[Congressional Bills 105th Congress]
[From the U.S. Government Publishing Office]
[S. 2067 Introduced in Senate (IS)]
105th CONGRESS
2d Session
S. 2067
To protect the privacy and constitutional rights of Americans, to
establish standards and procedures regarding law enforcement access to
decryption assistance for encrypted communications and stored
electronic information, to affirm the rights of Americans to use and
sell encryption products, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
May 12, 1998
Mr. Ashcroft (for himself, Mr. Leahy, Mr. Burns, Mr. Craig, Mrs. Boxer,
Mr. Faircloth, Mr. Wyden, Mr. Kempthorne, Mrs. Murray, and Mrs.
Hutchison) introduced the following bill; which was read twice and
referred to the Committee on the Judiciary
_______________________________________________________________________
A BILL
To protect the privacy and constitutional rights of Americans, to
establish standards and procedures regarding law enforcement access to
decryption assistance for encrypted communications and stored
electronic information, to affirm the rights of Americans to use and
sell encryption products, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``Encryption
Protects the Rights of Individuals from Violation and Abuse in
CYberspace (E-PRIVACY) Act''.
(b) Table of Contents.--The table of contents for this Act is as
follows:
Sec. 1. Short title; table of contents.
Sec. 2. Purposes.
Sec. 3. Findings.
Sec. 4. Definitions.
TITLE I--PRIVACY PROTECTION FOR COMMUNICATIONS AND ELECTRONIC
INFORMATION
Sec. 101. Freedom to use encryption.
Sec. 102. Purchase and use of encryption products by the Federal
Government.
Sec. 103. Enhanced privacy protection for information on computer
networks.
Sec. 104. Government access to location information.
Sec. 105. Enhanced privacy protection for transactional information
obtained from pen registers or trap and
trace devices.
TITLE II--LAW ENFORCEMENT ASSISTANCE
Sec. 201. Encrypted wire or electronic communications and stored
electronic communications.
TITLE III--EXPORTS OF ENCRYPTION PRODUCTS
Sec. 301. Commercial encryption products.
Sec. 302. License exception for mass market products.
Sec. 303. License exception for products without encryption capable of
working with encryption products.
Sec. 304. License exception for product support and consulting
services.
Sec. 305. License exception when comparable foreign products available.
Sec. 306. No export controls on encryption products used for
nonconfidentiality purposes.
Sec. 307. Applicability of general export controls.
Sec. 308. Foreign trade barriers to United States products.
SEC. 2. PURPOSES.
The purposes of this Act are--
(1) to ensure that Americans have the maximum possible
choice in encryption methods to protect the security,
confidentiality, and privacy of their lawful wire and
electronic communications and stored electronic information;
(2) to promote the privacy and constitutional rights of
individuals and organizations in networked computer systems and
other digital environments, protect the confidentiality of
information and security of critical infrastructure systems
relied on by individuals, businesses and government agencies,
and properly balance the needs of law enforcement to have the
same access to electronic communications and information as
under current law; and
(3) to establish privacy standards and procedures by which
investigative or law enforcement officers may obtain decryption
assistance for encrypted communications and stored electronic
information.
SEC. 3. FINDINGS.
