[Congressional Record Volume 143, Number 23 (Thursday, February 27, 1997)]
[Senate]
[Pages S1755-S1759]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. BURNS (for himself, Mr. Leahy, Mr. Lott, Mr. Nickles, Mr. 
        Dorgan, Mrs. Hutchison, Mr. Craig, Mr. Wyden, Mr. Ashcroft, Mr. 
        Domenici, Mr. Thomas, Mr. Campbell, Mrs. Boxer, Mr. Brownback, 
        Mrs. Murray, Mr. Kempthorne, Mr. Inhofe, Mr. Faircloth, Mr. 
        Grams, and Mr. Allard):
  S. 377. A bill to promote electronic commerce by facilitating the use 
of strong encryption, and for other purposes; to the Committee on 
Commerce, Science, and Transportation.


THE PROMOTION OF COMMERCE ON-LINE IN THE DIGITAL ERA [PRO-CODE] ACT OF 
                                  1997

  Mr. BURNS. Mr. President, when I want to communicate, sometimes I 
send a postcard. In that case, I know not to say anything that I don't 
want printed on the front page of the newspaper. Somebody, anybody, can 
read it. When I buy an envelope and put a stamp on it, I am taking a 
step toward securing that information. I have a reasonable expectation 
that people will not open my mail.

  When I talk on the telephone--at least on a landline telephone--I 
have a reasonable expectation that nobody is listening in. Today, we 
are in a world that is characterized by the fact that nearly everyone 
has a computer and that those computers are, for the most part, 
connected to one another. In light of that fact, it is becoming more 
and more important to ensure that our communications over these 
computer networks are conducted in a secure way. It is no longer 
possible to say that when we move into the information age, we'll 
secure these networks, because we are already there. We use computers 
in our homes and businesses in a way that couldn't have been imagined 
10 years ago, and these computers are connected through networks, 
making it easier to communicate than ever before. This phenomenon holds 
the promise of transforming life in States like Montana, where health 
care and state-of-the-art education can be delivered over networks to 
people located away from population centers. These new technologies can 
improve the lives of real people, but only if the security of 
information that moves over these networks is safe and reliable.
  The problem today is that our computer networks are not as secure as 
they could be; it is fairly easy for amateur hackers to break into our 
networks. They can intercept information; they can steal trade secrets 
and intellectual property; they can alter medical records; the list is 
endless. Last Congress, FBI Director Freeh stated his profound concerns 
about the threat of economic espionage on a global basis. One solution 
to this, of course, is to let individuals and businesses alike to take 
steps to secure that information. Encryption is one technology that 
accomplishes that. Domestically, Americans are free to use strong 
encryption to secure their information--we are determined to make sure 
that that guarantee prevails.
  I rise today to introduce a bill, similar to one I introduced during 
the 104th Congress, which designed to promote electronic commerce, both 
domestically and globally, by facilitating the use of strong 
encryption. Last Congress, my bill was criticized for not acknowledging 
the legitimate law enforcement and national security interests raised 
by the widespread use of strong, or unbreakable encryption. In response 
to those criticisms, this Congress, working with Senator Leahy, Senator 
Dorgan, and Senator Lott, has modified this bill to address those 
concerns. Our approach, though, encourages Government officials to 
abandon the head-in-the-sand approach that they've taken for the past 7 
years, hoping that strong encryption would not become available 
globally, and take a proactive approach to addressing this technology. 
Because everyone agrees that this technology will eventually be widely 
available globally--many of us believe that the technology is already 
widely available globally--now is the time to get industry working with 
Government officials to teach them how to execute their duties in a 
global communications network where strong encryption is ubiquitous.
  We believe that this bill lays the most responsible course for 
addressing this technology, and I am pleased to announce that the 
following Senators have signed onto this bill as original cosponsors: 
Majority Leader Lott, Assistant Majority Leader Nickles, Senator 
Dorgan, Senator Wyden, Senator Kay Bailey Hutchison, Senator Craig, 
Senator Ashcroft, Senator Domenici, Senator Murray, Senator Brownback, 
Senator Kempthorne, Senator Inhofe, Senator Boxer, Senator Faircloth, 
Senator Thomas, Senator Grams, and Senator Allard. With such impressive 
bipartisan support, I am extremely optimistic that the bill will be 
reported out of the Commerce Committee quickly and will pass the Senate 
during this Congress.
  As I mentioned earlier, this legislation was drafted to not only 
address the concerns raised by industry but also to encourage law 
enforcement and national security officials to prepare themselves to do 
their job in an environment where strong, unbreakable encryption is 
everywhere. To date, the FBI/NSA/CIA have devoted their efforts in this 
area to maintaining the status quo and hoping that strong encryption 
does not become common worldwide. The evidence from a Commerce 
Department study conducted over a year ago, indicates that this has 
already taken place--the study identified 497 foreign-made products 
that were capable of offering encryption at a level in excess of that 
which domestic companies could export under the present export 
restrictions in 28 foreign countries. Therefore, this legislation 
encourages these officials to address this technology proactively. 
Essentially the bill was designed to accomplish the following:
  Ending the imposition of U.S. Government-designed encryption 
standards. This is accomplished by restricting the Department of 
Commerce [NIST] from imposing Government encryption standards intended 
for use by the private sector, and by prohibiting the Department of 
Commerce from setting de facto encryption standards through use of 
export controls.

