Contents:
+ Summary of the Ashcroft-Leahy E-Privacy Act
+ Section-by-Section Analysis of E-Privacy Act

WASHINGTON, TUESDAY, MAY 12, 1998

Senate Introduction Of The E-PRIVACY Act

Mr. President, I am pleased to join Senator Ashcroft, and others, in introducing today the "Encryption Protects the Rights of Individuals from Violation and Abuse in Cyberspace," or E-PRIVACY Act, to reform our nation's cryptography policy in a constructive and positive manner. It is time the Administration woke up to the critical need for a common sense encryption policy in this country. I have been sounding the alarm bells about this issue for several years now, and have introduced encryption legislation, with bipartisan support, in the last Congress and again in this one, to balance the important privacy, economic, national security and law enforcement interests at stake. The volume of those alarm bells should be raised to emergency sirens. Hardly a month goes by without press reports of serious breaches of computer security that threaten our critical infrastructures, including Defense Department computer systems, the telephone network, or computer systems for airport control towers. The lesson of these computer breaches -- often committed by computer savvy teenagers -- is that all the physical barriers we might put in place can be circumvented using the wires that run into every building to support the computers and computer networks that are the mainstay of how we do business. A well-focused cyber-attack on the computer networks that support telecommunications, transportation, water supply, banking, electrical power and other critical infrastructure systems could wreak havoc on our national economy or even jeopardize our national defense or public safety. We have been aware of the vulnerabilities of our computer networks for some time.
It became clear to me almost a decade ago, during hearings I chaired of the Judiciary Subcommittee on Technology and the Law on the risks of high-tech terrorism, that merely "hardening" our physical space from potential attack is not enough. We must also "harden" our critical infrastructures to ensure our security and our safety. That is where encryption technology comes in. Encryption can protect the security of our computer information and networks. Indeed, both former Senator Sam Nunn and former Deputy Attorney General Jamie Gorelick, who serve as co-chairs of the Advisory Committee to the President's Commission on Critical Infrastructure Protection, have testified that "encryption is essential for infrastructure protection." Yet U.S. encryption policy has acted as a deterrent to better security. As long ago as 1988, at the High-Tech Terrorism hearings I chaired, Jim Woolsey, who later became the director of the Central Intelligence Agency, testified about the need to do a better job of using encryption to protect our computer networks. Of particular concern is the recent testimony of former Senator Sam Nunn that the "continuing federal government-private sector deadlock over encryption and export policies" may pose an obstacle to the cooperation needed to protect our country's critical infrastructures. I have long advocated the use of strong encryption by individuals, government agencies and private companies to protect their valuable and confidential computer information. Moreover, as more Americans every year use the Internet and other computer networks to obtain critical medical services, and conduct their personal and business affairs, maintaining the privacy and confidentiality of our computer communications both here and abroad has only grown in importance. As an avid computer user and Internet surfer myself, I care deeply about protecting individual privacy and encouraging the development of the Internet as a secure and trusted communications medium. 
Encryption is the key to protecting the privacy of our online communications and electronic records by ensuring that only the people we choose can read those communications and records. That is why the primary thrust of the encryption legislation I have introduced is to encourage -- and not stand in the way of -- the widespread use of strong encryption. Strong encryption serves as a crime prevention shield to stop hackers, industrial spies and thieves from snooping into private computer files and stealing valuable proprietary information. Unfortunately, we still have a long way to go to reform our country's encryption policy to reflect that this technology is a significant crime and terrorism prevention tool. Even as our law enforcement and intelligence agencies try to slow down the widespread use of strong encryption, technology continues to move forward. Ironically, foot-dragging by the Administration on export controls is driving encryption technology, expertise and manufacturing overseas where we will lose even more control over its proliferation. Indeed, due to the sorry state of our export controls on encryption, we are seeing rising numbers of our high-tech companies turning to overseas firms as suppliers of the strong encryption demanded by their customers. For example, Network Associates recently announced that it will make strong encryption software developed in the United States available through a Swiss company. Other companies, including Sun Microsystems, are cooperating with foreign firms to manufacture and distribute overseas strong encryption software originally developed here at home. Encryption technology, invented with American ingenuity, will now be manufactured and distributed in Europe, and imported back into this country. Driving encryption expertise overseas is extremely short-sighted and poses a real threat to our national security.
Driving high-tech jobs overseas is a threat to our economic security, and stifling the widespread, integrated use of strong encryption is a threat to our public safety. The E-PRIVACY Act would reverse the incentives for American companies to look abroad for strong encryption by relaxing our export controls. Specifically, the bill would grant export license exceptions, after a one-time technical review, for mass market products with encryption capabilities, products which do not themselves provide encryption but are capable of interoperating with encryption products, and customized hardware and software with encryption capabilities so long as foreign products with comparable encryption are available. At the same time, the bill retains important restrictions on encryption exports for military end-uses or to terrorist-designated or embargoed countries, such as Cuba and North Korea. It also affirms the continued authority of the Secretary of Commerce over encryption exports and assures that before export, the Secretary is able to conduct a one-time technical review of all encryption products to ensure that the product works as represented. The E-PRIVACY Act puts to rest the specter of domestic controls on encryption. This legislation bars government-mandated key recovery (or key escrow encryption) and ensures that all computer users are free to choose any encryption method to protect the privacy of their online communications and computer files. At the heart of the encryption debate is the power this technology gives computer users to choose who may access their communications and stored records, to the exclusion of all others. For the same reason that encryption is a powerful privacy enhancing tool, it also poses challenges for law enforcement. Law enforcement agencies want access even when we do not choose to give it. We are mindful of these national security and law enforcement concerns that have dictated the Administration's policy choices on encryption. 
