|
Cryptome DVDs are offered by Cryptome. Donate $25 for two DVDs of the Cryptome 12-years collection of 46,000 files from June 1996 to June 2008 (~6.7 GB). Click Paypal or mail check/MO made out to John Young, 251 West 89th Street, New York, NY 10024. The collection includes all files of cryptome.org, jya.com, cartome.org, eyeball-series.org and iraq-kill-maim.org, and 23,000 pages of counter-intelligence dossiers declassified by the US Army Information and Security Command, dating from 1945 to 1985.The DVDs will be sent anywhere worldwide without extra cost. |
27 July 1999
See parts 1, 2, 3 and 4:http://jya.com/hr106-117-p1.htm http://jya.com/hr106-117-p2.htm http://jya.com/hr106-117-p3.htm http://jya.com/hr106-117-p4.htm Thanks to DM.Source: ftp://ftp.loc.gov/pub/thomas/cp106/hr117p5.txt ------------------------------------------------------ H.L.C. 58 133 106 th Congress Rept. 106 117 HOUSE OF REPRESENTATIVES 1st Session Part 5 ENCRYPTION FOR THE NATIONAL INTEREST ACT July 23, 1999.--Committed to the Committee of the Whole House on the State of the Union and ordered to be printed Mr. Goss, from the Permanent Select Committee on Intelligence, submitted the following R E P O R T [To accompany H.R. 850] [Including cost estimate of the Congressional Budget Office] The Permanent Select Committee on Intelligence, to whom was referred the bill (H.R. 850) to amend title 18, United States Code, to affirm the rights of United States persons to use and sell encryption and to relax export controls on encryption, having considered the same, report favorably thereon with an amendment and recommend that the bill as amended do pass. The amendment is as follows: Strike out all after the enacting clause and insert in lieu thereof the following: SECTION 1. SHORT TITLE; TABLE OF CONTENTS. (a) Short Title.--This Act may be cited as the ``Encryption for the National Interest Act''. (b) Table of Contents.--The table of contents is as follows: Sec. 1. Short title; table of contents. Sec. 2. Statement of policy. Sec. 3. Congressional findings. TITLE I--DOMESTIC USES OF ENCRYPTION Sec. 101. Definitions. Sec. 102. Lawful use of encryption. Sec. 103. Unlawful use of encryption. TITLE II--GOVERNMENT PROCUREMENT Sec. 201. Federal purchases of encryption products. Sec. 202. Networks established with Federal funds. Sec. 203. Government contract authority. Sec. 204. Product labels. Sec. 205. No private mandate. Sec. 206. Exclusion. TITLE III--EXPORTS OF ENCRYPTION Sec. 301. Exports of encryption. Sec. 302. License exception for certain encryption products. Sec. 303. Discretionary authority. Sec. 304. Expedited review authority. Sec. 305. Encryption licenses required. Sec. 306. Encryption Industry and Information Security Board. TITLE IV--LIABILITY LIMITATIONS Sec. 401. Compliance with court order. Sec. 402. Compliance defense. Sec. 403. Good faith defense. TITLE V--INTERNATIONAL AGREEMENTS Sec. 501. Sense of Congress. Sec. 502. Failure to negotiate. Sec. 503. Report to Congress. TITLE VI--MISCELLANEOUS PROVISIONS Sec. 601. Effect on law enforcement activities. Sec. 602. Interpretation. Sec. 603. FBI technical support. Sec. 604. Severability. SEC. 2. STATEMENT OF POLICY. It is the policy of the United States to protect public computer networks through the use of strong encryption technology, to promote the export of encryption products developed and manufactured in the United States, and to preserve public safety and national security. SEC. 3. CONGRESSIONAL FINDINGS. The Congress finds the following: (1) Information security technology, encryption, is-- (A) fundamental to secure the flow of intelligence information to national policy makers; (B) critical to the President and national command authority of the United States; (C) necessary to the Secretary of State for the development and execution of the foreign policy of the United States; (D) essential to the Secretary of Defense's responsibilities to ensure the effectiveness of the Armed Forces of the United States; (E) invaluable to the protection of the citizens of the United States from fraud, theft, drug trafficking, child pornography; kidnapping, and money laundering; and (F) basic to the protection of the nation's critical infrastructures, including electrical grids, banking and financial systems, telecommunications, water supplies, and transportation. (2) The goal of any encryption legislation should be to enhance and promote the global market strength of United States encryption manufacturers, while guaranteeing that national security and public safety obligations of the Government can still be accomplished. (3) It is essential to the national security interests of the United States that United States encryption products dominate the global market. (4) Widespread use of unregulated encryption products poses a significant threat to the national security interests of the United States. (5) Leaving the national security and public safety responsibilities of the Government to the marketplace alone is not consistent with the obligations of the Government to protect the public safety and to defend the Nation. (6) In order for the United States position in the global market to benefit the national security interests of the United States, it is imperative that the export of encryption products be subject to a dynamic and constructive export control regime. (7) Export of commercial items are best managed through a regulatory structure which has flexibility to address constantly changing market conditions. (8) Managing sensitive dual-use technologies, such as encryption products, is challenging in any regulatory environment due to the difficulty in balancing competing interests in national security, public safety, privacy, fair competition within the industry, and the dynamic nature of the technology. (9) There is a widespread perception that the executive branch has not adequately balanced the equal and competing interests of national security, public safety, privacy, and industry. (10) There is a perception that the current encryption export control policy has done more to disadvantage United States business interests than to promote and protect national security and public safety interests. (11) A balance can and must be achieved between industry interests, national security, law enforcement requirements, and privacy needs. (12) A court order process should be required for access to plaintext, where and when available, and criminal and civil penalties should be imposed for misuse of decryption information. (13) Timely access to plaintext capability is-- (A) necessary to thwarting potential terrorist activities; (B) extremely useful in the collection of foreign intelligence; (C) indispensable to force protection requirements; (D) critical to the investigation and prosecution of criminals; and (E) both technically and economically possible. (14) The United States Government should encourage the development of those products that would provide a capability allowing law enforcement (Federal, State, and local), with a court order only, to gain timely access to the plaintext of either stored data or data in transit. (15) Unless law enforcement has the benefit of such market encouragement, drug traffickers, spies, child pornographers, pedophiles, kidnappers, terrorists, mobsters, weapons proliferators, fraud schemers, and other criminals will be able to use encryption software to protect their criminal activity and hinder the criminal justice system. (16) An effective regulatory approach to manage the proliferation of encryption products which have dual-use capabilities must be maintained and greater confidence in the ability of the executive branch to preserve and promote the competitive advantage of the United States encryption industry in the global market must be provided. TITLE I--DOMESTIC USES OF ENCRYPTION SEC. 101. DEFINITIONS. For purposes of this Act: (1) Attorney for the government.--The term ``attorney for the Government'' has the meaning given such term in Rule 54(c) of the Federal Rules of Criminal Procedure, and also includes any duly authorized attorney of a State who is authorized to prosecute criminal offenses within such State. (2) Authorized party.--The term ``authorized party'' means any person with the legal authority to obtain decryption information or plaintext of encrypted data, including communications. (3) Communications.--The term ``communications'' means any wire communications or electronic communications as those terms are defined in paragraphs (1) and (12) of section 2510 of title 18, United States Code. (4) Court of competent jurisdiction.--The term ``court of competent jurisdiction'' means any court of the United States organized under Article III of the Constitution of the United States, the court organized under the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.), or a court of general criminal jurisdiction of a State authorized pursuant to the laws of such State to enter orders authorizing searches and seizures. (5) Data network service provider.--The term ``data network service provider'' means a person offering any service to the general public that provides the users thereof with the ability to transmit or receive data, including communications. (6) Decryption.--The term ``decryption'' means the retransformation or unscrambling of encrypted data, including communications, to its readable plaintext version. To ``decrypt'' data, including communications, is to perform decryption. (7) Decryption information.--The term ``decryption information'' means information or technology that enables one to readily retransform or unscramble encrypted data from its unreadable and incomprehensible format to its readable plaintext version. (8) Electronic storage.--The term ``electronic storage'' has the meaning given that term in section 2510(17) of title 18, United States Code. (9) Encryption.--The term ``encryption'' means the transformation or scrambling of data, including communications, from plaintext to an unreadable or incomprehensible format, regardless of the technique utilized for such transformation or scrambling and irrespective of the medium in which such data, including communications, occur or can be found, for the purposes of protecting the content of such data, including communications. To ``encrypt'' data, including communications, is to perform encryption. (10) Encryption product.--The term ``encryption product'' means any software, technology, commodity, or mechanism, that can be used to encrypt or decrypt or has the capability of encrypting or decrypting any data, including communications. (11) Foreign availability.--The term ``foreign availability'' has the meaning applied to foreign availability of encryption products subject to controls under the Export Administration Regulations, as in effect on July 1, 1999. (12) Government.--The term ``Government'' means the Government of the United States and any agency or instrumentality thereof, or the government of any State, and any of its political subdivisions. (13) Investigative or law enforcement officer.--The term ``investigative or law enforcement officer'' has the meaning given that term in section 2510(7) of title 18, United States Code. (14) National security.--The term ``national security'' means the national defense, intelligence, or foreign policy interests of the United States. (15) Plaintext.--The term ``plaintext'' means the readable or comprehensible format of that data, including communications, which has been encrypted. (16) Plainvoice.--The term ``plainvoice'' means communication specific plaintext. (17) Secretary.--The term ``Secretary'' means the Secretary of Commerce, unless otherwise specifically identified. (18) State.--The term ``State'' has the meaning given that term in section 2510(3) of title 18, United States Code. (19) Telecommunications carrier.--The term ``telecommunications carrier'' has the meaning given that term in section 3 of the Communications Act of 1934 (47 U.S.C. 153). (20) Telecommunications system.--The term ``telecommunications system'' means any equipment, technology, or related software used in the movement, switching, interchange, transmission, reception, or internal signaling of data, including communications over wire, fiber optic, radio frequency, or any other medium. (21) United states person.