[House Report 106-117]
[From the U.S. Government Publishing Office]
106th Congress Rept. 106-117
HOUSE OF REPRESENTATIVES
1st Session Part 5
======================================================================
ENCRYPTION FOR THE NATIONAL INTEREST ACT
_______
July 23, 1999.--Committed to the Committee of the Whole House on the
State of the Union and ordered to be printed
_______
Mr. Goss, from the Permanent Select Committee on Intelligence,
submitted the following
R E P O R T
[To accompany H.R. 850]
[Including cost estimate of the Congressional Budget Office]
The Permanent Select Committee on Intelligence, to whom was
referred the bill (H.R. 850) to amend title 18, United States
Code, to affirm the rights of United States persons to use and
sell encryption and to relax export controls on encryption,
having considered the same, report favorably thereon with an
amendment and recommend that the bill as amended do pass.
The amendment is as follows:
Strike out all after the enacting clause and insert in lieu
thereof the following:
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``Encryption for the
National Interest Act''.
(b) Table of Contents.--The table of contents is as follows:
Sec. 1. Short title; table of contents.
Sec. 2. Statement of policy.
Sec. 3. Congressional findings.
TITLE I--DOMESTIC USES OF ENCRYPTION
Sec. 101. Definitions.
Sec. 102. Lawful use of encryption.
Sec. 103. Unlawful use of encryption.
TITLE II--GOVERNMENT PROCUREMENT
Sec. 201. Federal purchases of encryption products.
Sec. 202. Networks established with Federal funds.
Sec. 203. Government contract authority.
Sec. 204. Product labels.
Sec. 205. No private mandate.
Sec. 206. Exclusion.
TITLE III--EXPORTS OF ENCRYPTION
Sec. 301. Exports of encryption.
Sec. 302. License exception for certain encryption products.
Sec. 303. Discretionary authority.
Sec. 304. Expedited review authority.
Sec. 305. Encryption licenses required.
Sec. 306. Encryption Industry and Information Security Board.
TITLE IV--LIABILITY LIMITATIONS
Sec. 401. Compliance with court order.
Sec. 402. Compliance defense.
Sec. 403. Good faith defense.
TITLE V--INTERNATIONAL AGREEMENTS
Sec. 501. Sense of Congress.
Sec. 502. Failure to negotiate.
Sec. 503. Report to Congress.
TITLE VI--MISCELLANEOUS PROVISIONS
Sec. 601. Effect on law enforcement activities.
Sec. 602. Interpretation.
Sec. 603. FBI technical support.
Sec. 604. Severability.
SEC. 2. STATEMENT OF POLICY.
It is the policy of the United States to protect public computer
networks through the use of strong encryption technology, to promote
the export of encryption products developed and manufactured in the
United States, and to preserve public safety and national security.
SEC. 3. CONGRESSIONAL FINDINGS.
The Congress finds the following:
(1) Information security technology, encryption, is--
(A) fundamental to secure the flow of intelligence
information to national policy makers;
(B) critical to the President and national command
authority of the United States;
(C) necessary to the Secretary of State for the
development and execution of the foreign policy of the
United States;
(D) essential to the Secretary of Defense's
responsibilities to ensure the effectiveness of the
Armed Forces of the United States;
(E) invaluable to the protection of the citizens of
the United States from fraud, theft, drug trafficking,
child pornography, kidnapping, and money laundering;
and
(F) basic to the protection of the nation's critical
infrastructures, including electrical grids, banking
and financial systems, telecommunications, water
supplies, and transportation.
(2) The goal of any encryption legislation should be to
enhance and promote the global market strength of United States
encryption manufacturers, while guaranteeing that national
security and public safety obligations of the Government can
still be accomplished.
(3) It is essential to the national security interests of the
United States that United States encryption products dominate
the global market.
(4) Widespread use of unregulated encryption products poses a
significant threat to the national security interests of the
United States.
(5) Leaving the national security and public safety
responsibilities of the Government to the marketplace alone is
not consistent with the obligations of the Government to
protect the public safety and to defend the Nation.
(6) In order for the United States position in the global
market to benefit the national security interests of the United
States, it is imperative that the export of encryption products
be subject to a dynamic and constructive export control regime.
(7) Exports of commercial items are best managed through a
regulatory structure which has flexibility to address
constantly changing market conditions.
(8) Managing sensitive dual-use technologies, such as
encryption products, is challenging in any regulatory
environment due to the difficulty in balancing competing
interests in national security, public safety, privacy, fair
competition within the industry, and the dynamic nature of the
technology.
(9) There is a widespread perception that the executive
branch has not adequately balanced the equal and competing
interests of national security, public safety, privacy, and
industry.
(10) There is a perception that the current encryption export
control policy has done more to disadvantage United States
business interests than to promote and protect national
security and public safety interests.
(11) A balance can and must be achieved between industry
interests, national security, law enforcement requirements, and
privacy needs.
(12) A court order process should be required for access to
plaintext, where and when available, and criminal and civil
penalties should be imposed for misuse of decryption
information.
(13) Timely access to plaintext capability is--
(A) necessary to thwarting potential terrorist
activities;
(B) extremely useful in the collection of foreign
intelligence;
(C) indispensable to force protection requirements;
(D) critical to the investigation and prosecution of
criminals; and
(E) both technically and economically possible.
(14) The United States Government should encourage the
development of those products that would provide a capability
allowing law enforcement (Federal, State, and local), with a
court order only, to gain timely access to the plaintext of
either stored data or data in transit.
(15) Unless law enforcement has the benefit of such market
encouragement, drug traffickers, spies, child pornographers,
pedophiles, kidnappers, terrorists, mobsters, weapons
proliferators, fraud schemers, and other criminals will be able
to use encryption software to protect their criminal activity
and hinder the criminal justice system.
(16) An effective regulatory approach to manage the
proliferation of encryption products which have dual-use
capabilities must be maintained and greater confidence in the
ability of the executive branch to preserve and promote the
competitive advantage of the United States encryption industry
in the global market must be provided.
TITLE I--DOMESTIC USES OF ENCRYPTION
SEC. 101. DEFINITIONS.
For purposes of this Act:
(1) Attorney for the government.--The term ``attorney for the
Government'' has the meaning given such term in Rule 54(c) of
the Federal Rules of Criminal Procedure, and also includes any
duly authorized attorney of a State who is authorized to
prosecute criminal offenses within such State.
(2) Authorized party.--The term ``authorized party'' means
any person with the legal authority to obtain decryption
information or plaintext of encrypted data, including
communications.
(3) Communications.--The term ``communications'' means any
wire communications or electronic communications as those terms
are defined in paragraphs (1) and (12) of section 2510 of title
18, United States Code.
(4) Court of competent jurisdiction.--The term ``court of
competent jurisdiction'' means any court of the United States
organized under Article III of the Constitution of the United
States, the court organized under the Foreign Intelligence
Surveillance Act of 1978 (50 U.S.C. 1801 et seq.), or a court
of general criminal jurisdiction of a State authorized pursuant
to the laws of such State to enter orders authorizing searches
and seizures.
(5) Data network service provider.--The term ``data network
service provider'' means a person offering any service to the
general public that provides the users thereof with the ability
to transmit or receive data, including communications.
(6) Decryption.--The term ``decryption'' means the
retransformation or unscrambling of encrypted data, including
communications, to its readable plaintext version. To
``decrypt'' data, including communications, is to perform
decryption.
(7) Decryption information.--The term ``decryption
information'' means information or technology that enables one
to readily retransform or unscramble encrypted data from its
unreadable and incomprehensible format to its readable
plaintext version.
(8) Electronic storage.--The term ``electronic storage'' has
the meaning given that term in section 2510(17) of title 18,
United States Code.
(9) Encryption.--The term ``encryption'' means the
transformation or scrambling of data, including communications,
from plaintext to an unreadable or incomprehensible format,
regardless of the technique utilized for such transformation or
scrambling and irrespective of the medium in which such data,
including communications, occur or can be found, for the
purposes of protecting the content of such data, including
communications. To ``encrypt'' data, including communications,
is to perform encryption.
(10) Encryption product.--The term ``encryption product''
means any software, technology, commodity, or mechanism, that
can be used to encrypt or decrypt or has the capability of
encrypting or decrypting any data, including communications.
(11) Foreign availability.--The term ``foreign availability''
has the meaning applied to foreign availability of encryption
products subject to controls under the Export Administration
Regulations, as in effect on July 1, 1999.
(12) Government.--The term ``Government'' means the
Government of the United States and any agency or
instrumentality thereof, or the government of any State, and
any of its political subdivisions.
(13) Investigative or law enforcement officer.--The term
``investigative or law enforcement officer'' has the meaning
given that term in section 2510(7) of title 18, United States
Code.
(14) National security.--The term ``national security'' means
the national defense, intelligence, or foreign policy interests
of the United States.
(15) Plaintext.--The term ``plaintext'' means the readable or
comprehensible format of that data, including communications,
which has been encrypted.
(16) Plainvoice.--The term ``plainvoice'' means communication
specific plaintext.
(17) Secretary.--The term ``Secretary'' means the Secretary
of Commerce, unless otherwise specifically identified.
(18) State.--The term ``State'' has the meaning given that
term in section 2510(3) of title 18, United States Code.
(19) Telecommunications carrier.--The term
``telecommunications carrier'' has the meaning given that term
in section 3 of the Communications Act of 1934 (47 U.S.C. 153).
(20) Telecommunications system.--The term
``telecommunications system'' means any equipment, technology,
or related software used in the movement, switching,
interchange, transmission, reception, or internal signaling of
data, including communications over wire, fiber optic, radio
frequency, or any other medium.
(21) United states person.--The term ``United States person''
means--
(A) any citizen of the United States;
(B) any other person organized under the laws of any
State; and
(C) any person organized under the laws of any
foreign country who is owned or controlled by
individuals or persons described in subparagraphs (A)
and (B).
SEC. 102. LAWFUL USE OF ENCRYPTION.
Except as otherwise provided by this Act or otherwise provided by
law, it shall be lawful for any person within any State and for any
United States person to use any encryption product, regardless of
encryption algorithm selected, encryption bit length chosen, or
implementation technique or medium used.
SEC. 103. UNLAWFUL USE OF ENCRYPTION.
(a) In General.--Part I of title 18, United States Code, is amended
by inserting after chapter 123 the following new chapter:
``CHAPTER 125--ENCRYPTED DATA, INCLUDING COMMUNICATIONS
``Sec.
``2801. Unlawful use of encryption in furtherance of a criminal act.
``2802. Privacy protection.
``2803. Court order access to plaintext or decryption information.
``2804. Notification procedures.
``2805. Lawful use of plaintext or decryption information.
``2806. Identification of decryption information.
``2807. Definitions.
``Sec. 2801. Unlawful use of encryption in furtherance of a criminal
act
``(a) Prohibited Acts.--Whoever knowingly uses encryption in
furtherance of the commission of a criminal offense for which the
person may be prosecuted in a district court of the United States
shall--
``(1) in the case of a first offense under this section, be
imprisoned for not more than 5 years, or fined under this
title, or both; and
``(2) in the case of a second or subsequent offense under
this section, be imprisoned for not more than 10 years, or
fined under this title, or both.
``(b) Consecutive Sentence.--Notwithstanding any other provision of
law, the court shall not place on probation any person convicted of a
violation of this section, nor shall the term of imprisonment imposed
under this section run concurrently with any other term of imprisonment
imposed for the underlying criminal offense.
``(c) Probable Cause Not Constituted by Use of Encryption.--The use
of encryption by itself shall not establish probable cause to believe
that a crime is being or has been committed.
``Sec. 2802. Privacy protection
``(a) In General.--It shall be unlawful for any person to
intentionally--
``(1) obtain or use decryption information without lawful
authority for the purpose of decrypting data, including
communications;
``(2) exceed lawful authority in decrypting data, including
communications;
``(3) break the encryption code of another person without
lawful authority for the purpose of violating the privacy or
security of that person or depriving that person of any
property rights;
``(4) impersonate another person for the purpose of obtaining
decryption information of that person without lawful authority;
``(5) facilitate or assist in the encryption of data,
including communications, knowing that such data, including
communications, are to be used in furtherance of a crime; or
``(6) disclose decryption information in violation of a
provision of this chapter.
``(b) Criminal Penalty.--Whoever violates this section shall be
imprisoned for not more than 10 years, or fined under this title, or
both.
``Sec. 2803. Court order access to plaintext or decryption information
``(a) Court Order.--(1) A court of competent jurisdiction shall issue
an order, ex parte, granting an investigative or law enforcement
officer timely access to the plaintext of encrypted data, including
communications, or requiring any person in possession of decryption
information to provide such information to a duly authorized
investigative or law enforcement officer--
``(A) upon the application by an attorney for the Government
that--
``(i) is made under oath or affirmation by the
attorney for the Government; and
``(ii) provides a factual basis establishing the
relevance that the plaintext or decryption information
being sought has to a law enforcement, foreign
counterintelligence, or international terrorism
investigation then being conducted pursuant to lawful
authorities; and
``(B) if the court finds, in writing, that the plaintext or
decryption information being sought is relevant to an ongoing
lawful law enforcement, foreign counterintelligence, or
international terrorism investigation and the investigative or
law enforcement officer is entitled to such plaintext or
decryption information.
``(2) The order issued by the court under this section shall be
placed under seal, except that a copy may be made available to the
investigative or law enforcement officer authorized to obtain access to
the plaintext of the encrypted information, or authorized to obtain the
decryption information sought in the application. Such order shall,
subject to the notification procedures set forth in section 2804, also
be made available to the person responsible for providing the plaintext
or the decryption information, pursuant to such order, to the
investigative or law enforcement officer.
``(3) Disclosure of an application made, or order issued, under this
section, is not authorized, except as may otherwise be specifically
permitted by this section or another order of the court.
``(b) Record of Access Required.--(1) There shall be created an
electronic record, or similar type record, of each instance in which an
investigative or law enforcement officer, pursuant to an order under
this section, gains access to the plaintext of otherwise encrypted
information, or is provided decryption information, without the
knowledge or consent of the owner of the data, including
communications, who is the user of the encryption product involved.
``(2) The court issuing the order under this section may require that
the electronic or similar type of record described in paragraph (1) is
maintained in a place and a manner that is not within the custody or
control of an investigative or law enforcement officer gaining the
access or provided the decryption information. The record shall be
tendered to the court, upon notice from the court.
``(3) The court receiving such electronic or similar type of record
described in paragraph (1) shall make the original and a certified copy
of the record available to the attorney for the Government making
application under this section, and to the attorney for, or directly
to, the owner of the data, including communications, who is the user of
the encryption product, pursuant to the notification procedures set
forth in section 2804.