Congress finds that--
(1) the digitization of information and the explosion in
the growth of computing and electronic networking offers
tremendous potential benefits to the way Americans live, work,
and are entertained, but also raises new threats to the privacy
of American citizens and the competitiveness of American
businesses;
(2) a secure, private, and trusted national and global
information infrastructure is essential to promote economic
growth, protect privacy, and meet the needs of American
citizens and businesses;
(3) the rights of Americans to the privacy and security of
their communications and in the conducting of personal and
business affairs should be promoted and protected;
(4) the authority and ability of investigative and law
enforcement officers to access and decipher, in a timely manner
and as provided by law, wire and electronic communications, and
stored electronic information necessary to provide for public
safety and national security should also be preserved;
(5) individuals will not entrust their sensitive personal,
medical, financial, and other information to computers and
computer networks unless the security and privacy of that
information is assured;
(6) businesses will not entrust their proprietary and
sensitive corporate information, including information about
products, processes, customers, finances, and employees, to
computers and computer networks unless the security and privacy
of that information is assured;
(7) America's critical infrastructures, including its
telecommunications system, banking and financial
infrastructure, and power and transportation infrastructure,
increasingly rely on vulnerable information systems, and will
represent a growing risk to national security and public safety
unless the security and privacy of those information systems is
assured;
(8) encryption technology is an essential tool to promote
and protect the privacy, security, confidentiality, integrity,
and authenticity of wire and electronic communications and
stored electronic information;
(9) encryption techniques, technology, programs, and
products are widely available worldwide;
(10) Americans should be free to use lawfully whatever
particular encryption techniques, technologies, programs, or
products developed in the marketplace that best suits their
needs in order to interact electronically with the government
and others worldwide in a secure, private, and confidential
manner;
(11) government mandates for, or otherwise compelled use
of, third-party key recovery systems or other systems that
provide surreptitious access to encrypted data threatens the
security and privacy of information systems;
(12) American companies should be free to compete and sell
encryption technology, programs, and products, and to exchange
encryption technology, programs, and products through the use
of the Internet, which is rapidly emerging as the preferred
method of distribution of computer software and related information;
(13) a national encryption policy is needed to advance the
development of the national and global information
infrastructure, and preserve the right to privacy of Americans
and the public safety and national security of the United
States;
(14) Congress and the American people have recognized the
need to balance the right to privacy and the protection of the
public safety with national security;
(15) the Constitution of the United States permits lawful
electronic surveillance by investigative or law enforcement
officers and the seizure of stored electronic information only
upon compliance with stringent standards and procedures; and
(16) there is a need to clarify the standards and
procedures by which investigative or law enforcement officers
obtain decryption assistance from persons--
(A) who are voluntarily entrusted with the means to
decrypt wire and electronic communications and stored
electronic information; or
(B) have information that enables the decryption of
such communications and information.
SEC. 4. DEFINITIONS.
In this Act:
(1) Agency.--The term ``agency'' has the meaning given the
term in section 6 of title 18, United States Code.
(2) Computer hardware.--The term ``computer hardware''
includes computer systems, equipment, application-specific
assemblies, smart cards, modules, and integrated circuits.
(3) Computing device.--The term ``computing device'' means
a device that incorporates 1 or more microprocessor-based
central processing units that are capable of accepting,
storing, processing, or providing output of data.
(4) Encrypt and encryption.--The terms ``encrypt'' and
``encryption'' refer to the scrambling (and descrambling) of
wire communications, electronic communications, or
electronically stored information, using mathematical formulas
or algorithms in order to preserve the confidentiality,
integrity, or authenticity of, and prevent unauthorized
recipients from accessing or altering, such communications or
information.
(5) Encryption product.--The term ``encryption product''--
(A) means a computing device, computer hardware,
computer software, or technology, with encryption
capabilities; and
(B) includes any subsequent version of or update to
an encryption product, if the encryption capabilities
are not changed.
(6) Exportable.--The term ``exportable'' means the ability
to transfer, ship, or transmit to foreign users.
(7) Key.--The term ``key'' means the variable information
used in or produced by a mathematical formula, code, or
algorithm, or any component thereof, used to encrypt or decrypt
wire communications, electronic communications, or
electronically stored information.
(8) Person.--The term ``person'' has the meaning given the
term in section 2510(6) of title 18, United States Code.
(9) Remote computing service.--The term ``remote computing
service'' has the meaning given the term in section 2711(2) of
title 18, United States Code.
(10) State.--The term ``State'' has the meaning given the
term in section 3156(a)(5) of title 18, United States Code.
(11) Technical review.--The term ``technical review'' means
a review by the Secretary, based on information about a
product's encryption capabilities supplied by the manufacturer,
that an encryption product works as represented.
(12) United states person.--The term ``United States
person'' means any--
(A) United States citizen; or
(B) any legal entity that--
(i) is organized under the laws of the
United States, or any State, the District of
Columbia, or any commonwealth, territory, or
possession of the United States; and
(ii) has its principal place of business in
the United States.
TITLE I--PRIVACY PROTECTION FOR COMMUNICATIONS AND ELECTRONIC
INFORMATION
SEC. 101. FREEDOM TO USE ENCRYPTION.