[[Page S1756]]

  Promoting the use of commercial encryption. This is accomplished by 
prohibiting the restrictions on the sale of commercial encryption 
programs and products in interstate commerce; by prohibiting 
governmental imposition, expressly or in practice, of mandatory key 
escrow; and by permitting the export of, first, generally available 
software with encryption capabilities, and second, other software and 
hardware with encryption capabilities if exports of products with 
similar security have been exported for use by foreign financial 
institutions.
  Protecting the national security and public safety. This is 
accomplished by, first, imposing industry reporting requirements upon 
companies wishing to export products with strong encryption; second, 
creating an Information Security Board whose purpose is to get industry 
experts and law enforcement/national security officers to work 
together--both publicly and privately--to address the execution of law 
enforcement/national security functions in an environment where strong 
encryption has widely proliferated; and third, by prohibiting exports 
of particular encryption software and hardware to identified 
individuals or organizations in specific foreign countries if there is 
substantial evidence that it will be diverted to, or modified for, 
military or terrorist end-use.
  We believe that getting law enforcement and national security 
officials to address this technology proactively is a more responsible 
and defensible position than mandating a key escrow or other key 
recovery system upon industry.
  This legislation is vitally important to a wide range of domestic 
industries. The export restriction poses serious commercial threats to 
three distinct classes of industry: first, the industry that 
manufacturers and sells encryption software and hardware; second, 
industries that purchase encryption hardware and software and 
incorporate that technology into their products; and third, all 
industries that communicate with subsidiaries or customers over the 
global communications network.


                 The Encryption Manufacturing Industry

  While domestic companies presently hold a position of global 
leadership in the manufacture of products that provide strong 
encryption, this leadership is threatened by the provisions restricting 
the export of this technology. Because there are no import restrictions 
on the sale of this technology and because there are no domestic 
restrictions on the sale of this technology, foreign manufacturers of 
encryption technology have seized the opportunity provided by the 
continued application of these export restrictions to steal market 
share from domestic companies. Because we are already seeing hundreds 
of different foreign-made products offering strong encryption in the 
global marketplace, the foreign companies who manufacture these 
products are not only cornering the foreign market for this technology, 
they are beginning to compete for the U.S. market--as the global export 
of their product increases, their per-unit cost decreases; thus, 
domestic companies may soon find themselves competing for the U.S. 
market against a foreign product which offers comparable security but 
at a lower cost. In effect, these export restrictions are effectively 
exporting the entire encryption manufacturing industry.


