[Congressional Record Volume 143, Number 66 (Monday, May 19, 1997)]
[Senate]
[Pages S4684-S4686]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




                     THE SECURE PUBLIC NETWORKS ACT

 Mr. KERREY. Mr. President, over the last several weeks, I have 
been meeting with colleagues about the need to aggressively pursue 
legislation to facilitate the creation of secure public networks for 
communication, commerce, education, research, telemedicine, and 
Government. There is an urgent need to enact legislation this year 
which can advance the creation of new networks and balance America's 
compelling interests in commerce and security.
  Secure networks are critical for the protection of personal privacy 
and the promotion of commerce on the Internet and other interactive 
computer systems.
  The Congress has been gridlocked for more than a year in a debate 
about the Nation's export policy for encryption software. I believe 
that meaningful compromise can be found on this issue which can clear 
the way for the consideration of broader legislation which fosters the 
creation of secure networks.
  If we are successful, a powerhouse of economic activity and 
opportunity can be unleashed.
  Senators Burns and Leahy as well as Congressman Goodlatte have 
introduced legislation which identifies a real problem with the current 
law on the export of encryption software. Thanks to their leadership, 
there is a growing consensus that reform is needed. In many ways, the 
introduction of their legislation has already motivated meaningful 
changes in the administration's policy on software exports. Yet, even 
with those changes, the underlying law needs to be changed and a 
broader agenda for secure networks needs to be adopted.
  What must happen in a relatively quick fashion is an agreement on a 
bipartisan, bicameral process to enact secure network legislation which 
includes a solution to the encryption export riddle. Our goal should be 
to enact legislation which the President can sign by October 1, 1997.
  The ability to use strong encryption is an important element in 
creating secure networks. Through encryption, messages are encoded and 
decoded. Encryption protects privacy and security. The American people 
need to know that their communications are safe and that the most 
private, confidential personal information can be confidentially 
communicated on computer networks.
  Encryption, however, poses some very serious problems for law 
enforcement and national security which cannot be ignored. The 
challenge is to promote the use of encryption in a manner that does not 
unduly compromise national security or public safety and does not 
unnecessarily burden industry.

  What needs to be created is an electronic environment which gives 
users total confidence in the security of commercial transactions and 
personal communications. To do so, a largely private infrastructure 
must be developed to provide for authentication of messages, keys, and 
digital signatures and when necessary, the recovery of keys.
  As the largest purchaser of computer software and hardware, the 
Federal Government can create important incentives to help the market 
swiftly respond to this need.
  I see three big interests at stake--network commerce, network 
government, and network security. First, the need to facilitate 
commerce, both in advancing America's leading position as an exporter 
of software and in the
promotion of commerce on the Internet, grows in importance every day. 
Second, there is the civic interest of Government. The American people 
should be able to have secure access to their Government, for the 
resolution of problems, the communication of ideas and access to 
services via electronic networks. Third, there is a security interest 
of law enforcement and national defense. Defensively, that interest is 
to protect citizens from foreign or criminal violations of privacy. 
Offensively, there needs to be a means fully consistent with our 
Constitution for discreet access to communications. That digital access 
should be no more or less expansive than exists in the nondigital 
world.
  Mr. President, there needs to be a commitment to a process for 
resolving a host of issues. First and foremost what is needed is a 
commitment by the leadership of this Congress to work together in good 
faith to find a resolution that can be signed into law by the 
President.
  I have proposed a discussion outline for compromise. If there can be 
agreement on principle and process, I am confident good faith 
negotiations between all interested parties can meet the ambitious goal 
of new legislation before the end of this session of Congress. This 
outline is meant to spark discussion and facilitate compromise on some 
very challenging issues. It is by no means etched in stone and I 
welcome suggestions for improvement and additions.
  Mr. President, I ask that the text of the Secure Public Networks Act 
discussion outline be printed in the Record.
  The material follows:

            The Secure Public Network Act Discussion Points


                                Purpose

       To encourage and facilitate the creation of secure public 
     networks for communication, commerce, education, research, 
     tele-medicine and government.


                     A. DOMESTIC USES OF ENCRYPTION

       (1) Lawful Use of Encryption: Domestic use of encryption 
     for any lawful purpose shall be permitted. No mandatory third 
     party key escrow system for domestic encryption.
       (2) Unlawful Use of Encryption: Penalty for the use of 
     encryption technology in the furtherance of a crime--5 years 
     or fine for 1st offense, and 10 years or fine for 2nd 
     offense.
       (3) Privacy Protection:
       Penalties for:
       (a) Unauthorized use of keys, authentication or identity;
       (b) Unauthorized breaking of another's encryption codes;
       (c) Theft of intellectual property on line through 
     unauthorized interception of messages;
       (d) Issuing key to unauthorized person;
       (e) Impersonating another to obtain key;
       (f) Knowingly issuing key in furtherance of criminal 
     activity.
       (4) Access to Encrypted Messages by U.S. Government 
     Agencies: Access to encryption key by government entities 
     only through properly executed court order (or certification 
     under Foreign Intelligence Surveillance Act).
       (5) Access to Encrypted Messages by Foreign Governments: 
     Attorney General may seek a court order for a foreign 
     government pursuant to treaty and U.S. law.
       (6) Civil Recovery: Recovery against the USA when 
     information is improperly obtained or released.
       (7) Destruction of intercepted information: Once lawful use 
     of intercepted information is complete, intercepted 
     information shall be destroyed.
       (8) Illegal Disclosure: Violation of law to disclose 
     recovery of information or execution of order.


