[House Report 105-108]
[From the U.S. Government Publishing Office]
105th Congress Rept. 105-108
HOUSE OF REPRESENTATIVES
1st Session Part 4
_______________________________________________________________________
SECURITY AND FREEDOM THROUGH ENCRYPTION (``SAFE'') ACT OF 1997
_______
September 16, 1997.--Ordered to be printed
_______
Mr. Goss, from the Permanent Select Committee on Intelligence,
submitted the following
R E P O R T
together with
ADDITIONAL VIEWS
[To accompany H.R. 695]
[Including cost estimate of the Congressional Budget Office]
The Permanent Select Committee on Intelligence, to whom was
referred the bill (H.R. 695) to amend title 18, United States
Code, to affirm the rights of United States persons to use and
sell encryption and to relax export controls on encryption,
having considered the same, report favorably thereon with an
amendment and recommend that the bill as amended do pass.
The amendment is as follows:
Strike out all after the enacting clause and insert in lieu
thereof the following:
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``Security and Freedom
Through Encryption (`SAFE') Act of 1997''.
(b) Table of Contents.--The table of contents is as follows:
Sec. 1. Short title; table of contents.
Sec. 2. Statement of policy.
TITLE I--DOMESTIC USES OF ENCRYPTION
Sec. 101. Definitions.
Sec. 102. Lawful use of encryption.
Sec. 103. Voluntary private sector participation in key management
infrastructure.
Sec. 104. Unlawful use of encryption.
TITLE II--GOVERNMENT PROCUREMENT
Sec. 201. Federal purchases of encryption products.
Sec. 202. Encryption products purchased with Federal funds.
Sec. 203. Networks established with Federal funds.
Sec. 204. Product labels.
Sec. 205. No private mandate.
Sec. 206. Implementation.
TITLE III--EXPORTS OF ENCRYPTION
Sec. 301. Exports of encryption.
Sec. 302. License exception for certain encryption products.
Sec. 303. License exception for telecommunications products.
Sec. 304. Review for certain institutions.
Sec. 305. Encryption industry and information security board.
TITLE IV--LIABILITY LIMITATIONS
Sec. 401. Compliance with court order.
Sec. 402. Compliance defense.
Sec. 403. Reasonable care defense.
Sec. 404. Good faith defense.
Sec. 405. Sovereign immunity.
Sec. 406. Civil action, generally.
TITLE V--INTERNATIONAL AGREEMENTS
Sec. 501. Sense of congress.
Sec. 502. Failure to negotiate.
Sec. 503. Report to congress.
TITLE VI--MISCELLANEOUS PROVISIONS
Sec. 601. Effect on law enforcement activities.
Sec. 602. Interpretation.
Sec. 603. Severability.
SEC. 2. STATEMENT OF POLICY.
It is the policy of the United States to protect public computer
networks through the use of strong encryption technology, to promote
and improve the export of encryption products developed and
manufactured in the United States, and to preserve public safety and
national security.
TITLE I--DOMESTIC USES OF ENCRYPTION
SEC. 101. DEFINITIONS.
For purposes of this Act:
(1) Attorney for the government.--The term ``attorney for the
Government'' has the meaning given such term in Rule 54(c) of
the Federal Rules of Criminal Procedure, and also includes any
duly authorized attorney of a State who is authorized to
prosecute criminal offenses within such State.
(2) Certificate authority.--The term ``certificate
authority'' means a person trusted by one or more persons to
create and assign public key certificates.
(3) Communications.--The term ``communications'' means any
wire communications or electronic communications as those terms
are defined in paragraphs (1) and (12) of section 2510 of title
18, United States Code.
(4) Court of competent jurisdiction.--The term ``court of
competent jurisdiction'' means any court of the United States
organized under Article III of the Constitution of the United
States, the court organized under the Foreign Intelligence
Surveillance Act of 1978 (50 U.S.C. 1801 et seq.), or a court
of general criminal jurisdiction of a State authorized pursuant
to the laws of such State to enter orders authorizing searches
and seizures.
(5) Data network service provider.--The term ``data network
service provider'' means a person offering any service to the
general public that provides the users thereof with the ability
to transmit or receive data, including communications.
(6) Decryption.--The term ``decryption'' means the
retransformation or unscrambling of encrypted data, including
communications, to its readable plaintext version. To
``decrypt'' data, including communications, is to perform
decryption.
(7) Decryption information.--The term ``decryption
information'' means information or technology that enables one
to readily retransform or unscramble encrypted data from its
unreadable and incomprehensible format to its readable
plaintext version.
(8) Electronic storage.--The term ``electronic storage'' has
the meaning given that term in section 2510(17) of title 18,
United States Code.
(9) Encryption.--The term ``encryption'' means the
transformation or scrambling of data, including communications,
from plaintext to an unreadable or incomprehensible format,
regardless of the technique utilized for such transformation or
scrambling and irrespective of the medium in which such data,
including communications, occur or can be found, for the
purposes of protecting the content of such data, including
communications. To ``encrypt'' data, including communications,
is to perform encryption.
(10) Encryption product.--The term ``encryption product''
means any software, technology, or mechanism, that can be used
to encrypt or decrypt, or has the capability of encrypting or
decrypting any data, including communications.
(11) Foreign availability.--The term ``foreign availability''
has the meaning applied to foreign availability of encryption
products subject to controls under the Export Administration
Regulations, as in effect on September 1, 1997.
(12) Government.--The term ``Government'' means the
Government of the United States and any agency or
instrumentality thereof, or the government of any State.
(13) Investigative or law enforcement officer.--The term
``investigative or law enforcement officer'' has the meaning
given that term in section 2510(7) of title 18, United States
Code.
(14) Key recovery agent.--The term ``key recovery agent''
means a person trusted by another person or persons to hold and
maintain sufficient decryption information to allow for the
immediate decryption of the encrypted data or communications of
another person or persons for whom that information is held,
and who holds and maintains that information as a business or
governmental practice, whether or not for profit. The term
``key recovery agent'' includes any person who holds his or her
decryption information.
(15) National security.--The term ``national security'' means
the national defense, foreign relations, or economic interests
of the United States.
(16) Plaintext.--The term ``plaintext'' means the readable or
comprehensible format of data, including communications, prior
to its being encrypted or after it has been decrypted.
(17) Plainvoice.--The term ``plainvoice'' means communication
specific plaintext.
(18) Secretary.--The term ``Secretary'' means the Secretary
of Commerce, unless otherwise specifically identified.
(19) State.--The term ``State'' has the meaning given that
term in section 2510(3) of title 18, United States Code.
(20) Telecommunications carrier.--The term
``telecommunications carrier'' has the meaning given that term
in section 102(8) of the Communications Assistance for Law
Enforcement Act (47 U.S.C. 1001(8)).
(21) Telecommunications system.--The term
``telecommunications system'' means any equipment, technology,
or related software used in the movement, switching,
interchange, transmission, reception, or internal signaling of
data, including communications over wire, fiber optic, radio
frequency, or other medium.
(22) United states person.--The term ``United States person''
means--
(A) any citizen of the United States;
(B) any other person organized under the laws of any
State; and
(C) any person organized under the laws of any
foreign country who is owned or controlled by
individuals or persons described in subparagraphs (A)
and (B).
SEC. 102. LAWFUL USE OF ENCRYPTION.
Except as otherwise provided by this Act or otherwise provided by
law, it shall be lawful for any person within any State and for any
United States person to use any encryption product, regardless of
encryption algorithm selected, encryption key length chosen, or
implementation technique or medium used.
SEC. 103. VOLUNTARY PRIVATE SECTOR PARTICIPATION IN KEY MANAGEMENT
INFRASTRUCTURE.
(a) Use is Voluntary.--The use of certificate authorities or key
recovery agents is voluntary.
(b) Regulations.--The Secretary shall promulgate regulations
establishing standards for creating key management infrastructures.
Such regulations should--
(1) allow for the voluntary participation by private persons
and non-Federal entities; and
(2) promote the development of certificate authorities and
key recovery agents.
(c) Registration of Certificate Authorities and Key Recovery
Agents.--Certificate authorities and key recovery agents meeting the
standards established by the Secretary may be registered by the
Secretary if they so choose, and may identify themselves as meeting the
standards of the Secretary.
SEC. 104. UNLAWFUL USE OF ENCRYPTION.
(a) In General.--Part I of title 18, United States Code, is amended
by inserting after chapter 121 the following new chapter:
``CHAPTER 122--ENCRYPTED DATA, INCLUDING COMMUNICATIONS
``Sec.
``2801. Unlawful use of encryption in furtherance of a criminal act.
``2802. Privacy protection.
``2803. Unlawful sale of encryption.
``2804. Encryption products manufactured and intended for use in the
United States.
``2805. Injunctive relief and proceedings.
``2806. Court order access to plaintext.
``2807. Notification procedures.
``2808. Lawful use of plaintext or decryption information.
``2809. Identification of decryption information.
``2810. Unlawful export of certain encryption products.
``2811. Definitions.
``Sec. 2801. Unlawful use of encryption in furtherance of a criminal
act
``(a) Prohibited Acts.--Whoever knowingly uses encryption in
furtherance of the commission of a criminal offense for which the
person may be prosecuted in a district court of the United States
shall--
``(1) in the case of a first offense under this section, be
imprisoned for not more than 5 years, or fined under this
title, or both; and
``(2) in the case of a second or subsequent offense under
this section, be imprisoned for not more than 10 years, or
fined under this title, or both.
``(b) Consecutive Sentence.--Notwithstanding any other provision of
law, the court shall not place on probation any person convicted of a
violation of this section, nor shall the term of imprisonment imposed
under this section run concurrently with any other term of imprisonment
imposed for the underlying criminal offense.
``(c) Probable Cause Not Constituted By Use of Encryption.--The use
of encryption alone shall not constitute probable cause to believe that
a crime is being or has been committed.
``Sec. 2802. Privacy protection
``(a) In General.--It shall be unlawful for any person to
intentionally--
``(1) obtain or use decryption information without lawful
authority for the purpose of decrypting data, including
communications;
``(2) exceed lawful authority in decrypting data, including
communications;
``(3) break the encryption code of another person without
lawful authority for the purpose of violating the privacy or
security of that person or depriving that person of any
property rights;
``(4) impersonate another person for the purpose of obtaining
decryption information of that person without lawful authority;
``(5) facilitate or assist in the encryption of data,
including communications, knowing that such data, including
communications, are to be used in furtherance of a crime; or
``(6) disclose decryption information in violation of a
provision of this chapter.
``(b) Criminal Penalty.--Whoever violates this section shall be
imprisoned for not more than 10 years, or fined under this title, or
both.
``Sec. 2803. Unlawful sale of encryption
``Whoever, after January 31, 2000, sells in interstate or foreign
commerce any encryption product that does not include features or
functions permitting duly authorized persons immediate access to
plaintext or immediate decryption capabilities shall be imprisoned for
not more than 5 years, fined under this title, or both.
``Sec. 2804. Encryption products manufactured and intended for use in
the United States
``(a) Public Network Service Providers.--After January 31, 2000,
public network service providers offering encryption products or
encryption services shall ensure that such products or services enable
the immediate decryption or access to plaintext of the data, including
communications, encrypted by such products or services on the public
network upon receipt of a court order or warrant, pursuant to section
2806.
``(b) Manufacturers, Distributors, and Importers.--After January 31,
2000, it shall be unlawful for any person to manufacture for
distribution, distribute, or import encryption products intended for
sale or use in the United States, unless that product--
``(1) includes features or functions that provide an
immediate access to plaintext capability, through any means,
mechanism, or technological method that--
``(A) permits immediate decryption of the encrypted
data, including communications, upon the receipt of
decryption information by an authorized party in
possession of a facially valid order issued by a court
of competent jurisdiction; and
``(B) allows the decryption of encrypted data,
including communications, without the knowledge or
cooperation of the person being investigated, subject
to the requirements set forth in section 2806;
``(2) can be used only on systems or networks that include
features or functions that provide an immediate access to
plaintext capability, through any means, mechanism, or
technological method that--
``(A) permits immediate decryption of the encrypted
data, including communications, upon the receipt of
decryption information by an authorized party in
possession of a facially valid order issued by a court
of competent jurisdiction; and
``(B) allows the decryption of encrypted data,
including communications, without the knowledge or
cooperation of the person being investigated, subject
to the requirements set forth in section 2806; or
``(3) otherwise meets the technical requirements and
functional criteria promulgated by the Attorney General under
subsection (c).
``(c) Attorney General Criteria.--
``(1) Publication of requirements.--Within 180 days after the
date of the enactment of this chapter, the Attorney General
shall publish in the Federal Register technical requirements
and functional criteria for complying with the decryption
requirements set forth in this section.
``(2) Procedures for advisory opinions.--Within 180 days
after the date of the enactment of this chapter, the Attorney
General shall promulgate procedures by which data network
service providers and encryption product manufacturers,
sellers, re-sellers, distributors, and importers may obtain
advisory opinions as to whether an encryption product intended
for sale or use in the United States after January 31, 2000,
meets the requirements of this section and the technical
requirements and functional criteria promulgated pursuant to
paragraph (1).
``(3) Particular methodology not required.--Nothing in this
chapter or any other provision of law shall be construed as
requiring the implementation of any particular decryption
methodology in order to satisfy the requirements of subsections
(a) and (b), or the technical requirements and functional
criteria required by the Attorney General under paragraph (1).
``(d) Use of Prior Products Lawful.--After January 31, 2000, it shall
not be unlawful to use any encryption product purchased or in use prior
to such date.
``Sec. 2805. Injunctive relief and proceedings
``(a) Injunction.--Whenever it appears to the Secretary or the
Attorney General that any person is engaged in, or is about to engage
in, any act that constitutes, or would constitute, a violation of
section 2804, the Attorney General may initiate a civil action in a
district court of the United States to enjoin such violation. Upon the
filing of the complaint seeking injunctive relief by the Attorney
General, the court shall automatically issue a temporary restraining
order against the party being sued.
``(b) Burden of Proof.--In a suit brought by the Attorney General
under subsection (a), the burden shall be upon the Government to
establish by a preponderance of the evidence that the encryption
product involved does not comport with the requirements set forth by
the Attorney General pursuant to section 2804 providing for immediate
access to plaintext by Federal, State, or local authorities.
``(c) Closing of Proceedings.--(1) Upon motion of the party against
whom injunction is being sought--
``(A) any or all of the proceedings under this section shall
be closed to the public; and
``(B) public disclosure of the proceedings shall be treated
as contempt of court.
``(2) Upon a written finding by the court that public disclosure of
information relevant to the prosecution of the injunction or relevant
to a determination of thefactual or legal issues raised in the case
would cause irreparable or financial harm to the party against whom the
suit is brought, or would otherwise disclose proprietary information of
any party to the case, all proceedings shall be closed to members of
the public, except the parties to the suit, and all transcripts,
motions, and orders shall be placed under seal to protect their
disclosure to the general public.
``(d) Advisory Opinion as Defense.--It is an absolute defense to a
suit under this subsection that the party against whom suit is brought
obtained an advisory opinion from the Attorney General pursuant to
section 2804(c) and that the product at issue in the suit comports in
every aspect with the requirements announced in such advisory opinion.
``(e) Basis for Permanent Injunction.--The court shall issue a
permanent injunction against the distribution of, and any future
manufacture of, the encryption product at issue in the suit filed under
subsection (a) if the court finds by a preponderance of the evidence
that the product does not meet the requirements set forth by the
Attorney General pursuant to section 2804 providing for immediate
access to plaintext by Federal, State, or local authorities.
``(f) Appeals.--Either party may appeal, to the appellate court with
jurisdiction of the case, any adverse ruling by the district court
entered pursuant to this section. For the purposes of appeal, the
parties shall be governed by the Federal Rules of Appellate Procedure,
except that the Government shall file its notice of appeal not later
than 30 days after the entry of the final order on the docket of the
district court. The appeal of such matter shall be considered on an
expedited basis and resolved as soon as practicable.
``Sec. 2806. Court order access to plaintext
``(a) Court Order.--(1) A court of competent jurisdiction shall issue
an order, ex parte, granting an investigative or law enforcement
officer immediate access to the plaintext of encrypted data, including
communications, or requiring any person in possession of decryption
information to provide such information to a duly authorized
investigative or law enforcement officer--
``(A) upon the application by an attorney for the Government
that--
``(i) is made under oath or affirmation by the
attorney for the Government; and
``(ii) provides a factual basis establishing the
relevance that the plaintext or decryption information
being sought has to a law enforcement or foreign
counterintelligence investigation then being conducted
pursuant to lawful authorities; and
``(B) if the court finds, in writing, that the plaintext or
decryption information being sought is relevant to an ongoing
lawful law enforcement or foreign counterintelligence
investigation and the investigative or law enforcement officer
is entitled to such plaintext or decryption information.
``(2) The order issued by the court under this section shall be
placed under seal, except that a copy may be made available to the
investigative or law enforcement officer authorized to obtain access to
the plaintext of the encrypted information, or authorized to obtain the
decryption information sought in the application. Such order shall also
be made available to the person responsible for providing the plaintext
or the decryption information, pursuant to such order, to the
investigative or law enforcement officer.
``(3) Disclosure of an application made, or order issued, under this
section, is not authorized, except as may otherwise be specifically
permitted by this section or another order of the court.
``(b) Other Orders.--An attorney for the Government may make
application to a district court of the United States for an order under
subsection (a), upon a request from a foreign country pursuant to a
Mutual Legal Assistance Treaty with such country that is in effect at
the time of the request from such country.