--The term ``United States person'' means-- (A) any citizen of the United States; (B) any other person organized under the laws of any State; and (C) any person organized under the laws of any foreign country who is owned or controlled by individuals or persons described in subparagraphs (A) and (B). SEC. 102. LAWFUL USE OF ENCRYPTION. Except as otherwise provided by this Act or otherwise provided by law, it shall be lawful for any person within any State and for any United States person to use any encryption product, regardless of encryption algorithm selected, encryption bit length chosen, or implementation technique or medium used. SEC. 103. UNLAWFUL USE OF ENCRYPTION. (a) In General.--Part I of title 18, United States Code, is amended by inserting after chapter 123 the following new chapter: ``CHAPTER 125--ENCRYPTED DATA, INCLUDING COMMUNICATIONS ``Sec. ``2801. Unlawful use of encryption in furtherance of a criminal act. ``2802. Privacy protection. ``2803. Court order access to plaintext or decryption information. ``2804. Notification procedures. ``2805. Lawful use of plaintext or decryption information. ``2806. Identification of decryption information. ``2807. Definitions. ``2801. Unlawful use of encryption in furtherance of a criminal act ``(a) Prohibited Acts.--Whoever knowingly uses encryption in furtherance of the commission of a criminal offense for which the person may be prosecuted in a district court of the United States shall-- ``(1) in the case of a first offense under this section, be imprisoned for not more than 5 years, or fined under this title, or both; and ``(2) in the case of a second or subsequent offense under this section, be imprisoned for not more than 10 years, or fined under this title, or both. ``(b) Consecutive Sentence.--Notwithstanding any other provision of law, the court shall not place on probation any person convicted of a violation of this section, nor shall the term of imprisonment imposed under this section run concurrently with any other term of imprisonment imposed for the underlying criminal offense. ``(c) Probable Cause Not Constituted by Use of Encryption.--The use of encryption by itself shall not establish probable cause to believe that a crime is being or has been committed. ``2802. Privacy protection ``(a) In General.--It shall be unlawful for any person to intentionally-- ``(1) obtain or use decryption information without lawful authority for the purpose of decrypting data, including communications; ``(2) exceed lawful authority in decrypting data, including communications; ``(3) break the encryption code of another person without lawful authority for the purpose of violating the privacy or security of that person or depriving that person of any property rights; ``(4) impersonate another person for the purpose of obtaining decryption information of that person without lawful authority; ``(5) facilitate or assist in the encryption of data, including communications, knowing that such data, including communications, are to be used in furtherance of a crime; or ``(6) disclose decryption information in violation of a provision of this chapter. ``(b) Criminal Penalty.--Whoever violates this section shall be imprisoned for not more than 10 years, or fined under this title, or both. ``2803. Court order access to plaintext or decryption information ``(a) Court Order.--(1) A court of competent jurisdiction shall issue an order, ex parte, granting an investigative or law enforcement officer timely access to the plaintext of encrypted data, including communications, or requiring any person in possession of decryption information to provide such information to a duly authorized investigative or law enforcement officer-- ``(A) upon the application by an attorney for the Government that-- ``(i) is made under oath or affirmation by the attorney for the Government; and ``(ii) provides a factual basis establishing the relevance that the plaintext or decryption information being sought has to a law enforcement, foreign counterintelligence, or international terrorism investigation then being conducted pursuant to lawful authorities; and ``(B) if the court finds, in writing, that the plaintext or decryption information being sought is relevant to an ongoing lawful law enforcement, foreign counterintelligence, or international terrorism investigation and the investigative or law enforcement officer is entitled to such plaintext or decryption information. ``(2) The order issued by the court under this section shall be placed under seal, except that a copy may be made available to the investigative or law enforcement officer authorized to obtain access to the plaintext of the encrypted information, or authorized to obtain the decryption information sought in the application. Such order shall, subject to the notification procedures set forth in section 2804, also be made available to the person responsible for providing the plaintext or the decryption information, pursuant to such order, to the investigative or law enforcement officer. ``(3) Disclosure of an application made, or order issued, under this section, is not authorized, except as may otherwise be specifically permitted by this section or another order of the court. ``(b) Record of Access Required.--(1) There shall be created an electronic record, or similar type record, of each instance in which an investigative or law enforcement officer, pursuant to an order under this section, gains access to the plaintext of otherwise encrypted information, or is provided decryption information, without the knowledge or consent of the owner of the data, including communications, who is the user of the encryption product involved. ``(2) The court issuing the order under this section may require that the electronic or similar type of record described in paragraph (1) is maintained in a place and a manner that is not within the custody or control of an investigative or law enforcement officer gaining the access or provided the decryption information. The record shall be tendered to the court, upon notice from the court. ``(3) The court receiving such electronic or similar type of record described in paragraph (1) shall make the original and a certified copy of the record available to the attorney for the Government making application under this section, and to the attorney for, or directly to, the owner of the data, including communications, who is the user of the encryption product, pursuant to the notification procedures set forth in section 2804. ``(c) Authority To Intercept Communications Not Increased.--Nothing in this chapter shall be construed to enlarge or modify the circumstances or procedures under which a Government entity is entitled to intercept or obtain oral, wire, or electronic communications or information. ``(d) Construction.--This chapter shall be strictly construed to apply only to a Government entity's ability to decrypt data, including communications, for which it has previously obtained lawful authority to intercept or obtain pursuant to other lawful authorities, which without an order issued under this section would otherwise remain encrypted. ``2804. Notification procedures ``(a) In General.--Within a reasonable time, but not later than 90 days after the filing of an application for an order under section 2803 which is granted, the court shall cause to be served, on the persons named in the order or the application, and such other parties whose decryption information or whose plaintext has been provided to an investigative or law enforcement officer pursuant to this chapter, as the court may determine is in the interest of justice, an inventory which shall include notice of-- ``(1) the fact of the entry of the order or the application; ``(2) the date of the entry of the application and issuance of the order; and ``(3) the fact that the person's decryption information or plaintext data, including communications, has been provided or accessed by an investigative or law enforcement officer. The court, upon the filing of a motion, may make available to that person or that person's counsel, for inspection, such portions of the plaintext, applications, and orders as the court determines to be in the interest of justice. ``(b) Postponement of Inventory for Good Cause.--(1) On an ex parte showing of good cause by an attorney for the Government to a court of competent jurisdiction, the serving of the inventory required by subsection (a) may be postponed for an additional 30 days after the granting of an order pursuant to the ex parte motion. ``(2) No more than 3 ex parte motions pursuant to paragraph (1) are authorized. ``(c) Admission Into Evidence.--The content of any encrypted information that has been obtained pursuant to this chapter or evidence derived therefrom shall not be received in evidence or otherwise disclosed in any trial, hearing, or other proceeding in a Federal or State court, other than the court organized pursuant to the Foreign Intelligence Surveillance Act of 1978, unless each party, not less than 10 days before the trial, hearing, or proceeding, has been furnished with a copy of the order, and accompanying application, under which the decryption or access to plaintext was authorized or approved. This 10-day period may be waived by the court if the court finds that it was not possible to furnish the party with the information described in the preceding sentence within 10 days before the trial, hearing, or proceeding and that the party will not be prejudiced by the delay in receiving such information. ``(d) Construction.--The provisions of this chapter shall be construed consistent with-- ``(1) the Classified Information Procedures Act (18 U.S.C. App.); and ``(2) the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.). ``(e) Contempt.--Any violation of the provisions of this section may be punished by the court as a contempt thereof. ``(f) Motion To Suppress.--Any aggrieved person in any trial, hearing, or proceeding in or before any court, department, officer, agency, regulatory body, or other authority of the United States or a State, other than the court organized pursuant to the Foreign Intelligence Surveillance Act of 1978, may move to suppress the contents of any decrypted data, including communications, obtained pursuant to this chapter, or evidence derived therefrom, on the grounds that -- ``(1) the plaintext was decrypted or accessed in violation of this chapter; ``(2) the order of authorization or approval under which it was decrypted or accessed is insufficient on its face; or ``(3) the decryption was not made in conformity with the order of authorization or approval. Such motion shall be made before the trial, hearing, or proceeding unless there was no opportunity to make such motion, or the person was not aware of the grounds of the motion. If the motion is granted, the plaintext of the decrypted data, including communications, or evidence derived therefrom, shall be treated as having been obtained in violation of this chapter. The court, upon the filing of such motion by the aggrieved person, may make available to the aggrieved person or that person's counsel for inspection such portions of the decrypted plaintext, or evidence derived therefrom, as the court determines to be in the interests of justice. ``(g) Appeal by United States.--In addition to any other right to appeal, the United States shall have the right to appeal from an order granting a motion to suppress made under subsection (f), or the denial of an application for an order under section 2803, if the attorney for the Government certifies to the court or other official granting such motion or denying such application that the appeal is not taken for purposes of delay. Such appeal shall be taken within 30 days after the date the order was entered on the docket and shall be diligently prosecuted. ``(h) Civil Action for Violation.--Except as otherwise provided in this chapter, any person described in subsection (i) may, in a civil action, recover from the United States Government the actual damages suffered by the person as a result of a violation described in that subsection, reasonable attorney's fees, and other litigation costs reasonably incurred in prosecuting such claim. ``(i) Covered Persons.