104th CONGRESS  
2d Session 


                                

S. 1587

To affirm the rights of Americans to use and sell encryption products, to establish privacy standards for voluntary escrowed encryption systems, and for other purposes.
IN THE SENATE OF THE UNITED STATES March 5, 1996 Mr. Leahy (for himself, Mr. Burns, Mr. Dole, Mr. Pressler, and Mrs. Murray) introduced the following bill; which was read twice and referred to the Committee on the Judiciary
A BILL To affirm the rights of Americans to use and sell encryption products, to establish privacy standards for voluntary escrowed encryption systems, and for other purposes. Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the ``Encrypted Communications Privacy Act of 1996''.

SEC. 2. PURPOSE.

It is the purpose of this Act-- (1) to ensure that Americans are able to have the maximum possible choice in encryption methods to protect the security, confidentiality, and privacy of their lawful wire or electronic communications; and (2) to establish privacy standards for key holders who are voluntarily entrusted with the means to decrypt such communications, and procedures by which investigative or law enforcement officers may obtain assistance in decrypting such communications.

SEC. 3. FINDINGS.

The Congress finds that-- (1) the digitization of information and the explosion in the growth of computing and electronic networking offers tremendous potential benefits to the way Americans live, work, and are entertained, but also raises new threats to the privacy of American citizens and the competitiveness of American businesses; (2) a secure, private, and trusted national and global information infrastructure is essential to promote economic growth, protect citizens' privacy, and meet the needs of American citizens and businesses; (3) the rights of Americans to the privacy and security of their communications and in conducting their personal and business affairs should be preserved and protected; (4) the authority and ability of investigative and law enforcement officers to access and decipher, in a timely manner and as provided by law, wire and electronic communications necessary to provide for public safety and national security should also be preserved; (5) individuals will not entrust their sensitive personal, medical, financial, and other information to computers and computer networks unless the security and privacy of that information is assured; (6) business will not entrust their proprietary and sensitive corporate information, including information about products, processes, customers, finances, and employees, to computers and computer networks unless the security and privacy of that information is assured; (7) encryption technology can enhance the privacy, security, confidentiality, integrity, and authenticity of wire and electronic communications and stored electronic information; (8) encryption techniques, technology, programs, and products are widely available worldwide; (9) Americans should be free lawfully to use whatever particular encryption techniques, technologies, programs, or products developed in the marketplace they desire in order to interact electronically worldwide in a secure, private, and confidential manner; (10) American companies should be free to compete and to sell encryption technology, programs, and products; (11) there is a need to develop a national encryption policy that advances the development of the national and global information infrastructure, and preserves Americans' right to privacy and the Nation's public safety and national security; (12) there is a need to clarify the legal rights and responsibilities of key holders who are voluntarily entrusted with the means to decrypt wire or electronic communications; (13) the Congress and the American people have recognized the need to balance the right to privacy and the protection of the public safety and national security; (14) the Congress has permitted lawful electronic surveillance by investigative or law enforcement officers only upon compliance with stringent statutory standards and procedures; and (15) there is a need to clarify the standards and procedures by which investigative or law enforcement officers obtain assistance from key holders who are voluntarily entrusted with the means to decrypt wire or electronic communications, including such communications in electronic storage.

SEC. 4. FREEDOM TO USE ENCRYPTION.

(a) Lawful Use of Encryption.--It shall be lawful for any person within any State of the United States, the District of Columbia, the Commonwealth of Puerto Rico, and any territory or possession of the United States, and by United States persons in a foreign country to use any encryption, regardless of encryption algorithm selected, encryption key length chosen, or implementation technique or medium used except as provided in this Act and the amendments made by this Act or in any other law. (b) General Construction.--Nothing in this Act or the amendments made by this Act shall be construed to-- (1) require the use by any person of any form of encryption; (2) limit or affect the ability of any person to use encryption without a key escrow function; or (3) limit or affect the ability of any person who chooses to use encryption with a key escrow function not to use a key holder.

SEC. 5. ENCRYPTED WIRE AND ELECTRONIC COMMUNICATIONS.