``(c) Record of Access Required.--(1) There shall be created an
electronic record, or similar type record, of each instance in which an
investigative or law enforcement officer, pursuant to an order under
this section, gains access to the plaintext of otherwise encrypted
information, or is provided decryption information, without the
knowledge or consent of the owner of the data, including
communications, who is the user of the encryption product involved.
``(2) The court issuing the order under this section shall require
that the electronic or similar type of record described in paragraph
(1) is maintained in a place and a manner that is not within the
custody or control of an investigative or law enforcement officer
gaining the access or provided the decryption information. The record
shall be tendered to the court, upon notice from the court.
``(3) The court receiving such electronic or similar type of record
described in paragraph (1) shall make the original and a certified copy
of the record available to the attorney for the Government making
application under this section, and to the attorney for, or directly
to, the owner of the data, including communications, who is the user of
the encryption product.
``(d) Authority To Intercept Communications Not Increased.--Nothing
in this chapter shall be construed to enlarge or modify the
circumstances or procedures under which a Government entity is entitled
to intercept or obtain oral, wire, or electronic communications or
information.
``(e) Construction.--This chapter shall be strictly construed to
apply only to a Government entity's ability to decrypt data, including
communications, for which it has previously obtained lawful authority
to intercept or obtain pursuant to other lawful authorities that would
otherwise remain encrypted.
``Sec. 2807. Notification procedures
``(a) In General.--Within a reasonable time, but not later than 90
days after the filing of an application for an order under section 2806
which is granted, the court shall cause to be served, on the persons
named in the order or the application, and such other parties whose
decryption information or whose plaintext has been provided to an
investigative or law enforcement officer pursuant to this chapter as
the court may determine that is in the interest of justice, an
inventory which shall include notice of--
``(1) the fact of the entry of the order or the application;
``(2) the date of the entry of the application and issuance
of the order; and
``(3) the fact that the person's decryption information or
plaintext data, including communications, have been provided or
accessed by an investigative or law enforcement officer.
The court, upon the filing of a motion, may make available to that
person or that person's counsel, for inspection, such portions of the
plaintext, applications, and orders as the court determines to be in
the interest of justice. On an ex parte showing of good cause to a
court of competent jurisdiction, the serving of the inventory required
by this subsection may be postponed.
``(b) Admission Into Evidence.--The contents of any encrypted
information that has been obtained pursuant to this chapter or evidence
derived therefrom shall not be received in evidence or otherwise
disclosed in any trial, hearing, or other proceeding in a Federal or
State court unless each party, not less than 10 days before the trial,
hearing, or proceeding, has been furnished with a copy of the order,
and accompanying application, under which the decryption or access to
plaintext was authorized or approved. This 10-day period may be waived
by the court if the court finds that it was not possible to furnish the
party with the information described in the preceding sentence within
10 days before the trial, hearing, or proceeding and that the party
will not be prejudiced by the delay in receiving such information.
``(c) Contempt.--Any violation of the provisions of this section may
be punished by the court as a contempt thereof.
``(d) Motion To Suppress.--Any aggrieved person in any trial,
hearing, or proceeding in or before any court, department, officer,
agency, regulatory body, or other authority of the United States or a
State may move to suppress the contents of any decrypted data,
including communications, obtained pursuant to this chapter, or
evidence derived therefrom, on the grounds that--
``(1) the plaintext was unlawfully decrypted or accessed;
``(2) the order of authorization or approval under which it
was decrypted or accessed is insufficient on its face; or
``(3) the decryption was not made in conformity with the
order of authorization or approval.
Such motion shall be made before the trial, hearing, or proceeding
unless there was no opportunity to make such motion, or the person was
not aware of the grounds of the motion. If the motion is granted, the
plaintext of the decrypted data, including communications, or evidence
derived therefrom, shall be treated as having been obtained in
violation of this chapter. The court, upon the filing of such motion by
the aggrieved person, may make available to the aggrieved person or
that person's counsel for inspection such portions of the decrypted
plaintext, or evidence derived therefrom, as the court determines to be
in the interests of justice.
``(e) Appeal by United States.--In addition to any other right to
appeal, the United States shall have the right to appeal from an order
granting a motion to suppress made under subsection (d), or the denial
of an application for an order under section 2806, if the United States
attorney certifies to the court or other official granting such motion
or denying such application that the appeal is not taken for purposes
of delay. Such appeal shall be taken within 30 days after the date the
order was entered on the docket and shall be diligently prosecuted.
``(f) Civil Action for Violation.--Except as otherwise provided in
this chapter, any person described in subsection (g) may in a civil
action recover from the United States Government the actual damages
suffered by the person as a result of a violation described in that
subsection, reasonable attorney's fees, and other litigation costs
reasonably incurred in prosecuting such claim.
``(g) Covered Persons.--Subsection (f) applies to any person whose
decryption information--
``(1) is knowingly obtained without lawful authority by an
investigative or law enforcement officer;
``(2) is obtained by an investigative or law enforcement
officer with lawful authority and is knowingly used or
disclosed by such officer unlawfully; or
``(3) is obtained by an investigative or law enforcement
officer with lawful authority and whose decryption information
is unlawfully used to disclose the plaintext of the data,
including communications.
``(h) Limitation.--A civil action under subsection (f) shall be
commenced not later than 2 years after the date on which the unlawful
action took place, or 2 years after the date on which the claimant
first discovers the violation, whichever is later.
``(i) Exclusive Remedies.--The remedies and sanctions described in
this chapter with respect to the decryption of data, including
communications, are the only judicial remedies and sanctions for
violations of this chapter involving such decryptions, other than
violations based on the deprivation of any rights, privileges, or
immunities secured by the Constitution.
``(j) Technical Assistance by Providers.--A provider of encryption
technology or network service that has received an order issued by a
court pursuant to this chapter shall provide to the investigative or
law enforcement officer concerned such technical assistance as is
necessary to execute the order. Such provider may, however, move the
court to modify or quash the order on the ground that its assistance
with respect to the decryption or access to plaintext cannot be
performed in a timely or reasonable fashion. The court, upon notice to
the Government, shall decide such motion expeditiously.
``(k) Reports to Congress.--In May of each year, the Attorney
General, or an Assistant Attorney General specifically designated by
the Attorney General, shall report in writing to Congress on the number
of applications made and orders entered authorizing Federal, State, and
local law enforcement access to decryption information for the purposes
of reading the plaintext of otherwise encrypted data, including
communications, pursuant to this chapter. Such reports shall be
submitted to the Committees on the Judiciary of the House of
Representatives and of the Senate, and to the Permanent Select
Committee on Intelligence for the House of Representatives and the
Select Committee on Intelligence for the Senate.
``Sec. 2808. Lawful use of plaintext or decryption information
``(a) Authorized Use of Decryption Information.--
``(1) Criminal investigations.--An investigative or law
enforcement officer to whom plaintext or decryption information
is provided may use such plaintext or decryption information
for the purposes of conducting a lawful criminal investigation
or foreign counterintelligence investigation, and for the
purposes of preparing for and prosecuting any criminal
violation of law.
``(2) Civil redress.--Any plaintext or decryption information
provided under this chapter to an investigative or law
enforcement officer may not be disclosed, except by court
order, to any other person for use in a civil proceeding that
is unrelated to a criminal investigation and prosecution for
which the plaintext or decryption information is authorized
under paragraph (1). Such order shall only issue upon a showing
by the party seeking disclosure that there is no alternative
means of obtaining the plaintext, or decryption information,
being sought and the court also finds that the interests of
justice would not be served by nondisclosure.
``(b) Limitation.--An investigative or law enforcement officer may
not use decryption information obtained under this chapter to determine
the plaintext of any data, including communications, unless it has
obtained lawful authority to obtain such data, including
communications, under other lawful authorities.
``(c) Return of Decryption Information.--An attorney for the
Government shall, upon the issuance of an order of a court of competent
jurisdiction--
``(1)(A) return any decryption information to the person
responsible for providing it to an investigative or law
enforcement officer pursuant to this chapter; or
``(B) destroy such decryption information, if the court finds
that the interests of justice or public safety require that
such decryption information should not be returned to the
provider; and
``(2) within 10 days after execution of the court's order to
destroy the decryption information--
``(A) certify to the court that the decryption
information has either been returned or destroyed
consistent with the court's order; and
``(B) notify the provider of the decryption
information of the destruction of such information.
``(d) Other Disclosure of Decryption Information.--Except as
otherwise provided in section 2806, a key recovery agent may not
disclose decryption information stored with the key recovery agent by a
person unless the disclosure is--
``(1) to the person, or an authorized agent thereof;
``(2) with the consent of the person, including pursuant to a
contract entered into with the person;
``(3) pursuant to a court order upon a showing of compelling
need for the information that cannot be accommodated by any
other means if--
``(A) the person who supplied the information is
given reasonable notice, by the person seeking the
disclosure, of the court proceeding relevant to the
issuance of the court order; and
``(B) the person who supplied the information is
afforded the opportunity to appear in the court
proceeding and contest the claim of the person seeking
the disclosure;
``(4) pursuant to a determination by a court of competent
jurisdiction that another person is lawfully entitled to hold
such decryption information, including determinations arising
from legal proceedings associated with the incapacity, death,
or dissolution of any person; or
``(5) otherwise permitted by a provision of this chapter or
otherwise permitted by law.
``Sec. 2809. Identification of decryption information
``(a) Identification.--To avoid inadvertent disclosure, any person
who provides decryption information to an investigative or law
enforcement officer pursuant to this chapter shall specifically
identify that part of the material provided that discloses decryption
information as such.
``(b) Responsibility of Investigative or Law Enforcement Officer.--
The investigative or law enforcement officer receiving any decryption
information under this chapter shall maintain such information in
facilities and in a method so as to reasonably assure that inadvertent
disclosure does not occur.
``Sec. 2810. Unlawful export of certain encryption products
``Whoever, after January 31, 2000, knowingly exports an encryption
product that does not include features or functions providing duly
authorized persons immediate access to plaintext or immediate
decryption capabilities, as required under law, shall be imprisoned for
not more than 5 years, fined under this title, or both.
``Sec. 2811. Definitions
``The definitions set forth in section 101 of the Security and
Freedom through Encryption (`SAFE') Act of 1997 shall apply to this
chapter.''.
(b) Conforming Amendment.--The table of chapters for part I of title
18, United States Code, is amended by inserting after the item relating
to chapter 121 the following new item:
``122. Encrypted data, including communications............. 2801''.
TITLE II--GOVERNMENT PROCUREMENT
SEC. 201. FEDERAL PURCHASES OF ENCRYPTION PRODUCTS.
After January 1, 1999, any encryption product or service purchased or
otherwise procured by the United States Government to provide the
security service of data confidentiality for a Federal computer system
shall include a technique enabling immediate decryption by an
authorized party without the knowledge or cooperation of the person
using such encryption products or services.
SEC. 202. ENCRYPTION PRODUCTS PURCHASED WITH FEDERAL FUNDS.
After January 1, 1999, any encryption product or service purchased
directly with Federal funds to provide the security service of data
confidentiality shall include a technique enabling immediate decryption
by an authorized party without the knowledge or cooperation of the
person using such encryption product or service unless the Secretary,
with the concurrence of the Attorney General, determines implementing
this requirement would not promote the purposes of this Act.
SEC. 203. NETWORKS ESTABLISHED WITH FEDERAL FUNDS.
After January 1, 1999, any communications network established with
the use of Federal funds shall use encryption products which include
techniques enabling immediate decryption by an authorized party without
the knowledge or cooperation of the person using such encryption
products or services unless the Secretary, with the concurrence of the
Attorney General, determines implementing this requirement would not
promote the purposes of this Act.
SEC. 204. PRODUCT LABELS.
An encryption product may be labeled to inform users that the product
is authorized for sale to or for use in transactions and communications
with the United States Government under this title.
SEC. 205. NO PRIVATE MANDATE.
The United States Government may not mandate the use of encryption
standards for the private sector other than for use with computer
systems, networks, or other systems of the United States Government, or
systems or networks created using Federal funds.
SEC. 206. IMPLEMENTATION.
(a) Exclusion.--Nothing in this title shall apply to encryption
products and services used solely for access control, authentication,
integrity, nonrepudiation, digital signatures, or other similar
purposes.
(b) Rulemaking.--The Secretary, in consultation with the Attorney
General and other affected agencies, may through rules provide for the
orderly implementation of this title and the effective use of secure
public networks.
TITLE III--EXPORTS OF ENCRYPTION
SEC. 301. EXPORTS OF ENCRYPTION.
(a) Coordination of Executive Branch Agencies Required.--The
Secretary, in close coordination with the Secretary of Defense and any
other executive branch department or agency with responsibility for
protecting the national security, shall have the authority to control
the export of encryption products not controlled on the United States
Munitions List.
(b) Decisions Not Subject to Judicial Review.--Decisions made by the
Secretary pursuant to subsection (a) with respect to exports of
encryption products under this title shall not be subject to judicial
review.
SEC. 302. LICENSE EXCEPTION FOR CERTAIN ENCRYPTION PRODUCTS.
(a) License Exception.--After January 31, 2000, encryption products,
without regard to encryption strength, shall be eligible for export
under a license exception if such encryption product--
(1) is submitted to the Secretary for a 1-time product
review;
(2) does not include features or functions that would
otherwise require licensing under applicable regulations;
(3) is not destined for countries, end users, or end uses
that the Secretary, in coordination with the Secretary of
Defense and other executive branch departments or agencies with
responsibility for protecting the national security, by
regulation, has determined should be ineligible to receive such
products, and is otherwise qualified for export; and
(4)(A) includes features or functions providing an immediate
access to plaintext capability, if there is lawful authority
for such immediate access; or
(B) includes features or functions providing an immediate
decryption capability of the encrypted data, including
communications, upon the receipt of decryption information by
an authorized party, and such decryption can be accomplished
without unauthorized disclosure.
(b) Enabling of Decryption Capabilities.--The features or functions
described in subsection (a)(4) need not be enabled by the manufacturer
before or at the time of export for purposes of this title. Such
features or functions may be enabled by the purchaser or end user.
(c) Responsibilities of the Secretary.--The Secretary, in close
coordination with the Secretary of Defense and other executive branch
departments or agencies with responsibility for protecting the national
security, shall--
(1) specify, by regulation, the information that must be
submitted for the 1-time review referred to in this section;
and
(2) make all export determinations under this title within 30
days following the date of submission to the Secretary of--
(A) the completed application for a license
exception; and
(B) the encryption product intended for export that
is to be reviewed as required by this section.
(d) Exercise of Other Authorities.--The Secretary, and the Secretary
of Defense, may exercise the authorities they have under other
provisions of law, including the Export Administration Act of 1979, as
continued in effect under the International Emergency Economic Powers
Act, to carry out this section.
(e) Presumption in Favor of Exports.--There shall be a presumption in
favor of export of encryption products under this title.
(f) Waiver Authority.--The President may by Executive order waive any
provision of this title, or the applicability of any such provision to
a person or entity, if the President determines that the waiver is in
the interests of national security or public safety and security. The
President shall submit a report to the relevant committees of the
Congress not later than 15 days after such determination. The report
shall include the factual basis upon which such determination was made.
The report may be in classified format.
(g) Relevant Committees.--The relevant committees of the Congress
described in subsection (f) are the Committee on International
Relations, the Committee on the Judiciary, the Committee on National
Security, the Permanent Select Committee on Intelligence of the House
of Representatives, and the Committee on Foreign Relations, the
Committee on the Judiciary, the Committee on Armed Services, and the
Select Committee on Intelligence of the Senate.
SEC. 303. LICENSE EXCEPTION FOR TELECOMMUNICATIONS PRODUCTS.
After a 1-time review as described in section 302, the Secretary
shall authorize for export under a license exception voice encryption
products that do not contain decryption or access to plainvoice
features or functions otherwise required in section 302, if the
Secretary, after consultation with relevant executive branch
departments or agencies, determines that--
(1) information recovery requirements for such exports would
disadvantage United States exporters; and
(2) such exports under a license exception would not create a
risk to the foreign policy, non-proliferation, or national
security of the United States.
SEC. 304. REVIEW FOR CERTAIN INSTITUTIONS.
The Secretary, in consultation with other executive branch
departments or agencies, shall establish a procedure for expedited
review of export license applications involving encryption products for
use by qualified banks, financial institutions, subsidiaries of
companies owned or controlled by United States persons, or other users
specifically authorized by the Secretary.
SEC. 305. ENCRYPTION INDUSTRY AND INFORMATION SECURITY BOARD.
(a) Encryption Industry and Information Security Board Established.--
There is hereby established an Encryption Industry and Information
Security Board. The Board shall undertake an advisory role for the
President.
(b) Purposes.--The purposes of the Board are--
(1) to provide a forum to foster communication and
coordination between industry and the Federal Government on
matters relating to the use of encryption products;
(2) to promote the export of encryption products manufactured
in the United States;
(3) to encourage research and development of products that
will foster electronic commerce;
(4) to recommend policies enhancing the security of public
networks;
(5) to promote the protection of intellectual property and
privacy rights of individuals using public networks;
(6) to enable the United States to effectively and
continually understand the benefits and risks to its national
security, law enforcement, and public safety interests by
virtue of the proliferation of strong encryption on the global
market;
(7) to evaluate and make recommendations regarding the
further development and use of encryption;
(8) to advance the development of international standards
regarding interoperability and global use of encryption
products; and
(9) to evaluate the foreign availability of encryption
products and their threat to United States industry.
