Contents:
        Summary of the Ashcroft-Leahy E-Privacy Act
        Section-by-Section Analysis of E-Privacy Act

   WASHINGTON, TUESDAY, MAY 12, 1998
   Senate
   Introduction Of The E-PRIVACY Act
   
Mr. President, I am pleased to join Senator Ashcroft, and others, in
introducing today the "Encryption Protects the Rights of Individuals
from Violation and Abuse in Cyberspace," or E-PRIVACY Act, to reform
our nation's cryptography policy in a constructive and positive
manner. It is time the Administration woke up to the critical need for
a common sense encryption policy in this country. I have been sounding
the alarm bells about this issue for several years now, and have
introduced encryption legislation, with bipartisan support, in the
last Congress and again in this one, to balance the important privacy,
economic, national security and law enforcement interests at stake.
The volume of those alarm bells should be raised to emergency sirens.

Hardly a month goes by without press reports of serious breaches of
computer security that threaten our critical infrastructures,
including Defense Department computer systems, the telephone network,
or computer systems for airport control towers. The lesson of these
computer breaches -- often committed by computer savvy teenagers -- is
that all the physical barriers we might put in place can be
circumvented using the wires that run into every building to support
the computers and computer networks that are the mainstay of how we do
business. A well-focused cyber-attack on the computer networks that
support telecommunications, transportation, water supply, banking,
electrical power and other critical infrastructure systems could wreak
havoc on our national economy or even jeopardize our national defense
or public safety.

We have been aware of the vulnerabilities of our computer networks for
some time. It became clear to me almost a decade ago, during hearings
I chaired of the Judiciary Subcommittee on Technology and the Law on
the risks of high-tech terrorism, that merely "hardening" our physical
space from potential attack is not enough. We must also "harden" our
critical infrastructures to ensure our security and our safety.

That is where encryption technology comes in. Encryption can protect
the security of our computer information and networks. Indeed, both
former Senator Sam Nunn and former Deputy Attorney General Jamie
Gorelick, who serve as co-chairs of the Advisory Committee to the
President's Commission on Critical Infrastructure Protection, have
testified that "encryption is essential for infrastructure
protection."

Yet U.S. encryption policy has acted as a deterrent to better
security. As long ago as 1988, at the High-Tech Terrorism hearings I
chaired, Jim Woolsey, who later became the director of the Central
Intelligence Agency, testified about the need to do a better job of
using encryption to protect our computer networks. Of particular
concern is the recent testimony of former Senator Sam Nunn that the
"continuing federal government-private sector deadlock over encryption
and export policies" may pose an obstacle to the cooperation needed to
protect our country's critical infrastructures.

I have long advocated the use of strong encryption by individuals,
government agencies and private companies to protect their valuable
and confidential computer information. Moreover, as more Americans
every year use the Internet and other computer networks to obtain
critical medical services, and conduct their personal and business
affairs, maintaining the privacy and confidentiality of our computer
communications both here and abroad has only grown in importance. As
an avid computer user and Internet surfer myself, I care deeply about
protecting individual privacy and encouraging the development of the
Internet as a secure and trusted communications medium.

Encryption is the key to protecting the privacy of our online
communications and electronic records by ensuring that only the people
we choose can read those communications and records. That is why the
primary thrust of the encryption legislation I have introduced is to
encourage -- and not stand in the way of -- the widespread use of
strong encryption.

Strong encryption serves as a crime prevention shield to stop hackers,
industrial spies and thieves from snooping into private computer files
and stealing valuable proprietary information. Unfortunately, we still
have a long way to go to reform our country's encryption policy to
reflect that this technology is a significant crime and terrorism
prevention tool.

Even as our law enforcement and intelligence agencies try to slow down
the widespread use of strong encryption, technology continues to move
forward. Ironically, foot-dragging by the Administration on export
controls is driving encryption technology, expertise and manufacturing
overseas where we will lose even more control over its proliferation.

Indeed, due to the sorry state of our export controls on encryption,
we are seeing rising numbers of our high-tech companies turning to
overseas firms as suppliers of the strong encryption demanded by their
customers. For example, Network Associates recently announced that it
will make strong encryption software developed in the United States
available through a Swiss company. Other companies, including Sun
Microsystems, are cooperating with foreign firms to manufacture and
distribute overseas strong encryption software originally developed
here at home.

Encryption technology, invented with American ingenuity, will now be
manufactured and distributed in Europe, and imported back into this
country.

