[Congressional Record Volume 144, Number 59 (Tuesday, May 12, 1998)]
[Senate]
[Pages S4715-S4726]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. ASHCROFT (for himself, Mr. Leahy, Mr. Burns, Mr. Craig, 
        Mrs. Boxer, Mr. Faircloth, Mr. Wyden, Mr. Kempthorne, Mrs. 
        Murray, and Mrs. Hutchison):
  S. 2067. A bill to protect the privacy and constitutional rights of 
Americans, to establish standards and procedures regarding law 
enforcement access to decryption assistance for encrypted 
communications and stored electronic information, to affirm the rights 
of Americans to use and sell encryption products, and for other 
purposes; to the Committee on the Judiciary.


                           the e-privacy act

  Mr. ASHCROFT. Mr. President, I rise to speak today on an issue that I 
find very important to the future of this country's leading position in 
the technology, and that is encryption. This issue has been under 
consideration since I first came to Capitol Hill, and for more than 
three years nothing has been accomplished by way of assistance to law 
enforcement, or to industry, or most importantly to the users of 
encryption in this country.
  My first involvement in this entire discussion came about as a result 
of the need for protection and privacy. If we are to operate at our 
highest and best in the information age, instead of settling for 
something very far below our potential, we are going to need privacy 
and protection, and we are going to need the ability to operate with 
integrity on the Internet. The Internet has to be something more than 
speaking on the public square, it has to have the ability to allow 
individuals to communicate with each other. It has to have the same 
kind of rights and protections that are accorded to other aspects of 
communication. Without this privacy, the potential of the Internet is 
destroyed. In my judgment, the Internet would be destined to become 
just a sort of international bull session, nothing more than an 
international party line of commentary, or an international broadcast 
device. I do not believe it will fulfill its potential as a 
communication, entertainment, commercial and educational opportunity 
unless Internet communications are secure and the right of privacy is 
respected.
  The Internet allows for the most participatory form of communications 
ever. In order for us to be able to both invite participation by 
everyone, and to be able to take advantage of it, we have to be able to 
exclude some parties from a particular communication. I do not know of 
any more successful exclusion technique in the electronic world than 
encryption, especially when so much information is going to be 
transmitted digitally, much of it through space as well as over hard 
lines of communication.
  We have a tremendous potential for commerce on the Internet: 
everything from selling clothes, to real estate, to software itself. 
Electronic commerce has not reached its full potential, but it can. I 
think we've got a big agenda there, not just encryption but we've got 
to have legally binding signature legislation and therefore solid 
encryption.

[[Page S4716]]

  Resisting efforts for mandatory domestic key recovery is also 
crucial. We have to remind ourselves that the Internet is like so much 
of the rest of the culture--government can't solve all the problems. At 
least we have to plead for restraint by those who would harm this 
technology. As I have said before, now is the time to draw a bright 
line against federal regulation of the computer industry. Washington 
must not start down the road of dreaming up regulations to fix problems 
that may or may not exist. Two things can be predicted with confidence 
about congressional meddling in this sector of the economy. First, 
legislation will be obsolete on the day it is passed. Second, it will 
hurt consumers, workers, shareholders, and the economy. If Congress had 
helped set up the transportation industry, there still might be a 
livery stable in every town, and buggy whip factories in large cities.
  The irrationality of limiting the United States to levels of 
encryption which are far below what the world market is demanding and 
supplying in other settings, has been mind boggling. This legislation 
declares that American companies will be full and active participants 
in the encryption industry. Today, numerous editions of leading 
American designed and manufactured software bears the stamp, ``Not for 
sale outside the United States,'' because the software features robust 
encryption. That stamp does nothing to make Americans more secure, but 
it does provide aid and comfort to foreign competitors of American 
business. This legislation would eliminate that stamp once and for all.
  Encryption, of course, is the most important issue to the future of 
electronic commerce and if we are to foster the integrity of the 
Internet we must have the means of communication domestically and 
international. I have to reaffirm that we must allow the software 
industry to compete in an international market where robust encryption 
already takes place. Months ago I went to a Commerce Committee meeting 
and took with me an ad from the Internet, which was from Seimens 
company in Germany advertising robust 128 bit encryption, saying that 
you can't get this from a U.S. manufacturer. The advertisement also 
indicated, however, that if you buy this you can use it in the United 
States and you can use it overseas as well, and, so if you want to have 
robust encryption buy it from Seimens. The Administration has decided 
to tie the hands of the U.S. encryption industry. To me that's a 
disaster, but it is also compounded by people beginning to develop 
relationships with foreign software providers as a result of the 
unavailability of 128 bit or robust encryption on the part of U.S. 
providers.
  To see the Germans eagerly promoting this potential, and to have 
people from my own jurisdiction, from the state of Missouri, say, 
``John, we have an office in Singapore, we have to be able to speak 
with them confidentially and communicate with them, and the government 
is making it impossible for us to send the encryption that we can use 
domestically. We can't send it to our office in Singapore because we 
are ineligible to export it.'' I don't want the situation to be such 
that I have to say, ``Well, go to Seimens in Germany.'' From Seimens 
you can buy the encryption that can be sent into the United States and 
from Seimens in Germany it can be sent to Singapore and so you can have 
your cake and eat it too by dealing with a non-domestic firm. For us to 
have a policy which provides for the slitting of our own throats, in a 
technology arena, where we have held the lead and must continue to hold 
the lead, I think is foolhardy to say the least. If we are to mark the 
next century as an ``American Century,'' or even to celebrate this week 
as high technology week in the Senate, we must be forward thinking and 
acting. This bill moves us away from antiquated export laws to a future 
in which American companies will be able to compete in the 
international marketplace without having one hand tied behind their 
back by the federal government.
  This bill also clarifies the proper approach for encryption 
domestically as we move ahead in the digital age. The Administration 
and the FBI first indicated support for language that would mandate key 
recovery for all domestic encryption and now support several suggested 
approaches that would make using domestic key escrow a practical--
though not legal--necessity. Director Freeh has gone so far as to 
mention the need for a new Fourth Amendment that considers the 
realities of the digital age. I think we need a new and improved 
approach to domestic encryption, not a new updated version of the 
Fourth Amendment. I, for one, am not eagerly awaiting the FBI's new 
release of Fourth Amendment 2.0 or First Amendment '98.
  I think we have to work together to find a reasonable alternative to 
the current Administration policy and I think we have to ensure secure 
transactions. That's a clear responsibility. We can't have a situation 
where we don't have security and integrity in our business 
transactions. We have to be able to compete effectively in a worldwide 
marketplace. For us to limit our own potential in terms of competition 
makes no sense. We have to make sure that we don't allow those who 
would use information improperly or illegally to have access to it. 
That has to do with securing the transactions, and the integrity of the 
Internet as well.
  This legislation is the solution to the problem. It is well thought 
out and attempts to address the legitimate concerns of all affected 
parties. I will seek passage of this legislation in this Congress and 
will commit the resources of my office that may be needed to achieve 
this end.
  Business Week has recently reported that 61 percent of adults 
responded that they would be more likely to go on-line if the privacy 
of their information and communications would be protected. Mr. 
President, simply put, strong encryption means a strong economy. 
Mandatory access, by contrast, means weaker encryption and a less 
secure, and therefore less valuable, network.
  I ask for unanimous consent that the entire bill be printed in the 
Record.
  There being no objection, the bill was ordered to be printed in the 
Record, as follows:

                                S. 2067

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

       (a) Short Title.--This Act may be cited as the ``Encryption 
     Protects the Rights of Individuals from Violation and Abuse 
     in Cyberspace (E-PRIVACY) Act''.
       (b) Table of Contents.--The table of contents for this Act 
     is as follows:

Sec. 1. Short title; table of contents.
Sec. 2. Purposes.
Sec. 3. Findings. 
Sec. 4. Definitions.

     TITLE I--PRIVACY PROTECTION FOR COMMUNICATIONS AND ELECTRONIC 
                              INFORMATION

Sec. 101. Freedom to use encryption.
Sec. 102. Purchase and use of encryption products by the Federal 
              Government.
Sec. 103. Enhanced privacy protection for information on computer 
              networks. 
Sec. 104. Government access to location information.
Sec. 105. Enhanced privacy protection for transactional information 
              obtained from pen registers or trap and trace devices.

                  TITLE II--LAW ENFORCEMENT ASSISTANCE

Sec. 201. Encrypted wire or electronic communications and stored 
              electronic communications.

               TITLE III--EXPORTS OF ENCRYPTION PRODUCTS

Sec. 301. Commercial encryption products.
Sec. 302. License exception for mass market products.
Sec. 303. License exception for products without encryption capable of 
              working with encryption products.
Sec. 304. License exception for product support and consulting 
              services.
Sec. 305. License exception when comparable foreign products available.
Sec. 306. No export controls on encryption products used for 
              nonconfidentiality purposes.
Sec. 307. Applicability of general export controls.
Sec. 308. Foreign trade barriers to United States products.

     SEC. 2. PURPOSES.

       The purposes of this Act are--
       (1) to ensure that Americans have the maximum possible 
     choice in encryption methods to protect the security, 
     confidentiality, and privacy of their lawful wire and 
     electronic communications and stored electronic information;
       (2) to promote the privacy and constitutional rights of 
     individuals and organizations in networked computer systems 
     and other

[[Page S4717]]

     digital environments, protect the confidentiality of 
     information and security of critical infrastructure systems 
     relied on by individuals, businesses and government agencies, 
     and properly balance the needs of law enforcement to have the 
     same access to electronic communications and information as 
     under current law; and
       (3) to establish privacy standards and procedures by which 
     investigative or law enforcement officers may obtain 
     decryption assistance for encrypted communications and stored 
     electronic information.

     SEC. 3. FINDINGS.

