pem-dev

Encrypted Communications Privacy Act of 1996

1996-03-08 08:40:00
The attached bill may be of general interest:

Bob



FILE s1587.is
          S 1587 IS
          104th CONGRESS
          2d Session
          To affirm the rights of Americans to use and sell encryption
          products, to establish privacy standards for voluntary escrowed
          encryption systems, and for other purposes.
                           IN THE SENATE OF THE UNITED STATES
                                      March 5, 1996
          Mr. LEAHY (for himself, Mr. BURNS, Mr. DOLE, Mr. PRESSLER, and Mrs.
              MURRAY) introduced the following bill; which was read twice and
              referred to the Committee on the Judiciary
                                         A BILL
          To affirm the rights of Americans to use and sell encryption
          products, to establish privacy standards for voluntary escrowed
          encryption systems, and for other purposes.
             Be it enacted by the Senate and House of
          Representatives of the United States of America in Congress
          assembled,
          SECTION 1. SHORT TITLE.
            This Act may be cited as the `Encrypted Communications Privacy 
          Act of 1996'.
          SEC. 2. PURPOSE.
            It is the purpose of this Act--
                (1) to ensure that Americans are able to have the maximum
              possible choice in encryption methods to protect the security,
              confidentiality, and privacy of their lawful wire or electronic
              communications; and
                (2) to establish privacy standards for key holders who are
              voluntarily entrusted with the means to decrypt such
              communications, and procedures by which investigative or law
              enforcement officers may obtain assistance in decrypting such
              communications.
          SEC. 3. FINDINGS.
            The Congress finds that--
                (1) the digitization of information and the explosion in the
              growth of computing and electronic networking offers tremendous
              potential benefits to the way Americans live, work, and are
              entertained, but also raises new threats to the privacy of
              American citizens and the competitiveness of American businesses;
                (2) a secure, private, and trusted national and global
              information infrastructure is essential to promote economic
              growth, protect citizens' privacy, and meet the needs of
              American citizens and businesses;
                (3) the rights of Americans to the privacy and security of
              their communications and in conducting their personal and
              business affairs should be preserved and protected;
                (4) the authority and ability of investigative and law
              enforcement officers to access and decipher, in a timely manner
              and as provided by law, wire and electronic communications
              necessary to provide for public safety and national security
              should also be preserved;
                (5) individuals will not entrust their sensitive personal,
              medical, financial, and other information to computers and
              computer networks unless the security and privacy of that
              information is assured;
                (6) business will not entrust their proprietary and sensitive
              corporate information, including information about products,
              processes, customers, finances, and employees, to computers and
              computer networks unless the security and privacy of that
              information is assured;
                (7) encryption technology can enhance the privacy, security,
              confidentiality, integrity, and authenticity of wire and
              electronic communications and stored electronic information;
                (8) encryption techniques, technology, programs, and products
              are widely available worldwide;
                (9) Americans should be free lawfully to use whatever
              particular encryption techniques, technologies, programs, or
              products developed in the marketplace they desire in order to
              interact electronically worldwide in a secure, private, and
              confidential manner;
                (10) American companies should be free to compete and to sell
              encryption technology, programs, and products;
                (11) there is a need to develop a national encryption policy
              that advances the development of the national and global
              information infrastructure, and preserves Americans' right to
              privacy and the Nation's public safety and national security;
                (12) there is a need to clarify the legal rights and
              responsibilities of key holders who are voluntarily entrusted
              with the means to decrypt wire or electronic communications;
                (13) the Congress and the American people have recognized the
              need to balance the right to privacy and the protection of the
              public safety and national security;
                (14) the Congress has permitted lawful electronic
              surveillance by investigative or law enforcement officers only
              upon compliance with stringent statutory standards and
              procedures; and
                (15) there is a need to clarify the standards and procedures
              by which investigative or law enforcement officers obtain
              assistance from key holders who are voluntarily entrusted with
              the means to decrypt wire or electronic communications,
              including such communications in electronic storage.