 industries that incorporate encryption technology into their products

  The export restrictions apply not only to companies who are in the 
business of the manufacture and sale of encryption technology, but also 
to entire industries that purchase this technology and incorporate it 
into their products. The restrictions even apply to domestic industries 
who import encryption technology and incorporate it into their 
products. Furthermore, the restrictions prohibit export of products 
that are encryption-ready, that is, are designed to have the encryption 
package installed elsewhere. These industries suffer the same 
competition disadvantage in the global marketplace that our domestic 
encryption manufacturing companies face. Likewise, it will not be long 
before these industries find themselves (having already conceded all 
foreign markets to foreign competitors) competing for the U.S. market 
with foreign competitors offering similar products but at a lower 
price. Thus, continued application of the export restrictions on 
encryption technology could result in the export of a wide range of 
industries.
  As information security becomes an increasingly important 
consideration, we are seeing a broad range of products that are 
incorporating encryption technology. For example, the entire 
telecommunications manufacturing industry--from cellular telephones to 
switches--has a direct stake in this debate. Likewise, virtually all 
manufacturing concerns are impacted. I am in the process of collecting 
statements from 23 separate industries who see the speedy resolution of 
this problem as critical to their survival in the global marketplace.


                           nightmare scenario

  During the first hearing on Pro-Code last Congress, one of the 
witnesses, Jim Bidzos, the founder and owner of RSA Data Security, a 
prominent domestic encryption manufacturing company, pointed out that 
the United States is presently on the verge of exporting, industry by 
industry, the lion's share of our country's industry base. At that 
hearing, he pointed out that Nippon Telephone & Telegraph [NTT], the 
largest company on the planet with $600 billion in annual revenues and 
$300 million in annual subsidies from the Japanese Government has just 
announced the production--and intention to export globally--of a 
computer chip that provided unbreakable encryption, with a key of 1,024 
bit length. Thus, NTT is now in the position of cornering--quite 
easily, I might add--the global market on this technology and will soon 
be competing directly with RSA for the U.S. market with similar chips 
which, due to economies of scale, cost less to consumers. Once NTT has 
run all of its U.S. competitors out of business, it will be uniquely 
poised to take over every industry that incorporates the NTT chip into 
a product, in the exact same way as they took over the chips 
manufacturing industry.


    companies who transmit proprietary information over the global 
                         communications network

  Not only do the export restrictions pose commercial problems for 
industries that manufacture or incorporate encryption technology into 
their products, they also raise serious economic threats to any 
industry that transmits proprietary information over the global 
communications network. Because the public communications network is 
global, the export restrictions effectively prohibit companies who wish 
to communicate with subsidiaries, partners, or customers outside the 
United States in a secure way; transmitting the hardware or software to 
international associates to provide communications security in excess 
of that allowable under the export restrictions violate those 
restrictions. The economic implications arising from this application 
of the export restrictions is staggering: petroleum companies can't 
send exploration data to overseas subsidiaries; automotive companies 
can't send design information to factories abroad; Walt Disney can't 
send the digital package of the movie the Lion King to its distributor 
in England; the list is endless. Thus, all intellectual property or 
other proprietary information that travels over the public network is 
put at risk of economic espionage as a result of this application of 
these export restrictions.
  Finally, the controversy over this technology raises serious fourth 
amendment constitutional issues. In a new era where one's personal and 
economic information is increasingly rendered in digital form, the 
ability of the Government to peer into such data at will raises serious 
fourth amendment concerns.
  Further, it raises first amendment constitutional issues as well. 
Last month, a California Appellate Court affirmed a favorable ruling in 
the first amendment challenge to the Arms Export Control Act [AECA] and 
the International Traffic in Arms Regulations [ITAR] in Bernstein 
versus U.S. Department of State. Bernstein involved a graduate student, 
Daniel J. Bernstein, who developed an encryption algorithm called 
Snuffle. He had articulated his mathematical ideas in two ways: in an 
academic paper and in a source code. The State Department denied 
Bernstein's request to export his cryptographic product for the 
purposes