       Congress finds that--
       (1) the digitization of information and the explosion in 
     the growth of computing and electronic networking offers 
     tremendous potential benefits to the way Americans live, 
     work, and are entertained, but also raises new threats to the 
     privacy of American citizens and the competitiveness of 
     American businesses;
       (2) a secure, private, and trusted national and global 
     information infrastructure is essential to promote economic 
     growth, protect privacy, and meet the needs of American 
     citizens and businesses;
       (3) the rights of Americans to the privacy and security of 
     their communications and in the conducting of personal and 
     business affairs should be promoted and protected;
       (4) the authority and ability of investigative and law 
     enforcement officers to access and decipher, in a timely 
     manner and as provided by law, wire and electronic 
     communications, and stored electronic information necessary 
     to provide for public safety and national security should 
     also be preserved;
       (5) individuals will not entrust their sensitive personal, 
     medical, financial, and other information to computers and 
     computer networks unless the security and privacy of that 
     information is assured;
       (6) businesses will not entrust their proprietary and 
     sensitive corporate information, including information about 
     products, processes, customers, finances, and employees, to 
     computers and computer networks unless the security and 
     privacy of that information is assured;
       (7) America's critical infrastructures, including its 
     telecommunications system, banking and financial 
     infrastructure, and power and transportation infrastructure, 
     increasingly rely on vulnerable information systems, and will 
     represent a growing risk to national security and public 
     safety unless the security and privacy of those information 
     systems is assured;
       (8) encryption technology is an essential tool to promote 
     and protect the privacy, security, confidentiality, 
     integrity, and authenticity of wire and electronic 
     communications and stored electronic information;
       (9) encryption techniques, technology, programs, and 
     products are widely available worldwide;
       (10) Americans should be free to use lawfully whatever 
     particular encryption techniques, technologies, programs, or 
     products developed in the marketplace that best suits their 
     needs in order to interact electronically with the government 
     and others worldwide in a secure, private, and confidential 
     manner;
       (11) government mandates for, or otherwise compelled use 
     of, third-party key recovery systems or other systems that 
     provide surreptitious access to encrypted data threatens the 
     security and privacy of information systems;
       (12) American companies should be free to compete and sell 
     encryption technology, programs, and products, and to 
     exchange encryption technology, programs, and products 
     through the use of the Internet, which is rapidly emerging as 
     the preferred method of distribution of computer software and 
     related information;
       (13) a national encryption policy is needed to advance the 
     development of the national and global information 
     infrastructure, and preserve the right to privacy of 
     Americans and the public safety and national security of the 
     United States;
       (14) Congress and the American people have recognized the 
     need to balance the right to privacy and the protection of 
     the public safety with national security;
       (15) the Constitution of the United States permits lawful 
     electronic surveillance by investigative or law enforcement 
     officers and the seizure of stored electronic information 
     only upon compliance with stringent standards and procedures; 
     and
       (16) there is a need to clarify the standards and 
     procedures by which investigative or law enforcement officers 
     obtain decryption assistance from persons--
       (A) who are voluntarily entrusted with the means to decrypt 
     wire and electronic communications and stored electronic 
     information; or
       (B) have information that enables the decryption of such 
     communications and information.

     SEC. 4. DEFINITIONS.

       In this Act:
       (1) Agency.--The term ``agency'' has the meaning given the 
     term in section 6 of title 18, United States Code.
       (2) Computer hardware.--The term ``computer hardware'' 
     includes computer systems, equipment, application-specific 
     assemblies, smart cards, modules, and integrated circuits.
       (3) Computing device.--The term ``computing device'' means 
     a device that incorporates 1 or more microprocessor-based 
     central processing units that are capable of accepting, 
     storing, processing, or providing output of data.
       (4) Encrypt and encryption.--The terms ``encrypt'' and 
     ``encryption'' refer to the scrambling (and descrambling) of 
     wire communications, electronic communications, or 
     electronically stored information, using mathematical 
     formulas or algorithms in order to preserve the 
     confidentiality, integrity, or authenticity of, and prevent 
     unauthorized recipients from accessing or altering, such 
     communications or information.
       (5) Encryption product.--The term ``encryption product''--
       (A) means a computing device, computer hardware, computer 
     software, or technology, with encryption capabilities; and
       (B) includes any subsequent version of or update to an 
     encryption product, if the encryption capabilities are not 
     changed.
       (6) Exportable.--The term ``exportable'' means the ability 
     to transfer, ship, or transmit to foreign users.
       (7) Key.--The term ``key'' means the variable information 
     used in or produced by a mathematical formula, code, or 
     algorithm, or any component thereof, used to encrypt or 
     decrypt wire communications, electronic communications, or 
     electronically stored information.
       (8) Person.--The term ``person'' has the meaning given the 
     term in section 2510(6) of title 18, United States Code.
       (9) Remote computing service.--The term ``remote computing 
     service'' has the meaning given the term in section 2711(2) 
     of title 18, United States Code.
       (10) State.--The term ``State'' has the meaning given the 
     term in section 3156(a)(5) of title 18, United States Code.
       (11) Technical review.--The term ``technical review'' means 
     a review by the Secretary, based on information about a 
     product's encryption capabilities supplied by the 
     manufacturer, that an encryption product works as 
     represented.
       (12) United states person.--The term ``United States 
     person'' means any--
       (A) United States citizen; or
       (B) any legal entity that--
       (i) is organized under the laws of the United States, or 
     any State, the District of Columbia, or any commonwealth, 
     territory, or possession of the United States; and
       (ii) has its principal place of business in the United 
     States.
     TITLE I--PRIVACY PROTECTION FOR COMMUNICATIONS AND ELECTRONIC 
                              INFORMATION

     SEC. 101. FREEDOM TO USE ENCRYPTION.

       (a) In General.--Except as otherwise provided by this Act 
     and the amendments made by this Act, it shall be lawful for 
     any person within the United States, and for any United 
     States person in a foreign country, to use, develop, 
     manufacture, sell, distribute, or import any encryption 
     product, regardless of the encryption algorithm selected, 
     encryption key length chosen, existence of key recovery or 
     other plaintext access capability, or implementation or 
     medium used.
       (b) Prohibition on Government-Compelled Key Escrow or Key 
     Recovery Encryption.--
       (1) In general.--Except as provided in paragraph (3), no 
     agency of the United States nor any State may require, 
     compel, set standards for, condition any approval on, or 
     condition the receipt of any benefit on, a requirement that a 
     decryption key, access to a decryption key, key recovery 
     information, or other plaintext access capability be--
       (A) given to any other person, including any agency of the 
     United States or a State, or any entity in the private 
     sector; or
       (B) retained by any person using encryption.
       (2) Use of particular products.--No agency of the United 
     States may require any person who is not an employee or agent 
     of the United States or a State to use any key recovery or 
     other plaintext access features for communicating or 
     transacting business with any agency of the United States.
       (3) Exception.--The prohibition in paragraph (1) does not 
     apply to encryption used by an agency of the United States or 
     a State, or the employees or agents of such an agency, solely 
     for the internal operations and telecommunications systems of 
     the United States or the State.
       (c) Use of Encryption for Authentication or Integrity 
     Purposes.--
       (1) In general.--The use, development, manufacture, sale, 
     distribution and import of encryption products, standards, 
     and services for purposes of assuring the confidentiality, 
     authenticity, or integrity or access control of electronic 
     information shall be voluntary and market driven.
       (2) Conditions.--No agency of the United States or a State 
     shall establish any condition, tie, or link between 
     encryption products, standards, and services used for 
     confidentiality, and those used for authentication, 
     integrity, or access control purposes.

     SEC. 102. PURCHASE AND USE OF ENCRYPTION PRODUCTS BY THE 
                   FEDERAL GOVERNMENT.

       (a) Purchases.--An agency of the United States may purchase 
     encryption products for--
       (1) the internal operations and telecommunications systems 
     of the agency; or
       (2) use by, among, and between that agency and any other 
     agency of the United States, the employees of the agency, or 
     persons operating under contract with the agency.
       (b) Interoperability.--To ensure that secure electronic 
     access to the Government is

[[Page S4718]]

     available to persons outside of and not operating under 
     contract with agencies of the United States, the United 
     States shall purchase no encryption product with a key 
     recovery or other plaintext access feature if such key 
     recovery or plaintext access feature would interfere with use 
     of the product's full encryption capabilities when 
     interoperating with other commercial encryption products.

     SEC. 103. ENHANCED PRIVACY PROTECTION FOR INFORMATION ON 
                   COMPUTER NETWORKS.

       Section 2703 of title 18, United States Code, is amended by 
     adding at the end the following:
       ``(g) Access to Stored Electronic Information.--
       ``(1) Disclosure.--
       ``(A) In general.--Subject to subparagraph (B), a 
     governmental entity may require the disclosure by a provider 
     of a remote computing service of the contents of an 
     electronic record in networked electronic storage only if the 
     person who created the record is accorded the same 
     protections that would be available if the record had 
     remained in that person's possession.
       ``(B) Networked electronic storage.--In addition to the 
     requirements of subparagraph (A) and subject to paragraph 
     (2), a governmental entity may require the disclosure of the 
     contents of an electronic record in networked electronic 
     storage only--
       ``(i) pursuant to a warrant issued under the Federal Rules 
     of Criminal Procedure or equivalent State warrant, a copy of 
     which warrant shall be served on the person who created the 
     record prior to or at the same time the warrant is served on 
     the provider of the remote computing service;
       ``(ii) pursuant to a subpoena issued under the Federal 
     Rules of Criminal Procedure or equivalent State warrant, a 
     copy of which subpoena shall be served on the person who 
     created the record, under circumstances allowing that person 
     a meaningful opportunity to challenge the subpoena; or
       ``(iii) upon the consent of the person who created the 
     record.
       ``(2) Definition.--In this subsection, an electronic record 
     is in `networked electronic storage' if--
       ``(A) it is not covered by subsection (a) of this section;
       ``(B) the person holding the record is not authorized to 
     access the contents of such record for any purposes other 
     than in connection with providing the service of storage; and
       ``(C) the person who created the record is able to access 
     and modify it remotely through electronic means.''.

     SEC. 104. GOVERNMENT ACCESS TO LOCATION INFORMATION.

       (a) Court Order Required.--Section 2703 of title 18, United 
     States Code, is amended by adding at the end the following:
       ``(h) Requirements for Disclosure of Location 
     Information.--A provider of mobile electronic communication 
     service shall provide to a governmental entity information 
     generated by and disclosing, on a real time basis, the 
     physical location of a subscriber's equipment only if the 
     governmental entity obtains a court order issued upon a 
     finding that there is probable cause to believe that an 
     individual using or possessing the subscriber equipment is 
     committing, has committed, or is about to commit a felony 
     offense.''.
       (b) Conforming Amendment.--Section 2703(c)(1)(B) of title 
     18, United States Code, is amended by inserting ``or wireless 
     location information covered by subsection (g) of this 
     section'' after ``(b) of this section''.

     SEC. 105. ENHANCED PRIVACY PROTECTION FOR TRANSACTIONAL 
                   INFORMATION OBTAINED FROM PEN REGISTERS OR TRAP 
                   AND TRACE DEVICES.