With the appropriate procedural safeguards in place, law enforcement agencies should be able to get access to decryption assistance. The E-PRIVACY Act contains a number of provisions designed to address these concerns, including a new criminal offense for willful use of encryption to hide incriminating evidence from law enforcement detection, establishment of a NET Center to help federal, state and local law enforcement stay abreast of advanced technologies, and explicit procedures for law enforcement to obtain decryption assistance from third parties for encrypted communications or records to which law enforcement has lawful access. One of the starkest deficiencies in the Administration's key recovery proposals has always been the question of foreign government access. The Administration has sought reciprocal relationships with foreign governments as a critical part of an effective global key recovery system. Yet many Americans and American companies are rightfully concerned about the terms under which foreign governments would get access to decryption assistance. The E-PRIVACY Act makes clear what those terms will be and ensures that foreign governments will not get access to private decryption keys, but only, at most, plaintext. This is not just an important issue for the privacy and security of Americans; it also is a significant human rights issue. Today, human rights organizations worldwide are using encryption to protect their work and the lives of investigators, witnesses and victims overseas. Amnesty International uses it. Human Rights Watch uses it. The human rights program in the American Association for the Advancement of Science uses it. It is used to protect witnesses who report human rights abuses in the Balkans, in Burma, in Guatemala, in Tibet. I have been told about a number of other instances in which strong encryption has been used to further the causes of democracy and human rights. 
For example, in the ongoing trial of Argentinean military officers in Spain, on charges of genocide and terrorism arising out of the "dirty war," the human rights group Derechos uses the encryption program Pretty Good Privacy (PGP) -- which the United States government tried to keep out of the hands of foreigners -- to encrypt particularly confidential messages that go between Spain and Argentina, to stop the Argentinean intelligence forces from being able to read them and so try to jeopardize the trial. A group in Guatemala is using a computer database to track the names of witnesses to military massacres. A South African organization keeps the names of applicants for amnesty for political crimes carried out in South Africa during the apartheid regime. Workers at both groups could be subject to intimidation, harassment, or murder by those intent on preventing the public discussion and analysis of the claims. Both systems are protected by strong cryptography. A not-for-profit agency working for human rights in the Balkans uses PGP to protect all sensitive files. Its offices have been raided by various police forces looking for evidence of "subversive activities." Last year in Zagreb, security police raided its office and confiscated its computers in the hope of retrieving information about the identity of people who had complained about human rights abuses by the authorities. PGP allowed the group to communicate and protect its files from any attempt to gain access. The director of the organization spent 13 days in prison for not opening his encrypted files but has said "it was a very small price to pay for protecting our clients." The Iraqi National Congress, a group opposing Saddam Hussein with offices in London and supporters inside Iraq, uses encrypted e-mail to communicate with its supporters inside Iraq. 
(Non-governmental Internet connections are banned in Iraq, but the dissidents within Iraq access e-mail by dialing outside the country with satellite telephones). Burmese human rights activists working in the relative safe haven of Thailand use encryption when communicating on-line, because the Thai government maintains diplomatic relations with the Burmese government and is expected to turn over information to the Burmese authorities. The FBI has argued that lives may be lost in sensitive terrorist and other investigations if government agencies do not have access to private encryption keys. However, the reverse is equally true: weak encryption or easy government access to decryption assistance could jeopardize lives as well. Finally, the E-PRIVACY Act contains provisions to enhance the privacy protections for communications, even when encryption is not employed. Specifically, the bill would require law enforcement to obtain a court order based on probable cause before using a cellular telephone as a tracking device. In addition, the bill would require law enforcement agencies to obtain a court order or provide notice when seizing electronic records that a person stores on a computer network rather than on the hard drive of his or her own personal computer. Finally, the bill grants Federal judges authority to evaluate the reasons proffered by a prosecutor for issuance of an ex parte pen register or trap and trace device order, by contrast to their mere ministerial authority under current law. In sum, the E-PRIVACY Act accomplishes the eight goals that Senator Ashcroft and I set out during our April 2, 1998, colloquy on the floor. 
Specifically, we sought to craft legislation that promotes the following principles: First, ensure the right of Americans to choose how to protect the privacy and security of their communications and information; Second, bar a government-mandated key escrow encryption system; Third, establish both procedures and standards for access by law enforcement to decryption keys or decryption assistance for both encrypted communications and stored electronic information and only permit such access upon court order authorization, with appropriate notice and other procedural safeguards; Fourth, establish both procedures and standards for access by foreign governments and foreign law enforcement agencies to the plaintext of encrypted communications and stored electronic information of United States persons; Fifth, modify the current export regime for encryption to promote the global competitiveness of American companies; Sixth, avoid linking the use of certificate authorities with key recovery agents or, in other words, not link the use of encryption for confidentiality purposes with use of encryption for authenticity and integrity purposes; Seventh, consistent with these goals of promoting privacy and the global competitiveness of our high-tech industries, help our law enforcement agencies and national security agencies deal with the challenges posed by the use of encryption; and Eighth, protect the security and privacy of information provided by Americans to the government by ensuring that encryption products used by the government interoperate with commercial encryption products. Resolving the encryption debate is critical for our economy, our national security and our privacy. This is not a partisan issue. This is not a black-and-white issue of being either for law enforcement and national security or for Internet freedom. Characterizing the debate in these simplistic terms is neither productive nor accurate. 
Delays in resolving the encryption debate hurt most the very public safety and national security interests that are posed as obstacles to resolving this issue. We need sensible solutions in legislation that will not be subject to change at the whim of agency bureaucrats. Every American, not just those in the software and high-tech industries and not just those in law enforcement agencies, has a stake in the outcome of this debate. We have a legislative stalemate right now that needs to be resolved, and I hope to work closely with my colleagues and the Administration on a solution. I ask unanimous consent that the sectional summary for the "E-PRIVACY Act" be printed in the Record following my statement.

