EPIC logo

[White House Document]

A BILL

To protect the privacy, security and safety of the people of the United States through support for the widespread use of encryption, protection of the security of cryptographic keys, and facilitation of access to the plaintext of data for legitimate law enforcement purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

 

TITLE I--GENERAL PROVISIONS

 

SEC. 101. SHORT TITLE.

This Act may be cited as the "Cyberspace Electronic Security Act of 1999".

 

SEC. 102. FINDINGS.

The Congress finds the following:

(a) The development of the information superhighway is fundamentally changing the way we interact. The nation's commerce is moving to networking. Individuals, government entities, and other institutions are communicating across common links.

(b) The Internet has provided our society with a glimpse of what is possible in the information age, and the demand for information access and electronic commerce is rapidly increasing. This demand is arising from all elements of society, including individuals, banks, manufacturers, online merchants, service providers, State and local governments, and educational institutions.

(c) At the same time, society's increasing reliance on information systems in this new environment exposes U.S. citizens, institutions, and their information to unprecedented risks.

(d) In order for the global information infrastructure and electronic commerce to achieve their potential, information systems must overcome these risks and must provide trusted methods to identify users and keep data and communications confidential.

(e) Cryptography can meet these needs. In particular, cryptography, through the technique of encryption, is an important tool in protecting the confidentiality of wire and electronic communications and stored data. Thus, there is a national need to encourage the development, adoption, and use of cryptographic products that are consistent with the foregoing considerations and are appropriate for use by private parties and by the United States Government.

(f) While encryption is an important tool for protecting the privacy of legitimate communications and stored data, it has also been used to facilitate and hide unlawful activity by terrorists, drug traffickers, child pornographers, and other criminals.

(g) The advent and eventual widespread use of encryption poses significant and heretofore unseen challenges to law enforcement and public safety. While under existing law, both statutory and constitutional in nature, law enforcement is provided with different means to collect evidence of illegal activity -- in the form of communications, stored data on computers, etc. -- these means are rendered wholly insufficient when encryption is utilized to scramble the information in such a manner that law enforcement, acting pursuant to lawful authority, cannot decipher the evidence.

(h) Technology does not presently exist that allows law enforcement timely to decrypt such information. In the context of law enforcement operations, for example, stopping a terrorist attack or seeking to recover a kidnaped child, time is of the essence and may mean the difference between success and catastrophic failure. While existing means of obtaining evidence would remain applicable in a fully-encrypted world, the failure to provide law enforcement with the necessary ability to obtain the plaintext, or decrypted "readable" version, of the evidence makes existing authorities useless.

(i) A sound and effective public policy must support the development and use of encryption for legitimate purposes but allow access to plaintext by law enforcement when encryption is utilized by criminals. Law enforcement entities have a critical need to decrypt communications and stored data that they are lawfully authorized to access in order to obtain the plaintext that is necessary to conduct investigations and prosecutions of such unlawful activity, and there is a compelling national interest in preserving law enforcement entities' ability to obtain such plaintext. Appropriate means must be available to fulfill these law enforcement objectives, consistent with existing legal authorities and constitutional principles, in order to protect public safety. This requires an approach which properly balances critical privacy interests with the need to preserve public safety.

(j) While means to aid investigators' and prosecutors' efforts to obtain plaintext are needed, this Act is not intended to make it unlawful for any person to use encryption in the United States for otherwise lawful purposes, regardless of the encryption algorithm selected, key length chosen, or implementation technique or medium used. Similarly, this Act is not intended to require anyone to use third parties for storage of decryption keys, and this Act does not establish any regulatory regime for entities engaging in such an activity. Finally, this Act is not intended to affect export controls on cryptographic products.

TITLE II--ACCESS TO AND USE OF STORED RECOVERY INFORMATION HELD BY RECOVERY AGENTS, ACCESS TO RECOVERY INFORMATION, PROTECTION OF CONFIDENTIAL INFORMATION, AND FBI TECHNICAL SUPPORT

SEC. 201. REDESIGNATION OF DEFINITIONAL SECTION.

Section 2711 of title18, United States Code, is redesignated as section 2718.

 

SEC. 202. AMENDMENTS TO SECTIONS 2703 AND 2707 OF TITLE 18.