       Subsection 3123(a) of title 18, United States Code, is 
     amended to read as follows:
       ``(a) In General.--Upon an application made under section 
     3122, the court may enter an ex parte order--
       ``(1) authorizing the installation and use of a pen 
     register or a trap and trace device within the jurisdiction 
     of the court if the court finds, based on the certification 
     by the attorney for the Government or the State law 
     enforcement or investigative officer, that the information 
     likely to be obtained by such installation and use is 
     relevant to an ongoing criminal investigation; and
       ``(2) directing that the use of the pen register or trap 
     and trace device be conducted in such a way as to minimize 
     the recording or decoding of any electronic or other impulses 
     that are not related to the dialing and signaling information 
     utilized in call processing.''.
                  TITLE II--LAW ENFORCEMENT ASSISTANCE

     SEC. 201. ENCRYPTED WIRE OR ELECTRONIC COMMUNICATIONS AND 
                   STORED ELECTRONIC COMMUNICATIONS.

       (a) In General.--Part I of title 18, United States Code, is 
     amended by inserting after chapter 123 the following:

 ``CHAPTER 124--ENCRYPTED WIRE OR ELECTRONIC COMMUNICATIONS AND STORED 
                         ELECTRONIC INFORMATION

``Sec.
``2801. Definitions.
``2802. Unlawful use of encryption.
``2803. Access to decryption assistance for communications.
``2804. Access to decryption assistance for stored electronic 
              communications or records.
``2805. Foreign government access to decryption assistance.
``2806. Establishment and operations of National Electronic 
              Technologies Center.

     ``Sec. 2801. Definitions

       ``In this chapter:
       ``(1) Decryption assistance.--The term `decryption 
     assistance' means assistance that provides or facilitates 
     access to the plaintext of an encrypted wire or electronic 
     communication or stored electronic information, including the 
     disclosure of a decryption key or the use of a decryption key 
     to produce plaintext.
       ``(2) Decryption key.--The term `decryption key' means the 
     variable information used in or produced by a mathematical 
     formula, code, or algorithm, or any component thereof, used 
     to decrypt a wire communication or electronic communication 
     or stored electronic information that has been encrypted.
       ``(3) Encrypt; encryption.--The terms `encrypt' and 
     `encryption' refer to the scrambling (and descrambling) of 
     wire communications, electronic communications, or 
     electronically stored information, using mathematical 
     formulas or algorithms in order to preserve the 
     confidentiality, integrity, or authenticity of, and prevent 
     unauthorized recipients from accessing or altering, such 
     communications or information.
       ``(4) Foreign government.--The term `foreign government' 
     has the meaning given the term in section 1116.
       ``(5) Official request.--The term `official request' has 
     the meaning given the term in section 3506(c).
       ``(6) Incorporated definitions.--Any term used in this 
     chapter that is not defined in this chapter and that is 
     defined in section 2510, has the meaning given the term in 
     section 2510.

     ``Sec. 2802. Unlawful use of encryption

       ``Any person who, during the commission of a felony under 
     Federal law, knowingly and willfully encrypts any 
     incriminating communication or information relating to that 
     felony, with the intent to conceal that communication or 
     information for the purpose of avoiding detection by a law 
     enforcement agency or prosecutor--
       ``(1) in the case of a first offense under this section, 
     shall be imprisoned not more than 5 years, fined under this 
     title, or both; and
       ``(2) in the case of a second or subsequent offense under 
     this section, shall be imprisoned not more than 10 years, 
     fined under this title, or both.

     ``Sec. 2803. Access to decryption assistance for 
       communications

       ``(a) Criminal Investigations.--
       ``(1) In general.--An order authorizing the interception of 
     a wire or electronic communication under section 2518 shall, 
     upon request of the applicant, direct that a provider of wire 
     or electronic communication service, or any other person 
     possessing information capable of decrypting that 
     communication, other than a person whose communications are 
     the subject of the interception, shall promptly furnish the 
     applicant with the necessary decryption assistance, if the 
     court finds that the decryption assistance sought is 
     necessary for the decryption of a communication intercepted 
     pursuant to the order.
       ``(2) Limitations.--Each order described in paragraph (1), 
     and any extension of such an order, shall--
       ``(A) contain a provision that the decryption assistance 
     provided shall involve disclosure of a private key only if no 
     other form of decryption assistance is available and 
     otherwise shall be limited to the minimum necessary to 
     decrypt the communications intercepted pursuant to this 
     chapter; and
       ``(B) terminate on the earlier of--
       ``(i) the date on which the authorized objective is 
     attained; or
       ``(ii) 30 days after the date on which the order or 
     extension, as applicable, is issued.
       ``(3) Notice.--If decryption assistance is provided 
     pursuant to an order under this subsection, the court issuing 
     the order described in paragraph (1)--
       ``(A) shall cause to be served on the person whose 
     communications are the subject of such decryption assistance, 
     as part of the inventory required to be served pursuant to 
     section 2518(8), notice of the receipt of the decryption 
     assistance and a specific description of the keys or other 
     assistance disclosed; and
       ``(B) upon the filing of a motion and for good cause shown, 
     shall make available to such person, or to counsel for that 
     person, for inspection, the intercepted communications to 
     which the decryption assistance related, except that on an ex 
     parte showing of good cause, the serving of the inventory 
     required by section 2518(8) may be postponed.
       ``(b) Foreign Intelligence Investigations.--
       ``(1) In general.--An order authorizing the interception of 
     a wire or electronic communication under section 105(b)(2) of 
     the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 
     1805(b)(2)) shall, upon request of the applicant, direct that 
     a provider of wire or electronic communication service or any 
     other person possessing information capable of decrypting 
     such communications, other than a person whose communications 
     are the subject of the interception, shall promptly furnish 
     the applicant with the necessary decryption assistance, if 
     the court finds that

[[Page S4719]]

     the decryption assistance sought is necessary for the 
     decryption of a communication intercepted pursuant to the 
     order.
       ``(2) Limitations.--Each order described in paragraph (1), 
     and any extension of such an order, shall--
       ``(A) contain a provision that the decryption assistance 
     provided shall be limited to the minimum necessary to decrypt 
     the communications intercepted pursuant to this chapter; and
       ``(B) terminate on the earlier of--
       ``(i) the date on which the authorized objective is 
     attained; or
       ``(ii) 30 days after the date on which the order or 
     extension, as applicable, is issued.
       ``(c) General Prohibition on Disclosure.--Other than 
     pursuant to an order under subsection (a) or (b) of this 
     section, no person possessing information capable of 
     decrypting a wire or electronic communication of another 
     person shall disclose that information or provide decryption 
     assistance to an investigative or law enforcement officer (as 
     defined in section 2510(7)).

     ``Sec. 2804. Access to decryption assistance for stored 
       electronic communications or records

       ``(a) Decryption Assistance.--No person may disclose a 
     decryption key or provide decryption assistance pertaining to 
     the contents of stored electronic communications or records, 
     including those disclosed pursuant to section 2703, to a 
     governmental entity, except--
       ``(1) pursuant to a warrant issued under the Federal Rules 
     of Criminal Procedure or an equivalent State warrant, a copy 
     of which warrant shall be served on the person who created 
     the electronic communication prior to or at the same time 
     service is made on the keyholder;
       ``(2) pursuant to a subpoena, a copy of which subpoena 
     shall be served on the person who created the electronic 
     communication or record, under circumstances allowing the 
     person meaningful opportunity to challenge the subpoena; or
       ``(3) upon the consent of the person who created the 
     electronic communication or record.
       ``(b) Delay of Notification.--In the case of communications 
     disclosed pursuant to section 2703(a), service of the copy of 
     the warrant or subpoena on the person who created the 
     electronic communication under subsection (a) may be delayed 
     for a period of not to exceed 90 days upon request to the 
     court by the governmental entity requiring the decryption 
     assistance, if the court determines that there is reason to 
     believe that notification of the existence of the court order 
     or subpoena may have an adverse result described in section 
     2705(a)(2).

     ``Sec. 2805. Foreign government access to decryption 
       assistance

       ``(a) In General.--No investigative or law enforcement 
     officer may--
       ``(1) release a decryption key to a foreign government or 
     to a law enforcement agency of a foreign government; or
       ``(2) except as provided in subsection (b), provide 
     decryption assistance to a foreign government or to a law 
     enforcement agency of a foreign government.
       ``(b) Conditions for Cooperation With Foreign Government.--
       ``(1) Application for an order.--In any case in which the 
     United States has entered into a treaty or convention with a 
     foreign government to provide mutual assistance with respect 
     to providing decryption assistance, the Attorney General (or 
     the designee of the Attorney General) may, upon an official 
     request to the United States from the foreign government, 
     apply for an order described in paragraph (2) from the 
     district court in which the person possessing information 
     capable of decrypting the communication or information at 
     issue resides--
       ``(A) directing that person to release a decryption key or 
     provide decryption assistance to the Attorney General (or the 
     designee of the Attorney General); and
       ``(B) authorizing the Attorney General (or the designee of 
     the Attorney General) to furnish the foreign government with 
     the plaintext of the encrypted communication or stored 
     electronic information at issue.
       ``(2) Contents of order.--An order is described in this 
     paragraph if it is an order directing the person possessing 
     information capable of decrypting the communication or 
     information at issue to
       ``(A) release a decryption key to the Attorney General (or 
     the designee of the Attorney General) so that the plaintext 
     of the communication or information may be furnished to the 
     foreign government; or
       ``(B) provide decryption assistance to the Attorney General 
     (or the designee of the Attorney General) so that the 
     plaintext of the communication or information may be 
     furnished to the foreign government.
       ``(3) Requirements for order.--The court described in 
     paragraph (1) may issue an order described in paragraph (2) 
     if the court finds, on the basis of an application made by 
     the Attorney General under this subsection, that--
       ``(A) the decryption key or decryption assistance sought is 
     necessary for the decryption of a communication or 
     information that the foreign government is authorized to 
     intercept or seize pursuant to the law of that foreign 
     country;
       ``(B) the law of the foreign country provides for adequate 
     protection against arbitrary interference with respect to 
     privacy rights; and
       ``(C) the decryption key or decryption assistance is being 
     sought in connection with a criminal investigation for 
     conduct that would constitute a violation of a criminal law 
     of the United States if committed within the jurisdiction of 
     the United States.

