order or certification, the 
     key holder provides only the release or decryption assistance 
     necessary for the access specified in the order or 
     certification.
       ``(B) If an investigative or law enforcement officer 
     receives a decryption key or decryption assistance under this 
     paragraph for purposes of decrypting wire communications or 
     electronic communications, the judge issuing the order 
     authorizing the interception of such communications shall, as 
     part of the inventory required to be served pursuant to 
     subsection (7)(b) or (8)(d) of section 2518 of this title, 
     cause to be served on the persons named in the order, or the 
     application for the order, and on such other parties as the 
     judge may determine in the interests of justice, notice of 
     the receipt of the key or decryption assistance, as the case 
     may be, by the officer.
       ``(2) Stored wire and electronic communications and stored 
     electronic information.--(A) A key holder may release a 
     decryption key or provide decryption assistance to a 
     governmental entity requiring disclosure of stored wire and 
     electronic communications and transactional records under 
     chapter 121 of this title only if the key holder is directed 
     to release the key or give such assistance pursuant to a 
     court order issued upon a finding that the decryption key or 
     decryption assistance sought is necessary for the decryption 
     of communications or records the disclosure of which the 
     governmental entity is authorized to require under section 
     2703 of this title.
       ``(B) A key holder may release a decryption key or provide 
     decryption assistance under this subsection to a governmental 
     entity seizing or compelling production of stored electronic 
     information only if the key holder is directed to release the 
     key or give such assistance pursuant to a court order issued 
     upon a finding that the decryption key or decryption 
     assistance sought is necessary for the decryption of stored 
     electronic information--
       ``(i) that the governmental entity is authorized to seize; 
     or
       ``(ii) the production of which the governmental entity is 
     authorized to compel.
       ``(C) A court order directing the release of a decryption 
     key or the provision of decryption assistance under 
     subparagraph (A) or (B) shall specify the decryption key or 
     decryption assistance being sought. A key holder may provide 
     only such release or decryption assistance as is necessary 
     for access to the communications, records, or information 
     covered by the court order.
       ``(D) If a governmental entity receives a decryption key or 
     decryption assistance under this paragraph for purposes of 
     obtaining access to stored wire and electronic communications 
     or transactional records under section 2703 of this title, 
     the notice required with respect to such access under 
     subsection (b) of such section shall include notice of the 
     receipt of the key or assistance, as the case may be, by the 
     entity.
       ``(3) Use of key.--(A) An investigative or law enforcement 
     officer or governmental entity to which a decryption key is 
     released under this subsection may use the key only in the 
     manner and for the purpose and period expressly provided for 
     in the certification or
     court order authorizing such release and use. Such period may 
     not exceed the duration of the interception for which the key 
     was released or such other period as the court, if any, may 
     allow.
       ``(B) Not later than the end of the period authorized for 
     the release of a decryption key, the investigative or law 
     enforcement officer or governmental entity to which the key 
     is released shall destroy and not retain the key and provide 
     a certification that the key has been destroyed to the 
     issuing court, if any.
       ``(4) Nondisclosure of release.--No key holder, officer, 
     employee, or agent thereof may disclose the release of an 
     encryption key or the provision of decryption assistance 
     under subsection (b)(3), except as otherwise required by law 
     or legal process and then only after prior notification to 
     the Attorney General or to the principal prosecuting attorney 
     of a State or of a political subdivision of a State, as 
     appropriate.
       ``(d) Records or Other Information Held by Key Holders.--
       ``(1) In general.--A key holder may not disclose a record 
     or other information (not including the key or the contents 
     of communications) pertaining to any person, which record or 
     information is held by the key holder in connection with its 
     control or possession of a decryption key, except--
       ``(A) with the lawful consent of the person whose key is 
     possessed or controlled by the key holder; or
       ``(B) to an investigative or law enforcement officer 
     pursuant to a warrant, subpoena, court order, or other lawful 
     process authorized by Federal or State law.
       ``(2) Certain notice not required.--An investigative or law 
     enforcement officer receiving a record or information under 
     paragraph (1)(B) is not required to provide notice of such 
     receipt to the person to whom the record or information 
     pertains.
       ``(3) Liability for civil damages.--Any disclosure in 
     violation of this subsection shall render the person 
     committing the violation liable for the civil damages 
     provided for in subsection (f).
       ``(e) Criminal Penalties.--The punishment for an offense 
     under subsection (a) is--
       ``(1) if the offense is committed for a tortious, 
     malicious, or illegal purpose, or for purposes of direct or 
     indirect commercial advantage or private commercial gain--
       ``(A) a fine under this title or imprisonment for not more 
     than 1 year, or both, in the case of a first offense; or
       ``(B) a fine under this title or imprisonment for not more 
     than 2 years, or both, in the case of a second or subsequent 
     offense; and
       ``(2) in any other case where the offense is committed 
     recklessly or intentionally, a fine of not more than $5,000 
     or imprisonment for not more than 6 months, or both.
       ``(f) Civil Damages.--
       ``(1) In general.--Any person aggrieved by any act of a 
     person in violation of subsection (a) or (d) may in a civil 
     action recover from such person appropriate relief.
       ``(2) Relief.--In an action under this subsection, 
     appropriate relief includes--
       ``(A) such preliminary and other equitable or declaratory 
     relief as may be appropriate;
       ``(B) damages under paragraph (3) and punitive damages in 
     appropriate cases; and
       ``(C) a reasonable attorney's fee and other litigation 
     costs reasonably incurred.
       ``(3) Computation of damages.--The court may assess as 
     damages the greater of--
       ``(A) the sum of the actual damages suffered by the 
     plaintiff and any profits made by the violator as a result of 
     the violation; or
       ``(B) statutory damages in the amount of $5,000.
       ``(4) Limitation.--A civil action under this subsection 
     shall be commenced not later than 2 years after the date on 
     which the plaintiff first knew or should have known of the 
     violation.
       ``(g) Defense.--It shall be a complete defense against any 
     civil or criminal action brought under this chapter that the 
     defendant acted in good faith reliance upon a warrant, 
     subpoena, or court order or other statutory authorization.