Driving encryption expertise overseas is extremely short-sighted and
poses a real threat to our national security. Driving high-tech jobs
overseas is a threat to our economic security, and stifling the
widespread, integrated use of strong encryption is a threat to our
public safety. The E-PRIVACY Act would reverse the incentives for
American companies to look abroad for strong encryption by relaxing
our export controls.

Specifically, the bill would grant export license exceptions, after a
one-time technical review, for mass market products with encryption
capabilities, products which do not themselves provide encryption but
are capable of interoperating with encryption products, and customized
hardware and software with encryption capabilities so long as foreign
products with comparable encryption are available.

At the same time, the bill retains important restrictions on
encryption exports for military end-uses or to terrorist-designated or
embargoed countries, such as Cuba and North Korea. It also affirms the
continued authority of the Secretary of Commerce over encryption
exports and assures that before export, the Secretary is able to
conduct a one-time technical review of all encryption products to
ensure that the product works as represented.

The E-PRIVACY Act puts to rest the specter of domestic controls on
encryption. This legislation bars government-mandated key recovery (or
key escrow encryption) and ensures that all computer users are free to
choose any encryption method to protect the privacy of their online
communications and computer files.

At the heart of the encryption debate is the power this technology
gives computer users to choose who may access their communications and
stored records, to the exclusion of all others. For the same reason
that encryption is a powerful privacy enhancing tool, it also poses
challenges for law enforcement. Law enforcement agencies want access
even when we do not choose to give it. We are mindful of these
national security and law enforcement concerns that have dictated the
Administration's policy choices on encryption.

With the appropriate procedural safeguards in place, law enforcement
agencies should be able to get access to decryption assistance. The
E-PRIVACY Act contains a number of provisions designed to address
these concerns, including a new criminal offense for willful use of
encryption to hide incriminating evidence from law enforcement
detection, establishment of a NET Center to help federal, state and
local law enforcement stay abreast of advanced technologies, and
explicit procedures for law enforcement to obtain decryption
assistance from third parties for encrypted communications or records
to which law enforcement has lawful access.

One of the starkest deficiencies in the Administration's key recovery
proposals has always been the question of foreign government access.
The Administration has sought reciprocal relationships with foreign
governments as a critical part of an effective global key recovery
system. Yet many Americans and American companies are rightfully
concerned about the terms under which foreign governments would get
access to decryption assistance. The E-PRIVACY Act makes clear what
those terms will be and ensures that foreign governments will not get
access to private decryption keys, but only, at most, plaintext.

This is not just an important issue for the privacy and security of
Americans; it also is a significant human rights issue. Today, human
rights organizations worldwide are using encryption to protect their
work and the lives of investigators, witnesses and victims overseas.
Amnesty International uses it. Human Rights Watch uses it. The human
rights program in the American Association for the Advancement of
Science uses it. It is used to protect witnesses who report human
rights abuses in the Balkans, in Burma, in Guatemala, in Tibet. I have
been told about a number of other instances in which strong encryption
has been used to further the causes of democracy and human rights.

For example, in the ongoing trial of Argentinean military officers in
Spain, on charges of genocide and terrorism arising out of the "dirty
war," the human rights group Derechos uses the encryption program
Pretty Good Privacy (PGP) -- which the United States government tried
to keep out of the hands of foreigners -- to encrypt particularly
confidential messages that go between Spain and Argentina, to stop the
Argentinean intelligence forces from being able to read them and so
try to jeopardize the trial. A group in Guatemala is using a computer
database to track the names of witnesses to military massacres. A
South African organization keeps the names of applicants for amnesty
for political crimes carried out in South Africa during the apartheid
regime. Workers at both groups could be subject to intimidation,
harassment, or murder by those intent on preventing the public
discussion and analysis of the claims. Both systems are protected by
strong cryptography.

A not-for-profit agency working for human rights in the Balkans uses
PGP to protect all sensitive files. Its offices have been raided by
various police forces looking for evidence of "subversive activities."
Last year in Zagreb, security police raided its office and confiscated
its computers in the hope of retrieving information about the identity
of people who had complained about human rights abuses by the
authorities. PGP allowed the group to communicate and protect its
files from any attempt to gain access. The director of the
organization spent 13 days in prison for not opening his encrypted
files but has said "it was a very small price to pay for protecting
our clients."

The Iraqi National Congress, a group opposing Saddam Hussein with
offices in London and supporters inside Iraq, uses encrypted e-mail to
communicate with its supporters inside Iraq. (Non-governmental
Internet connections are banned in Iraq, but the dissidents within
Iraq access e-mail by dialing outside the country with satellite
telephones).

Burmese human rights activists working in the relative safe haven of
Thailand use encryption when communicating on-line, because the Thai
government maintains diplomatic relations with the Burmese government
and is expected to turn over information to the Burmese authorities.

