![[Join EFF]](/Icons/home/joineff.gif){kind=icon}
![[Act Now]](/Icons/home/actnow.gif){kind=icon}
![[Sign Up]](/Icons/home/signup.gif){kind=icon}
![[About EFF]](/Icons/home/abouteff.gif){kind=icon}
Union Calendar No. 149
To amend title 18, United States Code, to affirm the rights of United States persons to use and sell encryption and to relax export controls on encryption.
HR 850 RH
Mr. GOODLATTE (for himself, Ms. LOFGREN, Mr. ARMEY, Mr. DELAY, Mr. WATTS of Oklahoma, Mr. DAVIS of Virginia, Mr. COX, Ms. PRYCE of Ohio, Mr. BLUNT, Mr. GEPHARDT, Mr. BONIOR, Mr. FROST, Ms. DELAURO, Mr. LEWIS of Georgia, Mr. GEJDENSON, Mr. SENSENBRENNER, Mr. GEKAS, Mr. COBLE, Mr. SMITH of Texas, Mr. GALLEGLY, Mr. BRYANT, Mr. CHABOT, Mr. BARR of Georgia, Mr. HUTCHINSON, Mr. PEASE, Mr. CANNON, Mr. ROGAN, Mrs. BONO, Mr. BACHUS, Mr. CONYERS, Mr. FRANK of Massachusetts, Mr. BOUCHER, Mr. NADLER, Ms. JACKSON-LEE of Texas, Ms. WATERS, Mr. MEEHAN, Mr. DELAHUNT, Mr. WEXLER, Mr. ACKERMAN, Mr. ANDREWS, Mr. ARCHER, Mr. BALLENGER, Mr. BARCIA, Mr. BARRETT of Nebraska, Mr. BARRETT of Wisconsin, Mr. BARTON of Texas, Mr. BILBRAY, Mr. BLUMENAUER, Mr. BOEHNER, Mr. BRADY of Texas, Mr. BRADY of Pennsylvania, Ms. BROWN of Florida, Mr. BROWN of California, Mr. BURR of North Carolina, Mr. BURTON of Indiana, Mr. CAMP, Mr. CAMPBELL, Mrs. CAPPS, Mr. CHAMBLISS, Mrs. CHENOWETH, Mrs. CHRISTIAN-CHRISTENSEN, Mrs. CLAYTON, Mr. CLEMENT, Mr. CLYBURN, Mr. COLLINS, Mr. COOK, Mr. COOKSEY, Mrs. CUBIN, Mr. CUMMINGS, Mr. CUNNINGHAM, Mr. DAVIS of Illinois, Mr. DEAL of Georgia, Mr. DEFAZIO, Mr. DEUTSCH, Mr. DICKEY, Mr. DOOLEY of California, Mr. DOOLITTLE, Mr. DOYLE, Mr. DREIER, Mr. DUNCAN, Ms. DUNN, Mr. EHLERS, Mrs. EMERSON, Mr. ENGLISH, Ms. ESHOO, Mr. EWING, Mr. FARR of California, Mr. FILNER, Mr. FORD, Mr. FOSSELLA, Mr. FRANKS of New Jersey, Mr. GILLMOR, Mr. GOODE, Mr. GOODLING, Mr. GORDON, Mr. GREEN of Texas, Mr. GUTKNECHT, Mr. HALL of Texas, Mr. HASTINGS of Washington, Mr. HERGER, Mr. HILL of Montana, Mr. HOBSON, Mr. HOEKSTRA, Mr. HOLDEN, Ms. HOOLEY of Oregon, Mr. HORN, Mr. HOUGHTON, Mr. INSLEE, Mr. ISTOOK, Mr. JACKSON of Illinois, Mr. JEFFERSON, Ms. EDDIE BERNICE JOHNSON of Texas, Mrs. JOHNSON of Connecticut, Mr. KANJORSKI, Mr. KASICH, Mrs. KELLY, Ms. KIKPATRICK, Mr. KIND, Mr. KINGSTON, Mr. KNOLLENBERG, Mr. KOLBE, Mr. LAMPSON, Mr. LARGENT, Mr. LATHAM, Ms. LEE, Mr. LEWIS of Kentucky, Mr. LINDER, Mr. LUCAS of Oklahoma, Mr. LUTHER, Ms. MCCARTHY of Missouri, Mr. MCDERMOTT, Mr. MCGOVERN, Mr. MCINTOSH, Mr. MALONEY of Connecticut, Mr. MANZULLO, Mr. MARKEY, Mr. MARTINEZ, Mr. MATSUI, Mrs. MEEK of Florida, Mr. METCALF, Mr. MICA, Ms. MILLENDER-MCDONALD, Mr. GEORGE MILLER of California, Mr. MOAKLEY, Mr. MORAN of Virginia, Mrs. MORELLA, Mrs. MYRICK, Mrs. NAPOLITANO, Mr. NEAL of Massachusetts, Mr. NETHERCUTT, Mr. NORWOOD, Mr. NUSSLE, Mr. OLVER, Mr. PACKARD, Mr. PALLONE, Mr. PASTOR, Mr. PETERSON of Minnesota, Mr. PICKERING, Mr. POMBO, Mr. POMEROY, Mr. PRICE of North Carolina, Mr. QUINN, Mr. RADANOVICH, Mr. RAHALL, Mr. RANGEL, Mr. REYNOLDS, Ms. RIVERS, Mr. ROHRABACHER, Ms. ROS-LEHTINEN, Mr. RUSH, Mr. SALMON, Ms. SANCHEZ, Mr. SANDERS, Mr. SANFORD, Mr. SCARBOROUGH, Mr. SCHAFFER, Mr. SESSIONS, Mr. SHAYS, Mr. SHERMAN, Mr. SHIMKUS, Mr. SMITH of Washington, Mr. SMITH of New Jersey, Mr. SOUDER, Ms. STABENOW, Mr. STARK, Mr. SUNUNU, Mr. TANNER, Mrs. TAUSCHER, Mr. TAUZIN, Mr. TAYLOR of North Carolina, Mr. THOMAS, Mr. THOMPSON of Mississippi, Mr. THUNE, Mr. TIAHRT, Mr. TIERNEY, Mr. UPTON, Mr. VENTO, Mr. WALSH, Mr. WAMP, Mr. WATKINS, Mr. WELLER, Mr. WHITFIELD, Mr. WICKER, Ms. WOOLSEY, and Mr. WU) introduced the following bill; which was referred to the Committee on the Judiciary, and in addition to the Committee on International Relations, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned
Reported from the Committee on the Judiciary
Referral to the Committee on International Relations extended for a period ending not later than July 2, 1999
Referred to the Committees on Armed Services and Commerce and the Permanent Select Committee on Intelligence for a period ending not later than July 2, 1999
Reported from the Committee on Commerce with an amendment
Referral to the Committee on International Relations extended for a period ending not later than July 16, 1999
Referral to the Committee on Armed Services and the Permanent Select Committee on Intelligence extended for a period ending not later than July 23, 1999
Referral to the Committee on International Relations extended for a period ending not later than July 19, 1999
Reported from the Committee on International Relations with an amendment
Reported from the Committee on Armed Services with amendments
Additional sponsors: Mr. HALL of Ohio, Mr. FORBES, Mr. HOLT, Mr. GIBBONS, Mr. CALVERT, Ms. SLAUGHTER, Mr. BONILLA, Mr. DIAZ-BALART, Mr. ENGEL, Mr. HILLIARD, Mr. KING, Mr. LAHOOD, Ms. MCKINNEY, Mr. NEY, Mrs. NORTHUP, Mr. RILEY, Mr. SERRANO, Mr. STENHOLM, Mr. TANCREDO, Mr. HANSEN, Mr. MORAN of Kansas, Mr. SAM JOHNSON of Texas, Mr. HILLEARY, Mr. GARY MILLER of California, Ms. NORTON, Mr. SWEENEY, Mr. BAKER, Mr. CRANE, Mr. MCINNIS, Mr. WELDON of Florida, Mr. WISE, Mr. OSE, Mr. BALDACCI, Mr. MINGE, Mr. UNDERWOOD, Mr. DEMINT, Mr. WALDEN of Oregon, Mr. HAYES, Mr. FOLEY, Mr. TERRY, Mr. SHOWS, Mr. RYAN of Wisconsin, Mr. ETHERIDGE, Mr. WATT of North Carolina, Mr. CROWLEY, Mr. UDALL of Colorado, Mr. HOEFFEL, Mr. FLETCHER, Mr. BAIRD, Mr. TALENT, Mr. KENNEDY of Rhode Island, Mr. UDALL of New Mexico, Mr. SAWYER, Mr. MENENDEZ, and Mr. Hinchey
Deleted sponsors: Mr. HOLDEN (added February 25, 1999; deleted April 21, 1999), and Mr. HASTINGS of Florida (added March 16, 1999; deleted June 10, 1999)
Reported from the Permanent Select Committee on Intelligence with an amendment, committed to the Committee of the Whole House on the State of the Union, and ordered to be printed
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE. [<-Struck out] [Struck out->] This Act may be cited as the `Security And Freedom through Encryption (SAFE) Act'. [<-Struck out]
SEC. 2. SALE AND USE OF ENCRYPTION. [<-Struck out] [Struck out->] (a) IN GENERAL- Part I of title 18, United States Code, is amended by inserting after chapter 123 the following new chapter: [<-Struck out]
`CHAPTER 125--ENCRYPTED WIRE AND ELECTRONIC INFORMATION [<-Struck out] [Struck out->]`Sec.[<-Struck out]
[Struck out->]`2801. Definitions.[<-Struck out]
[Struck out->]`2802. Freedom to use encryption.[<-Struck out]
[Struck out->]`2803. Freedom to sell encryption.[<-Struck out]
[Struck out->]`2804. Prohibition on mandatory key escrow.[<-Struck out]
[Struck out->]`2805. Unlawful use of encryption in furtherance of a criminal act.[<-Struck out]
`Sec. 2801. Definitions [<-Struck out] [Struck out->] `As used in this chapter-- [<-Struck out]
[Struck out->]`(1) the terms `person', `State', `wire communication', `electronic communication', `investigative or law enforcement officer', and `judge of competent jurisdiction' have the meanings given those terms in section 2510 of this title;[<-Struck out]
[Struck out->]`(2) the term `decrypt' means to retransform or unscramble encrypted data, including communications, to its readable form;[<-Struck out]
[Struck out->]`(3) the terms `encrypt', `encrypted', and `encryption' mean the scrambling of wire communications, electronic communications, or electronically stored information, using mathematical formulas or algorithms in order to preserve the confidentiality, integrity, or authenticity of, and prevent unauthorized recipients from accessing or altering, such communications or information;[<-Struck out]
[Struck out->]`(4) the term `key' means the variable information used in a mathematical formula, code, or algorithm, or any component thereof, used to decrypt wire communications, electronic communications, or electronically stored information, that has been encrypted; and[<-Struck out]
[Struck out->]`(5) the term `key recovery information' means information that would enable obtaining the key of a user of encryption;[<-Struck out]
[Struck out->]`(6) the term `plaintext access capability' means any method or mechanism which would provide information in readable form prior to its being encrypted or after it has been decrypted;[<-Struck out]
[Struck out->]`(7) the term `United States person' means--[<-Struck out]
[Struck out->]`(A) any United States citizen;[<-Struck out]
[Struck out->]`(B) any other person organized under the laws of any State, the District of Columbia, or any commonwealth, territory, or possession of the United States; and[<-Struck out]
[Struck out->]`(C) any person organized under the laws of any foreign country who is owned or controlled by individuals or persons described in subparagraphs (A) and (B).[<-Struck out]
`Sec. 2802. Freedom to use encryption [<-Struck out] [Struck out->] `Subject to section 2805, it shall be lawful for any person within any State, and for any United States person in a foreign country, to use any encryption, regardless of the encryption algorithm selected, encryption key length chosen, or implementation technique or medium used. [<-Struck out]
`Sec. 2803. Freedom to sell encryption [<-Struck out] [Struck out->] `Subject to section 2805, it shall be lawful for any person within any State to sell in interstate commerce any encryption, regardless of the encryption algorithm selected, encryption key length chosen, or implementation technique or medium used. [<-Struck out]
`Sec. 2804. Prohibition on mandatory key escrow [<-Struck out] [Struck out->] `(a) GENERAL PROHIBITION- Neither the Federal Government nor a State may require that, or condition any approval on a requirement that, a key, access to a key, key recovery information, or any other plaintext access capability be-- [<-Struck out]
[Struck out->]`(1) built into computer hardware or software for any purpose;[<-Struck out]
[Struck out->]`(2) given to any other person, including a Federal Government agency or an entity in the private sector that may be certified or approved by the Federal Government or a State to receive it; or[<-Struck out]
[Struck out->]`(3) retained by the owner or user of an encryption key or any other person, other than for encryption products for use by the Federal Government or a State.[<-Struck out]
[Struck out->] `(b) PROHIBITION ON LINKAGE OF DIFFERENT USES OF ENCRYPTION- Neither the Federal Government nor a State may-- [<-Struck out]
[Struck out->]`(1) require the use of encryption products, standards, or services used for confidentiality purposes, as a condition of the use of such products, standards, or services for authenticity or integrity purposes; or[<-Struck out]
[Struck out->]`(2) require the use of encryption products, standards, or services used for authenticity or integrity purposes, as a condition of the use of such products, standards, or services for confidentiality purposes.[<-Struck out]
[Struck out->] `(c) EXCEPTION FOR ACCESS FOR LAW ENFORCEMENT PURPOSES- Subsection (a) shall not affect the authority of any investigative or law enforcement officer, or any member of the intelligence community as defined in section 3 of the National Security Act of 1947 (50 U.S.C. 401a), acting under any law in effect on the effective date of this chapter, to gain access to encrypted communications or information. [<-Struck out]
`Sec. 2805. Unlawful use of encryption in furtherance of a criminal act [<-Struck out] [Struck out->] `(a) ENCRYPTION OF INCRIMINATING COMMUNICATIONS OR INFORMATION UNLAWFUL- Any person who, in the commission of a felony under a criminal statute of the United States, knowingly and willfully encrypts incriminating communications or information relating to that felony with the intent to conceal such communications or information for the purpose of avoiding detection by law enforcement agencies or prosecution-- [<-Struck out]
[Struck out->]`(1) in the case of a first offense under this section, shall be imprisoned for not more than 5 years, or fined in the amount set forth in this title, or both; and[<-Struck out]
[Struck out->]`(2) in the case of a second or subsequent offense under this section, shall be imprisoned for not more than 10 years, or fined in the amount set forth in this title, or both.[<-Struck out]
[Struck out->] `(b) USE OF ENCRYPTION NOT A BASIS FOR PROBABLE CAUSE- The use of encryption by any person shall not be the sole basis for establishing probable cause with respect to a criminal offense or a search warrant.'. [<-Struck out]
[Struck out->] (b) CONFORMING AMENDMENT- The table of chapters for part I of title 18, United States Code, is amended by inserting after the item relating to chapter 123 the following new item: [<-Struck out]
[Struck out->] 2801'. [<-Struck out]
SEC. 3. EXPORTS OF ENCRYPTION. [<-Struck out] [Struck out->] (a) AMENDMENT TO EXPORT ADMINISTRATION ACT OF 1979- Section 17 of the Export Administration Act of 1979 (50 U.S.C. App. 2416) is amended by adding at the end thereof the following new subsection: [<-Struck out]
[Struck out->] `(g) CERTAIN CONSUMER PRODUCTS, COMPUTERS, AND RELATED EQUIPMENT- [<-Struck out]
[Struck out->]`(1) GENERAL RULE- Subject to paragraphs (2) and (3), the Secretary shall have exclusive authority to control exports of all computer hardware, software, computing devices, customer premises equipment, communications network equipment, and technology for information security (including encryption), except that which is specifically designed or modified for military use, including command, control, and intelligence applications.[<-Struck out]
[Struck out->]`(2) ITEMS NOT REQUIRING LICENSES- After a one-time, 15-day technical review by the Secretary, no export license may be required, except pursuant to the Trading with the enemy Act or the International Emergency Economic Powers Act (but only to the extent that the authority of such Act is not exercised to extend controls imposed under this Act), for the export or reexport of--[<-Struck out]