(c) Membership.--(1) The Board shall be composed of 13 members, as
follows:
(A) The Secretary, or the Secretary's designee, who shall
chair the Board.
(B) The Attorney General, or the Director of the Federal
Bureau of Investigation, or a respective designee.
(C) The Secretary of Defense, or the Secretary's designee.
(D) the Director of Central Intelligence, or his or her
designee.
(E) The Special Assistant to the President for National
Security Affairs, or his or her designee.
(F) Two private sector individuals, appointed by the
President, who have expertise in consumer and privacy interests
relating to or affected by information security technology.
(G) Six representatives from the private sector who have
expertise in the development, operation, marketing, law, or
public policy relating to information security or technology.
(2) The six private sector representatives described in paragraph
(1)(G) shall be appointed as follows:
(A) Two by the Speaker of the House of Representatives.
(B) One by the Minority Leader of the House of
Representatives.
(C) Two by the Majority Leader of the Senate.
(D) One by the Minority Leader of the Senate.
(e) Meetings.--The Board shall meet at such times and in such places
as the Secretary may prescribe, but not less frequently than every four
months. The Federal Advisory Committee Act (5 U.S.C. App.) does not
apply to the Board or to meetings held by the Board under this section.
(f) Findings and Recommendations.--The chair of the Board shall
convey the findings and recommendations of the Board to the President
and to the Congress within 30 days after each meeting of the Board. The
recommendations of the Board are not binding upon the President.
(g) Foreign Availability.--The consideration of foreign availability
by the Board shall include computer software that is distributed over
the Internet or advertised for sale, license, or transfer, including
over-the-counter retail sales, mail order transactions, telephone order
transactions, electronic distribution, or sale on approval.
TITLE IV--LIABILITY LIMITATIONS
SEC. 401. COMPLIANCE WITH COURT ORDER.
(a) No Liability for Compliance.--Subject to subsection (b), no civil
or criminal liability under this Act, or under any other provision of
law, shall attach to any person for disclosing or providing--
(1) the plaintext of encrypted data, including
communications;
(2) the decryption information of such encrypted data,
including communications; or
(3) technical assistance for access to the plaintext of, or
decryption information for, encrypted data, including
communications.
(b) Exception.--Subsection (a) shall not apply to a person who
provides plaintext or decryption information to another and is not
authorized by court order to disclose such plaintext or decryption
information.
SEC. 402. COMPLIANCE DEFENSE.
Compliance with the provisions of sections 2806, 2807, 2808, or 2809
of title 18, United States Code, as added by section 104(a) of this
Act, or any regulations authorized thereunder, shall provide a complete
defense for any civil action for damages based upon activities covered
by this Act, other than an action founded on contract.
SEC. 403. REASONABLE CARE DEFENSE.
The participation by person in the key management infrastructure
established by regulation for United States Government information
security operations under section 103 shall be treated as evidence of
reasonable care or due diligence in any proceeding where the
reasonableness of one's actions is an element of the claim at issue.
SEC. 404. GOOD FAITH DEFENSE.
An objectively reasonable reliance on the legal authority provided by
this Act and the amendments made by this Act, requiring or authorizing
access to the plaintext of otherwise encrypted data, including
communications, or to the decryption information that will allow the
immediate decryption of data, including communications, that is
otherwise encrypted, shall be a complete defense to any criminal or
civil action that may be brought under the laws of the United States or
any State.
SEC. 405. SOVEREIGN IMMUNITY.
Except as otherwise specifically provided otherwise, nothing in this
Act or the amendments made by this Act, or any regulations promulgated
thereunder, modifies or amends the sovereign immunity of the United
States.
SEC. 406. CIVIL ACTION, GENERALLY.
A civil action may be brought against any person who, regardless of
that person's participation in the key management infrastructure to be
established by regulations promulgated by the Secretary pursuant to
section 103, violates or acts in a manner that is inconsistent with or
violates the provisions or intent of this Act or the amendments made by
this Act.
TITLE V--INTERNATIONAL AGREEMENTS
SEC. 501. SENSE OF CONGRESS.
It is the sense of Congress that--
(1) the President should conduct negotiations with foreign
governments for the purposes of mutual recognition of any key
management infrastructures, and their component parts, that
exist or are developed; and
(2) such mutual recognition agreements will safeguard the
privacy of the citizens of the United States, prevent economic
espionage, and enhance the information security needs of the
United States.
SEC. 502. FAILURE TO NEGOTIATE.
The President may consider a government's refusal to negotiate mutual
recognition agreements described in section 501 when considering the
participation of the United States in any cooperation or assistance
program with that country.
SEC. 503. REPORT TO CONGRESS.
(a) Report to Congress.--The President shall report annually to the
Congress on the status of the international effort outlined by section
501.
(b) First Report.--The first report required under subsection (a)
shall be submitted in unclassified form no later than December 15,
1998.
TITLE VI--MISCELLANEOUS PROVISIONS
SEC. 601. EFFECT ON LAW ENFORCEMENT ACTIVITIES.
(a) Collection of Information by Attorney General.--The Attorney
General shall compile, and maintain in classified form, data on the
instances in which encryption has interfered with, impeded, or
obstructed the ability of the Department of Justice to enforce the
criminal laws of the United States.
(b) Availability of Information to the Congress.--The information
compiled under subsection (a), including an unclassified summary
thereof, shall be made available, upon request, to any Member of
Congress.
SEC. 602. INTERPRETATION.
Nothing contained in this Act or the amendments made by this Act
shall be deemed to--
(1) preempt or otherwise affect the application of the Arms
Export Control Act (22 U.S.C. 2751 et seq.), the Export
Administration Act of 1979 (50 U.S.C. App. 2401 et seq.), or
the International Emergency Economic Powers Act (50 U.S.C. 1701
et seq.) or any regulations promulgated thereunder;
(2) affect foreign intelligence activities of the United
States; or
(3) negate or diminish any intellectual property protections
under the laws of the United States or of any State.
SEC. 603. SEVERABILITY.
If any provision of this Act or the amendments made by this Act, or
the application thereof, to any person or circumstances is held invalid
by a court of the United States, the remainder of this Act or such
amendments, and the application thereof, to other persons or
circumstances shall not be affected thereby.
Purpose
Americans expect their phone calls, electronic mail,
personal documents, and electronic commercial activities to be
secure and private. The rapid expansion of communication and
computer technology has created vulnerabilities that leave many
personal communications and commercial transactions potentially
exposed to fraud and misuse. The development and use of strong
encryption is essential to a thriving electronic communications
capability, and necessary to help safeguard privacy and protect
ourselves from crime. H.R. 695 promotes the development and
distribution of strong encryption technologies that are
intended to provide a heightened level of security and freedom
to engage in electronic commerce.
Chief among the government's obligations to its people is
the duty to protect them from threats of harm to their persons
or property. Similarly, in order to establish and maintain a
government that serves the common good and provides for the
common defense, which the Framers acknowledged was essential to
a free society, national security interests must be carefully
weighed against the people's inalienable rights of life,
liberty, and property. With this interest in maintaining the
balance between individual rights and our nation's security,
the Permanent Select Committee on Intelligence sought and
obtained referral of the bill, H.R. 695. The Committee's
consideration of H.R. 695 brought to light that the bill as
introduced and reported by the Committee on the Judiciary,
though certainly well-intentioned, left our intelligence and
intelligence-related capabilities at considerable risk.
Likewise, enacted without amendment, it might jeopardize the
nation's (including our state and local law enforcement
agencies) ability to investigate, apprehend, and prosecute
criminals of the most serious stripe.
The Committee received evidence that strong encryption has
already been used to facilitate drug trafficking, protect child
pornographers, shield terrorist plots and communications, and
hide evidence of credit card fraud, among other notable crimes.
Furthermore, the Committee is of the view that such a law
enforcement and national security risk should not be left to
the forces of the marketplace. Doing so abdicates the
responsibility of the government to protect its people from
enemies, both foreign and domestic.
Thus, the amendment in the nature of a substitute to H.R.
695, reported favorably by the Committee, seeks simply to
ensure that the critical national security and law enforcement
concerns at issue in this debate over the nature and direction
of encryption policy for the United States will be seriously
addressed.
Summary
section-by-section
Section 1.--Short title
This section provides the title of the bill as the
``Security and Freedom through Encryption (``SAFE'') Act of
1997.''
Section 2.--Statement of policy
This section sets forth the policy of the United States
with respect to encryption technology.
TITLE I--DOMESTIC USES OF ENCRYPTION
Section 101.--Definitions
This section establishes the definitions of specific terms
used throughout the bill.
Section 102.--Lawful use of encryption
This section makes clear that, except as otherwise
provided, it is lawful to use encryption products, regardless
of algorithm length selected, encryption key length chosen, or
implementation technique or medium used.
Section 103.--Voluntary private sector participation in key management
infrastructure
Subsection (a) clarifies that the use of certificate
authorities or key recovery agents is completely voluntary.
Subsection (b) provides the Secretary of Commerce with
regulatory authority to establish standards for creating
voluntary key management infrastructures. The Committee
believes that the development of key management infrastructures
is important to the interoperability that is necessary for the
further development of safe and secure electronic commerce. Any
regulations promulgated should allow the voluntary
participation of private persons and non-federal entities.
These regulations should also encourage the development of
certificate authorities and key recovery agents.
Subsection (c) will permit key recovery agents or
certificate authorities to register themselves with the
Commerce Department. In addition, such entities will be
allowed, if they choose, to identify themselves as meeting the
standards established by the Secretary.
Section 104.--Unlawful use of encryption
This section amends Title 18, United States Code, by new
sections 2801 through 2811 within a new chapter 122, which
bears the heading, ``Chapter 122-Encrypted Data, Including
Communications.''
New section 2801 of title 18, United States Code, would
make it a criminal offense to use encryption in furtherance of
the commission of a federal crime. The penalties attached to
such crimes would be in addition to any sentence imposed for
the underlying offense. For first time offenders, the potential
penalties are not more than 5 years in prison, a fine under
Title 18, United States Code,\1\ or both. For repeat offenders
of this provision, the jail time is potentially no more than an
additional 10 years. This section would apply equally to any
investigative or law enforcement officer who is found to have
violated these provisions.
---------------------------------------------------------------------------
\1\ Title 18, United States Code, Section 3571 establishes the fine
schedule for all Title 18 criminal violations. For an individual
convicted of a felony, the fine would, generally, be $250,000. For an
organization convicted of a felony, the fine would, generally, be
$500,000. Some specific criminal provisions may specify higher fine
amounts. Any criminal provision authorizing a lower fine amount is
nullified by enactment of subsection (e) of section 3571 of Title 18,
United States Code.
---------------------------------------------------------------------------
New section 2801 creates several new crimes. First, it
makes it illegal to intentionally obtain or use decryption
information without lawful authority in order to decrypt data,
including information. Next, it makes it a criminal offense to
exceed lawful authority in decrypting data, including
communications. This new section would make the breaking of the
encryption code of another without lawful authority and with
the purpose of violating that person's privacy or security, or
for the purpose of depriving that person of his or her property
a criminal violation of law. Likewise, it would be illegal to
impersonate another for the purpose of obtaining that person's
decryption information without lawful authority. Importantly,
it also makes it unlawful to facilitate or assist in the
encryption of data, including communications, that are to be
used in furtherance of a crime. Finally, it makes it illegal to
otherwise disclose decryption information in violation of the
provisions of new chapter 122 of Title 18, United States Code.
Each of these criminal violations is subject to a potential
penalty of not more than 10 years in prison, a fine under Title
18, United States Code, or both. This section would apply
equally to any investigative or law enforcement officer who is
found to have violated these provisions.
New section 2803 will make it unlawful after January 31,
2000, to sell in interstate or foreign commerce any encryption
product that does not provide duly authorized persons an
immediate access to plaintext capability, or immediate
decryption capability. Under this new chapter of Title 18,
United States Code, such duly authorized persons only include
those presenting an order from a court of competent
jurisdiction requiring that such access or provision of
decryption information be made. This section would apply
equally to any investigative or law enforcement officer who is
found to have violated these provisions.
New section 2804 establishes manufacturing and service
requirements on encryption products intended for distribution
and use after January 31, 2000. Subsection (a) requires all
public network service providers to offer encryption products
or services that ensure an immediate decryption capability or
an immediate access to plaintext capability.
Subsection (b) requires any person who manufactures for
distribution, distributes, or imports encryption products
intended for sale or use in the United States to include in
such products features or functions that provide an immediate
access to plaintext capability. These features or functions
must permit the immediate decryption of data, including
communications, without the knowledge or cooperation of the
person being investigated, but only upon the presentation of a
facially valid order issued by a court of competent
jurisdiction. Alternatively, encryption products may be
manufactured for distribution, distributed, or imported even if
they do not meet the requirements set forth above, so long as
they can be used only on systems or networks that include
features or functions that otherwise provide the immediate
access to plaintext capability previously discussed. Finally,
persons are free to manufacture encryption products that do not
comport with any of the requirements set forth here, so long as
they otherwise meet the technical requirements and functional
criteria established by the Attorney General, pursuant to
subsection (c).
Subsection (c) provides the Attorney General with
regulatory authority to promulgate technical requirements and
functional criteria for encryption products that will allow for
an immediate access to plaintext capability, or otherwise
enable the immediate decryption of the otherwise encrypted
data, including communications. This subsection provides
industry with an opportunity to seek an advisory opinion from
the Attorney General as to a particular product intended for
manufacturer or distribution. Such advisory opinions serve an
important function in that they will provide the industry with
clear guidance on products intended for sale. This procedure
will hopefully alleviate the need for lawsuits to enjoin the
distribution or manufacture of encryption products. This
subsection specifically provides that the Attorney General
cannot require a particular methodology to be used in meeting
her technical requirements or functional criteria.
Subsection (d) authorizes the use, even after January 31,
2000, of encryption products purchased or in use prior to that
date. This alleviates any ex post facto problem. The Committee
also recognizes that industry will need to develop new product
lines to comply with the provisions of this amendment. Thus, in
order to allow those manufacturers an opportunity to recoup
some of their research and development investment this
provision allows them to continue to sell their current product
line for the next two-plus years.
New section 2805 sets forth procedures whereby the onus is
on the government to prohibit the manufacture or distribution
of an encryption product, after January 31, 2000, that she or
the Secretary of Commerce believes does not meet the technical
requirements or functional criteria established by the Attorney
General. The Committee believes that it is appropriate for the
Attorney General to bear the burden, in a court of law, before
an independent arbiter of the facts, of keeping a particular
encryption product out of the market place. The provision
allows for the closure of such proceedings to protect the
proprietary interest in any information that might be disclosed
through a public proceeding. Furthermore, the provision will
provide those who obtained an advisory opinion with an absolute
defense to the lawsuit as long as the product at issue comports
in every aspect with the requirements announced in the Attorney
General's advisory opinion.
New section 2806 sets forth the standards and procedures
for the issuance of a court order granting an investigative or
law enforcement officer access to the plaintext of otherwise
encrypted data, including communications, or compelling the
provision of decryption information to an investigative or law
enforcement officer. The application for such order must be
made by an attorney for the government. That application must
establish facts supporting the finding that the plaintext or
decryption information is relevant to an on-going and
legitimate law enforcement or foreign counterintelligence
investigation. The application and any order issued thereon may
be made ex parte and placed under seal. Disclosure of the
application or order is not authorized by anyone, except as
otherwise permitted by this section, or another order of the
court. This section also comports with any obligation the
United States may have to any foreign government under any
effective Mutual Legal Assistance Treaties
This section also requires that the court granting access
to plaintext or the disclosure of decryption information, shall
also ensure that a verifiable audit trail of any access to
plaintext or decryption information be maintained. This record
shall not be maintained in a place or in a manner under the
custody or control of the investigative or law enforcement
officer gaining the access under this section. The record will
then be tendered to the court upon an order of the court.
Subsection (d) clarifies that nothing in this new chapter
shall be read to expand or modify any other constitutional or
statutory requirement under which a government entity is
entitled to intercept or obtain oral, wire, or electronic
communications, or information.
Subsection (e) mandates a strict construction of this new
chapter so that it is read only to apply to a government
entity's ability to decrypt or otherwise gain access to the
plaintext of data, including communications, for which it
previously obtained lawful authority to intercept or obtain.
New section 2807 provides the users of encryption products
with a statutory right to be notified when their decryption
information is provided to law enforcement, or when law
enforcement is granted access to the plaintext of their data,
including communications. This section does provide for a
delayed notification to the user so as not to jeopardize the
integrity of the on-going criminal investigation or foreign
counter-intelligence investigation. Basically, the user must be
notified within 90 days after the filing of an application for
the decryption information, or for access to the plaintext,
unless the judge finds good cause warranting the delay.
Specifically, however, none of the decrypted contents of the
encrypted information that has been obtained, nor any evidence
derived therefrom may be used in any proceeding unless the user
has been furnished with a copy of the order, application, and
the data, including communications. The user may move to
suppress the use of any of the plaintext or evidence derived
therefrom in any proceeding on the grounds that the plaintext
or the decryption information was unlawfully obtained. This
section also provides aggrieved persons with a civil cause of
action for any violations of this new chapter.
New section 2808 limits the lawful uses of any plaintext or
decryption information may be put. It may be used for the
purposes of conducting a lawful criminal or foreign
counterintelligence investigation, and for the purposes of
preparing for and prosecuting any criminal violation of law. It
may not be disclosed to any party to a civil suit that does not
arise from the criminal investigation or prosecution, unless a
court finds that there is no alternative means of obtaining the
plaintext, or decryption information and that the interests of
justice would not be served by nondisclosure. This section
further clarifies that decryption information may not be used
to determine the plaintext unless the officer possesses other
lawful authority to the plaintext.