The FBI has argued that lives may be lost in sensitive terrorist and
other investigations if government agencies do not have access to
private encryption keys. However, the reverse is equally true: weak
encryption or easy government access to decryption assistance could
jeopardize lives as well.

Finally, the E-PRIVACY Act contains provisions to enhance the privacy
protections for communications, even when encryption is not employed.
Specifically, the bill would require law enforcement to obtain a court
order based on probable cause before using a cellular telephone as a
tracking device. In addition, the bill would require law enforcement
agencies to obtain a court order or provide notice when seizing
electronic records that a person stores on a computer network rather
than on the hard drive of his or her own personal computer. Finally,
the bill grants Federal judges authority to evaluate the reasons
proffered by a prosecutor for issuance of an ex parte pen register or
trap and trace device order, by contrast to their mere ministerial
authority under current law.

In sum, the E-PRIVACY Act accomplishes the eight goals that Senator
Ashcroft and I set out during our April 2, 1998, colloquy on the
floor. Specifically, we sought to craft legislation that promotes the
following principles:

First, ensure the right of Americans to choose how to protect the
privacy and security of their communications and information;

Second, bar a government-mandated key escrow encryption system;

Third, establish both procedures and standards for access by law
enforcement to decryption keys or decryption assistance for both
encrypted communications and stored electronic information and only
permit such access upon court order authorization, with appropriate
notice and other procedural safeguards;

Fourth, establish both procedures and standards for access by foreign
governments and foreign law enforcement agencies to the plaintext of
encrypted communications and stored electronic information of United
States persons;

Fifth, modify the current export regime for encryption to promote the
global competitiveness of American companies;

Sixth, avoid linking the use of certificate authorities with key
recovery agents or, in other words, not link the use of encryption for
confidentiality purposes with use of encryption for authenticity and
integrity purposes;

Seventh, consistent with these goals of promoting privacy and the
global competitiveness of our high-tech industries, help our law
enforcement agencies and national security agencies deal with the
challenges posed by the use of encryption; and

Eighth, protect the security and privacy of information provided by
Americans to the government by ensuring that encryption products used
by the government interoperate with commercial encryption products.

Resolving the encryption debate is critical for our economy, our
national security and our privacy. This is not a partisan issue. This
is not a black-and-white issue of being either for law enforcement and
national security or for Internet freedom. Characterizing the debate
in these simplistic terms is neither productive nor accurate.

Delays in resolving the encryption debate hurt most the very public
safety and national security interests that are posed as obstacles to
resolving this issue. We need sensible solutions in legislation that
will not be subject to change at the whim of agency bureaucrats.

Every American, not just those in the software and high-tech
industries and not just those in law enforcement agencies, has a stake
in the outcome of this debate. We have a legislative stalemate right
now that needs to be resolved, and I hope to work closely with my
colleagues and the Administration on a solution. I ask unanimous
consent that the sectional summary for the "E-PRIVACY Act" be printed
in the Record following my statement.



Summary of the Ashcroft-Leahy E-Privacy Act

("Encryption Protects the Rights of Individuals from Violation and
Abuse in Cyberspace")



Protects Privacy of Communications and Electronic Information:
          
          
          
          + Affirms the rights of Americans to use and sell whatever
            encryption products they want at whatever strength they
            desire;
          + Prohibits government-compelled key escrow or key recovery
            encryption;
          + Prohibits indirect controls or ties to encryption used for
            authentication or integrity purposes;
          + Requires a court order to obtain decryption keys/assistance
            held by a third party that will be used to decrypt
            communications subject to a wiretap;
          + Extends to remotely-stored electronic information the same
            protections as exist under existing law (e.g., ECPA) for
            information stored in your home, thereby requiring a court
            order or subpoena to obtain either the plaintext or a
            decryption key/assistance from a third party;
          + Requires a probable cause court order from a judge for law
            enforcement to get real time access to location information
            generated by mobile electronic services.
            
           
          
Assists Law Enforcement to Obtain Information Consistent with
Constitutional Protections:           
          
          
          + Makes the willful use of encryption to conceal incriminating
            communications or information a crime;
          + Clarifies that existing wiretap authority can be used to
            obtain decryption keys/assistance from third parties for
            communications that are the subject of a wiretap;
          + Provides that decryption keys/assistance for remotely-stored
            electronic information can be obtained from third parties
            with a court order or subpoena with notice;
          + Requires the court-ordered release of decryption
            keys/assistance to the Attorney General so that plaintext of
            encrypted communications or stored electronic information
            (but not the key) may be furnished to a foreign government
            under certain conditions; and
          + Creates a National Electronic Technology Center ("NET
            Center") to serve as a focal point for information and
            assistance to federal, state, and local law enforcement
            authorities to address the technical difficulties of
            obtaining plaintext of communications and electronic
            information because of encryption, steganography,
            compression, multiplexing, and other techniques.
            