[Struck out->]`(A) any computer hardware or software or computing device, including computer hardware or software or computing devices with encryption capabilities--[<-Struck out]
[Struck out->]`(i) that is generally available;[<-Struck out]
[Struck out->]`(ii) that is in the public domain for which copyright or other protection is not available under title 17, United States Code, or that is available to the public because it is generally accessible to the interested public in any form; or[<-Struck out]
[Struck out->]`(iii) that is used in a commercial, off-the-shelf, consumer product or any component or subassembly designed for use in such a consumer product available within the United States or abroad which--[<-Struck out]
[Struck out->]`(I) includes encryption capabilities which are inaccessible to the end user; and[<-Struck out]
[Struck out->]`(II) is not designed for military or intelligence end use;[<-Struck out]
[Struck out->]`(B) any computing device solely because it incorporates or employs in any form--[<-Struck out]
[Struck out->]`(i) computer hardware or software (including computer hardware or software with encryption capabilities) that is exempted from any requirement for a license under subparagraph (A); or[<-Struck out]
[Struck out->]`(ii) computer hardware or software that is no more technically complex in its encryption capabilities than computer hardware or software that is exempted from any requirement for a license under subparagraph (A) but is not designed for installation by the purchaser;[<-Struck out]
[Struck out->]`(C) any computer hardware or software or computing device solely on the basis that it incorporates or employs in any form interface mechanisms for interaction with other computer hardware or software or computing devices, including computer hardware and software and computing devices with encryption capabilities;[<-Struck out]
[Struck out->]`(D) any computing or telecommunication device which incorporates or employs in any form computer hardware or software encryption capabilities which--[<-Struck out]
[Struck out->]`(i) are not directly available to the end user; or[<-Struck out]
[Struck out->]`(ii) limit the encryption to be point-to-point from the user to a central communications point or link and does not enable end-to-end user encryption;[<-Struck out]
[Struck out->]`(E) technical assistance and technical data used for the installation or maintenance of computer hardware or software or computing devices with encryption capabilities covered under this subsection; or[<-Struck out]
[Struck out->]`(F) any encryption hardware or software or computing device not used for confidentiality purposes, such as authentication, integrity, electronic signatures, nonrepudiation, or copy protection.[<-Struck out]
[Struck out->]`(3) COMPUTER HARDWARE OR SOFTWARE OR COMPUTING DEVICES WITH ENCRYPTION CAPABILITIES- After a one-time, 15-day technical review by the Secretary, the Secretary shall authorize the export or reexport of computer hardware or software or computing devices with encryption capabilities for nonmilitary end uses in any country--[<-Struck out]
[Struck out->]`(A) to which exports of computer hardware or software or computing devices of comparable strength are permitted for use by financial institutions not controlled in fact by United States persons, unless there is substantial evidence that such computer hardware or software or computing devices will be--[<-Struck out]
[Struck out->]`(i) diverted to a military end use or an end use supporting international terrorism;[<-Struck out]
[Struck out->]`(ii) modified for military or terrorist end use; or[<-Struck out]
[Struck out->]`(iii) reexported without any authorization by the United States that may be required under this Act; or[<-Struck out]
[Struck out->]`(B) if the Secretary determines that a computer hardware or software or computing device offering comparable security is commercially available outside the United States from a foreign supplier, without effective restrictions.[<-Struck out]
[Struck out->]`(4) DEFINITIONS- As used in this subsection--[<-Struck out]
[Struck out->]`(A)(i) the term `encryption' means the scrambling of wire communications, electronic communications, or electronically stored information, using mathematical formulas or algorithms in order to preserve the confidentiality, integrity, or authenticity of, and prevent unauthorized recipients from accessing or altering, such communications or information;[<-Struck out]
[Struck out->]`(ii) the terms `wire communication' and `electronic communication' have the meanings given those terms in section 2510 of title 18, United States Code;[<-Struck out]
[Struck out->]`(B) the term `generally available' means, in the case of computer hardware or computer software (including computer hardware or computer software with encryption capabilities)--[<-Struck out]
[Struck out->]`(i) computer hardware or computer software that is--[<-Struck out]
[Struck out->]`(I) distributed through the Internet;[<-Struck out]
[Struck out->]`(II) offered for sale, license, or transfer to any person without restriction, whether or not for consideration, including, but not limited to, over-the-counter retail sales, mail order transactions, phone order transactions, electronic distribution, or sale on approval;[<-Struck out]
[Struck out->]`(III) preloaded on computer hardware or computing devices that are widely available for sale to the public; or[<-Struck out]
[Struck out->]`(IV) assembled from computer hardware or computer software components that are widely available for sale to the public;[<-Struck out]
[Struck out->]`(ii) not designed, developed, or tailored by the manufacturer for specific purchasers or users, except that any such purchaser or user may--[<-Struck out]
[Struck out->]`(I) supply certain installation parameters needed by the computer hardware or software to function properly with the computer system of the user or purchaser; or[<-Struck out]
[Struck out->]`(II) select from among options contained in the computer hardware or computer software; and[<-Struck out]
[Struck out->]`(iii) with respect to which the manufacturer of that computer hardware or computer software--[<-Struck out]
[Struck out->]`(I) intended for the user or purchaser, including any licensee or transferee, to install the computer hardware or software and has supplied the necessary instructions to do so, except that the manufacturer of the computer hardware or software, or any agent of such manufacturer, may also provide telephone or electronic mail help line services for installation, electronic transmission, or basic operations; and[<-Struck out]
[Struck out->]`(II) the computer hardware or software is designed for such installation by the user or purchaser without further substantial support by the manufacturer;[<-Struck out]
[Struck out->]`(C) the term `computing device' means a device which incorporates one or more microprocessor-based central processing units that can accept, store, process, or provide output of data;[<-Struck out]
[Struck out->]`(D) the term `computer hardware' includes, but is not limited to, computer systems, equipment, application-specific assemblies, smart cards, modules, integrated circuits, and printed circuit board assemblies;[<-Struck out]
[Struck out->]`(E) the term `customer premises equipment' means equipment employed on the premises of a person to originate, route, or terminate communications;[<-Struck out]
[Struck out->]`(F) the term `technical assistance' includes instruction, skills training, working knowledge, consulting services, and the transfer of technical data;[<-Struck out]
[Struck out->]`(G) the term `technical data' includes blueprints, plans, diagrams, models, formulas, tables, engineering designs and specifications, and manuals and instructions written or recorded on other media or devices such as disks, tapes, or read-only memories; and[<-Struck out]
[Struck out->]`(H) the term `technical review' means a review by the Secretary of computer hardware or software or computing devices with encryption capabilities, based on information about the product's encryption capabilities supplied by the manufacturer, that the computer hardware or software or computing device works as represented.'.[<-Struck out]
[Struck out->] (b) NO REINSTATEMENT OF EXPORT CONTROLS ON PREVIOUSLY DECONTROLLED PRODUCTS- Any encryption product not requiring an export license as of the date of enactment of this Act, as a result of administrative decision or rulemaking, shall not require an export license on or after such date of enactment. [<-Struck out]
[Struck out->] (c) APPLICABILITY OF CERTAIN EXPORT CONTROLS- [<-Struck out]
[Struck out->](1) IN GENERAL- Nothing in this Act shall limit the authority of the President under the International Emergency Economic Powers Act, the Trading with the enemy Act, or the Export Administration Act of 1979, to--[<-Struck out]
[Struck out->](A) prohibit the export of encryption products to countries that have been determined to repeatedly provide support for acts of international terrorism; or[<-Struck out]
[Struck out->](B) impose an embargo on exports to, and imports from, a specific country.[<-Struck out]
[Struck out->](2) SPECIFIC DENIALS- The Secretary may prohibit the export of specific encryption products to an individual or organization in a specific foreign country identified by the Secretary, if the Secretary determines that there is substantial evidence that such encryption products will be used for military or terrorist end-use.[<-Struck out]
[Struck out->](3) DEFINITION- As used in this subsection and subsection (b), the term `encryption' has the meaning given that term in section 17(g)(5)(A) of the Export Administration Act of 1979, as added by subsection (a) of this section.[<-Struck out]
[Struck out->] (d) CONTINUATION OF EXPORT ADMINISTRATION ACT- For purposes of carrying out the amendment made by subsection (a), the Export Administration Act of 1979 shall be deemed to be in effect. [<-Struck out]
SEC. 4. EFFECT ON LAW ENFORCEMENT ACTIVITIES. [<-Struck out] [Struck out->] (a) COLLECTION OF INFORMATION BY ATTORNEY GENERAL- The Attorney General shall compile, and maintain in classified form, data on the instances in which encryption (as defined in section 2801 of title 18, United States Code) has interfered with, impeded, or obstructed the ability of the Department of Justice to enforce the criminal laws of the United States. [<-Struck out]
[Struck out->] (b) AVAILABILITY OF INFORMATION TO THE CONGRESS- The information compiled under subsection (a), including an unclassified summary thereof, shall be made available, upon request, to any Member of Congress. [<-Struck out]
This Act may be cited as the `Security And Freedom through Encryption (SAFE) Act'.
For purposes of this Act, the following definitions shall apply:
(1) COMPUTER HARDWARE- The term `computer hardware' includes computer systems, equipment, application-specific assemblies, smart cards, modules, integrated circuits, printed circuit board assemblies, and devices that incorporate 1 or more microprocessor-based central processing units that are capable of accepting, storing, processing, or providing output of data.
(2) ENCRYPT AND ENCRYPTION- The terms `encrypt' and `encryption' means the scrambling (and descrambling) of wire communications, electronic communications, or electronically stored information, using mathematical formulas or algorithms to preserve the confidentiality, integrity, or authenticity of, and prevent unauthorized recipients from accessing or altering, such communications or information.
(3) ENCRYPTION PRODUCT- The term `encryption product'--
(A) means computer hardware, computer software, or technology with encryption capabilities; and
(B) includes any subsequent version of or update to an encryption product, if the encryption capabilities are not changed.
(4) KEY- The term `key' means the variable information used in a mathematical formula, code, or algorithm, or any component thereof, used to decrypt wire communications, electronic communications, or electronically stored information, that has been encrypted.
(5) KEY RECOVERY INFORMATION- The term `key recovery information' means information that would enable obtaining the key of a user of encryption.
(6) PERSON- The term `person' has the meaning given the term in section 2510 of title 18, United States Code.
(7) SECRETARY- The term `Secretary' means the Secretary of Commerce.
(8) STATE- The term `State' means any State of the United States and includes the District of Columbia and any commonwealth, territory, or possessions of the United States.
(9) UNITED STATES PERSON- The term `United States person' means any--
(A) United States citizen; or
(B) legal entity that--
(i) is organized under the laws of the United States, or any States, the District of Columbia, or any commonwealth, territory, or possession of the United States; and
(ii) has its principal place of business in the United States.
(10) WIRE COMMUNICATION; ELECTRONIC COMMUNICATION- The terms `wire communication' and `electronic communication' have the meanings given such terms in section 2510 of title 18, United States Code.
(a) STATEMENT OF POLICY- It is the policy of the United States that the use, development, manufacture, sale, distribution, and importation of encryption products, standards, and services for purposes of assuring the confidentiality, authenticity, or integrity of electronic information shall be voluntary and market driven.