This section also outlines the procedures for returning or
destroying any decryption information upon the conclusion of
the investigation, trial, or proceeding.
This section also places limitations upon any person acting
as a key recovery agent. It specifies to whom and under what
circumstances decryption information may be provided to another
person by a key recovery agent.
New section 2809 requires those who are providing
decryption information to an investigative or law enforcement
officer to so identify that information in order to avoid any
inadvertent disclosure. The officer is responsible for
maintaining the decryption information in such a manner so as
to reasonably assure against inadvertent disclosure.
New section 2810 makes it a crime to knowingly export an
encryption product after January 31, 2000 that does not include
an immediate access to plaintext capability, or that does not
provide an immediate decryption capability. This criminal
provision carries a potential prison term of not more than 5
years.
New section 2811 incorporates the definitions set forth at
section 101 of this Act as the definitions to be utilized for
new chapter 122 of Title 18, United States Code.
TITLE II--GOVERNMENT PROCUREMENT
Section 201.--Federal purchases of encryption products
This section requires the United States Government, after
January 1, 1999, to purchase only those encryption products
enabling the immediate decryption by an authorized party,
without the knowledge or cooperation of the person using the
encryption product. This requirement only applies to those
products or services obtained for providing security service
for a federal computer system.
Section 202.--Encryption products purchased with Federal funds
This section requires that any encryption product or
service purchased directly with federal funds after January 1,
1999, shall enable the immediate decryption by an authorized
party, without the knowledge or cooperation of the person using
the encryption product. The Committee does not intend that this
provision applies to any product purchased by institutions
receiving federal grants or other funding, if such institution
does not require interoperability with the United States
government, such as universities or public libraries.
Section 203.--Networks established with Federal funds
This section requires that any communications network that
is established directly with federal funds after January 1,
1999, must use encryption products that include techniques
enabling the immediate decryption of data, including
communications, without the knowledge or cooperation of the
person using the encryption product or service. It is not
intended that private communications networks that might
benefit from federal grants satisfy this requirement. Rather,
the Committee intends that this provision apply solely to those
communication networks established for the purpose of
communication with the United States government, either on a
contractual basis, or as an element of the government.
Section 204.--Product labels
This section allows for the labeling of encryption products
so that purchasers and users are aware that the product is
authorized for sale to, or for use in transactions with, the
United States government.
Section 205.--No private mandate
This section articulates the policy that the United States
government shall not require the use of particular encryption
standards for the private sector.
Section 206.--Implementation
This section specifically states that encryption products
used solely for access control, authentication, integrity,
nonrepudiation, or digital signatures are not covered by the
provisions of this title. Moreover, this section grants the
Secretary of Commerce regulatory authority to effectuate the
provisions of this title.
TITLE III--EXPORTS OF ENCRYPTION
Section 301.--Exports of encryption
Subsection (a) establishes that the Secretary of Commerce,
acting in close coordination with the Secretary of Defense, and
other executive branch agencies with responsibility for
protecting the national security, has the authority to exercise
control over the export of encryption products.
Subsection (b) clarifies that export control decisions made
by the Secretary are not subject to judicial review.
Section 302.--License exception for certain encryption products
Subsection (a) sets criteria for export license exceptions
of encryption products after January 31, 2000. Specifically,
products eligible for exemptions must: be submitted to the
Secretary of Commerce for a 1-time product review; not include
features that would require licensing under other applicable
regulations; not be destined for countries that are determined
ineligible on national security grounds. In addition, the
product must include a means of obtaining immediate access to
plaintext capability if there is lawful authority for such
access.
Subsection (b) clarifies that the immediate access to
plaintext capability need not be enabled by the manufacturer
before or at the time of export.
Subsection (c) requires the Secretary, in close
coordination with the Secretary of Defense and other relevant
executive branch agency heads, to promulgate regulations for
the 1-time review process; and sets a time limit of 30 days for
that review process. This subsection establishes that the 30-
day time clock starts when the Secretary has received a
completed application for license exception and the encryption
product intended for export.
Subsection (d) clarifies that the Secretary of Commerce and
the Secretary of Defense still maintain any authorities they
currently possess under any other provisions of law, including
the Export Administration Act of 1979, as continued in effect
under the International Emergency Economic Powers Act.
Subsection (e) establishes a presumption in favor of
exporting products submitted to the Secretary under this
section. The burden will be on the Secretary of Commerce to
deny export.
Subsection (f) provides the President with the authority to
waive any portion of this title for national security purposes.
Requires the President to report to the relevant committees of
Congress within 15 days after this authority is used.
Subsection (g) lists the committees in the House and Senate
that would receive a report under the previous subsection.
Section 303.--License exception for telecommunications products
This section provides a specific exemption for certain
voice encryption products. Products will be eligible for this
exemption if, after a 1-time review, the Secretary of Commerce
determines that the inclusion of information recovery
capability would disadvantage U.S. exporters; and the export of
the voice encryption product would not pose a risk to foreign
policy, nonproliferation, or national security.
Section 304.--Review for certain institutions
This section requires the Secretary of Commerce to
establish an expedited export license exception review process
for encryption products to be used by qualified banks,
financial institutions, U.S. businesses, and other users
specifically authorized by the Secretary.
Section 305.--Encryption Industry and Information Security Board
This section establishes an Encryption Industry and
Information Security Board (``EIISB'') to advise the President
on future encryption policy and technological advancements that
would serve to alter the United States policy on encryption
products. This section also defines the purposes of the board.
It further specifies that the Board shall be composed of 13
members, and how those members shall be appointed. In addition
to the Secretaries of Commerce and Defense, the Attorney
General or the FBI Director, the Director of Central
Intelligence, and the National Security Advisor to the
President, or their designees will sit on the EIIS Board. The
board shall include two individuals appointed by the President
who should have no ties to the industry, but who can represent
the interests of consumer groups and civil liberties advocacy
groups. There will also be appointed six representatives from
the private sector who together have expertise in the many
facets of information security, including the technical and
legal issues surrounding the use of information security
technology. The Board will report to the President and
Congress, and their recommendations are not binding.
TITLE IV--LIABILITY LIMITATIONS
Section 401.--Compliance with court order
This section states that a person shall not be held civilly
or criminally liable under this Act, or under any other
provision of law, for acting in compliance with a court order
compelling the disclosure of plaintext or decryption
information.
Section 402.--Compliance defense
This section provides a complete defense for any non-
contract action for damages based upon activities covered by
the Act as long as the person complies with the provisions of
sections 2806, 2807, 2808, or 2809 of title 18, United States
Code, as added by section 104(a) of this Act, or any
regulations authorized thereunder.
Section 403.--Reasonable care defense
This provision encourages the participation in a key
management infrastructure that meets the standards suggested by
the Secretary of Commerce under section 103 of this Act. This
section authorizes the use of one's participation in such key
management infrastructure as evidence of reasonable care in a
case where the reasonableness of one's actions is at issue.
Section 404.--Good faith defense
This section provides anyone who relies on the legal
authority provided under this Act as the basis for providing an
investigative or law enforcement officer with access to the
plaintext of otherwise encrypted data, including
communications, or for providing such officer with decryption
information, with a complete defense to any criminal or civil
action arising therefrom.
Section 405.--Sovereign immunity
This section clarifies that nothing in this Act modifies or
amends the sovereign immunity of the United States.
Section 406.--Civil action, generally
This section allows a civil action to be brought against
any person who violates or acts in a way that is inconsistent
with the provisions or intent of this Act.
TITLE V--INTERNATIONAL AGREEMENTS
Section 501.--Sense of Congress
This section expresses the Sense of Congress that the
President should negotiate with foreign governments to
establish mutual recognition of key management infrastructures.
Section 502.--Failure to negotiate
This section permits the President to take a country's
refusal to negotiate into consideration when making decisions
about U.S. participation in any cooperation or assistance
program with that country.
Section 503.--Report to Congress
This section requires an annual report to Congress on the
status of the negotiations, with the first report due December
15, 1998.
TITLE VI--MISCELLANEOUS PROVISIONS
Section 601.--Effect on law enforcement activities
This section requires the Attorney General to compile, and
maintain in classified form, information on those instances
where encryption has posed problems in the enforcement of
federal laws. This information will be available to any Member
of Congress upon request.
Section 602.--Interpretation
This section clarifies the relationship of the bill to the
interpretation of certain laws: the bill does not preempt the
application of other important export control acts, including:
the Arms Export Control Act, the Export Administration Act, or
the International Emergency Economic Powers Act; it does not
affect foreign intelligence activities of the United States;
nor does it diminish US or State intellectual property
protections.
Section 603.--Severability
This section permits any court reviewing this Act to sever
any provision from the remainder of the Act, so as not to find
the Act invalid in its entirety.
Background and Need for Legislation
H.R. 695, as amended by the Committee on the Judiciary, has
broad implications on the intelligence and intelligence-related
activities of the United States. The Intelligence Committee has
jurisdiction over legislation relating to the intelligence and
intelligence-related capabilities of the United States,
including the FBI's domestic counter-intelligence and counter-
terrorism functions. Thus, upon the Chairman's request, the
Speaker referred the bill to the Committee for its
consideration.
Primary among the Committee's concerns was how the
development of strong and unbreakable encryption technology
would affect the national security of the United States. The
Defense Department's need for information security technology
is essential to its force protection and war fighting
functions. Likewise, information security is critical to the
President and his advisors. It is necessary to the Department
of State in its development of sound foreign policy. Encryption
technology that does not provide for access points to
plaintext, or the re-capture of communications and data, puts
these needs at considerable risk.
The development of encryption technologies that does not
take into consideration society's desire to prevent,
investigate, and prosecute crimes, is of no sizable benefit to
society. Such encryption technology would allow criminals to
act with impunity, without concern that their actions might be
subject to exposure by lawful authorities. The FBI, the agency
primarily responsible for counter-terrorism and domestic
counter-espionage efforts, and the investigation of child
pornography and kidnapping, could find itself especially
handicapped in these areas. Likewise, the Drug Enforcement
Administration, which is responsible to the nation for counter-
narcotics operations, could be negatively affected by H.R. 695.
Similarly, the Committee was greatly concerned that State and
local law enforcement agencies' ability to provide their
citizenry with a free and peaceful place to live and work would
be seriously jeopardized.
As considered by the Permanent Select Committee on
Intelligence, H.R. 695 left the public's safety and our
nation's security to the forces of the marketplace. The
``SAFE'' Act provided no mechanism or technological capability
for law enforcement or national security to access the
plaintext of data, including communications. It would
ultimately have rendered meaningless any other law, including
the Fourth Amendment,entitling law enforcement to such
evidence. It would have negated our intelligence collectors' abilities
to perform their vital national security functions. The Committee found
that, to the detriment of the national security and law enforcement
equities of the United States, H.R. 695 encouraged the development of
unbreakable encryption technologies, seeming based upon an absolutist's
view of the First Amendment and one's ``right of privacy.''
H.R. 695 did nothing to encourage the development of
systems or software that would meet the crucial needs of
national security or law enforcement. The bill placed the
determination of whether a particular export of encryption
technology affected the national security interests of the
United States solely in the hands of the Secretary of Commerce,
with no role whatsoever for the national security apparatus of
the United States government. This, despite the proponents
acknowledgment of the national security benefit that encryption
technology can provide to the government.
The proponents of H.R. 695 argue that the legislation
enhances the needs of law enforcement. They contend that strong
encryption software, widely available to the public, will
secure our computer networks, defeat fraud, and instill trust
in the already booming Internet. This trust, they assert, is
necessary to release the opportunities available through
electronic commerce.
None of this is disputed.
Congress has on many occasions accepted the premise that
the use of electronic surveillance is a tool of utmost
importance in many criminal investigations, especially those
involving serious and violent crime, terrorism, espionage,
organized crime, drug-trafficking, corruption, and fraud. There
have been numerous cases where law enforcement, through the use
of electronic surveillance, has not only solved and
successfully prosecuted serious crimes and dangerous criminals,
but has also been able to prevent serious and life-threatening
criminal acts. For example, terrorists in New York were
plotting to bomb the United Nations building, the Lincoln and
Holland tunnels, and 26 Federal Plaza as well as conduct
assassinations of political figures. Court-authorized
electronic surveillance enabled the FBI to disrupt the plot as
explosives were being mixed. Ultimately, the evidence obtained
was used to convict the conspirators. In another example,
electronic surveillance was used to prevent and then convict
two men who intended to kidnap, molest and then kill a male
child.
The supporters of the bill insist that the problem for law
enforcement is a narrow problem, only affecting approximately
1,100 wiretaps per year, while encryption provides great
security benefits to the electronic marketplace.\2\ The
Committee is concerned that the problems posed by H.R. 695 are
not as narrow as the bill's supporters claim. The problem that
some see as ``narrow'' is in fact the entirety of the problem.
Were the 1,100 or so wiretaps conducted by federal, state, and
local law enforcement agencies across the country in the last
year protected with unbreakable encryption, the scores of drug
traffickers, child pornographers, kidnappers, Mafiosi,
terrorists, and spies that were identified, investigated, and
prosecuted, through the use of those wiretaps, would still be
at large.
---------------------------------------------------------------------------
\2\ Mr. Jerry Berman, Executive Director of the Center for
Technology and Democracy before the House Judiciary Committee, March
20, 1997.
---------------------------------------------------------------------------
The Committee notes, with considerable concern, that the
threat such encryption creates is not limited to the FBI alone.
From a national security perspective, this is not a problem
that will begin sometime in the future; we are already
encountering the effects of encryption today. For example:
Convicted spy Aldrich Ames was told by the Russian
intelligence service to encrypt computer file
information that was to be passed to them;
An international terrorist was plotting to blow up 11
U.S.-owned commercial airliners in the far east. His
laptop computer which was seized during his arrest in
Manila contained encrypted files concerning this
terrorist plot; and
A major international drug trafficking subject
recently used a telephone encryption device to
frustrate court-approved electronic surveillance.
H.R. 695 did little to facilitate or promote technological
development of access points for interception, or provide for
an immediate decryption capability, through a court order
process. The Committee is of the view that these requirements
can be fashioned in a way that does not undermine a citizen's
right against unreasonable searches and seizures or
unnecessarily abridge his or her freedom of speech. There is
considerable precedent in statute for a regime that balances
privacy, law enforcement concerns, and national security.\3\
---------------------------------------------------------------------------
\3\ Title III of the Omnibus Crime Control Act of 1968 codified the
government's authority to require service providers to supply technical
assistance to enable law enforcement (Federal, state, and local) to
intercept oral, electronic, and wire communications, upon the
presentment of a court order. That Act balanced the competing rights of
the individual and the government under the 4th Amendment by setting
out in the statute judicial oversight, minimization, and delayed
notification procedures that have met the test of time. That Act
established the constitutionality of a government mandate upon
technology for the societal benefit of public safety and national
security.
The Communications Assistance to Law Enforcement Act (``CALEA''),
building on the wiretap statutes, and considering the advancement of
digital telecommunications capabilities, specifically required
telecommunications common carriers to provide technical assistance and
to develop software that will enable the government to maintain its
capability to intercept communications, where otherwise allowable under
the law. Furthermore, CALEA established the precedent that
telecommunications companies that provide digital telephony to their
customers must provide law enforcement with an access point to such
communications so that the conversations occurring over such digital
telecommunication devices are comprehensible.
The Committee also considered those statutes governing pen
registers and trap and trace devices (18 U.S.C. sec. 3121-27), the use
of classified information in the prosecution of criminal violations of
federal law (18 U.S.C. App. 3, sec. 1, et seq.), and considered the
practice of law enforcement in gaining access to bank records and other
records held by third parties. The Committee also reviewed the fine
balancing of interests that is manifest in the Foreign Intelligence
Surveillance Act, 50 U.S.C.
---------------------------------------------------------------------------
The benefit that strong encryption, without access to
plaintext capabilities, provides to the individual encryption
user is equally provided to the person with criminal intent.
The child pornographer will be able to operate with impunity.
If there is no mechanism, no technological way of decrypting
his files without his permission, there will be no way for the
law to break his code, to access his computer files, to develop
evidence of his criminal acts and bring him to justice. This is
the world without a statutory requirement for access to
plaintext capability for stored data, or communications.
Likewise, without access to plaintext capability for our
intelligence collectors, international terrorists communicating
across the Internet, or through digital communications, sending
encrypted messages to their comrades discussing their plans to
attack United States interests, can rest assured that their
conspiracy will not be discovered, penetrated, frustrated, nor
prosecuted by law enforcement authorities.
To be sure, as envisioned by the authors of the Bill of
Rights, the Fourth Amendment stands as a bulwark against
unreasonable government intrusion into the lives of its
citizens. That freedom is jealously guarded by the people,
through the power and authority of the Judicial Branch of our
governmental structure. Certainly, the use of encryption
technology to protect electronic data and communication
accesses the same right to privacy as the use of a safe to
protect paper documents.
Nothing in our constitutional framework, however, provides
for absolutes. There is no absolute freedom of expression.
There is no absolute freedom from search and seizure. Nothing
about computer technology alters this constitutional truism.