--Subsection (h) applies to any person whose decryption information-- ``(1) is knowingly obtained without lawful authority by an investigative or law enforcement officer; ``(2) is obtained by an investigative or law enforcement officer with lawful authority and is knowingly used or disclosed by such officer unlawfully; or ``(3) is obtained by an investigative or law enforcement officer with lawful authority and whose decryption information is unlawfully used to disclose the plaintext of the data, including communications. ``(j) Limitation.--A civil action under subsection (h) shall be commenced not later than 2 years after the date on which the unlawful action took place, or 2 years after the date on which the claimant first discovers the violation, whichever is later. ``(k) Exclusive Remedies.--The remedies and sanctions described in this chapter with respect to the decryption of data, including communications, are the only judicial remedies and sanctions for violations of this chapter involving such decryptions, other than violations based on the deprivation of any rights, privileges, or immunities secured by the Constitution. ``(l) Technical Assistance by Providers.--A provider of encryption technology or network service that has received an order issued by a court pursuant to this chapter shall provide to the investigative or law enforcement officer concerned such technical assistance as is necessary to execute the order. Such provider may, however, move the court to modify or quash the order on the ground that its assistance with respect to the decryption or access to plaintext cannot be performed in fact, or in a timely or reasonable fashion. The court, upon notice to the Government, shall decide such motion expeditiously. ``(m) Reports to Congress.--In May of each year, the Attorney General, or an Assistant Attorney General specifically designated by the Attorney General, shall report in writing to Congress on the number of applications made and orders entered authorizing Federal, State, and local law enforcement access to decryption information for the purposes of reading the plaintext of otherwise encrypted data, including communications, pursuant to this chapter. Such reports shall be submitted to the Committees on the Judiciary of the House of Representatives and of the Senate, and to the Permanent Select Committee on Intelligence for the House of Representatives and the Select Committee on Intelligence for the Senate. ``2805. Lawful use of plaintext or decryption information ``(a) Authorized Use of Decryption Information.-- ``(1) Criminal investigations.--An investigative or law enforcement officer to whom plaintext or decryption information is provided may only use such plaintext or decryption information for the purposes of conducting a lawful criminal investigation, foreign counterintelligence, or international terrorism investigation, and for the purposes of preparing for and prosecuting any criminal violation of law. ``(2) Civil redress.--Any plaintext or decryption information provided under this chapter to an investigative or law enforcement officer may not be disclosed, except by court order, to any other person for use in a civil proceeding that is unrelated to a criminal investigation and prosecution for which the plaintext or decryption information is authorized under paragraph (1). Such order shall only issue upon a showing by the party seeking disclosure that there is no alternative means of obtaining the plaintext, or decryption information, being sought and the court also finds that the interests of justice would not be served by nondisclosure. ``(b) Limitation.--An investigative or law enforcement officer may not use decryption information obtained under this chapter to determine the plaintext of any data, including communications, unless it has obtained lawful authority to obtain such data, including communications, under other lawful authorities. ``(c) Return of Decryption Information.--An attorney for the Government shall, upon the issuance of an order of a court of competent jurisdiction-- ``(1)(A) return any decryption information to the person responsible for providing it to an investigative or law enforcement officer pursuant to this chapter; or ``(B) destroy such decryption information, if the court finds that the interests of justice or public safety require that such decryption information should not be returned to the provider; and ``(2) within 10 days after execution of the court's order to return or destroy the decryption information-- ``(A) certify to the court that the decryption information has either been returned or destroyed consistent with the court's order; and ``(B) if applicable, notify the provider of the decryption information of the destruction of such information. ``(d) Other Disclosure of Decryption Information.--Except as otherwise provided in section 2803, decryption information or the plaintext of otherwise encrypted data, including communications, shall not be disclosed by any person unless the disclosure is-- ``(1) to the person encrypting the data, including communications, or an authorized agent thereof; ``(2) with the consent of the person encrypting the data, including pursuant to a contract entered into with the person; ``(3) pursuant to a court order upon a showing of compelling need for the information that cannot be accommodated by any other means if-- ``(A) the person who supplied the information is given reasonable notice, by the person seeking the disclosure, of the court proceeding relevant to the issuance of the court order; and ``(B) the person who supplied the information is afforded the opportunity to appear in the court proceeding and contest the claim of the person seeking the disclosure; ``(4) pursuant to a determination by a court of competent jurisdiction that another person is lawfully entitled to hold such decryption information, including determinations arising from legal proceedings associated with the incapacity, death, or dissolution of any person; or ``(5) otherwise permitted by law. ``2806. Identification of decryption information ``(a) Identification.--To avoid inadvertent disclosure of decryption information, any person who provides decryption information to an investigative or law enforcement officer pursuant to this chapter shall specifically identify that part of the material that discloses decryption information as such. ``(b) Responsibility of Investigative or Law Enforcement Officer.--The investigative or law enforcement officer receiving any decryption information under this chapter shall maintain such information in a facility and in a method so as to reasonably assure that inadvertent disclosure does not occur. ``2807. Definitions ``The definitions set forth in section 101 of the Encryption for the National Interest Act shall apply to this chapter.''. (b) Conforming Amendment.--The table of chapters for part I of title 18, United States Code, is amended by inserting after the item relating to chapter 121 the following new item: ``125. Encrypted data, including communications 2801''. TITLE II--GOVERNMENT PROCUREMENT SEC. 201. FEDERAL PURCHASES OF ENCRYPTION PRODUCTS. (a) Decryption Capabilities.--The President may, consistent with the provisions of subsection (b), direct that any encryption product or service purchased or otherwise procured by the United States Government to provide the security service of data confidentiality for a computer system owned and operated by the United States Government shall include recoverability features or functions that enable the timely decryption of encrypted data, including communications, or timely access to plaintext by an authorized party without the knowledge or cooperation of the person using such encryption products or services. (b) Consistency With Intelligence Services and Military Operations.--The President shall ensure that all encryption products purchased or used by the United States Government are supportive of, and consistent with, all statutory obligations to protect sources and methods of intelligence collection and activities, and supportive of, and consistent with, those needs required for military operations and the conduct of foreign policy. SEC. 202. NETWORKS ESTABLISHED WITH FEDERAL FUNDS. The President may direct that any communications network established for the purpose of conducting the business of the Federal Government shall use encryption products that-- (1) include features and functions that enable the timely decryption of encrypted data, including communications, or timely access to plaintext, by an authorized party without the knowledge or cooperation of the person using such encryption products or services; and (2) are supportive of, and consistent with, all statutory obligations to protect sources and methods of intelligence collection and activities, and supportive of, and consistent with, those needs required for military operations and the conduct of foreign policy. SEC. 203. GOVERNMENT CONTRACT AUTHORITY. The President may require as a condition of any contract by the Government with a private sector vendor that any encryption product used by the vendor in carrying out the provisions of the contract with the Government include features and functions that enable the timely decryption of encrypted data, including communications, or timely access to plaintext, by an authorized party without the knowledge or cooperation of the person using such encryption products or services. SEC. 204. PRODUCT LABELS. An encryption product may be labeled to inform Government users that the product is authorized for sale to or for use by Government agencies or Government contractors in transactions and communications with the United States Government under this title. SEC. 205. NO PRIVATE MANDATE. The United States Government may not require the use of encryption standards for the private sector except as otherwise authorized by section 204. SEC. 206. EXCLUSION. Nothing in this title shall apply to encryption products and services used solely for access control, authentication, integrity, nonrepudiation, digital signatures, or other similar purposes. TITLE III--EXPORTS OF ENCRYPTION SEC. 301. EXPORTS OF ENCRYPTION. (a) Authority To Control Exports.--The President shall control the export of all dual-use encryption products. (b) Authority To Deny Export for National Security Reasons.--Notwithstanding any provision of this title, the President may deny the export of any encryption product on the basis that its export is contrary to the national security. (c) Decisions Not Subject to Judicial Review.--Any decision based on national security that is made by the President or his designee with respect to the export of encryption products under this title shall not be subject to judicial review. SEC. 302. LICENSE EXCEPTION FOR CERTAIN ENCRYPTION PRODUCTS. (a) License Exception.--Upon the enactment of this Act, any encryption product with an encryption strength of 64 bits or less shall be eligible for export under a license exception if-- (1) such encryption product is submitted for a 1-time technical review; (2) such encryption product does not require licensing under otherwise applicable regulations; (3) such encryption product is not intended for a country, end user, or end use that is by regulation ineligible to receive such product, and the encryption product is otherwise qualified for export; (4) the exporter, within 180 days after the export of the product, submits a certification identifying-- (A) the intended end use of the product; and (B) the name and address of the intended recipient of the product, where available; (5) the exporter, within 180 days after the export of the product, provides the names and addresses of its distribution chain partners; and (6) the exporter, at the time of submission of the product for technical review, provides proof that its distribution chain partners have contractually agreed to abide by all laws and regulations of the United States concerning the export and reexport of encryption products designed or manufactured within the United States. (b) One-Time Technical Review.