(b) LIMITATION ON REGULATION- Neither the Federal Government nor a State may establish any conditions, ties, or links between encryption products, standards, and services used for confidentiality, and those used for authenticity or integrity purposes.
Except as otherwise provided by this Act, it is lawful for any person within any State, and for any United States person in a foreign country, to develop, manufacture, sell, distribute, import, or use any encryption product, regardless of the encryption algorithm selected, encryption key length chosen, existence of key recovery, or other plaintext access capability, or implementation or medium used.
(a) IN GENERAL- No department, agency, or instrumentality of the United States or of any State may require that, set standards for, condition any approval on, create incentives for, or tie any benefit to a requirement that, a decryption key, access to a key, key recovery information, or any other plaintext access capability be--
(1) required to be built into computer hardware or software for any purpose;
(2) given to any other person (including a department, agency, or instrumentality of the United States or an entity in the private sector that may be certified or approved by the United States or a State); or
(3) retained by the owner or user of an encryption key or any other person, other than for encryption products for the use of the United States Government or a State government.
(b) PROTECTION OF EXISTING ACCESS- Subsection (a) does not affect the authority of any investigative or law enforcement officer, or any member of the intelligence community (as defined in section 3 of the National Security Act of 1947 (50 U.S.C. 401a)), acting under any law in effect on the date of the enactment of this Act, to gain access to encrypted communications or information.
(a) ENCRYPTION OF INCRIMINATING COMMUNICATIONS OR INFORMATION UNLAWFUL- Any person who, in the commission of a felony under a criminal statute of the United States, knowingly and willfully encrypts incriminating communications or information relating to that felony with the intent to conceal such communications or information for the purpose of avoiding detection by law enforcement agencies or prosecution--
(1) in the case of a first offense under this section, shall be imprisoned for not more than 5 years, or fined under title 18, United States Code, or both; and
(2) in the case of a second or subsequent offense under this section, shall be imprisoned for not more than 10 years, or fined under title 18, United States Code, or both.
(b) USE OF ENCRYPTION NOT A BASIS FOR PROBABLE CAUSE- The use of encryption by any person shall not be the sole basis for establishing probable cause with respect to a criminal offense or a search warrant.
(a) AMENDMENT TO EXPORT ADMINISTRATION ACT OF 1979- Section 17 of the Export Administration Act of 1979 (50 U.S.C. App. 2416) is amended by adding at the end the following new subsection:
`(g) CERTAIN CONSUMER PRODUCTS, COMPUTERS, AND RELATED EQUIPMENT-
`(1) GENERAL RULE- Subject to paragraphs (2), (3), and (4), the Secretary shall have exclusive authority to control exports of all computer hardware, software, computing devices, customer premises equipment, communications network equipment, and technology for information security (including encryption), except that which is specifically designed or modified for military use, including command, control, and intelligence applications.
`(2) CRITICAL INFRASTRUCTURE PROTECTION PRODUCTS-
`(A) IDENTIFICATION- Not later than 90 days after the date of the enactment of the Security And Freedom through Encryption (SAFE) Act, the Assistant Secretary of Commerce for Communications and Information and the National Telecommunications and Information Administration shall issue regulations that identify, define, or determine which products and equipment described in paragraph (1) are designed for improvement of network security, network reliability, or data security.
`(B) NTIA RESPONSIBILITY- Not later than the expiration of the 2-year period beginning on the date of the enactment of the Security And Freedom through Encryption (SAFE) Act, all authority of the Secretary under this subsection and all determinations and reviews required by this section, with respect to products and equipment described in paragraph (1) that are designed for improvement of network security, network reliability, or data security through the use of encryption, shall be exercised through and made by the Assistant Secretary of Commerce for Communications and Information and the National Telecommunications and Information Administration. The Secretary may, at any time, assign to the Assistant Secretary and the NTIA authority of the Secretary under this section with respect to other products and equipment described in paragraph (1).
`(3) ITEMS NOT REQUIRING LICENSES- After a one-time technical review by the Secretary of not more than 30 working days, which shall include consultation with the Secretary of Defense, the Secretary of State, the Attorney General, and the Director of Central Intelligence, no export license may be required, except pursuant to the Trading with the Enemy Act or the International Emergency Economic Powers Act (but only to the extent that the authority of such Act is not exercised to extend controls imposed under this Act), for the export or reexport of--
`(A) any computer hardware or software or computing device, including computer hardware or software or computing devices with encryption capabilities--
`(i) that is generally available;
`(ii) that is in the public domain for which copyright or other protection is not available under title 17, United States Code, or that is available to the public because it is generally accessible to the interested public in any form; or
`(iii) that is used in a commercial, off-the-shelf, consumer product or any component or subassembly designed for use in such a consumer product available within the United States or abroad which--
`(I) includes encryption capabilities which are inaccessible to the end user; and
`(II) is not designed for military or intelligence end use;
`(B) any computing device solely because it incorporates or employs in any form--
`(i) computer hardware or software (including computer hardware or software with encryption capabilities) that is exempted from any requirement for a license under subparagraph (A); or
`(ii) computer hardware or software that is no more technically complex in its encryption capabilities than computer hardware or software that is exempted from any requirement for a license under subparagraph (A) but is not designed for installation by the purchaser;
`(C) any computer hardware or software or computing device solely on the basis that it incorporates or employs in any form interface mechanisms for interaction with other computer hardware or software or computing devices, including computer hardware and software and computing devices with encryption capabilities;
`(D) any computing or telecommunication device which incorporates or employs in any form computer hardware or software encryption capabilities which--
`(i) are not directly available to the end user; or
`(ii) limit the encryption to be point-to-point from the user to a central communications point or link and does not enable end-to-end user encryption;
`(E) technical assistance and technical data used for the installation or maintenance of computer hardware or software or computing devices with encryption capabilities covered under this subsection; or
`(F) any encryption hardware or software or computing device not used for confidentiality purposes, such as authentication, integrity, electronic signatures, nonrepudiation, or copy protection.
`(4) COMPUTER HARDWARE OR SOFTWARE OR COMPUTING DEVICES WITH ENCRYPTION CAPABILITIES- After a one-time technical review by the Secretary of not more than 30 working days, which shall include consultation with the Secretary of Defense, the Secretary of State, the Attorney General, and the Director of Central Intelligence, the Secretary shall authorize the export or reexport of computer hardware or software or computing devices with encryption capabilities for nonmilitary end uses in any country--
`(A) to which exports of computer hardware or software or computing devices of comparable strength are permitted for use by financial institutions not controlled in fact by United States persons, unless there is substantial evidence that such computer hardware or software or computing devices will be--
`(i) diverted to a military end use or an end use supporting international terrorism;
`(ii) modified for military or terrorist end use;
`(iii) reexported without any authorization by the United States that may be required under this Act; or
`(iv)(I) harmful to the national security of the United States, including capabilities of the United States in fighting drug trafficking, terrorism, or espionage, (II) used in illegal activities involving the sexual exploitation of, abuse of, or sexually explicit conduct with minors (including activities in violation of chapter 110 of title 18, United States Code, and section 2423 of such title), or (III) used in illegal activities involving organized crime; or
`(B) if the Secretary determines that a computer hardware or software or computing device offering comparable security is commercially available in such country from a foreign supplier, without effective restrictions.
`(5) DEFINITIONS- For purposes of this subsection--
`(A) the term `computer hardware' has the meaning given such term in section 2 of the Security And Freedom through Encryption (SAFE) Act;
`(B) the term `computing device' means a device which incorporates one or more microprocessor-based central processing units that can accept, store, process, or provide output of data;
`(C) the term `customer premises equipment' means equipment employed on the premises of a person to originate, route, or terminate communications;
`(D) the term `data security' means the protection, through techniques used by individual computer and communications users, of data from unauthorized penetration, manipulation, or disclosure;
`(E) the term `encryption' has the meaning given such term in section 2 of the Security And Freedom through Encryption (SAFE) Act;
`(F) the term `generally available' means, in the case of computer hardware or computer software (including computer hardware or computer software with encryption capabilities)--
`(i) computer hardware or computer software that is--
`(I) distributed through the Internet;
`(II) offered for sale, license, or transfer to any person without restriction, whether or not for consideration, including, but not limited to, over-the-counter retail sales, mail order transactions, phone order transactions, electronic distribution, or sale on approval;
`(III) preloaded on computer hardware or computing devices that are widely available for sale to the public; or
`(IV) assembled from computer hardware or computer software components that are widely available for sale to the public;
`(ii) not designed, developed, or tailored by the manufacturer for specific purchasers or users, except that any such purchaser or user may--
`(I) supply certain installation parameters needed by the computer hardware or software to function properly with the computer system of the user or purchaser; or
`(II) select from among options contained in the computer hardware or computer software; and
`(iii) with respect to which the manufacturer of that computer hardware or computer software--
`(I) intended for the user or purchaser, including any licensee or transferee, to install the computer hardware or software and has supplied the necessary instructions to do so, except that the manufacturer of the computer hardware or software, or any agent of such manufacturer, may also provide telephone or electronic mail help line services for installation, electronic transmission, or basic operations; and
`(II) the computer hardware or software is designed for such installation by the user or purchaser without further substantial support by the manufacturer;
`(G) the term `network reliability' means the prevention, through techniques used by providers of computer and communications services, of the malfunction, and the promotion of the continued operations, of computer or communications network;
`(H) the term `network security' means the prevention, through techniques used by providers of computer and communications services, of unauthorized penetration, manipulation, or disclosure of information of a computer or communications network;
`(I) the term `technical assistance' includes instruction, skills training, working knowledge, consulting services, and the transfer of technical data;
`(J) the term `technical data' includes blueprints, plans, diagrams, models, formulas, tables, engineering designs and specifications, and manuals and instructions written or recorded on other media or devices such as disks, tapes, or read-only memories; and
`(K) the term `technical review' means a review by the Secretary of computer hardware or software or computing devices with encryption capabilities, based on information about the product's encryption capabilities supplied by the manufacturer, that the computer hardware or software or computing device works as represented.'.
(b) TRANSFER OF AUTHORITY TO NATIONAL TELECOMMUNICATIONS AND INFORMATION ADMINISTRATION- Section 103(b) of the National Telecommunications and Information Administration Organization Act (47 U.S.C. 902(b)) is amended by adding at the end the following new paragraph:
`(4) EXPORT OF COMMUNICATIONS TRANSACTION TECHNOLOGIES- In accordance with section 17(g)(2) of the Export Administration Act of 1979 (50 U.S.C. App. 2416(g)(2)), the Secretary shall assign to the Assistant Secretary and the NTIA the authority of the Secretary under such section 17(g), with respect to products and equipment described in paragraph (1) of such section that are designed for improvement of network security, network reliability, or data security, that (after the expiration of the 2-year period beginning on the date of the enactment of the Security And Freedom through Encryption (SAFE) Act) is to be exercised by the Assistant Secretary and the NTIA.'.
(c) NO REINSTATEMENT OF EXPORT CONTROLS ON PREVIOUSLY DECONTROLLED PRODUCTS- Any encryption product not requiring an export license as of the date of enactment of this Act, as a result of administrative decision or rulemaking, shall not require an export license on or after such date of enactment.
(d) APPLICABILITY OF CERTAIN EXPORT CONTROLS-
(1) IN GENERAL- Nothing in this Act shall limit the authority of the President under the International Emergency Economic Powers Act, the Trading with the Enemy Act, or the Export Administration Act of 1979, to--
(A) prohibit the export of encryption products to countries that have been determined to repeatedly provide support for acts of international terrorism; or
(B) impose an embargo on exports to, and imports from, a specific country.
(2) SPECIFIC DENIALS- The Secretary of Commerce may prohibit the export of specific encryption products to an individual or organization in a specific foreign country identified by the Secretary, if the Secretary determines that there is substantial evidence that such encryption products will be--
(A) used for military or terrorist end-use or modified for military or terrorist end use;
(B) harmful to United States national security, including United States capabilities in fighting drug trafficking, terrorism, or espionage;
(C) used in illegal activities involving the sexual exploitation of, abuse of, or sexually explicit conduct with minors (including activities in violation of chapter 110 of title 18, United States Code, and section 2423 of such title); or
(D) used in illegal activities involving organized crime.
(3) OTHER EXPORT CONTROLS- An encryption product is subject to any export control imposed on that product for any reason other than the existence of encryption capability. Nothing in this Act or the amendments made by this Act alters the ability of the Secretary of Commerce to control exports of products for reasons other than encryption.
(e) CONTINUATION OF EXPORT ADMINISTRATION ACT- For purposes of carrying out the amendment made by subsection (a), the Export Administration Act of 1979 shall be deemed to be in effect.
(a) STATEMENT OF POLICY- It is the policy of the United States--
(1) to permit the public to interact with government through commercial networks and infrastructure; and
(2) to protect the privacy and security of any electronic communication from, or stored information obtained from, the public.
(b) PURCHASE OF ENCRYPTION PRODUCTS BY FEDERAL GOVERNMENT- Any department, agency, or instrumentality of the United States may purchase encryption products for internal use by officers and employees of the United States to the extent and in the manner authorized by law.
(c) PROHIBITION OF REQUIREMENT FOR CITIZENS TO PURCHASE SPECIFIED PRODUCTS- No department, agency, or instrumentality of the United States, nor any department, agency, or political subdivision of a State, may require any person in the private sector to use any particular encryption product or methodology, including products with a decryption key, access to a key, key recovery information, or any other plaintext access capability, to communicate with, or transact business with, the government.
Part A of the National Telecommunications and Information Administration Organization Act is amended by inserting after section 105 (47 U.S.C. 904) the following new section:
`(a) ESTABLISHMENT- There is established in the NTIA a National Electronic Technologies Center (in this section referred to as the `NET Center').