                       B. GOVERNMENT PROCUREMENT

       (1) Policy: It is the policy of the U.S. Government to 
     create secure networks which permit public to interact with 
     government through networks which protect privacy, 
     intellectual property and personal security of network users.
       (2) Government Purchases of Software: All encryption 
     software purchased by the U.S. Government for use in secure 
     government networks shall be software based on a system of 
     key recovery.
       (3) Software Purchased With Federal Funds: All encryption 
     software purchased with federal funds shall be software based 
     on a system of key recovery.
       (4) U.S. Government Networks: All networks established by 
     the U.S. Government which use encryption shall use encryption 
     based on a system of key recovery.
       (5) Networks Established With Federal Funds: All encrypted 
     networks established with the use of federal funds shall 
     use encryption based on a system of key recovery.
       (6) Product Labels: Products may be labeled to inform user 
     such product is authorized for sale or use in transactions 
     with the U.S. Government.
       (7) No Private Mandate: No federal mandate of private 
     sector encryption standards other than for use in federal 
     computer systems, networks or systems created with federal 
     funds.


                        C. EXPORT OF ENCRYPTION

       (1) Department of Commerce: The Department of Commerce 
     shall be the lead agency on encryption software exports and 
     have sole duty to issue export licenses on commercial 
     encryption products and technologies.
       (2) General License: Exports of encryption software up to * 
     * * and software with encryption capabilities up to * * * 
     shall be subject to a general license (license exception) 
     provided, the product, or software being exported:
       (a) Is otherwise qualified for export;
       (b) Is otherwise legal;
       (c) Does not violate U.S. law;
       (d) Does not violate the intellectual property rights of 
     another; and
       (e) The recipient individual is otherwise qualified to 
     receive such product or software.
       The President may by executive order increase permissible 
     encryption strength which is exportable under general license 
     (license exception).
       (3) General License (license exception)--Unlimited 
     Strength: Exports of encryption software with unlimited 
     strength permitted under general license (license exception) 
     provided there is a qualified key recovery system or trusted 
     third party system for encryption product.
       (4) Fast Track Review: Fast Track consideration of licenses 
     for certain institutions:
       (a) Banks;
       (b) Financial Institutions; and
       (c) Health Care Providers
       (5) Prohibited Exports: Export shall be prohibited when 
     Secretary of Commerce finds significant evidence that product 
     for export would be used in acts against the national 
     security, public safety, integrity of transportation, 
     communications, financial institutions or other essential 
     systems of interstate commerce; diverted to a military, 
     terrorist or criminal use, or re-exported w/o US 
     authorization.
       (6) License Review: In evaluating requests for export 
     licenses for products with encryption capabilities, (in 
     strengths above the level described in (C)(2)), the following 
     factors shall be among those considered by the Secretary:
       (a) Whether a product is generally available and is 
     designed for installation without alteration by purchaser;
       (b) Whether the product is generally available in the 
     country to which the product would be exported; and
       (c) Whether products offering comparable security and level 
     of encryption are available in the country to which the 
     product would be exported.
       Licenses will be granted at the Secretary's discretion.


                    D. VOLUNTARY REGISTRATION SYSTEM

       (1) Certificate Authorities: Secretary may establish 
     procedures to register certificate authorities. Certificate 
     authorities shall verify use of public keys and digital 
     signatures.
       (2) Agent Registry: Secretary may establish procedures to 
     register key recovery agents.
       (3) Public Key Certificates: Secretary or Certificate 
     Authority may issue public key certificates.
       (4) Voluntary System: Use of key management system is 
     voluntary.
       (5) Incentive to Use Voluntary System: Use of registered 
     key management system shall be treated as evidence of due 
     diligence and reasonable care in any civil or criminal 
     proceeding.


                        E. LIABILITY LIMITATIONS

       (1) Compliance with request: No liability for disclosing 
     recovery information to government agency with properly 
     executed order;
       (2) Compliance defense: No liability for complying with 
     Act.
       (3) Good Faith Defense: Good faith reliance on court order 
     is a complete defense.


                      F. INTERNATIONAL AGREEMENTS

       The President shall conduct negotiations with other 
     countries for the purpose of mutual recognition of Key 
     Recovery and Certificate Authorities registered in USA.


                           G. CIVIL PENALTIES

       (1) Civil Penalties: In addition to criminal penalties, 
     Secretary shall establish civil penalties for violations of 
     this act.
       (2) Injunctive Relief: Attorney General may bring action to 
     enjoin violations of act and enforce recovery of civil 
     penalties.
       (3) Jurisdiction: Original Jurisdiction of Federal District 
     Courts for actions under this section.


                              H. RESEARCH

       (1) Information Security Board: The Information Security 
     Board shall be established to make recommendations to 
     President and Congress on measures to establish secure 
     networks, protect intellectual property on computer networks; 
     promote exports of software, protect national security and 
     public safety.
       (2) Coordination: Coordination between federal, state and 
     local law enforcement shall be encouraged.
       (3) Network Research: Secure network research shall be 
     encouraged.
       (4) Annual Report: The NTIA in consultation with other 
     federal agencies shall issue an annual report on secure 
     network developments. The report shall review available 
     information and report to the Congress and the President on 
     developments in encryption, authentication, identification 
     and security
     on communications networks and make policy recommendations to 
     the President and Congress.


                         I. PRESIDENTIAL POWER

       The President may waive provisions of this Act with a 
     finding of danger to national security, public safety, 
     economic security, or public interest. President must report 
     waiver to Congress in classified or unclassified form within 30 
     days of Presidential action.


                                J. MISC

       (1) Severability.
       (2) Interpretation: Will not affect intelligence activities 
     outside USA; and will not weaken intellectual property 
     protection.
       (3) Definitions.
       (4) Dates of regulations.
       (5) Authority for fees.

                          ____________________