           
          
Modernizes Export Controls on Commercial Encryption Products:
          
          
          + The E-Privacy Act does not allow for unrestricted export of
            any encryption product; exports to certain unfriendly nations
            (such as North Korea, Iraq, or Libya) are absolutely
            prohibited;
          + Permits exportability under a license exception for mass
            market products which, by their nature, are uncontrollable
            given the volume sold and ease of distribution;
          + Permits exportability under a license exception for products
            which do not themselves provide encryption, but are capable
            of working with encryption products;
          + Permits exportability under a license exception for product
            support and consulting services;
          + Permits exportability under a license exception for custom
            hardware and software (i.e., not mass market) when comparable
            foreign products are available -- establishes a joint
            government-industry board to determine whether encryption
            products utilizing the same or greater key length or
            otherwise providing comparable security are, or will be,
            within the next 18 months commercially available outside the
            U.S. from a foreign supplier;
          + Affirms that there will be no export controls on encryption
            products used for non-confidentiality purposes, such as
            authentication, integrity, digital signatures,
            non-repudiation, and copy protection;
          + Assures that before export, all products undergo a one-time
            technical review to check that the encryption product works
            as represented; and
          + Affirms the continued applicability of general export
            controls -- the government will continue to be able to limit
            exports to terrorist countries, as part of a general embargo,
            and with respect to particular encryption products that would
            be exported to an individual or organization in a specific
            foreign country.
            
       __________________________________________________________
            
            
          
Section-by-Section Analysis of E-Privacy Act

SEC. 1. SHORT TITLE. The Act may be cited as the "Encryption Protects
the Rights of Individuals from Violation and Abuse in CYberspace
(E-PRIVACY) Act."

SEC. 2. PURPOSES. The Act would ensure that Americans have the maximum
possible choice in encryption methods to protect the security,
confidentiality and privacy of their lawful wire and electronic
communications and stored electronic information. The Act would also
promote the privacy and constitutional rights of individuals and
organizations and the security of critical information
infrastructures. Finally, the Act would establish privacy standards
and procedures for law enforcement officers to follow to obtain
decryption assistance for encrypted communications and information.

SEC. 3. FINDINGS. The Act enumerates sixteen congressional findings,
including that a secure, private and trusted national and global
information infrastructure is essential to promote citizens' privacy,
economic growth and meet the needs of both American citizens and
businesses, that encryption technology widely available worldwide can
help meet those needs, that Americans should be free to use, and
American businesses free to compete and sell, encryption technology,
programs and products, and that there is a need to develop a national
encryption policy to advance the global information infrastructure and
preserve Americans' right to privacy and the Nation's public safety
and national security.

SEC. 4. DEFINITIONS.- The terms "agency", "person", "remote computing
service" and "state" have the same meaning given those terms in
specified sections of title 18, United States Code.

Additional definitions are provided for the following terms:

The terms "encrypt" and "encryption" mean the use of mathematical
formulas or algorithms to scramble or descramble electronic data or
communications for purposes of confidentiality, integrity, or
authenticity. As defined, the terms cover a broad range of scrambling
techniques and applications including cryptographic applications such
as PGP or RSA's encryption algorithms; steganography; authentication;
and winnowing and chafing.

The term "encryption product" includes any hardware, software,
devices, or other technology with encryption capabilities, whether or
not offered for sale or distribution. A particular encryption product
includes subsequent versions of the product, if the encryption
capabilities remain the same.

The term "exportable" means the ability to transfer, ship, or transmit
to foreign users. The term includes the ability to electronically
transmit via the Internet.

The term "key" means the variable information used in or produced by a
mathematical formula to encrypt or decrypt wire or electronic
communications, or electronically stored information.

The term "technical review" means a review by the Secretary of
Commerce based on information about a product's encryption
capabilities supplied by the manufacturer that an encryption product
works as represented.



TITLE I - PRIVACY PROTECTION FOR COMMUNICATIONS AND ELECTRONIC
INFORMATION

SEC. 101. FREEDOM TO USE ENCRYPTION.

(a) IN GENERAL.- The Act legislatively confirms current practice in
the United States that any person in this country may lawfully use any
encryption method, regardless of encryption algorithm, key length,
existence of key recovery or other plaintext access capability, or
implementation selected. Specifically, the Act states the freedom of
any person in the U.S., as well as U.S. persons in a foreign country,
to make, use, import, and distribute any encryption product without
regard to its strength or the use of key recovery, subject to the
other provisions of the Act.