`(b) DIRECTOR- The NET Center shall have a Director, who shall be appointed by the Assistant Secretary.
`(c) DUTIES- The duties of the NET Center shall be--
`(1) to serve as a center for industry and government entities to exchange information and methodology regarding data security techniques and technologies;
`(2) to examine encryption techniques and methods to facilitate the ability of law enforcement to gain efficient access to plaintext of communications and electronic information;
`(3) to conduct research to develop efficient methods, and improve the efficiency of existing methods, of accessing plaintext of communications and electronic information;
`(4) to investigate and research new and emerging techniques and technologies to facilitate access to communications and electronic information, including --
`(A) reverse-steganography;
`(B) decompression of information that previously has been compressed for transmission; and
`(C) de-multiplexing;
`(5) to obtain information regarding the most current computer hardware and software, telecommunications, and other capabilities to understand how to access information transmitted across computer and communications networks; and
`(6) to serve as a center for Federal, State, and local law enforcement authorities for information and assistance regarding decryption and other access requirements.
`(d) EQUAL ACCESS- State and local law enforcement agencies and authorities shall have access to information, services, resources, and assistance provided by the NET Center to the same extent that Federal law enforcement agencies and authorities have such access.
`(e) PERSONNEL- The Director may appoint such personnel as the Director considers appropriate to carry out the duties of the NET Center.
`(f) ASSISTANCE OF OTHER FEDERAL AGENCIES- Upon the request of the Director of the NET Center, the head of any department or agency of the Federal Government may, to assist the NET Center in carrying out its duties under this section--
`(1) detail, on a reimbursable basis, any of the personnel of such department or agency to the NET Center; and
`(2) provide to the NET Center facilities, information, and other non-personnel resources.
`(g) PRIVATE INDUSTRY ASSISTANCE- The NET Center may accept, use, and dispose of gifts, bequests, or devises of money, services, or property, both real and personal, for the purpose of aiding or facilitating the work of the Center. Gifts, bequests, or devises of money and proceeds from sales of other property received as gifts, bequests, or devises shall be deposited in the Treasury and shall be available for disbursement upon order of the Director of the NET Center.
`(h) ADVISORY BOARD-
`(1) ESTABLISHMENT- There is established the Advisory Board of the NET Center (in this subsection referred to as the `Advisory Board'), which shall be comprised of 11 members who shall have the qualifications described in paragraph (2) and who shall be appointed by the Assistant Secretary not later than 6 months after the date of the enactment of this Act. The chairman of the Advisory Board shall be designated by the Assistant Secretary at the time of appointment.
`(2) QUALIFICATIONS- Each member of the Advisory Board shall have experience or expertise in the field of encryption, decryption, electronic communication, information security, electronic commerce, or law enforcement.
`(3) DUTIES- The duty of the Advisory Board shall be to advise the NET Center and the Federal Government regarding new and emerging technologies relating to encryption and decryption of communications and electronic information.
`(i) IMPLEMENTATION PLAN- Within 2 months after the date of the enactment of this Act, the Assistant Secretary, in consultation and cooperation with other appropriate Federal agencies and appropriate industry participants, develop and cause to be published in the Federal Register a plan for establishing the NET Center. The plan shall--
`(1) specify the physical location of the NET Center and the equipment, software, and personnel resources necessary to carry out the duties of the NET Center under this section;
`(2) assess the amount of funding necessary to establish and operate the NET Center; and
`(3) identify sources of probable funding for the NET Center, including any sources of in-kind contributions from private industry.'.
Part C of the National Telecommunications and Information Administration Organization Act is amended by adding at the end the following new section:
`(a) IN GENERAL- The NTIA shall conduct an examination of--
`(1) the relationship between--
`(A) network reliability (for communications and computer networks), network security (for such networks), and data security issues; and
`(B) the conduct, in interstate commerce, of electronic commerce transactions, including through the medium of the telecommunications networks, the Internet, or other interactive computer systems;
`(2) the availability of various methods for encrypting communications; and
`(3) the effects of various methods of providing access to encrypted communications and to information to further law enforcement activities.
`(b) SPECIFIC ISSUES- In conducting the examination required by subsection (a), the NTIA shall--
`(1) analyze and evaluate the requirements under paragraphs (3) and (4) of section 17(g) of the Export Administration Act of 1979 (50 U.S.C. App. 2416(g); as added by section 7(a) of this Act) for products referred to in such paragraphs to qualify for the license exemption or mandatory export authorization under such paragraphs, and determine--
`(A) the scope and applicability of such requirements and the products that, at the time of the examination, qualify for such license exemption or export authorization; and
`(B) the products that will, 12 months after the examination is conducted, qualify for such license exemption or export authorization; and
`(2) assess possible methods for providing access to encrypted communications and to information to further law enforcement activities.
`(c) REPORTS- Within one year after the date of enactment of this section, the NTIA shall submit to the Congress and the President a detailed report on the examination required by subsections (a) and (b). Annually thereafter, the NTIA shall submit to the Congress and the President an update on such report.
`(d) DEFINITIONS- For purposes of this section--
`(1) the terms `data security', `encryption', `network reliability', and `network security' have the meanings given such terms in section 17(g)(5) of the Export Administration Act of 1979 (50 U.S.C. App. 2416(g)(5)); and
`(2) the terms `Internet' and `interactive computer systems' have the meanings provided by section 230(e) of the Communications Act of 1934 (47 U.S.C. 230(e)).'.
(a) INQUIRY REGARDING IMPEDIMENTS TO COMMERCE- Within 180 days after the date of the enactment of this Act, the Secretary of Commerce shall complete an inquiry to--
(1) identify any domestic and foreign impediments to trade in encryption products and services and the manners in which and extent to which such impediments inhibit the development of interstate and foreign commerce; and
(2) identify import restrictions imposed by foreign nations that constitute trade barriers to providers of encryption products or services.
The Secretary shall submit a report to the Congress regarding the results of such inquiry by such date.
(b) REMOVAL OF IMPEDIMENTS TO TRADE- Within 1 year after such date of enactment, the Secretary shall prescribe such regulations as may be necessary to reduce the impediments to trade in encryption products and services identified in the inquiry pursuant to subsection (a) for the purpose of facilitating the development of interstate and foreign commerce. Such regulations shall be designed to--
(1) promote the sale and distribution, including through electronic commerce, in foreign commerce of encryption products and services manufactured in the United States; and
(2) strengthen the competitiveness of domestic providers of encryption products and services in foreign commerce, including electronic commerce.
(c) INTERNATIONAL AGREEMENTS-
(1) REPORT TO PRESIDENT- Upon the completion of the inquiry under subsection (a), the Secretary shall submit a report to the President regarding reducing any impediments to trade in encryption products and services that are identified by the inquiry and could, in the determination of the Secretary, require international negotiations for such reduction.
(2) NEGOTIATIONS- The President shall take all actions necessary to conduct negotiations with other countries for the purposes of (A) concluding international agreements on the promotion of encryption products and services, and (B) achieving mutual recognition of countries' export controls, in order to meet the needs of countries to preserve national security, safeguard privacy, and prevent commercial espionage. The President may consider a country's refusal to negotiate such international export and mutual recognition agreements when considering the participation of the United States in any cooperation or assistance program with that country. The President shall submit a report to the Congress regarding the status of international efforts regarding cryptography not later than December 31, 2000.
(a) COLLECTION OF INFORMATION BY ATTORNEY GENERAL- The Attorney General shall compile, and maintain in classified form, data on the instances in which encryption (as defined in section 2801 of title 18, United States Code) has interfered with, impeded, or obstructed the ability of the Department of Justice to enforce the criminal laws of the United States.
(b) AVAILABILITY OF INFORMATION TO THE CONGRESS- The information compiled under subsection (a), including an unclassified summary thereof, shall be made available, upon request, to any Member of Congress.
(a) PROHIBITION- Whoever knowingly and willfully transfers to the People's Liberation Army or to any Communist Chinese military company any encryption product that utilizes a key length of more than 56 bits--
(1) in the case of a first offense under this section, shall be imprisoned for not more than 5 years, or fined under title 18, United States Code, or both; and
(2) in the case of second or subsequent offense under this section, shall be imprisoned for not more than 10 years, or fined under title 18, United States Code, or both.
(b) DEFINITIONS- For purposes of this section:
(1) COMMUNIST CHINESE MILITARY COMPANY- (A) Subject to subparagraph (B), the term `Communist Chinese military company' has the meaning given that term in section 1237(b)(4) of the Strom Thurmond National Defense Authorization Act for Fiscal Year 1999 (50 U.S.C. 1701 note).
(B) At such time as the determination and publication of persons are made under section 1237(b)(1) of the Strom Thurmond National Defense Authorization Act for Fiscal Year 1999, the term `Communist Chinese military company' shall mean the list of those persons so published, as revised under section 1237(b)(2) of that Act.
(2) PEOPLE'S LIBERATION ARMY- The term `People's Liberation Army' has the meaning given that term in section 1237(c) of the Strom Thurmond National Defense Authorization Act for Fiscal Year 1999.
Whoever is required by an order of any court to provide to the court or any other party any information in such person's possession which has been encrypted and who, having possession of the key or such other capability to decrypt such information into the readable or comprehensible format of such information prior to its encryption, fails to provide such information in accordance with the order in such readable or comprehensible form--
(1) in the case of a first offense under this section, shall be imprisoned for not more than 5 years, or fined under title 18, United States Code, or both; and
(2) in the case of second or subsequent offense under this section, shall be imprisoned for not more than 10 years, or fined under title 18 United States Code, or both.
This Act may be cited as the `Security And Freedom through Encryption (SAFE) Act'.
(a) IN GENERAL- Part I of title 18, United States Code, is amended by inserting after chapter 123 the following new chapter:
`Sec.
`2801. Definitions.
`2802. Freedom to use encryption.
`2803. Freedom to sell encryption.
`2804. Prohibition on mandatory key escrow.
`2805. Unlawful use of encryption in furtherance of a criminal act.
`As used in this chapter--
`(1) the terms `person', `State', `wire communication', `electronic communication', `investigative or law enforcement officer', and `judge of competent jurisdiction' have the meanings given those terms in section 2510 of this title;
`(2) the term `decrypt' means to retransform or unscramble encrypted data, including communications, to its readable form;
`(3) the terms `encrypt', `encrypted', and `encryption' mean the scrambling of wire communications, electronic communications, or electronically stored information, using mathematical formulas or algorithms in order to preserve the confidentiality, integrity, or authenticity of, and prevent unauthorized recipients from accessing or altering, such communications or information;
`(4) the term `key' means the variable information used in a mathematical formula, code, or algorithm, or any component thereof, used to decrypt wire communications, electronic communications, or electronically stored information, that has been encrypted; and
`(5) the term `key recovery information' means information that would enable obtaining the key of a user of encryption;
`(6) the term `plaintext access capability' means any method or mechanism which would provide information in readable form prior to its being encrypted or after it has been decrypted;
`(7) the term `United States person' means--
`(A) any United States citizen;
`(B) any other person organized under the laws of any State, the District of Columbia, or any commonwealth, territory, or possession of the United States; and
`(C) any person organized under the laws of any foreign country who is owned or controlled by individuals or persons described in subparagraphs (A) and (B).
`Subject to section 2805, it shall be lawful for any person within any State, and for any United States person in a foreign country, to use any encryption, regardless of the encryption algorithm selected, encryption key length chosen, or implementation technique or medium used.
`Subject to section 2805, it shall be lawful for any person within any State to sell in interstate commerce any encryption, regardless of the encryption algorithm selected, encryption key length chosen, or implementation technique or medium used.
`(a) GENERAL PROHIBITION- Neither the Federal Government nor a State may require that, or condition any approval on a requirement that, a key, access to a key, key recovery information, or any other plaintext access capability be--
`(1) built into computer hardware or software for any purpose;
`(2) given to any other person, including a Federal Government agency or an entity in the private sector that may be certified or approved by the Federal Government or a State to receive it; or
`(3) retained by the owner or user of an encryption key or any other person, other than for encryption products for use by the Federal Government or a State.
`(b) EXCEPTION FOR GOVERNMENT NATIONAL SECURITY AND LAW ENFORCEMENT PURPOSES- The prohibition contained in subsection (a) shall not apply to any department, agency, or instrumentality of the United States, or to any department, agency, or political subdivision of a State, that has a valid contract with a nongovernmental entity that is assisting in the performance of national security or law enforcement activity.
`(c) EXCEPTION FOR ACCESS FOR LAW ENFORCEMENT PURPOSES- Subsection (a) shall not affect the authority of any investigative or law enforcement officer, or any member of the intelligence community as defined in section 3 of the National Security Act of 1947 (50 U.S.C. 401a), acting under any law in effect on the effective date of this chapter, to gain access to encrypted communications or information.
`(a) ENCRYPTION OF INCRIMINATING COMMUNICATIONS OR INFORMATION UNLAWFUL- Any person who, in the commission of a felony under a criminal statute of the United States, knowingly and willfully encrypts incriminating communications or information relating to that felony with the intent to conceal such communications or information for the purpose of avoiding detection by law enforcement agencies or prosecution--
`(1) in the case of a first offense under this section, shall be imprisoned for not more than 5 years, or fined in the amount set forth in this title, or both; and
`(2) in the case of a second or subsequent offense under this section, shall be imprisoned for not more than 10 years, or fined in the amount set forth in this title, or both.
`(b) USE OF ENCRYPTION NOT A BASIS FOR PROBABLE CAUSE- The use of encryption by any person shall not be the sole basis for establishing probable cause with respect to a criminal offense or a search warrant.'.