``(c) Authority To Intercept Communications Not Increased.--Nothing
in this chapter shall be construed to enlarge or modify the
circumstances or procedures under which a Government entity is entitled
to intercept or obtain oral, wire, or electronic communications or
information.
``(d) Construction.--This chapter shall be strictly construed to
apply only to a Government entity's ability to decrypt data, including
communications, for which it has previously obtained lawful authority
to intercept or obtain pursuant to other lawful authorities, which
without an order issued under this section would otherwise remain
encrypted.
``Sec. 2804. Notification procedures
``(a) In General.--Within a reasonable time, but not later than 90
days after the filing of an application for an order under section 2803
which is granted, the court shall cause to be served, on the persons
named in the order or the application, and such other parties whose
decryption information or whose plaintext has been provided to an
investigative or law enforcement officer pursuant to this chapter, as
the court may determine is in the interest of justice, an inventory
which shall include notice of--
``(1) the fact of the entry of the order or the application;
``(2) the date of the entry of the application and issuance
of the order; and
``(3) the fact that the person's decryption information or
plaintext data, including communications, has been provided or
accessed by an investigative or law enforcement officer.
The court, upon the filing of a motion, may make available to that
person or that person's counsel, for inspection, such portions of the
plaintext, applications, and orders as the court determines to be in
the interest of justice.
``(b) Postponement of Inventory for Good Cause.--(1) On an ex parte
showing of good cause by an attorney for the Government to a court of
competent jurisdiction, the serving of the inventory required by
subsection (a) may be postponed for an additional 30 days after the
granting of an order pursuant to the ex parte motion.
``(2) No more than 3 ex parte motions pursuant to paragraph (1) are
authorized.
``(c) Admission Into Evidence.--The content of any encrypted
information that has been obtained pursuant to this chapter or evidence
derived therefrom shall not be received in evidence or otherwise
disclosed in any trial, hearing, or other proceeding in a Federal or
State court, other than the court organized pursuant to the Foreign
Intelligence Surveillance Act of 1978, unless each party, not less than
10 days before the trial, hearing, or proceeding, has been furnished
with a copy of the order, and accompanying application, under which the
decryption or access to plaintext was authorized or approved. This
10-day period may be waived by the court if the court finds that it was
not possible to furnish the party with the information described in the
preceding sentence within 10 days before the trial, hearing, or
proceeding and that the party will not be prejudiced by the delay in
receiving such information.
``(d) Construction.--The provisions of this chapter shall be
construed consistent with--
``(1) the Classified Information Procedures Act (18 U.S.C.
App.); and
``(2) the Foreign Intelligence Surveillance Act of 1978 (50
U.S.C. 1801 et seq.).
``(e) Contempt.--Any violation of the provisions of this section may
be punished by the court as a contempt thereof.
``(f) Motion To Suppress.--Any aggrieved person in any trial,
hearing, or proceeding in or before any court, department, officer,
agency, regulatory body, or other authority of the United States or a
State, other than the court organized pursuant to the Foreign
Intelligence Surveillance Act of 1978, may move to suppress the
contents of any decrypted data, including communications, obtained
pursuant to this chapter, or evidence derived therefrom, on the grounds
that--
``(1) the plaintext was decrypted or accessed in violation of
this chapter;
``(2) the order of authorization or approval under which it
was decrypted or accessed is insufficient on its face; or
``(3) the decryption was not made in conformity with the
order of authorization or approval.
Such motion shall be made before the trial, hearing, or proceeding
unless there was no opportunity to make such motion, or the person was
not aware of the grounds of the motion. If the motion is granted, the
plaintext of the decrypted data, including communications, or evidence
derived therefrom, shall be treated as having been obtained in
violation of this chapter. The court, upon the filing of such motion by
the aggrieved person, may make available to the aggrieved person or
that person's counsel for inspection such portions of the decrypted
plaintext, or evidence derived therefrom, as the court determines to be
in the interests of justice.
``(g) Appeal by United States.--In addition to any other right to
appeal, the United States shall have the right to appeal from an order
granting a motion to suppress made under subsection (f), or the denial
of an application for an order under section 2803, if the attorney for
the Government certifies to the court or other official granting such
motion or denying such application that the appeal is not taken for
purposes of delay. Such appeal shall be taken within 30 days after the
date the order was entered on the docket and shall be diligently
prosecuted.
``(h) Civil Action for Violation.--Except as otherwise provided in
this chapter, any person described in subsection (i) may, in a civil
action, recover from the United States Government the actual damages
suffered by the person as a result of a violation described in that
subsection, reasonable attorney's fees, and other litigation costs
reasonably incurred in prosecuting such claim.
``(i) Covered Persons.--Subsection (h) applies to any person whose
decryption information--
``(1) is knowingly obtained without lawful authority by an
investigative or law enforcement officer;
``(2) is obtained by an investigative or law enforcement
officer with lawful authority and is knowingly used or
disclosed by such officer unlawfully; or
``(3) is obtained by an investigative or law enforcement
officer with lawful authority and whose decryption information
is unlawfully used to disclose the plaintext of the data,
including communications.
``(j) Limitation.--A civil action under subsection (h) shall be
commenced not later than 2 years after the date on which the unlawful
action took place, or 2 years after the date on which the claimant
first discovers the violation, whichever is later.
``(k) Exclusive Remedies.--The remedies and sanctions described in
this chapter with respect to the decryption of data, including
communications, are the only judicial remedies and sanctions for
violations of this chapter involving such decryptions, other than
violations based on the deprivation of any rights, privileges, or
immunities secured by the Constitution.
``(l) Technical Assistance by Providers.--A provider of encryption
technology or network service that has received an order issued by a
court pursuant to this chapter shall provide to the investigative or
law enforcement officer concerned such technical assistance as is
necessary to execute the order. Such provider may, however, move the
court to modify or quash the order on the ground that its assistance
with respect to the decryption or access to plaintext cannot be
performed in fact, or in a timely or reasonable fashion. The court,
upon notice to the Government, shall decide such motion expeditiously.
``(m) Reports to Congress.--In May of each year, the Attorney
General, or an Assistant Attorney General specifically designated by
the Attorney General, shall report in writing to Congress on the number
of applications made and orders entered authorizing Federal, State, and
local law enforcement access to decryption information for the purposes
of reading the plaintext of otherwise encrypted data, including
communications, pursuant to this chapter. Such reports shall be
submitted to the Committees on the Judiciary of the House of
Representatives and of the Senate, and to the Permanent Select
Committee on Intelligence for the House of Representatives and the
Select Committee on Intelligence for the Senate.
``Sec. 2805. Lawful use of plaintext or decryption information
``(a) Authorized Use of Decryption Information.--
``(1) Criminal investigations.--An investigative or law
enforcement officer to whom plaintext or decryption information
is provided may only use such plaintext or decryption
information for the purposes of conducting a lawful criminal
investigation, foreign counterintelligence, or international
terrorism investigation, and for the purposes of preparing for
and prosecuting any criminal violation of law.
``(2) Civil redress.--Any plaintext or decryption information
provided under this chapter to an investigative or law
enforcement officer may not be disclosed, except by court
order, to any other person for use in a civil proceeding that
is unrelated to a criminal investigation and prosecution for
which the plaintext or decryption information is authorized
under paragraph (1). Such order shall only issue upon a showing
by the party seeking disclosure that there is no alternative
means of obtaining the plaintext, or decryption information,
being sought and the court also finds that the interests of
justice would not be served by nondisclosure.
``(b) Limitation.--An investigative or law enforcement officer may
not use decryption information obtained under this chapter to determine
the plaintext of any data, including communications, unless it has
obtained lawful authority to obtain such data, including
communications, under other lawful authorities.
``(c) Return of Decryption Information.--An attorney for the
Government shall, upon the issuance of an order of a court of competent
jurisdiction--
``(1)(A) return any decryption information to the person
responsible for providing it to an investigative or law
enforcement officer pursuant to this chapter; or
``(B) destroy such decryption information, if the court finds
that the interests of justice or public safety require that
such decryption information should not be returned to the
provider; and
``(2) within 10 days after execution of the court's order to
return or destroy the decryption information--
``(A) certify to the court that the decryption
information has either been returned or destroyed
consistent with the court's order; and
``(B) if applicable, notify the provider of the
decryption information of the destruction of such
information.
``(d) Other Disclosure of Decryption Information.--Except as
otherwise provided in section 2803, decryption information or the
plaintext of otherwise encrypted data, including communications, shall
not be disclosed by any person unless the disclosure is--
``(1) to the person encrypting the data, including
communications, or an authorized agent thereof;
``(2) with the consent of the person encrypting the data,
including pursuant to a contract entered into with the person;
``(3) pursuant to a court order upon a showing of compelling
need for the information that cannot be accommodated by any
other means if--
``(A) the person who supplied the information is
given reasonable notice, by the person seeking the
disclosure, of the court proceeding relevant to the
issuance of the court order; and
``(B) the person who supplied the information is
afforded the opportunity to appear in the court
proceeding and contest the claim of the person seeking
the disclosure;
``(4) pursuant to a determination by a court of competent
jurisdiction that another person is lawfully entitled to hold
such decryption information, including determinations arising
from legal proceedings associated with the incapacity, death,
or dissolution of any person; or
``(5) otherwise permitted by law.
``Sec. 2806. Identification of decryption information
``(a) Identification.--To avoid inadvertent disclosure of decryption
information, any person who provides decryption information to an
investigative or law enforcement officer pursuant to this chapter shall
specifically identify that part of the material that discloses
decryption information as such.
``(b) Responsibility of Investigative or Law Enforcement Officer.--
The investigative or law enforcement officer receiving any decryption
information under this chapter shall maintain such information in a
facility and in a method so as to reasonably assure that inadvertent
disclosure does not occur.
``Sec. 2807. Definitions
``The definitions set forth in section 101 of the Encryption for the
National Interest Act shall apply to this chapter.''.
(b) Conforming Amendment.--The table of chapters for part I of title
18, United States Code, is amended by inserting after the item relating
to chapter 121 the following new item:
``125. Encrypted data, including communications............. 2801''.
TITLE II--GOVERNMENT PROCUREMENT
SEC. 201. FEDERAL PURCHASES OF ENCRYPTION PRODUCTS.
(a) Decryption Capabilities.--The President may, consistent with the
provisions of subsection (b), direct that any encryption product or
service purchased or otherwise procured by the United States Government
to provide the security service of data confidentiality for a computer
system owned and operated by the United States Government shall include
recoverability features or functions that enable the timely decryption
of encrypted data, including communications, or timely access to
plaintext by an authorized party without the knowledge or cooperation
of the person using such encryption products or services.
(b) Consistency With Intelligence Services and Military Operations.--
The President shall ensure that all encryption products purchased or
used by the United States Government are supportive of, and consistent
with, all statutory obligations to protect sources and methods of
intelligence collection and activities, and supportive of, and
consistent with, those needs required for military operations and the
conduct of foreign policy.
SEC. 202. NETWORKS ESTABLISHED WITH FEDERAL FUNDS.
The President may direct that any communications network established
for the purpose of conducting the business of the Federal Government
shall use encryption products that--
(1) include features and functions that enable the timely
decryption of encrypted data, including communications, or
timely access to plaintext, by an authorized party without the
knowledge or cooperation of the person using such encryption
products or services; and
(2) are supportive of, and consistent with, all statutory
obligations to protect sources and methods of intelligence
collection and activities, and supportive of, and consistent
with, those needs required for military operations and the
conduct of foreign policy.
SEC. 203. GOVERNMENT CONTRACT AUTHORITY.
The President may require as a condition of any contract by the
Government with a private sector vendor that any encryption product
used by the vendor in carrying out the provisions of the contract with
the Government include features and functions that enable the timely
decryption of encrypted data, including communications, or timely
access to plaintext, by an authorized party without the knowledge or
cooperation of the person using such encryption products or services.
SEC. 204. PRODUCT LABELS.
An encryption product may be labeled to inform Government users that
the product is authorized for sale to or for use by Government agencies
or Government contractors in transactions and communications with the
United States Government under this title.
SEC. 205. NO PRIVATE MANDATE.
The United States Government may not require the use of encryption
standards for the private sector except as otherwise authorized by
section 204.
SEC. 206. EXCLUSION.
Nothing in this title shall apply to encryption products and services
used solely for access control, authentication, integrity,
nonrepudiation, digital signatures, or other similar purposes.
TITLE III--EXPORTS OF ENCRYPTION
SEC. 301. EXPORTS OF ENCRYPTION.
(a) Authority To Control Exports.--The President shall control the
export of all dual-use encryption products.
(b) Authority To Deny Export for National Security Reasons.--
Notwithstanding any provision of this title, the President may deny the
export of any encryption product on the basis that its export is
contrary to the national security.
(c) Decisions Not Subject to Judicial Review.--Any decision based on
national security that is made by the President or his designee with
respect to the export of encryption products under this title shall not
be subject to judicial review.
SEC. 302. LICENSE EXCEPTION FOR CERTAIN ENCRYPTION PRODUCTS.
(a) License Exception.--Upon the enactment of this Act, any
encryption product with an encryption strength of 64 bits or less shall
be eligible for export under a license exception if--
(1) such encryption product is submitted for a 1-time
technical review;
(2) such encryption product does not require licensing under
otherwise applicable regulations;
(3) such encryption product is not intended for a country,
end user, or end use that is by regulation ineligible to
receive such product, and the encryption product is otherwise
qualified for export;
(4) the exporter, within 180 days after the export of the
product, submits a certification identifying--
(A) the intended end use of the product; and
(B) the name and address of the intended recipient of
the product, where available;
(5) the exporter, within 180 days after the export of the
product, provides the names and addresses of its distribution
chain partners; and
(6) the exporter, at the time of submission of the product
for technical review, provides proof that its distribution
chain partners have contractually agreed to abide by all laws
and regulations of the United States concerning the export and
reexport of encryption products designed or manufactured within
the United States.
(b) One-Time Technical Review.--(1) The technical review referred to
in subsection (a) shall be completed within no longer than 45 days
after the submission of all of the information required under paragraph
(2).
(2) The President shall specify the information that must be
submitted for the 1-time technical review referred to in this section.
(3) An encryption product may not be exported during the technical
review of that product under this section.
(c) Periodic Review of License Exception Eligibility Level.--(1) Not
later than 180 days after the date of the enactment of this Act, the
President shall notify the Congress of the maximum level of encryption
strength, which may not be lower than 64-bit, that may be exported from
the United States under license exception pursuant to this section
consistent with the national security.