(a) In General.--Part I of title 18, United States Code, is amended by inserting after chapter 121 the following new chapter: ``CHAPTER 122--ENCRYPTED WIRE AND ELECTRONIC COMMUNICATIONS ``2801. Definitions. ``2802. Prohibited acts by key holders. ``2803. Reporting requirements. ``2804. Unlawful use of encryption to obstruct justice. ``2805. Freedom to sell encryption products. ``Sec. 2801. Definitions ``As used in this chapter-- ``(1) the terms `person', `State', `wire communication', `electronic communication', `investigative or law enforcement officer', `judge of competent jurisdiction', and `electronic storage' have the same meanings given such terms in section 2510 of this title; ``(2) the term `encryption' means the scrambling of wire or electronic communications using mathematical formulas or algorithms in order to preserve the confidentiality, integrity or authenticity and prevent unauthorized recipients from accessing or altering such communications; ``(3) the term `key holder' means a person located within the United States (which may, but is not required to, be a Federal agency) who is voluntarily entrusted by another independent person with the means to decrypt that person's wire or electronic communications for the purpose of subsequent decryption of such communications; ``(4) the term `decryption key' means the variable information used in a mathematical formula, code, or algorithm, or any component thereof, used to decrypt wire or electronic communications that have been encrypted; and ``(5) the term `decryption assistance' means providing access, to the extent possible, to the plain text of encrypted wire or electronic communications. ``Sec. 2802. Prohibited acts by key holders ``(a) Unauthorized Release of Key.--Except as provided in subsection (b), any key holder who releases a decryption key or provides decryption assistance shall be subject to the criminal penalties provided in subsection (e) and to civil liability as provided in subsection (f). ``(b) Authorized Release of Key.--A key holder shall only release a decryption key in its possession or control or provide decryption assistance-- ``(1) with the lawful consent of the person whose key is being held or managed by the key holder; ``(2) as may be necessarily incident to the holding or management of the key by the key holder; or ``(3) to investigative or law enforcement officers authorized by law to intercept wire or electronic communications under chapter 119, to obtain access to stored wire and electronic communications and transactional records under chapter 121, or to conduct electronic surveillance, as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801), upon compliance with subsection (c) of this section. ``(c) Requirements for Release of Decryption Key or Provision of Decryption Assistance to Investigative or Law Enforcement Officer.-- ``(1) Contents of wire and electronic communications.--A key holder is authorized to release a decryption key or provide decryption assistance to an investigative or law enforcement officer authorized by law to conduct electronic surveillance under chapter 119, only if-- ``(A) the key holder is given-- ``(i) a court order signed by a judge of competent jurisdiction directing such release or assistance; or ``(ii) a certification in writing by a person specified in section 2518(7) or the Attorney General stating that-- ``(I) no warrant or court order is required by law; ``(II) all requirements under section 2518(7) have been met; and ``(III) the specified release or assistance is required; ``(B) the order or certification under paragraph (A)-- ``(i) specifies the decryption key or decryption assistance which is being sought; and ``(ii) identifies the termination date of the period for which release or assistance has been authorized; and ``(C) in compliance with an order or certification under subparagraph (A), the key holder shall provide only such key release or decryption assistance as is necessary for access to communications covered by subparagraph (B). ``(2) Stored wire and electronic communications.--(A) A key holder is authorized to release a decryption key or provide decryption assistance to an investigative or law enforcement officer authorized by law to obtain access to stored wire and electronic communications and transactional records under chapter 121, only if the key holder is directed to give such assistance pursuant to the same lawful process (court warrant, order, subpoena, or certification) used to obtain access to the stored wire and electronic communications and transactional records. ``(B) The notification required under section 2703(b) shall, in the event that encrypted wire or electronic communications were obtained from electronic storage, include notice of the fact that a key to such communications was or was not released or decryption assistance was or was not provided by a key holder. ``(C) In compliance with the lawful process under subparagraph (A), the key holder shall provide only such key release or decryption assistance as is necessary for access to the communications covered by such lawful process. ``(3) Use of key.