(b) CONFORMING AMENDMENT- The table of chapters for part I of title 18, United States Code, is amended by inserting after the item relating to chapter 123 the following new item:
2801'.
(a) AMENDMENT TO EXPORT ADMINISTRATION ACT OF 1979- Section 17 of the Export Administration Act of 1979 (50 U.S.C. App. 2416) is amended by adding at the end thereof the following new subsection:
`(g) CERTAIN CONSUMER PRODUCTS, COMPUTERS, AND RELATED EQUIPMENT-
`(1) GENERAL RULE- Subject to paragraphs (2) and (3), the Secretary shall have exclusive authority to control exports of all computer hardware, software, computing devices, customer premises equipment, communications network equipment, and technology for information security (including encryption), except that which is specifically designed or modified for military use, including command, control, and intelligence applications.
`(2) ITEMS NOT REQUIRING LICENSES- After a 1-time technical review by the Secretary, which shall be completed not later than 30 working days after submission of the product concerned for such technical review, no export license may be required, except pursuant to the Trading with the enemy Act or the International Emergency Economic Powers Act (but only to the extent that the authority of such Act is not exercised to extend controls imposed under this Act), for the export or reexport of--
`(A) any computer hardware or software or computing device, including computer hardware or software or computing devices with encryption capabilities--
`(i) that is generally available;
`(ii) that is in the public domain for which copyright or other protection is not available under title 17, United States Code, or that is available to the public because it is generally accessible to the interested public in any form; or
`(iii) that is used in a commercial, off-the-shelf, consumer product or any component or subassembly designed for use in such a consumer product available within the United States or abroad which--
`(I) includes encryption capabilities which are inaccessible to the end user; and
`(II) is not designed for military or intelligence end use;
`(B) any computing device solely because it incorporates or employs in any form--
`(i) computer hardware or software (including computer hardware or software with encryption capabilities) that is exempted from any requirement for a license under subparagraph (A); or
`(ii) computer hardware or software that is no more technically complex in its encryption capabilities than computer hardware or software that is exempted from any requirement for a license under subparagraph (A) but is not designed for installation by the purchaser;
`(C) any computer hardware or software or computing device solely on the basis that it incorporates or employs in any form interface mechanisms for interaction with other computer hardware or software or computing devices, including computer hardware and software and computing devices with encryption capabilities;
`(D) any computing or telecommunication device which incorporates or employs in any form computer hardware or software encryption capabilities which--
`(i) are not directly available to the end user; or
`(ii) limit the encryption to be point-to-point from the user to a central communications point or link and does not enable end-to-end user encryption;
`(E) technical assistance and technical data used for the installation or maintenance of computer hardware or software or computing devices with encryption capabilities covered under this subsection; or
`(F) any encryption hardware or software or computing device not used for confidentiality purposes, such as authentication, integrity, electronic signatures, nonrepudiation, or copy protection.
`(3) COMPUTER HARDWARE OR SOFTWARE OR COMPUTING DEVICES WITH ENCRYPTION CAPABILITIES- After a 1-time technical review by the Secretary, which shall be completed not later than 30 working days after submission of the product concerned for such technical review, the Secretary shall authorize the export or reexport of computer hardware or software or computing devices with encryption capabilities for nonmilitary end uses in any country--
`(A) to which exports of computer hardware or software or computing devices of comparable strength are permitted for use by financial institutions not controlled in fact by United States persons, unless there is credible evidence that such computer hardware or software or computing devices will be--
`(i) diverted to a military end use or an end use supporting international terrorism;
`(ii) modified for military or terrorist end use; or
`(iii) reexported without any authorization by the United States that may be required under this Act; or
`(B) if the Secretary determines that a computer hardware or software or computing device offering comparable security is commercially available outside the United States from a foreign supplier, without effective restrictions.
`(4) EXPORTS TO MAJOR DRUG-TRANSIT AND ILLICIT DRUG PRODUCING COUNTRIES- The Secretary, before approving any export or reexport of encryption products to any major drug-transit country or major illicit drug producing country identified under section 490(h) of the Foreign Assistance Act of 1961, shall consult with the Attorney General of the United States, the Director of the Federal Bureau of Investigation, and the Administrator of the Drug Enforcement Administration on the potential impact of such export or reexport on the flow of illicit drugs into the United States. This paragraph shall not authorize the denial of an export of an encryption product, or of the issuance of a specific export license, for which such denial is not otherwise appropriate, solely because the country of destination is a major drug-transit country or major illicit drug producing country.
`(5) DEFINITIONS- As used in this subsection--
`(A)(i) the term `encryption' means the scrambling of wire communications, electronic communications, or electronically stored information, using mathematical formulas or algorithms in order to preserve the confidentiality, integrity, or authenticity of, and prevent unauthorized recipients from accessing or altering, such communications or information;
`(ii) the terms `wire communication' and `electronic communication' have the meanings given those terms in section 2510 of title 18, United States Code;
`(B) the term `generally available' means, in the case of computer hardware or computer software (including computer hardware or computer software with encryption capabilities)--
`(i) computer hardware or computer software that is--
`(I) distributed through the Internet;
`(II) offered for sale, license, or transfer to any person without restriction, whether or not for consideration, including, but not limited to, over-the-counter retail sales, mail order transactions, phone order transactions, electronic distribution, or sale on approval;
`(III) preloaded on computer hardware or computing devices that are widely available for sale to the public; or
`(IV) assembled from computer hardware or computer software components that are widely available for sale to the public;
`(ii) not designed, developed, or tailored by the manufacturer for specific purchasers or users, except that any such purchaser or user may--
`(I) supply certain installation parameters needed by the computer hardware or software to function properly with the computer system of the user or purchaser; or
`(II) select from among options contained in the computer hardware or computer software;
`(iii) with respect to which the manufacturer of that computer hardware or computer software--
`(I) intended for the user or purchaser, including any licensee or transferee, to install the computer hardware or software and has supplied the necessary instructions to do so, except that the manufacturer of the computer hardware or software, or any agent of such manufacturer, may also provide telephone or electronic mail help line services for installation, electronic transmission, or basic operations; and
`(II) the computer hardware or software is designed for such installation by the user or purchaser without further substantial support by the manufacturer; and
`(iv) offered for sale, license, or transfer to any person without restriction, whether or not for consideration, including, but not limited to, over-the-counter retail sales, mail order transactions, phone order transactions, electronic distribution, or sale on approval;
`(C) the term `computing device' means a device which incorporates one or more microprocessor-based central processing units that can accept, store, process, or provide output of data;
`(D) the term `computer hardware' includes, but is not limited to, computer systems, equipment, application-specific assemblies, smart cards, modules, integrated circuits, and printed circuit board assemblies;
`(E) the term `customer premises equipment' means equipment employed on the premises of a person to originate, route, or terminate communications;
`(F) the term `technical assistance' includes instruction, skills training, working knowledge, consulting services, and the transfer of technical data;
`(G) the term `technical data' includes blueprints, plans, diagrams, models, formulas, tables, engineering designs and specifications, and manuals and instructions written or recorded on other media or devices such as disks, tapes, or read-only memories; and
`(H) the term `technical review' means a review by the Secretary of computer hardware or software or computing devices with encryption capabilities, based on information about the product's encryption capabilities supplied by the manufacturer, that the computer hardware or software or computing device works as represented.'.
(b) NO REINSTATEMENT OF EXPORT CONTROLS ON PREVIOUSLY DECONTROLLED PRODUCTS- Any encryption product not requiring an export license as of the date of enactment of this Act, as a result of administrative decision or rulemaking, shall not require an export license on or after such date of enactment.
(c) APPLICABILITY OF CERTAIN EXPORT CONTROLS-
(1) IN GENERAL- Nothing in this Act shall limit the authority of the President under the International Emergency Economic Powers Act, the Trading with the enemy Act, or the Export Administration Act of 1979, to--
(A) prohibit the export of encryption products to countries that have been determined to repeatedly provide support for acts of international terrorism;
(B) prohibit the export or reexport of any encryption product with an encryption strength of more than 56 bits to any military unit of the People's Republic of China, including the People's Liberation Army (as defined in section 1237(c) of the Strom Thurmond National Defense Authorization Act for Fiscal Year 1999 (50 U.S.C. 1701 note)); or
(C) impose an embargo on exports to, and imports from, a specific country.
(2) SPECIFIC DENIALS- The Secretary of Commerce may prohibit the export of specific encryption products to an individual or organization in a specific foreign country or countries identified by the Secretary, if the Secretary, in consultation with the Secretary of Defense, the Secretary of State, the Attorney General, the Director of the Federal Bureau of Investigation, the Administrator of the Drug Enforcement Administration, and the Director of Central Intelligence, determines that there is credible evidence that such encryption products will be used--
(A) for military or terrorist end-use;
(B) to facilitate the import of illicit drugs into the United States;
(C) in the manufacture of weapons of mass destruction or otherwise to assist in the proliferation of weapons of mass destruction; or
(D) for illegal activities involving the sexual exploitation of, abuse of, or sexually explicit conduct with minors.
(3) OTHER EXPORT CONTROLS- Any encryption product is subject to export controls for any reason other than the existence of encryption capability, including export controls imposed on high performance computers. Nothing in this Act or the amendments made by this Act alters the ability of the Secretary of Commerce to control exports for reasons other than encryption capabilities.
(4) DEFINITION- As used in this subsection and subsection (b), the term `encryption' has the meaning given that term in section 17(g)(5)(A) of the Export Administration Act of 1979, as added by subsection (a) of this section.
(d) CONTINUATION OF EXPORT ADMINISTRATION ACT- For purposes of carrying out the amendment made by subsection (a), the Export Administration Act of 1979 shall be deemed to be in effect.
(a) COLLECTION OF INFORMATION BY ATTORNEY GENERAL- The Attorney General shall compile, and maintain in classified form, data on the instances in which encryption (as defined in section 2801 of title 18, United States Code) has interfered with, impeded, or obstructed the ability of the Department of Justice to enforce the criminal laws of the United States.
(b) AVAILABILITY OF INFORMATION TO THE CONGRESS- The information compiled under subsection (a), including an unclassified summary thereof, shall be made available, upon request, to any Member of Congress.
[ SECTION 1. SHORT TITLE. [Struck out->][ This Act may be cited as the `Protection of National Security and Public Safety Act'.
[ SEC. 2. EXPORTS OF ENCRYPTION. [Struck out->][ (a) AUTHORITY TO CONTROL EXPORTS- The President shall control the export of all dual-use encryption products.
[Struck out->][ (b) AUTHORITY TO DENY EXPORT FOR NATIONAL SECURITY REASONS- Notwithstanding any provision of this Act, the President may deny the export of any encryption product on the basis that its export is contrary to the national security interests of the United States.
[Struck out->][ (c) DECISIONS NOT SUBJECT TO JUDICIAL REVIEW- Any decision made by the President or his designee with respect to the export of encryption products under this Act shall not be subject to judicial review.
[ SEC. 3. LICENSE EXCEPTION FOR CERTAIN ENCRYPTION PRODUCTS. [Struck out->][ Encryption products with encryption strength equal to or less than the level identified in section 5 shall be eligible for export under a license exception if--
[Struck out->][ (1) such encryption product is submitted for a 1-time technical review;
[Struck out->][ (2) such encryption product does not require licensing under otherwise applicable regulations;
[Struck out->][ (3) such encryption product is not intended for a country, end user, or end use that is by regulation ineligible to receive such product, and the encryption product is otherwise qualified for export; and
[Struck out->][ (4) the exporter, at the time of submission of the product for technical review, provides the names and addresses of its distribution chain partners.
[ SEC. 4. ONE-TIME PRODUCT REVIEW. [Struck out->][ The President shall specify the information that must be submitted for the 1-time review referred to in section 3.
[ SEC. 5. ELIGIBILITY LEVELS. [Struck out->][ (a) INITIAL ELIGIBILITY LEVEL- Not later than 180 days after the date of the enactment of this Act, the President shall notify the Congress of the maximum level of encryption strength that may be exported from the United States under license exception pursuant to section 3 without harm to the national security interests of the United States. Such level shall not become effective until 30 days after such notification.
[Struck out->][ (b) PERIODIC REVIEW OF ELIGIBILITY LEVEL- The President shall, at the end of each successive 180-day period after the notice provided to the Congress under subsection (a), notify the Congress of the maximum level of encryption strength, which may not be lower than that in effect under this section during that 180-day period, that may be exported from the United States under a license exception pursuant to section 3 without harm to the national security interests of the United States. Such level shall not become effective until 30 days after such notification.
[ SEC. 6. ENCRYPTION LICENSES REQUIRED. [Struck out->][ (a) UNITED STATES PRODUCTS EXCEEDING CERTAIN BIT LENGTH- An export license is required for the export of any encryption product designed or manufactured within the United States with an encryption strength exceeding the maximum level eligible for a license exception under section 3.
[Struck out->][ (b) REQUIREMENTS FOR EXPORT LICENSE APPLICATION- To apply for an export license, the applicant shall submit--
[Struck out->][ (1) the product for technical review;
[Struck out->][ (2) a certification identifying--
[Struck out->][ (A) the intended end use of the product; and
[Struck out->][ (B) the expected end user of the product;
[Struck out->][ (3) in instances where the export is to a distribution chain partner--
[Struck out->][ (A) proof that the distribution chain partner has contractually agreed to abide by all laws and regulations of the United States concerning the export and reexport of encryption products designed or manufactured within the United States; and
[Struck out->][ (B) the name and address of the distribution chain partner; and
[Struck out->][ (4) any other information required by the President.
[Struck out->][ (c) POST-EXPORT REPORTING-
[Struck out->][ (1) UNAUTHORIZED USE- Any exporter of encryption products that are designed or manufactured within the United States shall submit a report to the Secretary at any time the exporter has reason to believe that any such product exported pursuant to this section is being diverted to a use or user not approved at the time of export.