Summary of the Ashcroft-Leahy E-Privacy Act ("Encryption Protects the Rights of Individuals from Violation and Abuse in Cyberspace")

Protects Privacy of Communications and Electronic Information:
+ Affirms the rights of Americans to use and sell whatever encryption products they want at whatever strength they desire;
+ Prohibits government-compelled key escrow or key recovery encryption;
+ Prohibits indirect controls or ties to encryption used for authentication or integrity purposes;
+ Requires a court order to obtain decryption keys/assistance held by a third party that will be used to decrypt communications subject to a wiretap;
+ Extends to remotely-stored electronic information the same protections as exist under existing law (e.g., ECPA) for information stored in your home, thereby requiring a court order or subpoena to obtain either the plaintext or a decryption key/assistance from third party.
+ Requires a probable cause court order from a judge for law enforcement to get real time access to location information generated by mobile electronic services.

Assists Law Enforcement to Obtain Information Consistent with Constitutional Protections:
+ Makes the willful use of encryption to conceal incriminating communications or information a crime;
+ Clarifies that existing wiretap authority can be used to obtain decryption keys/assistance from third parties for communications that are the subject of a wiretap;
+ Provides that decryption keys/assistance for remotely-stored electronic information can be obtained from third parties with a court order or subpoena with notice;
+ Requires the court-ordered release of decryption keys/assistance to the Attorney General so that plaintext of encrypted communications or stored electronic information (but not the key) may be furnished to a foreign government under certain conditions; and
+ Creates a National Electronic Technology Center ("NET Center") to serve as a focal point for information and assistance to federal, state, and local law enforcement authorities to address the technical difficulties of obtaining plaintext of communications and electronic information because of encryption, steganography, compression, multiplexing, and other techniques.