[[Page S1757]]

of teaching the Snuffle algorithm, to disclose it at academic 
conferences, or to publish it in journals or online discussion groups. 
Bernstein alleged that the restrictions were: an unconstitutional prior 
restraint on speech; an infringement on his free speech; and infringed 
the rights of association and equal protection. The State Department 
moved to dismiss the case of the grounds that these issues were 
nonjusticible, and the Court denied the motion finding that source code 
was considered to be speech for the purposes of the first amendment 
analysis.
  In light of the pressing commercial and constitutional impact of 
restricting the sale of this technology, both domestically and abroad, 
I believe that we must act now, before we effectively export entire 
industries. I encourage my colleagues to join me in supporting Pro-
Code.
  Mr. President, I ask unanimous consent that the text of the bill be 
printed in the Record.
  There being no objection, the bill was ordered to be printed in the 
Record, as follows:

                                 S. 377

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Promotion of Commerce On-
     Line in the Digital Era (Pro-CODE) Act of 1997''.

     SEC. 2. FINDINGS; PURPOSE.

       (a) Findings.--The Congress finds the following:
       (1) The ability to digitize information makes carrying out 
     tremendous amounts of commerce and personal communication 
     electronically possible.
       (2) Miniaturization, distributed computing, and reduced 
     transmission costs make communication via electronic networks 
     a reality.
       (3) The explosive growth in the internet and other computer 
     networks reflects the potential growth of electronic commerce 
     and personal communication.
       (4) The internet and the global information infrastructure 
     have the potential to revolutionize the way individuals and 
     businesses conduct business.
       (5) The full potential of the internet for the conduct of 
     business cannot be realized as long as it is an insecure 
     medium in which confidential business information and 
     sensitive personal information remain at risk of unauthorized 
     viewing, alteration, and use.
       (6) Encryption of information enables businesses and 
     individuals to protect themselves against the unauthorized 
     viewing, alteration, and use of information by employing 
     widely understood and readily available science and 
     technology to ensure the confidentiality, authenticity, and 
     integrity of information.
       (7) In order to promote economic growth and meet the needs 
     of businesses and individuals in the United States, a variety 
     of encryption products and programs should be available to 
     promote strong, flexible, and commercially acceptable 
     encryption capabilities.
       (8) United States computer, computer software and hardware, 
     communications, and electronics businesses are leading the 
     world technology revolution, as those businesses have 
     developed and are prepared to offer immediately to computer 
     users worldwide a variety of communications and computer 
     hardware and computer software that provide strong, robust, 
     and easy-to-use encryption.
       (9) United States businesses seek to market the products 
     described in paragraph (8) in competition with scores of 
     foreign businesses in many countries that offer similar, and 
     frequently stronger, encryption products and programs.
       (10) The regulatory efforts by the Secretary of Commerce, 
     acting through the National Institute of Standards and 
     Technology, and other entities to promulgate standards and 
     guidelines in support of government-designed solutions to 
     encryption problems that--
       (A) were not developed in the private sector; and
       (B) have not received widespread commercial support,