--(1) The technical review referred to in subsection (a) shall be completed within no longer than 45 days after the submission of all of the information required under paragraph (2). (2) The President shall specify the information that must be submitted for the 1-time technical review referred to in this section. (3) An encryption product may not be exported during the technical review of that product under this section. (c) Periodic Review of License Exception Eligibility Level.--(1) Not later than 180 days after the date of the enactment of this Act, the President shall notify the Congress of the maximum level of encryption strength, which may not be lower than 64-bit, that may be exported from the United States under license exception pursuant to this section consistent with the national security. (2) The President shall, at the end of each successive 180-day period after the notice provided to the Congress under paragraph (1), notify the Congress of the maximum level of encryption strength, which may not be lower than that in effect under this section during that 180-day period, that may be exported from the United States under a license exception pursuant to this section consistent with the national security. (d) Factors Not To Be Considered.--A license exception for the exports of an encryption product under this section may be allowed whether or not the product contains a method of decrypting encrypted data. SEC. 303. DISCRETIONARY AUTHORITY. Notwithstanding the requirements of section 305, the President may permit the export, under a license exception pursuant to the conditions of section 302, of encryption products with an encryption strength exceeding the maximum level eligible for a license exception under section 302, if the export is consistent with the national security. SEC. 304. EXPEDITED REVIEW AUTHORITY. The President shall establish procedures for the expedited review of commodity classification requests, or export license applications, involving encryption products that are specifically approved, by regulation, for export. SEC. 305. ENCRYPTION LICENSES REQUIRED. (a) United States Products Exceeding Certain Bit Length.--Except as permitted under section 303, in the case of all encryption products with an encryption strength exceeding the maximum level eligible for a license exception under section 302, which are designed or manufactured within the United States, the President may grant a license for export of such encryption products, under the following conditions: (1) There shall not be any requirement, as a basis for an export license, that a product contains a method of-- (A) gaining timely access to plaintext; or (B) gaining timely access to decryption information. (2) The export license applicant shall submit-- (A) the product for technical review; (B) a certification, under oath, identifying-- (i) the intended end use of the product; and (ii) the expected end user or class of end users of the product; (C) proof that its distribution chain partners have contractually agreed to abide by all laws and regulations of the United States concerning the export and reexport of encryption products designed or manufactured within the United States; and (D) the names and addresses of its distribution chain partners. (b) Technical Review for License Applicants.--(1) The technical review described in subsection (a)(3)(A) shall be completed within 45 days after the submission of all the information required under paragraph (2). (2) The information to be submitted for the technical review shall be the same as that required to be submitted pursuant to section 302(b)(2). (3) An encryption product may not be exported during the technical review of that product under this section. (c) Post-Export Reporting.-- (1) Unauthorized use.--All exporters of encryption products that are designed or manufactured within the United States shall submit a report to the Secretary at any time the exporter has reason to believe any such exported product is being diverted to a use or a user not approved at the time of export. (2) Pirating.--All exporters of encryption products that are designed or manufactured within the United States shall report any pirating of their technology or intellectual property to the Secretary as soon as practicable after discovery. (3) Distribution chain partners.--All exporters of encryption products that are designed or manufactured within the United States, and all distribution chain partners of such exporters, shall submit to the Secretary a report which shall specify-- (A) the particular product sold; (B) the name and address of-- (i) the ultimate end user of the product, if known; or (ii) the name and address of the next purchaser in the distribution chain; and (C) the intended use of the product sold. (d) Exercise of Other Authorities.--The Secretary, the Secretary of Defense, and the Secretary of State may exercise the authorities they have under other provisions of law, including the Export Administration Act of 1979, as continued in effect under the International Emergency Economic Powers Act, to carry out this title. (e) Waiver Authority.-- (1) In general.--The President may by Executive order waive any provision of this title, or the applicability of any such provision to a person or entity, if the President determines that the waiver is necessary to advance the national security. The President shall, not later than 15 days after making such determination, submit a report to the committees referred to in paragraph (2) that includes the factual basis upon which such determination was made. The report may be in classified format. (2) Committees.--The committees referred to in paragraph (1) are the Committee on International Relations, the Committee on Armed Services, and the Permanent Select Committee on Intelligence of the House of Representatives, and the Committee on Foreign Relations, the Committee on Armed Services, and the Select Committee on Intelligence of the Senate. (3) Decisions not subject to judicial review.--Any determination made by the President under this subsection shall not be subject to judicial review. SEC. 306. ENCRYPTION INDUSTRY AND INFORMATION SECURITY BOARD. (a) Encryption Industry and Information Security Board Established.--There is hereby established an Encryption Industry and Information Security Board. The Board shall undertake an advisory role for the President. (b) Purposes.--The purposes of the Board are-- (1) to provide a forum to foster communication and coordination between industry and the Federal Government on matters relating to the use of encryption products; (2) to enable the United States to effectively and continually understand the benefits and risks to its national security, law enforcement, and public safety interests by virtue of the proliferation of strong encryption on the global market; (3) to evaluate and make recommendations regarding the further development and use of encryption; (4) to advance the development of international standards regarding interoperability and global use of encryption products; (5) to promote the export of encryption products manufactured in the United States; (6) to recommend policies enhancing the security of public networks; (7) to encourage research and development of products that will foster electronic commerce; (8) to promote the protection of intellectual property and privacy rights of individuals using public networks; and (9) to evaluate the availability and market share of foreign encryption products and their threat to United States industry. (c) Membership.--(1) The Board shall be composed of 12 members, as follows: (A) The Secretary, or the Secretary's designee. (B) The Attorney General, or his or her designee. (C) The Secretary of Defense, or the Secretary's designee. (D) The Director of Central Intelligence, or his or her designee. (E) The Director of the Federal Bureau of Investigation, or his or her designee. (F) The Special Assistant to the President for National Security Affairs, or his or her designee, who shall chair the Board. (G) Six representatives from the private sector who have expertise in the development, operation, marketing, law, or public policy relating to information security or technology. Members under this subparagraph shall each serve for 5-year terms. (2) The six private sector representatives described in paragraph (1)(G) shall be appointed as follows: (A) Two by the Speaker of the House of Representatives. (B) One by the Minority Leader of the House of Representatives. (C) Two by the Majority Leader of the Senate. (D) One by the Minority Leader of the Senate. (e) Meetings.--The Board shall meet at such times and in such places as the Secretary may prescribe, but not less frequently than every four months. The Federal Advisory Committee Act (5 U.S.C. App.) does not apply to the Board or to meetings held by the Board under this section. (f) Findings and Recommendations.--The chair of the Board shall convey the findings and recommendations of the Board to the President and to the Congress within 30 days after each meeting of the Board. The recommendations of the Board are not binding upon the President. (g) Limitation.--The Board shall have no authority to review any export determination made pursuant to this title. (h) Foreign Availability.--The consideration of foreign availability by the Board shall include computer software that is distributed over the Internet or advertised for sale, license, or transfer, including over-the-counter retail sales, mail order transactions, telephone order transactions, electronic distribution, or sale on approval and its comparability with United States products and its use in United States and foreign markets. (i) Termination.--This section shall cease to be effective 10 years after the date of the enactment of this Act. TITLE IV--LIABILITY LIMITATIONS SEC. 401. COMPLIANCE WITH COURT ORDER. (a) No Liability for Compliance.--Subject to subsection (b), no civil or criminal liability under this Act, or under any other provision of law, shall attach to any person for disclosing or providing-- (1) the plaintext of encrypted data, including communications; (2) the decryption information of such encrypted data, including communications; or (3) technical assistance for access to the plaintext of, or decryption information for, encrypted data, including communications. (b) Exception.--Subsection (a) shall not apply to a person who provides plaintext or decryption information to another in violation of the provisions of this Act. SEC. 402. COMPLIANCE DEFENSE. Compliance with the provisions of sections 2803, 2804, 2805, or 2806 of title 18, United States Code, as added by section 103(a) of this Act, or any regulations authorized by this Act, shall provide a complete defense for any civil action for damages based upon activities covered by this Act, other than an action founded on contract. SEC. 403. GOOD FAITH DEFENSE. An objectively reasonable reliance on the legal authority provided by this Act and the amendments made by this Act, authorizing access to the plaintext of otherwise encrypted data, including communications, or to decryption information that will allow the timely decryption of data, including communications, that is otherwise encrypted, shall be an affirmative defense to any criminal or civil action that may be brought under the laws of the United States or any State. TITLE V--INTERNATIONAL AGREEMENTS SEC. 501. SENSE OF CONGRESS. It is the sense of Congress that-- (1) the President should conduct negotiations with foreign governments for the purposes of establishing binding export control requirements on strong nonrecoverable encryption products; and (2) such agreements should safeguard the privacy of the citizens of the United States, prevent economic espionage, and enhance the information security needs of the United States. SEC. 502. FAILURE TO NEGOTIATE. The President may consider a government's refusal to negotiate agreements described in section 501 when considering the participation of the United States in any cooperation or assistance program with that country. SEC. 503. REPORT TO CONGRESS. (a) Report to Congress.--The President shall report annually to the Congress on the status of the international effort outlined by section 501. (b) First Report.