(a) Subsection 2703(d) of title 18, United States Code, is amended by striking "described in section 3127(2)(A) and".

(b) Section 2707 of title 18, United States Code, is amended--

(1) in subsection (a) by striking "section 2703(e)" and inserting "sections 2703(e) and 2715"; and

(2) in subsection (e)

(i) by redesignating paragraphs (2) and (3) as paragraphs (3) and (4), respectively;

(ii) inserting after paragraph (1) the following:

"(2) a request of a governmental entity under section 2703(f) of this chapter;" and

(iii) in redesignated paragraph (e)(3), striking "section 2518(7)" and inserting "sections 2518(7) or 2712(a)(4)".

 

SEC. 203. AMENDMENTS OF CHAPTER121 OF TITLE18, UNITED STATES CODE, RELATED TO RECOVERY INFORMATION.

Chapter 121 of title18, United States Code, is amended by adding the following after section 2710:

"§ 2711. Disclosure or use of stored recovery information and customer information by recovery agents; notification of storage location

"(a) Prohibitions and requirements.--

"(1) Except as provided in subsections (b) and (d), a recovery agent shall not--
"(A) disclose stored recovery information;

"(B) use stored recovery information to decrypt data or communications; or

"(C) disclose any other information or record that identifies a person or entity for whom the recovery agent holds or has held stored recovery information.

"(2) No person or entity shall knowingly obtain stored recovery information from a recovery agent knowing or having reason to know he has no lawful authority to do so.

"(3) A recovery agent shall inform any person or entity who stores recovery information with the recovery agent of the location or locations where the recovery information is stored.

"(b) Authorizations for disclosure or use.--

(1) Recovery information.--A recovery agent may disclose stored recovery information, or use stored recovery information to decrypt data or communications, only --
"(A) in the case of disclosure to or use on behalf of any person or entity,including a governmental entity --
"(i) with the consent of the person or entity who stored such recovery information, or the agent of such person or entity; or

"(ii) pursuant to an order of a court of competent jurisdiction, if such court has found that another person or entity is legally entitled pursuant to generally applicable law to receive, possess, or use such recovery information and has, if practicable, provided the person or entity who has stored the recovery information with an opportunity to be heard; or

"(B) in the case of disclosure to or use on behalf of a governmental entity, as specified in section 2712 of this title.

 

"(2) Customer information.--A recovery agent may disclose information or a record, other than stored recovery information, that identifies a person or entity for whom the recovery agent holds or has held stored recovery information only --

"(A) with the consent of the person or entity who stored such recovery information, or the agent of such person or entity;

"(B) if the disclosure is necessarily incident to the rendition of the service provided to the person or entity who has stored such recovery information, or to the protection of the rights or property of the recovery agent;

"(C) pursuant to an order of a court of competent jurisdiction based upon a showing of compelling need for the information, if such court has, if practicable, provided the person or entity who has stored such recovery information with an opportunity to be heard; or

"(D) to a governmental entity pursuant to a warrant issued pursuant to the Federal Rules of Criminal Procedure or equivalent State warrant, a court order, or a federal or State subpoena; provided, however, that notice to the person or entity who stored such recovery information is not required under this subparagraph, and, furthermore, that a court of competent jurisdiction may for good cause order that the recovery agent not disclose the government request for 90 days, which period may be extended upon further showings of good cause.

"(c) Confidentiality. -- Except as otherwise provided by law, or by order of a court of competent jurisdiction, a recovery agent who is requested or ordered to disclose stored recovery information to, or to use stored recovery information on behalf of, a governmental entity pursuant to paragraph (b)(1) above shall not reveal to any person or entity the fact that the governmental entity has requested or received stored recovery information from, or has required the use of stored recovery information by, the recovery agent, and shall not disclose to any other person or entity any decrypted data or communications that are provided to the governmental entity.

"(d) Exclusions.--Nothing in this section or section 2712 of this title shall be construed to prohibit a recovery agent from:

"(1) except as provided in subsection (c), using or disclosing plaintext in its possession, custody, or control;

"(2) using or disclosing recovery information that is not stored recovery information held by it under the circumstances described in section2718(7); or

"(3) using stored recovery information in its possession, custody, or control to decrypt data or communications in its possession, custody, or control, if applicable statutes, regulations, or other legal authorities otherwise require the recovery agent to provide such data or communications to a governmental entity in plaintext or other form which can be readily understood by the governmental entity.