     ``Sec. 2803. Reporting requirements

       ``(a) In General.--In reporting to the Administrative 
     Office of the United States Courts as required under section 
     2519(2) of this title, the Attorney General, an Assistant 
     Attorney General specially designated by the Attorney 
     General, the principal prosecuting attorney of a State, or 
     the principal prosecuting attorney of any political 
     subdivision of a State shall report on the number of orders 
     and extensions served on key holders under this chapter to 
     obtain access to decryption keys or decryption assistance and 
     the offenses for which the orders and extensions were 
     obtained.
       ``(b) Requirements.--The Director of the Administrative 
     Office of the United States Courts shall include in the 
     report transmitted to Congress under section 2519(3) of this 
     title the number of orders and extensions served on key 
     holders to obtain access to decryption keys or decryption 
     assistance and the offenses for which the orders and 
     extensions were obtained.

     ``Sec. 2804. Unlawful use of encryption to obstruct justice

       ``Whoever willfully endeavors by means of encryption to 
     obstruct, impede, or prevent the communication to an 
     investigative or law enforcement officer of information in 
     furtherance of a felony that may be prosecuted in a court of 
     the United States shall--
       ``(1) in the case of a first conviction, be sentenced to 
     imprisonment for not more than 5 years, fined under this 
     title, or both; or
       ``(2) in the case of a second or subsequent conviction, be 
     sentenced to imprisonment for not more than 10 years, fined 
     under this title, or both.