          SEC. 4. FREEDOM TO USE ENCRYPTION.
            (a) LAWFUL USE OF ENCRYPTION- It shall be lawful for any person
          within any State of the United States, the District of Columbia, 
          the Commonwealth of Puerto Rico, and any territory or possession of
          the United States, and by United States persons in a foreign 
          country to use any encryption, regardless of encryption algorithm
          selected, encryption key length chosen, or implementation technique
          or medium used except as provided in this Act and the amendments
          made by this Act or in any other law.
            (b) GENERAL CONSTRUCTION- Nothing in this Act or the amendments
          made by this Act shall be construed to--
                (1) require the use by any person of any form of encryption;
                (2) limit or affect the ability of any person to use
              encryption without a key escrow function; or
                (3) limit or affect the ability of any person who chooses to
              use encryption with a key escrow function not to use a key
              holder.
          SEC. 5. ENCRYPTED WIRE AND ELECTRONIC COMMUNICATIONS.
            (a) IN GENERAL- Part I of title 18, United States Code, is 
          amended by inserting after chapter 121 the following new chapter:
                  `CHAPTER 122--ENCRYPTED WIRE AND ELECTRONIC
                                 COMMUNICATIONS
          `2801. Definitions.
          `2802. Prohibited acts by key holders.
          `2803. Reporting requirements.
          `2804. Unlawful use of encryption to obstruct justice.
          `2805. Freedom to sell encryption products.
          `Sec. 2801. Definitions
            `As used in this chapter--
                `(1) the terms `person', `State', `wire communication',
              `electronic communication', `investigative or law enforcement
              officer', `judge of competent jurisdiction', and `electronic
              storage' have the same meanings given such terms in section 
              2510 of this title;
                `(2) the term `encryption' means the scrambling of wire or
              electronic communications using mathematical formulas or
              algorithms in order to preserve the confidentiality, integrity
              or authenticity and prevent unauthorized recipients from
              accessing or altering such communications;
                `(3) the term `key holder' means a person located within the
              United States (which may, but is not required to, be a Federal
              agency) who is voluntarily entrusted by another independent
              person with the means to decrypt that person's wire or
              electronic communications for the purpose of subsequent
              decryption of such communications;
                `(4) the term `decryption key' means the variable information
              used in a mathematical formula, code, or algorithm, or any
              component thereof, used to decrypt wire or electronic
              communications that have been encrypted; and
                `(5) the term `decryption assistance' means providing access,
              to the extent possible, to the plain text of encrypted wire or
              electronic communications.
          `Sec. 2802. Prohibited acts by key holders
            `(a) UNAUTHORIZED RELEASE OF KEY- Except as provided in 
          subsection (b), any key holder who releases a decryption key or
          provides decryption assistance shall be subject to the criminal
          penalties provided in subsection (e) and to civil liability as
          provided in subsection (f).
            `(b) AUTHORIZED RELEASE OF KEY- A key holder shall only release a
          decryption key in its possession or control or provide decryption
          assistance--
                `(1) with the lawful consent of the person whose key is being
              held or managed by the key holder;
                `(2) as may be necessarily incident to the holding or
              management of the key by the key holder; or
                `(3) to investigative or law enforcement officers authorized
              by law to intercept wire or electronic communications under
              chapter 119, to obtain access to stored wire and electronic
              communications and transactional records under chapter 121, or
              to conduct electronic surveillance, as defined in section 101 
              of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C.
              1801), upon compliance with subsection (c) of this section.