(a) In General.--Except as otherwise provided by this Act and the
amendments made by this Act, it shall be lawful for any person within
the United States, and for any United States person in a foreign
country, to use, develop, manufacture, sell, distribute, or import any
encryption product, regardless of the encryption algorithm selected,
encryption key length chosen, existence of key recovery or other
plaintext access capability, or implementation or medium used.
(b) Prohibition on Government-Compelled Key Escrow or Key Recovery
Encryption.--
(1) In general.--Except as provided in paragraph (3), no
agency of the United States nor any State may require, compel,
set standards for, condition any approval on, or condition the
receipt of any benefit on, a requirement that a decryption key,
access to a decryption key, key recovery information, or other
plaintext access capability be--
(A) given to any other person, including any agency
of the United States or a State, or any entity in the
private sector; or
(B) retained by any person using encryption.
(2) Use of particular products.--No agency of the United
States may require any person who is not an employee or agent
of the United States or a State to use any key recovery or
other plaintext access features for communicating or
transacting business with any agency of the United States.
(3) Exception.--The prohibition in paragraph (1) does not
apply to encryption used by an agency of the United States or a
State, or the employees or agents of such an agency, solely for
the internal operations and telecommunications systems of the
United States or the State.
(c) Use of Encryption for Authentication or Integrity Purposes.--
(1) In general.--The use, development, manufacture, sale,
distribution and import of encryption products, standards, and
services for purposes of assuring the confidentiality,
authenticity, or integrity or access control of electronic
information shall be voluntary and market driven.
(2) Conditions.--No agency of the United States or a State
shall establish any condition, tie, or link between encryption
products, standards, and services used for confidentiality, and
those used for authentication, integrity, or access control
purposes.
SEC. 102. PURCHASE AND USE OF ENCRYPTION PRODUCTS BY THE FEDERAL
GOVERNMENT.
(a) Purchases.--An agency of the United States may purchase
encryption products for--
(1) the internal operations and telecommunications systems
of the agency; or
(2) use by, among, and between that agency and any other
agency of the United States, the employees of the agency, or
persons operating under contract with the agency.
(b) Interoperability.--To ensure that secure electronic access to
the Government is available to persons outside of and not operating
under contract with agencies of the United States, the United States
shall purchase no encryption product with a key recovery or other
plaintext access feature if such key recovery or plaintext access
feature would interfere with use of the product's full encryption
capabilities when interoperating with other commercial encryption
products.
SEC. 103. ENHANCED PRIVACY PROTECTION FOR INFORMATION ON COMPUTER
NETWORKS.
Section 2703 of title 18, United States Code, is amended by adding
at the end the following:
``(g) Access to Stored Electronic Information.--
``(1) Disclosure.--
``(A) In general.--Subject to subparagraph (B), a
governmental entity may require the disclosure by a
provider of a remote computing service of the contents
of an electronic record in networked electronic storage
only if the person who created the record is accorded
the same protections that would be available if the
record had remained in that person's possession.
``(B) Networked electronic storage.--In addition to
the requirements of subparagraph (A) and subject to
paragraph (2), a governmental entity may require the
disclosure of the contents of an electronic record in
networked electronic storage only--
``(i) pursuant to a warrant issued under
the Federal Rules of Criminal Procedure or
equivalent State warrant, a copy of which
warrant shall be served on the person who
created the record prior to or at the same time
the warrant is served on the provider of the
remote computing service;
``(ii) pursuant to a subpoena issued under
the Federal Rules of Criminal Procedure or
equivalent State warrant, a copy of which
subpoena shall be served on the person who
created the record, under circumstances
allowing that person a meaningful opportunity
to challenge the subpoena; or
``(iii) upon the consent of the person who
created the record.
``(2) Definition.--In this subsection, an electronic record
is in `networked electronic storage' if--
``(A) it is not covered by subsection (a) of this
section;
``(B) the person holding the record is not
authorized to access the contents of such record for
any purposes other than in connection with providing
the service of storage; and
``(C) the person who created the record is able to
access and modify it remotely through electronic
means.''.
SEC. 104. GOVERNMENT ACCESS TO LOCATION INFORMATION.