(2) The President shall, at the end of each successive 180-day period
after the notice provided to the Congress under paragraph (1), notify
the Congress of the maximum level of encryption strength, which may not
be lower than that in effect under this section during that 180-day
period, that may be exported from the United States under a license
exception pursuant to this section consistent with the national
security.
(d) Factors Not To Be Considered.--A license exception for the
exports of an encryption product under this section may be allowed
whether or not the product contains a method of decrypting encrypted
data.
SEC. 303. DISCRETIONARY AUTHORITY.
Notwithstanding the requirements of section 305, the President may
permit the export, under a license exception pursuant to the conditions
of section 302, of encryption products with an encryption strength
exceeding the maximum level eligible for a license exception under
section 302, if the export is consistent with the national security.
SEC. 304. EXPEDITED REVIEW AUTHORITY.
The President shall establish procedures for the expedited review of
commodity classification requests, or export license applications,
involving encryption products that are specifically approved, by
regulation, for export.
SEC. 305. ENCRYPTION LICENSES REQUIRED.
(a) United States Products Exceeding Certain Bit Length.--Except as
permitted under section 303, in the case of all encryption products
with an encryption strength exceeding the maximum level eligible for a
license exception under section 302, which are designed or manufactured
within the United States, the President may grant a license for export
of such encryption products, under the following conditions:
(1) There shall not be any requirement, as a basis for an
export license, that a product contains a method of--
(A) gaining timely access to plaintext; or
(B) gaining timely access to decryption information.
(2) The export license applicant shall submit--
(A) the product for technical review;
(B) a certification, under oath, identifying--
(i) the intended end use of the product; and
(ii) the expected end user or class of end
users of the product;
(C) proof that its distribution chain partners have
contractually agreed to abide by all laws and
regulations of the United States concerning the export
and reexport of encryption products designed or
manufactured within the United States; and
(D) the names and addresses of its distribution chain
partners.
(b) Technical Review for License Applicants.--(1) The technical
review described in subsection (a)(3)(A) shall be completed within 45
days after the submission of all the information required under
paragraph (2).
(2) The information to be submitted for the technical review shall be
the same as that required to be submitted pursuant to section
302(b)(2).
(3) An encryption product may not be exported during the technical
review of that product under this section.
(c) Post-Export Reporting.--
(1) Unauthorized use.--All exporters of encryption products
that are designed or manufactured within the United States
shall submit a report to the Secretary at any time the exporter
has reason to believe any such exported product is being
diverted to a use or a user not approved at the time of export.
(2) Pirating.--All exporters of encryption products that are
designed or manufactured within the United States shall report
any pirating of their technology or intellectual property to
the Secretary as soon as practicable after discovery.
(3) Distribution chain partners.--All exporters of encryption
products that are designed or manufactured within the United
States, and all distribution chain partners of such exporters,
shall submit to the Secretary a report which shall specify--
(A) the particular product sold;
(B) the name and address of--
(i) the ultimate end user of the product, if
known; or
(ii) the name and address of the next purchaser
in the distribution chain; and
(C) the intended use of the product sold.
(d) Exercise of Other Authorities.--The Secretary, the Secretary of
Defense, and the Secretary of State may exercise the authorities they
have under other provisions of law, including the Export Administration
Act of 1979, as continued in effect under the International Emergency
Economic Powers Act, to carry out this title.
(e) Waiver Authority.--
(1) In general.--The President may by Executive order waive
any provision of this title, or the applicability of any such
provision to a person or entity, if the President determines
that the waiver is necessary to advance the national security.
The President shall, not later than 15 days after making such
determination, submit a report to the committees referred to in
paragraph (2) that includes the factual basis upon which such
determination was made. The report may be in classified format.
(2) Committees.--The committees referred to in paragraph (1)
are the Committee on International Relations, the Committee on
Armed Services, and the Permanent Select Committee on
Intelligence of the House of Representatives, and the Committee
on Foreign Relations, the Committee on Armed Services, and the
Select Committee on Intelligence of the Senate.
(3) Decisions not subject to judicial review.--Any
determination made by the President under this subsection shall
not be subject to judicial review.
SEC. 306. ENCRYPTION INDUSTRY AND INFORMATION SECURITY BOARD.
(a) Encryption Industry and Information Security Board Established.--
There is hereby established an Encryption Industry and Information
Security Board. The Board shall undertake an advisory role for the
President.
(b) Purposes.--The purposes of the Board are--
(1) to provide a forum to foster communication and
coordination between industry and the Federal Government on
matters relating to the use of encryption products;
(2) to enable the United States to effectively and
continually understand the benefits and risks to its national
security, law enforcement, and public safety interests by
virtue of the proliferation of strong encryption on the global
market;
(3) to evaluate and make recommendations regarding the
further development and use of encryption;
(4) to advance the development of international standards
regarding interoperability and global use of encryption
products;
(5) to promote the export of encryption products manufactured
in the United States;
(6) to recommend policies enhancing the security of public
networks;
(7) to encourage research and development of products that
will foster electronic commerce;
(8) to promote the protection of intellectual property and
privacy rights of individuals using public networks; and
(9) to evaluate the availability and market share of foreign
encryption products and their threat to United States industry.
(c) Membership.--(1) The Board shall be composed of 12 members, as
follows:
(A) The Secretary, or the Secretary's designee.
(B) The Attorney General, or his or her designee.
(C) The Secretary of Defense, or the Secretary's designee.
(D) The Director of Central Intelligence, or his or her
designee.
(E) The Director of the Federal Bureau of Investigation, or
his or her designee.
(F) The Special Assistant to the President for National
Security Affairs, or his or her designee, who shall chair the
Board.
(G) Six representatives from the private sector who have
expertise in the development, operation, marketing, law, or
public policy relating to information security or technology.
Members under this subparagraph shall each serve for 5-year
terms.
(2) The six private sector representatives described in paragraph
(1)(G) shall be appointed as follows:
(A) Two by the Speaker of the House of
Representatives.
(B) One by the Minority Leader of the House of
Representatives.
(C) Two by the Majority Leader of the Senate.
(D) One by the Minority Leader of the Senate.
(e) Meetings.--The Board shall meet at such times and in such places
as the Secretary may prescribe, but not less frequently than every four
months. The Federal Advisory Committee Act (5 U.S.C. App.) does not
apply to the Board or to meetings held by the Board under this section.
(f) Findings and Recommendations.--The chair of the Board shall
convey the findings and recommendations of the Board to the President
and to the Congress within 30 days after each meeting of the Board. The
recommendations of the Board are not binding upon the President.
(g) Limitation.--The Board shall have no authority to review any
export determination made pursuant to this title.
(h) Foreign Availability.--The consideration of foreign availability
by the Board shall include computer software that is distributed over
the Internet or advertised for sale, license, or transfer, including
over-the-counter retail sales, mail order transactions, telephone order
transactions, electronic distribution, or sale on approval and its
comparability with United States products and its use in United States
and foreign markets.
(i) Termination.--This section shall cease to be effective 10 years
after the date of the enactment of this Act.
TITLE IV--LIABILITY LIMITATIONS
SEC. 401. COMPLIANCE WITH COURT ORDER.
(a) No Liability for Compliance.--Subject to subsection (b), no civil
or criminal liability under this Act, or under any other provision of
law, shall attach to any person for disclosing or providing--
(1) the plaintext of encrypted data, including
communications;
(2) the decryption information of such encrypted data,
including communications; or
(3) technical assistance for access to the plaintext of, or
decryption information for, encrypted data, including
communications.
(b) Exception.--Subsection (a) shall not apply to a person who
provides plaintext or decryption information to another in violation of
the provisions of this Act.
SEC. 402. COMPLIANCE DEFENSE.
Compliance with the provisions of sections 2803, 2804, 2805, or 2806
of title 18, United States Code, as added by section 103(a) of this
Act, or any regulations authorized by this Act, shall provide a
complete defense for any civil action for damages based upon activities
covered by this Act, other than an action founded on contract.
SEC. 403. GOOD FAITH DEFENSE.
An objectively reasonable reliance on the legal authority provided by
this Act and the amendments made by this Act, authorizing access to the
plaintext of otherwise encrypted data, including communications, or to
decryption information that will allow the timely decryption of data,
including communications, that is otherwise encrypted, shall be an
affirmative defense to any criminal or civil action that may be brought
under the laws of the United States or any State.
TITLE V--INTERNATIONAL AGREEMENTS
SEC. 501. SENSE OF CONGRESS.
It is the sense of Congress that--
(1) the President should conduct negotiations with foreign
governments for the purposes of establishing binding export
control requirements on strong nonrecoverable encryption
products; and
(2) such agreements should safeguard the privacy of the
citizens of the United States, prevent economic espionage, and
enhance the information security needs of the United States.
SEC. 502. FAILURE TO NEGOTIATE.
The President may consider a government's refusal to negotiate
agreements described in section 501 when considering the participation
of the United States in any cooperation or assistance program with that
country.
SEC. 503. REPORT TO CONGRESS.
(a) Report to Congress.--The President shall report annually to the
Congress on the status of the international effort outlined by section
501.
(b) First Report.--The first report required under subsection (a)
shall be submitted in unclassified form no later than September 1,
2000.
TITLE VI--MISCELLANEOUS PROVISIONS
SEC. 601. EFFECT ON LAW ENFORCEMENT ACTIVITIES.
(a) Collection of Information by Attorney General.--The Attorney
General shall compile, and maintain in classified form, data on--
(1) the instances in which encryption has interfered with,
impeded, or obstructed the ability of the Department of Justice
to enforce the laws of the United States; and
(2) the instances where the Department of Justice has been
successful in overcoming any encryption encountered in an
investigation.
(b) Availability of Information to the Congress.--The information
compiled under subsection (a), including an unclassified summary
thereof, shall be submitted to Congress annually beginning October 1,
2000.
SEC. 602. INTERPRETATION.
Nothing contained in this Act or the amendments made by this Act
shall be deemed to--
(1) preempt or otherwise affect the application of the Arms
Export Control Act (22 U.S.C. 2751 et seq.), the Export
Administration Act of 1979 (50 U.S.C. App. 2401 et seq.), or
the International Emergency Economic Powers Act (50 U.S.C. 1701
et seq.) or any regulations promulgated thereunder;
(2) affect foreign intelligence activities of the United
States; or
(3) negate or diminish any intellectual property protections
under the laws of the United States or of any State.
SEC. 603. FBI TECHNICAL SUPPORT.
There are authorized to be appropriated for the Technical Support
Center in the Federal Bureau of Investigation, established pursuant to
section 811(a)(1) of the Antiterrorism and Effective Death Penalty Act
of 1996 (Public Law 104-132)--
(1) $25,000,000 for fiscal year 2000 for building and
personnel costs;
(2) $20,000,000 for fiscal year 2001 for personnel and
equipment costs;
(3) $15,000,000 for fiscal year 2002; and
(4) $15,000,000 for fiscal year 2003.
SEC. 604. SEVERABILITY.
If any provision of this Act or the amendments made by this Act, or
the application thereof, to any person or circumstances is held invalid
by a court of the United States, the remainder of this Act or such
amendments, and the application thereof, to other persons or
circumstances shall not be affected thereby.
Purpose
The House Permanent Select Committee on Intelligence sought
referral of H.R. 850, the ``Security and Freedom through
Encryption (SAFE) Act,'' as reported by the House Committee on
the Judiciary, because the bill impacts directly upon matters
relating to the intelligence and intelligence-related
activities and national security capabilities of the
Intelligence Community. Specifically, the bill will have a
profound effect on the intelligence, counter-intelligence, and
counter-terrorism responsibilities of the Department of
Defense, the National Security Agency, the Department of
Justice, and the Federal Bureau of Investigation, to name but a
few of those Intelligence Community agencies within this
Committee's jurisdiction. The legislation as introduced or
reported by the Committees on the Judiciary, International
Relations, and Commerce, raises serious issues of great
significance to our national security and public safety.
Because of the significant risk to the intelligence and
intelligence-related activities and capabilities of the United
States the Committee determined that it needed to act in a
comprehensive manner.
The paramount duty of government is to protect its citizens
from harm to their persons or property. Fundamental to a free
society, however, is a delicate balance between the need to
defend the nation's security and preserving the liberties of
the people endowed by their Creator. The balance achieved in
the Constitution and the Bill of Rights provides a clear
backdrop against which the Committee's legislative action
should be considered.
During the Committee's consideration of H.R. 850 it was
determined that the SAFE Act did not adequately address the
national security and public safety interests at stake in the
public policy debate over encryption legislation. Government
official after government official advised the Committee that
strong encryption is being used to facilitate drug trafficking,
child pornography, terrorism, espionage, and myriad other
crimes. Proponents of the SAFE Act urged the Committee to
ignore the concern of these witnesses and to leave the
management of encryption policy to the marketplace. They argued
that it was too late to do anything about the widespread use of
strong encryption. They asserted that the ``genie was out of
the bottle'' and could not be put back in. They claimed that
any effort to continue control of encryption technology would
be a losing proposition that would harm industry. They rejected
the enormous consequences described by the government officials
charged with the duty to protect the national security and
defend the public safety.
The Committee considered the arguments of the SAFE Act
proponents and the administration officials and struck a
balance. The Committee's amendment, the ``Encryption for the
National Interest Act,'' gives the government the authority:
To access the plaintext of encrypted
information, through the use of court orders, during
lawful criminal, foreign intelligence, and
international terrorist investigations;
To control encryption exports in defense of
the national security;
To procure and use encryption products with
recoverability features; and
To improve their technical capabilities
against the widespread use of strong encryption.
But, at the same time, the Encryption for the National
Interest Act assures the industry and the cyber-libertarians
that their concerns have too been heeded. The bill provides
that:
U.S. persons can use any encryption product
of any strength regardless of whether it contains
access to plaintext capabilities;
All access to plaintext or decryption
information will be upon the order of a judge after an
appropriate showing by the government;
Civil and criminal sanctions can be imposed
upon those who misuse the decryption information of any
other person; and
Electronic audit trails are required
whenever law enforcement accesses the plaintext or
decryption information of an encryption user.
The Encryption for the National Interest Act asserts that
the nation's security and the protection of its citizens are
worthy objectives of the federal government and its principal
obligation. The Encryption for the National Interest Act also,
however, seeks to establish a dynamic and constructive
framework for continued cooperation between government and
industry to achieve a workable solution to this extremely
vexing issue facing the nation. It does not preclude continued
American competitiveness in an increasingly competitive global
market, yet secures the right of the Commander-in-Chief to
defend our interests against those who wish us harm. It does
not turn national security and public security over to the
random behavior of the marketplace.