     ``Sec. 2806. Establishment and operations of National 
       Electronic Technologies Center

       ``(a) National Electronic Technologies Center.--
       ``(1) Establishment.--There is established in the 
     Department of Justice a National Electronic Technologies 
     Center (referred to in this section as the `NET Center').
       ``(2) Director.--The NET Center shall be administered by a 
     Director (referred to in this section as the `Director'), who 
     shall be appointed by the Attorney General.
       ``(3) Duties.--The NET Center shall--
       ``(A) serve as a center for Federal, State, and local law 
     enforcement authorities for information and assistance 
     regarding decryption and other access requirements;
       ``(B) serve as a center for industry and government 
     entities to exchange information and methodology regarding 
     information security techniques and technologies;
       ``(C) support and share information and methodology 
     regarding information security techniques and technologies 
     with the Computer Investigations and Infrastructure Threat 
     Assessment Center (CITAC) and Field Computer Investigations 
     and Infrastructure Threat Assessment (CITA) Squads of the 
     Federal Bureau of Investigation;
       ``(D) examine encryption techniques and methods to 
     facilitate the ability of law enforcement to gain efficient 
     access to plaintext of communications and electronic 
     information;
       ``(E) conduct research to develop efficient methods, and 
     improve the efficiency of existing methods, of accessing 
     plaintext of communications and electronic information;
       ``(F) investigate and research new and emerging techniques 
     and technologies to facilitate access to communications and 
     electronic information, including--
       ``(i) reverse-stenography;
       ``(ii) decompression of information that previously has 
     been compressed for transmission; and
       ``(iii) demultiplexing;
       ``(G) investigate and research interception and access 
     techniques that preserve the privacy and security of 
     information not authorized to be intercepted; and
       ``(H) obtain information regarding the most current 
     hardware, software, telecommunications, and other 
     capabilities to understand how to access digitized 
     information transmitted across networks.
       ``(4) Equal access.--State and local law enforcement 
     agencies and authorities shall have access to information, 
     services, resources, and assistance provided by the NET 
     Center to the same extent that Federal law enforcement 
     agencies and authorities have such access.
       ``(5) Personnel.--The Director may appoint such personnel 
     as the Director considers appropriate to carry out the duties 
     of the NET Center.
       ``(6) Assistance of other federal agencies.--Upon the 
     request of the Director of the NET Center, the head of any 
     department or agency of the Federal Government may, to assist 
     the NET Center in carrying out its duties under this 
     subsection--
       ``(A) detail, on a reimbursable basis, any of the personnel 
     of such department or agency to the NET Center; and
       ``(B) provide to the NET Center facilities, information, 
     and other nonpersonnel resources.
       ``(7) Private industry assistance.--The NET Center may 
     accept, use, and dispose of gifts, bequests, or devises of 
     money, services, or property, both real and personal, for the 
     purpose of aiding or facilitating the work of the Center. 
     Gifts, bequests, or devises of money and proceeds from sales 
     of other property received as gifts, bequests, or devises 
     shall be deposited in the Treasury and shall be available for 
     disbursement upon order of the Director of the NET Center.
       ``(8) Advisory board.--
       ``(A) Establishment.--There is established in the NET 
     Center an Advisory Board for Excellence in Information 
     Security (in this paragraph referred to as the `Advisory 
     Board'), which shall be comprised of members who have the 
     qualifications described in subparagraph (B) and who are 
     appointed by the Attorney General. The Attorney General shall 
     appoint a chairman of the Advisory Board.
       ``(B) Qualifications.--Each member of the Advisory Board 
     shall have experience or expertise in the field of 
     encryption, decryption, electronic communication, information 
     security, electronic commerce, privacy protection, or law 
     enforcement.
       ``(C) Duties.--The duty of the Advisory Board shall be to 
     advise the NET Center and the Federal Government regarding 
     new and emerging technologies relating to encryption and 
     decryption of communications and electronic information.
       ``(9) Implementation plan.--
       ``(A) In general.--Not later than 2 months after the date 
     of enactment of this chapter, the Attorney General shall, in 
     consultation and cooperation with other appropriate Federal 
     agencies and appropriate industry participants, develop and 
     cause to be published in the Federal Register a plan for 
     establishing the NET Center.
       ``(B) Contents of plan.--The plan published under 
     subparagraph (A) shall--
       ``(i) specify the physical location of the NET Center and 
     the equipment, software,

[[Page S4720]]

     and personnel resources necessary to carry out the duties of 
     the NET Center under this subsection;
       ``(ii) assess the amount of funding necessary to establish 
     and operate the NET Center; and
       ``(iii) identify sources of probable funding for the NET 
     Center, including any sources of in-kind contributions from 
     private industry.
       ``(b) Authorization.--There are authorized to be 
     appropriated such sums as may be necessary for the 
     establishment and operation of the NET Center.''.
       (b) Technical and Conforming Amendment.--The analysis for 
     part I of title 18, United States Code, is amended by adding 
     at the end the following:

``124. Encrypted wire or electronic communications and stored 
    electronic information..................................2801''.....

               TITLE III--EXPORTS OF ENCRYPTION PRODUCTS

     SEC. 301. COMMERCIAL ENCRYPTION PRODUCTS.

       (a) Provisions Applicable to Commercial Products.--The 
     provisions of this title apply to all encryption products, 
     regardless of the encryption algorithm selected, encryption 
     key length chosen, exclusion of key recovery or other 
     plaintext access capability, or implementation or medium 
     used, except those specifically designed or modified for 
     military use, including command, control, and intelligence 
     applications.
       (b) Control by Secretary of Commerce.--Subject to the 
     provisions of this title, and notwithstanding any other 
     provision of law, the Secretary of Commerce shall have 
     exclusive authority to control exports of encryption products 
     covered under subsection (a).

     SEC. 302. LICENSE EXCEPTION FOR MASS MARKET PRODUCTS.

       (a) Export Control Relief.--Subject to section 307, an 
     encryption product that is generally available, or 
     incorporates or employs in any form, implementation, or 
     medium, an encryption product that is generally available, 
     shall be exportable without the need for an export license, 
     and without restrictions other than those permitted under 
     this Act, after a 1-time 15-day technical review by the 
     Secretary of Commerce.
       (b) Definitions.--In this section, the term ``generally 
     available'' means an encryption product that is--
       (1) offered for sale, license, or transfer to any person 
     without restriction, whether or not for consideration, 
     including, but not limited to, over-the-counter retail sales, 
     mail order transactions, phone order transactions, electronic 
     distribution, or sale on approval; and
       (2) not designed, developed, or customized by the 
     manufacturer for specific purchasers except for user or 
     purchaser selection among installation or configuration 
     parameters.
       (c) Commerce Department Assurance.--
       (1) In general.--The manufacturer or exporter of an 
     encryption product may request written assurance from the 
     Secretary of Commerce that an encryption product is 
     considered generally available for purposes of this section.
       (2) Response.--Not later than 30 days after receiving a 
     request under paragraph (1), the Secretary shall make a 
     determination regarding whether to issue a written assurance 
     under that paragraph, and shall notify the person making the 
     request, in writing, of that determination.
       (3) Effect on manufacturers and exporters.--A manufacturer 
     or exporter who obtains a written assurance under this 
     subsection shall not be held liable, responsible, or subject 
     to sanctions for failing to obtain an export license for the 
     encryption product at issue.

     SEC. 303. LICENSE EXCEPTION FOR PRODUCTS WITHOUT ENCRYPTION 
                   CAPABLE OF WORKING WITH ENCRYPTION PRODUCTS.

       Subject to section 307, any product that does not itself 
     provide encryption capabilities, but that incorporates or 
     employs in any form cryptographic application programming 
     interfaces or other interface mechanisms for interaction with 
     other encryption products covered by section 301(a), shall be 
     exportable without the need for an export license, and 
     without restrictions other than those permitted under this 
     Act, after a 1-time, 15-day technical review by the Secretary 
     of Commerce.

     SEC. 304. LICENSE EXCEPTION FOR PRODUCT SUPPORT AND 
                   CONSULTING SERVICES.

       (a) No Additional Export Controls Imposed if Underlying 
     Product Covered by License Exception.--Technical assistance 
     and technical data associated with the installation and 
     maintenance of encryption products covered by sections 302 
     and 303 shall be exportable without the need for an export 
     license, and without restrictions other than those permitted 
     under this Act.
       (b) Definitions.--In this section:
       (1) Technical assistance.--The term ``technical 
     assistance'' means services, including instruction, skills 
     training, working knowledge, and consulting services, and the 
     transfer of technical data.
       (2) Technical data.--The term ``technical data'' means 
     information including blueprints, plans, diagrams, models, 
     formulae, tables, engineering designs and specifications, 
     manuals and instructions written or recorded on other media 
     or devices such as disk, tape, or read-only memories.

     SEC. 305. LICENSE EXCEPTION WHEN COMPARABLE FOREIGN PRODUCTS 
                   AVAILABLE.

       (a) Foreign Availability Standard.--An encryption product 
     not qualifying under section 302 shall be exportable without 
     the need for an export license, and without restrictions 
     other than those permitted under this Act, after a 1-time 15-
     day technical review by the Secretary of Commerce, if an 
     encryption product utilizing the same or greater key length 
     or otherwise providing comparable security to such encryption 
     product is, or will be within the next 18 months, 
     commercially available outside the United States from a 
     foreign supplier.
       (b) Determination of Foreign Availability.--
       (1) Encryption export advisory board established.--There is 
     hereby established a board to be known as the ``Encryption 
     Export Advisory Board'' (in this section referred to as the 
     ``Board'').
       (2) Membership.--The Board shall be comprised of--
       (A) the Under Secretary of Commerce for Export 
     Administration, who shall be Chairman;
       (B) seven individuals appointed by the President, of whom--
       (i) one shall be a representative from each of--

       (I) the National Security Agency;
       (II) the Central Intelligence Agency; and
       (III) the Office of the President; and