[Struck out->][ (2) DISTRIBUTION CHAIN PARTNERS- All exporters of encryption products that are designed and manufactured within the United States, and all distribution chain partners of such exporters, shall submit to the Secretary a report which shall specify--
[Struck out->][ (A) the particular product sold;
[Struck out->][ (B) the name and address of the end user of the product; and
[Struck out->][ (C) the intended use of the product sold.
[ SEC. 7. WAIVER AUTHORITY. [Struck out->][ (a) IN GENERAL- The President may by Executive order waive the applicability of any provision of section 3 to a person or entity if the President determines that the waiver is necessary to protect the national security interests of the United States. The President shall, not later than 15 days after making such determination, submit a report to the committees referred to in subsection (c) that includes the factual basis upon which such determination was made. The report may be in classified format.
[Struck out->][ (b) WAIVERS FOR CERTAIN CLASSES OF END USERS- The President may by Executive order waive the licensing requirements of section 6 for specific classes of end users identified as being eligible for receipt of encryption commodities and software under license exception in section 740.17 of title 15, Code of Federal Regulations, as in effect on July 17, 1999. The President shall, not later than 15 days after issuing such a waiver, submit a report to the committees referred to in subsection (c) that includes the factual basis upon which such waiver was made. The report may be in classified format.
[Struck out->][ (c) COMMITTEES- The committees referred to in subsections (a) and (b) are the Committee on International Relations, the Committee on Armed Services, and the Permanent Select Committee on Intelligence of the House of Representatives, and the Committee on Foreign Relations, the Committee on Armed Services, and the Select Committee on Intelligence of the Senate.
[ SEC. 8. ENCRYPTION INDUSTRY AND INFORMATION SECURITY BOARD. [Struck out->][ (a) ENCRYPTION INDUSTRY AND INFORMATION SECURITY BOARD ESTABLISHED- There is hereby established an Encryption Industry and Information Security Board. The Board shall undertake an advisory role for the President on the matter of foreign availability of encryption products.
[Struck out->][ (b) MEMBERSHIP- (1) The Board shall be composed of 12 members, as follows:
[Struck out->][ (A) The Secretary, or the Secretary's designee.
[Struck out->][ (B) The Attorney General, or his or her designee.
[Struck out->][ (C) The Secretary of Defense, or his or her designee.
[Struck out->][ (D) The Director of Central Intelligence, or his or her designee.
[Struck out->][ (E) The Director of the Federal Bureau of Investigation, or his or her designee.
[Struck out->][ (F) The Special Assistant to the President for National Security Affairs, or his or her designee, who shall chair the Board.
[Struck out->][ (G) Six representatives from the private sector who have expertise in the development, operation, marketing, law, or public policy relating to information security or technology. Members under this subparagraph shall each serve for 5-year terms.
[Struck out->][ (2) The six private sector representatives described in paragraph (1)(G) shall be appointed as follows:
[Struck out->][ (A) Two by the Speaker of the House of Representatives.
[Struck out->][ (B) One by the Minority Leader of the House of Representatives.
[Struck out->][ (C) Two by the Majority Leader of the Senate.
[Struck out->][ (D) One by the Minority Leader of the Senate.
[Struck out->][ (c) MEETINGS- The Board shall meet at such times and in such places as the Secretary may prescribe, but not less frequently than every four months.
[Struck out->][ (d) FINDINGS AND RECOMMENDATIONS- The chair of the Board shall convey the findings and recommendations of the Board to the President and to the Congress within 30 days after each meeting of the Board. The recommendations of the Board are not binding upon the President.
[Struck out->][ (e) LIMITATION- The Board shall have no authority to review any export determination made pursuant to this Act.
[Struck out->][ (f) TERMINATION- This section shall cease to be effective 10 years after the date of the enactment of this Act.
[ SEC. 9. MARKET SHARE SURVEY. [Struck out->][ The Secretary shall, at least once every 6 months, conduct a market share survey of foreign markets for encryption products. The Secretary shall publish the results of the survey in the Federal Register. The publication shall include an assessment of the market share of each foreign encryption product in each market surveyed and a description of the general characteristics of each encryption product.
[ SEC. 10. DEFINITIONS. [Struck out->][ In this Act:
[Struck out->][ (1) ENCRYPTION- The term `encryption' means the transformation or scrambling of data, for the purpose of protecting such data, from plaintext to an unreadable or incomprehensible format, regardless of the techniques used for such transformation or scrambling and regardless of the medium in which such data occur or can be found.
[Struck out->][ (2) EXPORT AND EXPORTER- The term `export' includes reexport, the term `exporter' includes `reexporter'.
[Struck out->][ (3) SECRETARY- The term `Secretary' means the Secretary of Commerce. ][<-Struck out]
(a) SHORT TITLE- This Act may be cited as the `Encryption for the National Interest Act'.
(b) TABLE OF CONTENTS- The table of contents is as follows:
Sec. 1. Short title; table of contents.
Sec. 2. Statement of policy.
Sec. 3. Congressional findings.
Sec. 101. Definitions.
Sec. 102. Lawful use of encryption.
Sec. 103. Unlawful use of encryption.
Sec. 201. Federal purchases of encryption products.
Sec. 202. Networks established with Federal funds.
Sec. 203. Government contract authority.
Sec. 204. Product labels.
Sec. 205. No private mandate.
Sec. 206. Exclusion.
Sec. 301. Exports of encryption.
Sec. 302. License exception for certain encryption products.
Sec. 303. Discretionary authority.
Sec. 304. Expedited review authority.
Sec. 305. Encryption licenses required.
Sec. 306. Encryption Industry and Information Security Board.
Sec. 401. Compliance with court order.
Sec. 402. Compliance defense.
Sec. 403. Good faith defense.
Sec. 501. Sense of Congress.
Sec. 502. Failure to negotiate.
Sec. 503. Report to Congress.
Sec. 601. Effect on law enforcement activities.
Sec. 602. Interpretation.
Sec. 603. FBI technical support.
Sec. 604. Severability.
It is the policy of the United States to protect public computer networks through the use of strong encryption technology, to promote the export of encryption products developed and manufactured in the United States, and to preserve public safety and national security.
The Congress finds the following:
(1) Information security technology, encryption, is--
(A) fundamental to secure the flow of intelligence information to national policy makers;
(B) critical to the President and national command authority of the United States;
(C) necessary to the Secretary of State for the development and execution of the foreign policy of the United States;
(D) essential to the Secretary of Defense's responsibilities to ensure the effectiveness of the Armed Forces of the United States;
(E) invaluable to the protection of the citizens of the United States from fraud, theft, drug trafficking, child pornography; kidnapping, and money laundering; and
(F) basic to the protection of the nation's critical infrastructures, including electrical grids, banking and financial systems, telecommunications, water supplies, and transportation.
(2) The goal of any encryption legislation should be to enhance and promote the global market strength of United States encryption manufacturers, while guaranteeing that national security and public safety obligations of the Government can still be accomplished.
(3) It is essential to the national security interests of the United States that United States encryption products dominate the global market.
(4) Widespread use of unregulated encryption products poses a significant threat to the national security interests of the United States.
(5) Leaving the national security and public safety responsibilities of the Government to the marketplace alone is not consistent with the obligations of the Government to protect the public safety and to defend the Nation.
(6) In order for the United States position in the global market to benefit the national security interests of the United States, it is imperative that the export of encryption products be subject to a dynamic and constructive export control regime.
(7) Export of commercial items are best managed through a regulatory structure which has flexibility to address constantly changing market conditions.
(8) Managing sensitive dual-use technologies, such as encryption products, is challenging in any regulatory environment due to the difficulty in balancing competing interests in national security, public safety, privacy, fair competition within the industry, and the dynamic nature of the technology.
(9) There is a widespread perception that the executive branch has not adequately balanced the equal and competing interests of national security, public safety, privacy, and industry.
(10) There is a perception that the current encryption export control policy has done more to disadvantage United States business interests than to promote and protect national security and public safety interests.
(11) A balance can and must be achieved between industry interests, national security, law enforcement requirements, and privacy needs.
(12) A court order process should be required for access to plaintext, where and when available, and criminal and civil penalties should be imposed for misuse of decryption information.
(13) Timely access to plaintext capability is--
(A) necessary to thwarting potential terrorist activities;
(B) extremely useful in the collection of foreign intelligence;
(C) indispensable to force protection requirements;
(D) critical to the investigation and prosecution of criminals; and
(E) both technically and economically possible.
(14) The United States Government should encourage the development of those products that would provide a capability allowing law enforcement (Federal, State, and local), with a court order only, to gain timely access to the plaintext of either stored data or data in transit.
(15) Unless law enforcement has the benefit of such market encouragement, drug traffickers, spies, child pornographers, pedophiles, kidnappers, terrorists, mobsters, weapons proliferators, fraud schemers, and other criminals will be able to use encryption software to protect their criminal activity and hinder the criminal justice system.
(16) An effective regulatory approach to manage the proliferation of encryption products which have dual-use capabilities must be maintained and greater confidence in the ability of the executive branch to preserve and promote the competitive advantage of the United States encryption industry in the global market must be provided.
For purposes of this Act:
(1) ATTORNEY FOR THE GOVERNMENT- The term `attorney for the Government' has the meaning given such term in Rule 54(c) of the Federal Rules of Criminal Procedure, and also includes any duly authorized attorney of a State who is authorized to prosecute criminal offenses within such State.
(2) AUTHORIZED PARTY- The term `authorized party' means any person with the legal authority to obtain decryption information or plaintext of encrypted data, including communications.
(3) COMMUNICATIONS- The term `communications' means any wire communications or electronic communications as those terms are defined in paragraphs (1) and (12) of section 2510 of title 18, United States Code.
(4) COURT OF COMPETENT JURISDICTION- The term `court of competent jurisdiction' means any court of the United States organized under Article III of the Constitution of the United States, the court organized under the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.), or a court of general criminal jurisdiction of a State authorized pursuant to the laws of such State to enter orders authorizing searches and seizures.
(5) DATA NETWORK SERVICE PROVIDER- The term `data network service provider' means a person offering any service to the general public that provides the users thereof with the ability to transmit or receive data, including communications.
(6) DECRYPTION- The term `decryption' means the retransformation or unscrambling of encrypted data, including communications, to its readable plaintext version. To `decrypt' data, including communications, is to perform decryption.
(7) DECRYPTION INFORMATION- The term `decryption information' means information or technology that enables one to readily retransform or unscramble encrypted data from its unreadable and incomprehensible format to its readable plaintext version.
(8) ELECTRONIC STORAGE- The term `electronic storage' has the meaning given that term in section 2510(17) of title 18, United States Code.
(9) ENCRYPTION- The term `encryption' means the transformation or scrambling of data, including communications, from plaintext to an unreadable or incomprehensible format, regardless of the technique utilized for such transformation or scrambling and irrespective of the medium in which such data, including communications, occur or can be found, for the purposes of protecting the content of such data, including communications. To `encrypt' data, including communications, is to perform encryption.
(10) ENCRYPTION PRODUCT- The term `encryption product' means any software, technology, commodity, or mechanism, that can be used to encrypt or decrypt or has the capability of encrypting or decrypting any data, including communications.
(11) FOREIGN AVAILABILITY- The term `foreign availability' has the meaning applied to foreign availability of encryption products subject to controls under the Export Administration Regulations, as in effect on July 1, 1999.
(12) GOVERNMENT- The term `Government' means the Government of the United States and any agency or instrumentality thereof, or the government of any State, and any of its political subdivisions.
(13) INVESTIGATIVE OR LAW ENFORCEMENT OFFICER- The term `investigative or law enforcement officer' has the meaning given that term in section 2510(7) of title 18, United States Code.
(14) NATIONAL SECURITY- The term `national security' means the national defense, intelligence, or foreign policy interests of the United States.
(15) PLAINTEXT- The term `plaintext' means the readable or comprehensible format of that data, including communications, which has been encrypted.
(16) PLAINVOICE- The term `plainvoice' means communication specific plaintext.
(17) SECRETARY- The term `Secretary' means the Secretary of Commerce, unless otherwise specifically identified.
(18) STATE- The term `State' has the meaning given that term in section 2510(3) of title 18, United States Code.
(19) TELECOMMUNICATIONS CARRIER- The term `telecommunications carrier' has the meaning given that term in section 3 of the Communications Act of 1934 (47 U.S.C. 153).
(20) TELECOMMUNICATIONS SYSTEM- The term `telecommunications system' means any equipment, technology, or related software used in the movement, switching, interchange, transmission, reception, or internal signaling of data, including communications over wire, fiber optic, radio frequency, or any other medium.
(21) UNITED STATES PERSON- The term `United States person' means--
(A) any citizen of the United States;
(B) any other person organized under the laws of any State; and
(C) any person organized under the laws of any foreign country who is owned or controlled by individuals or persons described in subparagraphs (A) and (B).
Except as otherwise provided by this Act or otherwise provided by law, it shall be lawful for any person within any State and for any United States person to use any encryption product, regardless of encryption algorithm selected, encryption bit length chosen, or implementation technique or medium used.
(a) IN GENERAL- Part I of title 18, United States Code, is amended by inserting after chapter 123 the following new chapter:
`2801. Unlawful use of encryption in furtherance of a criminal act.
`2802. Privacy protection.
`2803. Court order access to plaintext or decryption information.
`2804. Notification procedures.
`2805. Lawful use of plaintext or decryption information.
`2806. Identification of decryption information.
`2807. Definitions.
`(a) PROHIBITED ACTS- Whoever knowingly uses encryption in furtherance of the commission of a criminal offense for which the person may be prosecuted in a district court of the United States shall--
`(1) in the case of a first offense under this section, be imprisoned for not more than 5 years, or fined under this title, or both; and
`(2) in the case of a second or subsequent offense under this section, be imprisoned for not more than 10 years, or fined under this title, or both.