     have had a negative impact on the development and marketing 
     of products with encryption capabilities by United States 
     businesses.
       (11) Because of outdated Federal controls, United States 
     businesses have been prohibited from exporting strong 
     encryption products and programs.
       (12) In response to the desire of United States businesses 
     to sell commercial products to the United States Government 
     and to sell a single product worldwide, the Secretary of 
     Commerce, acting through the National Institute of Standards 
     and Technology, has sought to require them to include 
     features in products sold both in the United States and 
     foreign countries that will allow the Federal Government easy 
     access to the plain text of all electronic information and 
     communications.
       (13) The Secretary of Commerce, acting through the National 
     Institute of Standards and Technology, has proposed that 
     United States businesses be allowed to sell products and 
     programs offering strong encryption to the United States 
     Government and in foreign countries only if the products and 
     programs include a feature guaranteeing the Federal 
     Government access to a key that decrypts information 
     (hereafter in this section referred to as ``key escrow 
     encryption'').
       (14) The key escrow encryption approach to regulating 
     encryption is reflected in the approval in 1994 by the 
     National Institute of Standards and Technology of a Federal 
     information processing standard for a standard of escrowed 
     encryption, known as the ``clipper chip'', that was flawed 
     and controversial.
       (15) The current policy of the Federal Government to 
     require that keys to decrypt information be made available to 
     the Federal Government as a condition of exporting strong 
     encryption technology has had the effect of prohibiting the 
     exportation of strong encryption technology.
       (16) The Federal Government has legitimate law enforcement 
     and national security objectives which necessitate the 
     disclosure to the Federal Government of general information 
     that is neither proprietary nor confidential by experts in 
     information security industries, including cryptographers, 
     engineers, and others designated in the design and 
     development of information security products. By relaxing 
     export controls on encryption products and programs, this Act 
     creates an obligation on the part of representatives of 
     companies involved in the export of information security 
     products to share information about those products to 
     designated representatives of the Federal Government.
       (17) In order to promote electronic commerce in the twenty-
     first century and to realize the full potential of the 
     internet and other computer networks--
       (A) United States businesses should be encouraged to 
     develop and market products and programs offering encryption 
     capabilities; and
       (B) the Federal Government should be prohibited from 
     promulgating regulations and adopting policies that 
     discourage the use and sale of encryption.
       (b) Purpose.--The purpose of this Act is to promote 
     electronic commerce through the use of strong encryption by--
       (1) recognizing that businesses in the United States that 
     offer computer hardware and computer software made in the 
     United States that incorporate encryption technology are 
     ready and immediately able, with respect to electronic 
     information that will be essential to conducting business in 
     the twenty-first century to provide products that are 
     designed to--
       (A) protect the confidentiality of that information; and
       (B) ensure the authenticity and integrity of that 
     information;
       (2) restricting the Department of Commerce with respect to 
     the promulgation or enforcement of regulations, or the 
     application of policies, that impose government-designed 
     encryption standards; and
       (3) promoting the ability of United States businesses to 
     sell to computer users worldwide computer software and 
     computer hardware that provide the strong encryption demanded 
     by such users by--
       (A) restricting Federal or State regulation of the sale of 
     such products and programs in interstate commerce;
       (B) prohibiting mandatory key escrow encryption systems; 
     and
       (C) establishing conditions for the sale of encryption 
     products and programs in foreign commerce.

     SEC. 3. DEFINITIONS.

       For purposes of this Act, the following definitions shall 
     apply:
       (1) As Is.--The term ``as is'' means, in the case of 
     computer software (including computer software with 
     encryption capabilities), a computer software program that is 
     not designed, developed, or tailored by a producer of 
     computer software for specific users or purchasers, except 
     that such term may include computer software that--
       (A) is produced for users or purchasers that supply certain 
     installation parameters needed by the computer software 
     program to function properly with the computer system of the 
     user or purchaser; or
       (B) is customized by the user or purchaser by selecting 
     from among options contained in the computer software 
     program.
       (2) Computing Device.--The term ``computing device'' means 
     a device that incorporates one or more microprocessor-based 
     central processing units that are capable of accepting, 
     storing, processing, or providing output of data.
       (3) Computer Hardware.--The term ``computer hardware'' 
     includes computer systems, equipment, application-specific 
     assemblies, modules, and integrated circuits.
       (4) Decryption.--The term ``decryption'' means the 
     unscrambling of wire or electronic communications or 
     information using mathematical formulas, codes, or 
     algorithms.
       (5) Decryption Key.--The term ``decryption key'' means the 
     variable information used in a mathematical formula, code, or 
     algorithm, or any component thereof, used to decrypt wire or 
     electronic communications or information that has been 
     encrypted.
       (6) Designed for Installation by the User or Purchaser.--
     The term ``designed for installation by the user or 
     purchaser'' means, in the case of computer software 
     (including computer software with encryption capabilities) 
     computer software--

[[Page S1758]]