       (ii) four shall be individuals from the private sector who 
     have expertise in the development, operation, or marketing of 
     information technology products; and
       (C) four individuals appointed by Congress from among 
     individuals in the private sector who have expertise in the 
     development, operation, or marketing of information 
     technology products, of whom--
       (i) one shall be appointed by the Majority Leader of the 
     Senate;
       (ii) one shall be appointed by the Minority Leader of the 
     Senate;
       (iii) one shall be appointed by the Speaker of the House of 
     Representatives; and
       (iv) one shall be appointed by the Minority Leader of the 
     House of Representatives.
       (3) Meetings.--
       (A) In general.--Subject to subparagraph (B), the Board 
     shall meet at the call of the Under Secretary of Commerce for 
     Export Administration.
       (B) Meetings when applications pending.--If any application 
     referred to in paragraph (4)(A) is pending, the Board shall 
     meet not less than once every 30 days.
       (4) Duties.--
       (A) In general.--Whenever an application for a license 
     exception for an encryption product under this section is 
     submitted to the Secretary of Commerce, the Board shall 
     determine whether a comparable encryption product is 
     commercially available outside the United States from a 
     foreign supplier as specified in subsection (a).
       (B) Majority vote required.--The Board shall make a 
     determination under this paragraph upon a vote of the 
     majority of the members of the Board.
       (C) Deadline.--The Board shall make a determination with 
     respect to an encryption product under this paragraph not 
     later than 30 days after receipt by the Secretary of an 
     application for a license exception under this subsection 
     based on the encryption product.
       (D) Notice of determinations.--The Board shall notify the 
     Secretary of Commerce of each determination under this 
     paragraph.
       (E) Reports to president.--Not later than 30 days after a 
     meeting under this paragraph, the Board shall submit to the 
     President a report on the meeting.
       (F) Applicability of faca.--The provisions of the Federal 
     Advisory Committee Act (5 U.S.C. App.) shall not apply to the 
     Board or to meetings held by the Board under this paragraph.
       (5) Action by secretary of commerce.--
       (A) Approval or disapproval.--The Secretary of Commerce 
     shall specifically approve or disapprove each determination 
     of the Board under paragraph (5) not later than 30 days of 
     the submittal of such determination to the Secretary under 
     that paragraph.
       (B) Notification and publication of decision.--The 
     Secretary of Commerce shall--
       (i) notify the Board of each approval or disapproval under 
     this paragraph; and
       (ii) publish a notice of the approval or disapproval in the 
     Federal Register.
       (C) Contents of notice.--Each notice of a decision of 
     disapproval by the Secretary of Commerce under subparagraph 
     (B) of a determination of the Board under paragraph (4) that 
     an encryption product is commercially available outside the 
     United States from a foreign supplier shall set forth an 
     explanation in detail of the reasons for the decision, 
     including why and how continued export control of the 
     encryption product which the determination concerned will be 
     effective in achieving its purpose and the amount of lost 
     sales and loss in market share of United States encryption 
     products as a result of the decision.
       (6) Judicial review.--Notwithstanding any other provision 
     of law, a decision of disapproval by the Secretary of 
     Commerce under paragraph (5) of a determination of the Board 
     under paragraph (4) that an encryption product is 
     commercially available outside the United States from a 
     foreign supplier shall be subject to judicial review under 
     the provisions of subchapter II of chapter 5 of title 5, 
     United States Code (commonly referred to as the 
     ``Administrative Procedures Act'').
       (c) Inclusion of Comparable Foreign Encryption Product in a 
     United States Product Not Basis for Export Controls.--A 
     product that incorporates or employs a

[[Page S4721]]

     foreign encryption product, in the way it was intended to be 
     used and that the Board has determined to be commercially 
     available outside the United States, shall be exportable 
     without the need for an export license and without 
     restrictions other than those permitted under this Act, after 
     a 1-time 15-day technical review by the Secretary of 
     Commerce.

     SEC. 306. NO EXPORT CONTROLS ON ENCRYPTION PRODUCTS USED FOR 
                   NONCONFIDENTIALITY PURPOSES.

       (a) Prohibition on New Controls.--The Federal Government 
     shall not restrict the export of encryption products used for 
     nonconfidentiality purposes such as authentication, 
     integrity, digital signatures, nonrepudiation, and copy 
     protection.
       (b) No Reinstatement of Controls on Previously Decontrolled 
     Products.--Those encryption products previously decontrolled 
     and not requiring an export license as of January 1, 1998, as 
     a result of administrative decision or rulemaking shall not 
     require an export license.

     SEC. 307. APPLICABILITY OF GENERAL EXPORT CONTROLS.

       (a) Subject to Terrorist and Embargo Controls.--Nothing in 
     this Act shall be construed to limit the authority of the 
     President under the International Emergency Economic Powers 
     Act, the Trading with the Enemy Act, or the Export 
     Administration Act, to--
       (1) prohibit the export of encryption products to countries 
     that have been determined to repeatedly provide support for 
     acts of international terrorism; or
       (2) impose an embargo on exports to, and imports from, a 
     specific country.
       (b) Subject to Specific Denials for Specific Reasons.--The 
     Secretary of Commerce shall prohibit the export of particular 
     encryption products to an individual or organization in a 
     specific foreign country identified by the Secretary if the 
     Secretary determines that there is substantial evidence that 
     such encryption products will be used for military or 
     terrorist end-use, including acts against the national 
     security, public safety, or the integrity of the 
     transportation, communications, or other essential systems of 
     interstate commerce in the United States.
       (c) Other Export Controls Remain Applicable.--(1) 
     Encryption products shall remain subject to all export 
     controls imposed on such products for reasons other than the 
     existence of encryption capabilities.
       (2) Nothing in this Act alters the Secretary's ability to 
     control exports of products for reasons other than 
     encryption.

     SEC. 308. FOREIGN TRADE BARRIERS TO UNITED STATES PRODUCTS.

       Not later than 180 days after the date of enactment of this 
     Act, the Secretary of Commerce, in consultation with the 
     United States Trade Representative, shall--
       (1) identify foreign barriers to exports of United States 
     encryption products;
       (2) initiate appropriate actions to address such barriers; 
     and
       (3) submit to Congress a report on the actions taken under 
     this section.

  Mr. LEAHY. Mr. President, I am pleased to join Senator Ashcroft, and 
others, in introducing today the ``Encryption Protects the Rights of 
Individuals from Violation and Abuse in Cyberspace,'' or E-PRIVACY Act, 
to reform our nation's cryptography policy in a constructive and 
positive manner. It is time the Administration woke up to the critical 
need for a common sense encryption policy in this country.
  I have been sounding the alarm bells about this issue for several 
years now, and have introduced encryption legislation, with bipartisan 
support, in the last Congress and again in this one, to balance the 
important privacy, economic, national security and law enforcement 
interests at stake. The volume of those alarm bells should be raised to 
emergency sirens.
  Hardly a month goes by without press reports of serious breaches of 
computer security that threaten our critical infrastructures, including 
Defense Department computer systems, the telephone network, or computer 
systems for airport control towers. The lesson of these computer 
breaches--often committed by computer savvy teenagers--is that all the 
physical barriers we might put in place can be circumvented using the 
wires that run into every building to support the computers and 
computer networks that are the mainstay of how we do business. A well-
focused cyber-attack on the computer networks that support 
telecommunications, transportation, water supply, banking, electrical 
power and other critical infrastructure systems could wreak havoc on 
our national economy or even jeopardize our national defense or public 
safety.
  We have been aware of the vulnerabilities of our computer networks 
for some time. It became clear to me almost a decade ago, during 
hearings I chaired of the Judiciary Subcommittee on Technology and the 
Law on the risks of high-tech terrorism, that merely ``hardening'' our 
physical space from potential attack is not enough. We must also 
``harden'' our critical infrastructures to ensure our security and our 
safety.
  That is where encryption technology comes in. Encryption can protect 
the security of our computer information and networks. Indeed, both 
former Senator Sam Nunn and former Deputy Attorney General Jamie 
Gorelick, who serve as co-chairs of the Advisory Committee to the 
President's Commission on Critical Infrastructure Protection, have 
testified that ``encryption is essential for infrastructure 
protection.''
  Yet U.S. encryption policy has acted as a deterrent to better 
security. As long ago as 1988, at the High-Tech Terrorism hearings I 
chaired, Jim Woolsey, who later became the director of the Central 
Intelligence Agency, testified about the need to do a better job of 
using encryption to protect our computer networks. Of particular 
concern is the recent testimony of former Senator Sam Nunn that the 
``continuing federal government-private sector deadlock over encryption 
and export policies'' may pose an obstacle to the cooperation needed to 
protect our country's critical infrastructures.
  I have long advocated the use of strong encryption by individuals, 
government agencies and private companies to protect their valuable and 
confidential computer information. Moreover, as more Americans every 
year use the Internet and other computer networks to obtain critical 
medical services, and conduct their personal and business affairs, 
maintaining the privacy and confidentiality of our computer 
communications both here and abroad has only grown in importance. As an 
avid computer user and Internet surfer myself, I care deeply about 
protecting individual privacy and encouraging the development of the 
Internet as a secure and trusted communications medium.
  Encryption is the key to protecting the privacy of our online 
communications and electronic records by ensuring that only the people 
we choose can read those communications and records. That is why the 
primary thrust of the encryption legislation I have introduced is to 
encourage--and not stand in the way of--the widespread use of strong 
encryption.
  Strong encryption serves as a crime prevention shield to stop 
hackers, industrial spies and thieves from snooping into private 
computer files and stealing valuable proprietary information. 
Unfortunately, we still have a long away to go to reform our country's 
encryption policy to reflect that this technology is a significant 
crime and terrorism prevention tool.
  Even as our law enforcement and intelligence agencies try to slow 
down the widespread use of strong encryption, technology continues to 
move forward. Ironically, foot-dragging by the Administration on export 
controls is driving encryption technology, expertise and manufacturing 
overseas where we will lose even more control over its proliferation.
  Indeed, due to the sorry state of our export controls on encryption, 
we are seeing rising numbers of our high-tech companies turning to 
overseas firms as suppliers of the strong encryption demanded by their 
customers. For example, Network Associates recently announced that it 
will make strong encryption software developed in the United States 
available through a Swiss company. Other companies, including Sun 
Microsystems, are cooperating with foreign firms to manufacture and 
distribute overseas strong encryption software originally developed 
here at home.
  Encryption technology, invented with American ingenuity, will now be 
manufactured and distributed in Europe, and imported back into this 
country.
  Driving encryption expertise overseas is extremely short-sighted and 
poses a real threat to our national security. Driving high-tech jobs 
overseas is a threat to our economic security, and stifling the 
widespread, integrated use of strong encryption is a threat to our 
public safety. The E-PRIVACY Act would reverse the incentives for 
American companies to look abroad for strong encryption by relaxing our 
export controls.
  Specifically, the bill would grant export license exceptions, after a 
one-time technical review, for mass market products with encryption 
capabilities,