`(b) CONSECUTIVE SENTENCE- Notwithstanding any other provision of law, the court shall not place on probation any person convicted of a violation of this section, nor shall the term of imprisonment imposed under this section run concurrently with any other term of imprisonment imposed for the underlying criminal offense.
`(c) PROBABLE CAUSE NOT CONSTITUTED BY USE OF ENCRYPTION- The use of encryption by itself shall not establish probable cause to believe that a crime is being or has been committed.
`(a) IN GENERAL- It shall be unlawful for any person to intentionally--
`(1) obtain or use decryption information without lawful authority for the purpose of decrypting data, including communications;
`(2) exceed lawful authority in decrypting data, including communications;
`(3) break the encryption code of another person without lawful authority for the purpose of violating the privacy or security of that person or depriving that person of any property rights;
`(4) impersonate another person for the purpose of obtaining decryption information of that person without lawful authority;
`(5) facilitate or assist in the encryption of data, including communications, knowing that such data, including communications, are to be used in furtherance of a crime; or
`(6) disclose decryption information in violation of a provision of this chapter.
`(b) CRIMINAL PENALTY- Whoever violates this section shall be imprisoned for not more than 10 years, or fined under this title, or both.
`(a) COURT ORDER- (1) A court of competent jurisdiction shall issue an order, ex parte, granting an investigative or law enforcement officer timely access to the plaintext of encrypted data, including communications, or requiring any person in possession of decryption information to provide such information to a duly authorized investigative or law enforcement officer--
`(A) upon the application by an attorney for the Government that--
`(i) is made under oath or affirmation by the attorney for the Government; and
`(ii) provides a factual basis establishing the relevance that the plaintext or decryption information being sought has to a law enforcement, foreign counterintelligence, or international terrorism investigation then being conducted pursuant to lawful authorities; and
`(B) if the court finds, in writing, that the plaintext or decryption information being sought is relevant to an ongoing lawful law enforcement, foreign counterintelligence, or international terrorism investigation and the investigative or law enforcement officer is entitled to such plaintext or decryption information.
`(2) The order issued by the court under this section shall be placed under seal, except that a copy may be made available to the investigative or law enforcement officer authorized to obtain access to the plaintext of the encrypted information, or authorized to obtain the decryption information sought in the application. Such order shall, subject to the notification procedures set forth in section 2804, also be made available to the person responsible for providing the plaintext or the decryption information, pursuant to such order, to the investigative or law enforcement officer.
`(3) Disclosure of an application made, or order issued, under this section, is not authorized, except as may otherwise be specifically permitted by this section or another order of the court.
`(b) RECORD OF ACCESS REQUIRED- (1) There shall be created an electronic record, or similar type record, of each instance in which an investigative or law enforcement officer, pursuant to an order under this section, gains access to the plaintext of otherwise encrypted information, or is provided decryption information, without the knowledge or consent of the owner of the data, including communications, who is the user of the encryption product involved.
`(2) The court issuing the order under this section may require that the electronic or similar type of record described in paragraph (1) is maintained in a place and a manner that is not within the custody or control of an investigative or law enforcement officer gaining the access or provided the decryption information. The record shall be tendered to the court, upon notice from the court.
`(3) The court receiving such electronic or similar type of record described in paragraph (1) shall make the original and a certified copy of the record available to the attorney for the Government making application under this section, and to the attorney for, or directly to, the owner of the data, including communications, who is the user of the encryption product, pursuant to the notification procedures set forth in section 2804.
`(c) AUTHORITY TO INTERCEPT COMMUNICATIONS NOT INCREASED- Nothing in this chapter shall be construed to enlarge or modify the circumstances or procedures under which a Government entity is entitled to intercept or obtain oral, wire, or electronic communications or information.
`(d) CONSTRUCTION- This chapter shall be strictly construed to apply only to a Government entity's ability to decrypt data, including communications, for which it has previously obtained lawful authority to intercept or obtain pursuant to other lawful authorities, which without an order issued under this section would otherwise remain encrypted.
`(a) IN GENERAL- Within a reasonable time, but not later than 90 days after the filing of an application for an order under section 2803 which is granted, the court shall cause to be served, on the persons named in the order or the application, and such other parties whose decryption information or whose plaintext has been provided to an investigative or law enforcement officer pursuant to this chapter, as the court may determine is in the interest of justice, an inventory which shall include notice of--
`(1) the fact of the entry of the order or the application;
`(2) the date of the entry of the application and issuance of the order; and
`(3) the fact that the person's decryption information or plaintext data, including communications, has been provided or accessed by an investigative or law enforcement officer.
The court, upon the filing of a motion, may make available to that person or that person's counsel, for inspection, such portions of the plaintext, applications, and orders as the court determines to be in the interest of justice.
`(b) POSTPONEMENT OF INVENTORY FOR GOOD CAUSE- (1) On an ex parte showing of good cause by an attorney for the Government to a court of competent jurisdiction, the serving of the inventory required by subsection (a) may be postponed for an additional 30 days after the granting of an order pursuant to the ex parte motion.
`(2) No more than 3 ex parte motions pursuant to paragraph (1) are authorized.
`(c) ADMISSION INTO EVIDENCE- The content of any encrypted information that has been obtained pursuant to this chapter or evidence derived therefrom shall not be received in evidence or otherwise disclosed in any trial, hearing, or other proceeding in a Federal or State court, other than the court organized pursuant to the Foreign Intelligence Surveillance Act of 1978, unless each party, not less than 10 days before the trial, hearing, or proceeding, has been furnished with a copy of the order, and accompanying application, under which the decryption or access to plaintext was authorized or approved. This 10-day period may be waived by the court if the court finds that it was not possible to furnish the party with the information described in the preceding sentence within 10 days before the trial, hearing, or proceeding and that the party will not be prejudiced by the delay in receiving such information.
`(d) CONSTRUCTION- The provisions of this chapter shall be construed consistent with--
`(1) the Classified Information Procedures Act (18 U.S.C. App.); and
`(2) the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.).
`(e) CONTEMPT- Any violation of the provisions of this section may be punished by the court as a contempt thereof.
`(f) MOTION TO SUPPRESS- Any aggrieved person in any trial, hearing, or proceeding in or before any court, department, officer, agency, regulatory body, or other authority of the United States or a State, other than the court organized pursuant to the Foreign Intelligence Surveillance Act of 1978, may move to suppress the contents of any decrypted data, including communications, obtained pursuant to this chapter, or evidence derived therefrom, on the grounds that --
`(1) the plaintext was decrypted or accessed in violation of this chapter;
`(2) the order of authorization or approval under which it was decrypted or accessed is insufficient on its face; or
`(3) the decryption was not made in conformity with the order of authorization or approval.
Such motion shall be made before the trial, hearing, or proceeding unless there was no opportunity to make such motion, or the person was not aware of the grounds of the motion. If the motion is granted, the plaintext of the decrypted data, including communications, or evidence derived therefrom, shall be treated as having been obtained in violation of this chapter. The court, upon the filing of such motion by the aggrieved person, may make available to the aggrieved person or that person's counsel for inspection such portions of the decrypted plaintext, or evidence derived therefrom, as the court determines to be in the interests of justice.
`(g) APPEAL BY UNITED STATES- In addition to any other right to appeal, the United States shall have the right to appeal from an order granting a motion to suppress made under subsection (f), or the denial of an application for an order under section 2803, if the attorney for the Government certifies to the court or other official granting such motion or denying such application that the appeal is not taken for purposes of delay. Such appeal shall be taken within 30 days after the date the order was entered on the docket and shall be diligently prosecuted.
`(h) CIVIL ACTION FOR VIOLATION- Except as otherwise provided in this chapter, any person described in subsection (i) may, in a civil action, recover from the United States Government the actual damages suffered by the person as a result of a violation described in that subsection, reasonable attorney's fees, and other litigation costs reasonably incurred in prosecuting such claim.
`(i) COVERED PERSONS- Subsection (h) applies to any person whose decryption information--
`(1) is knowingly obtained without lawful authority by an investigative or law enforcement officer;
`(2) is obtained by an investigative or law enforcement officer with lawful authority and is knowingly used or disclosed by such officer unlawfully; or
`(3) is obtained by an investigative or law enforcement officer with lawful authority and whose decryption information is unlawfully used to disclose the plaintext of the data, including communications.
`(j) LIMITATION- A civil action under subsection (h) shall be commenced not later than 2 years after the date on which the unlawful action took place, or 2 years after the date on which the claimant first discovers the violation, whichever is later.
`(k) EXCLUSIVE REMEDIES- The remedies and sanctions described in this chapter with respect to the decryption of data, including communications, are the only judicial remedies and sanctions for violations of this chapter involving such decryptions, other than violations based on the deprivation of any rights, privileges, or immunities secured by the Constitution.
`(l) TECHNICAL ASSISTANCE BY PROVIDERS- A provider of encryption technology or network service that has received an order issued by a court pursuant to this chapter shall provide to the investigative or law enforcement officer concerned such technical assistance as is necessary to execute the order. Such provider may, however, move the court to modify or quash the order on the ground that its assistance with respect to the decryption or access to plaintext cannot be performed in fact, or in a timely or reasonable fashion. The court, upon notice to the Government, shall decide such motion expeditiously.
`(m) REPORTS TO CONGRESS- In May of each year, the Attorney General, or an Assistant Attorney General specifically designated by the Attorney General, shall report in writing to Congress on the number of applications made and orders entered authorizing Federal, State, and local law enforcement access to decryption information for the purposes of reading the plaintext of otherwise encrypted data, including communications, pursuant to this chapter. Such reports shall be submitted to the Committees on the Judiciary of the House of Representatives and of the Senate, and to the Permanent Select Committee on Intelligence for the House of Representatives and the Select Committee on Intelligence for the Senate.
`(a) AUTHORIZED USE OF DECRYPTION INFORMATION-
`(1) CRIMINAL INVESTIGATIONS- An investigative or law enforcement officer to whom plaintext or decryption information is provided may only use such plaintext or decryption information for the purposes of conducting a lawful criminal investigation, foreign counterintelligence, or international terrorism investigation, and for the purposes of preparing for and prosecuting any criminal violation of law.
`(2) CIVIL REDRESS- Any plaintext or decryption information provided under this chapter to an investigative or law enforcement officer may not be disclosed, except by court order, to any other person for use in a civil proceeding that is unrelated to a criminal investigation and prosecution for which the plaintext or decryption information is authorized under paragraph (1). Such order shall only issue upon a showing by the party seeking disclosure that there is no alternative means of obtaining the plaintext, or decryption information, being sought and the court also finds that the interests of justice would not be served by nondisclosure.
`(b) LIMITATION- An investigative or law enforcement officer may not use decryption information obtained under this chapter to determine the plaintext of any data, including communications, unless it has obtained lawful authority to obtain such data, including communications, under other lawful authorities.
`(c) RETURN OF DECRYPTION INFORMATION- An attorney for the Government shall, upon the issuance of an order of a court of competent jurisdiction--
`(1)(A) return any decryption information to the person responsible for providing it to an investigative or law enforcement officer pursuant to this chapter; or
`(B) destroy such decryption information, if the court finds that the interests of justice or public safety require that such decryption information should not be returned to the provider; and
`(2) within 10 days after execution of the court's order to return or destroy the decryption information--
`(A) certify to the court that the decryption information has either been returned or destroyed consistent with the court's order; and
`(B) if applicable, notify the provider of the decryption information of the destruction of such information.
`(d) OTHER DISCLOSURE OF DECRYPTION INFORMATION- Except as otherwise provided in section 2803, decryption information or the plaintext of otherwise encrypted data, including communications, shall not be disclosed by any person unless the disclosure is--
`(1) to the person encrypting the data, including communications, or an authorized agent thereof;
`(2) with the consent of the person encrypting the data, including pursuant to a contract entered into with the person;
`(3) pursuant to a court order upon a showing of compelling need for the information that cannot be accommodated by any other means if--
`(A) the person who supplied the information is given reasonable notice, by the person seeking the disclosure, of the court proceeding relevant to the issuance of the court order; and
`(B) the person who supplied the information is afforded the opportunity to appear in the court proceeding and contest the claim of the person seeking the disclosure;
`(4) pursuant to a determination by a court of competent jurisdiction that another person is lawfully entitled to hold such decryption information, including determinations arising from legal proceedings associated with the incapacity, death, or dissolution of any person; or
`(5) otherwise permitted by law.
`(a) IDENTIFICATION- To avoid inadvertent disclosure of decryption information, any person who provides decryption information to an investigative or law enforcement officer pursuant to this chapter shall specifically identify that part of the material that discloses decryption information as such.
`(b) RESPONSIBILITY OF INVESTIGATIVE OR LAW ENFORCEMENT OFFICER- The investigative or law enforcement officer receiving any decryption information under this chapter shall maintain such information in a facility and in a method so as to reasonably assure that inadvertent disclosure does not occur.
`The definitions set forth in section 101 of the Encryption for the National Interest Act shall apply to this chapter.'.
(b) CONFORMING AMENDMENT- The table of chapters for part I of title 18, United States Code, is amended by inserting after the item relating to chapter 121 the following new item:
2801'.
(a) DECRYPTION CAPABILITIES- The President may, consistent with the provisions of subsection (b), direct that any encryption product or service purchased or otherwise procured by the United States Government to provide the security service of data confidentiality for a computer system owned and operated by the United States Government shall include recoverability features or functions that enable the timely decryption of encrypted data, including communications, or timely access to plaintext by an authorized party without the knowledge or cooperation of the person using such encryption products or services.