--(A) An investigative or law enforcement officer to whom a key has been released under this subsection may use the key only in the manner and for the purpose and duration that is expressly provided for in the court order or other provision of law authorizing such release and use, not to exceed the duration of the electronic surveillance for which the key was released. ``(B) On or before completion of the authorized release period, the investigative or law enforcement officer to whom a key has been released shall destroy and not retain the released key. ``(C) The inventory required to be served pursuant to section 2518(8)(d) on persons named in the order or the application under section 2518(7)(b), and such other parties to intercepted communications as the judge may determine, in the interest of justice, shall, in the event that encrypted wire or electronic communications were intercepted, include notice of the fact that during the period of the order or extensions thereof a key to, or decryption assistance for, any encrypted wire or electronic communications of the person or party intercepted was or was not provided by a key holder. ``(4) Nondisclosure of release.--No key holder, officer, employee, or agent thereof shall disclose the key release or provision of decryption assistance pursuant to subsection (b), except as may otherwise be required by legal process and then only after prior notification to the Attorney General or to the principal prosecuting attorney of a State or any political subdivision of a State, as may be appropriate. ``(d) Records or Other Information Held by Key Holders.--A key holder, shall not disclose a record or other information (not including the key) pertaining to any person whose key is being held or managed by the key holder, except-- ``(1) with the lawful consent of the person whose key is being held or managed by the key holder; or ``(2) to an investigative or law enforcement officer pursuant to a subpoena authorized under Federal or State law, court order, or lawful process. An investigative or law enforcement officer receiving a record or information under paragraph (2) is not required to provide notice to the person to whom the record or information pertains. Any disclosure in violation of this subsection shall render the person committing the violation liable for the civil damages provided for in subsection (f). ``(e) Criminal Penalties.--The punishment for an offense under subsection (a) of this section is-- ``(1) if the offense is committed for a tortious, malicious, or illegal purpose, or for purposes of direct or indirect commercial advantage or private commercial gain-- ``(A) a fine under this title or imprisonment for not more than 1 year, or both, in the case of a first offense under this subparagraph; or ``(B) a fine under this title or imprisonment for not more than 2 years, or both, for any second or subsequent offense; and ``(2) in any other case where the offense is committed recklessly or intentionally, a fine of not more than $5,000 or imprisonment for not more than 6 months, or both. ``(f) Civil Damages.-- ``(1) In general.--Any person aggrieved by any act of a person in violation of subsections (a) or (d) may in a civil action recover from such person appropriate relief. ``(2) Relief.--In an action under this subsection, appropriate relief includes-- ``(A) such preliminary and other equitable or declaratory relief as may be appropriate; ``(B) damages under paragraph (3) and punitive damages in appropriate cases; and ``(C) a reasonable attorney's fee and other litigation costs reasonably incurred. ``(3) Computation of damages.--The court may assess as damages whichever is the greater of-- ``(A) the sum of the actual damages suffered by the plaintiff and any profits made by the violator as a result of the violation; or ``(B) statutory damages in the amount of $5,000. ``(4) Limitation.--A civil action under this subsection shall not be commenced later than 2 years after the date upon which the plaintiff first knew or should have known of the violation. ``(g) Defense.--It shall be a complete defense against any civil or criminal action brought under this chapter that the defendant acted in good faith reliance upon a court warrant or order, grand jury or trial subpoena, or statutory authorization. ``Sec. 2803. Reporting requirements ``(a) In General.--In reporting to the Administrative Office of the United States Courts as required under section 2519(2) of this title, the Attorney General, an Assistant Attorney General specially designated by the Attorney General, the principal prosecuting attorney of a State, or the principal prosecuting attorney of any political subdivision of a State, shall report on the number of orders and extensions served on key holders to obtain access to decryption keys or decryption assistance. ``(b) Requirements.--The Director of the Administrative Office of the United States Courts shall include as part of the report transmitted to the Congress under section 2519(3) of this title, the number of orders and extensions served on key holders to obtain access to decryption keys or decryption assistance and the offenses for which the orders were obtained. ``Sec. 2804. Unlawful use of encryption to obstruct justice ``Whoever willfully endeavors by means of encryption to obstruct, impede, or prevent the communication of information in furtherance of a felony which may be prosecuted in a court of the United States, to an investigative or law enforcement officer shall-- ``(1) in the case of a first conviction, be sentenced to imprisonment for not more than 5 years, fined under this title, or both; or ``(2) in the case of a second or subsequent conviction, be sentenced to imprisonment for not more than 10 years, fined under this title, or both. ``Sec. 2805. Freedom to sell encryption products ``(a) In General.--It shall be lawful for any person within any State of the United States, the District of Columbia, the Commonwealth of Puerto Rico, and any territory or possession of the United States, to sell in interstate commerce any encryption, regardless of encryption algorithm selected, encryption key length chosen, or implementation technique or medium used. ``(b) Control of Exports by Secretary of Commerce.