"(e) Criminal sanctions.--Whoever knowingly violates or attempts to violate subsection (a) or subsection (c) of this section shall be fined under this title, or imprisoned for not more than one year, or both.

"§ 2712. Requirements for governmental access to, use of, and disclosure of stored recovery information

"(a) Compelled disclosure and use of stored recovery information in the possession of recovery agents.--A governmental entity may require a recovery agent to disclose stored recovery information to the governmental entity, or to use stored recovery information to decrypt data or communications --

"(1) pursuant to a warrant issued pursuant to the Federal Rules of Criminal Procedure or an equivalent State warrant, or an order issued under section 2518 of this title;

"(2) pursuant to any process under federal or State law to compel disclosure that is permitted by section2711(b)(1)(A)(i);

"(3) pursuant to a court order issued under subsection (b); or

"(4) when an investigative or law enforcement officer, specially designated by the Attorney General, the Deputy Attorney General, the Associate Attorney General, any Assistant Attorney General, any acting Assistant Attorney General, or any Deputy Assistant Attorney General, or by the principal prosecuting attorney of any State or subdivision thereof acting pursuant to a statute of that State, reasonably determines that--

"(A) an emergency situation exists that involves--
"(i) immediate danger of death or serious physical injury to any person,

"(ii) conspiratorial activities threatening the national security interest, or

"(iii) conspiratorial activities characteristic of organized crime or terrorism, requiring that recovery information be obtained or used before an order authorizing the same can, with due diligence, be obtained; and

"(B) there are grounds upon which an order could be entered under this section to authorize such disclosure by a recovery agent of stored recovery information, or the decryption of data or communications by a recovery agent using stored recovery information;

but an order under this section must be sought within forty-eight hours after the stored recovery information has been released or the decryption has occurred. In the event no order is requested within that time or the request for an order is denied, the governmental entity shall not further use or disclose the recovery information received or plaintext recovered, shall seal such information or plaintext under the direction of a court of competent jurisdiction, and shall serve notice as provided for in subsection (c) of this section;

A federal governmental entity may require a recovery agent to disclose stored recovery information to it or another federal governmental entity, or to use stored recovery information to decrypt data or communications, under paragraphs (1), (2), (3), or (4) for the benefit of a foreign government, pursuant to a request of a foreign government under applicable legislation, treaties, or other international agreements.

"(b) Requirements for court order for disclosure or use of stored recovery information by a recovery agent.--A court order requiring a recovery agent to disclose stored recovery information to a governmental entity or to use stored recovery information to decrypt data or communications on behalf of a governmental entity shall be issued by a court of competent jurisdiction upon a finding, based on specific and articulable facts, that --

"(1) the use of the stored recovery information is reasonably necessary to allow access to the plaintext of data or communications;

"(2) such access is otherwise lawful;

"(3) the governmental entity will seek such access within a reasonable time; and

"(4) there is no constitutionally protected expectation of privacy in such plaintext, or the privacy interest created by such expectation has been overcome by consent, warrant, order, or other authority.

An order under this section directing the disclosure of stored recovery information shall be limited to the extent practicable to directing the disclosure of only that stored recovery information that is necessary to allow access to the plaintext of the relevant data and communications.

"(c) Notice.--Within 90 days after receiving stored recovery information or decrypted data or communications from a recovery agent, the governmental entity shall notify the person or entity, if known, who stored the recovery information that stored recovery information was disclosed or used by the recovery agent, and such notice shall state the date on which the stored recovery information or decrypted data and communications were disclosed. On the government's ex parte showing of good cause, the giving of notice may be postponed by a court of competent jurisdiction. Notice under this section shall be provided by personal service, or by delivery by registered or first-class mail.

"(d) Cost reimbursement.--A governmental entity obtaining stored recovery information from a recovery agent or directing a recovery agent to decrypt the data or communications pursuant to subsection (b) shall pay to the recovery agent a fee for reimbursement for such costs as are reasonably necessary and which have been directly incurred in providing such information or decrypting such data and communications. The amount of the fee shall be as mutually agreed by the governmental entity and the recovery agent, or, in the absence of agreement, shall be as determined by the court which issued the order pursuant to subsection (b).