--The first report required under subsection (a) shall be submitted in unclassified form no later than September 1, 2000. TITLE VI--MISCELLANEOUS PROVISIONS SEC. 601. EFFECT ON LAW ENFORCEMENT ACTIVITIES. (a) Collection of Information by Attorney General.--The Attorney General shall compile, and maintain in classified form, data on-- (1) the instances in which encryption has interfered with, impeded, or obstructed the ability of the Department of Justice to enforce the laws of the United States; and (2) the instances where the Department of Justice has been successful in overcoming any encryption encountered in an investigation. (b) Availability of Information to the Congress.--The information compiled under subsection (a), including an unclassified summary thereof, shall be submitted to Congress annually beginning October 1, 2000. SEC. 602. INTERPRETATION. Nothing contained in this Act or the amendments made by this Act shall be deemed to-- (1) preempt or otherwise affect the application of the Arms Export Control Act (22 U.S.C. 2751 et seq.), the Export Administration Act of 1979 (50 U.S.C. App. 2401 et seq.), or the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) or any regulations promulgated thereunder; (2) affect foreign intelligence activities of the United States; or (3) negate or diminish any intellectual property protections under the laws of the United States or of any State. SEC. 603. FBI TECHNICAL SUPPORT. There are authorized to be appropriated for the Technical Support Center in the Federal Bureau of Investigation, established pursuant to section 811(a)(1) of the Antiterrorism and Effective Death Penalty Act of 1996 (Public Law 104 132)-- (1) $25,000,000 for fiscal year 2000 for building and personnel costs; (2) $20,000,000 for fiscal year 2001 for personnel and equipment costs; (3) $15,000,000 for fiscal year 2002; and (4) $15,000,000 for fiscal year 2003. SEC. 604. SEVERABILITY. If any provision of this Act or the amendments made by this Act, or the application thereof, to any person or circumstances is held invalid by a court of the United States, the remainder of this Act or such amendments, and the application thereof, to other persons or circumstances shall not be affected thereby. PURPOSE The House Permanent Select Committee on Intelligence sought referral of H.R. 850, the ``Security and Freedom through Encryption (SAFE) Act,'' as reported by the House Committee on the Judiciary, because the bill impacts directly upon matters relating to the intelligence and intelligence-related activities and national security capabilities of the Intelligence Community. Specifically, the bill will have a profound effect on the intelligence, counter-intelligence, and counter-terrorism responsibilities of the Department of Defense, the National Security Agency, the Department of Justice, and the Federal Bureau of Investigation, to name but a few of those Intelligence Community agencies within this Committee's jurisdiction. The legislation as introduced or reported by the Committees on the Judiciary, International Relations, and Commerce, raises serious issues of great significance to our national security and public safety. Because of the significant risk to the intelligence and intelligence-related activities and capabilities of the United States the Committee determined that it needed to act in a comprehensive manner. The paramount duty of government is to protect its citizens from harm to their persons or property. Fundamental to a free society, however, is a delicate balance between the need to defend the nation's security and preserving the liberties of the people endowed by their Creator. The balance achieved in the Constitution and the Bill of Rights provides a clear backdrop against which the Committee's legislative action should be considered. During the Committee's consideration of H.R. 850 it was determined that the SAFE Act did not adequately address the national security and public safety interests at stake in the public policy debate over encryption legislation. Government official, after government official, advised the Committee that strong encryption is being used to facilitate drug trafficking, child pornography, terrorism, espionage, and myriad other crimes. Proponents of the SAFE Act urged the Committee to ignore the concern of these witnesses and to leave the management of encryption policy to the marketplace. They argued that it was too late to do anything about the widespread use of strong encryption. They asserted that the ``genie was out of the bottle'' and could not be put back in. They claimed that any effort to continue control of encryption technology would be a losing proposition that would harm industry. They rejected the enormous consequences described by the government officials charged with the duty to protect the national security and defend the public safety. The Committee considered the arguments of the SAFE Act proponents and the administration officials and struck a balance. The Committee's amendment, the ``Encryption for the National Interest Act,'' gives the government the authority: To access the plaintext of encrypted information, through the use of court orders, during lawful criminal, foreign intelligence, and international terrorist investigations; To control encryption exports in defense of the national security; To procure and use encryption products with recoverability features; and To improve their technical capabilities against the widespread use of strong encryption. But, at the same time, the Encryption for the National Interest Act assures the industry and the cyber-libertarians that their concerns have too been heeded. The bill provides that: U.S. persons can use any encryption product of any strength regardless of whether it contains access to plaintext capabilities; All access to plaintext or decryption information will be upon the order of a judge after an appropriate showing by the government; Civil and criminal sanctions can be imposed upon those who misuse the decryption information of any other person; and Electronic audit trails are required whenever law enforcement accesses the plaintext or decryption information of an encryption user. The Encryption for the National Interest Act asserts that the nation's security and the protection of its citizens are worthy objectives of the federal government and its principal obligation. The Encryption for the National Interest Act also, however, seeks to establish a dynamic and constructive framework for continued cooperation between government and industry to achieve a workable solution to this extremely vexing issue facing the nation. It does not preclude continued American competitiveness in an increasingly competitive global market, yet secures the right of the Commander-in-Chief to defend our interests against those who wish us harm. It does not turn national security and public security over to the random behavior of the marketplace. The Encryption for the National Interest Act achieves a compromise in the best interests of all protagonists in this public debate: industry, national security, public safety, and privacy. The Committee's amendment was adopted upon a unanimous voice vote of the Committee, and H.R. 850 was ordered reported favorably to the House, as amended by the Committee. SUMMARY SECTION-BY-SECTION ANALYSIS Section 1.--Short title and table of contents This section provides the title of the bill as the ``Encryption for the National Interest Act'' and a table of contents. Section 2.--Statement of policy This section sets forth the policy of the United States with respect to encryption technology. Section 3.--Congressional findings This section sets forth the findings of Congress as to the important role information security technology, encryption, plays in relaying and protecting intelligence information, linking policy makers, establishing an effective foreign policy, protecting United States banking and financial systems and critical infrastructure, and citizens from such crimes as fraud, theft, drug trafficking, espionage, terrorism, money laundering, and child pornography, among other serious offenses. TITLE I--DOMESTIC USE OF ENCRYPTION Section 101.--Definitions This section establishes the definitions of specific terms used throughout the bill. Section 102.--Lawful use of encryption This section makes clear that, except as otherwise provided, it is lawful to use encryption products, regardless of algorithm length selected, encryption key length chosen, or implementation technique or medium used. Section 103.--Unlawful use of encryption This section amends Title 18, United States Code, by new sections 2801 through 2807 within new chapter 122, which bears the heading, ``Chapter 122 Encrypted Data, Including Communications.'' New section 2801 of Title 18, United States Code, would make it a criminal offense to use encryption in furtherance of the commission of a federal crime. The penalties attached to such crimes would be in addition to any sentence imposed for the underlying offense. For first time offenders, a fine under Title 18, United States Code, or both. For repeat offenders of this provision, the jail time is potentially no more than 10 years. This section also makes clear that merely using encryption, without additional facts, cannot be the basis for a probable cause determination. New section 2802 creates several new crimes. First, it makes it illegal to intentionally obtain or use decryption information without lawful authority in order to decrypt data, including information. In addition, it makes it a criminal offense to exceed lawful authority in decrypting data, including communications. This new section would make the breaking of encryption code of another without lawful authority and with the purpose of violating that person's privacy or security, or for the purpose of depriving that person of his or her property a criminal violation of law. Furthermore this section would make it a criminal offense to assist in the encryption of data knowing that such data, including communications are to be used in furtherance of a crime. New section 2803 sets forth the standards and procedures for the issuance of a court order granting an investigative or law enforcement officer timely access to the plaintext of otherwise encrypted data, including communications, or compelling the provision of decryption information to an investigative or law enforcement officer that has a lawful basis to obtain that data. The application for such order must be made by an attorney for the government. That application must establish facts supporting the finding that the plaintext of decrypted information is relevant to an on-going lawful law enforcement, foreign counterintelligence, or international terrorist investigation. The application and any order issued thereon shall be made ex parte and placed under seal. Disclosure of the application or order is not authorized, except as may be otherwise permitted by this section or another order of the court. This section also requires that the court granting access to plaintext or the disclosure of decryption information, shall also ensure that a verifiable audit trail of any access to plaintext or decrypted information be maintained. The record will be tendered to the court upon an order of the court. Subsection (d) clarifies that nothing in this new chapter shall be read to expand or modify any other constitutional or statutory requirement under which a government entity is entitled to intercept or obtain oral, wire, or electronic communications or information. Subsection (e) mandates a strict construction of this new chapter so that it is read only to apply to a government entity's ability to decrypt or otherwise gain access to the plaintext data, including communications, for which it previously obtained lawful authority to intercept or obtain. New section 2804 provides the users of encryption products with a statutory right to be notified when their decryption information is provided to law enforcement, or when law enforcement is granted access to the plaintext of their data, including communications. This section provides for a delayed notification to the user so as not to jeopardize the integrity of the on-going