(a) Court Order Required.--Section 2703 of title 18, United States
Code, is amended by adding at the end the following:
``(h) Requirements for Disclosure of Location Information.--A
provider of mobile electronic communication service shall provide to a
governmental entity information generated by and disclosing, on a real
time basis, the physical location of a subscriber's equipment only if
the governmental entity obtains a court order issued upon a finding
that there is probable cause to believe that an individual using or
possessing the subscriber equipment is committing, has committed, or is
about to commit a felony offense.''.
(b) Conforming Amendment.--Section 2703(c)(1)(B) of title 18,
United States Code, is amended by inserting ``or wireless location
information covered by subsection (g) of this section'' after ``(b) of
this section''.
SEC. 105. ENHANCED PRIVACY PROTECTION FOR TRANSACTIONAL INFORMATION
OBTAINED FROM PEN REGISTERS OR TRAP AND TRACE DEVICES.
Subsection 3123(a) of title 18, United States Code, is amended to
read as follows:
``(a) In General.--Upon an application made under section 3122, the
court may enter an ex parte order--
``(1) authorizing the installation and use of a pen
register or a trap and trace device within the jurisdiction of
the court if the court finds, based on the certification by the
attorney for the Government or the State law enforcement or
investigative officer, that the information likely to be
obtained by such installation and use is relevant to an ongoing
criminal investigation; and
``(2) directing that the use of the pen register or trap
and trace device be conducted in such a way as to minimize the
recording or decoding of any electronic or other impulses that
are not related to the dialing and signaling information
utilized in call processing.''.
TITLE II--LAW ENFORCEMENT ASSISTANCE
SEC. 201. ENCRYPTED WIRE OR ELECTRONIC COMMUNICATIONS AND STORED
ELECTRONIC COMMUNICATIONS.
(a) In General.--Part I of title 18, United States Code, is amended
by inserting after chapter 123 the following:
``CHAPTER 124--ENCRYPTED WIRE OR ELECTRONIC COMMUNICATIONS AND STORED
ELECTRONIC INFORMATION
``Sec.
``2801. Definitions.
``2802. Unlawful use of encryption.
``2803. Access to decryption assistance for communications.
``2804. Access to decryption assistance for stored electronic
communications or records.
``2805. Foreign government access to decryption assistance.
``2806. Establishment and operations of National Electronic
Technologies Center.
``Sec. 2801. Definitions
``In this chapter:
``(1) Decryption assistance.--The term `decryption
assistance' means assistance that provides or facilitates
access to the plaintext of an encrypted wire or electronic
communication or stored electronic information, including the
disclosure of a decryption key or the use of a decryption key
to produce plaintext.
``(2) Decryption key.--The term `decryption key' means the
variable information used in or produced by a mathematical
formula, code, or algorithm, or any component thereof, used to
decrypt a wire communication or electronic communication or
stored electronic information that has been encrypted.
``(3) Encrypt; encryption.--The terms `encrypt' and
`encryption' refer to the scrambling (and descrambling) of wire
communications, electronic communications, or electronically
stored information, using mathematical formulas or algorithms
in order to preserve the confidentiality, integrity, or
authenticity of, and prevent unauthorized recipients from
accessing or altering, such communications or information.
``(4) Foreign government.--The term `foreign government'
has the meaning given the term in section 1116.
``(5) Official request.--The term `official request' has
the meaning given the term in section 3506(c).
``(6) Incorporated definitions.--Any term used in this
chapter that is not defined in this chapter and that is defined
in section 2510, has the meaning given the term in section
2510.
``Sec. 2802. Unlawful use of encryption
``Any person who, during the commission of a felony under Federal
law, knowingly and willfully encrypts any incriminating communication
or information relating to that felony, with the intent to conceal that
communication or information for the purpose of avoiding detection by a
law enforcement agency or prosecutor--
``(1) in the case of a first offense under this section,
shall be imprisoned not more than 5 years, fined under this
title, or both; and
``(2) in the case of a second or subsequent offense under
this section, shall be imprisoned not more than 10 years, fined
under this title, or both.
``Sec. 2803. Access to decryption assistance for communications
``(a) Criminal Investigations.--
``(1) In general.--An order authorizing the interception of
a wire or electronic communication under section 2518 shall,
upon request of the applicant, direct that a provider of wire
or electronic communication service, or any other person
possessing information capable of decrypting that
communication, other than a person whose communications are the
subject of the interception, shall promptly furnish the
applicant with the necessary decryption assistance, if the
court finds that the decryption assistance sought is necessary
for the decryption of a communication intercepted pursuant to
the order.