[[Page S4722]]

products which do not themselves provide encryption but are capable of 
interoperating with encryption products, and customized hardware and 
software with encryption capabilities so long as foreign products with 
comparable encryption are available.
  At the same time, the bill retains important restrictions on 
encryption exports for military end-uses or to terrorist-designated or 
embargoed countries, such as Cuba and North Korea. It also affirms the 
continued authority of the Secretary of Commerce over encryption 
exports and assures that before export, the Secretary is able to 
conduct a one-time technical review of all encryption products to 
ensure that the product works as represented.
  The E-PRIVACY Act puts to rest the specter of domestic controls on 
encryption. This legislation bars government-mandated key recovery (or 
key escrow encryption) and ensures that all computer users are free to 
choose any encryption method to protect the privacy of their online 
communications and computer files.
  At the heart of the encryption debate is the power this technology 
gives computer users to choose who may access their communications and 
stored records, to the exclusion of all others. For the same reason 
that encryption is a powerful privacy enhancing tool, it also poses 
challenges for law enforcement. Law enforcement agencies want access 
even when we do not choose to give it. We are mindful of these national 
security and law enforcement concerns that have dictated the 
Administration's policy choices on encryption.
  With the appropriate procedural safeguards in place, law enforcement 
agencies should be able to get access to decryption assistance. The E-
PRIVACY Act contains a number of provisions designed to address these 
concerns, including a new criminal offense for willful use of 
encryption to hide incriminating evidence from law enforcement 
detection, establishment of a NET Center to help federal, state and 
local law enforcement stay abreast of advanced technologies, and 
explicit procedures for law enforcement to obtain decryption assistance 
from third parties for encrypted communications or records to which law 
enforcement has lawful access.
  One of the starkest deficiencies in the Administration's key recovery 
proposals has always been the question of foreign government access. 
The Administration has sought reciprocal relationships with foreign 
governments as a critical part of an effective global key recovery 
system. Yet many Americans and American companies are rightfully 
concerned about the terms under which foreign governments would get 
access to decryption assistance. The E-PRIVACY Act makes clear what 
those terms will be and ensures that foreign governments will not get 
access to private decryption keys, but only, at most, plaintext.
  This is not just an important issue for the privacy and security of 
Americans; it also is a significant human rights issue. Today, human 
rights organizations worldwide are using encryption to protect their 
work and the lives of investigators, witnesses and victims overseas. 
Amnesty International uses it. Human Rights Watch uses it. The human 
rights program in the American Association for the Advancement of 
Science uses it. It is used to protect witnesses who report human 
rights abuses in the Balkans, in Burma, in Guatemala, in Tibet. I have 
been told about a number of other instances in which strong encryption 
has been used to further the causes of democracy and human rights.

  For example, in the ongoing trial of Argentinean military officers in 
Spain, on charges of genocide and terrorism arising out of the ``dirty 
war,'' the human rights group Derechos uses the encryption program 
Pretty Good Privacy (PGP)--which the United States government tried to 
keep out of the hands of foreigners--to encrypt particularly 
confidential messages that go between Spain and Argentina, to stop the 
Argentinean intelligence forces from being able to read them and so try 
to jeopardize the trial.
  A group in Guatemala is using a computer database to track the names 
of witnesses to military massacres. A South African organization keeps 
the names of applicants for amnesty for political crimes carried out in 
South Africa during the apartheid regime. Workers at both groups could 
be subject to intimidation, harassment, or murder by those intent on 
preventing the public discussion and analysis of the claims. Both 
systems are protected by strong cryptography.
  A not-for-profit agency working for human rights in the Balkans uses 
PGP to protect all sensitive files. Its offices have been raided by 
various police forces looking for evidence of ``subversive 
activities.'' Last year in Zagreb, security police raided its office 
and confiscated its computers in the hope of retrieving information 
about the identity of people who had complained about human rights 
abuses by the authorities. PGP allowed the group to communicate and 
protect its files from any attempt to gain access. The director of the 
organization spent 13 days in prison for not opening his encrypted 
files but has said ``it was a very small price to pay for protecting 
our clients.''
  The Iraqi National Congress, a group opposing Saddam Hussein with 
offices in London and supporters inside Iraq, uses encrypted e-mail to 
communicate with its supporters inside Iraq. (Non-governmental Internet 
connections are banned in Iraq, but the dissidents within Iraq access 
e-mail by dialing outside the country with satellite telephones).
  Burmese human rights activists working in the relative safe haven of 
Thailand use encryption when communicating on-line, because the Thai 
government maintains diplomatic relations with the Burmese government 
and is expected to turn over information to the Burmese authorities.
  The FBI has argued that lives may be lost in sensitive terrorist and 
other investigations if government agencies do not have access to 
private encryption keys. However, the reverse is equally true: weak 
encryption or easy government access to decryption assistance could 
jeopardize lives as well.
  Finally, the E-PRIVACY Act contains provisions to enhance the privacy 
protections for communications, even when encryption is not employed. 
Specifically, the bill would require law enforcement to obtain a court 
order based on probable cause before using a cellular telephone as a 
tracking device. In addition, the bill would require law enforcement 
agencies to obtain a court order or provide notice when seizing 
electronic records that a person stores on a computer network rather 
than on the hard drive of his or her own personal computer. Finally, 
the bill grants Federal judges authority to evaluate the reasons 
proffered by a prosecutor for issuance of an ex parte pen register or 
trap and trace device order, by contrast to their mere ministerial 
authority under current law.
  In sum, the E-PRIVACY Act accomplishes the eight goals that Senator 
Ashcroft and I set out during our April 2, 1998, colloquy on the floor. 
Specifically, we sought to craft legislation that promotes the 
following principles:
  First, ensure the right of Americans to choose how to protect the 
privacy and security of their communications and information;
  Second, bar a government-mandated key escrow encryption system;
  Third, establish both procedures and standards for access by law 
enforcement to decryption keys or decryption assistance for both 
encrypted communications and stored electronic information and only 
permit such access upon court order authorization, with appropriate 
notice and other procedural safeguards;
  Fourth, establish both procedures and standards for access by foreign 
governments and foreign law enforcement agencies to the plaintext of 
encrypted communications and stored electronic information of United 
States persons;
  Fifth, modify the current export regime for encryption to promote the 
global competitiveness of American companies;
  Sixth, avoid linking the use of certificate authorities with key 
recovery agents or, in other words, not link the use of encryption for 
confidentiality purposes with use of encryption for authenticity and 
integrity purposes;
  Seventh, consistent with these goals of promoting privacy and the 
global competitiveness of our high-tech industries, help our law 
enforcement agencies and national security agencies deal with the 
challenges posed by the use of encryption; and

[[Page S4723]]

  Eighth, protect the security and privacy of information provided by 
Americans to the government by ensuring that encryption products used 
by the government interoperate with commercial encryption products.
  Resolving the encryption debate is critical for our economy, our 
national security and our privacy. This is not a partisan issue. This 
is not a black-and-white issue of being either for law enforcement and 
national security or for Internet freedom. Characterizing the debate in 
these simplistic terms is neither productive nor accurate.
  Delays in resolving the encryption debate hurt most the very public 
safety and national security interests that are posed as obstacles to 
resolving this issue. We need sensible solutions in legislation that 
will not be subject to change at the whim of agency bureaucrats.
  Every American, not just those in the software and high-tech 
industries and not just those in law enforcement agencies, has a stake 
in the outcome of this debate. We have a legislative stalemate right 
now that needs to be resolved, and I hope to work closely with my 
colleagues and the Administration on a solution.
  I ask unanimous consent that the sectional summary for the ``E-
PRIVACY Act'' be printed in the Record.
  There being no objection, the summary was ordered to be printed in 
the Record, as follows:

              Section-by-Section Analysis of E-Privacy Act

       Sec. 1. Short Title.--The Act may be cited as the 
     ``Encryption Protects the Rights of Individuals from 
     Violation and Abuse in CYberspace (E-PRIVACY) Act.''
       Sec. 2 Purposes.--The Act would ensure that Americans have 
     the maximum possible choice in encryption methods to protect 
     the security, confidentiality and privacy of their lawful 
     wire and electronic communications and stored electronic 
     information. The Act would also promote the privacy and 
     constitutional rights of individuals and organizations and 
     the security of critical information infrastructures. 
     Finally, the Act would establish privacy standards and 
     procedures for law enforcement officers to follow to obtain 
     decryption assistance for encrypted communications and 
     information.
       Sec. 3 Findings.--The Act enumerates sixteen congressional 
     findings, including that a secure, private and trusted 
     national and global information infrastructure is essential 
     to promote citizens' privacy, economic growth and meet the 
     needs of both American citizens and businesses, that 
     encryption technology widely available worldwide can help 
     meet those needs, that Americans should be free to use, and 
     American businesses free to compete and sell, encryption 
     technology, programs and products, and that there is a need 
     to develop a national encryption policy to advance the global 
     information infrastructure and preserve Americans' right to 
     privacy and the Nation's public safety and national security.
       Sec. 4 Definitions.--The terms ``agency'', ``person'', 
     ``remote computing service'' and ``state'' have the same 
     meaning given those terms in specified sections of title 18, 
     United States Code.
       Additional definitions are provided for the following 
     terms:
       The terms ``encrypt'' and ``encryption'' mean the use of 
     mathematical formulas or algorithms to scramble or descramble 
     electronic data or communications for purposes of 
     confidentiality, integrity, or authenticity. As defined, the 
     terms cover a broad range of scrambling techniques and 
     applications including cryptographic applications such as PGP 
     or RSA's encryption algorithms; stegonagraphy; 
     authentication; and winnowing and chafing.
       The term ``encryption product'' includes any hardware, 
     software, devices, or other technology with encryption 
     capabilities, whether or not offered for sale or 
     distribution. A particular encryption product includes 
     subsequent versions of the product, if the encryption 
     capabilities remain the same.
       The term ``exportable'' means the ability to transfer, 
     ship, or transmit to foreign users. The term includes the 
     ability to electronically transmit via the Internet.
       The term ``key'' means the variable information used in or 
     produced by a mathematical formula to encrypt or decrypt wire 
     or electronic communications, or electronically stored 
     information.
       The term ``technical review'' means a review by the 
     Secretary of Commerce based on information about a product's 
     encryption capabilities supplied by the manufacturer that an 
     encryption product works as represented.


     title i--privacy protection for communications and electronic 
                              information