The Bill of Rights delicately balances the competing interests
of the people and the nation. The Constitution recognizes that
the freedoms embodied in the Bill of Rights are joined with
responsibilities. The people are responsible for acting within
the bounds of the law. The government, on the other hand, is
responsible for acting reasonably. When a citizen violates the
law, the Constitution permits reasonable government action to
discover and expose that criminal activity. This is the essence
of the Fourth Amendment. The Committee notes with concern that
encryption technology, which will have enormous benefits, can
also threaten the underpinnings of the Constitutional balance
struck in the text of the Fourth Amendment if the technology is
allowed to develop unchecked and without regard to one's civic
responsibilities.
The privacy interests of encryption users should not be
minimized, nor given absolute value. A balance must be
established. It is true that access to decryption information
could give the government an opportunity for mischief.
Statutory safeguards against the impermissible use of
decryption information can be employed to adequately deter such
violations of privacy. Additionally, users of encryption should
be notified that their decryption information has been
accessed. But, the timing of this notification, like that
permitted by the wiretap statute, is very important to the
integrity of any criminal or counter-intelligence
investigation.
With respect to export controls over encryption products,
including software, hardware, and technology, it is important
to the country's security interests to permit the export only
of those encryption products that fulfill the goals of
promoting and securing information systems of American
citizens, while at the same time enabling the intelligence
community to continue to support our policy makers, deployed
forces, and U.S. interests at home and overseas.
Currently, the Administration regulates the export of
encryption products and requires a license prior to export. On
October 1, 1996, the Vice President announced for the
Administration that it would begin allowing 56-bit DES
encryption products, or its equivalent, under a general license
upon the presentment of the product for a one-time review so
long as the exporting company committed to building and
marketing future products that were supportive of key recovery.
On November 1, 1996, President Clinton issued Executive Order
13026, 61 Fed. Reg. 58767 (November 19, 1996) implementing the
policy outlined by the Vice President the month before. The
Administration, through Ambassador Aaron, the U.S. Special
Envoy for Encryption Policy, is also currently engaged in a
multi-lateral effort to reach agreement in the international
community on export standards supportive of key recovery
products.
Proponents of H.R. 695 argue that export barriers need to
be removed to enhance and improve the already superior position
of American encryption manufacturers in foreign markets. They
contend that our software industry will in a matter of years,
under the current regulatory regime, suffer substantial losses
in terms of jobs and profits. They argue that there are
encryption products already widely available in foreign
countries and on the Internet that are competing with U.S.
manufactured encryption products and in the near term could
strip U.S. industry of its preeminence in this field.
Foreign availability is an issue that is repeatedly raised
in the encryption debate. Industry claims that encryption
products are widely available overseas, that other countries do
not control their export, and that American firms are suffering
significant losses. A study of this issue found that claims of
widespread foreign availability of encryption products were not
entirely accurate. According to industry experts, widespread
use of foreign encryption has not become manifest, although the
pace of change and the market for information technology is
rapid and a growing number of strong encryption products exist.
Only a few countries, other than the United States, produce
encryption products at this time. Some, like Switzerland,
produce only specialized products for a small segment of the
market. Others, like Japan, produce primarily hardware
products. These countries all have export controls on
encryption. As noted, Ambassador Aaron is engaged in regular
discussions with them. The Committee believes that the issue of
foreign availability is one which the Administration must
closely monitor as we move toward a permanent policy on
encryption.
The Committee shares the concern that American encryption
products could be replaced by foreign competitors. It notes,
however, that the American grip on the market is remarkable,
not just for its share of the market, but for its longevity.
American technology manufacturers control no less than 75% of
the global market, despite what many consider to be a
``restrictive'' policy on encryption products. It is
acknowledged on both sides of this issue that American
encryption technology is the best in the world. There is no
desire to undermine that position, nor diminish the U.S.
preeminence in this regard.
conclusion
The encryption policy of the United States requires a
comprehensive approach that takes into account the equities and
prerogatives of the intelligence community; federal, state, and
local law enforcement; industry; and the citizens of the United
States. The Committee's amendment in the nature of a substitute
to the bill as reported by the Committee on the Judiciary,
which is further explained in the section-by-section analysis,
makes an effort at balancing the important national security,
public safety, and privacy interests that are at stake in this
debate.
Committee Proceedings
The Committee was briefed on the subject of encryption on
May 6, 1997 by the Hon. William Reinsch, Under Secretary,
Bureau of Export Administration, Department of Commerce; Hon.
William Crowell, Deputy Director, National Security Agency; and
Hon. Robert Litt, Deputy Assistant Attorney General, Criminal
Division, United States Department of Justice.
The Committee held a hearing on September 9, 1997 in which
it heard testimony from: the Hon. Bob Goodlatte, United States
Representative, 6th District of Virginia; Hon. Zoe Lofgren,
United States Representative, 16th District of California; Hon.
Louis J. Freeh, Director, Federal Bureau of Investigation; Hon.
William Reinsch, Under Secretary, Bureau of Export
Administration, Department of Commerce; and Hon. William
Crowell, Deputy Director, National Security Agency.
The Committee extensively reviewed additional testimony and
written materials relating to encryption policy in general and
H.R. 695 in particular, including: ``Terrorism in the Next
Millennium: Enter the Cyberterrorist,'' by George R. Barth,
National Counterintelligence Center; ``Deciphering the
Cryptography Debate,'' by Kenneth Flamm, The Brookings
Institution; Hon. Michelle Van Cleave, Assistant Director for
National Security, White House Office of Science and Technology
Policy, remarks before AFCEA Convention, June 25, 1992; Hon.
Janet Reno, United States Attorney General, letter to Members
of Congress, July 18, 1997; Hon. Louis J. Freeh, Director,
Federal Bureau of Investigation, testimony before the United
States Senate Committee on Commerce, Science and
Transportation, March 19, 1997; Hon. Louis J. Freeh, testimony
before the United States Senate Committee on the Judiciary,
June 25, 1997; Hon. John Kyl, United States Senator, Arizona,
remarks before the Heritage Foundation, July 28, 1997;
Testimony before the United States Senate Judiciary
Subcommittee on Technology, Terrorism and Government
Information, September 3, 1997: Hon. Louis J. Freeh, Director,
Federal Bureau of Investigation; Dorothy E. Denning, Georgetown
University; Jeffery A. Herig, Special Agent, Florida Department
of Law Enforcement; Robert R. Burke, Director of Corporate
Services and Security, Monsanto Company, and Chairman of the
Subcommittee for Protection of Information and Technology,
Overseas Security Advisory Council, United States Department of
State; Ken Lieberman, Senior Vice President for Corporate Risk
Management, Visa USA; R. Patrick Watson, Director, Worldwide
Corporate Security, Eastman Kodak Company;
Testimony before the United States House of Representatives
Commerce Subcommittee on Telecommunications, Trade, and
Consumer Protection, September 4, 1997: Hon. Bob Goodlatte,
United States Representative, 6th District of Virginia; Hon.
William Reinsch, Under Secretary, Bureau of Export
Administration, Department of Commerce; Hon. Robert Litt,
Deputy Assistant Attorney General, Criminal Division,
Department of Justice; Stephen T. Walker, President and CEO,
Trusted Information Systems, Inc.; Thomas Parenty, Director of
Data/Communications Security, Sybase, Inc.; George A. Keyworth,
II, Ph.D., Chairman, Progress & Freedom Foundation; Jerry
Berman, Executive Director, Center for Democracy and
Technology;
Hearing records of: Hearing on H.R. 3011 (104th Congress),
before the United States House of Representatives Committee on
the Judiciary, September 25, 1996; Hearing on H.R. 695, before
the United States House of Representatives Judiciary
Subcommittee on Courts and Intellectual Property, March 20,
1997; and the redacted released transcript of the United States
House of Representatives International Relations Committee
Members' briefing, June 26, 1997.
In addition, the Committee staff was briefed on the subject
of encryption from representatives of IBM, ORACLE, Center for
Technology and Democracy, Netscape, and Motorola.
Committee Consideration
The Committee met on September 11, 1997, and in open
session approved, by voice vote, the Goss/Dicks amendment in
the nature of a substitute to H.R. 695, as amended and reported
by the Committee on the Judiciary. The Committee, in open
session, ordered H.R. 695, as amended, reported favorably by
voice vote, a quorum being present.
Vote of the Committee
During its consideration of H.R. 695, the Committee took no
rollcall votes.
Findings and Recommendations of the Committee on Government Reform and
Oversight
With respect to clause 2(l)(3)(D) of rule XI of the Rules
of the House of Representatives, the Committee has not received
a report form the Committee on Government Reform and Oversight
pertaining to the subject of the bill.
Oversight Findings
In compliance with clause 2(l)(3)(A) of rule XI of the
Rules of the House of Representatives, the Committee reports
that the findings and recommendations of the Committee, based
on oversight activities under clause 2(b)(1) of rule X of the
Rules of the House of Representatives, are incorporated in the
descriptive portions of this report.
New Budget Authority and Tax Expenditures
Clause 2(l)(3)(B) of House rule XI does not apply because
this legislation does not provide new budgetary authority or
increased tax expenditures.
Congressional Budget Office Estimates
U.S. Congress,
Congressional Budget Office,
Washington, DC, September 16, 1997.
Hon. Porter J. Goss,
Chairman, Committee on Intelligence,
House of Representatives, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for H.R. 695, the Security
and Freedom Through Encryption (SAFE) Act.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contacts are Rachel
Forward (for federal costs); Alyssa Trzeszkowski (for
revenues); Pepper Santalucia (for the state and local impact);
and Jean Wooster (for the private-sector impact).
Sincerely,
James L. Blum
(For June E. O'Neill, Director).
Enclosure.
H.R. 695--Security and Freedom Through Encryption (SAFE) Act of 1997
Summary: H.R. 695 would establish policies for the domestic
use and export of encryption products that facilitate the
creation of secure computer networks.
Assuming appropriation of the necessary amounts, CBO
estimates that enacting this bill would result in additional
discretionary spending of between $4.5 million and $7.1 million
over the 1998-2002 period by the Bureau of Export
Administration (BXA) and the Department of Justice (DOJ).
Spending by BXA and DOJ for activities required by H.R. 695
would total between $9 million and $11.6 million over the next
five years--as compared to spending by BXA of about $4.5
million over the same period under current policies. (Spending
related to monitor encryption products by DOJ is negligible
under current law.)
Enacting H.R. 695 also would affect direct spending and
receipts beginning in fiscal year 1998 through the imposition
of criminal fines and the resulting spending from the Crime
Victims Fund. Therefore, pay-as-you-go procedures would apply.
CBO estimates, however, that the amounts of direct spending or
receipts would not be significant.
H.R. 695 contains an intergovernmental mandate as defined
in the Unfunded Mandates Reform Act (UMRA), but CBO cannot
estimate the cost of complying with that mandate at this time.
The bill also would impose a private-sector mandate on public
network service providers and manufacturers, distributors, and
importers of encryption products. CBO estimates that the total
direct cost of complying with this mandate would exceed the
statutory threshold ($100 million in 1996, adjusted annually
for inflation) for private-sector mandates established in UMRA.
CBO's full analysis of the cost of the intergovernmental and
the private-sector mandates will be provided under separate
cover.
Description of the bill's major provisions: H.R. 695 would
establish controls for the domestic use and export of
encryption technologies. The bill would allow individuals in
the United States to use any form of encryption but would
prevent the sale of encryption products without plaintext
recovery systems after January 31, 2000. (The term
``plaintext'' means the readable or comprehensible format of
information.) The bill would authorize the Department of
Commerce to exempt encryption products with plaintext recovery
systems from certain export licensing requirements after the
same date. In addition, H.R. 695 would require the Secretary of
Commerce to establish a key management system for use by the
federal government and private-sector organizations. A key
management system enables agencies or companies to entrust the
code to encryption products to a third party.
H.R. 695 would establish procedures to enable law
enforcement officials to gain access to plaintext recovery
systems upon presentation of a court order. The bill would
direct the Attorney General to maintain data on the instances
in which encryption impedes or obstructs the ability of DOJ to
enforce criminal laws. Finally, the bill would establish
criminal penalties and fines for the use of encryption
technologies to further a crime, for the unlawful access of
encrypted information, or for the unlawful sale of encryption
technologies.
Estimated cost to the Federal Government
Spending Subject to Appropriation
Under current policy, BXA would likely spend about $900,000
a year, totaling $4.5 million over the 1998-2002 period, to
monitor exports of encryption products. Assuming appropriation
of the necessary amounts, CBO estimates that enacting H.R. 695
would increase BXA's encryption-related costs to about $6.6
million over the same period. That cost consists of two
components: (1) costs to monitor encryption exports, and (2)
costs for the new key management system. H.R. 695 would
authorize the Department of Commerce through BXA to exempt
encryption products with plaintext recovery systems from
certain export licensing requirements after January 31, 2000.
As a result, CBO estimates that the agency's cost to monitor
encryption exports would decrease from about $900,000 in fiscal
years 1998 and 1999 to about $650,000 in fiscal year 2000 and
$500,000 in each year thereafter, for a five-year total of
about $3.5 million. H.R. 695 also would require the agency to
establish and maintain a key management system. Based on
information from BXA, CBO estimates that establishing and
maintaining this system would cost BXA about $500,000 in fiscal
year 1998 and $600,000 in each year thereafter, for a five-year
total of about $3.1 million.
H.R. 695 would require the Department of Justice to collect
and maintain data on the instances in which encryption impedes
or obstructs the ability of the agency to enforce criminal
laws. The agency is uncertain as to how much it would cost to
track such classified information nationwide. For the purposes
of this estimate, CBO projects that collecting and maintaining
the data would cost DOJ between $500,000 and $1 million a year,
assuming appropriation of the necessary amounts.
Direct Spending and Revenues
Enacting H.R. 695 would affect direct spending and receipts
through the imposition of criminal fines for the use of
encryption technologies to further a crime, for the unlawful
access of encrypted information, and for the unlawful sale of
encryption technologies. CBO estimates that collections from
such fines are likely to be negligible, however, because the
federal government would probably not pursue many cases under
the bill. Any such collections would be deposited in the Crime
Victims Fund and spent the following year. Because the increase
in direct spending would be the same amount as the amount of
fines collected with a one-year lag, the additional direct
spending also would be negligible.
The costs of this legislation fall within budget functions
370 (commerce and housing credit) and 750 (administration of
justice).
Pay-as-you-go considerations: Section 252 of the Balanced
Budget and Emergency Deficit Control Act of 1985 sets up pay-
as-you-go procedures for legislation affecting direct spending
or receipts. H.R. 695 would affect direct spending and receipts
through the imposition of criminal fines and the resulting
spending from the Crime Victims Fund. CBO estimates, however,
that any collections and spending resulting from such fines
would not be significant.
Estimated impact on State, local, and tribal governments:
H.R. 695 contains an intergovernmental mandate as defined in
UMRA, because state and local governments that offer Internet
access to their citizens would meet the bill's definition of
``network service provider.'' As such, they would be required
to ensure that any encryption products or services they provide
enable the immediate decryption or access to the plaintext of
encrypted data. At the present time, CBO is unsure of how many
states and localities offer Internet access, as well as the
steps these governments would take to comply with the mandate.
CBO therefore cannot estimate the cost of complying with the
mandate at this time and cannot determine whether the threshold
established in UMRA would be exceeded.
Estimated impact on the private sector: H.R. 695 would
establish controls on domestic encryption technology.
Specifically, the bill would require sellers of encryption
products to include features or functions that permit duly
authorized individuals to gain immediate access to the
encrypted material without the knowledge or cooperation of the
user of those products. Thus, it would impose a federal
private-sector mandate on network service providers and
manufacturers, distributors, and importers of encryption
products. CBO estimates that the total direct cost of complying
with this mandate would exceed the statutory threshold ($100
million in 1996, adjusted annually for inflation) for private-
sector mandates established in UMRA.
Section 4 of UMRA excludes from consideration any
provisions that are considered necessary for national security
purposes. Such provisions are found in Title III, Exports of
Encryption.
CBO's full analysis of the costs of the intergovernmental
and private-sector mandates will be provided under separate
cover.
Previous CBO estimate: CBO provided cost estimates for H.R.
695 as ordered reported by the House Committee on the Judiciary
on May 14, 1997, by the House Committee on International
Relations on July 22, 1997, and by the House Committee on
National Security on September 9, 1997. Assuming appropriation
of the necessary amounts, CBO estimates that costs over the
1998-2002 period would total between $5 million and $7 million
for the Judiciary Committee's version, about $2.2 million for
the International Relations Committee's version, and about $4.5
million for the National Security Committee's version. In
comparison, CBO estimates that enacting this version of the
bill would cost between $9 million and $11.6 million and that
spending under current policies would total $4.5 million.
Estimate prepared by: Federal Costs: Rachel Forward;
Revenues: Alyssa Trzeszkowski; Impact on State, Local, and
Tribal Governments; Pepper Santalucia; and Impact on the
Private Sector: Jean Wooster.
Estimate approved by: Paul N. Van de Water, Assistant
Director for Budget Analysis.
Committee Cost Estimates
The Committee agrees with the estimate of the Congressional
Budget Office.
Specific Constitutional Authority for Congressional Enactment of This
Legislation
The intelligence and intelligence-related activities of the
United States government are carried out to support the
national security interests of the United States, to support
and assist the armed forces of the United States, and to
support the President in the execution of the foreign policy of
the United States. Article 1, section 8, of the Constitution of
the United States provides, in pertinent part, that ``Congress
shall have power * * * to pay the debts and provide for the
common defence and general welfare of the United States; * *
*''; ``to raise and support Armies, * * *''; ``to provide and
maintain a Navy; * * *'' and ``to make all laws which shall be
necessary and proper for the carrying into execution * * * all
other powers vested by this Constitution in the Government of
the United States, or in any Department or Officer thereof.''