            `(c) REQUIREMENTS FOR RELEASE OF DECRYPTION KEY OR PROVISION OF
          DECRYPTION ASSISTANCE TO INVESTIGATIVE OR LAW ENFORCEMENT OFFICER-
                `(1) CONTENTS OF WIRE AND ELECTRONIC COMMUNICATIONS- A key
              holder is authorized to release a decryption key or provide
              decryption assistance to an investigative or law enforcement
              officer authorized by law to conduct electronic surveillance
              under chapter 119, only if--
                    `(A) the key holder is given--
                        `(i) a court order signed by a judge of competent
                      jurisdiction directing such release or assistance; or
                        `(ii) a certification in writing by a person 
                      specified in section 2518(7) or the Attorney General
                      stating that--
                            `(I) no warrant or court order is required by law;
                            `(II) all requirements under section 2518(7) have
                          been met; and
                            `(III) the specified release or assistance is
                          required;
                    `(B) the order or certification under paragraph (A)--
                        `(i) specifies the decryption key or decryption
                      assistance which is being sought; and
                        `(ii) identifies the termination date of the period
                      for which release or assistance has been authorized; and
                    `(C) in compliance with an order or certification under
                  subparagraph (A), the key holder shall provide only such 
                  key release or decryption assistance as is necessary for
                  access to communications covered by subparagraph (B).
                `(2) STORED WIRE AND ELECTRONIC COMMUNICATIONS- (A) A key
              holder is authorized to release a decryption key or provide
              decryption assistance to an investigative or law enforcement
              officer authorized by law to obtain access to stored wire and
              electronic communications and transactional records under
              chapter 121, only if the key holder is directed to give such
              assistance pursuant to the same lawful process (court warrant,
              order, subpoena, or certification) used to obtain access to the
              stored wire and electronic communications and transactional
              records.
                `(B) The notification required under section 2703(b) shall, 
              in the event that encrypted wire or electronic communications
              were obtained from electronic storage, include notice of the
              fact that a key to such communications was or was not released
              or decryption assistance was or was not provided by a key holder.
                `(C) In compliance with the lawful process under subparagraph
              (A), the key holder shall provide only such key release or
              decryption assistance as is necessary for access to the
              communications covered by such lawful process.
                `(3) USE OF KEY- (A) An investigative or law enforcement
              officer to whom a key has been released under this subsection
              may use the key only in the manner and for the purpose and
              duration that is expressly provided for in the court order or
              other provision of law authorizing such release and use, not to
              exceed the duration of the electronic surveillance for which 
              the key was released.
                `(B) On or before completion of the authorized release 
              period, the investigative or law enforcement officer to whom a
              key has been released shall destroy and not retain the
              released key.
                `(C) The inventory required to be served pursuant to section
              2518(8)(d) on persons named in the order or the application
              under section 2518(7)(b), and such other parties to intercepted
              communications as the judge may determine, in the interest of
              justice, shall, in the event that encrypted wire or electronic
              communications were intercepted, include notice of the fact 
              that during the period of the order or extensions thereof a key
              to, or decryption assistance for, any encrypted wire or
              electronic communications of the person or party intercepted 
              was or was not provided by a key holder.
                `(4) NONDISCLOSURE OF RELEASE- No key holder, officer,
              employee, or agent thereof shall disclose the key release or
              provision of decryption assistance pursuant to subsection (b),
              except as may otherwise be required by legal process and then
              only after prior notification to the Attorney General or to the
              principal prosecuting attorney of a State or any political
              subdivision of a State, as may be appropriate.
            `(d) RECORDS OR OTHER INFORMATION HELD BY KEY HOLDERS- A key
          holder, shall not disclose a record or other information (not
          including the key) pertaining to any person whose key is being held
          or managed by the key holder, except--
                `(1) with the lawful consent of the person whose key is being
              held or managed by the key holder; or
                `(2) to an investigative or law enforcement officer pursuant
              to a subpoena authorized under Federal or State law, court
              order, or lawful process.
          An investigative or law enforcement officer receiving a record or
          information under paragraph (2) is not required to provide notice
          to the person to whom the record or information pertains. Any
          disclosure in violation of this subsection shall render the person
          committing the violation liable for the civil damages provided for
          in subsection (f).