The Encryption for the National Interest Act achieves a
compromise in the best interests of all protagonists in this
public debate: industry, national security, public safety, and
privacy. The Committee's amendment was adopted upon a unanimous
voice vote of the Committee, and H.R. 850 was ordered reported
favorably to the House, as amended by the Committee.
Summary
SECTION-BY-SECTION ANALYSIS
Section 1.--Short title and table of contents
This section provides the title of the bill as the
``Encryption for the National Interest Act'' and a table of
contents.
Section 2.--Statement of policy
This section sets forth the policy of the United States
with respect to encryption technology.
Section 3.--Congressional findings
This section sets forth the findings of Congress as to the
important role information security technology, encryption,
plays in relaying and protecting intelligence information,
linking policy makers, establishing an effective foreign
policy, protecting United States banking and financial systems
and critical infrastructure, and citizens from such crimes as
fraud, theft, drug trafficking, espionage, terrorism, money
laundering, and child pornography, among other serious
offenses.
TITLE I--DOMESTIC USE OF ENCRYPTION
Section 101.--Definitions
This section establishes the definitions of specific terms
used throughout the bill.
Section 102.--Lawful use of encryption
This section makes clear that, except as otherwise
provided, it is lawful to use encryption products, regardless
of algorithm length selected, encryption key length chosen, or
implementation technique or medium used.
Section 103.--Unlawful use of encryption
This section amends Title 18, United States Code, by new
sections 2801 through 2807 within new chapter 122, which bears
the heading, ``Chapter 122-Encrypted Data, Including
Communications.''
New section 2801 of Title 18, United States Code, would
make it a criminal offense to use encryption in furtherance of
the commission of a federal crime. The penalties attached to
such crimes would be in addition to any sentence imposed for
the underlying offense. For first time offenders, a fine under
Title 18, United States Code, or both. For repeat offenders of
this provision, the jail time is potentially no more than 10
years. This section also makes clear that merely using
encryption, without additional facts, cannot be the basis for a
probable cause determination.
New section 2802 creates several new crimes. First, it
makes it illegal to intentionally obtain or use decryption
information without lawful authority in order to decrypt data,
including information. In addition, it makes it a criminal
offense to exceed lawful authority in decrypting data,
including communications. This new section would make the
breaking of encryption code of another without lawful authority
and with the purpose of violating that person's privacy or
security, or for the purpose of depriving that person of his or
her property a criminal violation of law. Furthermore this
section would make it a criminal offense to assist in the
encryption of data knowing that such data, including
communications are to be used in furtherance of a crime.
New section 2803 sets forth the standards and procedures
for the issuance of a court order granting an investigative or
law enforcement officer timely access to the plaintext of
otherwise encrypted data, including communications, or
compelling the provision of decryption information to an
investigative or law enforcement officer that has a lawful
basis to obtain that data. The application for such order must
be made by an attorney for the government. That application
must establish facts supporting the finding that the plaintext
of decrypted information is relevant to an on-going lawful law
enforcement, foreign counterintelligence, or international
terrorist investigation. The application and any order issued
thereon shall be made ex parte and placed under seal.
Disclosure of the application or order is not authorized,
except as may be otherwise permitted by this section or another
order of the court.
This section also requires that the court granting access
to plaintext or the disclosure of decryption information, shall
also ensure that a verifiable audit trail of any access to
plaintext or decrypted information be maintained.
The record will be tendered to the court upon an order of
the court.
Subsection (d) clarifies that nothing in this new chapter
shall be read to expand or modify any other constitutional or
statutory requirement under which a government entity is
entitled to intercept or obtain oral, wire, or electronic
communications or information.
Subsection (e) mandates a strict construction of this new
chapter so that it is read only to apply to a government
entity's ability to decrypt or otherwise gain access to the
plaintext data, including communications, for which it
previously obtained lawful authority to intercept or obtain.
New section 2804 provides the users of encryption products
with a statutory right to be notified when their decryption
information is provided to law enforcement, or when law
enforcement is granted access to the plaintext of their data,
including communications. This section provides for a delayed
notification to the user so as not to jeopardize the integrity
of the on-going criminal investigation, foreign
counterintelligence, or international terrorist investigation.
Basically, the user must be notified within 90 days after the
filing of an application for the decryption information, or for
access to the plaintext, unless the judge finds good cause
warranting delay. Specifically, however, neither any of the
decrypted contents of the encrypted information that has been
obtained, nor any evidence derived therefrom may be used in any
proceeding unless the user has been furnished with a copy of
the order, application, and the data, including communications.
The user may move to suppress the use of any of the plaintext
or evidence derived therefrom in any proceeding on the grounds
that the plaintext or the decryption information was unlawfully
obtained. This section also provides aggrieved persons with a
civil cause of action for any violations of this new chapter.
New section 2805 limits the lawful uses of plaintext or
decryption information obtained under this chapter. It may be
used for the purposes of conducting a lawful criminal or
foreign counterintelligence or terrorist investigation and for
the purposes of preparing for and prosecuting any criminal
violation of law. It may not be disclosed to any party to a
civil suit that does not arise from criminal investigation or
prosecution, unless a court finds that there is no alternative
means of obtaining the plaintext, or decryption information and
that the interests of justice would not be served by
nondisclosure. This section further clarifies that decryption
information may not be used to determine the plaintext unless
the officer possesses other lawful authority to plaintext.
This section also outlines the procedures for returning or
destroying any decryption information upon the conclusion of
the investigation, trial, or proceeding. This section also
places limitations upon any person acting as a key recovery
agent. It specifies whom and under what circumstances a key
recovery agent may provide decryption information to another
person.
New section 2806 requires those who are providing
decryption information to an investigative or law enforcement
officer to so identify that information in order to avoid any
inadvertent disclosure. The officer is responsible for
maintaining the decryption information in such a manner so as
reasonably to ensure against inadvertent disclosure.
New section 2807 states that the same definitions set forth
in section 101 of the ``Encryption for the National Interest
Act'' shall apply to this chapter.
TITLE II--GOVERNMENT PROCUREMENT
Section 201.--Federal purchases of encryption products
This section permits the United States government to
purchase encryption products enabling the timely decryption by
an authorized party, without the knowledge or cooperation of
the person using the encryption product. This requirement only
applies to those products or services purchased or procured by
the United States government for data confidentiality for
computer systems owned or operated by the United States.
The Committee believes that a ``National Information
Assurance Plan'' is needed to ensure that the data, including
communications, of the United States government are secure. To
this end the Committee requests that the President submit to
the Permanent Select Committee on Intelligence and the
Committee on Armed Services of the House of Representatives and
the Select Committee on Intelligence and the Committee on Armed
Services of the Senate within 120 days after enactment of this
Act a report that outlines the national information assurance
plan and policy for the United States government.
The Committee believes that any plan or policy developed
should include the following goals, which should be addressed
in the report to be submitted to the congressional committees:
(1) The protection of the Federal Government's
information infrastructure against hostile penetration
by ensuring the Federal Government's use of the
strongest possible information assurance products,
including encryption, in secure configurations and
applications;
(2) A requirement that the Federal Government use
products designed or manufactured in the United States
enabling the recovery of information pursuant to lawful
authority; and
(3) A requirement that the Federal Government use
reliable authentication products designed or
manufactured in the United States so that the Federal
Government knows who is accessing its systems.
Section 202.--Networks established with federal funds
This section permits the President to require that any
communications network that is established for the purpose of
conducting the business of the Federal Government must use
encryption products that include techniques enabling the timely
decryption of data, including communications, without the
knowledge or cooperation of the person using the encryption
product or service. It is not intended that private
communications networks that might benefit from federal grants
fall within this requirement. Nor is it intended that this
section include the Internet, although it is understood that
there may be government business that is conducted via the
Internet.
Section 203.--Government contract authority
This section grants to the President of the United States
the authority to require, as a condition of any contract by the
United States government with a private vendor that any
encryption product used by the vendor in carrying out the
provisions of the contract include features and functions that
enable the decryption of encrypted data, including
communications, or timely access to plaintext by an authorized
party without the knowledge or cooperation of the person using
such encryption products or services.
Section 204.--Product labels
This section allows for the labeling of encryption products
so that purchasers and users are aware that the product is
authorized for sale to, or for use in transactions with, the
United States government.
Section 205.--No private mandate
This section specifies that the United States government
may not require the use of encryption standards for the private
sector except as otherwise authorized by section 203.
Section 206.--Exclusion
This section clarifies that nothing in this title shall
apply to encryption products and services used solely for
access control, authentication, integrity, non-repudiation,
digital signatures, or other similar purposes.
TITLE III--EXPORTS OF ENCRYPTION
Section 301.--Exports of encryption
Subsection (a) authorizes the President to control the
export of all dual-use encryption products.
Subsection (b) grants the President the authority to deny
the export of any encryption product on the basis that its
exportation would be contrary to the national security
interests of the United States.
Subsection (c) specifies that all national security
decisions made by the President, or his designee, under this
title shall not be subject to judicial review.
Section 302.--License exception for certain encryption products
Subsection (a) sets forth criteria for the export of those
encryption products with an encryption strength of 64 bits or
less under a license exception. The product must be submitted
for a 1-time technical review, not require licensing under
otherwise applicable regulations, and not be intended for a
country, end-user, or end use that is otherwise ineligible to
receive such products. In addition, the exporter must within
six months after export supply the names and addresses of its
distribution chain partners, and identify the intended end user
(if available) or use of the product. The exporter must provide
proof that its distribution chain partners have contractually
agreed to abide by all laws and regulations of the United
States regarding export and re-export of encryption products.
Subsection (b) sets a time limit of 45 days after
submission for all information required for the technical
review for the completion of the review referred to in
subsection (a).
Subsection (c) requires that the President notify Congress
every six months of the maximum strength level encryption that
may be exported under a license exception pursuant to this
section without harm to national security. The initial maximum
bit level for which products can be exported under this
exception shall not be less than 64 bits. This brings U.S.
policy in line with Wassenaar Arrangement commitments. At the
end of each successive 180-day period, the President shall
notify Congress of the maximum encryption bit level that may be
exported under license exception. The levels cannot be reduced
once raised by the President. This report will ensure that the
Administration review on a regular, short-term basis, which is
necessary given the dynamic nature of technology, the
appropriate level to allow products out under a license
exception.
Subsection (d) enables the export of a product under a
license exception that meets the criteria set forth in section
302(a), regardless of whether the product contains a method of
decrypting encrypted data. There is no requirement that
recoverability features be included in the product for this
section to apply.
Section 303.--Discretionary authority
Section 303 authorizes the President to allow the export,
under a license exception, of encryption products with bit
lengths greater than that level set through operation of
section 302, subject to the conditions of section 302, if the
export would be consistent with the national security interest
of the United States.
This provision ensures that export of those 128-bit
encryption products currently allowed under a license exception
may continue after enactment of the Act.
Section 304.--Expedited authority
This section grants the President authority to establish
procedures for expediting the review of commodity
classification requests, or export license applications
involving encryption products that are specifically approved,
by regulation, for export.
Section 305.--Encryption licenses required
Subsection (a) establishes criteria the President shall
employ in the review and granting of a license for export of
encryption products exceeding the maximum level eligible for
license exception under section 302. Products being considered
for export determinations shall not be required to contain features or
functions for the timely access to plaintext or decryption information.
In addition, any bit length encryption product is eligible for export
under this section. The license applicant is responsible for submitting
the product for technical review, certifying under oath the intended
end user, the end use of the product, and providing the names and
addresses of its distribution chain partners. The exporter must certify
that these distributors are contractually obligated to abide by all
laws and regulations of the United States concerning the export and re-
export of encryption products and services.
Subsection (b) further clarifies that the technical review
described in subsection (a) is to be completed within 45 days
after product submission and that no export shall occur during the
technical review.
Subsection (c) sets forth post-export reporting
requirements to be submitted to the Secretary of Commerce.
Reports shall be filed specifically when the exporter believes
the exported encryption products or services are being diverted
to a user or use not approved for export, or the exporter has
detected pirating of their technology or intellectual property.
In addition, all exporters and their distribution chain
partners shall report the names and addresses of the next
purchaser in the distribution chain.
Subsection (d) clarifies that the Secretaries of Commerce,
Defense, and State may exercise the authority they have under
other provisions of law, specifically the International
Emergency Economic Powers Act.
Subsection (e) provides the President with the authority to
waive any provision of this title for national security
purposes. It requires the President to report to the relevant
committees of Congress within 15 days after this authority is
used. The determination made by the President shall not be
subject to judicial review.
Section 306.--Encryption industry and information security board
This section establishes an Encryption Industry and
Information Security Board (``EIIS'') to advise the President
on future encryption policy and technological advancements that
might serve to alter the United States policy on encryption
products. This section also defines the purposes of the board.
It further specifies that the Board shall be composed of 12
members, and how those members shall be appointed. In addition
to the Secretary of Commerce, Secretary of Defense, Attorney
General, the Director of Central Intelligence, the Director of
the Federal Bureau of Investigation, and the Special Assistant
to the President for National Security Affairs, or their
designees; six representatives from the private sector who have
expertise in development, operation, marketing, law, and public
policy relating to information security or technology shall be
appointed by Congressional Leadership. The Board will have no
authority to challenge or review an export determination made
pursuant to this Act. The Board will report to the President
and the Congress. This section will cease to be effective 10
years after the date of enactment.
TITLE IV--LIABILITY LIMITATIONS
Section 401.--Compliance with court order
This section states that a person shall not be subject to
civil or criminal liability under this Act, or under any other
provision of law, for acting in compliance with a court order
compelling the disclosure of plaintext or decryption
information.
Section 402.--Compliance defense
This section provides a complete defense for any non-
contract action for damages based upon activities covered by
the Act as long as the person complies with the provisions of
sections 2803, 2804, 2805, and 2806 of Title 18, United States
Code, as amended by section 103(a) of this Act, or any
regulations authorized by this Act.
Section 403.--Good faith defense
This section provides anyone who relies on the legal
authority provided under this Act as the basis for providing an
investigative or law enforcement officer with access to the
plaintext of otherwise encrypted data, including
communications, or for providing such officer with decryption
information, a complete defense to any criminal or civil action
arising therefrom.
TITLE V--INTERNATIONAL AGREEMENTS
Section 501.--Sense of Congress
This section expresses the Sense of Congress that the
President should negotiate with foreign governments to
establish binding export control requirements on nonrecoverable
encryption products. Any agreement should safeguard the privacy
of U.S. persons, prevent economic espionage, and enhance the
information security needs of the United States.