     ``Sec. 2805. Freedom to sell encryption products

       ``(a) In General.--It shall be lawful for any person within 
     any State to sell in interstate commerce any encryption, 
     regardless of encryption algorithm selected, encryption key 
     length chosen, or implementation technique or medium used.
       ``(b) Control of Exports by Secretary of Commerce.--
       ``(1) General rule.--Notwithstanding any other law and 
     subject to paragraphs (2), (3), and (4), the Secretary of 
     Commerce shall have exclusive authority to control exports of 
     all computer hardware, computer software, and technology for 
     information security (including encryption), except computer 
     hardware, software, and technology that is specifically 
     designed or modified for military use, including command, 
     control, and intelligence applications.
       ``(2) Items subject to license exception.--Except as 
     otherwise provided under the Trading With The Enemy Act (50 
     U.S.C. App. 1 et seq.) or the International Emergency 
     Economic Powers Act (50 U.S.C. 1701 et seq.) (but only to the 
     extent that the authority of the International Emergency 
     Economic Powers Act is not exercised to extend controls 
     imposed under the Export Administration Act of 1979), a 
     license exception shall be made available for the export or 
     reexport of--
       ``(A) any computer software, including computer software 
     with encryption capabilities, that is--
       ``(i) generally available, as is, and designed for 
     installation by the user or purchaser; or
       ``(ii) in the public domain (including computer software 
     available through the Internet or another interactive 
     computer service) or publicly available because the computer 
     software is generally accessible to the interested public in 
     any form;
       ``(B) any computing device or computer hardware that 
     otherwise would be restricted solely on the basis that it 
     incorporates or employs in any form computer software 
     (including computer software with encryption capabilities) 
     that is described in subparagraph (A);
       ``(C) any computer software or computer hardware that is 
     otherwise restricted solely on the basis that it incorporates 
     or employs in any form interface mechanisms for interaction 
     with other hardware and software, including encryption 
     hardware and software; or
       ``(D) any encryption technology related or ancillary to a 
     device, software, or hardware described in subparagraph (A), 
     (B), or (C).
       ``(3) Computer software, computer hardware, and technology 
     with encryption capabilities.--(A) Except as provided in 
     subparagraph (B), the Secretary of Commerce shall authorize 
     the export or reexport of computer software, computer 
     hardware, and technology with encryption capabilities under a 
     license exception if--
       ``(i) a product offering comparable security is 
     commercially available from a foreign supplier without 
     effective restrictions;
       ``(ii) a product offering comparable security is generally 
     available in a foreign country; or
       ``(iii) the sole basis for otherwise withholding the 
     license exception is the employment in the software, 
     hardware, or technology of encryption from a foreign source.
       ``(B) The Secretary of Commerce shall prohibit the export 
     or reexport of computer software, computer hardware, and 
     technology described in subparagraph (A) to a foreign country 
     if the Secretary determines that there is substantial 
     evidence that such software, hardware, or technology will 
     be--
       ``(i) diverted to a military end-use or an end-use 
     supporting international terrorism;
       ``(ii) modified for military or terrorist end-use; or
       ``(iii) reexported without requisite United States 
     authorization.
       ``(4) Definitions.--As used in this subsection--
       ``(A) the term `as is' means, in the case of computer 
     software (including computer software with encryption 
     capabilities), a computer software program that is not 
     designed, developed, or tailored by the computer software 
     company for specific purchasers, except that such purchasers 
     may supply certain installation parameters needed by the 
     computer software program to function properly with the 
     purchaser's system and may customize the computer software 
     program by choosing among options contained in the computer 
     software program;
       ``(B) the term `computing device' means a device which 
     incorporates one or more microprocessor-based central 
     processing units that can accept, store, process, or provide 
     output of data;
       ``(C) the term `computer hardware', when used in 
     conjunction with information security, includes computer 
     systems, equipment, application-specific assemblies, modules, 
     and integrated circuits;
       ``(D) the term `generally available' means, in the case of 
     computer software (including computer software with 
     encryption capabilities), computer software that is widely 
     offered for sale, license, or transfer including over-the-
     counter retail sales, mail order

[[Page S1753]]

     transactions, telephone order transactions, electronic 
     distribution, and sale on approval;
       ``(E) the term `interactive computer service' has the 
     meaning provided that term in section 230(e)(2) of the 
     Communications Act of 1934 (47 U.S.C. 230(e)(2));
       ``(F) the term `Internet' has the meaning provided that 
     term in section 230(e)(1) of the Communications Act of 1934 
     (47 U.S.C. 230(e)(1));
       ``(G) the term `is designed for installation by the 
     purchaser' means, in the case of computer software (including 
     computer software with encryption capabilities)--
       ``(i) that the computer software company intends for the 
     purchaser (including any licensee or transferee), who may not 
     be the actual program user, to install the computer software 
     program on a computing device and has supplied the necessary 
     instructions to do so, except that the company may also 
     provide telephone help-line services for software 
     installation, electronic transmission, or basic operations; 
     and
       ``(ii) that the computer software program is designed for 
     installation by the purchaser without further substantial 
     support by the supplier;
       ``(H) the term `license exception' means a general 
     authorization applicable to a type of export that does not 
     require an exporter to, as a condition of exporting--
       ``(i) submit a written application to the Secretary of 
     Commerce; or
       ``(ii) receive prior written authorization by the Secretary 
     of Commerce; and
       ``(I) the term `technology' means specific information 
     necessary for the development, production, or use of a 
     product.