criminal investigation, foreign counterintelligence, or international terrorist investigation. Basically, the user must be notified within 90 days after the filing of an application for the decryption information, or for access to the plaintext, unless the judge finds good cause warranting delay. Specifically, however, neither any of the decrypted contents of the encrypted information that has been obtained, nor any evidence derived therefrom may be used in any proceeding unless the user has been furnished with a copy of the order, application, and the data, including communications. The user may move to suppress the use of any of the plaintext or evidence derived therefrom in any proceeding on the grounds that the plaintext or the decryption information was unlawfully obtained. This section also provides aggrieved persons with a civil cause of action for any violations of this new chapter. New section 2805 limits the lawful uses of plaintext or decryption information obtained under this chapter. It may be used for the purposes of conducting a lawful criminal or foreign counterintelligence or terrorist investigation and for the purposes of preparing for and prosecuting any criminal violation of law. It may not be disclosed to any party to a civil suit that does not arise from criminal investigation or prosecution, unless a court finds that there is no alternative means of obtaining the plaintext, or decryption information and that the interests of justice would not be served by nondisclosure. This section further clarifies that decryption information may not be used to determine the plaintext unless the officer possesses other lawful authority to plaintext. This section also outlines the procedures for returning or destroying any decryption information upon the conclusion of the investigation, trial, or proceeding. This section also places limitations upon any person acting as a key recovery agent. It specifies whom and under what circumstances a key recovery agent may provide decryption information to another person. New section 2806 requires those who are providing decryption information to an investigative or law enforcement officer to so identify that information in order to avoid any inadvertent disclosure. The officer is responsible for maintaining the decryption information in such a manner so as reasonably to ensure against inadvertent disclosure. New section 2807 states that the same definitions set forth in section 101 of the ``Encryption for the National Interest Act'' shall apply to this chapter. TITLE II--GOVERNMENT PROCUREMENT Section 201.--Federal purchases of encryption products This section permits the United States government to purchase encryption products enabling the timely decryption by an authorized party, without the knowledge or cooperation of the person using the encryption product. This requirement only applies to those products or services purchased or procured by the United States government for data confidentiality for computer systems armed or operated by the United States. The Committee believes that a ``National Information Assurance Plan'' is needed to ensure that the data, including communications, of the United States government are secure. To this end the Committee requests that the President submit to the Permanent Select Committee on Intelligence and the Committee on Armed Services of the House of Representatives and the Select Committee on Intelligence and the Committee on Armed Services of the Senate within 120 days after enactment of this Act a report that outlines the national information assurance plan and policy for the United States government. The Committee believes that any plan or policy developed should include the following goals, which should be addressed in the report to be submitted to the congressional committees: (1) The protection of the Federal Government's information infrastructure against hostile penetration by ensuring the Federal Government's use of the strongest possible information assurance products, including encryption, in secure configurations and applications; (2) A requirement that the Federal Government use products designed or manufactured in the United States enabling the recovery of information pursuant to lawful authority; and (3) A requirement that the Federal Government use reliable authentication products designed or manufactured in the United States so that the Federal Government knows who is accessing its systems. Section 202.--Networks established with federal funds This section permits the President to require that any communications network that is established for the purpose of conducting the business of the Federal Government must use encryption products that include techniques enabling the timely decryption of data, including communications, without the knowledge or cooperation of the person using the encryption product or service. It is not intended that private communications networks that might benefit from federal grants fall within this requirement. Nor is it intended that this section include the Internet, although it is understood that there may be government business that is conducted via the Internet. Section 203.--Government contract authority This section grants to the President of the United States the authority to require, as a condition of any contract by the United States government with a private vendor that any encryption product used by the vendor in carrying out the provisions of the contract include features and functions that enable the decryption of encrypted data, including communications, or timely access to plaintext by an authorized party without the knowledge or cooperation of the person using such encryption products or services. Section 204.--Product labels This section allows for the labeling of encryption products so that purchasers and users are aware that the product is authorized for sale to, or for use in transactions with, the United States government. Section 205.--No private mandate This section specifies that the United States government may not require the use of encryption standards for the private sector except as otherwise authorized by section 203. Section 206.--Exclusion This section clarifies that nothing in this title shall apply to encryption products and services used solely for access control, authentication, integrity, non-repudiation, digital signatures, or other similar purposes. TITLE III--EXPORTS OF ENCRYPTION Section 301.--Exports of encryption Subsection (a) authorizes the President to control the export of all dual-use encryption products. Subsection (b) grants the President the authority to deny the export of any encryption product on the basis that its exportation would be contrary to the national security interests of the United States. Subsection (c) specifies that all national security decisions made by the President, or his designee, under this title shall not be subject to judicial review. Section 302.--License exception for certain encryption products Subsection (a) sets forth criteria for the export of those encryption products with an encryption strength of 64 bits or less under a license exception. The product must be submitted for a 1-time technical review, not require licensing under otherwise applicable regulations, and not be intended for a country, end-user, or end use that is otherwise ineligible to receive such products. In addition, the exporter must within six months after export supply the names and addresses of its distribution chain partners, and identify the intended end user (if available) or use of the product. The exporter must provide proof that its distribution chain partners have contractually agreed to abide by all laws and regulations of the United States regarding export and re-export of encryption products. Subsection (b) sets a time limit of 45 days after submission for all information required for the technical review for the completion of the review referred to in subsection (a). Subsection (c) requires that the President notify Congress every six months of the maximum strength level encryption that may be exported under a license exception pursuant to this section without harm to national security. The initial maximum bit level for which products can be exported under this exception shall not be less than 64 bits. This brings U.S. policy in line with Waasenaar Arrangement commitments. At the end of each successive 180-day period, the President shall notify Congress of the maximum encryption bit level that may be exported under license exception. The levels cannot be reduced once raised by the President. This report will ensure that the Administration review on a regular, short-term basis, which is necessary given the dynamic nature of technology, the appropriate level to allow products out under a license exception. Subsection (d) enables the export of a product under a license exception that meets the criteria set forth in section 302(a), regardless of whether the product contains a method of decrypting encrypted data. There is no requirement that recoverability features be included in the product for this section to apply. Section 303.--Discretionary authority Section 303 authorizes the President to allow the export, under a license exception, of encryption products with bit lengths greater than that level set through operation of section 302, subject to the conditions of section 302, if the export would be consistent with the national security interest of the United States. This provision ensures that export of those 128-bit encryption products currently allowed under a license exception may continue after enactment of the Act. Section 304.--Expedited authority This section grants the President authority to establish procedures for expediting the review of commodity classification requests, or export license applications involving encryption products that are specifically approved, by regulation, for export. Section 305.--Encryption licenses required Subsection (a) establishes criteria the President shall employ in the review and granting of a license for export of encryption products exceeding the maximum level eligible for license exception under section 302. Products being considered for export determinations shall not be required to contain features or functions for the timely access to plaintext or decryption information. In addition, any bit length encryption product is eligible for export under this section. The license applicant is responsible for submitting the product for technical review, certifying under oath the intended end user, the end use of the product, and providing the names and addresses of its distribution chain partners. The exporter must certify that these distributors are contractually obligated to abide by all laws and regulations of the United States concerning the export and re-export of encryption products and services. Subsection (b) further clarifies that the technical review described in subsection (a) to be completed within 45 days after product submission and no export shall occur during the technical review. Subsection (c) sets forth post-export reporting requirements to be submitted to the Secretary of Commerce. Reports shall be filed specifically when the exporter believes the exported encryption products or services are being diverted to a user or use not approved for export, or the exporter has detected pirating of their technology or intellectual property. In addition, all exporters and their distribution chain partners shall report the names and addresses of the next purchaser in the distribution chain. Subsection (d) clarifies that the Secretaries of Commerce, Defense, and State may exercise the authority they have under other provisions of law, specifically the International Emergency Economic Powers Act. Subsection (e) provides the President with the authority to waive any provision of this title for national security purposes. Requires the President to report to the relevant committees of Congress within 15 days after this authority is used. The determination made by the President shall not be subject to judicial review. Section 306.