(b) PROHIBITION ON GOVERNMENT-COMPELLED KEY ESCROW OR KEY RECOVERY
ENCRYPTION.- The Act prohibits any federal or state agency from
compelling the use of key recovery systems or other plaintext access
systems. Agencies may not set standards, or condition approval or
benefits, to compel use of these systems. U.S. agencies may not
require persons to use particular key recovery products for
interaction with the government. These prohibitions do not apply to
systems for use solely for the internal operations and
telecommunications systems of a U.S. or a State government agency.

(c) USE OF ENCRYPTION FOR AUTHENTICATION OR INTEGRITY PURPOSES.- The
Act requires that the use of encryption products shall be voluntary
and market-driven, and no federal or state agency may link the use of
encryption for authentication or identity (such as through certificate
authority and digital signature systems) to the use of encryption for
confidentiality purposes. For example, some Administration proposals
would condition receipt of a digital certificate from a licensed
certificate authority on the use of key recovery. Such conditions
would be prohibited.

SEC. 102. PURCHASE AND USE OF ENCRYPTION PRODUCTS BY THE FEDERAL
GOVERNMENT. The Act authorizes agencies of the United States to
purchase encryption products for internal governmental operations and
telecommunications systems. To ensure that secure electronic access to
the Government is available to persons outside of and not operating
under contract with Federal agencies, the Act requires that any key
recovery features in encryption products used by the Government
interoperate with commercial encryption products.

SEC. 103. ENHANCED PRIVACY PROTECTION FOR ELECTRONIC RECORDS ON
COMPUTER NETWORKS. The Act adds a new subsection (g) to section 2703
of title 18, United States Code, to extend privacy protections to
electronic information stored on computer networks.

Under United States v. Miller, 425 U.S. 435 (1976) (customer has no
standing to object to bank disclosure of customer records), and its
progeny, records in the possession of third parties do not receive
Fourth Amendment protection. When held in a person's home, such
records can only be seized pursuant to a warrant based upon probable
cause, or compelled under a subpoena which can be challenged and
quashed. In both those instances, the record owner has notice of the
search and an opportunity to challenge it. By contrast, production of
records held by third parties can be compelled by a governmental agent
with a subpoena to the third party holding the information, without
notice to the person to whom the records belong or pertain. The record
owner may never receive notice or any meaningful opportunity to
challenge the production.

This lack of protection for records held by third parties presents new
privacy problems in the information age. With the rise of network
computing, electronic information that was previously held on a
person's own computer is increasingly stored elsewhere, such as on a
network server or an ISP's computers. In many cases the location of
such information is not even known to the record's owner.

The Act amends section 2703 to extend the same privacy protections to
a person's records whether storage takes place on that person's
personal computer in their possession or in networked electronic
storage. The term "networked electronic storage" applies to electronic
records held by a third party, who is not authorized to access the
contents of the record except in connection with providing storage
services, and where the person who created the record is able to
access and modify the record remotely through electronic means.
Electronic data stored incident to transmission (such as e-mail) and
covered under 2703(a) is not included.

The new section 2703(g) requires that a governmental entity may only
require disclosure of electronic records in "networked electronic
storage" pursuant to (i) a state or federal warrant (based upon
probable cause), with a copy to be served on the record owner at the
same time the warrant is served on the record holder; (ii) a subpoena
that must also be served on the record owner with a meaningful
opportunity to challenge the subpoena; or (iii) the consent of the
record owner.

SEC. 104. GOVERNMENT ACCESS TO LOCATION INFORMATION. The Act adds a
new subsection (h) to section 2703 of title 18, United States Code, to
extend privacy protections for physical location information generated
on a real time basis by mobile electronic communications services,
such as cellular telephones. This section requires that when cellular
telephones are used as contemporaneous tracking devices, the physical
location information generated by the service provider may only be
released to a governmental entity pursuant to a court order based upon
probable cause.

SEC. 105. ENHANCED PRIVACY PROTECTION FOR TRANSACTIONAL INFORMATION
OBTAINED FROM PEN REGISTERS OR TRAP AND TRACE DEVICES. The Act
enhances privacy protections for information obtained from pen
register and trap and trace devices by amending section 3123(a) of
title 18, United States Code. This amendment would not change the
standard for issuance of an ex parte order authorizing use of a pen
register or trap and trace device, but would grant a court authority
to review the information presented in a certification by the
prosecuting attorney to determine whether the information likely to be
obtained is relevant to an ongoing criminal investigation. Under
current law, the court is relegated to a mere ministerial function and
must issue the order upon presentation of a certification.