     ``Sec. 2806. Requirements for release of decryption key or 
       provision of decryption assistance to a foreign country

       ``(a) In General.--Except as provided in subsection (b), no 
     investigative or law enforcement officer or key holder may 
     release a decryption key or provide decryption assistance to 
     a foreign country.
       ``(b) Conditions for Cooperation With Foreign Country.--
       ``(1) In general.--In any case in which the United States 
     has entered into a treaty or convention with a foreign 
     country to provide mutual assistance with respect to 
     decryption, the Attorney General (or the designee of the 
     Attorney General) may, upon an official request to the United 
     States from the foreign country, apply for an order described 
     in paragraph (2) from the district court in which a key 
     holder resides for--
       ``(A) assistance in obtaining the release of a decryption 
     key from the key holder; or
       ``(B) obtaining decryption assistance from the key holder.
       ``(2) Contents of order.--An order described in this 
     paragraph is an order that directs the key holder involved 
     to--
       ``(A) release a decryption key to the Attorney General (or 
     the designee of the Attorney General) for furnishing to the 
     foreign country; or
       ``(B) provide decryption assistance to the Attorney General 
     (or the designee of the Attorney General) for furnishing to 
     the foreign country.
       ``(3) Requirements for order.--A judge of a court described 
     in paragraph (1) may issue an order described in paragraph 
     (2) if the judge finds, on the basis of an application made 
     by the Attorney General under this subsection, that--
       ``(A) the decryption key or decryption assistance sought is 
     necessary for the decryption of a communication or 
     information that the foreign country is authorized to 
     intercept or seize pursuant to the law of the foreign 
     country;
       ``(B) the law of the foreign country provides for adequate 
     protection against arbitrary interference with respect to 
     privacy rights; and
       ``(C) the decryption key or decryption assistance is being 
     sought in connection with a criminal investigation for 
     conduct that would constitute a violation of a criminal law 
     of the United States if committed within the jurisdiction of 
     the United States.
       ``(c) Definition.--As used in this section, the term 
     `official request' has the meaning given that term in section 
     3506(c) of this title.''.
       (b) Clerical Amendment.--The chapter analysis for part I of 
     title 18, United States Code, is amended by inserting after 
     the item relating to chapter 123 the following new item:

``125. Encrypted wire or electronic communications and stored 
    electronic information..................................2801''.

     SEC. 7. INTELLIGENCE ACTIVITIES.

       (a) Construction.--Nothing in this Act or the amendments 
     made by this Act constitutes authority for the conduct of any 
     intelligence activity.
       (b) Certain Conduct.--Nothing in this Act or the amendments 
     made by this Act shall affect the conduct, by officers or 
     employees of the United States Government in accordance with 
     other applicable Federal law, under procedures approved by 
     the Attorney General, of activities intended to--
       (1) intercept encrypted or other official communications of 
     United States executive branch entities or United States 
     Government contractors for communications security purposes;
       (2) intercept radio communications transmitted between or 
     among foreign powers or agents of a foreign power as defined 
     by the Foreign Intelligence Surveillance Act of 1978 (50 
     U.S.C. 1801 et seq.); or
       (3) access an electronic communication system used 
     exclusively by a foreign power or agent of a foreign power as 
     so defined.
                                  ____