--Encryption industry and information security board This section establishes an Encryption Industry and Information Security Board (``EIIS'') to advise the President on future encryption policy and technological advancements that might serve to alter the United States policy on encryption products. This section also defines the purposes of the board. It further specifies that the Board shall be composed of 12 members, and how those members shall be appointed. In addition to the Secretary of Commerce, Secretary of Defense, Attorney General, the Director of Central Intelligence, the Director of the Federal Bureau of Investigation, and the Special Assistant to the President for National Security Affairs, or their designees; six representatives from the private sector who have expertise in development, operation, marketing, law, and public policy relating to information security or technology shall be appointed by Congressional Leadership. The Board will have no authority to challenge or review an export determination made pursuant to this Act. The Board will report to the President and the Congress. This section will cease to be effective 10 years after the date of enactment. TITLE IV--LIABILITY LIMITATIONS Section 401.--Compliance with court order This section states that a person shall not be subject to civil or criminal liability under this Act, or under any other provision of law, for acting in compliance with a court order compelling the disclosure of plaintext or decryption information. Section 402.--Compliance defense This section provides a complete defense for any non-contract action for damages based upon activities covered by the Act as long as the person complies with the provisions of sections 2803, 2804, 2805, and 2806 of Title 18, United States Code, as amended by section 103(a) of this Act, or any regulations authorized by this Act. Section 403.--Good faith defense This section provides anyone who relies on the legal authority provided under this Act as the basis for providing an investigative or law enforcement officer with access to the plaintext of otherwise encrypted data, including communications, or for providing such officer with decryption information, a complete defense to any criminal or civil action arising therefrom. TITLE V--INTERNATIONAL AGREEMENTS Section 501.--Sense of Congress This section expresses the Sense of Congress that the President should negotiate with foreign governments to establish binding export control requirements on nonrecoverable encryption products. Any agreement should safeguard the privacy of U.S. persons, prevent economic espionage, and enhance the information security needs of the United States. Section 502.--Failure to negotiate This section permits the President to take a country's refusal to negotiate into consideration when making decisions about U.S. participation in any cooperation or assistance program with that country. Section 503.--Report to Congress This section requires an annual report to Congress on the status of the negotiations, with the first report due September 1, 2000. TITLE VI--MISCELLANEOUS PROVISIONS Section 601.--Effect on law enforcement activities This section requires the Attorney General to compile, and maintain in classified form, information on those instances where encryption has posed problems in the enforcement of federal laws. This information will be available to any Member of Congress upon request. Section 602.--Interpretation This section clarifies the relationship of the bill to the interpretation of certain laws: the bill does not preempt the application of other important export control acts, including: the Arms Export Control Act, the Export Administration Act, or the International Emergency Powers Act. It shall not affect foreign intelligence activities of the United States; nor does it diminish the intellectual property protections provided by the laws of the U.S. or of any State. Section 603.--FBI technical support This section authorizes appropriations totaling $75 million for fiscal years 2000 through 2003 to the Federal Bureau of Investigation for the Technical Support Center established pursuant to section 811(a)(1) of the Antiterrorism and Effective Death Penalty Act of 1996. (P.L. 104 132) Section 604.--Severability This section permits any court reviewing this Act to sever any provision from the remainder of the Act, so as not to find the Act invalid in its entirety. BACKGROUND AND NEED FOR LEGISLATION BENEFITS OF STRONG ENCRYPTION There is little doubt that strong encryption has enormous benefits for society. For our national security apparatus, it is invaluable and essential to secure the flow of intelligence information, enhance our ability to execute foreign policy, and ensure the protection of the 1.4 million men and women of our armed forces deployed around the world. It is fundamental to protecting the Nation's critical infrastructures, such as power grids, telecommunications, and transportation facilities. Strong encryption is a remarkable tool that has aided the advancement of the Internet. It has been one factor in the explosive growth of on-line commerce, banking, investments, telemedicine, and legal services, to name only a few areas where the Internet has changed our daily lives. Encryption also advances the interests of law enforcement where it is used for legitimate purposes, because it can and does shield on-line activities from criminals interested in stealing personal financial data, credit card information, or national secrets, for example. But, as crucial as it is to the protection of information, it can be equally harmful to our Nation's security and the public's safety. PROBLEMS WITH H.R. 850, AS REFERRED TO THE COMMITTEE After all, the benefit that strong encryption provides to the individual legitimate encryption user is equally provided to the person with criminal intent. Our laws should not preclude lawful investigation of criminal activity. Our laws should enhance the Nation's security and public safety. The SAFE Act (H.R. 850), as reported by the Committee on the Judiciary, would deny law enforcement authorities the opportunity to obtain evidence--evidence to which they are statutorily authorized to obtain--simply because a criminal decided to encrypt it. Under that bill, the child pornographer will be able to operate with impunity. The terrorist will be able to communicate with his comrades. He will be able to plan and execute his cowardly acts without fear that he will be identified or brought to justice. Spies would operate without fear of discovery. The drug trafficker will be able to arrange for distribution of his poison and collection of the thousands or millions of dollars made in the deal. He will be able to launder his proceeds unconcerned that his activities have caught the attention of the law enforcement authorities. Those that engage in the proliferation of weapons of mass destruction will be able to continue their menacing activities unhindered by our national security apparatus or intelligence collectors. Allowing the unchecked export of unbreakable encryption to all markets and all users across the globe presents a series of challenges that the national security agencies of the United States cannot meet or overcome simply by employing faster and more powerful computers. The consequences of such a policy would be devastating. Criminals and international thugs wishing to do harm to the people of the United States would have available to them an ``electronic sanctuary.'' Legislation that precludes the federal government from using encryption products that permit the recovery of data or communications is irresponsible. The SAFE Act has been read to do just this. With the time it would take to break just one 128-bit encrypted message (many times the age of the universe), annihilation would be quicker than our ability to protect ourselves. Without an ability to undo quickly an encryption code, the people of this country could suffer unfathomable harm. Similarly, child pornographers could distribute their filth unimpeded. Pedophiles could secretly entice the children of America into their clutches. Drug traffickers will make their plans to deliver larger and larger amounts of cocaine, heroin, marijuana, and other narcotics without the slightest concern that they will be detected. Terrorists and spies can cause unspeakable damage without even the possibility of being stopped before it is too late. In a world governed by policies espoused by the SAFE Act, protecting America, her interests, and her citizens becomes a far riskier endeavor. While the SAFE Act does not on its face remove export controls, the regime it would establish is so fraught with exceptions and limitations on government authority that control might as well be non-existent. The SAFE Act does acknowledge, however, that the nation's security should override an ability to export on occasion. Yet, the circumstances under which the SAFE Act would authorize denial of exports are limited only to those instances where the Secretary of Commerce has ``substantial evidence'' that the product intended for export was going to Iran, Iraq, North Korea, Libya, Sudan, Cuba, and Syria, or has ``substantial evidence'' that a specific product would be used by foreign militaries or terrorists. First, there is no role under the SAFE Act for the participation of the national security apparatus of the United States in such decisions not to export. Secondly, there can be no doubt that these two factors cover only a fraction of all situations that present threats to our national security interests. A broader authority to deny exports must be provided in order to ensure the nation's security in an age of constantly changing political realities. Expert witnesses before the Committee and Congress have provided compelling and sobering testimony about the lack of balance in H.R. 850 as reported from the Judiciary Committee. The administration opposes any encryption legislation that is not balanced. ``The current version [of H.R. 850] does not balance the needs of privacy and business, public safety, and national security, * * *.'' Testimony of Janet Reno, Attorney General of the United States, before the House Permanent Select Committee on Intelligence on July 14, 1999. ``The proposed SAFE Act does not include any provisions aimed at improving law enforcement's ability to perform its public safety mission in an encrypted world.'' Id. ``The objective of the legislation is unfettered encryption which has no concern for public safety and, in all reality, eliminates any concerns for public safety in the future.'' Testimony of Thomas A. Constantine, former Administrator, Drug Enforcement Administration, before the House Permanent Select Committee on Intelligence on July 14, 1999 (hereinafter ``Constantine Test.''). ``The [SAFE Act] * * * will harm law enforcement, will harm public safety, will harm national security, and lives will be lost * * *.'' Testimony of Louis J. Freeh, Director, Federal Bureau of Investigation, before the House Committee on Armed Services on July 13, 1999. ``[R]ather than a SAFE Act * * * I would call it the `Drug Lords Protection Act.''' Constantine Test. ``[T]he SAFE Act will harm national security by making [NSA's] job of providing critical, actionable intelligence to our leaders and military commanders difficult, if not impossible, thus putting our nation's security at considerable risk.'' Testimony of Barbara A. McNamara, Deputy Director, National Security Agency, before the House Committee on Armed Services on July 13, 1999. ``H.R. 850 * * * would be a tidal wave that would crush your national security and law enforcement agencies that are protecting this country.'' Testimony of John J. Hamre, Deputy Secretary, Department of Defense, before the House Committee on Armed Services on July 13, 1999. ``[T]here are real national security and law enforcement costs to the policy that is articulated by the [SAFE Act]. * * *'' Testimony of William Reinsch, Undersecretary of Commerce for Export Administration, Department of Commerce (hereinafter ``Reinsch Test.''), before the House Committee on Armed Services on July 13, 1999. ``[T]he bill in letter and spirit would destroy the balance we have worked so hard to achieve and would jeopardize our law enforcement and national security interests.'' Reinsch Test. before the