Section 502.--Failure to negotiate
This section permits the President to take a country's
refusal to negotiate into consideration when making decisions
about U.S. participation in any cooperation or assistance
program with that country.
Section 503.--Report to Congress
This section requires an annual report to Congress on the
status of the negotiations, with the first report due September
1, 2000.
TITLE VI--MISCELLANEOUS PROVISIONS
Section 601.--Effect on law enforcement activities
This section requires the Attorney General to compile, and
maintain in classified form, information on those instances
where encryption has posed problems in the enforcement of
federal laws. This information will be available to any Member
of Congress upon request.
Section 602.--Interpretation
This section clarifies the relationship of the bill to the
interpretation of certain laws: the bill does not preempt the
application of other important export control acts, including:
the Arms Export Control Act, the Export Administration Act, or
the International Emergency Powers Act. It shall not affect
foreign intelligence activities of the United States; nor does
it diminish the intellectual property protections provided by
the laws of the U.S. or of any State.
Section 603.--FBI technical support
This section authorizes appropriations totaling $75 million
for fiscal years 2000 through 2003 to the Federal Bureau of
Investigation for the Technical Support Center established
pursuant to section 811(a)(1) of the Antiterrorism and
Effective Death Penalty Act of 1996. (P.L. 104-132)
Section 604.--Severability
This section permits any court reviewing this Act to sever
any provision from the remainder of the Act, so as not to find
the Act invalid in its entirety.
Background and Need for Legislation
benefits of strong encryption
There is little doubt that strong encryption has enormous
benefits for society. For our national security apparatus, it
is invaluable and essential to secure the flow of intelligence
information, enhance our ability to execute foreign policy, and
ensure the protection of the 1.4 million men and women of our
armed forces deployed around the world. It is fundamental to
protecting the Nation's critical infrastructures, such as power
grids, telecommunications, and transportation facilities.
Strong encryption is a remarkable tool that has aided the
advancement of the Internet. It has been one factor in the
explosive growth of on-line commerce, banking, investments,
telemedicine, and legal services, to name only a few areas
where the Internet has changed our daily lives.
Encryption also advances the interests of law enforcement
where it is used for legitimate purposes, because it can and
does shield on-line activities from criminals interested in
stealing personal financial data, credit card information, or
national secrets, for example. But, as crucial as it is to the
protection of information, it can be equally harmful to our
Nation's security and the public's safety.
problems with H.R. 850, as referred to the committee
After all, the benefit that strong encryption provides to
the individual legitimate encryption user is equally provided
to the person with criminal intent. Our laws should not
preclude lawful investigation of criminal activity. Our laws
should enhance the Nation's security and public safety. The
SAFE Act (H.R. 850), as reported by the Committee on the
Judiciary, would deny law enforcement authorities the
opportunity to obtain evidence--evidence that they are
statutorily authorized to obtain--simply because a criminal
decided to encrypt it. Under that bill, the child pornographer
will be able to operate with impunity. The terrorist will be
able to communicate with his comrades. He will be able to plan
and execute his cowardly acts without fear that he will be
identified or brought to justice. Spies would operate without
fear of discovery. The drug trafficker will be able to arrange
for distribution of his poison and collection of the thousands
or millions of dollars made in the deal. He will be able to
launder his proceeds unconcerned that his activities have
caught the attention of the law enforcement authorities. Those
that engage in the proliferation of weapons of mass destruction
will be able to continue their menacing activities unhindered
by our national security apparatus or intelligence collectors.
Allowing the unchecked export of unbreakable encryption to
all markets and all users across the globe presents a series of
challenges that the national security agencies of the United
States cannot meet or overcome simply by employing faster and
more powerful computers. The consequences of such a policy
would be devastating. Criminals and international thugs wishing
to do harm to the people of the United States would have
available to them an ``electronic sanctuary.''
Legislation that precludes the federal government from
using encryption products that permit the recovery of data or
communications is irresponsible. The SAFE Act has been read to
do just this. With the time it would take to break just one
128-bit encrypted message (many times the age of the universe),
annihilation would be quicker than our ability to protect
ourselves.
Without an ability to undo quickly an encryption code, the
people of this country could suffer unfathomable harm.
Similarly, child pornographers could distribute their filth
unimpeded. Pedophiles could secretly entice the children of
America into their clutches. Drug traffickers will make their
plans to deliver larger and larger amounts of cocaine, heroin,
marijuana, and other narcotics without the slightest concern
that they will be detected. Terrorists and spies can cause
unspeakable damage without even the possibility of being
stopped before it is too late. In a world governed by policies
espoused by the SAFE Act, protecting America, her interests,
and her citizens becomes a far riskier endeavor.
While the SAFE Act does not on its face remove export
controls, the regime it would establish is so fraught with
exceptions and limitations on government authority that control
might as well be non-existent. The SAFE Act does acknowledge,
however, that the nation's security should override an ability
to export on occasion. Yet, the circumstances under which the
SAFE Act would authorize denial of exports are limited only to
those instances where the Secretary of Commerce has
``substantial evidence'' that the product intended for export
was going to Iran, Iraq, North Korea, Libya, Sudan, Cuba, and
Syria, or has ``substantial evidence'' that a specific product
would be used by foreign militaries or terrorists. First, there
is no role under the SAFE Act for the participation of the
national security apparatus of the United States in such
decisions not to export. Secondly, there can be no doubt that
these two factors cover only a fraction of all situations that
present threats to our national security interests. A broader
authority to deny exports must be provided in order to ensure
the nation's security in an age of constantly changing
political realities.
Expert witnesses before the Committee and Congress have
provided compelling and sobering testimony about the lack of
balance in H.R. 850 as reported from the Judiciary Committee.
The administration opposes any encryption legislation that is
not balanced. ``The current version [of H.R. 850] does not
balance the needs of privacy and business, public safety, and
national security, * * *.'' Testimony of Janet Reno, Attorney
General of the United States, before the House Permanent Select
Committee on Intelligence on July 14, 1999. ``The proposed SAFE
Act does not include any provisions aimed at improving law
enforcement's ability to perform its public safety mission in
an encrypted world.'' Id. ``The objective of the legislation is
unfettered encryption which has no concern for public safety
and, in all reality, eliminates any concerns for public safety
in the future.'' Testimony of Thomas A. Constantine, former
Administrator, Drug Enforcement Administration, before the
House Permanent Select Committee on Intelligence on July 14,
1999 (hereinafter ``Constantine Test.''). ``The [SAFE Act]
* * * will harm law enforcement, will harm public safety, will harm
national security, and lives will be lost * * *.'' Testimony of
Louis J. Freeh, Director, Federal Bureau of Investigation,
before the House Committee on Armed Services on July 13, 1999.
``[R]ather than a SAFE Act * * * I would call it the `Drug
Lords Protection Act.' '' Constantine Test. ``[T]he SAFE Act
will harm national security by making [NSA's] job of providing
critical, actionable intelligence to our leaders and military
commanders difficult, if not impossible, thus putting our
nation's security at considerable risk.'' Testimony of Barbara
A. McNamara, Deputy Director, National Security Agency, before
the House Committee on Armed Services on July 13, 1999. ``H.R.
850 * * * would be a tidal wave that would crush your national
security and law enforcement agencies that are protecting this
country.'' Testimony of John J. Hamre, Deputy Secretary,
Department of Defense, before the House Committee on Armed
Services on July 13, 1999. ``[T]here are real national security
and law enforcement costs to the policy that is articulated by
the [SAFE Act]. * * *'' Testimony of William Reinsch,
Undersecretary of Commerce for Export Administration,
Department of Commerce (hereinafter ``Reinsch Test.''), before
the House Committee on Armed Services on July 13, 1999. ``[T]he
bill in letter and spirit would destroy the balance we have
worked so hard to achieve and would jeopardize our law
enforcement and national security interests.'' Reinsch Test.
before the House Permanent Select Committee on Intelligence on
June 9, 1999.
Importantly, during his appearance before the HPSCI on June
9, 1999, Mr. Goodlatte, the author of the SAFE Act, conceded
that a balance needed to be achieved on this issue. Mr.
Goodlatte stated that he shared the serious national security
and law enforcement concerns at stake in this debate. Testimony
of Representative Bob Goodlatte (hereinafter ``Goodlatte
Test.'') before the House Permanent Select Committee on
Intelligence on June 9, 1999, at pp. 26, 27, 28, 52. He claimed
his bill was not designed to eliminate all export controls, which was a
significant concession. Goodlatte Test. at pp. 21, 30. It is a
testament to the notion that we cannot place market share and larger
profits ahead of the nation's security and the public's safety. It
further reemphasizes the concept that there must be accommodation in
the encryption export control policy to assure the national security
and the interests of the industry. Mr. Goodlatte's support for export
controls in certain circumstances extends to the foundational concept
that export controls can be used to protect against threats to the
national security of the United States. Goodlatte Test. at pp. 31, 44.
He also testified that it was not the intent of his legislation to deny
law enforcement the ability to gain access to plaintext or decryption
information, where it was available. Goodlatte Test. at pp. 34, 53, 77.
See also Report of the Committee on the Judiciary to Accompany H.R.
850, House Report 106-117, Part 1, at p. 8 (April 27, 1999) (``Just as
new technology should not take away the longstanding rights of citizens
against government, it also should not take away the traditional means
for legitimate law enforcement and national security investigations.'')
He was open to modification of the ``substantial evidence'' standard
his bill uses to preclude an export of encryption to terrorists and
militaries in order to alleviate the risks attendant to the export of
encryption throughout the world. Goodlatte Test. at pp. 38, 43, 44. He
further contended that it was not the intent of his legislative
proposal to preclude the federal government, or state and local
governments, from using encryption products that have features or
functions that permit the recovery of data when those government
entities find it necessary to use such products. Goodlatte Test. at p.
77. Although not included anywhere in his legislation, Mr. Goodlatte
also supports the provision of more and better resources to federal,
state, and local law enforcement so they can more adequately meet the
challenges of widespread use of strong encryption. Goodlatte Test. at
pp. 25, 28, 53, 54.
BALANCED APPROACH IS NEEDED
The HPSCI reported amendment, the ``Encryption for the
National Interest Act,'' strives to balance the needs of law
enforcement, national security, industry, and privacy. It
advances the interests of all sectors engaged in this debate,
yet requires some sacrifice on the part of each, as well.
The Committee amendment preserves law enforcement's crime
fighting and public safety capabilities by providing clear
authority through judicial processes to access the plaintext or
decryption information, without the target of the
investigation's knowledge or cooperation. It does not, however,
require key escrow, or mandate key recovery. Key recovery is a
non-factor for domestic use and for export considerations.
In addition to laying the framework for a national
information assurance program, the Committee's amendment will
relax the current export control policy of the United States on
encryption products to bring the policy in line with the
government's commitments under the Wassenaar Arrangement. In
other words, where now only those products of 56-bit strength
and lower can be exported under a license exception, upon
enactment of the HPSCI amendment, all products of 64-bit
strength and lower will be allowed for export in this manner.
All products in excess of 64-bits will require a license prior
to export, unless granted a waiver. This will permit the export
of any bit-length encryption product under license exception
conditions to those sectors that pose little or no risk to
national security. Of course, prior to the first export of any
encryption product, the Committee's amendment will still
require a technical review to be conducted.
Furthermore, the Committee's amendment requires the
administration to review its encryption export policies on a
more regularized basis than is currently done. The amendment
requires a semi-annual look at export policy and certifications
to Congress with respect to the results of this review.
The Committee's amendment also streamlines export reporting
requirements in an effort to reduce the burdensome and costly
paperwork that is the bane of the industry. It does not remove
these requirements completely, as the SAFE Act does, because
there is significant national security utility in such
reporting and the Committee determined it should continue in
some form.
Importantly, the Encryption for the National Interest Act
preserves the President's authority to protect national
security by authorizing him, or his designee, to deny an export
of an encryption product based on national security grounds.
This is an acknowledgement that the conduct of foreign policy
and the protection of the citizens of the United States cannot
be tied to only a couple of particular threats. The exigencies
of our role as the world's only superpower must be accommodated
and our export control regime must reflect the need for such
flexibility.
The Committee's amendment permits the federal government to
procure and utilize encryption products with recoverability
features for the conduct of the government's business.
Likewise, the federal government will be permitted to require
that its contractors use recoverable encryption products for
the conduct of the government's business pursuant to the
government contract. This authority does not permit, however,
the government to require contractors to use such products in
the course of their private sector, non-governmental business
activities.
Finally, the Committee's amendment establishes an advisory
board to assist the President in his determination of
appropriate encryption export policies and to foster
government-industry cooperation on this important issue with
significant ramifications for national security and public
safety. Moreover, the Committee's legislative initiative
authorizes the appropriation of $75 million to build, equip,
and maintain the FBI's Technical Support Center. This Center
will help move law enforcement at all levels forward in this
age of high technology. It will help law enforcement meet and
overcome the substantial challenges presented in a world where
strong encryption will be commonplace.
The Committee's Ranking Democrat, Representative Julian C.
Dixon, put the matter succinctly after the Committee adopted
its amendment in the nature of a substitute, when he stated:
The encryption compromise adopted by the Intelligence
Committee achieves two important goals: it recognizes
that government access to information on the electronic
infrastructure--when necessary to protect public safety
and national security--is legitimate within reasonable,
lawful constraints; and, it provides greater certainty
in the export control process while allowing for
regulatory flexibility as technology advances. The
balance between commercial interests and public safety
achieved by the Intelligence Committee substitute has
improved greatly the encryption legislation with which
the Committee was asked to deal.
The Committee believes that the United States government
should encourage the development of encryption products that
are responsive to the needs and obligations of government to
ensure public safety, and that are viable in the commercial
marketplace, without resorting to mandated key recovery or key
escrow. For certain, law enforcement would have no difficulty
obtaining decrypted evidence of criminality were Congress to
impose mandatory requirements on the encryption industry to
develop products with access to plaintext functions or
features. Such an approach, however, does not advance the
debate on comprehensive encryption policy for the United States
in the fast approaching 21st Century.
The Committee determined that the SAFE Act, as reported by
the Judiciary, the International Relations, and the Commerce
Committees did not adequately address national security and
public safety concerns. In fact, the Committee found, based on
the testimony of various witnesses before the Committee, that
the SAFE Act actually would disadvantage our national security
apparatus and federal, state, and local law enforcement in the
conduct of their very serious obligations. To correct these
faults, the Committee decided that an amendment in the nature
of a substitute was necessary rather than merely ``tinkering
around the edges'' of the SAFE Act, in order to ensure that the
appropriate and desired balance could be achieved. Thus, the
Committee adopted by unanimous voice vote the ``Encryption for
the National Interest Act.''