 

 

"§ 2713. Use, disclosure, and destruction of recovery information obtained by a governmental entity by compulsory process.

"(a) Limitations on use.--

"(1) Authorized use in orders under section 2712.--Any order, warrant, or determination under section 2712 of this title granting a governmental entity access to stored recovery information, or authorizing a recovery agent to decrypt data or communications on behalf of a governmental entity, shall, either in its text or in a separate document that is served only on the governmental entity, specify the categories of data and communications that may be decrypted using such stored recovery information. Unless otherwise specified in a further order of a court of competent jurisdiction, such stored recovery information shall be used to decrypt data and communications only as specified in the order, warrant, or other determination.

"(2) Limitations on use in other circumstances.--Unless otherwise specified in an order of a court of competent jurisdiction, a governmental entity that has obtained recovery information by compulsory process other than under section 2712 of this title may use such recovery information to decrypt data or communications only in connection with the matter for which the recovery information was obtained and related matters, and only if the decryption is appropriate to the proper performance of the official functions of the governmental entity.

"(b) Limitations on disclosure and subsequent use.--Unless otherwise specified in an order of a court of competent jurisdiction, a governmental entity that has obtained recovery information by compulsory process may knowingly disclose recovery information only to the extent that such disclosure is in connection with the matter for which the recovery information was obtained and any related matters, and only if the disclosure is appropriate to the proper performance of the official functions of the governmental entity making the disclosure. Unless otherwise specified in an order of a court of competent jurisdiction, any person or entity receiving a disclosure under this section shall not further disclose the recovery information, and shall be subject to the limitations on the use of the recovery information imposed by subsection (a).

"(c) Destruction of recovery information.---Unless otherwise specified in an order of a court of competent jurisdiction, once the authorized use of recovery information obtained by compulsory process, and all investigations, trials, and appeals related to that use are completed, after the time period for filing a request for post-conviction relief has expired, and after any statutory period for retention of records has expired, a governmental entity, a recovery agent assisting a governmental entity, or other person or entity who has received a disclosure under this section, shall destroy such recovery information in its possession and the governmental entity shall make a record documenting the destruction of such recovery information that is in its possession and shall maintain that record for at least 10 years.

 

"§ 2714. Notice of access to recovery information held by third parties and obtained by a governmental entity

A governmental entity that has knowingly obtained recovery information by compulsory process other than under section 2712 of this title, shall, if such recovery information is held by the compelled party on behalf of another person or entity, notify such person or entity, if known, that the recovery information was obtained. Such notice shall be provided within 90 days of the date on which the government obtains the recovery information, and shall state the date on which the recovery information was disclosed. On the government's ex parte showing of good cause, the giving of notice may be postponed by a court of competent jurisdiction. Notice under this section shall be provided by personal service, or by delivery by registered or first-class mail.

 

"§ 2715. No cause of action against a provider or recovery agent for compliance with legal demands

"No cause of action shall lie in any court against any provider of wire or electronic communications service or recovery agent, its officers, employees, agents, or other specified persons for providing information, facilities, or assistance in accordance with the terms of a court order, emergency request, warrant, or other process under sections 2711 or 2712 of this title, or against any person or entity for disclosing information to a governmental entity to assist it in obtaining lawful access to data and communications protected by encryption or other security techniques or devices unless the disclosure is otherwise prohibited by this chapter.

 

"§2716. Protection of confidential information

"(a) Confidentiality of access techniques.--In any civil or criminal case where a party seeks (1) to discover or introduce plaintext that had been encrypted or protected by other security techniques or devices, and which plaintext had been obtained by or for a governmental entity using government methods of access to such protected information, or (2) to discover or introduce evidence or information concerning government methods of access to such protected information, if such evidence or information is sought or obtained from a governmental entity or a past or present agent thereof, an attorney for the government (as that term is defined in the Federal Rules of Criminal Procedure), whether or not the government is a party, may file an application requesting that the court enter an order pursuant to subsection (b) protecting the confidentiality of the technique or mechanism that provided access to that evidence or information.