``(2) Limitations.--Each order described in paragraph (1),
and any extension of such an order, shall--
``(A) contain a provision that the decryption
assistance provided shall involve disclosure of a
private key only if no other form of decryption
assistance is available and otherwise shall be limited
to the minimum necessary to decrypt the communications
intercepted pursuant to this chapter; and
``(B) terminate on the earlier of--
``(i) the date on which the authorized
objective is attained; or
``(ii) 30 days after the date on which the
order or extension, as applicable, is issued.
``(3) Notice.--If decryption assistance is provided
pursuant to an order under this subsection, the court issuing
the order described in paragraph (1)--
``(A) shall cause to be served on the person whose
communications are the subject of such decryption
assistance, as part of the inventory required to be
served pursuant to section 2518(8), notice of the
receipt of the decryption assistance and a specific
description of the keys or other assistance disclosed;
and
``(B) upon the filing of a motion and for good
cause shown, shall make available to such person, or to
counsel for that person, for inspection, the
intercepted communications to which the decryption
assistance related, except that on an ex parte showing
of good cause, the serving of the inventory required by
section 2518(8) may be postponed.
``(b) Foreign Intelligence Investigations.--
``(1) In general.--An order authorizing the interception of
a wire or electronic communication under section 105(b)(2) of
the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C.
1805(b)(2)) shall, upon request of the applicant, direct that a
provider of wire or electronic communication service or any
other person possessing information capable of decrypting such
communications, other than a person whose communications are
the subject of the interception, shall promptly furnish the
applicant with the necessary decryption assistance, if the
court finds that the decryption assistance sought is necessary
for the decryption of a communication intercepted pursuant to
the order.
``(2) Limitations.--Each order described in paragraph (1),
and any extension of such an order, shall--
``(A) contain a provision that the decryption
assistance provided shall be limited to the minimum
necessary to decrypt the communications intercepted
pursuant to this chapter; and
``(B) terminate on the earlier of--
``(i) the date on which the authorized
objective is attained; or
``(ii) 30 days after the date on which the
order or extension, as applicable, is issued.
``(c) General Prohibition on Disclosure.--Other than pursuant to an
order under subsection (a) or (b) of this section, no person possessing
information capable of decrypting a wire or electronic communication of
another person shall disclose that information or provide decryption
assistance to an investigative or law enforcement officer (as defined
in section 2510(7)).
``Sec. 2804. Access to decryption assistance for stored electronic
communications or records
``(a) Decryption Assistance.--No person may disclose a decryption
key or provide decryption assistance pertaining to the contents of
stored electronic communications or records, including those disclosed
pursuant to section 2703, to a governmental entity, except--
``(1) pursuant to a warrant issued under the Federal Rules
of Criminal Procedure or an equivalent State warrant, a copy of
which warrant shall be served on the person who created the
electronic communication prior to or at the same time service
is made on the keyholder;
``(2) pursuant to a subpoena, a copy of which subpoena
shall be served on the person who created the electronic
communication or record, under circumstances allowing the
person meaningful opportunity to challenge the subpoena; or
``(3) upon the consent of the person who created the
electronic communication or record.
``(b) Delay of Notification.--In the case of communications
disclosed pursuant to section 2703(a), service of the copy of the
warrant or subpoena on the person who created the electronic
communication under subsection (a) may be delayed for a period of not
to exceed 90 days upon request to the court by the governmental entity
requiring the decryption assistance, if the court determines that there
is reason to believe that notification of the existence of the court
order or subpoena may have an adverse result described in section
2705(a)(2).
``Sec. 2805. Foreign government access to decryption assistance
``(a) In General.--No investigative or law enforcement officer
may--
``(1) release a decryption key to a foreign government or
to a law enforcement agency of a foreign government; or
``(2) except as provided in subsection (b), provide
decryption assistance to a foreign government or to a law
enforcement agency of a foreign government.