THE ``ENCRYPTION FOR THE NATIONAL INTEREST ACT''
A. Establishes government encryption procurement policies
As noted, the Committee amendment, the Encryption for the
National Interest Act, permits the United States government to
procure and use encryption products that include recoverability
or comparable features to allow authorized parties to have
access to plaintext. The SAFE Act forbids the government and
the States from using such products; and the SAFE Act would
deny the government the opportunity to encourage the
development of products with features that might help catch
spies, thieves, child pornographers, and embezzlers, among
others. Thus, specifically, the Encryption for the National
Interest Act would authorize the United States government to
include as a condition of any government contract a requirement
that any encryption employed by the contractor in the execution
of the contract with the government will include features
permitting access to plaintext or decryption information. This
amendment would not require that federal government contractors
use recoverable encryption products in the conduct of non-
federal government business. The Committee amendment also does
not preclude the States from employing recoverable encryption
products. The SAFE Act, however, includes such a prohibition.
B. Preserves law enforcement's investigative capabilities
The Encryption for the National Interest Act also
establishes definite procedures to be followed by federal,
state, and local law enforcement when seeking access to the
plaintext or decryption information of data, including
communications, that is otherwise encrypted. Without expanding
current wiretap or search and seizure authorities, the
amendment allows law enforcement, through judicially authorized
court orders, to gain access to decryption information, or to
plaintext, where it is available, for use in criminal, foreign
counterintelligence, and international terrorism
investigations. A close reading of the SAFE Act would deny law
enforcement this critical capability. The SAFE Act would deny
law enforcement the ability to decrypt any encrypted
communications that are intercepted through legitimate court
issued wiretap orders.
Many proponents of the SAFE Act routinely assert that
wiretaps are of limited utility to law enforcement, and that
the lack of this capability would cause no egregious harm to
public safety. The Committee's extensive experience and the
testimony on this matter indicate otherwise.
Some have concluded that the effort to enact the SAFE Act
is a not-so-subtle attempt to render the government's wiretap
authority void. As the distinguished Chairman of the House
Committee on the Judiciary, Chairman Henry Hyde wrote in
October 1996, ``Without a remedy, America will effectively
disarm itself of one of its most potent weapons in the fight
against two particularly pernicious crimes: international
terrorism and drug smuggling.'' Washington Times, p. B3,
October 27, 1996. Mr. Hyde made the point that ``efforts to
prevent or eliminate this important law enforcement tool are
both naive and dangerous.'' Id. He concluded, by asserting,
``Our Constitution requires the federal government to provide
for the common security of the people. Wiretaps, used sparingly
and with court authorization, are indispensable in safeguarding
both our liberties and our security in an age of dangerous
uncertainty.'' Id. Although Chairman Hyde was expressing his
concern about digital telephony, his logic and arguments are
entirely apt within the context of this public debate over
encryption policy, and should be heeded.
C. Protects civil liberties
It is apparent to the Committee that the use of encryption
to protect the security of one's data or communications would
be indicative of an individual's heightened expectation of
privacy with respect to that data or communication. Although
this does not raise the search and seizure probable cause
standard of the Fourth Amendment to the Constitution of the
United States, Congress can provide additional procedural
protections that will recognize this heightened expectation of
privacy. In fact, the Encryption for the National Interest Act
does exactly this while allowing law enforcement agencies to
conduct their investigations in this computer age. The
Committee amendment provides a judicially supervised mechanism
for accessing the plaintext or decryption information. It
likewise permits all U.S. persons to purchase and use any
encryption technology that is available anywhere in the world,
whether it contains access to plaintext capabilities, or not.
Most proponents of the SAFE Act speak of the need to
protect our privacy from the ``abuses'' of government,
particularly law enforcement. They assert that any access
capability to the plaintext of communications or stored data
will leave law abiding Americans vulnerable to government
prying and abusive intrusion into our private lives. In making
these claims, the supporters of the SAFE Act ignore the bulwark
of our freedoms, the guarantor of our liberties: the
Constitution.
The Framers, brilliant in their foresight, understood
that--at times--there might happen an occasion where government
misunderstood its mission, where government intruded on the
liberties of its citizenry. It was due to this foresight that
the Constitution requires neutral, detached magistrates to
approve the search or seizure of the people's papers and
effects. The judicial branch protects the people from the
excesses of the state. We cannot forget that there are lawful
processes to redress abuses that might be committed. But,
simply because speculative abuses might occur at some unknown
time in the future under unknowable circumstances is no reason
to deny law enforcement the legal authority to obtain evidence
of criminal activity that might be encrypted today. The
Committee's amendment, in an effort to further encourage the
appropriate handling of one's decryption information, permits
civil and criminal sanctions for those who exceed their lawful
authority, who misuse the information, or who violate any
provision of title I of the Act.
D. Maintains but streamlines export controls on encryption products
The Committee believes that increased market share for
United States industry is a societal good that should be
supported, and that trends in market share for U.S. information
technology products should be one factor--but only one factor--
in the design of export controls for sensitive technologies.
Providing tools to our malefactors, who want to invade our
privacy and confound our law enforcement or intelligence
professionals, makes no sense at any price. Thus, any
legislation on encryption policy must be balanced.
Unfortunately, some in the information technology industry have
argued that anything short of the Judiciary Committee's
approach to encryption export control legislation is
unacceptable.
The Encryption for the National Interest Act maintains a
meaningful export control regime that places national security
as the premium interest to be considered when contemplating the
export of strong encryption products from the United States.
But, at the same time, it relaxes current export control
policies where appropriate and streamlines end use and end user
reporting. Although it authorizes the President to control
exports of encryption products, and to deny an export on
national security grounds, it allows for more products to be
exported under license exceptions and under specially granted
Presidential waivers for products above 64-bit length strength.
It also requires the executive branch to more routinely review
the level at which products can be exported by license
exception. This will add regularity to what has been described
as an inconsistent method by which the executive branch has reviewed
encryption export control policy.
The current policy was issued nearly one year ago, and many
believe it was only produced as a result of pressure brought to
bear upon the executive branch by the industry and Congress.
This seems to be an ad hoc method of addressing a critical
national security issue of this magnitude. So, the Committee
amendment attempts to inject order into the regulatory process
and to create a dynamic and constructive regulatory structure
that will address the needs of industry, though not losing
sight of the serious national security and public safety
implications of any export of encryption products.
The Intelligence Committee amendment seeks to lighten this
burdensome responsibility for industry while at the same time
obtaining important national security information. The
Encryption for the National Interest Act provides for a
meaningful technical review period that will provide the United
States government with an opportunity to make well informed and
rational national security determinations under the Act, when
necessary. Additionally, the Committee amendment would
eliminate recoverability features as a condition for export;
indeed, the amendment would eliminate recovery features as a
factor in reaching any export determination.
The Encryption for the National Interest Act does not try
to return the proverbial ``genie to the bottle,'' but rather
merely seeks to manage the spread of encryption in a manner
that is consistent with national security and public safety
interests and in a way that will foster the continued dominance
of the American encryption industry in the global marketplace.
The Committee believes it would be a mistake of catastrophic
proportions to allow indecipherable encryption to be exported
without restriction. Public safety and national security are
not matters that should be left to the ebb and flow of
technological advances and breakthroughs, or to the random
fluctuations of the marketplace.
It is important to note that no one doubts that U.S.
manufactured encryption products are facing competition from
foreign providers. But, simply because a product of purported
capability is available in a country with dubious reliability
at controlling terrorists or drug traffickers, for instance, is
not a sufficient reason for removing virtually all limitations
on the export of encryption of the strongest sort. Rather, it
seems it would be wise for the President to consider whether
U.S. industry stands to lose market share in a particular
market if not permitted to export to that market and whether
export to that market sector presents undue risks to the
national security. It cannot be overstated: the Committee
shares the concern of American industry that its products could
be replaced by foreign competitors. It notes, however, that the
grip of the U.S. industry on the global market is truly
remarkable. Testimony before the Committee indicates U.S.
industry controls approximately 75-80% of the global encryption
market. Goodlatte Test. at p. 50. This ``full-nelson'' hold by
U.S. encryption manufacturers and designers on the global
market is noteworthy given what many have described as
restrictive export controls. On this point, it is worth
highlighting that in 1997 only 25 of 1,850 applications for
encryption export licenses were denied; in 1998, the numbers
were 13 of 1,895; and thus far in 1999, only 1 of 508
applications has been denied.
Interesting to note, too, is that despite the alarmist
rhetoric put forward in support of the SAFE Act, to wit: ``many
hundreds of thousands of American jobs are at stake here,'' see
Goodlatte Test. at p. 32, Congress last year authorized an
additional 50,000 non-immigrant H-1B work visas, P.L. 105-277,
because there are not enough Americans with the skills needed
to fill the available computer industry jobs. Similarly,
Congress is currently debating another increase to the number
of H-1B work visas to be allowed. The claim that hundreds of
thousands of American jobs are at risk appears to be a bit of
hyperbole.
Moreover, all sides of this issue acknowledge that U.S.
encryption technology is the best in the world. There is no
wish on the part of the Committee to undermine that position,
nor diminish the U.S. preeminence in this regard. Indeed, it is
the national security interest for U.S. industry to dominate
this market, but only under proper circumstances and with the
appropriate degree of regulation.
Conclusion
The encryption policy of the United States requires a
comprehensive approach that takes into account the interests of
national security; federal, state, and local law enforcement;
industry; and the citizens of the United States. The
Committee's amendment in the nature of a substitute to H.R. 850
as reported by the Committee on the Judiciary, renamed by the
amendment as the Encryption for the National Interest Act,
strikes the well-measured balance that so many have sought
since this national policy debate began.
Committee Proceedings
The Committee met several times in executive session where
it was briefed on the topic of encryption and the serious
national security and public safety consequences resulting from
pending encryption legislation. Witnesses before the Committee
at these briefings included: the President's Special Envoy on
Encryption Policy, Ambassador David Aaron; the Honorable Louis J.
Freeh, Director, Federal Bureau of Investigation; the Honorable Thomas
A. Constantine, Administrator, Drug Enforcement Administration; the
Honorable John J. Hamre, Deputy Secretary of Defense; and the Honorable
Barbara A. McNamara, Deputy Director, National Security Agency.
The Committee held three closed briefings for Members of
the Committee and three hearings on H.R. 850. The first
briefing was held on June 8, 1999. That was followed by the
first hearing, which was held on June 9, 1999, in open session.
The second hearing was held on June 15, 1999, in closed
session. The second briefing was held on June 16, 1999. The
final briefing was held on July 13, 1999. The final hearing was
held July 14, 1999, in open session.
On June 8, 1999, the Deputy Director of the NSA, the
Honorable Barbara A. McNamara, briefed the Members of the
Committee in closed session on the equities of the intelligence
community that are impacted by the SAFE Act.
Witnesses before the Committee at the June 9, 1999, hearing
were: the Honorable Bob Goodlatte, United States
Representative, 6th District of Virginia, and author of the
``Security and Freedom through Encryption (SAFE) Act'' (H.R.
80); the Honorable William Reinsch, Under Secretary, Bureau of
Export Administration, Department of Commerce; Mr. Christopher
G. Caine, Vice President of Governmental Affairs, IBM
Corporation; Ms. Elizabeth Kaufman, Senior Director and General
Manager for Security, Cisco Systems, Inc.; Colonel Michael D.
Robinson, First Vice President, International Association of
Chiefs of Police (IACP); Mr. Alan Davidson, Counsel, Center for
Democracy and Technology; Mr. Ramon Marks, Board Member,
Business Executives for National Security (BENS); the Honorable
John Kaye, former President, National District Attorney's
Association; Mr. Richard D. Heideman, President, B'nai B'rith
International. In addition to this testimony presented live to
the Committee, the following submissions for the record were
also received and considered: Statement of Jeffrey H. Smith,
Counsel, Americans for Computer Privacy; Statement of Security
Dynamics Technologies, Inc.; and the Statement of Mr. Patrick
P. Gelsinger, Vice President for Desktop Productions, Intel
Corporation.
At the June 15, 1999, closed hearing on H.R. 850, the
Committee took testimony from the Honorable Louis J. Freeh,
Director, Federal Bureau of Investigation; the Honorable Thomas
A. Constantine, Administrator, Drug Enforcement Administration;
and the Honorable John J. Hamre, Deputy Secretary of Defense.
On June 16, 1999, the Members of the Committee were briefed
by the President's Special Envoy for Encryption Policy,
Ambassador David Aaron, on the administration's efforts to
achieve international agreement or consensus on the appropriate
approach to encryption policy and export controls.
Members of the Committee received another briefing on July
13, 1999, from the Honorable Barbara A. McNamara, Deputy
Director of NSA, concerning the SAFE Act. The focus of the
briefing included the effect of removal of export controls on
national security and intelligence, as well as questions
surrounding the issue of foreign availability and foreign
market share.
The witnesses appearing before the Committee at the July
14, 1999, open hearing were: the Honorable Janet Reno, Attorney
General of the United States; the Honorable Louis J. Freeh,
Director, Federal Bureau of Investigation; Thomas A.
Constantine, former Administrator of the Drug Enforcement
Administration; and the Honorable John J. Hamre, Deputy
Secretary of Defense.
The Committee extensively reviewed additional testimony,
reports, and other written materials relating to encryption
policy in general, and H.R. 850 in particular. Among the
documents reviewed by the Committee are House Report 106-117,
Part 1, Committee on the Judiciary Report on H.R. 850, April
27, 1999; House Report 106-117, Part 2, Committee on Commerce
Report on H.R. 850, July 2, 1999; Senate Report 106-48, Senate
Select Committee on Intelligence Report on Fiscal S. 1009, the
Intelligence Authorization Act for Fiscal Year 2000, May 11,
1999; House Report 105-108, Part 1, Committee on the Judiciary
Report on H.R. 695, May 22, 1997; House Report 105-108, Part 2,
Committee on International Relations Report on H.R. 695, July
25, 1997; House Report 105-108, Part 3, Committee on National
Security Report on H.R. 65, September 12, 1997; House Report
105-108, Part 4, Permanent Select Committee on Intelligence
Report on H.R. 695, September 16, 1997; House Report 105-108,
Part 5, Committee on Commerce Report on H.R. 695, September 29,
1997; Hiding Crimes in Cyberspace, Dorothy E. Denning and
William E. Baugh, Jr., to appear in Information, Communication
and Society, vol. 2, no. 3 (Autumn 1999) and in Cybercrime,
B.D. Loader and D. Thomas (eds.) Routledge, 1999; Growing
Development of Foreign Encryption Products in the Face of U.S.