"(b) Confidentiality orders.--If the court finds that disclosure of a technique or mechanism used by a governmental entity to obtain access to information protected by encryption or other security techniques or devices, or of a trade secret relating to such technique or mechanism --

"(1) is likely to:
"(A) jeopardize an on-going investigation;

"(B) compromise the technique or mechanism for the purposes of future investigations;

"(C) result in physical injury to any individual; or

"(D) seriously jeopardize public health and safety; or

"(2) could reasonably be expected to affect the national security;

then the court shall enter such orders and take such other action as may be necessary and appropriate to preserve the confidentiality of the technique used by the governmental entity or the trade secret, consistent with constitutional principles. A confidentiality order under this subsection entered in a civil or criminal case may direct the use of special procedures, as appropriate, relating to the admissibility of evidence obtained through such technique used by a governmental entity. An interlocutory appeal by the United States shall lie from a decision or order of a district court with respect to a request for an order under this subsection.

"(c) Nondisclosure of trade secrets.--Notwithstanding any other provision of law, trade secrets (as that term is defined in section 1839 of this title) disclosed to a governmental entity pursuant to section 2518 of this title, or otherwise disclosed to a governmental entity to assist it in obtaining access to information protected by encryption or other security techniques or devices, shall not be disclosed by any governmental entity unless such disclosure is to another governmental entity, is necessary to implement such methods of access, is with the consent of the person or entity that owns the trade secret, is ordered by a court of competent jurisdiction pursuant to a request of the disclosing governmental entity, or is required to be disclosed to a defendant in a criminal case after giving an attorney for the government an opportunity to seek an order pursuant to subsection (b).

"(d) Interaction with the Classified Information Procedures Act.--Nothing in this section shall be deemed to affect the Classified Information Procedures Act, Pub. L. 96-456, 94 Stat. 2025 (1980), or as hereafter amended.

"§ 2717. Foreign intelligence information

"Sections 2711, 2712, 2713, and 2714 of this title shall not apply to the acquisition by the United States of foreign intelligence information as defined in section101(e) of the Foreign Intelligence Surveillance Act of 1978 or otherwise affect any lawfully authorized intelligence activity of an officer, agent or employee of the United States, or a person acting pursuant to a contract with the United States.".

 

SEC. 204. DEFINITIONS.

Section 2718 of title 18, United States Code, as redesignated by section 201 of this Act, is amended --

(a) in paragraph (1), by striking "and";

(b) in paragraph (2), by striking the period and inserting a semicolon; and

(c) by adding at the end the following:

"(3) the term ‘encryption’ means the electronic transformation of data (including communications) in order to obscure or hide their content;

"(4) the term ‘decryption’ means the electronic retransformation of data (including communications) that have been encrypted into the data’s form prior to encryption;

"(5) the term ‘plaintext’ means decrypted or unencrypted data (including communications);

"(6) the term ‘recovery information’ means a parameter that can be used with an algorithm, or other data or object, that can be used to decrypt data or communications;

"(7) the term ‘stored recovery information’ means recovery information held by a recovery agent on behalf of a person or entity who is not an officer, agent, or employee of the recovery agent acting in that capacity, which information--

"(a) can be used to decrypt the data or communications of that person or entity;

"(b) remains the exclusive property of that person or entity, and must be returned to such person or entity by the recovery agent on that person or entity’s demand; and

"(c) except as provided otherwise by this chapter, can be disclosed or used in any manner by the recovery agent only with the consent of that person or entity or such person or entity’s agent;

"(8) the term ‘recovery agent’ means a person or entity who provides recovery information storage services in the United States to the public, or is a person or entity, other than an individual, who provides recovery information storage services in the United States to more than one other person or entity as a business practice, and includes any officer, employee, or agent thereof;

"(9) the term ‘governmental entity’ includes the Government of the United States and any agency or instrumentality thereof, and any State as defined in section 2510(3) of this title, and any agency, instrumentality, or political subdivision thereof;

"(10) the term ‘court of competent jurisdiction’ has the meaning assigned by section 3127 of this title, and includes any federal court within that definition, without geographic limitation.".

 

SEC. 205. TECHNICAL AMENDMENTS

(a) Chapter title.--The title of chapter 121 of title18, United States Code, is amended by adding "AND RECOVERY INFORMATION ACCESS" to the end thereof.