            `(e) CRIMINAL PENALTIES- The punishment for an offense under
          subsection (a) of this section is--
                `(1) if the offense is committed for a tortious, malicious, 
              or illegal purpose, or for purposes of direct or indirect
              commercial advantage or private commercial gain--
                    `(A) a fine under this title or imprisonment for not more
                  than 1 year, or both, in the case of a first offense under
                  this subparagraph; or
                    `(B) a fine under this title or imprisonment for not more
                  than 2 years, or both, for any second or subsequent 
                  offense; and
                `(2) in any other case where the offense is committed
              recklessly or intentionally, a fine of not more than $5,000 or
              imprisonment for not more than 6 months, or both.
            `(f) CIVIL DAMAGES- 
                `(1) IN GENERAL- Any person aggrieved by any act of a person
              in violation of subsections (a) or (d) may in a civil action
              recover from such person appropriate relief.
                `(2) RELIEF- In an action under this subsection, appropriate
              relief includes--
                    `(A) such preliminary and other equitable or declaratory
                  relief as may be appropriate;
                    `(B) damages under paragraph (3) and punitive damages in
                  appropriate cases; and
                    `(C) a reasonable attorney's fee and other litigation
                  costs reasonably incurred.
                `(3) COMPUTATION OF DAMAGES- The court may assess as damages
              whichever is the greater of--
                    `(A) the sum of the actual damages suffered by the
                  plaintiff and any profits made by the violator as a result
                  of the violation; or
                    `(B) statutory damages in the amount of $5,000.
                `(4) LIMITATION- A civil action under this subsection shall
              not be commenced later than 2 years after the date upon which
              the plaintiff first knew or should have known of the violation.
            `(g) DEFENSE- It shall be a complete defense against any civil or
          criminal action brought under this chapter that the defendant acted
          in good faith reliance upon a court warrant or order, grand jury or
          trial subpoena, or statutory authorization.
          `Sec. 2803. Reporting requirements
            `(a) IN GENERAL- In reporting to the Administrative Office of the
          United States Courts as required under section 2519(2) of this
          title, the Attorney General, an Assistant Attorney General 
          specially designated by the Attorney General, the principal
          prosecuting attorney of a State, or the principal prosecuting
          attorney of any political subdivision of a State, shall report on
          the number of orders and extensions served on key holders to obtain
          access to decryption keys or decryption assistance.
            `(b) REQUIREMENTS- The Director of the Administrative Office of
          the United States Courts shall include as part of the report
          transmitted to the Congress under section 2519(3) of this title, 
          the number of orders and extensions served on key holders to obtain
          access to decryption keys or decryption assistance and the offenses
          for which the orders were obtained.
          `Sec. 2804. Unlawful use of encryption to obstruct justice
            `Whoever willfully endeavors by means of encryption to obstruct,
          impede, or prevent the communication of information in furtherance
          of a felony which may be prosecuted in a court of the United 
          States, to an investigative or law enforcement officer shall--
                `(1) in the case of a first conviction, be sentenced to
              imprisonment for not more than 5 years, fined under this title,
              or both; or
                `(2) in the case of a second or subsequent conviction, be
              sentenced to imprisonment for not more than 10 years, fined
              under this title, or both.
          `Sec. 2805. Freedom to sell encryption products
            `(a) IN GENERAL- It shall be lawful for any person within any
          State of the United States, the District of Columbia, the
          Commonwealth of Puerto Rico, and any territory or possession of the
          United States, to sell in interstate commerce any encryption,
          regardless of encryption algorithm selected, encryption key length
          chosen, or implementation technique or medium used.
            `(b) CONTROL OF EXPORTS BY SECRETARY OF COMMERCE- 
                `(1) GENERAL RULE- Notwithstanding any other law, subject to
              paragraphs (2), (3), and (4), the Secretary of Commerce shall
              have exclusive authority to control exports of all computer
              hardware, software, and technology for information security
              (including encryption), except computer hardware, software, and
              technology that is specifically designed or modified for
              military use, including command, control, and intelligence
              applications.