Therefore, pursuant to such authority, Congress is empowered to
enact this legislation.
Changes in Existing Law Made by the Bill, as Reported
In compliance with clause 3 of rule XIII of the Rules of the
House of Representatives, changes in existing law made by the
bill, as reported, are shown as follows (new matter is printed
in italic and existing law in which no change is proposed is
shown in roman):
TITLE 18, UNITED STATES CODE
* * * * * * *
PART I--CRIMES
* * * * * * *
Chap. Sec.
1. General provisions......................................... 1
* * * * * * *
121. Stored wire and electronic communications and transactional
records access...................................... 2701
122. Encrypted data, including communications.................... 2801
* * * * * * *
CHAPTER 122--ENCRYPTED DATA, INCLUDING COMMUNICATIONS
Sec.
2801. Unlawful use of encryption in furtherance of a criminal act.
2802. Privacy protection.
2803. Unlawful sale of encryption.
2804. Encryption products manufactured and intended for use in the
United States.
2805. Injunctive relief and proceedings.
2806. Court order access to plaintext.
2807. Notification procedures.
2808. Lawful use of plaintext or decryption information.
2809. Identification of decryption information.
2810. Unlawful export of certain encryption products.
2811. Definitions.
Sec. 2801. Unlawful use of encryption in furtherance of a criminal act
(a) Prohibited Acts.--Whoever knowingly uses encryption in
furtherance of the commission of a criminal offense for which
the person may be prosecuted in a district court of the United
States shall--
(1) in the case of a first offense under this
section, be imprisoned for not more than 5 years, or
fined under this title, or both; and
(2) in the case of a second or subsequent offense
under this section, be imprisoned for not more than 10
years, or fined under this title, or both.
(b) Consecutive Sentence.--Notwithstanding any other
provision of law, the court shall not place on probation any
person convicted of a violation of this section, nor shall the
term of imprisonment imposed under this section run
concurrently with any other term of imprisonment imposed for
the underlying criminal offense.
(c) Probable Cause Not Constituted by Use of Encryption.--The
use of encryption alone shall not constitute probable cause to
believe that a crime is being or has been committed.
Sec. 2802. Privacy protection
(a) In General.--It shall be unlawful for any person to
intentionally--
(1) obtain or use decryption information without
lawful authority for the purpose of decrypting data,
including communications;
(2) exceed lawful authority in decrypting data,
including communications;
(3) break the encryption code of another person
without lawful authority for the purpose of violating
the privacy or security of that person or depriving
that person of any property rights;
(4) impersonate another person for the purpose of
obtaining decryption information of that person without
lawful authority;
(5) facilitate or assist in the encryption of data,
including communications, knowing that such data,
including communications, are to be used in furtherance
of a crime; or
(6) disclose decryption information in violation of a
provision of this chapter.
(b) Criminal Penalty.--Whoever violates this section shall be
imprisoned for not more than 10 years, or fined under this
title, or both.
Sec. 2803. Unlawful sale of encryption
Whoever, after January 31, 2000, sells in interstate or
foreign commerce any encryption product that does not include
features or functions permitting duly authorized persons
immediate access to plaintext or immediate decryption
capabilities shall be imprisoned for not more than 5 years,
fined under this title, or both.
Sec. 2804. Encryption products manufactured and intended for use in the
United States
(a) Public Network Service Providers.--After January 31,
2000, public network service providers offering encryption
products or encryption services shall ensure that such products
or services enable the immediate decryption or access to
plaintext of the data, including communications, encrypted by
such products or services on the public network upon receipt of
a court order or warrant, pursuant to section 2806.
(b) Manufacturers, Distributors, and Importers.--After
January 31, 2000, it shall be unlawful for any person to
manufacture for distribution, distribute, or import encryption
products intended for sale or use in the United States, unless
that product--
(1) includes features or functions that provide an
immediate access to plaintext capability, through any
means, mechanism, or technological method that--
(A) permits immediate decryption of the
encrypted data, including communications, upon
the receipt ofdecryption information by an
authorized party in possession of a facially valid order issued by a
court of competent jurisdiction; and
(B) allows the decryption of encrypted data,
including communications, without the knowledge
or cooperation of the person being
investigated, subject to the requirements set
forth in section 2806;
(2) can be used only on systems or networks that
include features or functions that provide an immediate
access to plaintext capability, through any means,
mechanism, or technological method that--
(A) permits immediate decryption of the
encrypted data, including communications, upon
the receipt of decryption information by an
authorized party in possession of a facially
valid order issued by a court of competent
jurisdiction; and
(B) allows the decryption of encrypted data,
including communications, without the knowledge
or cooperation of the person being
investigated, subject to the requirements set
forth in section 2806; or
(3) otherwise meets the technical requirements and
functional criteria promulgated by the Attorney General
under subsection (c).
(c) Attorney General Criteria.--
(1) Publication of requirements.--Within 180 days
after the date of the enactment of this chapter, the
Attorney General shall publish in the Federal Register
technical requirements and functional criteria for
complying with the decryption requirements set forth in
this section.
(2) Procedures for advisory opinions.--Within 180
days after the date of the enactment of this chapter,
the Attorney General shall promulgate procedures by
which data network service providers and encryption
product manufacturers, sellers, re-sellers,
distributors, and importers may obtain advisory
opinions as to whether an encryption product intended
for sale or use in the United States after January 31,
2000, meets the requirements of this section and the
technical requirements and functional criteria
promulgated pursuant to paragraph (1).
(3) Particular methodology not required.--Nothing in
this chapter or any other provision of law shall be
construed as requiring the implementation of any
particular decryption methodology in order to satisfy
the requirements of subsections (a) and (b), or the
technical requirements and functional criteria required
by the Attorney General under paragraph (1).
(d) Use of Prior Products Lawful.--After January 31, 2000, it
shall not be unlawful to use any encryption product purchased
or in use prior to such date.
Sec. 2805. Injunctive relief and proceedings
(a) Injunction.--Whenever it appears to the Secretary or the
Attorney General that any person is engaged in, or is about to
engage in, any act that constitutes, or would constitute, a
violation of section 2804, the Attorney General may initiate a
civil action in a district court of the United States to enjoin
such violation. Upon the filing of the complaint seeking
injunctive relief by the Attorney General, the court shall
automatically issue a temporary restraining order against the
party being sued.
(b) Burden of Proof.--In a suit brought by the Attorney
General under subsection (a), the burden shall be upon the
Government to establish by a preponderance of the evidence that
the encryption product involved does not comport with the
requirements set forth by the Attorney General pursuant to
section 2804 providing for immediate access to plaintext by
Federal, State, or local authorities.
(c) Closing of Proceedings.--(1) Upon motion of the party
against whom injunction is being sought--
(A) any or all of the proceedings under this section
shall be closed to the public; and
(B) public disclosure of the proceedings shall be
treated as contempt of court.
(2) Upon a written finding by the court that public
disclosure of information relevant to the prosecution of the
injunction or relevant to a determination of the factual or
legal issues raised in the case would cause irreparable or
financial harm to the party against whom the suit is brought,
or would otherwise disclose proprietary information of any
party to the case, all proceedings shall be closed to members
of the public, except the parties to the suit, and all
transcripts, motions, and orders shall be placed under seal to
protect their disclosure to the general public.
(d) Advisory Opinion as Defense.--It is an absolute defense
to a suit under this subsection that the party against whom
suit is brought obtained an advisory opinion from the Attorney
General pursuant to section 2804(c) and that the product at
issue in the suit comports in every aspect with the
requirements announced in such advisory opinion.
(e) Basis for Permanent Injunction.--The court shall issue a
permanent injunction against the distribution of, and any
future manufacture of, the encryption product at issue in the
suit filed under subsection (a) if the court finds by a
preponderance of the evidence that the product does not meet
the requirements set forth by the Attorney General pursuant to
section 2804 providing for immediate access to plaintext by
Federal, State, or local authorities.
(f) Appeals.--Either party may appeal, to the appellate court
with jurisdiction of the case, any adverse ruling by the
district court entered pursuant to this section. For the
purposes of appeal, the parties shall be governed by the
Federal Rules of Appellate Procedure, except that the
Government shall file its notice of appeal not later than 30
days after the entry of the final order on the docket of the
district court. The appeal of such matter shall be considered
on an expedited basis and resolved as soon as practicable.
Sec. 2806. Court order access to plaintext
(a) Court Order.--(1) A court of competent jurisdiction shall
issue an order, ex parte, granting an investigative or law
enforcement officer immediate access to the plaintext of
encrypted data, including communications, or requiring any
person in possession of decryption information to provide such
information to a duly authorized investigative or law
enforcement officer--
(A) upon the application by an attorney for the
Government that--
(i) is made under oath or affirmation by the
attorney for the Government; and
(ii) provides a factual basis establishing
the relevance that the plaintext or decryption
information being sought has to a law
enforcement or foreign counterintelligence
investigation then being conducted pursuant to
lawful authorities; and
(B) if the court finds, in writing, that the
plaintext or decryption information being sought is
relevant to an ongoing lawful law enforcement or
foreign counterintelligence investigation and the
investigative or law enforcement officer is entitled to
such plaintext or decryption information.
(2) The order issued by the court under this section shall be
placed under seal, except that a copy may be made available to
the investigative or law enforcement officer authorized to
obtain access to the plaintext of the encrypted information, or
authorized to obtain the decryption information sought in the
application. Such order shall also be made available to the
person responsible for providing the plaintext or the
decryption information, pursuant to such order, to the
investigative or law enforcement officer.
(3) Disclosure of an application made, or order issued, under
this section, is not authorized, except as may otherwise be
specifically permitted by this section or another order of the
court.
(b) Other Orders.--An attorney for the Government may make
application to a district court of the United States for an
order under subsection (a), upon a request from a foreign
country pursuant to a Mutual Legal Assistance Treaty with such
country that is in effect at the time of the request from such
country.
(c) Record of Access Required.--(1) There shall be created an
electronic record, or similar type record, of each instance in
which an investigative or law enforcement officer, pursuant to
an order under this section, gains access to the plaintext of
otherwise encrypted information, or is provided decryption
information, without the knowledge or consent of the owner of
the data, including communications, who is the user of the
encryption product involved.
(2) The court issuing the order under this section shall
require that the electronic or similar type of record described
in paragraph (1) is maintained in a place and a manner that is
not within the custody or control of an investigative or law
enforcement officer gaining the access or provided the
decryption information. The record shall be tendered to the
court, upon notice from the court.
(3) The court receiving such electronic or similar type of
record described in paragraph (1) shall make the original and a
certified copy of the record available to the attorney for the
Government making application under this section, and to the
attorney for, or directly to, the owner of the data, including
communications, who is the user of the encryption product.
(d) Authority To Intercept Communications Not Increased.--
Nothing in this chapter shall be construed to enlarge or modify
the circumstances or procedures under which a Government entity
is entitled to intercept or obtain oral, wire, or electronic
communications or information.
(e) Construction.--This chapter shall be strictly construed
to apply only to a Government entity's ability to decrypt data,
including communications, for which it has previously obtained
lawful authority to intercept or obtain pursuant to other
lawful authorities that would otherwise remain encrypted.
Sec. 2807. Notification procedures
(a) In General.--Within a reasonable time, but not later than
90 days after the filing of an application for an order under
section 2806 which is granted, the court shall cause to be
served, on the persons named in the order or the application,
and such other parties whose decryption information or whose
plaintext has been provided to an investigative or law
enforcement officer pursuant to this chapter as the court may
determine that is in the interest of justice, an inventory
which shall include notice of--
(1) the fact of the entry of the order or the
application;
(2) the date of the entry of the application and
issuance of the order; and
(3) the fact that the person's decryption information
or plaintext data, including communications, have been
provided or accessed by an investigative or law
enforcement officer.
The court, upon the filing of a motion, may make available to
that person or that person's counsel, for inspection, such
portions of the plaintext, applications, and orders as the
court determines to be in the interest of justice. On an ex
parte showing of good cause to a court of competent
jurisdiction, the serving of the inventory required by this
subsection may be postponed.
(b) Admission Into Evidence.--The contents of any encrypted
information that has been obtained pursuant to this chapter or
evidence derived therefrom shall not be received in evidence or
otherwise disclosed in any trial, hearing, or other proceeding
in a Federal or State court unless each party, not less than 10
days before the trial, hearing, or proceeding, has been
furnished with a copy of the order, and accompanying
application, under which the decryption or access to plaintext
was authorized or approved. This 10-day period may be waived by
the court if the court finds that it was not possible to
furnish the party with the information described in the
preceding sentence within 10 days before the trial, hearing, or
proceeding and that the party will not be prejudiced by the
delay in receiving such information.
(c) Contempt.--Any violation of the provisions of this
section may be punished by the court as a contempt thereof.
(d) Motion To Suppress.--Any aggrieved person in any trial,
hearing, or proceeding in or before any court, department,
officer, agency, regulatory body, or other authority of the
United States or a State may move to suppress the contents of
any decrypted data, including communications, obtained pursuant
to this chapter, or evidence derived therefrom, on the grounds
that --
(1) the plaintext was unlawfully decrypted or
accessed;
(2) the order of authorization or approval under
which it was decrypted or accessed is insufficient on
its face; or
(3) the decryption was not made in conformity with
the order of authorization or approval.
Such motion shall be made before the trial, hearing, or
proceeding unless there was no opportunity to make such motion,
or the person was not aware of the grounds of the motion. If
the motion is granted, the plaintext of the decrypted data,
including communications, or evidence derived therefrom, shall
be treated as having been obtained in violation of this
chapter. The court, upon the filing of such motion by the
aggrieved person, may make available to the aggrieved person or
that person's counsel for inspection such portions of the
decrypted plaintext, or evidence derived therefrom, as the
court determines to be in the interests of justice.
(e) Appeal by United States.--In addition to any other right
to appeal, the United States shall have the right to appeal
from an order granting a motion to suppress made under
subsection (d), or the denial of an application for an order
under section 2806, if the United States attorney certifies to
the court or other official granting such motion or denying
such application that the appeal is not taken for purposes of
delay. Such appeal shall be taken within 30 days after the date
the order was entered on the docket and shall be diligently
prosecuted.
(f) Civil Action for Violation.--Except as otherwise provided
in this chapter, any person described in subsection (g) may in
a civil action recover from the United States Government the
actual damages suffered by the person as a result of a
violation described in that subsection, reasonable attorney's
fees, and other litigation costs reasonably incurred in
prosecuting such claim.
(g) Covered Persons.--Subsection (f) applies to any person
whose decryption information--
(1) is knowingly obtained without lawful authority by
an investigative or law enforcement officer;
(2) is obtained by an investigative or law
enforcement officer with lawful authority and is
knowingly used or disclosed by such officer unlawfully;
or
(3) is obtained by an investigative or law
enforcement officer with lawful authority and whose
decryption information is unlawfully used to disclose
the plaintext of the data, including communications.
(h) Limitation.--A civil action under subsection (f) shall be
commenced not later than 2 years after the date on which the
unlawful action took place, or 2 years after the date on which
the claimant first discovers the violation, whichever is later.
(i) Exclusive Remedies.--The remedies and sanctions described
in this chapter with respect to the decryption of data,
including communications, are the only judicial remedies and
sanctions for violations of this chapter involving such
decryptions, other than violations based on the deprivation of
any rights, privileges, or immunities secured by the
Constitution.
(j) Technical Assistance by Providers.--A provider of
encryption technology or network service that has received an
order issued by a court pursuant to this chapter shall provide
to the investigative or law enforcement officer concerned such
technical assistance as is necessary to execute the order. Such
provider may, however, move the court to modify or quash the
order on the ground that its assistance with respect to the
decryption or access to plaintext cannot be performed in a
timely or reasonable fashion. The court, upon notice to the
Government, shall decide such motion expeditiously.
(k) Reports to Congress.--In May of each year, the Attorney
General, or an Assistant Attorney General specifically
designated by the Attorney General, shall report in writing to
Congress on the number of applications made and orders entered
authorizing Federal, State, and local law enforcement access to
decryption information for the purposes of reading the
plaintext of otherwise encrypted data, including
communications, pursuant to this chapter. Such reports shall be
submitted to the Committees on the Judiciary of the House of
Representatives and of the Senate, and to the Permanent Select
Committee on Intelligence for the House of Representatives and
the Select Committee on Intelligence for the Senate.
Sec. 2808. Lawful use of plaintext or decryption information
(a) Authorized Use of Decryption Information.--
(1) Criminal investigations.--An investigative or law
enforcement officer to whom plaintext or decryption
information is provided may use such plaintext or
decryption information for the purposes of conducting a
lawful criminal investigation or foreign
counterintelligence investigation, and for the purposes
of preparing for and prosecuting any criminal violation
of law.
(2) Civil redress.--Any plaintext or decryption
information provided under this chapter to an
investigative or law enforcement officer may not be
disclosed, except by court order, to any other person
for use in a civil proceeding that is unrelated to a
criminal investigation and prosecution for which the
plaintext or decryption information is authorized under
paragraph (1). Such order shall only issue upon a
showing by the party seeking disclosure that there is
no alternative means of obtaining the plaintext, or
decryption information, being sought and the court also
finds that the interests of justice would not be served
by nondisclosure.
(b) Limitation.--An investigative or law enforcement officer
may not use decryption information obtained under this chapter
to determine the plaintext of any data, including
communications, unless it has obtained lawful authority to
obtain such data, including communications, under other lawful
authorities.