(b) Chapter analysis.--The chapter analysis for chapter121 of title18, United States Code, is amended by striking the last item and inserting the following:

"2711. Disclosure or use of stored recovery information and customer information by recovery agents; notification of storage location.

"2712. Requirements for governmental access to, use of, and disclosure of stored recovery information.

"2713. Use, disclosure, and destruction of recovery information obtained by a governmental entity by compulsory process.

"2714. Notice of access to recovery information held by third parties and obtained by a governmental entity.

"2715. No cause of action against a provider or recovery agent for compliance with legal demands.

"2716. Protection of confidential information.

"2717. Foreign intelligence information.

"2718. Definitions for chapter.".

(c) Part analysis.--The part analysis for PartI of title18, United States Code, is amended by inserting "and recovery information access" after "access" in the item for chapter121.

 

SEC. 206. CONFORMING AMENDMENT

Section227(a)(2) of the Victims of Child Abuse Act of 1990 (42U.S.C. 13032(a)(2)) is amended by striking "2711" and inserting "2718".

 

SEC. 207. FBI TECHNICAL SUPPORT

There are authorized to be appropriated for the Technical Support Center in the Federal Bureau of Investigation, established pursuant to section 811(a)(1) of the Antiterrorism and Effective Death Penalty Act of 1996 (Public Law 104-132)--

(1) $25,000,000 for fiscal year 2000 for building and personnel costs;

(2) $20,000,000 for fiscal year 2001 for personnel and equipment costs;

(3) $20,000,000 for fiscal year 2002; and

(4) $15,000,000 for fiscal year 2003.

 

TITLE III--INTERCEPTION OF INFORMATION

SEC. 301. MODIFICATION OF SECTION 2516 OF TITLE 18, UNITED STATES CODE, TO PERMIT INTERCEPTION OF INFORMATION IN CERTAIN CASES.

Section 2516(1)(c) of title 18, United States Code, is amended by inserting ", a felony violation of section 1030 (relating to computer fraud and abuse)" after "section 1341 (relating to mail fraud)".

 

TITLE IV-- MISCELLANEOUS PROVISIONS

SEC. 401. DIRECTIVES TO THE SENTENCING COMMISSION.

(a) Amendment of sentencing guidelines.--Pursuant to its authority under section994(p) of title28, United States Code, the United States Sentencing Commission shall review the federal sentencing guidelines and, if appropriate, shall promulgate guidelines or policy statements or amend existing guidelines or policy statements to--

(1) ensure that the guidelines provide sufficiently stringent penalties to deter and punish persons who knowingly use encryption in connection with the commission or concealment of criminal acts sentenced under the guidelines;

(2) provide appropriate penalties for persons who violate this Act; and

(3) address any other factor the Commission considers appropriate in connection with this Act.

(b) Emergency authority.--The Commission may promulgate the guidelines or amendments provided for under this section in accordance with the procedures set forth in section21(a) of the Sentencing Act of 1987, as though the authority under that Act had not expired.

 

SEC. 402. PROCUREMENT.

Notwithstanding any other provision of law, if the head of a federal law enforcement agency determines that disclosure of agency needs pertaining to procurement of sensitive equipment, goods, or services associated with access to the plaintext of data and communications, might reasonably jeopardize an ongoing or future investigation or the use of such equipment, goods, or services by the agency, then the agency head may limit the number of sources from which the agency solicits bids or proposals, but should use best efforts to solicit bids from at least two sources, and the agency is not required to advertise the solicitation of such equipment, goods, or services.

 

SEC. 403. PERSONNEL EXCHANGE PROGRAMS

Section 3371(4) of title 5, United States Code, is amended--

(a) by striking "or" at the end of subparagraph (C);

(b) by striking the period at the end of subparagraph (D) and inserting "; or" and

(c) by adding at the end the following new subparagraph:

"(E) a provider of wire, electronic communications or data encryption or related services, or a recovery agent, or any other entity, for the limited purpose of carrying out the duties and furthering the purposes set forth in the Cyberspace Electronic Security Act of 1999.".

 

SEC. 404. SEVERABILITY.

If any provision of this Act, or the application thereof, to any person or circumstance, is held invalid, the remainder of this Act, and the application thereof, to other persons or circumstances shall not be affected thereby.

 


Return to the CESA Page