Modernizes Export Controls on Commercial Encryption Products
+ The E-Privacy Act does not allow for unrestricted export of any encryption product; exports to certain unfriendly nations (such as North Korea, Iraq, or Libya) are absolutely prohibited;
+ Permits exportability under a license exception for mass market products which, by their nature, are uncontrollable given the volume sold and ease of distribution;
+ Permits exportability under a license exception for products which do not themselves provide encryption, but are capable of working with encryption products;
+ Permits exportability under a license exception for product support and consulting services;
+ Permits exportability under a license exception for custom hardware and software (i.e., not mass market) when comparable foreign products are available -- establishes a joint government-industry board to determine whether encryption products utilizing the same or greater key length or otherwise providing comparable security are, or will be, within the next 18 months commercially available outside the U.S. from a foreign supplier;
+ Affirms that there will be no export controls on encryption products used for non-confidentiality purposes, such as authentication, integrity, digital signatures, non-repudiation, and copy protection;
+ Assures that before export, all products undergo a one-time technical review to check that the encryption product works as represented; and
+ Affirms the continued applicability of general export controls -- the government will continue to be able to limit exports to terrorist countries, as part of a general embargo, and with respect to particular encryption products that would be exported to an individual or organization in a specific foreign country.

__________________________________________________________

Section-by-Section Analysis of E-Privacy Act

SEC. 1. SHORT TITLE.
The Act may be cited as the "Encryption Protects the Rights of Individuals from Violation and Abuse in CYberspace (E-PRIVACY) Act."

SEC. 2. PURPOSES.
The Act would ensure that Americans have the maximum possible choice in encryption methods to protect the security, confidentiality and privacy of their lawful wire and electronic communications and stored electronic information. The Act would also promote the privacy and constitutional rights of individuals and organizations and the security of critical information infrastructures. Finally, the Act would establish privacy standards and procedures for law enforcement officers to follow to obtain decryption assistance for encrypted communications and information.

SEC. 3. FINDINGS.
The Act enumerates sixteen congressional findings, including that a secure, private and trusted national and global information infrastructure is essential to promote citizens' privacy, economic growth and meet the needs of both American citizens and businesses, that encryption technology widely available worldwide can help meet those needs, that Americans should be free to use, and American businesses free to compete and sell, encryption technology, programs and products, and that there is a need to develop a national encryption policy to advance the global information infrastructure and preserve Americans' right to privacy and the Nation's public safety and national security.

SEC. 4. DEFINITIONS.- The terms "agency", "person", "remote computing service" and "state" have the same meaning given those terms in specified sections of title 18, United States Code. Additional definitions are provided for the following terms:

The terms "encrypt" and "encryption" mean the use of mathematical formulas or algorithms to scramble or descramble electronic data or communications for purposes of confidentiality, integrity, or authenticity.
As defined, the terms cover a broad range of scrambling techniques and applications including cryptographic applications such as PGP or RSA's encryption algorithms; steganography; authentication; and winnowing and chafing.

The term "encryption product" includes any hardware, software, devices, or other technology with encryption capabilities, whether or not offered for sale or distribution. A particular encryption product includes subsequent versions of the product, if the encryption capabilities remain the same.

The term "exportable" means the ability to transfer, ship, or transmit to foreign users. The term includes the ability to electronically transmit via the Internet.

The term "key" means the variable information used in or produced by a mathematical formula to encrypt or decrypt wire or electronic communications, or electronically stored information.

The term "technical review" means a review by the Secretary of Commerce based on information about a product's encryption capabilities supplied by the manufacturer that an encryption product works as represented.

TITLE I - PRIVACY PROTECTION FOR COMMUNICATIONS AND ELECTRONIC INFORMATION

SEC. 101. FREEDOM TO USE ENCRYPTION.
(a) IN GENERAL.- The Act legislatively confirms current practice in the United States that any person in this country may lawfully use any encryption method, regardless of encryption algorithm, key length, existence of key recovery or other plaintext access capability, or implementation selected. Specifically, the Act states the freedom of any person in the U.S., as well as U.S. persons in a foreign country, to make, use, import, and distribute any encryption product without regard to its strength or the use of key recovery, subject to the other provisions of the Act.