         Encrypted Communications Privacy Act of 1997--Summary

       Sec. 1. Short Title. The Act may be cited as the 
     ``Encrypted Communications Privacy Act of 1997.''
       Sec. 2. Purpose. The Act would ensure that Americans have 
     the maximum possible choice in encryption methods to protect 
     the security, confidentiality and privacy of their lawful 
     wire and electronic communications and stored electronic 
     information. Americans are free to choose an encryption 
     method with a key recovery feature, in which another person, 
     called a ``key holder,'' is voluntarily entrusted with a 
     decryption key or with the means to decrypt, or has 
     information that would enable the decryption of, encrypted 
     communications or information. The Act would establish 
     privacy standards for the key holder, and procedures for law 
     enforcement officers and foreign countries to follow to 
     obtain assistance from the key holder in decrypting encrypted 
     communications and information.
       Sec. 3. Findings. The Act enumerates fifteen congressional 
     findings, including that a secure, private and trusted 
     national and global information infrastructure is essential 
     to promote citizens' privacy and meet the needs of both 
     American citizens and businesses, that encryption technology 
     widely available worldwide can help meet those needs, that 
     Americans should be free to use, and American businesses free 
     to compete and sell, encryption technology, programs and 
     products, and that there is a need to develop a national 
     encryption policy to advance the global information 
     infrastructure and preserve Americans' right to privacy and 
     the Nation's public safety and national security.
       Sec. 4. Definitions. The terms ``decryption key'', 
     ``encryption'', ``key holder'', and ``State'' as used in the 
     Act are defined in section 6 of the Act.
       Sec. 5. Freedom to Use Encryption.
       (a) Lawful Use of Encryption. The Act legislatively 
     confirms current practice in the United States that any 
     person in this country may lawfully use any encryption 
     method, regardless of encryption algorithm, key length or 
     implementation selected.
       The Act further makes clear that it is lawful under U.S. 
     law for any United States person in a foreign country to 
     use any encryption method. This provision is consistent with, 
     though broader than, the Commerce Department's license 
     exceptions published in the Federal Register on December 30, 
     1996, for temporary encryption exports that effectively 
     replace the Department of State's personal use exemption. 
     This personal use exemption permits the export of 
     cryptographic products by U.S. citizens and permanent 
     residents who have the need to temporarily export the 
     cryptographic products when leaving the U.S. for brief 
     periods of time. For example, under this exemption, U.S. 
     citizens traveling abroad are able to take their laptop 
     computers containing copies of Lotus Notes software, many 
     versions of which contain an encryption program otherwise 
     not exportable.
       (b) Prohibition on Mandatory Key Recovery or Key Escrow 
     Encryption. The Act expressly bars the government from 
     mandating that encryption technology or products be sold in 
     interstate commerce with a key recovery feature.
       (c) General Construction. Nothing in the Act is to be 
     construed to require the use of encryption, the use of 
     encryption with or without a key recovery feature, or the use 
     of a key holder if a person chooses to use encryption with a 
     key recovery feature.
       Sec. 6. Encrypted Wire or Electronic Communications and 
     Stored Electronic Information. This section of the act adds a 
     new chapter 125, entitled ``Encrypted Wire or Electronic 
     Communications and Stored Electronic Information,'' to title 
     18 of the United States Code to establish privacy standards 
     for key holders and to set forth procedures that law 
     enforcement officers, governmental entities and foreign 
     countries must follow to obtain release of decryption keys or 
     decryption assistance from key holders.
       (a) In General. New chapter 125 has six sections.
       Sec. 2801.  Definitions. Generally, the terms used in the 
     new chapter have the same meanings as in the federal wiretap 
     statute, 18 U.S.C. 2510. Definitions are provided for 
     ``decryption key'', ``decryption assistance'', ``encryption'' 
     and ``key holder''. A ``key holder'' is a person located 
     within the United States who is voluntarily entrusted by 
     another independent person with the means to decrypt, or who 
     has information that would enable the decryption of, that 
     person's encrypted wire or electronic communications or 
     stored electronic information. A key holder may, but is not 
     required to be, a Federal agency.
       This chapter applies to wire or electronic communications 
     and communications in electronic storage, as defined in 18 
     U.S.C. 2510, and to stored electronic data. Thus, this 
     chapter describes procedures for law enforcement to obtain 
     assistance in decrypting encrypted electronic mail messages, 
     encrypted telephone conversations, encrypted facsimile 
     transmissions, encrypted computer transmissions and encrypted 
     file transfers over the Internet that are lawfully 
     intercepted pursuant to a wiretap order, under 18 U.S.C. 
     2518, or obtained pursuant to lawful process, under 18 U.S.C. 
     2703, and encrypted information stored on computers that is 
     seized pursuant to a search warrant or other lawful process.