(c) Return of Decryption Information.--An attorney for the
Government shall, upon the issuance of an order of a court of
competent jurisdiction--
(1)(A) return any decryption information to the
person responsible for providing it to an investigative
or law enforcement officer pursuant to this chapter; or
(B) destroy such decryption information, if the court
finds that the interests of justice or public safety
require that such decryption information should not be
returned to the provider; and
(2) within 10 days after execution of the court's
order to destroy the decryption information--
(A) certify to the court that the decryption
information has either been returned or
destroyed consistent with the court's order;
and
(B) notify the provider of the decryption
information of the destruction of such
information.
(d) Other Disclosure of Decryption Information.--Except as
otherwise provided in section 2806, a key recovery agent may
not disclose decryption information stored with the key
recovery agent by a person unless the disclosure is--
(1) to the person, or an authorized agent thereof;
(2) with the consent of the person, including
pursuant to a contract entered into with the person;
(3) pursuant to a court order upon a showing of
compelling need for the information that cannot be
accommodated by any other means if--
(A) the person who supplied the information
is given reasonable notice, by the person
seeking the disclosure, of the court proceeding
relevant to the issuance of the court order;
and
(B) the person who supplied the information
is afforded the opportunity to appear in the
court proceeding and contest the claim of the
person seeking the disclosure;
(4) pursuant to a determination by a court of
competent jurisdiction that another person is lawfully
entitled to hold such decryption information, including
determinations arising from legal proceedings
associated with the incapacity, death, or dissolution
of any person; or
(5) otherwise permitted by a provision of this
chapter or otherwise permitted by law.
Sec. 2809. Identification of decryption information
(a) Identification.--To avoid inadvertent disclosure, any
person who provides decryption information to an investigative
or law enforcement officer pursuant to this chapter shall
specifically identify that part of the material provided that
discloses decryption information as such.
(b) Responsibility of Investigative or Law Enforcement
Officer.--The investigative or law enforcement officer
receiving any decryption information under this chapter shall
maintain such information in facilities and in a method so as
to reasonably assure that inadvertent disclosure does not
occur.
Sec. 2810. Unlawful export of certain encryption products
Whoever, after January 31, 2000, knowingly exports an
encryption product that does not include features or functions
providing duly authorized persons immediate access to plaintext
or immediate decryption capabilities, as required under law,
shall be imprisoned for not more than 5 years, fined under this
title, or both.
Sec. 2811. Definitions
The definitions set forth in section 101 of the Security and
Freedom through Encryption (``SAFE'') Act of 1997 shall apply
to this chapter.
* * * * * * *
ADDITIONAL VIEWS OF REPRESENTATIVES DICKS, SKELTON, AND BISHOP
In considering H.R. 695, we used six principles as a guide
through the difficult and complex issues posed by encryption
technology.
First, Congress should take no action to impair or abridge
the rights, liberties, and privacy of the American people
guaranteed by our constitution.
Second, Congress has an obligation to ensure that the
ability of law enforcement agencies to provide protection
against violent criminals, terrorists, narcotics dealers,
organized crime syndicates, and espionage is not unwisely
diminished.
Third, there is an equally compelling need to guarantee the
protection of electronic information for the security of the
nation, for the privacy and protection of our citizens and
their property, and for the prosperity of the country through a
new form of commerce.
Fourth, Congress must protect our ability to collect
intelligence to support national defense, diplomacy, and law
enforcement.
Fifth, we must not disadvantage, and should as best we can
promote, American workers and companies seeking to maintain
dominance in information technologies.
Finally, our domestic and foreign policy in this area
should, to the maximum extent possible, be consistent and
reinforcing.
It is commonly asserted that these principles are
substantially at odds with one another, such that any
consistent policy position must entail compromises among them--
perhaps fatal ones. We do not believe that is true and am
convinced that the substitute the Committee adopted is faithful
to all these principles.
In contrast, H.R. 695 as referred to the Committee is in
conflict with several of the foregoing principles. H.R. 695 is
incompatible with national security because it essentially does
away with the export control process. Gutting the export
control process would also have serious foreign policy
consequences, undermining administration attempts to develop an
international consensus on encryption policy and perhaps
prompting other countries to erect import barriers to U.S.
encryption products and associated hardware and software
systems. The bill would do nothing to foster a domestic key
management infrastructure, which the administration, the
Committee, and much of industry believe is important for the
rapid expansion of electronic commerce. The bill is deficient
also in that it would not help law enforcement overcome the
negative consequences of the inevitable proliferation of strong
encryption.
Without legislative intervention, in the near future the
nation's police departments and the FBI will not need to bother
to install wiretaps because everything they hear will be
encrypted. Proponents of H.R. 695 as referred to the Committee
acknowledge this problem but argue that the law enforcement
interest is a narrow one and should be sacrificed. Others
assert that it is futile to try to protect law enforcement
equities either because unbreakable encryption will proliferate
no matter what the government does, or that any government
regulatory actions will do much more harm than good. With
regard to export controls, proponents of H.R. 695 contend that
without an inclusive international compact to regulate
encryption, it is pointless, crippling to U.S. industry, to
maintain a rigid export control regime. They assert that there
is no reason to believe that any international consensus is
likely, and that U.S. industry already faces an imminent
competitive threat.
We reject these arguments. Communications intercepts are a
critically important and effective law enforcement tool. While
it is true that the government cannot hope to prevent
determined and resourceful criminals, terrorists, and others
from using unbreakable encryption to hide their activities,
these elements must interact with society at large, and
therefore must conduct most of their business using standard
forms of electronic commerce and communication. If the latter
provide lawful access to the plaintext of encrypted
information, or to decryption information pursuant to court
order, law enforcement will be able to conduct investigations
effectively. Thus it is neither necessary nor expected that the
Committee substitute would eradicate unapproved encryption
capabilities.
In terms of the practicality of regulating encryption
products, we recognize also that it is not a certainty that the
burden the substitute would place on the marketplace to provide
some form of access for communications will prove to be
marginally costly or inconvenient. We acknowledge the
possibility that critics could be right--that these
requirements will be unwieldy or expensive, or both. But it is
far from clear today that the critics are right, and the
administration predicts modest annual user costs. If the law is
to err, however, we strongly favor doing it on the side of
ensuring that our public safety and national security officials
can continue to do their jobs effectively.
We recognize that there is no certainty of success in the
attempt to convince the other advanced nations of the need to
control encryption to protect law enforcement as we propose to
do. The United States cannot hope to convince others to take
this path, however, if it decides first to flood the world with
unbreakable encryption, and second to proclaim that domestic
controls are somewhat incompatible with liberty.
Furthermore, any fair assessment of the status of
discussions with other advanced nations on this issue would
conclude that success is quite feasible. Similarly, claims
about the availability of truly strong encryption products on
the world market that users can readily access and employ are
clearly exaggerated. Finally, as the section-by-section
analysis in this report explains, the Committee substitute
provides for the export of encryption products with an access
``on-off switch,'' in effect allowing industry to export
unbreakable encryption to countries that have no requirement
for law enforcement access to plaintext.
Critics also assert that it is unreasonable for Congress to
consider levying a mandate on the private sector in information
technology to provide a means for lawful access to encrypted
information. In fact, there is an important precedent for such
action. Just a few years ago, law enforcement agencies were
similarly faced with the prospect of loosing the ability to
intercept communications because of the astonishing complexity
of the nation's emerging digital telecommunications networks--
even when the underlying information is unencrypted. Congress
met the political challenge of supporting law enforcement in
this instance by requiring communications service providers to
install capabilities to permit effective wiretaps. This digital
telephony act also required telephone communications service
providers to provide access to plaintext to duly authorized law
enforcement agencies where the service providers offered their
customers encryption capabilities that could be decrypted. The
point is that Congress was willing to do what was right when
the issue was clear.
We face another such challenge today. We believe that my
colleagues will respond appropriately once they realize what is
at stake. The place to start that educational process is here,
with the Committee substitute. We do not think that a fair
analysis of the substitute could conclude that it would
compromise the rights of our citizens by insisting that law
enforcement agencies merely retain their current ability to
gather evidence through judicially sanctioned electronic
surveillance.
Norm Dicks.
Ike Skelton.
Sanford D. Bishop, Jr.
ADDITIONAL VIEWS OF REPRESENTATIVES HARMAN, SKAGGS, AND DIXON
The issue of encryption is one of the most difficult we
have faced in our careers in the Congress. The technical
complexities of algorithms and bit strength are the least of
the problem. What is most challenging is discovering a way to
balance competing policy concerns in the face of a rapidly
evolving electronic infrastructure.
We are convinced that H.R. 695 as introduced and reported
from the Committees on Judiciary and International Relations is
neither the right answer, nor a comprehensive approach to the
challenges we face. As members of the Permanent Select
Committee on Intelligence we believe U.S. policy should balance
sometimes conflicting goals: protecting public computer
networks from the threats of terrorists and other criminals
through the use of strong encryption; promoting the economic
competitiveness and the research and development breakthroughs
of our vital information technology industry; encouraging the
legal framework necessary for robust and reliable electronic
commerce; and helping preserve public safety and national
security.
H.R. 695 as introduced was intended to promote economic
competitiveness but it does little to address the strongly
expressed concerns of law enforcement officials from around the
country that the legislation would eliminate the possibility of
electronic surveillance under lawful court order.
The substitute the Committee has ordered reported is an
attempt to address all of the issues in the debate
comprehensively. Yet, it has been developed under an extremely
short time frame, subject to a limited referral. We believe the
legislation is too sweeping, particularly in placing new
requirements on the manufacture, sale, and import of encryption
products in the United States.
While we want United States law enforcement and national
security agencies, working under proper oversight, to have the
tools they need to respond to threats to the public safety and
national security, the requirement in the legislation that
encryption products manufactured and distributed for sale or
use, or imported for sale or use after January 31, 2000,
include features or functions that provide, upon presentment of
a court order, immediate access to plaintext data or decryption
information from the encryption provider, raises a host of new
questions and issues that need further exploration. We are
worried less about the narrow question of technical feasibility
than how such a requirement would implicate valid concerns
about privacy, abuse of official authority, and the inherent
security of data security services. We are concerned whether
the legislation's provision on imports might be interpreted to
mean an individual on the Internet downloading encryption from
a foreign country was violating the law and about where the
line would be drawn on the prohibited distribution of
encryption products not meeting the bill's legal requirements.
The substitute is intended to put in place a legal
framework for, and safeguards on, law enforcement access to
encrypted electronic information. This is positive. Imposing
new criminal penalties for the invasion of privacy relating to
the misuse of decryption information is appropriate to ensure
that government officials who gain access to information on the
electronic network do not exceed their lawful authority.
Likewise, we support requiring a verifiable audit trail
whenever government officials obtain access to plaintext and
decrypted information, regardless of whether or not a recovery-
capable mandate on encryption is enacted. We are fast
approaching what Kenneth Flamm of the Brookings Institution
calls ``a digital future in which almost everything * * * is
stored or communicated electronically, connected to or
accessible through some computer network.'' It is time to take
action on these issues.
In addition, we recognize that the issues raised in this
debate are international in scope. Given the availability of
encryption technology abroad, and the ease of its
dissemination, a unilateral export control policy on encryption
will not work. Therefore, we must encourage, if not direct, the
Administration to monitor closely international developments
and to engage other countries in working out a multilateral
approach to this issue.
Recent events suggest passage of H.R. 695 as originally
conceived is highly unlikely in the House of Representatives.
We believe there now needs to be a very careful and
deliberative effort to fashion balanced legislation. The
information technology industry should suggest targeted
legislative and regulatory amendments which will meet its need
for fewer uncertainties in the export control process, while
still allowing for regulatory flexibility as technology
advances. Privacy advocates should recognize that government
access to information residing on the electronic infrastructure
in order to protect public safety is legitimate within
reasonable constraints, and should propose what those
reasonable constraints should be. Law enforcement officials
should carefully evaluate where their highest priorities lie in
protecting the public safety and preventing crime. The
Administration should redouble its efforts to secure
international agreements of mutual recognition of encryption
management infrastructures to safeguard the privacy of United
States citizens and enhance U.S. information security needs in
electronic commerce. Continued stalemate on balancing the
competing policy concerns is not in the interests of industry,
law enforcement or the American people.
Jane Harman.
David E. Skaggs.
Julian C. Dixon.
ADDITIONAL VIEWS OF REPRESENTATIVE NANCY PELOSI
I oppose the substitute to H.R. 695 ordered reported from
the Permanent Select Committee on Intelligence. While there are
indeed serious national security and law enforcement issues at
stake in this debate, there are also serious questions about
the impact of this legislation on the civil liberties on which
this nation is based. A balance must be struck. The bill passed
by the Committee does not strike the requisite balance.
I was very concerned about the lack of an audit mechanism
in the Committee's substitute as proposed and am pleased that
the bill was amended to require an electronic audit trail, to
ensure that there is accountability when an investigative or
law enforcement officer obtains access to the plaintext of
otherwise encrypted information or the provision of decryption
information.
Among the reasons I oppose the bill are the following:
With respect to domestic controls, the ramifications of
enacting a requirement that encryption products manufactured,
distributed or imported in the United States after January 2000
contain features that provide, upon presentment of a court
order, immediate plaintext access or decryption information,
are not well understood. It is not clear such a requirement
could pass constitutional muster, particularly where it might
place restrictions on the distribution of encryption algorithms
or the free flow of ideas among scientists working in the area
of information technology. Indeed imposing domestic controls
runs counter to the first recommendation of the National
Research Council's widely-respected CRISIS report
(``Cryptography's Role in Security in the Information
Society,'' June 1996) that no law bar the manufacture, sale or
use of any form of encryption in the United States. Despite the
many provisions of the legislation designed to place civil and
criminal penalties on official misuse of decryption
information, and provide privacy protections to those who
encrypt information, further debate is needed on whether the
legal framework governing lawful wiretaps is the appropriate
model for the 21st Century as so much information concerning
our personal and economic lives is connected and accessible on-
line.
With respect to export controls, the legislation would
force U.S. manufacturers to include features that could provide
plaintext access or decryption information in encryption
products exported overseas. Although the legislation allows
these features to be enabled at the foreign purchaser's option,
and does not require any keys or recovery information be held
in escrow in the United States, demanding recovery capable
features in exportable U.S. technology may provide repressive
totalitarian regimes a new method of control over dissidents
and human rights advocates who today evade surveillance by
utilizing unbreakable encryption on the Internet.
Also of concern is the impact of certain of the
substitute's provisions on human rights activists in
authoritarian countries. Human rights activists worldwide are
using cryptography to protect their sources from reprisals by
governments that violate human rights. Under the Committee
substitute, the U.S. government can get a court order for
violating the security of communications ``upon a request from
a foreign country pursuant to a Mutual Legal Assistance
Treaty.'' This provision will permit governments to breach the
protection of confidential sources, thereby both endangering
human rights activists using electronic communications and
discouraging people who know of human rights violations to
speak about them, even in private. Authoritarian governments
often define the activities of those who dare to speak out
against them as ``treason'' or ``revealing classified
information,'' crimes recognized by the U.S. government. Under
the Committee substitute, legitimate human rights activists,
who now communicate safely through the Internet with strong
encryption protection, will no longer have that safety.
In addition, the legislation enshrines the broad concept
that all decisions of the Secretary of Commerce with respect to
the export of encryption products are not subject to judicial
review. If the question at hand has to do with national
security implications, the President could waive judicial
review on a case-by-case basis as needed, rather than Congress
acting to grant a blanket waiver of a citizen's right to
recourse to the legal system.
The serious issues involving national security and public
safety could have been resolved with a more narrowly targeted
approach. I hope efforts will be made to craft a consensus
measure before H.R. 695 is considered on the floor of the House
of Representatives.
Nancy Pelosi.
Letters From Law Enforcement Officers and the Secretary of Defense
The Secretary of Defense,
Washington, DC, July 21, 1997.
Dear Member of Congress: Recently you received a letter
from the nation's senior law enforcement officials regarding
U.S. encryption policies. I am writing today to express my
strong support for their views on their important issue.
As you know, the Department of Defense is involved on a
daily basis in countering international terrorism, narcotics
trafficking, and the proliferation of weapons of mass
destruction. The spread of unbreakable encryption, as a
standard feature of mass market communication products,
presents a significant threat to the ability of the U.S. and
its allies to monitor the dangerous groups and individuals
involved in these activities. Passage of legislation which
effectively decontrols commercial encryption exports would
undermine U.S. efforts to foster the use of strong key recovery
encryption domestically and abroad. Key recovery products will
preserve governments' abilities to counter worldwide terrorism,
narcotics trafficking and proliferation.
It is also important to note that the Department of Defense
relies on the Federal Bureau of Investigation for the
apprehension and prosecution of spies. Sadly, there have been
over 60 espionage convictions of federal employees over the
last decade. While these individuals represent a tiny minority
of government employees, the impact of espionage activities on
our nation's security can be enormous. As the recent arrests of
Nicholson, Pitts and Kim clearly indicate, espionage remains a
very serious problem. Any policies that detract from the FBI's
ability to perform its vital counterintelligence function,
including the ability to perform wiretaps, inevitably detract
from the security of the Department of Defense and the nation.
Encryption legislation must also address the nation's
domestic information security needs. Today, approximately 95%
of DoD communications rely on public networks; other parts of
government, and industry, are even more dependent on the
trustworthiness of such networks. Clearly, we must ensure that
encryption legislation addresses these needs. An approach such
as the one contained in S. 909 can go a long way toward
balancing the need for strong encryption with the need to
preserve national security and public safety. I hope that you
will work with the Administration to enact legislation that
addresses these national security concerns as well as the
rights of the American people.