In addition, the amendment requires law enforcement to minimize the
information obtained from the pen register or trap and trace device
that is not related to the dialing and signaling information utilized
in call processing. Currently, such devices capture not just such
dialing information but also any other dialed digits after a call has
been completed.



TITLE II - LAW ENFORCEMENT ASSISTANCE

SEC. 201. ENCRYPTED WIRE OR ELECTRONIC COMMUNICATIONS AND STORED
ELECTRONIC COMMUNICATIONS. The Act adds a new chapter 124 to Title 18,
Part I, governing the unlawful use of encryption, protections and
standards for governmental access, including foreign governments, to
decryption assistance from third parties, and establishment of a "Net
Center" to assist law enforcement in dealing with advanced
technologies, such as encryption.

(a) IN GENERAL.- New chapter 124 has six sections. This chapter
applies to wire or electronic communications and communications in
electronic storage, as defined in 18 U.S.C. Para. 2510, and to stored
electronic data. Thus, this chapter describes procedures for law
enforcement to obtain assistance in decrypting encrypted electronic
mail messages, encrypted telephone conversations, encrypted facsimile
transmissions, encrypted computer transmissions and encrypted file
transfers over the Internet that are lawfully intercepted pursuant to
a wiretap order, under 18 U.S.C. Para. 2518, or obtained pursuant to
lawful process, under 18 U.S.C. Para. 2703, and encrypted information
stored on computers that are seized pursuant to a search warrant or
other lawful process.

Para. 2801. Definitions. Generally, the terms used in the new chapter
have the same meanings as in the federal wiretap statute, 18 U.S.C.
Para. 2510. Definitions are provided for "decryption assistance",
"decryption key", "encrypt; encryption", "foreign government" and
"official request".

Para. 2802. Unlawful use of encryption. This section creates a new
federal crime for knowingly and willfully using encryption during the
commission of a Federal felony offense, with the intent to conceal
that information for the purpose of avoiding detection by law
enforcement. This new offense would be subject to a fine and up to 5
years' imprisonment for a first offense, and up to 10 years'
imprisonment for a second or subsequent offense.

Para. 2803. Access to decryption assistance for communications.

In the United States today, decryption keys and other decryption
assistance held by third parties constitute third party records and
may be disclosed to a governmental entity with a subpoena or an
administrative request, and without any notice to the owner of the
encrypted data. Such a low standard of access creates new problems in
the information age because encryption users rely heavily on the
integrity of keys to protect personal information or sensitive trade
secrets, even when those keys are placed in the hands of trusted
agents for recovery purposes.

Under new section 2803, in criminal investigations a third party
holding decryption keys or other decryption assistance for wire or
electronic communications may be required to release such assistance
pursuant to a court order, if the court issuing the order finds that
such assistance is needed for the decryption of communications covered
by the order. Specifically, such an order for decryption assistance
may be issued upon a finding that the key or assistance is necessary
to decrypt communications or stored data lawfully intercepted or
seized. The standard for release of the key or provision of decryption
assistance is tied directly to the problem at hand: the need to
decrypt a message or information that the government is otherwise
authorized to intercept or obtain.

This will ensure that third parties holding decryption keys or
decryption information need respond to only one type of compulsory
process--a court order. Moreover, this Act will set a single standard
for law enforcement, removing any extra burden on law enforcement to
demonstrate, for example, probable cause for two separate orders
(i.e., for the encrypted communications or information and for
decryption assistance) and possibly before two different judges (i.e.,
the judge issuing the order for the encrypted communications or
information and the judge issuing the order to the third party able to
provide decryption assistance).

The Act reinforces the principle of minimization. The decryption
assistance provided is limited to the minimum necessary to access the
particular communications or information specified by court order.
Under some key recovery schemes, release of a key holder's private
key--rather than an individual session key--might provide the ability
to decrypt every communication or stored file ever encrypted by a
particular key owner, or by every user in an entire corporation, or by
every user who was ever a customer of the key holder. The Act protects
against such overbroad releases of keys by requiring the court
issuing the order to find that the decryption assistance being sought
is necessary. Private keys may only be released if no other form of
decryption assistance is available.

Notice of the assistance given will be included as part of the
inventory provided to subjects of the interception pursuant to current
wiretap law standards.

For foreign intelligence investigations, new section 2803 allows FISA
orders to direct third-party holders to release decryption assistance
if the court finds the assistance is needed to decrypt covered
communications. Minimization is also required, though no notice is
provided to the target of the investigation.