(b) PROHIBITION ON GOVERNMENT-COMPELLED KEY ESCROW OR KEY RECOVERY ENCRYPTION.- The Act prohibits any federal or state agency from compelling the use of key recovery systems or other plaintext access systems.
Agencies may not set standards, or condition approval or benefits, to compel use of these systems. U.S. agencies may not require persons to use particular key recovery products for interaction with the government. These prohibitions do not apply to systems for use solely for the internal operations and telecommunications systems of a U.S. or a State government agency.

(c) USE OF ENCRYPTION FOR AUTHENTICATION OR INTEGRITY PURPOSES.- The Act requires that the use of encryption products shall be voluntary and market-driven, and no federal or state agency may link the use of encryption for authentication or identity (such as through certificate authority and digital signature systems) to the use of encryption for confidentiality purposes. For example, some Administration proposals would condition receipt of a digital certificate from a licensed certificate authority on the use of key recovery. Such conditions would be prohibited.

SEC. 102. PURCHASE AND USE OF ENCRYPTION PRODUCTS BY THE FEDERAL GOVERNMENT.
The Act authorizes agencies of the United States to purchase encryption products for internal governmental operations and telecommunications systems. To ensure that secure electronic access to the Government is available to persons outside of and not operating under contract with Federal agencies, the Act requires that any key recovery features in encryption products used by the Government interoperate with commercial encryption products.

SEC. 103. ENHANCED PRIVACY PROTECTION FOR ELECTRONIC RECORDS ON COMPUTER NETWORKS.
The Act adds a new subsection (g) to section 2703 of title 18, United States Code, to extend privacy protections to electronic information stored on computer networks. Under United States v. Miller, 425 U.S. 435 (1976) (customer has no standing to object to bank disclosure of customer records), and its progeny, records in the possession of third parties do not receive Fourth Amendment protection.
When held in a person's home, such records can only be seized pursuant to a warrant based upon probable cause, or compelled under a subpoena which can be challenged and quashed. In both those instances, the record owner has notice of the search and an opportunity to challenge it. By contrast, production of records held by third parties can be compelled by a governmental agent with a subpoena to the third party holding the information, without notice to the person to whom the records belong or pertain. The record owner may never receive notice or any meaningful opportunity to challenge the production. This lack of protection for records held by third parties presents new privacy problems in the information age. With the rise of network computing, electronic information that was previously held on a person's own computer is increasingly stored elsewhere, such as on a network server or an ISP's computers. In many cases the location of such information is not even known to the record's owner. The Act amends section 2703 to extend the same privacy protections to a person's records whether storage takes place on that person's personal computer in their possession or in networked electronic storage. The term "networked electronic storage" applies to electronic records held by a third party, who is not authorized to access the contents of the record except in connection with providing storage services, and where the person who created the record is able to access and modify the record remotely through electronic means. Electronic data stored incident to transmission (such as e-mail) and covered under 2703(a) is not included. 
The new section 2703(g) requires that a governmental entity may only require disclosure of electronic records in "networked electronic storage" pursuant to (i) a state or federal warrant (based upon probable cause), with a copy to be served on the record owner at the same time the warrant is served on the record holder; (ii) a subpoena that must also be served on the record owner with a meaningful opportunity to challenge the subpoena; or (iii) the consent of the record owner.

SEC. 104. GOVERNMENT ACCESS TO LOCATION INFORMATION.
The Act adds a new subsection (h) to section 2703 of title 18, United States Code, to extend privacy protections for physical location information generated on a real time basis by mobile electronic communications services, such as cellular telephones. This section requires that when cellular telephones are used as contemporaneous tracking devices, the physical location information generated by the service provider may only be released to a governmental entity pursuant to a court order based upon probable cause.

SEC. 105. ENHANCED PRIVACY PROTECTION FOR TRANSACTIONAL INFORMATION OBTAINED FROM PEN REGISTERS OR TRAP AND TRACE DEVICES.
The Act enhances privacy protections for information obtained from pen register and trap and trace devices by amending section 3123(a) of title 18, United States Code. This amendment would not change the standard for issuance of an ex parte order authorizing use of a pen register or trap and trace device, but would grant a court authority to review the information presented in a certification by the prosecuting attorney to determine whether the information likely to be obtained is relevant to an ongoing criminal investigation. Under current law, the court is relegated to a mere ministerial function and must issue the order upon presentation of a certification.
In addition, the amendment requires law enforcement to minimize the information obtained from the pen register or trap and trace device that is not related to the dialing and signaling information utilized in call processing. Currently, such devices capture not just such dialing information but also any other dialed digits after a call has been completed.