[[Page S1754]]

       Sec. 2802.  Prohibited acts by key holders
       (a) Unauthorized Release of Key.--Key holders will be 
     subject to both criminal and civil liability for the 
     unauthorized release of decryption keys or providing 
     unauthorized decryption assistance.
       (b) Authorized Release of Key.--Key holders are authorized 
     to release decryption keys or provide decryption assistance 
     (1) with the consent of the key owner, (2) as may be 
     necessarily incident to the provision of the key holder's 
     service in possessing or controlling the key, or (3) to 
     investigative or law enforcement officers authorized to 
     conduct wiretaps and intercept wire or electronic 
     communications, governmental entities authorized to access 
     stored wire or electronic communications and transactional 
     records, and governmental entities authorized to seize or 
     compel production of stored electronic records, and upon 
     compliance with the procedures set forth in subsection (c).
       (c) Requirements for Release of Decryption Key or Provision 
     of Decryption Assistance.--Generally decryption keys may be 
     released and decryption assistance provided only pursuant to 
     a court order issued upon a finding that the key or 
     assistance is necessary to decrypt communications or stored 
     data lawfully intercepted or seized. The standard for release 
     of the key or provision of decryption assistance is tied 
     directly to the problem at hand: the need to decrypt a 
     message or information that the government is otherwise 
     authorized to intercept or obtain. This will ensure that key 
     holders need respond to only one type of compulsory process--
     a court order. Moreover, this Act will set a single standard 
     for law enforcement, removing any extra burden on law 
     enforcement to demonstrate, for example, probable cause for 
     two separate orders (i.e., for the encrypted communications 
     or information and for decryption assistance) and possibly 
     before two different judges (i.e., the judge issuing the 
     order for the encrypted communications or information and the 
     judge issuing the order to the key holder).
       (1) Wire and electronic communications.--To obtain access 
     to a decryption key or decryption assistance from a key 
     holder, an investigative or law enforcement officer must 
     present to the key holder a court order (or a certification 
     issued under the emergency situation procedures in 18 U.S.C. 
     2518(7)) issued upon a finding that the decryption key or 
     decryption assistance is necessary for the decryption of a 
     communication that the officer is authorized to intercept. 
     The order or certification shall specify the key or 
     assistance being sought and identify the termination date of 
     the period for which the release or assistance is authorized. 
     Released keys or other decryption assistance may only be 
     used in the manner and for the purpose and duration 
     expressly provided by the court order.
       The Act reinforces the principle of minimization. A key 
     holder may only provide the minimal key release or decryption 
     assistance needed to access the particular communications or 
     information specified by court order. Under some key recovery 
     schemes, release of a key holder's private key--rather than 
     an individual session key--might provide the ability to 
     decrypt every communication or stored file ever encrypted by 
     a particular key owner, or by every user in an entire 
     corporation, or by every user who was ever a customer of the 
     key holder. The Act protects against such overbroad releases 
     of keys by requiring the court issuing the order to find the 
     keys or decryption assistance being sought are necessary.
       A key holder who fails to comply with the court order to 
     provide a decryption key or decryption assistance may be 
     penalized under current contempt or obstruction laws.
       (2) Stored wire and electronic communications and stored 
     electronic information.--
       (A) A key holder is authorized to release a decryption key 
     or provide decryption assistance to a governmental entity 
     when directed to do so by a court order issued upon a finding 
     that the key or assistance sought is necessary for the 
     decryption of stored wire and electronic communications and 
     transactional records, which a governmental entity is 
     authorized to obtain under 18 U.S.C. Sec. 2703. The notice 
     required to be given to subscribers or customers, under 18 
     U.S.C. Sec. 2703(b), shall include notice of the receipt of 
     the key or assistance, as the case may be, by the 
     governmental entity.
       (B) A key holder is authorized to release a decryption key 
     or provide decryption assistance to a governmental entity 
     when directed to do so by a court order issued upon a finding 
     that the key or assistance sought is necessary for the 
     decryption of stored electronic information, which a 
     governmental entity is authorized to seize or for which the 
     governmental entity is authorized to compel production.
       (C) A court order issued under either (A) or (B) must 
     specify the decryption key or decryption assistance being 
     sought, and the key holder may provide only such release or 
     assistance as is necessary for access to the communications, 
     records or information covered by the court order.
       (3) Use of key.--An investigative or law enforcement 
     officer or governmental entity to which a decryption key has 
     been released may use the key only in the manner, for the 
     purpose and for the period expressly provided for in the 
     court order or certification authorizing the release and 
     use. At the end of the period for authorized release of 
     the decryption key, the investigative or law enforcement 