I appreciate your consideration of these views.
Sincerely,
Bill Cohen.
------
Office of the Attorney General,
Washington, DC, July 18, 1997.
Dear Member of Congress: Congress is considering a variety
of legislative proposals concerning encryption. Some of these
proposals would, in effect, make it impossible for the Federal
Bureau of Investigation (FBI), Drug Enforcement Administration
(DEA), Secret Service, Customs Service, Bureau of Alcohol,
Tobacco and Firearms, and other federal, state, and local law
enforcement agencies to lawfully gain access to criminal
telephone conversations or electronically stored evidence
possessed by terrorists, child pornographers, drug kingpins,
spies and other criminals. Since the impact of these proposals
would seriously jeopardize public safety and national security,
we collectively urge you to support a different, balanced
approach that strongly supports commercial and privacy
interests but maintains our ability to investigate and
prosecute serious crimes.
We fully recognize that encryption is critical to
communications security and privacy, and that substantial
commercial interests are at stake. Perhaps in recognition of
these facts, all the bills being considered allow market forces
to shape the development of encryption products. We, too, place
substantial reliance on market forces to promote electronic
security and privacy, but believe that we cannot rely solely on
market forces to protect the public safety and national
security. Obviously, the government cannot abdicate its solemn
responsibility to protect public safety and national security.
Currently, of course, encryption is not widely used, and
most data is stored, and transmitted, in the clear. As we move
from a plaintext world to an encrypted one, we have a critical
choice to make: we can either (1) choose robust, unbreakable
encryption that protects commerce and privacy but gives
criminals a powerful new weapon, or (2) choose robust,
unbreakable encryption that protects commerce and privacy and
gives law enforcement the ability to protect public safety. The
choice should be obvious and it would be a mistake of historic
proportions to do nothing about the dangers to public safety
posed by encryption without adequate safeguards for law
enforcement.
Let there be no doubt: without encryption safeguards, all
Americans will be endangered. No one disputes this fact; not
industry, not encryption users, no one. We need to take
definitive actions to protect the safety of the public and
security of the nation. That is why law enforcement at all
levels of government--including the Justice Department,
Treasury Department, the National Association of Attorneys
General, International Association of Chiefs of Police, the
Major City Chiefs, the National Sheriffs' Association, and the
National District Attorneys Association--are so concerned about
this issue.
We all agree that without adequate legislation, law
enforcement in the United States will be severely limited in
its ability to combat the worst criminals and terrorists.
Further, law enforcement agrees that the widespread use of
robust non-key recovery encryption ultimately will devastate
our ability to fight crime and prevent terrorism.
Simply stated, technology is rapidly developing to the
point where powerful encryption will become commonplace both
for routine telephone communications and for stored computer
data. Without legislation that accommodates public safety and
national security concerns, society's most dangerous criminals
will be able to communicate safely and electronically store
data without fear of discovery. Court orders to conduct
electronic surveillance and court-authorized search warrants
will be ineffectual, and the Fourth Amendment's carefully-
struck balance between ensuring privacy and protecting public
safety will be forever altered by technology. Technology should
not dictate public policy, and it should promote, rather than
defeat, public safety.
We are not suggesting the balance of the Fourth Amendment
be tipped toward law enforcement either. To the contrary, we
only seek the status quo, not the lessening of any legal
standard or the expansion of any law enforcement authority. The
Fourth Amendment protects the privacy and liberties of our
citizens but permits law enforcement to use tightly controlled
investigative techniques to obtain evidence of crimes. The
result has been the freest country in the world with the
strongest economy.
Law enforcement has already confronted encryption in high-
profile espionage, terrorist, and criminal cases. For example:
An international terrorist was plotting to blow up 11
U.S.-owned commercial airliners in the Far East. His
laptop computer, which was seized in Manila, contained
encrypted files concerning this terrorist plot;
A subject in a child pornography case used encryption
in transmitting obscene and pornographic images of
children over the Internet; and
A major international drug trafficking subject
recently used a telephone encryption device to
frustrate court-approved electronic surveillance.
And this is just the tip of the iceberg. Convicted spy Aldrich
Ames, for example, was told by the Russian Intelligence Service
to encrypt computer file information that was to be passed to
them.
Further, today's international drug trafficking
organizations are the most powerful, ruthless and affluent
criminal enterprises we have ever faced. We know from numerous
past investigations that they have utilized their virtually
unlimited wealth to purchase sophisticated electronic equipment
to facilitate their illegal activities. This has included state
of the art communication and encryption devices. They have used
this equipment as part of their command and control process for
their international criminal operations. We believe you share
our concern that criminals will increasingly take advantage of
developing technology to further insulate their violent and
destructive activities.
Requests for cryptographic support pertaining to electronic
surveillance interceptions from FBI Field Offices and other law
enforcement agencies have steadily risen over the past several
years. There has been an increase in the number of instances
where the FBI's and DEA's court-authorized electronic efforts
were frustrated by the use of encryption that did not allow for
law enforcement access.
There have also been numerous other cases where law
enforcement, through the use of electronic surveillance, has
not only solved and successfully prosecuted serious crimes but
has also been able to prevent life-threatening criminal acts.
For example, terrorists in New York were plotting to bomb the
United Nations building, the Lincoln and Holland Tunnels, and
26 Federal Plaza as well as conduct assassinations of political
figures. Court-authorized electronic surveillance enabled the
FBI to disrupt the plot as explosives were being mixed.
Ultimately, the evidence obtained was used to convict the
conspirators. In another example, electronic surveillance was
used to stop and then convict two men who intended to kidnap,
molest, and kill a child. In all of these cases, the use of
encryption might have seriously jeopardized public safety and
resulted in the loss of life.
To preserve law enforcement's abilities, and to preserve
the balance so carefully established by the Constitution, we
believe any encryption legislation must accomplish three goals
in addition to promoting the widespread use of strong
encryption. It must establish:
A viable key management infrastructure that promotes
electronic commerce and enjoys the confidence of
encryption users;
A key management infrastructure that supports a key
recovery scheme that will allow encryption users access
to their own data should the need arise, and that will
permit law enforcement to obtain lawful access to the
plaintext of encrypted communications and data; and
An enforcement mechanism that criminalizes both
improper use of encryption key recovery information and
the use of encryption for criminal purposes.
Only one bill, S. 909 (the McCain/Kerrey/Hollings bill),
comes close to meeting these core public safety, law
enforcement, and national security needs. The other bills being
considered by Congress, as currently written, risk great harm
to our ability to enforce the laws and protect our citizens. We
look forward to working to improve the McCain/Kerrey/Hollings
bill.
In sum, while encryption is certainly a commercial interest
of great importance to this Nation, it is not solely a
commercial or business issue. Those of us charged with the
protection of public safety and national security, believe that
the misuse of encryption
technology will become a matter of life and death in many
instances. That is why we urge you to adopt a balanced approach
that accomplishes the goals mentioned above. Only this approach
will allow police departments, attorneys general, district
attorneys, sheriffs, and federal authorities to continue to use
their most effective investigative techniques, with court
approval, to fight crime and espionage and prevent terrorism.
Sincerely yours,
Janet Reno,
Attorney General.
Louis Freeh,
Director, Federal Bureau of
Investigation.
Thomas A. Constantine,
Director, Drug Enforcement
Administration.
Raymond W. Kelly,
Undersecretary for
Enforcement, U.S.
Department of the
Treasury.
John W. Magaw,
Director, Bureau of Alcohol,
Tobacco and Firearms.
Barry McCaffrey,
Director, Office of National
Drug Control Policy.
Lewis C. Merletti,
Director, United States
Secret Service.
George J. Weise,
Commissioner, United States
Customs Service.
------
International Association of
Chiefs of Police,
Alexandria, VA, July 21, 1997.
Dear Member of Congress: Enclosed is a letter sent to you
by the Attorney General, the Director of National Drug Control
Policy and all the federal law enforcement heads concerning
encryption legislation being considered by congress.
Collectively we, the undersigned, represent over 17,000 police
departments including every major city police department, over
3,000 sheriffs departments, nearly every district attorney in
the United States and all of the state Attorneys General. We
fully endorse the position taken by our federal counterparts in
the enclosed letter. As we have stated many times, Congress
must adopt a balanced approach to encryption that fully
addresses public safety concerns or the ability of state and
local law enforcement to fight crime and drugs will be severely
damaged.
Any encryption legislation that does not ensure that law
enforcement can gain timely access to the plaintext of
encrypted conversations and information by established legal
procedures will cause grave harm to public safety. The risk
cannot be left to the uncertainty of market forces or
commercial interests as the current legislative proposals would
require. Without adequate safeguards, the unbridled use of
powerful encryption soon will deprive law enforcement of two of
its most effective tools, court authorized electronic
surveillance and the search and seizure of information stored
in computers. This will substantially tip the balance in the
fight against crime towards society's most dangerous criminals
as the information age develops.
We are in unanimous agreement that congress must adopt
encryption legislation that requires the development,
manufacture, distribution and sale of only key recovery
products and we are opposed to the bills that do not do so.
Only the key recovery approach will ensure that law enforcement
can continue to gain timely access to the plaintext of
encrypted conversations and other evidence of crimes when
authorized by a court to do so. If we lose this ability--and
the bills you are considering will have this result--it will be
a substantial setback for law enforcement at the direct expense
of public safety.
Sincerely yours,
Darrell L. Sanders,
President, International
Association of Chiefs of
Police.
James E. Doyle,
President, National
Association of Attorneys
General.
Fred Scoralie,
President, National
Sheriffs' Association.
William L. Murphy,
President, National District
Attorneys Association.
------
Major Cities Chiefs,
Chicago IL, July 24, 1997.
Hon. Orrin G. Hatch,
Chairman, Judiciary Committee, Senate Hart Office Building, Washington,
DC.
Dear Mr. Chairman: The Major Cities Chiefs is a
professional association of police executives representing the
largest jurisdictions in the United States. The association
provides a forum for urban police chiefs, sheriffs and other
law enforcement chief executives to discuss common problems
associated with protecting cites with populations exceeding
500,000 people.
Congress is considering a variety of legislative proposals
concerning encryption. Some of these proposals would, in
effect, make it impossible for law enforcement agencies across
the country, both on the federal, state and local level, to
lawfully gain access to criminal telephone conversations or
electronically stored evidence. Since the impact of these
proposals would seriously jeopardize public safety, our
association urges you to support a balanced approach that
strongly supports commercial and private interests but also
maintains law enforcements ability to investigate and prosecute
serious crime.
While we recognize that encryption is critical to
communications security and privacy and that commercial
interests are at stake, we all agree that without adequate
legislation, law enforcement across the country will be
severely limited in its ability to combat serious crime. The
widespread use of non-key recovery encryption ultimately will
eliminate our ability to obtain valuable evidence of criminal
activity. The legitimate and lawful interception of
communications, pursuant to a court order, for the most serious
criminal acts will be meaningless because of our inability to
decipher the evidence.
Encryption is certainly of great importance to the
commercial interests across this country. However, public
safety concerns are just as critical and we must not loose
sight of this. The need to preserve an invaluable investigative
tool is of the utmost importance in law enforcements ability to
protect the public against serious crime.
Sincerely yours,
Matt L. Rodriguez, Chairman.
------
National District
Attorneys Association,
Alexandria, VA.
Resolution
Encryption
Whereas, the introduction of digitally-based
telecommunications technologies as well as the widespread use
of computers and computer networks having encryption
capabilities are facilitating the development and production of
strong, affordable encryption products and services for private
sector use; and
Whereas, on one hand the use of strong encryption products
and services are extremely beneficial when used legitimately to
protect commercially sensitive information and communications.
On the other hand, the potential use of strong encryption
products and services that do not allow for timely law
enforcement decryption by a vast array of criminals and
terrorist to conceal their criminal communications and
information from law enforcement poses an extremely serious
threat to public safety: and
Whereas, the law enforcement community is extremely
concerned about the serious threat posed by the use of these
strong encryption products and services that do not allow for
authorization (court-authorized wiretaps or court-authorized
search and seizure); and
Whereas, law enforcement fully supports a balanced
encryption policy that satisfies both the commercial needs of
industry for strong encryption while at the same time
satisfying law enforcement's public safety needs for the timely
decryption of encrypted criminal communications and
information; and
Whereas, law enforcement has found that strong key recovery
encryption products and services are clearly the best way, and
perhaps the only way, to achieve both the goals of industry and
law enforcement; and
Whereas, government representatives have been working with
industry to encourage the voluntary development, sale, and use
of key recovery encryption products and services in its pursuit
of a balanced encryption policy;
Be it resolved, That the National District Attorneys
Association supports and encourages the development and
adoption of a balanced encryption policy that encourages the
development, sale, and use of key recovery encryption products
and services, both domestically and abroad. We believe that
this approach represents a policy that appropriately addresses
both the commercial needs of industry while at the same time
satisfying law enforcement's public safety needs.
------
Encryption
Whereas, the introduction of digitally-based
telecommunications technologies, as well as the widespread use
of computers and computer networks having encryption
capabilities are facilitating the development and production of
affordable and robust encryption products for private sector
use; and
Whereas, on one hand encryption is extremely beneficial
when used legitimately to protect commercially sensitive
information and communications. On the other hand, the
potential use of such encryption products by a vast array of
criminals and terrorists to conceal their criminal
communications and information from law enforcement poses an
extremely serious threat to public safety; and
Whereas, the law enforcement community is extremely
concerned about the serious threat posed by the use of robust
encryption products that do not allow for law enforcement
access and its timely decryption, pursuant to lawful
authorization (court-authorized wiretaps or court-authorized
search and seizure); and
Whereas, law enforcement fully supports a balanced
encryption policy that satisfies both the commercial needs of
industry for robust encryption while at the same time
satisfying law enforcement's public safety needs; and
Whereas, law enforcement has found that robust key-escrow
encryption is clearly the best way, and perhaps the only way,
to achieve both the goals of industry and law enforcement; and
Whereas, government representatives have been working with
industry to encourage the voluntary development, sale, and use
of key-escrow encryption in its pursuit of a balanced
encryption policy: Now, therefore, be it
Resolved, that the International Association of Chiefs of
Police, duly assembled at its 103rd annual conference in
Phoenix, Arizona supports and encourages the development and
adoption of a key-escrow encryption policy, which we believe
represents a policy that appropriately addresses both the
commercial needs of industry while at the same time satisfying
law enforcement's public safety needs and that we oppose any
efforts, legislatively or otherwise, that would undercut the
adoption of such a balanced encryption policy.
------
National Sheriffs' Association
Chiefs of Police,
Resolution
digital telecommunications encryption
Whereas, the introduction of digitally-based
telecommunications technologies as well as the widespread use
of computers and computer networks having encryption
capabilities are facilitating the development and production of
affordable and robust encryption products for private sector
use: and
Whereas, on one hand, encryption is extremely beneficial
when used legitimately to protect commercially sensitive
information and communications. On the other hand, the
potential use of such encryption products by a vast array of
criminals and terrorists to conceal their criminal
communications and information from law enforcement poses an
extremely serious threat to public safety; and
Whereas, the law enforcement community is extremely
concerned about the serious threat posed by the use of robust
encryption products that do not allow for court authorized law
enforcement access and its timely decryption, pursuant to
lawful authorization; and
Whereas, law enforcement fully supports a balanced
encryption policy that satisfies both the commercial needs of
industry for robust encryption while at the same time
satisfying law enforcement's public safety needs; and
Whereas, law enforcement has found that robust key-escrow
encryption is clearly the best way, and perhaps the only way,
to achieve both the goals of industry and law enforcement; and
Whereas, government representatives have been working with
industry to encourage the voluntary development, sale and use
of key-escrow encryption in its pursuit of a balanced
encryption policy; and therefore, be it
Resolved That the National Sheriffs' Association supports
and encourages the development and adoption of a key-escrow
encryption policy which we believe represents a policy that
appropriately addresses both the commercial needs of industry
while at the same time satisfying law enforcement's public
safety needs and that we oppose any efforts, legislatively or
otherwise, that would undercut the adoption of such a balanced
encryption policy.
------
Imperial County Sheriff,
Coroner's Office,
El Centro, CA, August 26, 1997.
Re Key recovery of encrypted data.
Hon. Porter J. Goss,
Chairman, Permanent Select Committee on Intelligence, Washington, DC.
Dear Chairman Goss: I join my associates in Federal law
enforcement, as well as the International Association of Chiefs
of Police, the National Sheriff's Association, and the National
District Attorney's Association, in urging you to make
provisions for key recovery of encrypted data. Both of you and
your Committee are familiar with the technology and the issues,
and I won't waste your time or attention in a lengthy discourse
on what encryption or key recovery is. You know as much about
the technology as I do.
Of particular interest to me is the ability of
international drug cartels to thwart legitimate, court-
sanctioned interception of criminal communications here along
the border. Drug trafficking organizations are sophisticated,
aggressive, and well-funded. They certainly are taking
advantage today of encryption technology in our own country.
Without provisions for key recovery, it will be virtually
impossible for law enforcement to conduct criminal
investigations of telecommunications activity or electronic
data files. A simple solution is to require a provision in
trade agreements which requires a trustworthy key agent to
maintain the key to encrypted data. Such a requirement would
still allow legitimate safeguarding of data, but would also
allow law enforcement to crack coded information in criminal
investigations and national security matters.
I would be pleased to discuss this vital matter with you
and I will be appreciative of any consideration you may give
this issue.
Sincerely,
Oren R. Fox, Sheriff-Coroner.