       (A) with respect to which the producer of that computer 
     software--
       (i) intends for the user or purchaser (including any 
     licensee or transferee), to install the computer software 
     program on a computing device; and
       (ii) has supplied the necessary instructions to do so, 
     except that the producer or distributor of the computer 
     software program (or any agent of such producer or 
     distributor) may also provide telephone help-line or onsite 
     services for computer software installation, electronic 
     transmission, or basic operations; and
       (B) that is designed for installation by the user or 
     purchaser without further substantial support by the 
     supplier.
       (7) Encryption.--The term ``encryption'' means the 
     scrambling of wire or electronic communications or 
     information using mathematical formulas, codes, or algorithms 
     in order to preserve the confidentiality, integrity, or 
     authenticity of such communications or information and 
     prevent unauthorized recipients from accessing or altering 
     such communications or information.
       (8) General License.--The term ``general license'' means a 
     general authorization that is applicable to a type of export 
     that does not require an exporter of that type of export to, 
     as a condition to exporting--
       (A) submit a written application to the Secretary; or
       (B) receive prior written authorization by the Secretary.
       (9) Generally Available.--The term ``generally available'' 
     means, in the case of computer software (including software 
     with encryption capabilities), computer software that--
       (A) is distributed via the internet or that is widely 
     offered for sale, license, or transfer (without regard to 
     whether it is offered for consideration), including over-the-
     counter retail sales, mail order transactions, telephone 
     order transactions, electronic distribution, or sale on 
     approval; or
       (B) preloaded on computer hardware that is widely 
     available.
       (10) Internet.--The term ``internet'' means the 
     international computer network of both Federal and non-
     Federal interconnected packet-switched data networks.
       (11) Secretary.--The term ``Secretary'' means the Secretary 
     of Commerce.
       (12) State.--The term ``State'' means each of the several 
     States of the United States, the District of Columbia, the 
     Commonwealth of Puerto Rico, and any Territory or Possession 
     of the United States.

     SEC. 4. RESTRICTION OF DEPARTMENT OF COMMERCE ENCRYPTION 
                   ACTIVITIES IMPOSING GOVERNMENT ENCRYPTION 
                   SYSTEMS.

       (a) Limitation on Regulatory Authority Concerning 
     Encryption Standards.--The Secretary may not (acting through 
     the National Institute of Standards and Technology or 
     otherwise) promulgate, or enforce regulations, or otherwise 
     adopt standards or carry out policies that result in 
     encryption standards intended for use by businesses or 
     entities other than Federal computer systems.
       (b) Limitation on Authority Concerning Exports of Computer 
     Hardware and Computer Software with Encryption 
     Capabilities.--Except as provided in section 5(c)(3)(B), the 
     Secretary may not promulgate or enforce regulations, or adopt 
     or carry out policies in a manner inconsistent with this act, 
     or that have the effect of imposing government-designed 
     encryption standards on the private sector by restricting the 
     export of computer hardware and computer software with 
     encryption capabilities.

     SEC. 5. PROMOTION OF COMMERCIAL ENCRYPTION PRODUCTS.