``(b) Conditions for Cooperation With Foreign Government.--
``(1) Application for an order.--In any case in which the
United States has entered into a treaty or convention with a
foreign government to provide mutual assistance with respect to
providing decryption assistance, the Attorney General (or the
designee of the Attorney General) may, upon an official request
to the United States from the foreign government, apply for an
order described in paragraph (2) from the district court in
which the person possessing information capable of decrypting
the communication or information at issue resides--
``(A) directing that person to release a decryption
key or provide decryption assistance to the Attorney
General (or the designee of the Attorney General); and
``(B) authorizing the Attorney General (or the
designee of the Attorney General) to furnish the
foreign government with the plaintext of the encrypted
communication or stored electronic information at
issue.
``(2) Contents of order.--An order is described in this
paragraph if it is an order directing the person possessing
information capable of decrypting the communication or
information at issue to--
``(A) release a decryption key to the Attorney
General (or the designee of the Attorney General) so
that the plaintext of the communication or information
may be furnished to the foreign government; or
``(B) provide decryption assistance to the Attorney
General (or the designee of the Attorney General) so
that the plaintext of the communication or information
may be furnished to the foreign government.
``(3) Requirements for order.--The court described in
paragraph (1) may issue an order described in paragraph (2) if
the court finds, on the basis of an application made by the
Attorney General under this subsection, that--
``(A) the decryption key or decryption assistance
sought is necessary for the decryption of a
communication or information that the foreign
government is authorized to intercept or seize pursuant
to the law of that foreign country;
``(B) the law of the foreign country provides for
adequate protection against arbitrary interference with
respect to privacy rights; and
``(C) the decryption key or decryption assistance
is being sought in connection with a criminal
investigation for conduct that would constitute a
violation of a criminal law of the United States if
committed within the jurisdiction of the United States.
``Sec. 2806. Establishment and operations of National Electronic
Technologies Center
``(a) National Electronic Technologies Center.--
``(1) Establishment.--There is established in the
Department of Justice a National Electronic Technologies Center
(referred to in this section as the `NET Center').
``(2) Director.--The NET Center shall be administered by a
Director (referred to in this section as the `Director'), who
shall be appointed by the Attorney General.
``(3) Duties.--The NET Center shall--
``(A) serve as a center for Federal, State, and
local law enforcement authorities for information and
assistance regarding decryption and other access
requirements;
``(B) serve as a center for industry and government
entities to exchange information and methodology
regarding information security techniques and
technologies;
``(C) support and share information and methodology
regarding information security techniques and
technologies with the Computer Investigations and
Infrastructure Threat Assessment Center (CITAC) and
Field Computer Investigations and Infrastructure Threat
Assessment (CITA) Squads of the Federal Bureau of
Investigation;
``(D) examine encryption techniques and methods to
facilitate the ability of law enforcement to gain
efficient access to plaintext of communications and
electronic information;
``(E) conduct research to develop efficient
methods, and improve the efficiency of existing
methods, of accessing plaintext of communications and
electronic information;
``(F) investigate and research new and emerging
techniques and technologies to facilitate access to
communications and electronic information, including--
``(i) reverse-stenography;
``(ii) decompression of information that
previously has been compressed for
transmission; and
``(iii) demultiplexing;
``(G) investigate and research interception and
access techniques that preserve the privacy and
security of information not authorized to be
intercepted; and
``(H) obtain information regarding the most current
hardware, software, telecommunications, and other
capabilities to understand how to access digitized
information transmitted across networks.
``(4) Equal access.--State and local law enforcement
agencies and authorities shall have access to information,
services, resources, and assistance provided by the NET Center
to the same extent that Federal law enforcement agencies and
authorities have such access.
``(5) Personnel.--The Director may appoint such personnel
as the Director considers appropriate to carry out the duties
of the NET Center.
``(6) Assistance of other federal agencies.--Upon the
request of the Director of the NET Center, the head of any
department or agency of the Federal Government may, to assist
the NET Center in carrying out its duties under this
subsection--
``(A) detail, on a reimbursable basis, any of the
personnel of such department or agency to the NET
Center; and
``(B) provide to the NET Center facilities,
information, and other nonpersonnel resources.
``(7) Private industry assistance.--The NET Center may
accept, use, and dispose of gifts, bequests, or devises of
money, services, or property, both real and personal, for the
purpose of aiding or facilitating the work of the Center.