     officer or governmental entity must destroy and not retain 
     the key and certify this has been done to the issuing 
     court, if any.
       (4) Nondisclosure of Release.--A key holder may not 
     disclose the release of a decryption key or provision of 
     decryption assistance unless otherwise ordered to do so by 
     law or legal process and then only after prior notification 
     to the Attorney General or principal prosecuting attorney of 
     a State or of a political subdivision of a State, as 
     appropriate.
       (d) Records or Other Information Held by Key Holders.--Key 
     holders are prohibited from disclosing records or other 
     information (not including decryption keys or the contents of 
     communications) pertaining to key owners, except with the 
     owner's consent or to an investigative or law enforcement 
     officer, pursuant to a subpoena, court order or other lawful 
     process. Investigative or law enforcement officers receiving 
     such information are not required to notify the person to 
     whom such information pertains. Key holders who violate this 
     section are liable for civil damages as provided in 
     subsection (f).
       (e) Criminal Penalties.--Key holders who violate this 
     section for a tortious, malicious or an illegal purpose, or 
     for direct or indirect commercial advantage or private 
     commercial gain, will be subject to a fine and up to 1 year 
     imprisonment for a first offense, and a fine and up to 2 years' 
     imprisonment for a second offense. Other reckless and 
     intentional violations would subject the key holder to a fine 
     of not more than $5,000 and not more than 6 months' 
     imprisonment.
       (f) Civil Damages.--Persons aggrieved by key holder 
     violations may sue for injunctive relief, and actual damages 
     or statutory damages of $5,000, whichever is greater. A civil 
     action must be commenced not later than 2 years after the 
     date on which the plaintiff first knew or should have known 
     of the offense.
       (g) Defense.--A complete defense against any civil or 
     criminal action is provided if the defendant acted in good 
     faith reliance upon a court order, warrant, grand jury or 
     trial subpoena or other statutory authorization.
       Sec. 2803.  Reporting requirements. The Attorney General is 
     required to include in his or her report to the 
     Administrative Office of the U.S. Courts, under 18 U.S.C. 
     Sec. 2519(2), the number of orders and extensions served on 
     key holders to obtain access to decryption keys or decryption 
     assistance. The Director of the Administrative Office of the 
     U.S. Courts is required to include this information, and the 
     offenses for which the orders were obtained, in the report to 
     Congress under 18 U.S.C. Sec. 2519(3).
       Sec. 2804.  Unlawful use of encryption to obstruct justice
       Persons who willfully use encryption in an effort and for 
     the purpose of obstructing, impeding, or preventing the 
     communication of information in furtherance of a federal 
     felony crime to a law enforcement officer, would be subject 
     to a fine and up to 5 years' imprisonment for a first 
     offense, and up to 10 years' imprisonment for a second or 
     subsequent offense.
       Sec. 2805.  Freedom to sell encryption products
       (a) In General.--The Act legislatively confirms that it is 
     lawful to sell any encryption, regardless of encryption 
     algorithm, key length or implementation used, domestically in 
     the United States or its territories.
       (b) Control of Exports by Secretary of Commerce.--
     Notwithstanding any other law, the Act vests the Secretary of 
     Commerce with control of exports of hardware, software and 
     technology for information security, including encryption for 
     both communications and other stored data, except when the 
     hardware, software or technology is specifically designed or 
     modified for military use. Under the Act, the Secretary must 
     grant export license exceptions to computer software, 
     computer hardware and technology with encryption capabilities 
     if the Secretary determines that a product with comparable 
     security is commercially available from a foreign supplier 
     without effective restrictions, is generally available in a 
     foreign country, or if the product employs encryption from a 
     foreign source that otherwise would be the sole basis for 
     restriction.
       The Secretary of Commerce would be required to grant a 
     license exception for the export of computer software with 
     encryption capabilities that is generally available, 
     including mass market products (i.e., those generally 
     available, sold ``as is'', and designed for installation by 
     the purchaser) or in the public domain and generally 
     accessible. For example, no license would be required for 
     encryption products commercially available without 
     restriction and sold ``as is'', such as Netscape's 
     commercially available World Wide Web Browser with strong 
     encryption, which cannot be exported. Similarly, a license 
     exception would be granted to export encryption software 
     placed in the public domain and generally accessible, such as 
     Phil Zimmermann's Pretty Good Privacy program, which has been 
     distributed to the public free of charge via the Internet.
       The Secretary of Commerce would also be required to grant a 
     license exception for the export of computer hardware that 
     would otherwise be restricted solely on the basis that it 
     incorporates computer software with encryption capabilities 
     described above, or so-called ``crypto-ready'' computer 
     software or hardware incorporating an interface mechanism for 
     interaction with encryption hardware or software. Finally, 
     the Secretary