       (a) Prohibition on Restrictions on Sale or Distribution in 
     Interstate Commerce.--
       (1) In General.--Except as provided in this Act, neither 
     the Federal government nor any State may restrict or regulate 
     the sale in interstate commerce by any person of any product 
     or program designed to provide encryption capabilities solely 
     because such product or program has encryption capabilities. 
     Nothing in this paragraph may be construed to preempt any 
     provision of Federal or State law applicable to contraband or 
     regulated substances.
       (2) Applicability.--Paragraph (1) shall apply without 
     regard to the encryption algorithm selected, encryption key 
     length chosen, or implementation technique or medium used for 
     a product or program with encryption capabilities.
       (b) Prohibition on Mandatory Key Escrow.--Neither the 
     Federal government nor any State may require, as a condition 
     of sale in interstate commerce, that a decryption key, or 
     access to a decryption key, be given to any other person 
     (including a Federal agency or an entity in the private 
     sector that may be certified or approved by the Federal 
     government or a State).
       (c) Control of Exports by Secretary.--
       (1) General Rule.--Notwithstanding any other provision of 
     law and subject to paragraphs (2), (3), and (4), the 
     Secretary shall have exclusive authority to control exports 
     of all computer hardware, computer software, and technology 
     with encryption capabilities, except computer hardware, 
     computer software, and technology that is specifically 
     designed or modified for military use, including command, 
     control, and intelligence applications.
       (2) Items That Do Not Require Individual Licenses.--Except 
     as provided in paragraph (3)(b) of this subsection, only a 
     general license may be required, except as otherwise provided 
     under the Trading with the Enemy Act (50 U.S.C. App. 1 et 
     seq.) or the International Emergency Economic Powers Act (50 
     U.S.C. 1701 et seq.) (but only to the extent that the 
     authority of the International Emergency Economic Powers Act 
     is not exercised to extend controls imposed under the Export 
     Administration Act of 1979), for the export or reexport of--
       (A) any computer software, including software with 
     encryption capabilities, that--
       (i) is generally available, as is, and designed for 
     installation by the user or purchaser; or
       (ii) is available on the date of enactment of this Act, or 
     becomes legally available thereafter, in the public domain 
     (including on the internet) or publicly available because it 
     is generally accessible to the interested public in any form; 
     or
       (B) any computing device or computer hardware solely 
     because it incorporates or employs in any form computer 
     software (including computer software with encryption 
     capabilities) that is described in subparagraph (A).
       (3) Computer Software and Computer Hardware with Encryption 
     Capabilities.--
       (A) In General.--Except as provided in subparagraph (B), 
     the Secretary shall authorize the export or reexport of 
     computer software and computer hardware with encryption 
     capabilities under a general license for nonmilitary end-uses 
     in any foreign country to which those exports of computer 
     software and computer hardware of similar capability are 
     permitted for use by financial institutions that the 
     Secretary determines not to be controlled in fact by United 
     States persons.
       (B) Exception.--The Secretary shall prohibit the export or 
     reexport of particular computer software and computer 
     hardware described in this subsection to an identified 
     individual or organization in a specific foreign country if 
     the Secretary determines that there is substantial evidence 
     that such software and computer hardware will be--
       (i) diverted to a military end-use or an end-use supporting 
     international or domestic terrorism;
       (ii) modified for military or terrorist end-use, including 
     acts against the national security, public safety, or the 
     integrity of the transportation, communications, or other 
     essential systems of interstate commerce in the United 
     States;
       (iii) reexported without the authorization required under 
     Federal law; or
       (iv) intentionally used to evade enforcement of United 
     States law or taxation by the United States or by any State 
     or local government.
       (4) Reporting.--
       (A) Exports.--The publisher or manufacturer of computer 
     software or hardware with encryption capabilities shall 
     disclose (for reporting purposes only) within 30 days after 
     export to the Secretary such information regarding a 
     program's or product's encryption capabilities as would be 
     required for an individual license to export that program or 
     product.
       (B) Report Not an Export Precondition.--Nothing in this 
     paragraph shall be construed to require, or to permit the 
     Secretary to impose any conditions or reporting requirements, 
     including reporting under subparagraph (A), as a precondition 
     to the exportation of any such product or program.

     SEC. 6. INFORMATION SECURITY BOARD.