TITLE II - LAW ENFORCEMENT ASSISTANCE

SEC. 201. ENCRYPTED WIRE OR ELECTRONIC COMMUNICATIONS AND STORED ELECTRONIC COMMUNICATIONS.
The Act adds a new chapter 124 to Title 18, Part I, governing the unlawful use of encryption, protections and standards for governmental access, including foreign governments, to decryption assistance from third parties, and establishment of a "Net Center" to assist law enforcement in dealing with advanced technologies, such as encryption.

(a) IN GENERAL.- New chapter 124 has six sections. This chapter applies to wire or electronic communications and communications in electronic storage, as defined in 18 U.S.C. § 2510, and to stored electronic data. Thus, this chapter describes procedures for law enforcement to obtain assistance in decrypting encrypted electronic mail messages, encrypted telephone conversations, encrypted facsimile transmissions, encrypted computer transmissions and encrypted file transfers over the Internet that are lawfully intercepted pursuant to a wiretap order, under 18 U.S.C. § 2518, or obtained pursuant to lawful process, under 18 U.S.C. § 2703, and encrypted information stored on computers that are seized pursuant to a search warrant or other lawful process.

§ 2801. Definitions.
Generally, the terms used in the new chapter have the same meanings as in the federal wiretap statute, 18 U.S.C. § 2510. Definitions are provided for "decryption assistance", "decryption key", "encrypt; encryption", "foreign government" and "official request".

§ 2802. Unlawful use of encryption.
This section creates a new federal crime for knowingly and willfully using encryption during the commission of a Federal felony offense, with the intent to conceal that information for the purpose of avoiding detection by law enforcement. This new offense would be subject to a fine and up to 5 years' imprisonment for a first offense, and up to 10 years' imprisonment for a second or subsequent offense.

§ 2803. Access to decryption assistance for communications.
In the United States today, decryption keys and other decryption assistance held by third parties constitute third party records and may be disclosed to a governmental entity with a subpoena or an administrative request, and without any notice to the owner of the encrypted data. Such a low standard of access creates new problems in the information age because encryption users rely heavily on the integrity of keys to protect personal information or sensitive trade secrets, even when those keys are placed in the hands of trusted agents for recovery purposes.

Under new section 2803, in criminal investigations a third party holding decryption keys or other decryption assistance for wire or electronic communications may be required to release such assistance pursuant to a court order, if the court issuing the order finds that such assistance is needed for the decryption of communications covered by the order. Specifically, such an order for decryption assistance may be issued upon a finding that the key or assistance is necessary to decrypt communications or stored data lawfully intercepted or seized. The standard for release of the key or provision of decryption assistance is tied directly to the problem at hand: the need to decrypt a message or information that the government is otherwise authorized to intercept or obtain. This will ensure that third parties holding decryption keys or decryption information need respond to only one type of compulsory process--a court order.
Moreover, this Act will set a single standard for law enforcement, removing any extra burden on law enforcement to demonstrate, for example, probable cause for two separate orders (i.e., for the encrypted communications or information and for decryption assistance) and possibly before two different judges (i.e., the judge issuing the order for the encrypted communications or information and the judge issuing the order to the third party able to provide decryption assistance).

The Act reinforces the principle of minimization. The decryption assistance provided is limited to the minimum necessary to access the particular communications or information specified by court order. Under some key recovery schemes, release of a key holder's private key--rather than an individual session key--might provide the ability to decrypt every communication or stored file ever encrypted by a particular key owner, or by every user in an entire corporation, or by every user who was ever a customer of the key holder. The Act protects against such overbroad releases of keys by requiring the court issuing the order to find that the decryption assistance being sought is necessary. Private keys may only be released if no other form of decryption assistance is available.

Notice of the assistance given will be included as part of the inventory provided to subjects of the interception pursuant to current wiretap law standards.

For foreign intelligence investigations, new section 2803 allows FISA orders to direct third-party holders to release decryption assistance if the court finds the assistance is needed to decrypt covered communications. Minimization is also required, though no notice is provided to the target of the investigation.