       Sec. 101. Freedom to use Encryption.
       (a) In General.--The Act legislatively confirms current 
     practice in the United States that any person in this country 
     may lawfully use any encryption method, regardless of 
     encryption algorithm, key length, existence of key recovery 
     or other plaintext access capability, or implementation 
     selected. Specifically, the Act states the freedom of any 
     person in the U.S., as well as U.S. persons in a foreign 
     country, to make, use, import, and distribute any encryption 
     product without regard to its strength or the use of key 
     recovery, subject to the other provisions of the Act.
       (b) Prohibition on Government-Compelled Key Escrow or Key 
     Recovery Encryption.--The Act prohibits any federal or state 
     agency from compelling the use of key recovery systems or 
     other plaintext access systems. Agencies may not set 
     standards, or condition approval or benefits, to compel use 
     of these systems. U.S. agencies may not require persons to 
     use particular key recovery products for interaction with the 
     government. These prohibitions do not apply to systems for 
     use solely for the internal operations and telecommunications 
     systems of a U.S. or a State government agency.
       (c) Use of Encryption For Authentication or Integrity 
     Purposes.--The Act requires that the use of encryption 
     products shall be voluntary and market-driven, and no federal 
     or state agency may link the use of encryption for 
     authentication or identity (such as through certificate 
     authority and digital signature systems) to the use of 
     encryption for confidentiality purposes. For example, some 
     Administration proposals would condition receipt of a digital 
     certificate from a licensed certificate authority on the use 
     of key recovery. Such conditions would be prohibited.
       Sec. 102. Purchase and Use of Encryption Products by the 
     Federal Government.--The Act authorizes agencies of the 
     United States to purchase encryption products for internal 
     governmental operations and telecommunications systems. To 
     ensure that secure electronic access to the Government is 
     available to persons outside of and not operating under 
     contract with Federal agencies, the Act requires that any key 
     recovery features in encryption products used by the 
     Government interoperate with commercial encryption products.
       Sec. 103. Enhanced Privacy Protection For Electronic 
     Records on Computer Networks.--The Act adds a new subsection 
     (g) to section 2703 of title 18, United States Code, to 
     extend privacy protections to electronic information stored 
     on computer networks.
       Under United States v. Miller, 425 U.S. 435 (1976) 
     (customer has no standing to object to bank disclosure of 
     customer records) and its progeny, records in the possession 
     of third parties do not receive Fourth Amendment protection. 
     When held in a person's home, such records can only be seized 
     pursuant to a warrant based upon probable cause, or compelled 
     under a subpoena which can be challenged and quashed. In both 
     these instances, the record owner has notice of the search 
     and an opportunity to challenge it. By contrast, production 
     of records held by third parties can be compelled by a 
     governmental agent with a subpoena to the third party holding 
     the information, without notice to the person to whom the 
     records belong or pertain. The record owner may never receive 
     notice or any meaningful opportunity to challenge the 
     production.
       This lack of protection for records held by third parties 
     presents new privacy problems in the information age. With 
     the rise of network computing, electronic information that 
     was previously held on a person's own computer is 
     increasingly stored elsewhere, such as on a network server or 
     an ISP's computers. In many cases the location of such 
     information is not even known to the record's owner.
       The Act amends section 2703 to extend the same privacy 
     protections to a person's records whether storage takes place 
     on that person's personal computer in their possession or in 
     networked electronic storage. The term ``networked electronic 
     storage'' applies to electronic records held by a third 
     party, who is not authorized to access the contents of the 
     record except in connection with providing storage services, 
     and where the person who created the record is able to access 
     and modify the record remotely through electronic means. 
     Electronic data stored incident to transmission (such as e-
     mail) and covered under 2703(a) is not included.
       The new section 2703(g) requires that a governmental entity 
     may only require disclosure of electronic records in 
     ``networked electronic storage'' pursuant to (i) a state or 
     federal warrant (based upon probable cause), with a copy to 
     be served on the record owner at the same time the warrant 
     is served on the record holder; (ii) a subpoena that must 
     also be served on the record owner with a meaningful 
     opportunity to challenge the subpoena; or (iii) the 
     consent of the record owner.
       Sec. 104. Government Access to Location Information.--The 
     Act adds a new subsection (h) to section 2703 of title 18, 
     United States Code, to extend privacy protections for 
     physical location information generated on a real time basis 
     by mobile electronic communications services, such as 
     cellular telephones. This section requires that when cellular 
     telephones are used as contemporaneous tracking devices, the 
     physical location information generated by the service 
     provider may only be released to a governmental entity 
     pursuant to a court order based upon probable cause.
       Sec. 105. Enhanced Privacy Protection for Transactional 
     Information Obtained From Pen Registers or Trap and Trace 
     Devices.--The Act enhances privacy protections for 
     information obtained from pen register and trap and trace 
     devices by amending section 3123(a) of title 18, United 
     States

[[Page S4724]]

     Code. This amendment would not change the standard for 
     issuance of an ex parte order authorizing use of a pen 
     register or trap and trace device, but would grant a court 
     authority to review the information presented in a 
     certification by the prosecuting attorney to determine 
     whether the information likely to be obtained is relevant to 
     an ongoing criminal investigation. Under current law, the 
     court is relegated to a mere ministerial function and must 
     issue the order upon presentation of a certification.
       In addition, the amendment requires law enforcement to 
     minimize the information obtained from the pen register or 
     trap and trace device that is not related to the dialing and 
     signaling information utilized in call processing. Currently, 
     such devices capture not just such dialing information but 
     also any other dialed digits after a call has been completed.


                  TITLE II--LAW ENFORCEMENT ASSISTANCE

       Sec. 201. Encrypted Wire or Electronic Communications and 
     Stored Electronic Communications.--The Act adds a new chapter 
     124 to Title 18, Part I, governing the unlawful use of 
     encryption, protections and standards for governmental 
     access, including foreign governments, to decryption 
     assistance from third parties, and establishment of a ``Net 
     Center'' to assist law enforcement in dealing with advanced 
     technologies, such as encryption.
       (a) In General.--New chapter 124 has six sections. This 
     chapter applies to wire or electronic communications and 
     communications in electronic storage, as defined in 18 U.S.C. 
     Sec. 2510, and to stored electronic data. Thus, this chapter 
     describes procedures for law enforcement to obtain assistance 
     in decrypting encrypted electronic mail messages, encrypted 
     telephone conversations, encrypted facsimile transmissions, 
     encrypted computer transmissions and encrypted file transfers 
     over the Internet that are lawfully intercepted pursuant to a 
     wiretap order, under 18 U.S.C. Sec. 2518, or obtained 
     pursuant to lawful process, under 18 U.S.C. Sec. 2703, and 
     encrypted information stored on computers that are seized 
     pursuant to a search warrant or other lawful process.
       Sec. 2801. Definitions.--Generally, the terms used in the 
     new chapter have the same meanings as in the federal wiretap 
     statute, 18 U.S.C. Sec. 2510. Definitions are provided for 
     ``decryption assistance'', ``decryption key'', ``encrypt; 
     encryption'', ``foreign government'' and ``official 
     request''.
       Sec. 2802. Unlawful use of encryption.--This section 
     creates a new federal crime for knowingly and willfully using 
     encryption during the commission of a Federal felony offense, 
     with the intent to conceal that information for the purpose 
     of avoiding detection by law enforcement. This new offense 
     would be subject to a fine and up to 5 years' imprisonment 
     for a first offense, and up to 10 years' imprisonment for a 
     second or subsequent offense.
       Sec. 2803. Access to decryption assistance for 
     communications.--In the United States today, decryption keys 
     and other decryption assistance held by third parties 
     constitute third party records and may be disclosed to a 
     governmental entity with a subpoena or an administrative 
     request, and without any notice to the owner of the encrypted 
     data. Such a low standard of access creates new problems in 
     the information age because encryption users rely heavily on 
     the integrity of keys to protect personal information or 
     sensitive trade secrets, even when those keys are placed in 
     the hands of trusted agents for recovery purposes.
       Under new section 2803, in criminal investigations a third 
     party holding decryption keys or other decryption assistance 
     for wire or electronic communications may be required to 
     release such assistance pursuant to a court order, if the 
     court issuing the order finds that such assistance is needed 
     for the decryption of communications covered by the order. 
     Specifically, such an order for decryption assistance may be 
     issued upon a finding that the key or assistance is necessary 
     to decrypt communications or stored data lawfully intercepted 
     or seized. The standard for release of the key or provision 
     of decryption assistance is tied directly to the problem at 
     hand: the need to decrypt a message or information that the 
     government is otherwise authorized to intercept or obtain.
       This will ensure that third parties holding decryption keys 
     or decryption information need respond to only one type of 
     compulsory process--a court order. Moreover, this Act will 
     set a single standard for law enforcement, removing any extra 
     burden on law enforcement to demonstrate, for example, 
     probable cause for two separate orders (i.e., for the 
     encrypted communications or information and for decryption 
     assistance) and possibly before two different judges (i.e., 
     the judge issuing the order for the encrypted communications 
     or information and the judge issuing the order to the third 
     party able to provide decryption assistance).
       The Act reinforces the principle of minimization. The 
     decryption assistance provided is limited to the minimum 
     necessary to access the particular communications or 
     information specified by court order. Under some key recovery 
     schemes, release of a key holder's private key--rather than 
     an individual session key--might provide the ability to 
     decrypt every communication or stored file ever encrypted by 
     a particular key owner, or by every user in an entire 
     corporation, or by every user who was ever a customer of the 
     key holder. The Act protects against such over broad releases 
     of keys by requiring the court issuing the order to find that 
     the decryption assistance being sought is necessary. Private 
     keys may only be released if no other form of decryption 
     assistance is available.
       Notice of the assistance given will be included as part of 
     the inventory provided to subjects of the interception 
     pursuant to current wiretap law standards.
       For foreign intelligence investigations, new section 2803 
     allows FISA orders to direct third-party holders to release 
     decryption assistance if the court finds the assistance is 
     needed to decrypt covered communications. Minimization is 
     also required, though no notice is provided to the target of 
     the investigation.
       Under new section 2803, decryption assistance is only 
     required under third-parties (i.e., other than those whose 
     communications are the subject of interception), thereby 
     avoiding self-incrimination problems.
       Finally, new section 2803 generally prohibits any person 
     from providing decryption assistance for another person's 
     communications to a governmental entity, except pursuant to 
     the orders described.
       Sec. 2804. Access to decryption assistance for stored 
     electronic communications or records.--New section 2804 
     governs access to decryption assistance for stored electronic 
     communications and records.
       As noted above, under current law third party decryption 
     assistance may be disclosed to a governmental entity with a 
     subpoena or even a mere request and without notice. This 
     standard is particularly problematic for stored encrypted 
     data, which may exist in insecure media but rely on 
     encryption to maintain security; in such cases easy access to 
     keys destroys the encryption security so heavily relied upon.
       Under new section 2804, third parties holding decryption 
     keys or other decryption assistance for stored electronic 
     communications may only release such assistance to a 
     governmental entity pursuant to (1) a state or federal 
     warrant (based upon probable cause), with a copy to be served 
     on the record owner at the same time the warrant is served on 
     the record holder; (2) a subpoena that must also be served on 
     the record owner with a meaningful opportunity to challenge 
     the subpoena; or (3) the consent of the record owner. This 
     standard closely mirrors the protection that would be 
     afforded to encryption keys that are actually kept in the 
     possession of those whose records were encrypted. In the 
     specific case of decryption assistance for communications 
     stored incident to transit (such as e-mail), notice may be 
     delayed under the standards laid out for delayed notice under 
     current law in section 2705(a)(2) of title 18, United States 
     Code.
       Sec. 2805. Foreign government access to decryption 
     assistance.--New section 2805 creates standards for the U.S. 
     government to provide decryption assistance to foreign 
     governments. No law enforcement officer would be permitted to 
     release decryption keys to a foreign government, but only to 
     provide decryption assistance in the form of producing 
     plaintext. No officer would be permitted to provide 
     decryption assistance except upon an order requested by the 
     Attorney General or designee. Such an order could require the 
     production of decryption keys or assistance to the Attorney 
     General only if the court finds that (1) the assistance is 
     necessary to decrypt data the foreign government is 
     authorized to intercept under foreign law; (2) the foreign 
     country's laws provide ``adequate protection against 
     arbitrary interference with respect to privacy rights''; and 
     (3) the assistance is sought for a criminal investigation of 
     conduct that would violate U.S. criminal law if committed in 
     the United States.
       Sec. 2806. Establishment and operations of National 
     Electronic Technologies Center.--This section establishes a 
     National Electronic Technologies Center (``NET Center'') to 
     serve as a focal point for information and assistance to 
     federal, state, and local law enforcement authorities to 
     address the technical difficulties of obtaining plaintext of 
     communications and electronic information through the use of 
     encryption, steganography, compression, multiplexing, and 
     other techniques.