[[Page S1755]]

     of Commerce would be required to grant a license exception 
     for the export of encryption technology related or 
     ancillary to the items described above, to enable American 
     companies to license their technology for production, use 
     and sale abroad.
       Significantly, the government is authorized to continue 
     export controls on countries that pose terrorism concerns, 
     such as Libya, Syria and Iran, or other embargoed countries, 
     such as Cuba and North Korea, pursuant to the Trading With 
     the Enemy Act or the International Emergency Economic Powers 
     Act.
     Sec. 2806.  Requirements for release of decryption key or 
         provision of decryption assistance to a foreign country
       The Act bars investigative or law enforcement officers and 
     key holders from releasing a decryption key or providing 
     decryption assistance to a foreign country except when 
     certain conditions are satisfied. First, the foreign country 
     must have entered into a treaty or convention to provide 
     mutual assistance with respect to decryption. Second, the 
     foreign country must make a formal request to the United 
     States for such assistance. Third, the Attorney General or 
     the Attorney General's designee must obtain an order from the 
     district court in which the key holder resides directing the 
     key holder to release the decryption key or provide 
     decryption assistance. Finally, the order may only be issued 
     if the judge finds that (1) the decryption key or decryption 
     assistance being sought is necessary for the decryption of a 
     communication or information that the foreign country is 
     authorized to intercept or seize pursuant to its own domestic 
     law; (2) the law of the foreign country provides adequate 
     protection against the arbitrary interference of privacy 
     rights; and (3) the decryption key or decryption assistance 
     being sought is in connection with a criminal investigation 
     for conduct that would constitute a violation of a criminal 
     law of the United States if committed within the jurisdiction 
     of the United States.
       The grounds for issuance of the court order ensure that a 
     U.S. court will examine the quality of legal protections in 
     place in the foreign country on whose behalf a request for 
     decryption assistance is made and that the United States does 
     not facilitate the provision of decryption assistance to 
     legal systems that do not meet minimum international human 
     rights standards or in cases that would violate American 
     constitutional standards.
       (b) Technical Amendment.--The Act adds new chapter 125 and 
     the new title in the table of chapters in title 18 of the 
     United States Code.
       Sec. 6. Intelligence Activities.--The Act does not 
     authorize the conduct of intelligence activities, nor affect 
     the conduct by Federal government officers or employees in 
     intercepting (1) encrypted or other official communications 
     of Federal executive branch or Federal contractors for 
     communications security purposes; (2) radio communications 
     between or among foreign powers or agents, as defined by the 
     Foreign Intelligence Surveillance Act (FISA); or (3) 
     electronic communication systems used exclusively by foreign 
     powers or agents, as defined by FISA.
                                 ______