Under new section 2803, decryption assistance is only required from
third parties (i.e., other than those whose communications are the
subject of interception), thereby avoiding self-incrimination
problems.

Finally, new section 2803 generally prohibits any person from
providing decryption assistance for another person's communications to
a governmental entity, except pursuant to the orders described.

Para. 2804. Access to decryption assistance for stored electronic
communications or records. New section 2804 governs access to
decryption assistance for stored electronic communications and
records.

As noted above, under current law third party decryption assistance
may be disclosed to a governmental entity with a subpoena or even a
mere request and without notice. This standard is particularly
problematic for stored encrypted data, which may exist in insecure
media but rely on encryption to maintain security; in such cases easy
access to keys destroys the encryption security so heavily relied
upon.

Under new section 2804, third parties holding decryption keys or other
decryption assistance for stored electronic communications may only
release such assistance to a governmental entity pursuant to (1) a
state or federal warrant (based upon probable cause), with a copy to
be served on the record owner at the same time the warrant is served
on the record holder; (2) a subpoena that must also be served on the
record owner with a meaningful opportunity to challenge the subpoena;
or (3) the consent of the record owner. This standard closely mirrors
the protection that would be afforded to encryption keys that are
actually kept in the possession of those whose records were encrypted.
In the specific case of decryption assistance for communications
stored incident to transit (such as e-mail), notice may be delayed
under the standards laid out for delayed notice under current law in
section 2705(a)(2) of title 18, United States Code.

Para. 2805. Foreign government access to decryption assistance. New
section 2805 creates standards for the U.S. government to provide
decryption assistance to foreign governments. No law enforcement
officer would be permitted to release decryption keys to a foreign
government, but only to provide decryption assistance in the form of
producing plaintext. No officer would be permitted to provide
decryption assistance except upon an order requested by the Attorney
General or designee. Such an order could require the production of
decryption keys or assistance to the Attorney General only if the
court finds that (1) the assistance is necessary to decrypt data the
foreign government is authorized to intercept under foreign law; (2)
the foreign country's laws provide "adequate protection against
arbitrary interference with respect to privacy rights"; and (3) the
assistance is sought for a criminal investigation of conduct that
would violate U.S. criminal law if committed in the United States.

Para. 2806. Establishment and operations of National Electronic
Technologies Center. This section establishes a National Electronic
Technologies Center ("NET Center") to serve as a focal point for
information and assistance to federal, state, and local law
enforcement authorities to address the technical difficulties of
obtaining plaintext of communications and electronic information
through the use of encryption, steganography, compression,
multiplexing, and other techniques.



TITLE III - EXPORTS OF ENCRYPTION PRODUCTS

SEC. 301. COMMERCIAL ENCRYPTION PRODUCTS.

(a) PROVISIONS APPLICABLE TO COMMERCIAL PRODUCTS.- This title applies
to all encryption products other than those specifically designed or
modified for military use.

(b) CONTROL BY SECRETARY OF COMMERCE.- This section grants exclusive
authority to the Secretary of Commerce (the "Secretary") to control
commercial encryption product exports.

SEC. 302. LICENSE EXCEPTION FOR MASS MARKET PRODUCTS.

(a) EXPORT CONTROL RELIEF.- The Act permits export under a license
exception of generally available, mass market, encryption products,
which by their nature are uncontrollable given the volume sold and
ease of distribution, without a license or restrictions, other than
those permitted under this Act, after a 1-time 15-day technical review
by the Secretary.

(b) DEFINITIONS.- This section defines "generally available" as a
product offered for sale, license or transfer, including
over-the-counter sales, mail or phone order transactions, electronic
distribution, or sale on approval and not designed, developed or
customized by the manufacturer for specific purchasers (except for
installation or configuration parameters).

(c) COMMERCE DEPARTMENT ASSURANCE.- This section permits requests from
manufacturers or exporters to the Secretary for written assurance that
a product is "generally available," and requires that the Secretary
notify the petitioner of a decision within 30 days. This section
prohibits imposition of liability or sanctions on petitioners who
receive such a written assurance for failing to obtain an export
license.

SEC. 303. LICENSE EXCEPTION FOR PRODUCTS WITHOUT ENCRYPTION CAPABLE OF
WORKING WITH ENCRYPTION PRODUCTS.

This section permits export under a license exception of products,
which do not provide any encryption themselves, but that are capable
of working with encryption products, without restriction other than
those permitted under this Act after a 1-time 15-day technical review
by the Secretary.