House Permanent Select Committee on Intelligence on June 9, 1999. Importantly, during his appearance before the HPSCI on June 9, 1999, Mr. Goodlatte, the author of the SAFE Act, conceded that a balance needed to be achieved on this issue. Mr. Goodlatte stated that he shared the serious national security and law enforcement concerns at stake in this debate. Testimony of Representative Bob Goodlatte (hereinafter ``Goodlatte Test.'') before the House Permanent Select Committee on Intelligence on June 9, 1999, at pp. 26, 27, 28, 52. He claimed his bill was not designed to eliminate all export controls, which was a significant concession. Goodlatte Test. at pp. 21, 30. It is a testament to the notion that we cannot place market share and larger profits ahead of the nation's security and the public's safety. It further reemphasizes the concept that there must be accommodation in the encryption export control policy to assure the national security and the interests of the industry. Mr. Goodlatte's support for export controls in certain circumstances extends to the foundational concept that export controls can be used to protect against threats to the national security of the United States. Goodlatte Test. at pp. 31, 44. He also testified that it was not the intent of his legislation to deny law enforcement the ability to gain access to plaintext or decryption information, where it was available. Goodlatte Test. at pp. 34, 53, 77. See also Report of the Committee on the Judiciary to Accompany H.R. 850, House Report 106 117, Part 1, at p. 8 (April 27, 1999) (``Just as new technology should not take away the longstanding rights of citizens against government, it also should not take away the traditional means for legitimate law enforcement and national security investigations.'') He was open to modification of the ``substantial evidence'' standard his bill uses to preclude an export of encryption to terrorists and militaries in order to alleviate the risks attendant to the export of encryption throughout the world. Goodlatte Test. at pp. 38, 43, 44. He further contended that it was not the intent of his legislative proposal to preclude the federal government, or state and local governments, from using encryption products that have features or functions that permit the recovery of data when those government entities find it necessary to use such products. Goodlatte Test. at pp. 77. Although not included anywhere in his legislation, Mr. Goodlatte also supports the provision of more and better resources to federal, state, and local law enforcement so they can more adequately meet the challenges of widespread use of strong encryption. Goodlatte Test. at pp. 25, 28, 53, 54. BALANCED APPROACH IS NEEDED The HPSCI reported amendment, the ``Encryption for the National Interest Act,'' strives to balance the needs of law enforcement, national security, industry, and privacy. It advances the interests of all sectors engaged in this debate, yet requires some sacrifice on the part of each, as well. The Committee amendment preserves law enforcement's crime fighting and public safety capabilities by providing clear authority through judicial processes to access the plaintext or decryption information, without the target of the investigation's knowledge or cooperation. It does not, however, require key escrow, or mandate key recovery. Key recovery is a non-factor for domestic use and for export considerations. In addition to laying the framework for a national information assurance program, the Committee's amendment will relax the current export control policy of the United States on encryption products to bring the policy in line with the government's commitments under the Waasenaar Arrangement. In other words, where now only those products of 56-bit strength and lower can be exported under a license exception, upon enactment of the HPSCI amendment, all products of 64-bit strength and lower will be allowed for export in this manner. All products in excess of 64-bits will require a license prior to export, unless granted a waiver. This will permit the export of any bit-length encryption product under license exception conditions to those sectors that pose little or no risk to national security. Of course, prior to the first export of any encryption product, the Committee's amendment will still require a technical review to be conducted. Furthermore, the Committee's amendment requires the administration to review its encryption export policies on a more regularized basis than is currently done. The amendment requires a semi-annual look at export policy and certifications to Congress with respect to the results of this review. The Committee's amendment also streamlines export reporting requirements in an effort to reduce the burdensome and costly paperwork that is the bane of the industry. It does not remove these requirements completely, as the SAFE Act does, because there is significant national security utility in such reporting and the Committee determined it should continue in some form. Importantly, the Encryption for the National Interest Act preserves the President's authority to protect national security by authorizing him, or his designee, to deny an export of an encryption product based on national security grounds. This is an acknowledgement that the conduct of foreign policy and the protection of the citizens of the United States cannot be tied to only a couple of particular threats. The exigencies of our role as the world's only superpower must be accommodated and our export control regime must reflect the need for such flexibility. The Committee's amendment permits the federal government to procure and utilize encryption products with recoverability features for the conduct of the government's business. Likewise, the federal government will be permitted to require that its contractors use recoverable encryption products for the conduct of the government's business pursuant to the government contract. This authority does not permit, however, the government to require contractors to use such products in the course of their private sector, non-governmental business activities. Finally, the Committee's amendment establishes an advisory board to assist the President in his determination of appropriate encryption export policies and to foster government-industry cooperation on this important issue with significant ramifications for national security and public safety. Moreover, the Committee's legislative initiative authorizes the appropriation of $75 million to build, equip, and maintain the FBI's Technical Support Center. This Center will help move law enforcement at all levels forward in this age of high technology. It will help law enforcement meet and overcome the substantial challenges presented in a world where strong encryption will be commonplace. The Committee's Ranking Democrat, Representative Julian C. Dixon, put the matter succinctly after the Committee adopted its amendment in the nature of a substitute, when he stated: The encryption compromise adopted by the Intelligence Committee achieves two important goals: it recognizes that government access to information on the electronic infrastructure--when necessary to protect public safety and national security--is legitimate within reasonable, lawful constraints; and, it provides greater certainty in the export control process while allowing for regulatory flexibility as technology advances. The balance between commercial interests and public safety achieved by the Intelligence Committee substitute has improved greatly the encryption legislation with which the Committee was asked to deal. The Committee believes that the United States government should encourage the development of encryption products that are responsive to the needs and obligations of government to ensure public safety, and that are viable in the commercial marketplace, without resorting to mandated key recovery or key escrow. For certain, law enforcement would have no difficulty obtaining decrypted evidence of criminality were Congress to impose mandatory requirements on the encryption industry to develop products with access to plaintext functions or features. Such an approach, however, does not advance the debate on comprehensive encryption policy for the United States in the fast approaching 21st Century. The Committee determined that the SAFE Act, as reported by the Judiciary, the International Relations, and the Commerce Committees did not adequately address national security and public safety concerns. In fact, the Committee found, based on the testimony of various witnesses before the Committee, that the SAFE Act actually would disadvantage our national security apparatus and federal, state, and local law enforcement in the conduct of their very serious obligations. To correct these faults, the Committee decided that an amendment in the nature of a substitute was necessary rather than merely ``tinkering around the edges'' of the SAFE Act, in order to ensure that the appropriate and desired balance could be achieved. Thus, the Committee adopted by unanimous voice vote the ``Encryption for the National Interest Act.'' THE ``ENCRYPTION FOR THE NATIONAL INTEREST ACT'' A. Establishes government encryption procurement policies As noted, the Committee amendment, the Encryption for the National Interest Act, permits the United States government to procure and use encryption products that include recoverability or comparable features to allow authorized parties to have access to plaintext. The SAFE Act forbids the government and the States from using such products; and the SAFE Act would deny the government the opportunity to encourage the development of products with features that might help catch spies, thieves, child pornographers, and embezzlers, among others. Thus, specifically, the Encryption for the National Interest Act would authorize the United States government to include as a condition of any government contract a requirement that any encryption employed by the contractor in the execution of the contract with the government will include features permitting access to plaintext or decryption information. This amendment would not require that federal government contractors use recoverable encryption products in the conduct of non-federal government business. The Committee amendment also does not preclude the States from employing recoverable encryption products. The SAFE Act, however, includes such a prohibition. B. Preserves law enforcement's investigative capabilities The Encryption for the National Interest Act also establishes definite procedures to be followed by federal, state, and local law enforcement when seeking access to the plaintext or decryption information of data, including communications, that is otherwise encrypted. Without expanding current wiretap or search and seizure authorities, the amendment allows law enforcement, through judicially authorized court orders, to gain access to decryption information, or to plaintext, where it is available, for use in criminal, foreign counterintelligence, and international terrorism investigations. A close reading of the SAFE Act would deny law enforcement this critical capability. The SAFE Act would deny law enforcement the ability to decrypt any encrypted communications that are intercepted through legitimate court issued wiretap orders. Many proponents of the SAFE Act routinely assert that wiretaps are of limited utility to law enforcement, and that the lack of this capability would cause no egregious harm to public safety. The Committee's extensive experience and the testimony on this matter indicate otherwise. Some have concluded that the effort to enact the SAFE Act is a not-so- subtle attempt to render the government's wiretap authority void. As the distinguished Chairman of the House Committee on the Judiciary, Chairman Henry Hyde wrote in October 1996, ``Without a remedy, America will effectively disarm itself of one of its most potent weapons in the fight against two particularly pernicious crimes: international terrorism and drug smuggling.'' Washington Times, p. B3, October 27, 1996. Mr. Hyde made the point that ``efforts to prevent or eliminate this important law enforcement tool are both nai AE4e and