       (a) Information Security Board to be Established.--The 
     Secretary shall establish an Information Security Board 
     comprised of representatives of agencies within the Federal 
     Government responsible for or involved in the formulation of 
     information security policy, including export controls on 
     products with information security features (including 
     encryption). The Board shall meet at such times and in such 
     places as the Secretary may prescribe, but not less 
     frequently than quarterly. The Federal Advisory Committee Act 
     (5 U.S.C. App.) does not apply to the Board or to meetings 
     held by the Board under subsection (d).
       (b) Purposes.--The purposes of the Board are--
       (1) to provide a forum to foster communication and 
     coordination between industry and the Federal government; and
       (2) to foster the aggregation and dissemination of general, 
     nonproprietary, and nonconfidential developments in important 
     information security technologies, including encryption.
       (c) Requirements.--
       (1) Reports to agencies.--The Board shall regularly report 
     general, nonproprietary, and nonconfidential information to 
     appropriate Federal agencies to keep law enforcement and 
     national security agencies abreast of emerging technologies 
     so they are able effectively to execute their 
     responsibilities.
       (2) Publications.--The Board shall cause such information 
     (other than classified, proprietary, or confidential 
     information) as it deems appropriate, consistent with its 
     purposes, to be published from time to time through any 
     appropriate medium and to be made available to the public.
       (d) Meetings.--The Secretary shall establish a process for 
     quarterly meetings between the Board and representatives from 
     the private sector with interest or expertise in information 
     security, including cryptographers, engineers, and product 
     managers. The Board may meet at anytime with one or more 
     representatives of any person involved in the development, 
     production, or distribution of encryption technology or of 
     computing devices that contain encryption technology.

[[Page S1759]]

     SEC. 7. STATUTORY CONSTRUCTION.

       Nothing in this Act may be construed to affect any law 
     intended to prevent the--
       (1) distribution of descramblers or any other equipment for 
     illegal interceptions of cable and satellite television 
     signals;
       (2) illegal or unauthorized distribution or release of 
     classified, confidential, or proprietary information; or
       (3) enforcement of Federal or State criminal law.

  Mr. GRAMS. Mr. President, I rise in support of Senator Burns' 
legislation, the Promotion of Commerce On-Line in the Digital Era (Pro-
CODE) Act of 1997 and am pleased to be an original co-sponsor of the 
bill.
  This is important legislation which will create the proper balance 
between encryption technology export interests as well as national 
security interests. The administration's encryption policy was 
disappointing to me, since it tipped the balance too far in the 
direction of security and law enforcement concerns, risking important 
privacy rights of producers and users of cncryption technology.
  Again our Government has found itself in the position of creating 
unilateral export controls that will do only one thing--essentially 
terminate export opportunities for U.S. companies. To limit U.S. 
companies from exporting encyrption technology at 56 bits without a 
costly key recovery system will simply price us out of the market. Many 
of our allies are ready to sell far more sophisticated technology 
without a key recovery system. It's not hard to see who will pick up 
most of a growing encryption technology global market.
  Also, key recovery is not needed for encryption technology sold 
domestically or imported. If U.S. companies are forced to sell only the 
technology including the key recovery for cost savings reasons, it's 
also not hard to see how quickly the domestic market will dry up in 
favor of imports. The solution is not import controls. The Burns bill 
is the solution that 18 Senators of both parties have supported today.
  Senator Burns' bill protects national security interests. It would 
not allow exports over what is available from our allies. It also 
allows Commerce to prohibit specific exports where there is substantial 
evidence the technology will be diverted or used by terrorists, drug 
dealers and other criminals. Further, it creates an Information 
Security Board designed to get industry and law enforcement interests 
together to address this important issue.
  I am sensitive to law enforcement and national security concerns, but 
the holes in the administration's policy are enormous and smack of 
politics more than sound policy. Criminals and terrorists will simply 
not use U.S. technology, or they will find a way to circumvent the key 
recovery system. Also, they can use encryption technology within the 
U.S. without the same scrutiny.
  Senator Burns has described the many problems and questions raised by 
a key recovery system held by a third party, so I won't belabor them. 
But the privacy concerns are real. I can't imagine why users would want 
to buy a product that simply puts at risk unwarranted release of the 
encrypted material. No matter how many protections can be built into 
the key escrow system, there is no way to avoid some misuse or abuse of 
the system.
  Senator Burns should be congratulated for his effort to correct this 
policy. I applaud his efforts and strongly support them as chairman of 
the International Finance Subcommittee of the Banking Committee which 
has jurisdiction over many export control issues.
                                 ______