                `(2) ITEMS NOT REQUIRING LICENSES- No validated license may 
              be required, except pursuant to the Trading With The Enemy Act
              or the International Emergency Economic Powers Act (IEEPA) (but
              only to the extent that the authority of the IEEPA is not
              exercised to extend controls imposed under the Export
              Administration Act of 1979), for the export or reexport of--
                    `(A) any software, including software with encryption
                  capabilities, that is--
                        `(i) generally available, as is, and designed for
                      installation by the purchaser; or
                        `(ii) in the public domain or publicly available
                      because it is generally accessible to the interested
                      public in any form; or
                    `(B) any computing device solely because it incorporates
                  or employs in any form software (including software with
                  encryption capabilities) exempted from any requirement for 
                  a validated license under subparagraph (A).
                `(3) SOFTWARE WITH ENCRYPTION CAPABILITIES- The Secretary of
              Commerce shall authorize the export or reexport of software 
              with encryption capabilities for nonmilitary end-uses in any
              country to which exports of software of similar capability are
              permitted for use by financial institutions not controlled in
              fact by United States persons, unless there is substantial
              evidence that such software will be--
                    `(A) diverted to a military end-use or an end-use
                  supporting international terrorism;
                    `(B) modified for military or terrorist end-use; or
                    `(C) reexported without requisite United States
                  authorization.
                `(4) HARDWARE WITH ENCRYPTION CAPABILITIES- The Secretary
              shall authorize the export or reexport of computer hardware 
              with encryption capabilities if the Secretary determines that a
              product offering comparable security is commercially available
              from a foreign supplier without effective restrictions outside
              the United States.
                `(5) DEFINITIONS- As used in this subsection--
                    `(A) the term `generally available' means, in the case of
                  software (including software with encryption capabilities),
                  software that is widely offered for sale, license, or
                  transfer including, but not limited to, over-the-counter
                  retail sales, mail order transactions, phone order
                  transactions, electronic distribution, or sale on approval;
                    `(B) the term `as is' means, in the case of software
                  (including software with encryption capabilities), a
                  software program that is not designed, developed, or
                  tailored by the software company for specific purchasers,
                  except that such purchasers may supply certain installation
                  parameters needed by the software program to function
                  properly with the purchaser's system and may customize the
                  software program by choosing among options contained in the
                  software program;
                    `(C) the term `is designed for installation by the
                  purchaser' means, in the case of software (including
                  software with encryption capabilities)--
                        `(i) the software company intends for the purchaser
                      (including any licensee or transferee), who may not be
                      the actual program user, to install the software 
                      program on a computing device and has supplied the
                      necessary instructions to do so, except that the 
                      company may also provide telephone help-line services
                      for software installation, electronic transmission, or
                      basic operations; and
                        `(ii) that the software program is designed for
                      installation by the purchaser without further
                      substantial support by the supplier;
                    `(D) the term `computing device' means a device which
                  incorporates one or more microprocessor-based central
                  processing units that can accept, store, process, or 
                  provide output of data; and
                    `(E) the term `computer hardware', when used in
                  conjunction with information security, includes, but is not
                  limited to, computer systems, equipment,
                  application-specific assemblies, modules, and integrated
                  circuits.'.
            (b) TECHNICAL AMENDMENT- The table of chapters for part I of 
          title 18, United States Code, is amended by inserting after the 
          item relating to chapter 33, the following new item:
           2801'.
          SEC. 6. INTELLIGENCE ACTIVITIES.
            (a) CONSTRUCTION- Nothing in this Act or the amendments made by
          this Act constitutes authority for the conduct of any intelligence
          activity.
            (b) CERTAIN CONDUCT- Nothing in this Act or the amendments made 
          by this Act shall affect the conduct, by officers or employees of
          the United States Government in accordance with other applicable
          Federal law, under procedures approved by the Attorney General, or
          activities intended to--
                (1) intercept encrypted or other official communications of
              United States executive branch entities or United States
              Government contractors for communications security purposes;
                (2) intercept radio communications transmitted between or
              among foreign powers or agents of a foreign power as defined by
              the Foreign Intelligence Surveillance Act of 1978; or
                (3) access an electronic communication system used 
              exclusively by a foreign power or agent of a foreign power as
              defined by the Foreign Intelligence Surveillance Act of 1978.