Under new section 2803, decryption assistance is only required from third parties (i.e., other than those whose communications are the subject of interception), thereby avoiding self-incrimination problems.
Finally, new section 2803 generally prohibits any person from providing decryption assistance for another person's communications to a governmental entity, except pursuant to the orders described.

Para. 2804. Access to decryption assistance for stored electronic communications or records.

New section 2804 governs access to decryption assistance for stored electronic communications and records. As noted above, under current law third party decryption assistance may be disclosed to a governmental entity with a subpoena or even a mere request and without notice. This standard is particularly problematic for stored encrypted data, which may exist in insecure media but rely on encryption to maintain security; in such cases easy access to keys destroys the encryption security so heavily relied upon.

Under new section 2804, third parties holding decryption keys or other decryption assistance for stored electronic communications may only release such assistance to a governmental entity pursuant to (1) a state or federal warrant (based upon probable cause), with a copy to be served on the record owner at the same time the warrant is served on the record holder; (2) a subpoena that must also be served on the record owner with a meaningful opportunity to challenge the subpoena; or (3) the consent of the record owner. This standard closely mirrors the protection that would be afforded to encryption keys that are actually kept in the possession of those whose records were encrypted.

In the specific case of decryption assistance for communications stored incident to transit (such as e-mail), notice may be delayed under the standards laid out for delayed notice under current law in section 2705(a)(2) of title 18, United States Code.

Para. 2805. Foreign government access to decryption assistance.

New section 2805 creates standards for the U.S. government to provide decryption assistance to foreign governments.
No law enforcement officer would be permitted to release decryption keys to a foreign government, but only to provide decryption assistance in the form of producing plaintext. No officer would be permitted to provide decryption assistance except upon an order requested by the Attorney General or designee. Such an order could require the production of decryption keys or assistance to the Attorney General only if the court finds that (1) the assistance is necessary to decrypt data the foreign government is authorized to intercept under foreign law; (2) the foreign country's laws provide "adequate protection against arbitrary interference with respect to privacy rights"; and (3) the assistance is sought for a criminal investigation of conduct that would violate U.S. criminal law if committed in the United States.

Para. 2806. Establishment and operations of National Electronic Technologies Center.

This section establishes a National Electronic Technologies Center ("NET Center") to serve as a focal point for information and assistance to federal, state, and local law enforcement authorities to address the technical difficulties of obtaining plaintext of communications and electronic information through the use of encryption, steganography, compression, multiplexing, and other techniques.

TITLE III - EXPORTS OF ENCRYPTION PRODUCTS

SEC. 301. COMMERCIAL ENCRYPTION PRODUCTS.

(a) PROVISIONS APPLICABLE TO COMMERCIAL PRODUCTS.- This title applies to all encryption products other than those specifically designed or modified for military use.

(b) CONTROL BY SECRETARY OF COMMERCE.- This section grants exclusive authority to the Secretary of Commerce (the "Secretary") to control commercial encryption product exports.

SEC. 302. LICENSE EXCEPTION FOR MASS MARKET PRODUCTS.
(a) EXPORT CONTROL RELIEF.- The Act permits export under a license exception of generally available, mass market, encryption products, which by their nature are uncontrollable given the volume sold and ease of distribution, without a license or restrictions, other than those permitted under this Act, after a 1-time 15-day technical review by the Secretary.

(b) DEFINITIONS.- This section defines "generally available" as a product offered for sale, license or transfer, including over-the-counter sales, mail or phone order transactions, electronic distribution, or sale on approval and not designed, developed or customized by the manufacturer for specific purchasers (except for installation or configuration parameters).

(c) COMMERCE DEPARTMENT ASSURANCE.- This section permits requests from manufacturers or exporters to the Secretary for written assurance that a product is "generally available," and requires that the Secretary notify the petitioner of a decision within 30 days. This section prohibits imposition of liability or sanctions on petitioners who receive such a written assurance for failing to obtain an export license.

SEC. 303. LICENSE EXCEPTION FOR PRODUCTS WITHOUT ENCRYPTION CAPABLE OF WORKING WITH ENCRYPTION PRODUCTS.

This section permits export under a license exception of products, which do not provide any encryption themselves, but that are capable of working with encryption products, without restriction other than those permitted under this Act after a 1-time, 15-day technical review by the Secretary.

