ENCRYPTED COMMUNICATIONS PRIVACY ACT OF 1996 Summary SEC. 1. SHORT TITLE. The Act may be cited as the "Encrypted Communications Privacy Act of 1996." SEC. 2. PURPOSE. The Act would ensure that Americans have the maximum possible choice in encryption methods to protect the security, confidentiality and privacy of their lawful wire and electronic communications. For those Americans who choose an encryption method in which another person, called a "key holder," is voluntarily entrusted with the decryption key, the Act would establish privacy standards for the key holder, and procedures for law enforcement officers to follow to obtain assistance from the key holder in decrypting encrypted communications. SEC. 3. FINDINGS. The Act enumerates fifteen congressional findings, including that a secure, private and trusted national and global information infrastructure is essential to promote citizens' privacy and meet the needs of both American citizens and businesses, that encryption technology widely available worldwide can help meet those needs, that Americans should be free to use, and American businesses free to compete and sell, encryption technology, programs and products, and that there is a need to develop a national encryption policy to advance the global information infrastructure and preserve Americans' right to privacy and the Nation's public safety and national security. SEC. 4. FREEDOM TO USE ENCRYPTION. (a) Lawful Use of Encryption. The Act legislatively confirms current practice in the United States that any person in this country may lawfully use any encryption method, regardless of encryption algorithm, key length or implementation selected. The Act thereby prohibits any government-mandated use of any particular encryption system, such as a key escrow encryption system. The Act further makes lawful the use of any encryption method by United States persons in a foreign country. This provision is consistent with, though broader than, the Department of State's new personal use exemption published in the Federal Register on February 16, 1996, that permits the export of cryptographic products by U.S. citizens and permanent residents who have the need to temporarily export the cryptographic products when leaving the U.S. for brief periods of time. For example, under this new exemption, U.S. citizens traveling abroad will be able to take their laptop computers containing copies of Lotus Notes software, many versions of which contain an encryption program otherwise not exportable. (b) General Constructions. Nothing in the Act is to be construed to require the use of encryption, a key escrow encryption system, or a key holder if a person chooses to use a key escrow encryption system. SEC. 5. ENCRYPTED WIRE AND ELECTRONIC COMMUNICATIONS. This section of the Act adds a new chapter 122, entitled "Encrypted Wire and Electronic Communications," to title 18 of the United States Code to establish privacy standards for key holders and to set forth procedures that law enforcement officers must follow to obtain decryption assistance from key holders. (a) In General. New chapter 122 has five sections. § 2801. Definitions. Generally, the terms used in the new chapter have the same meanings as in the federal wiretap statute in 18 U.S.C. § 2510. Definitions are provided for "encryption", "key holder", "decryption key", and "decryption assistance". A "key holder" may, but is not required to be, a Federal agency. This chapter applies only to wire or electronic communications and communications in electronic storage, as defined in 18 U.S.C. § 2510, and not to stored electronic data. For example, encrypted electronic mail messages, encrypted telephone conversations, encrypted facsimile transmissions, encrypted computer transmissions and encrypted file transfers over the Internet would be covered, but not encrypted data merely stored on computers. § 2802. Prohibited acts by key holders. (a) UNAUTHORIZED RELEASE OF KEY.- Key holders will be subject to both criminal and civil liability for the unauthorized release of decryption keys or providing unauthorized decryption assistance. (b) AUTHORIZED RELEASE OF KEY.- Key holders are authorized to release decryption keys or provide decryption assistance with the consent of the key owner, as may be necessary for the holding or management of the key, or to investigative or law enforcement officers upon compliance with the procedures set forth in subsection (c). (c) REQUIREMENTS FOR RELEASE OF DECRYPTION KEY TO INVESTIGATIVE OR LAW ENFORCEMENT OFFICER.- To obtain access to a decryption key or decryption assistance from a key holder, an investigative or law enforcement officer must present to the key holder the same form of lawful process used to obtain access to the encrypted content. For example, to obtain the decryption key to, or decryption assistance for, an encrypted telephone conversation that is the subject of a court-ordered wiretap under 18 U.S.C. § 2518, a law enforcement agent must present a court order to the key holder to obtain the decoding key. Likewise, to obtain the decryption key to, or decryption assistance for, an encrypted stored wire or electronic communication, a law enforcement officer must present a court warrant, order, subpoena or certification, depending upon what process was used to obtain access to the stored communication. Key holders may only provide the minimal key release or decryption assistance needed to access the particular communications specified by court order or other legal process. Released keys or other decryption assistance may only be used in the manner and for the purpose and duration expressly provided by court order or other legal process. A key holder who fails to provide the decryption key or decryption assistance called for in the court order, subpoena or other lawful process may be penalized under current contempt or obstruction laws. (d) RECORDS OR OTHER INFORMATION HELD BY KEY HOLDERS.