Export Regulations, Lance J. Hoffman, et al, Cyberspace Policy
Institute, School of Engineering and Applied Science, George
Washington University, Washington, D.C., June 1999;
Cryptography & Liberty 1999: An International Survey of
Encryption Policy, Electronic Privacy Information Center,
Washington, DC, June 1999; Congressional Research Service Issue
Brief Encryption Technology: Congressional Issues, produced by
Mr. Richard M. Nunno, February 25, 1999; Terrorism in the Next
Millennium: Enter the Cyberterrorist, by George R. Barth, National
Counterintelligence Center; Access With Trust, Federal Public Key
Infrastructure Steering Committee, Government Information Technology
Services Board, Office of Management and Budget, Washington, DC,
September 1998; Cryptography Policy: the Guidelines and the Issues,
Organization for Economic Cooperation and Development, Washington, DC,
March 1998; Deciphering the Cryptography Debate, by Kenneth Flamm, The
Brookings Institution; The Risks of Key Recovery, Key Escrow, & Trusted
Third Party Encryption: A Report by an Ad Hoc Group of Cryptographers
and Computer Scientists, produced by Center for Democracy and
Technology, June 1998; ``Opening the Lines for Criminal Conversation,''
Robert D. Novak, Washington Post, June 28, 1999; and ``Wiretap
Technology. Updating an effective tool,'' by the Honorable Henry J.
Hyde, Washington Times, October 1996.
Testimony before the United States House of Representatives
Judiciary Subcommittee on Courts and Intellectual Property,
March 4, 1999: The Honorable William A. Reinsch, Under
Secretary for Export Administration, Department of Commerce;
Mr. Dave McCurdy, President, Electronic Industries Alliance;
the Honorable Ron Lee, Associate Deputy Attorney General,
Department of Justice; Mr. Craig McLaughlin, Chief Technology
Officer, Privada, Inc.; Mr. Edward Gillespie, Executive
Director, Americans for Computer Privacy; Mr. Thomas Parenty,
Director, Data and Communications Security Sybase, Inc. on
behalf of Business Software Alliance; Ms. Dorothy E. Denning,
Computer Science Department, Georgetown University; and
Statement of the Honorable Howard Coble, United States
Representative, 6th District of North Carolina.
Testimony before the United States House of Representatives
Commerce Subcommittee on Telecommunications Trade and Consumer
Protection, May 25, 1999: The Honorable Ronald D. Lee,
Associate Deputy Attorney General, Department of Justice; the
Honorable Barbara A. McNamara, Deputy Director, National
Security Agency; the Honorable William A. Reinsch,
Undersecretary Bureau of Export Administration, Department of
Commerce, Executive Director, Americans for Computer Privacy;
Mr. Richard Hornstein, General Counsel, Network Associates; Mr.
Tom Arnold, Vice President and Chief Technology Officer,
CyberSource Corporation; Dr. Gene Schultz, Trusted Security
Advisor, Global Integrity Corporation; Mr. Paddy Holohan,
Executive Vice President, Marketing, Baltimore Technologies
International Finance Services Centre; and Mr. David Dawson,
Chairman and CEO, V-One Corporation.
Testimony before the United States House of Representatives
Armed Services Committee, July 13, 1999: the Honorable Janet
Reno, Attorney General; the Honorable William A. Reinsch,
Undersecretary for Export Administration, Department of
Commerce; the Honorable Louis J. Freeh, Director, Federal
Bureau of Investigation; Ms. Elizabeth Kaufman, Senior Director
and General Manager for Security, Cisco Systems, Inc; and Mr.
Matthew Bowcock, Executive Vice President of Cooperate
Development, Baltimore Technologies.
In addition, the Committee staff was briefed on the subject
of encryption from representatives of Cisco Systems, Inc.; IBM;
Nortel; 3Com; Center for Technology and Democracy; Netscape;
Motorola; the Alliance for Network Security; the Business
Software Alliance; and Americans for Computer Privacy.
Committee Consideration
The Committee met on July 15, 1999, to mark up H.R. 850. In
closed session, the Committee approved by unanimous voice vote
the amendment in the nature of a substitute to H.R. 850 as
amended and reported by the Committee on the Judiciary (House
Report No. 106-117, Part 1, (April 27, 1999)), which was
offered by Chairman Goss and Mr. Dixon and further amended by
Ms. Pelosi. Upon adoption of the Goss and Dixon amendment as
amended, the Committee, in open session, by unanimous voice
vote, ordered H.R. 850, the ``Encryption for the National
Interest Act,'' as amended by the Committee, reported favorably
to the House, a quorum being present.
Vote of the Committee
During its consideration of H.R. 850, the Committee took no
roll call votes.
Findings and Recommendations of the Committee on Government Reform and
Oversight
With respect to clause 3(c)(4) of rule XIII of the Rules of
the House of Representatives, the Committee has not received a
report from the Committee on Government Reform pertaining to
the subject of the bill.
Oversight Findings
In compliance with clause 3(c)(1) of rule XIII of the Rules
of the House of Representatives, the bill as reported by the
Committee reflects the conclusions, findings, and
recommendations of the Committee in light of its oversight
activity.
Congressional Budget Office Estimates
In compliance with clause 3(c)(2) and (3) of rule XIII of
the Rules of the House of Representatives, and pursuant to
sections 308 and 402 of the Congressional Budget Act of 1974,
the Committee submits the following estimate prepared by the
Congressional Budget Office:
U.S. Congress,
Congressional Budget Office,
Washington, DC, July 23, 1999.
Hon. Porter J. Goss,
Chairman, Committee on Intelligence, House of Representatives,
Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for H.R. 850, the
Encryption for the National Interest Act.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contacts are Mark Hadley
and Mark Grabowicz.
Sincerely,
Barry B. Anderson
(For Dan L. Crippen, Director).
Enclosure.
H.R. 850--Encryption for the National Interest Act
Summary: H.R. 850 would clarify the President's authority
to control the export of encryption products. The effectiveness
or strength of contemporary encryption products is measured by
the number of bits that make up the key for the encryption
algorithm. (The term ``key'' refers to the mathematical code
used to translate encrypted information back into its original,
unencrypted format.) Under current policy, domestic producers
may export encryption products with key lengths of up to 56
bits and stronger products for specified industries.
H.R. 850 would generally allow domestic producers to export
encryption products with key lengths of up to 64 bits. The
President would determine the maximum strength of encryption
products that may be exported (with a review and potential
update of that maximum every 180 days). The bill would
establish a board to advise the President on the export of
encryption products. H.R. 850 also would establish two federal
crimes relating to the improper use of encryption technology
and would require the Attorney General to issue numerous
reports and maintain data on the instances in which encryption
impedes or obstructs the ability of the Department of Justice
(DOJ) to enforce the criminal laws. Finally, the bill would
authorize appropriations of $75 million over the 2000-2003
period to establish a technical support center within the
Federal Bureau of Investigation (FBI).
Assuming the appropriation of the necessary amounts, CBO
estimates that enacting this bill would result in additional
discretionary spending by DOJ of about $80 million over the
2000-2004 period. Enacting H.R. 850 also would affect direct
spending and receipts. Therefore, pay-as-you-go procedures
would apply. CBO estimates, however, that the amounts of
additional direct spending and receipts would not be
significant.
CBO is uncertain whether H.R. 850 contains
intergovernmental mandates as defined in the Unfunded Mandates
Reform Act (UMRA), but we estimate that any costs to state,
local, or tribal governments would not be significant and would
not meet the threshold established by that act ($50 million in
1996, adjusted annually for inflation).
This bill would impose no new private-sector mandates as
defined in UMRA.
Estimated cost to the Federal Government: The estimated
budgetary impact of H.R. 850 is shown in the following table.
For the purpose of this estimate, CBO assumes H.R. 850 will be
enacted by the beginning of fiscal year 2000 and that the
authorized amounts will be provided for each year. The costs of
this legislation fall within budget function 750
(administration of justice).
----------------------------------------------------------------------
                              By fiscal years, in millions of dollars--
                                    2000   2001   2002   2003   2004
----------------------------------------------------------------------
SPENDING SUBJECT TO APPROPRIATION
Estimated Authorization Level.....    26     21     16     16      1
Estimated Outlays.................    19     25     16     16      4
----------------------------------------------------------------------
Basis of Estimate
Spending subject to appropriation
H.R. 850 would establish a technical support center within
the FBI and authorize appropriations of $75 million over the
2000-2003 period. Based on the historical spending patterns of
FBI funds, CBO estimates that implementing this provision would
result in outlays of $74 million over the 2000-2004 period.
In addition, CBO estimates that complying with the bill's
data collection and reporting requirements would cost DOJ about
$1 million a year, assuming appropriation of the necessary
amounts. The expense of compiling and maintaining data on the
instances in which encryption impedes or obstructs the ability
of the department to enforce the criminal laws is difficult to
ascertain because the number of such instances is unknown--but
DOJ believes that if H.R. 850 were enacted they would be
numerous.
Under current policy, the Department of Commerce's (DOC's)
Bureau of Export Administration (BXA) would likely spend about
$500,000 a year reviewing exports of encryption products. If
H.R. 850 were enacted, BXA would still be required to review
requests to export encryption products. Thus, CBO estimates
that implementing H.R. 850 would not significantly change the
costs to control exports of nonmilitary encryption products.
H.R. 850 would establish a new federal crime for using
encryption technologies to conceal incriminating information
relating to a felony from law enforcement officials and for
illegally decrypting private information. The bill would also
create a new federal crime for violating privacy by decrypting
someone's private information. Because H.R. 850 would establish
new federal crimes, CBO anticipates that the U.S. government
would be able to pursue cases that it otherwise would be unable
to prosecute. Based on information from DOJ, however, we do not
expect the government to pursue many additional cases. Thus,
CBO estimates that implementing these provisions would not have
a significant impact on the cost of federal law enforcement
activity.
Direct spending and revenues
Enacting H.R. 850 would affect direct spending and receipts
by imposing criminal fines. Collections of such fines are
recorded in the budget as governmental receipts (i.e.,
revenues), which are deposited in the Crime Victims Fund and
spent in subsequent years. Any additional collections as a
result of this bill are likely to be negligible, however,
because the federal government would probably not pursue many
cases under the bill. Because any increase in direct spending
would equal the fines collected (with a lag of one year or
more), the additional direct spending would be negligible.
Direct spending also could result from the provision that
would allow the government to be sued for decrypting private
information without a court order. CBO expects that this
provision is not likely to result in any significant spending.
Pay-as-you-go considerations: The Balanced Budget and
Emergency Control Act sets up pay-as-you-go procedures for
legislation affecting direct spending or receipts. H.R. 850
would affect direct spending and receipts by imposing criminal
fines and by allowing civil actions against the United States
government. CBO estimates that the amount of additional direct
spending and receipts would not be significant.
Estimated impact on State, local, and tribal governments:
H.R. 850 would require state and local law enforcement agencies
to follow specified procedures in order to obtain access to the
decryption keys of suspected criminals and would require state
courts to undertake additional administrative duties in
processing such requests. In addition, the bill would limit the
liability of anyone who provides access to a decryption key to
law enforcement officials who follow the procedures prescribed
by the bill. We cannot determine if the requirements of H.R.
850 would constitute new intergovernmental mandates because it
is unclear how these requirements would interact with the
current wiretap, search, and seizure laws. CBO estimates that
the costs of those requirements would be small because they are
similar to current laws and procedures and because the burden
of the bill's requirements would fall predominantly on federal
entities. We therefore estimate that the bill would not impose
significant costs on state, local, or tribal governments and
that such costs would not exceed the threshold established by
UMRA ($50 million in 1996, adjusted annually for inflation).
Estimated impact on the private sector: This bill would
impose no new private-sector mandates as defined in UMRA.
Previous CBO estimates: CBO has completed numerous other
estimates of bills affecting the export of encryption products,
including three versions of H.R. 850. Differences between this
estimate and our previous estimates reflect differences between
the bills. On April 21, 1999, CBO transmitted a cost estimate
for H.R. 850 as ordered reported by the House Committee on the
Judiciary on March 24, 1999. On July 1, 1999, CBO transmitted
an estimate for H.R. 850 as ordered reported by the House
Committee on Commerce on June 23, 1999. On July 16, 1999, CBO
transmitted an estimate of H.R. 850 as ordered reported by the
House Committee on International Relations on July 13, 1999. On
July 9, 1999, CBO transmitted an estimate for S. 798, the
Promote Online Transactions to Encourage Commerce and Trade
(PROTECT) Act of 1999, as ordered reported by the Senate
Committee on Commerce, Science, and Transportation on June 23,
1999. And on July 22, 1999, CBO transmitted an estimate for
H.R. 850 as ordered reported by the House Committee on Armed
Services on July 21, 1999.
CBO estimated that the versions of H.R. 850 reported by the
Judiciary Committee and the International Relations Committee
would each cost between $3 million and $5 million over the
2000-2004 period, that the version reported by the Armed
Services Committee would cost $5 million over the 2000-2004
period, and that the House Commerce Committee's version of H.R.
850 and the Senate bill (S. 798) would each increase costs by
at least $25 million over the same period. None of those
previously estimated bills contain authorizations for a new
technical support center within the FBI.
Estimate prepared by: Federal costs: Mark Hadley and Mark
Grabowicz. Impact on State, local, and tribal governments:
Shelley Finlayson.
Estimate approved by: Robert A. Sunshine, Deputy Assistant
Director for Budget Analysis.
Committee Cost Estimates
The Committee agrees with the estimate of the Congressional
Budget Office.
Specific Constitutional Authority for Congressional Enactment of this
Legislation
The intelligence and intelligence-related activities of the
United States government are carried out to support the
national security interests of the United States, to support
and assist the armed forces of the United States, and to
support the President in the execution of the foreign policy of
the United States. Article 1, section 8, of the Constitution of
the United States provides, in pertinent part, that ``Congress
shall have power * * * to pay the debts and provide for the
common defense and general welfare of the United States; * * *
''; ``to raise and support Armies, * * * ''; ``to provide and
maintain a Navy; * * * '' and ``to make all laws which shall be
necessary and proper for the carrying into execution . . . all
other powers vested by this Constitution in the Government of
the United States, or in any Department or Officer thereof.''
Therefore, pursuant to such authority, Congress is empowered to
enact this legislation.