               title iii--exports of encryption products

       Sec. 301. Commercial Encryption Products.
       (a) Provisions Applicable to Commercial Products.--This 
     title applies to all encryption products other than those 
     specifically designed or modified for military use.
       (b) Control by Secretary of Commerce.--This section grants 
     exclusive authority to the Secretary of Commerce (the 
     ``Secretary'') to control commercial encryption product 
     exports.
       Sec. 302. License Exception for Mass Market Products.
       (a) Export Control Relief.--The Act permits export under a 
     license exception of generally available, mass market, 
     encryption products, which by their nature are uncontrollable 
     given the volume sold and ease of distribution, without a 
     license or restrictions, other than those permitted under 
     this Act, after a 1-time 15-day technical review by the 
     Secretary.
       (b) Definitions.--This section defines ``generally 
     available'' as a product offered for sale, license, or 
     transfer, including over-the-counter sales, mail or phone 
     order transactions, electronic distribution, or sale on 
     approval and not designed, developed or customized by the 
     manufacturer for specific purchasers (except for installation 
     or configuration parameters).

[[Page S4725]]

       (c) Commerce Department Assurance.--This section permits 
     requests from manufacturers or exporters to the Secretary for 
     written assurance that a product is ``generally available,'' 
     and requires that the Secretary notify the petitioner of a 
     decision within 30 days. This section prohibits imposition of 
     liability or sanctions on petitioners who receive such a 
     written assurance for failing to obtain an export license.
       Sec. 303. License Exception for Products Without Encryption 
     Capable of Working With Encryption Products.
       This section permits export under a license exception of 
     products, which do not provide any encryption themselves, but 
     that are capable of working with encryption products, without 
     restriction other than those permitted under this Act, after 
     a 1-time, 15 day technical review by the Secretary.
       Sec. 304. License Exception For Product Support and 
     Consulting Services.
       (a) No Additional Export Controls Imposed if Underlying 
     Product Covered by License Exception.--This section permits 
     export of product support and consulting services, including 
     technical assistance and technical data associated with the 
     installation and maintenance of mass market encryption 
     products or products capable of working with encryption 
     products without an export license and without restrictions 
     other than those permitted under this Act.
       (b) Definitions.--This section defines technical assistance 
     as services, such as instruction, skills training, working 
     knowledge, consulting services and transfer of technical 
     data. ``Technical data'' is defined as information, including 
     blueprints, plans, diagrams, models, formulae, table, 
     engineering designs and specifications, manuals and 
     instructions.
       Sec. 304. License Exception When Comparable Foreign 
     Products Available.
       (a) Foreign Availability Standard.--This section permits 
     unrestricted export of customized encryption hardware and 
     software products (i.e., not generally available mass market 
     products) if a foreign encryption product using the same or 
     greater key length or providing comparable security is, or 
     will within 18 months, be commercially available outside the 
     United States.
       (b) Determination of Foreign Availability.--This section 
     establishes an Encryption Export Advisory Board (the 
     ``Board''), which is chaired by the Under Secretary of 
     Commerce for Export Administration, with seven Presidential 
     appointees (3 government and 4 private sector 
     representatives); and four Congressional appointees from the 
     private sector. The Board is required to meet at the call of 
     the Chairman, or if there are any pending applications for a 
     license exception, the Board shall meet at least once every 
     30 days.
       The primary duties of the Board shall be to determine 
     whether comparable foreign encryption products are 
     commercially available outside the United States. The 
     decision is by majority vote, and must be made within 30 days 
     of receipt of application for a license exception. The Board 
     must notify the Secretary of its determination, and submit a 
     report to the President within 30 days. Board meetings are 
     exempt from the Federal Advisory Committee Act.
       The Secretary is required to approve or disapprove each 
     Board determination within 30 days of receipt of that 
     determination, notify the Board of the approval or 
     disapproval, and publish notice of the approval or 
     disapproval in the Federal Register. The notice shall include 
     an explanation in detail of the reasons for the decision, 
     including why and how continued export controls will be 
     effective and the amount of lost sales and market share of 
     U.S. encryption product which resulted. Judicial review of 
     the Secretary's decision to disapprove a Board decision that 
     a product is commercially available is permitted.
       (c) Inclusion of Comparable Foreign Encryption Products in 
     a United States Product Not Baiss for Export Controls.--This 
     section permits export under a license exception of products 
     incorporating or employing a foreign encryption product in 
     the way it was intended to be used and that the Board has 
     determined to be commercially available outside the United 
     States, without an export license and without restrictions 
     other than those under the Act, after a 1-time 15 day review 
     by the Secretary.
       Sec. 306. No Export Controls on Encryption Products Used 
     For Nonconfidentiality Purposes.
       (a) Prohibition on New Controls.--This section prohibits 
     restrictions on encryption exports used for 
     nonconfidentiality purposes such as authentication, 
     integrity, digital signatures, nonrepudiation and copy 
     protection.
       (b) No Reinstatement of Controls on Previously Decontrolled 
     products.--This section prohibits administratively imposed 
     encryption controls on previously decontrolled products not 
     requiring an export license as of January 1, 1998.
       Sec. 307. Applicability of General Export Controls.
       (a) Subject to Terrorists and Embargo Controls.--Nothing in 
     the Act shall limit the President's authority under the 
     International Emergency Economic Powers Act, the Trading With 
     the Enemy Act, or the Export Administration Act to prohibit 
     export of encryption products to countries that have 
     repeatedly provided support for international terrorism, or 
     impose an embargo on exports or imports from a specific 
     country.
       (b) Subject to Specific Denials for Specific Reasons.--The 
     Secretary is required to prohibit export of encryption 
     products to an individual or organization in a specific 
     foreign country identified by the Secretary, if the Secretary 
     determines that there is substantial evidence that such 
     encryption product will be used for military or terrorist 
     end-use, including acts against the critical infrastructure 
     of the United States.
       (c) Other Export Controls Remain Applicable.--Encryption 
     products remain subject to all export controls imposed for 
     reasons other than the existence of encryption capabilities, 
     and the Secretary retains the authority to control exports of 
     products for reasons other than encryption.
       Sec. 308. Foreign Trade Barriers to United States Products.
       The Secretary, in consultation with the United States Trade 
     Representative, is required within 180 days of enactment of 
     the Act to: (1) identify foreign barriers to the export of 
     U.S. encryption products; (2) initiate appropriate actions to 
     address such barriers; and (3) submit to Congress a report on 
     the actions taken under this section.
  Mr. BURNS. Mr. President, I stand before the chamber today in support 
of the e-Privacy Act because the very future of electronic commerce on 
the Internet is being held hostage to cold-war era export controls. 
These outdated regulations tie the hands of the U.S. high technology 
industry and pose a threat to privacy and security of all Americans who 
use the Internet. Despite some small concessions by the Administration, 
the competitive advantage of the U.S. high technology industries and 
the privacy and security of our citizens remain trapped by the Clinton 
Administration's outdated policy.
  The e-Privacy Act will relax current export controls on encryption 
technologies so that U.S. companies can effectively compete in the 
global marketplace. The bill will also prevent the government from 
mandating risky and expensive ``key-recovery'' or ``key-escrow'' 
encryption systems domestically. It's a good bill, it has broad support 
from the computer and communications industry, Internet users, and 
privacy advocates from both the left and right of the political 
spectrum.
  The Clinton Administration has expressed concerns about the impact 
the e-Privacy Act would have on the legitimate needs of law enforcement 
and national security. My colleagues and I do not take their concerns 
lightly. Several provisions in the e-Privacy Act address the 
Administration's valid concerns while at the same time freeing U.S. 
companies to effectively compete in the global marketplace, and 
ensuring that the American people can trust the Internet as a secure 
means of commerce, education, and free expression of ideas.
  The e-Privacy Act would create a National Electronic Technology 
Center (``NET Center'') to serve as a central point for information and 
assistance to federal, state, and local law enforcement authorities to 
address the technical difficulties of obtaining electronic information 
because of encryption. National security and law enforcement would be 
given seats at the table in making these determinations. Once again, I 
am very sensitive to the legitimate needs of national security and law 
enforcement, and I think the provisions made in the e-Privacy Act 
address them.
  The e-Privacy Act also extends to citizens that same privacy rights 
that they have in their homes to their digital property in cyberspace. 
The bill would require a court order or subpoena to obtain either the 
plaintext or decryption key from their parties. I believe that this is 
the correct approach.
  Citizens are also specifically given the right to use whatever kind 
of encryption software at whatever strength they choose. The bill 
recognizes the folly of requiring the government to create procedures 
to license ``key certificate authorities'' and ``key-recovery agents,'' 
as well as require the development of a massive and complicated 
infrastructure to ensure that the government could recover the right 
key out of the hundreds of millions of keys in real time.
  On many occasions, the world's leading cryptographers concluded that 
building such a key recovery infrastructure would be prohibitively 
expensive and would create a less secure network. The bill recognizes 
that mandatory key escrow will never work, no one will use it and 
certainly no criminals or other bad actors will use a system that is 
immediately accessible by the government.
  I urge my colleagues to support the e-Privacy Act, which I feel is 
the true compromise package. We all have the same goals in mind--
allowing for the

[[Page S4726]]

continued growth of high tech industries while not harming national 
security. If we move forward with the compromise bill being offered 
today, I am confident we can do both.
                                 ______