-- ``(1) General rule.--Notwithstanding any other law, subject to paragraphs (2), (3), and (4), the Secretary of Commerce shall have exclusive authority to control exports of all computer hardware, software, and technology for information security (including encryption), except computer hardware, software, and technology that is specifically designed or modified for military use, including command, control, and intelligence applications. ``(2) Items not requiring licenses.--No validated license may be required, except pursuant to the Trading With The Enemy Act or the International Emergency Economic Powers Act (IEEPA) (but only to the extent that the authority of the IEEPA is not exercised to extend controls imposed under the Export Administration Act of 1979), for the export or reexport of-- ``(A) any software, including software with encryption capabilities, that is-- ``(i) generally available, as is, and designed for installation by the purchaser; or ``(ii) in the public domain or publicly available because it is generally accessible to the interested public in any form; or ``(B) any computing device solely because it incorporates or employs in any form software (including software with encryption capabilities) exempted from any requirement for a validated license under subparagraph (A). ``(3) Software with encryption capabilities.--The Secretary of Commerce shall authorize the export or reexport of software with encryption capabilities for nonmilitary end-uses in any country to which exports of software of similar capability are permitted for use by financial institutions not controlled in fact by United States persons, unless there is substantial evidence that such software will be-- ``(A) diverted to a military end-use or an end-use supporting international terrorism; ``(B) modified for military or terrorist end-use; or ``(C) reexported without requisite United States authorization. ``(4) Hardware with encryption capabilities.--The Secretary shall authorize the export or reexport of computer hardware with encryption capabilities if the Secretary determines that a product offering comparable security is commercially available from a foreign supplier without effective restrictions outside the United States. ``(5) Definitions.--As used in this subsection-- ``(A) the term `generally available' means, in the case of software (including software with encryption capabilities), software that is widely offered for sale, license, or transfer including, but not limited to, over-the-counter retail sales, mail order transactions, phone order transactions, electronic distribution, or sale on approval; ``(B) the term `as is' means, in the case of software (including software with encryption capabilities), a software program that is not designed, developed, or tailored by the software company for specific purchasers, except that such purchasers may supply certain installation parameters needed by the software program to function properly with the purchaser's system and may customize the software program by choosing among options contained in the software program; ``(C) the term `is designed for installation by the purchaser' means, in the case of software (including software with encryption capabilities)-- ``(i) the software company intends for the purchaser (including any licensee or transferee), who may not be the actual program user, to install the software program on a computing device and has supplied the necessary instructions to do so, except that the company may also provide telephone help-line services for software installation, electronic transmission, or basic operations; and ``(ii) that the software program is designed for installation by the purchaser without further substantial support by the supplier; ``(D) the term `computing device' means a device which incorporates one or more microprocessor-based central processing units that can accept, store, process, or provide output of data; and ``(E) the term `computer hardware', when used in conjunction with information security, includes, but is not limited to, computer systems, equipment, application-specific assemblies, modules, and integrated circuits.''. (b) Technical Amendment.--The table of chapters for part I of title 18, United States Code, is amended by inserting after the item relating to chapter 33, the following new item: ``122. Encrypted wire and electronic communications......... 2801''.

SEC. 6. INTELLIGENCE ACTIVITIES.

(a) Construction.--Nothing in this Act or the amendments made by this Act constitutes authority for the conduct of any intelligence activity. (b) Certain Conduct.--Nothing in this Act or the amendments made by this Act shall affect the conduct, by officers or employees of the United States Government in accordance with other applicable Federal law, under procedures approved by the Attorney General, or activities intended to-- (1) intercept encrypted or other official communications of United States executive branch entities or United States Government contractors for communications security purposes; (2) intercept radio communications transmitted between or among foreign powers or agents of a foreign power as defined by the Foreign Intelligence Surveillance Act of 1978; or (3) access an electronic communication system used exclusively by a foreign power or agent of a foreign power as defined by the Foreign Intelligence Surveillance Act of 1978. S 1587 IS----2