Changes in Existing Law Made by the Bill, as Reported
In compliance with clause 3(e) of rule XIII of the Rules of
the House of Representatives, changes in existing law made by
the bill, as reported, are shown as follows (existing law
proposed to be omitted is enclosed in black brackets, new
matter is printed in italic, existing law in which no change is
proposed is shown in roman):
TITLE 18, UNITED STATES CODE
* * * * * * *
Chap. Sec.
1. General provisions......................................... 1
* * * * * * *
2801 Encrypted data, including communications..................
* * * * * * *
CHAPTER 125--ENCRYPTED DATA, INCLUDING COMMUNICATIONS
Sec.
2801. Unlawful use of encryption in furtherance of a criminal act.
2802. Privacy protection.
2803. Court order access to plaintext or decryption information.
2804. Notification procedures.
2805. Lawful use of plaintext or decryption information.
2806. Identification of decryption information.
2807. Definitions.
Sec. 2801. Unlawful use of encryption in furtherance of a criminal act
(a) Prohibited Acts.--Whoever knowingly uses encryption in
furtherance of the commission of a criminal offense for which
the person may be prosecuted in a district court of the United
States shall--
(1) in the case of a first offense under this
section, be imprisoned for not more than 5 years, or
fined under this title, or both; and
(2) in the case of a second or subsequent offense
under this section, be imprisoned for not more than 10
years, or fined under this title, or both.
(b) Consecutive Sentence.--Notwithstanding any other
provision of law, the court shall not place on probation any
person convicted of a violation of this section, nor shall the
term of imprisonment imposed under this section run
concurrently with any other term of imprisonment imposed for
the underlying criminal offense.
(c) Probable Cause Not Constituted by Use of Encryption.--The
use of encryption by itself shall not establish probable cause
to believe that a crime is being or has been committed.
Sec. 2802. Privacy protection
(a) In General.--It shall be unlawful for any person to
intentionally--
(1) obtain or use decryption information without
lawful authority for the purpose of decrypting data,
including communications;
(2) exceed lawful authority in decrypting data,
including communications;
(3) break the encryption code of another person
without lawful authority for the purpose of violating
the privacy or security of that person or depriving
that person of any property rights;
(4) impersonate another person for the purpose of
obtaining decryption information of that person without
lawful authority;
(5) facilitate or assist in the encryption of data,
including communications, knowing that such data,
including communications, are to be used in furtherance
of a crime; or
(6) disclose decryption information in violation of a
provision of this chapter.
(b) Criminal Penalty.--Whoever violates this section shall
be imprisoned for not more than 10 years, or fined under this
title, or both.
Sec. 2803. Court order access to plaintext or decryption information
(a) Court Order.--(1) A court of competent jurisdiction shall
issue an order, ex parte, granting an investigative or law
enforcement officer timely access to the plaintext of encrypted
data, including communications, or requiring any person in
possession of decryption information to provide such
information to a duly authorized investigative or law
enforcement officer--
(A) upon the application by an attorney for the
Government that--
(i) is made under oath or affirmation by the
attorney for the Government; and
(ii) provides a factual basis establishing
the relevance that the plaintext or decryption
information being sought has to a law
enforcement, foreign counterintelligence, or
international terrorism investigation then
being conducted pursuant to lawful authorities;
and
(B) if the court finds, in writing, that the
plaintext or decryption information being sought is
relevant to an ongoing lawful law enforcement, foreign
counterintelligence, or international terrorism
investigation and the investigative or law enforcement
officer is entitled to such plaintext or decryption
information.
(2) The order issued by the court under this section shall be
placed under seal, except that a copy may be made available to
the investigative or law enforcement officer authorized to
obtain access to the plaintext of the encrypted information, or
authorized to obtain the decryption information sought in the
application. Such order shall, subject to the notification
procedures set forth in section 2804, also be made available to
the person responsible for providing the plaintext or the
decryption information, pursuant to such order, to the
investigative or law enforcement officer.
(3) Disclosure of an application made, or order issued, under
this section, is not authorized, except as may otherwise be
specifically permitted by this section or another order of the
court.
(b) Record of Access Required.--(1) There shall be created an
electronic record, or similar type record, of each instance in
which an investigative or law enforcement officer, pursuant to
an order under this section, gains access to the plaintext of
otherwise encrypted information, or is provided decryption
information, without the knowledge or consent of the owner of
the data, including communications, who is the user of the
encryption product involved.
(2) The court issuing the order under this section may
require that the electronic or similar type of record described
in paragraph (1) is maintained in a place and a manner that is
not within the custody or control of an investigative or law
enforcement officer gaining the access or provided the
decryption information. The record shall be tendered to the
court, upon notice from the court.
(3) The court receiving such electronic or similar type of
record described in paragraph (1) shall make the original and a
certified copy of the record available to the attorney for the
Government making application under this section, and to the
attorney for, or directly to, the owner of the data, including
communications, who is the user of the encryption product,
pursuant to the notification procedures set forth in section
2804.
(c) Authority To Intercept Communications Not Increased.--
Nothing in this chapter shall be construed to enlarge or modify
the circumstances or procedures under which a Government entity
is entitled to intercept or obtain oral, wire, or electronic
communications or information.
(d) Construction.--This chapter shall be strictly construed
to apply only to a Government entity's ability to decrypt data,
including communications, for which it has previously obtained
lawful authority to intercept or obtain pursuant to other
lawful authorities, which without an order issued under this
section would otherwise remain encrypted.
Sec. 2804. Notification procedures
(a) In General.--Within a reasonable time, but not later
than 90 days after the filing of an application for an order
under section 2803 which is granted, the court shall cause to
be served, on the persons named in the order or the
application, and such other parties whose decryption
information or whose plaintext has been provided to an
investigative or law enforcement officer pursuant to this
chapter, as the court may determine is in the interest of
justice, an inventory which shall include notice of--
(1) the fact of the entry of the order or the
application;
(2) the date of the entry of the application and
issuance of the order; and
(3) the fact that the person's decryption information
or plaintext data, including communications, has been
provided or accessed by an investigative or law
enforcement officer.
The court, upon the filing of a motion, may make available to
that person or that person's counsel, for inspection, such
portions of the plaintext, applications, and orders as the
court determines to be in the interest of justice.
(b) Postponement of Inventory for Good Cause.--(1) On an ex
parte showing of good cause by an attorney for the Government
to a court of competent jurisdiction, the serving of the
inventory required by subsection (a) may be postponed for an
additional 30 days after the granting of an order pursuant to
the ex parte motion.
(2) No more than 3 ex parte motions pursuant to paragraph (1)
are authorized.
(c) Admission Into Evidence.--The content of any encrypted
information that has been obtained pursuant to this chapter or
evidence derived therefrom shall not be received in evidence or
otherwise disclosed in any trial, hearing, or other proceeding
in a Federal or State court, other than the court organized
pursuant to the Foreign Intelligence Surveillance Act of 1978,
unless each party, not less than 10 days before the trial,
hearing, or proceeding, has been furnished with a copy of the
order, and accompanying application, under which the decryption
or access to plaintext was authorized or approved. This 10-day
period may be waived by the court if the court finds that it
was not possible to furnish the party with the information
described in the preceding sentence within 10 days before the
trial, hearing, or proceeding and that the party will not be
prejudiced by the delay in receiving such information.
(d) Construction.--The provisions of this chapter shall be
construed consistent with--
(1) the Classified Information Procedures Act (18
U.S.C. App.); and
(2) the Foreign Intelligence Surveillance Act of 1978
(50 U.S.C. 1801 et seq.).
(e) Contempt.--Any violation of the provisions of this
section may be punished by the court as a contempt thereof.
(f) Motion To Suppress.--Any aggrieved person in any trial,
hearing, or proceeding in or before any court, department,
officer, agency, regulatory body, or other authority of the
United States or a State, other than the court organized
pursuant to the Foreign Intelligence Surveillance Act of 1978,
may move to suppress the contents of any decrypted data,
including communications, obtained pursuant to this chapter, or
evidence derived therefrom, on the grounds that--
(1) the plaintext was decrypted or accessed in
violation of this chapter;
(2) the order of authorization or approval under
which it was decrypted or accessed is insufficient on
its face; or
(3) the decryption was not made in conformity with
the order of authorization or approval.
Such motion shall be made before the trial, hearing, or
proceeding unless there was no opportunity to make such motion,
or the person was not aware of the grounds of the motion. If
the motion is granted, the plaintext of the decrypted data,
including communications, or evidence derived therefrom, shall
be treated as having been obtained in violation of this
chapter. The court, upon the filing of such motion by the
aggrieved person, may make available to the aggrieved person or
that person's counsel for inspection such portions of the
decrypted plaintext, or evidence derived therefrom, as the
court determines to be in the interests of justice.
(g) Appeal by United States.--In addition to any other right
to appeal, the United States shall have the right to appeal
from an order granting a motion to suppress made under
subsection (f), or the denial of an application for an order
under section 2803, if the attorney for the Government
certifies to the court or other official granting such motion
or denying such application that the appeal is not taken for
purposes of delay. Such appeal shall be taken within 30 days
after the date the order was entered on the docket and shall be
diligently prosecuted.
(h) Civil Action for Violation.--Except as otherwise provided
in this chapter, any person described in subsection (i) may, in
a civil action, recover from the United States Government the
actual damages suffered by the person as a result of a
violation described in that subsection, reasonable attorney's
fees, and other litigation costs reasonably incurred in
prosecuting such claim.
(i) Covered Persons.--Subsection (h) applies to any person
whose decryption information--
(1) is knowingly obtained without lawful authority by
an investigative or law enforcement officer;
(2) is obtained by an investigative or law
enforcement officer with lawful authority and is
knowingly used or disclosed by such officer unlawfully;
or
(3) is obtained by an investigative or law
enforcement officer with lawful authority and whose
decryption information is unlawfully used to disclose
the plaintext of the data, including communications.
(j) Limitation.--A civil action under subsection (h) shall be
commenced not later than 2 years after the date on which the
unlawful action took place, or 2 years after the date on which
the claimant first discovers the violation, whichever is later.
(k) Exclusive Remedies.--The remedies and sanctions described
in this chapter with respect to the decryption of data,
including communications, are the only judicial remedies and
sanctions for violations of this chapter involving such
decryptions, other than violations based on the deprivation of
any rights, privileges, or immunities secured by the
Constitution.
(l) Technical Assistance by Providers.--A provider of
encryption technology or network service that has received an
order issued by a court pursuant to this chapter shall provide
to the investigative or law enforcement officer concerned such
technical assistance as is necessary to execute the order. Such
provider may, however, move the court to modify or quash the
order on the ground that its assistance with respect to the
decryption or access to plaintext cannot be performed in fact,
or in a timely or reasonable fashion. The court, upon notice to
the Government, shall decide such motion expeditiously.
(m) Reports to Congress.--In May of each year, the Attorney
General, or an Assistant Attorney General specifically
designated by the Attorney General, shall report in writing to
Congress on the number of applications made and orders entered
authorizing Federal, State, and local law enforcement access to
decryption information for the purposes of reading the
plaintext of otherwise encrypted data, including
communications, pursuant to this chapter. Such reports shall be
submitted to the Committees on the Judiciary of the House of
Representatives and of the Senate, and to the Permanent Select
Committee on Intelligence for the House of Representatives and the
Select Committee on Intelligence for the Senate.
Sec. 2805. Lawful use of plaintext or decryption information
(a) Authorized Use of Decryption Information.--
(1) Criminal investigations.--An investigative or law
enforcement officer to whom plaintext or decryption
information is provided may only use such plaintext or
decryption information for the purposes of conducting a
lawful criminal investigation, foreign
counterintelligence, or international terrorism
investigation, and for the purposes of preparing for
and prosecuting any criminal violation of law.
(2) Civil redress.--Any plaintext or decryption
information provided under this chapter to an
investigative or law enforcement officer may not be
disclosed, except by court order, to any other person
for use in a civil proceeding that is unrelated to a
criminal investigation and prosecution for which the
plaintext or decryption information is authorized under
paragraph (1). Such order shall only issue upon a
showing by the party seeking disclosure that there is
no alternative means of obtaining the plaintext, or
decryption information, being sought and the court also
finds that the interests of justice would not be served
by nondisclosure.
(b) Limitation.--An investigative or law enforcement officer
may not use decryption information obtained under this chapter
to determine the plaintext of any data, including
communications, unless it has obtained lawful authority to
obtain such data, including communications, under other lawful
authorities.
(c) Return of Decryption Information.--An attorney for the
Government shall, upon the issuance of an order of a court of
competent jurisdiction--
(1)(A) return any decryption information to the
person responsible for providing it to an investigative
or law enforcement officer pursuant to this chapter; or
(B) destroy such decryption information, if the court
finds that the interests of justice or public safety
require that such decryption information should not be
returned to the provider; and
(2) within 10 days after execution of the court's
order to return or destroy the decryption information--
(A) certify to the court that the decryption
information has either been returned or
destroyed consistent with the court's order;
and
(B) if applicable, notify the provider of the
decryption information of the destruction of
such information.
(d) Other Disclosure of Decryption Information.--Except as
otherwise provided in section 2803, decryption information or
the plaintext of otherwise encrypted data, including
communications, shall not be disclosed by any person unless the
disclosure is--
(1) to the person encrypting the data, including
communications, or an authorized agent thereof;
(2) with the consent of the person encrypting the
data, including pursuant to a contract entered into
with the person;
(3) pursuant to a court order upon a showing of
compelling need for the information that cannot be
accommodated by any other means if--
(A) the person who supplied the information
is given reasonable notice, by the person
seeking the disclosure, of the court proceeding
relevant to the issuance of the court order;
and
(B) the person who supplied the information
is afforded the opportunity to appear in the
court proceeding and contest the claim of the
person seeking the disclosure;
(4) pursuant to a determination by a court of
competent jurisdiction that another person is lawfully
entitled to hold such decryption information, including
determinations arising from legal proceedings
associated with the incapacity, death, or dissolution
of any person; or
(5) otherwise permitted by law.
Sec. 2806. Identification of decryption information
(a) Identification.--To avoid inadvertent disclosure of
decryption information, any person who provides decryption
information to an investigative or law enforcement officer
pursuant to this chapter shall specifically identify that part
of the material that discloses decryption information as such.
(b) Responsibility of Investigative or Law Enforcement
Officer.--The investigative or law enforcement officer
receiving any decryption information under this chapter shall
maintain such information in a facility and in a method so as
to reasonably assure that inadvertent disclosure does not
occur.
Sec. 2807. Definitions
The definitions set forth in section 101 of the Encryption
for the National Interest Act shall apply to this chapter.
* * * * * * *