(b) CONSISTENCY WITH INTELLIGENCE SERVICES AND MILITARY OPERATIONS- The President shall ensure that all encryption products purchased or used by the United States Government are supportive of, and consistent with, all statutory obligations to protect sources and methods of intelligence collection and activities, and supportive of, and consistent with, those needs required for military operations and the conduct of foreign policy.
The President may direct that any communications network established for the purpose of conducting the business of the Federal Government shall use encryption products that--
(1) include features and functions that enable the timely decryption of encrypted data, including communications, or timely access to plaintext, by an authorized party without the knowledge or cooperation of the person using such encryption products or services; and
(2) are supportive of, and consistent with, all statutory obligations to protect sources and methods of intelligence collection and activities, and supportive of, and consistent with, those needs required for military operations and the conduct of foreign policy.
The President may require as a condition of any contract by the Government with a private sector vendor that any encryption product used by the vendor in carrying out the provisions of the contract with the Government include features and functions that enable the timely decryption of encrypted data, including communications, or timely access to plaintext, by an authorized party without the knowledge or cooperation of the person using such encryption products or services.
An encryption product may be labeled to inform Government users that the product is authorized for sale to or for use by Government agencies or Government contractors in transactions and communications with the United States Government under this title.
The United States Government may not require the use of encryption standards for the private sector except as otherwise authorized by section 204.
Nothing in this title shall apply to encryption products and services used solely for access control, authentication, integrity, nonrepudiation, digital signatures, or other similar purposes.
(a) AUTHORITY TO CONTROL EXPORTS- The President shall control the export of all dual-use encryption products.
(b) AUTHORITY TO DENY EXPORT FOR NATIONAL SECURITY REASONS- Notwithstanding any provision of this title, the President may deny the export of any encryption product on the basis that its export is contrary to the national security.
(c) DECISIONS NOT SUBJECT TO JUDICIAL REVIEW- Any decision made by the President or his designee with respect to the export of encryption products under this title shall not be subject to judicial review.
(a) LICENSE EXCEPTION- Upon the enactment of this Act, any encryption product with an encryption strength of 64 bits or less shall be eligible for export under a license exception if--
(1) such encryption product is submitted for a 1-time technical review;
(2) such encryption product does not require licensing under otherwise applicable regulations;
(3) such encryption product is not intended for a country, end user, or end use that is by regulation ineligible to receive such product, and the encryption product is otherwise qualified for export;
(4) the exporter, within 180 days after the export of the product, submits a certification identifying--
(A) the intended end use of the product; and
(B) the name and address of the intended recipient of the product, where available;
(5) the exporter, within 180 days of the export of the product, provides the names and addresses of its distribution chain partners; and
(6) the exporter, at the time of submission of the product for technical review, provides proof that its distribution chain partners have contractually agreed to abide by all laws and regulations of the United States concerning the export and reexport of encryption products designed or manufactured within the United States.
(b) ONE-TIME TECHNICAL REVIEW- (1) The technical review referred to in subsection (a) shall be completed within no longer than 45 days after the submission of all of the information required under paragraph (2).
(2) The President shall specify the information that must be submitted for the 1-time technical review referred to in this section.
(3) An encryption product may not be exported during the technical review of that product under this section.
(c) PERIODIC REVIEW OF LICENSE EXCEPTION ELIGIBILITY LEVEL- (1) Not later than 180 days after the date of the enactment of this Act, the President shall notify the Congress of the maximum level of encryption strength, which may not be lower than 64-bit, that may be exported from the United States under license exception pursuant to this section consistent with the national security.
(2) The President shall, at the end of each successive 180-day period after the notice provided to the Congress under paragraph (1), notify the Congress of the maximum level of encryption strength, which may not be lower than that in effect under this section during that 180-day period, that may be exported from the United States under a license exception pursuant to this section consistent with the national security.
(d) FACTORS NOT TO BE CONSIDERED- A license exception for the exports of an encryption product under this section may be allowed whether or not the product contains a method of decrypting encrypted data.
Notwithstanding the requirements of section 305, the President may permit the export, under a license exception pursuant to the conditions of section 302, of encryption products with an encryption strength exceeding the maximum level eligible for a license exception under section 302, if the export is consistent with the national security.
The President shall establish procedures for the expedited review of commodity classification requests, or export license applications, involving encryption products that are specifically approved, by regulation, for export.
(a) UNITED STATES PRODUCTS EXCEEDING CERTAIN BIT LENGTH- Except as permitted under section 303, in the case of all encryption products with an encryption strength exceeding the maximum level eligible for a license exception under section 302, which are designed or manufactured within the United States, the President may grant a license for export of such encryption products, under the following conditions:
(1) There shall not be any requirement, as a basis for an export license, that a product contains a method of--
(A) gaining timely access to plaintext; or
(B) gaining timely access to decryption information.
(2) The export license applicant shall submit--
(A) the product for technical review;
(B) a certification, under oath, identifying--
(i) the intended end use of the product; and
(ii) the expected end user or class of end users of the product;
(C) proof that its distribution chain partners have contractually agreed to abide by all laws and regulations of the United States concerning the export and reexport of encryption products designed or manufactured within the United States; and
(D) the names and addresses of its distribution chain partners.
(b) TECHNICAL REVIEW FOR LICENSE APPLICANTS- (1) The technical review described in subsection (a)(3)(A) shall be completed within 45 days after the submission of all the information required under paragraph (2).
(2) The information to be submitted for the technical review shall be the same as that required to be submitted pursuant to section 302(b)(2).
(3) An encryption product may not be exported during the technical review of that product under this section.
(c) POST-EXPORT REPORTING-
(1) UNAUTHORIZED USE- All exporters of encryption products that are designed or manufactured within the United States shall submit a report to the Secretary at any time the exporter has reason to believe any such exported product is being diverted to a use or a user not approved at the time of export.
(2) PIRATING- All exporters of encryption products that are designed or manufactured within the United States shall report any pirating of their technology or intellectual property to the Secretary as soon as practicable after discovery.
(3) DISTRIBUTION CHAIN PARTNERS- All exporters of encryption products that are designed or manufactured within the United States, and all distribution chain partners of such exporters, shall submit to the Secretary a report which shall specify--
(A) the particular product sold;
(B) the name and address of--
(i) the ultimate end user of the product, if known; or
(ii) the name and address of the next purchaser in the distribution chain; and
(C) the intended use of the product sold.
(d) EXERCISE OF OTHER AUTHORITIES- The Secretary, the Secretary of Defense, and the Secretary of State may exercise the authorities they have under other provisions of law, including the Export Administration Act of 1979, as continued in effect under the International Emergency Economic Powers Act, to carry out this title.
(e) WAIVER AUTHORITY-
(1) IN GENERAL- The President may by Executive order waive any provision of this title, or the applicability of any such provision to a person or entity, if the President determines that the waiver is necessary to advance the national security. The President shall, not later than 15 days after making such determination, submit a report to the committees referred to in paragraph (2) that includes the factual basis upon which such determination was made. The report may be in classified format.
(2) COMMITTEES- The committees referred to in paragraph (1) are the Committee on International Relations, the Committee on Armed Services, and the Permanent Select Committee on Intelligence of the House of Representatives, and the Committee on Foreign Relations, the Committee on Armed Services, and the Select Committee on Intelligence of the Senate.
(3) DECISIONS NOT SUBJECT TO JUDICIAL REVIEW- Any determination made by the President under this subsection shall not be subject to judicial review.
(a) ENCRYPTION INDUSTRY AND INFORMATION SECURITY BOARD ESTABLISHED- There is hereby established an Encryption Industry and Information Security Board. The Board shall undertake an advisory role for the President.
(b) PURPOSES- The purposes of the Board are--
(1) to provide a forum to foster communication and coordination between industry and the Federal Government on matters relating to the use of encryption products;
(2) to enable the United States to effectively and continually understand the benefits and risks to its national security, law enforcement, and public safety interests by virtue of the proliferation of strong encryption on the global market;
(3) to evaluate and make recommendations regarding the further development and use of encryption;
(4) to advance the development of international standards regarding interoperability and global use of encryption products;
(5) to promote the export of encryption products manufactured in the United States;
(6) to recommend policies enhancing the security of public networks;
(7) to encourage research and development of products that will foster electronic commerce;
(8) to promote the protection of intellectual property and privacy rights of individuals using public networks; and
(9) to evaluate the availability and market share of foreign encryption products and their threat to United States industry.
(c) MEMBERSHIP- (1) The Board shall be composed of 12 members, as follows:
(A) The Secretary, or the Secretary's designee.
(B) The Attorney General, or his or her designee.
(C) The Secretary of Defense, or the Secretary's designee.
(D) The Director of Central Intelligence, or his or her designee.
(E) The Director of the Federal Bureau of Investigation, or his or her designee.
(F) The Special Assistant to the President for National Security Affairs, or his or her designee, who shall chair the Board.
(G) Six representatives from the private sector who have expertise in the development, operation, marketing, law, or public policy relating to information security or technology. Members under this subparagraph shall each serve for 5-year terms.
(2) The six private sector representatives described in paragraph (1)(G) shall be appointed as follows:
(A) Two by the Speaker of the House of Representatives.
(B) One by the Minority Leader of the House of Representatives.
(C) Two by the Majority Leader of the Senate.
(D) One by the Minority Leader of the Senate.
(e) MEETINGS- The Board shall meet at such times and in such places as the Secretary may prescribe, but not less frequently than every four months. The Federal Advisory Committee Act (5 U.S.C. App.) does not apply to the Board or to meetings held by the Board under this section.
(f) FINDINGS AND RECOMMENDATIONS- The chair of the Board shall convey the findings and recommendations of the Board to the President and to the Congress within 30 days after each meeting of the Board. The recommendations of the Board are not binding upon the President.
(g) LIMITATION- The Board shall have no authority to review any export determination made pursuant to this title.
(h) FOREIGN AVAILABILITY- The consideration of foreign availability by the Board shall include computer software that is distributed over the Internet or advertised for sale, license, or transfer, including over-the-counter retail sales, mail order transactions, telephone order transactions, electronic distribution, or sale on approval and its comparability with United States products and its use in United States and foreign markets.
(i) TERMINATION- This section shall cease to be effective 10 years after the date of the enactment of this Act.
(a) NO LIABILITY FOR COMPLIANCE- Subject to subsection (b), no civil or criminal liability under this Act, or under any other provision of law, shall attach to any person for disclosing or providing--
(1) the plaintext of encrypted data, including communications;
(2) the decryption information of such encrypted data, including communications; or
(3) technical assistance for access to the plaintext of, or decryption information for, encrypted data, including communications.
(b) EXCEPTION- Subsection (a) shall not apply to a person who provides plaintext or decryption information to another in violation of the provisions of this Act.
Compliance with the provisions of sections 2803, 2804, 2805, or 2806 of title 18, United States Code, as added by section 103(a) of this Act, or any regulations authorized by this Act, shall provide a complete defense for any civil action for damages based upon activities covered by this Act, other than an action founded on contract.
An objectively reasonable reliance on the legal authority provided by this Act and the amendments made by this Act, authorizing access to the plaintext of otherwise encrypted data, including communications, or to decryption information that will allow the timely decryption of data, including communications, that is otherwise encrypted, shall be an affirmative defense to any criminal or civil action that may be brought under the laws of the United States or any State.
It is the sense of Congress that--
(1) the President should conduct negotiations with foreign governments for the purposes of establishing binding export control requirements on strong nonrecoverable encryption products; and
(2) such agreements should safeguard the privacy of the citizens of the United States, prevent economic espionage, and enhance the information security needs of the United States.
The President may consider a government's refusal to negotiate agreements described in section 501 when considering the participation of the United States in any cooperation or assistance program with that country.
(a) REPORT TO CONGRESS- The President shall report annually to the Congress on the status of the international effort outlined by section 501.
(b) FIRST REPORT- The first report required under subsection (a) shall be submitted in unclassified form no later than September 1, 2000.
(a) COLLECTION OF INFORMATION BY ATTORNEY GENERAL- The Attorney General shall compile, and maintain in classified form, data on--
(1) the instances in which encryption has interfered with, impeded, or obstructed the ability of the Department of Justice to enforce the laws of the United States; and
(2) the instances where the Department of Justice has been successful in overcoming any encryption encountered in an investigation.
(b) AVAILABILITY OF INFORMATION TO THE CONGRESS- The information compiled under subsection (a), including an unclassified summary thereof, shall be submitted to Congress annually beginning October 1, 2000.
Nothing contained in this Act or the amendments made by this Act shall be deemed to--
(1) preempt or otherwise affect the application of the Arms Export Control Act (22 U.S.C. 2751 et seq.), the Export Administration Act of 1979 (50 U.S.C. App. 2401 et seq.), or the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) or any regulations promulgated thereunder;
(2) affect foreign intelligence activities of the United States; or
(3) negate or diminish any intellectual property protections under the laws of the United States or of any State.
There are authorized to be appropriated for the Technical Support Center in the Federal Bureau of Investigation, established pursuant to section 811(a)(1) of the Antiterrorism and Effective Death Penalty Act of 1996 (Public Law 104-132)--
(1) $25,000,000 for fiscal year 2000 for building and personnel costs;
(2) $20,000,000 for fiscal year 2001 for personnel and equipment costs;
(3) $15,000,000 for fiscal year 2002; and
(4) $15,000,000 for fiscal year 2003.
If any provision of this Act or the amendments made by this Act, or the application thereof, to any person or circumstances is held invalid by a court of the United States, the remainder of this Act or such amendments, and the application thereof, to other persons or circumstances shall not be affected thereby.
Amend the title so as to read: `A bill to protect national security and public safety through the balanced use of export controls on encryption products.'.
END
Please send any questions or comments to webmaster@eff.org