(a) NO ADDITIONAL EXPORT CONTROLS IMPOSED IF UNDERLYING PRODUCT
COVERED BY LICENSE EXCEPTION.- This section permits export of product
support and consulting services, including technical assistance and
technical data associated with the installation and maintenance of
mass market encryption products or products capable of working with
encryption products without an export license and without restrictions
other than those permitted under this Act.

(b) DEFINITIONS.- This section defines technical assistance as
services, such as instruction, skills training, working knowledge,
consulting services and transfer of technical data. "Technical data"
is defined as information, including blueprints, plans, diagrams,
models, formulae, tables, engineering designs and specifications,
manuals and instructions.

(a) FOREIGN AVAILABILITY STANDARD.- This section permits unrestricted
export of customized encryption hardware and software products (i.e.,
not generally available mass market products) if a foreign encryption
product using the same or greater key length or providing comparable
security is, or will within 18 months, be commercially available
outside the United States.

(b) DETERMINATION OF FOREIGN AVAILABILITY.- This section establishes
an Encryption Export Advisory Board (the "Board"), which is chaired by
the Under Secretary of Commerce for Export Administration, with seven
Presidential appointees (3 government and 4 private sector
representatives); and four Congressional appointees from the private
sector. The Board is required to meet at the call of the Chairman, or
if there are any pending applications for a license exception, the
Board shall meet at least once every 30 days.

The primary duties of the Board shall be to determine whether
comparable foreign encryption products are commercially available
outside the United States. The decision is by majority vote, and must
be made within 30 days of receipt of application for a license
exception. The Board must notify the Secretary of its determination,
and submit a report to the President within 30 days. Board meetings
are exempt from the Federal Advisory Committee Act.

The Secretary is required to approve or disapprove each Board
determination within 30 days of receipt of that determination, notify
the Board of the approval or disapproval, and publish notice of the
approval or disapproval in the Federal Register. The notice shall
include an explanation in detail of the reasons for the decision,
including why and how continued export controls will be effective and
the amount of lost sales and market share of U.S. encryption product
which resulted. Judicial review of the Secretary's decision to
disapprove a Board decision that a product is commercially available
is permitted.

(c) INCLUSION OF COMPARABLE FOREIGN ENCRYPTION PRODUCTS IN A UNITED
STATES PRODUCT NOT BASIS FOR EXPORT CONTROLS.- This section permits
export under a license exception of products incorporating or
employing a foreign encryption product in the way it was intended to
be used and that the Board has determined to be commercially available
outside the United States, without an export license and without
restrictions other than those under the Act, after a 1-time 15-day
review by the Secretary.

SEC. 306. NO EXPORT CONTROLS ON ENCRYPTION PRODUCTS USED FOR
NONCONFIDENTIALITY PURPOSES.

(a) PROHIBITION ON NEW CONTROLS.- This section prohibits restrictions
on encryption exports used for nonconfidentiality purposes such as
authentication, integrity, digital signatures, nonrepudiation and copy
protection.

(b) NO REINSTATEMENT OF CONTROLS ON PREVIOUSLY DECONTROLLED PRODUCTS.-
This section prohibits administratively imposed encryption controls
on previously decontrolled products not requiring an export license as
of January 1, 1998.

SEC. 307. APPLICABILITY OF GENERAL EXPORT CONTROLS.

(a) SUBJECT TO TERRORIST AND EMBARGO CONTROLS.- Nothing in the Act
shall limit the President's authority under the International
Emergency Economic Powers Act, the Trading With the Enemy Act, or the
Export Administration Act to prohibit export of encryption products to
countries that have repeatedly provided support for international
terrorism, or impose an embargo on exports or imports from a specific
country.

(b) SUBJECT TO SPECIFIC DENIALS FOR SPECIFIC REASONS.- The Secretary
is required to prohibit export of encryption products to an individual
or organization in a specific foreign country identified by the
Secretary, if the Secretary determines that there is substantial
evidence that such encryption product will be used for military or
terrorist end-use, including acts against the critical infrastructure
of the United States.

(c) OTHER EXPORT CONTROLS REMAIN APPLICABLE.- Encryption products
remain subject to all export controls imposed for reasons other than
the existence of encryption capabilities, and the Secretary retains
the authority to control exports of products for reasons other than
encryption.

SEC. 308. FOREIGN TRADE BARRIERS TO UNITED STATES PRODUCTS.

The Secretary, in consultation with the United States Trade
Representative, is required within 180 days of enactment of the Act
to: (1) identify foreign barriers to the export of U.S. encryption
products; (2) initiate appropriate actions to address such barriers;
and (3) submit to Congress a report on the actions taken under this
section.