(a) NO ADDITIONAL EXPORT CONTROLS IMPOSED IF UNDERLYING PRODUCT COVERED BY LICENSE EXCEPTION.- This section permits export of product support and consulting services, including technical assistance and technical data associated with the installation and maintenance of mass market encryption products or products capable of working with encryption products without an export license and without restrictions other than those permitted under this Act.
(b) DEFINITIONS.- This section defines technical assistance as services, such as instruction, skills training, working knowledge, consulting services and transfer of technical data. "Technical data" is defined as information, including blueprints, plans, diagrams, models, formulae, tables, engineering designs and specifications, manuals and instructions.

(a) FOREIGN AVAILABILITY STANDARD.- This section permits unrestricted export of customized encryption hardware and software products (i.e., not generally available mass market products) if a foreign encryption product using the same or greater key length or providing comparable security is, or will within 18 months, be commercially available outside the United States.

(b) DETERMINATION OF FOREIGN AVAILABILITY.- This section establishes an Encryption Export Advisory Board (the "Board"), which is chaired by the Under Secretary of Commerce for Export Administration, with seven Presidential appointees (3 government and 4 private sector representatives); and four Congressional appointees from the private sector. The Board is required to meet at the call of the Chairman, or if there are any pending applications for a license exception, the Board shall meet at least once every 30 days.

The primary duties of the Board shall be to determine whether comparable foreign encryption products are commercially available outside the United States. The decision is by majority vote, and must be made within 30 days of receipt of application for a license exception. The Board must notify the Secretary of its determination, and submit a report to the President within 30 days. Board meetings are exempt from the Federal Advisory Committee Act.

The Secretary is required to approve or disapprove each Board determination within 30 days of receipt of that determination, notify the Board of the approval or disapproval, and publish notice of the approval or disapproval in the Federal Register.
The notice shall include an explanation in detail of the reasons for the decision, including why and how continued export controls will be effective and the amount of lost sales and market share of U.S. encryption product which resulted. Judicial review of the Secretary's decision to disapprove a Board decision that a product is commercially available is permitted.

(c) INCLUSION OF COMPARABLE FOREIGN ENCRYPTION PRODUCTS IN A UNITED STATES PRODUCT NOT BASIS FOR EXPORT CONTROLS.- This section permits export under a license exception of products incorporating or employing a foreign encryption product in the way it was intended to be used and that the Board has determined to be commercially available outside the United States, without an export license and without restrictions other than those under the Act, after a 1-time 15-day review by the Secretary.

SEC. 306. NO EXPORT CONTROLS ON ENCRYPTION PRODUCTS USED FOR NONCONFIDENTIALITY PURPOSES.

(a) PROHIBITION ON NEW CONTROLS.- This section prohibits restrictions on encryption exports used for nonconfidentiality purposes such as authentication, integrity, digital signatures, nonrepudiation and copy protection.

(b) NO REINSTATEMENT OF CONTROLS ON PREVIOUSLY DECONTROLLED PRODUCTS.- This section prohibits administratively imposed encryption controls on previously decontrolled products not requiring an export license as of January 1, 1998.

SEC. 307. APPLICABILITY OF GENERAL EXPORT CONTROLS.

(a) SUBJECT TO TERRORISTS AND EMBARGO CONTROLS.- Nothing in the Act shall limit the President's authority under the International Emergency Economic Powers Act, the Trading With the Enemy Act, or the Export Administration Act to prohibit export of encryption products to countries that have repeatedly provided support for international terrorism, or impose an embargo on exports or imports from a specific country.
(b) SUBJECT TO SPECIFIC DENIALS FOR SPECIFIC REASONS.- The Secretary is required to prohibit export of encryption products to an individual or organization in a specific foreign country identified by the Secretary, if the Secretary determines that there is substantial evidence that such encryption product will be used for military or terrorist end-use, including acts against the critical infrastructure of the United States.

(c) OTHER EXPORT CONTROLS REMAIN APPLICABLE.- Encryption products remain subject to all export controls imposed for reasons other than the existence of encryption capabilities, and the Secretary retains the authority to control exports of products for reasons other than encryption.

SEC. 308. FOREIGN TRADE BARRIERS TO UNITED STATES PRODUCTS.

The Secretary, in consultation with the United States Trade Representative, is required within 180 days of enactment of the Act to: (1) identify foreign barriers to the export of U.S. encryption products; (2) initiate appropriate actions to address such barriers; and (3) submit to Congress a report on the actions taken under this section.