- Key holders are prohibited from disclosing records or other information (not including decryption keys) pertaining to key owners, except with the owner's consent or to an investigative or law enforcement officer, pursuant to a subpoena, court order or other lawful process. (e) CRIMINAL PENALTIES.- Key holders who violate this section for a tortious, malicious or an illegal purpose, or for direct or indirect commercial advantage or private commercial gain, will be subject to a fine and up to 1 year imprisonment for a first offense, and fine and up to 2 years' imprisonment for a second offense. Other reckless and intentional violations would subject the key holder to a fine of up to $5000 and up to 6 months' imprisonment. (f) CIVIL DAMAGES.- Persons aggrieved by key holder violations may sue for injunctive relief, and actual damages or statutory damages of $5,000, whichever is greater. (g) DEFENSE.- A complete defense is provided if the defendant acted in good faith reliance upon a court order, warrant, grand jury or trial subpoena or statutory authorization. § 2803. Reporting requirements. The Attorney General is required to include in her report to the Administrative Office of the U.S. Courts under 18 U.S.C. § 2519(2), the number of orders and extensions served on key holders to obtain access to decryption keys or decryption assistance. The Director of the Administrative Office of the U.S. Courts is required to include this information, and the offenses for which the orders were obtained, in the report to Congress under 18 U.S.C. § 2519(3). § 2804. Unlawful use of encryption to obstruct justice. Persons who willfully use encryption in an effort and for the purpose of obstructing, impeding, or prevent the communication of information in furtherance of a federal felony crime to a law enforcement officer, would be subject to a fine and up to 5 years' imprisonment for a first offense, and up to 10 years' imprisonment for a second or subsequent offense. § 2805. Freedom to sell encryption products. (a) IN GENERAL.- The Act legislatively confirms that it is lawful to sell any encryption, regardless of encryption algorithm, key length or implementation used, domestically in the United States or its territories. (b) CONTROL OF EXPORTS BY SECRETARY OF COMMERCE.- Notwithstanding any other law, the Act vests the Secretary of Commerce with control of exports of hardware, software and technology for information security, including encryption for both communications and other stored data, except when the hardware, software or technology is specifically designed or modified for military use. No export license may be required for encryption software and hardware with encryption capabilities that is generally available, including mass market products (i.e., those generally available, sold "as is", and designed for installation by the purchaser) or encryption in the public domain and generally accessible. For example, no licenses would be required for encryption products commercially available without restriction and sold "as is", such as Netscape's commercially available World Wide Web Browser, which can not be exported. Similarly, no license would be required to export software and corresponding hardware placed in the public domain and generally accessible, such as Phil Zimmermann's Pretty Good Privacy program, which has been distributed to the public free of charge via the Internet. In addition, the Secretary of Commerce must authorize the export of encryption software to commercial users in any country to which exports of such software has been approved for use by foreign financial institutions, except when there is substantial evidence that the software will be diverted or modified for military or terrorists' end-use or re-exported without requisite U.S. authorization. Finally, the Secretary of Commerce must authorize the export of computer hardware with encryption capabilities if the Secretary determines that a product with comparable security is commercially available from foreign suppliers without effective restrictions outside the United States. Significantly, the government is authorized to continue controls on countries that pose terrorism concerns, such as Libya, Syria and Iran, or other embargoed countries, such as Cuba and North Korea, pursuant to the Trading With the Enemy Act or the International Emergency Economic Powers Act. (b) Technical Amendment. The Act adds new chapter 122 and the new title in the table of chapters in title 18 of the United States Code. SEC. 6. INTELLIGENCE ACTIVITIES. The Act does not authorize the conduct of intelligence activities, nor affect the conduct by Federal government officers or employees in intercepting (1) encrypted or other official communications of Federal executive branch or Federal contractors for communications security purposes; (2) radio communications between or among foreign powers or agents, as defined by the Foreign Intelligence Surveillance Act (FISA); or (3) electronic communication systems used exclusively by foreign powers or agents, as defined by FISA. _________________________________________________________________ Return to CDT Cryptography Page Return to CDT Home Page