Gifts, bequests, or devises of money and proceeds from sales of
other property received as gifts, bequests, or devises shall be
deposited in the Treasury and shall be available for
disbursement upon order of the Director of the NET Center.
``(8) Advisory board.--
``(A) Establishment.--There is established in the
NET Center an Advisory Board for Excellence in
Information Security (in this paragraph referred to as
the `Advisory Board'), which shall be comprised of
members who have the qualifications described in
subparagraph (B) and who are appointed by the Attorney
General. The Attorney General shall appoint a chairman
of the Advisory Board.
``(B) Qualifications.--Each member of the Advisory
Board shall have experience or expertise in the field
of encryption, decryption, electronic communication,
information security, electronic commerce, privacy
protection, or law enforcement.
``(C) Duties.--The duty of the Advisory Board shall
be to advise the NET Center and the Federal Government
regarding new and emerging technologies relating to
encryption and decryption of communications and
electronic information.
``(9) Implementation plan.--
``(A) In general.--Not later than 2 months after
the date of enactment of this chapter, the Attorney
General shall, in consultation and cooperation with
other appropriate Federal agencies and appropriate
industry participants, develop and cause to be
published in the Federal Register a plan for
establishing the NET Center.
``(B) Contents of plan.--The plan published under
subparagraph (A) shall--
``(i) specify the physical location of the
NET Center and the equipment, software, and
personnel resources necessary to carry out the
duties of the NET Center under this subsection;
``(ii) assess the amount of funding
necessary to establish and operate the NET
Center; and
``(iii) identify sources of probable
funding for the NET Center, including any
sources of in-kind contributions from private
industry.
``(b) Authorization.--There are authorized to be appropriated such
sums as may be necessary for the establishment and operation of the NET
Center.''.
(b) Technical and Conforming Amendment.--The analysis for part I of
title 18, United States Code, is amended by adding at the end the
following:
``124. Encrypted wire or electronic communications and 2801''.
stored electronic information.
TITLE III--EXPORTS OF ENCRYPTION PRODUCTS
SEC. 301. COMMERCIAL ENCRYPTION PRODUCTS.
(a) Provisions Applicable to Commercial Products.--The provisions
of this title apply to all encryption products, regardless of the
encryption algorithm selected, encryption key length chosen, exclusion
of key recovery or other plaintext access capability, or implementation
or medium used, except those specifically designed or modified for
military use, including command, control, and intelligence
applications.
(b) Control by Secretary of Commerce.--Subject to the provisions of
this title, and notwithstanding any other provision of law, the
Secretary of Commerce shall have exclusive authority to control exports
of encryption products covered under subsection (a).
SEC. 302. LICENSE EXCEPTION FOR MASS MARKET PRODUCTS.
(a) Export Control Relief.--Subject to section 307, an encryption
product that is generally available, or incorporates or employs in any
form, implementation, or medium, an encryption product that is
generally available, shall be exportable without the need for an export
license, and without restrictions other than those permitted under this
Act, after a 1-time 15-day technical review by the Secretary of
Commerce.
(b) Definitions.--In this section, the term ``generally available''
means an encryption product that is--
(1) offered for sale, license, or transfer to any person
without restriction, whether or not for consideration,
including, but not limited to, over-the-counter retail sales,
mail order transactions, phone order transactions, electronic
distribution, or sale on approval; and
(2) not designed, developed, or customized by the
manufacturer for specific purchasers except for user or
purchaser selection among installation or configuration
parameters.
(c) Commerce Department Assurance.--
(1) In general.--The manufacturer or exporter of an
encryption product may request written assurance from the
Secretary of Commerce that an encryption product is considered
generally available for purposes of this section.
(2) Response.--Not later than 30 days after receiving a
request under paragraph (1), the Secretary shall make a
determination regarding whether to issue a written assurance
under that paragraph, and shall notify the person making the
request, in writing, of that determination.
(3) Effect on manufacturers and exporters.--A manufacturer
or exporter who obtains a written assurance under this
subsection shall not be held liable, responsible, or subject to
sanctions for failing to obtain an export license for the
encryption product at issue.
SEC. 303. LICENSE EXCEPTION FOR PRODUCTS WITHOUT ENCRYPTION CAPABLE OF
WORKING WITH ENCRYPTION PRODUCTS.
Subject to section 307, any product that does not itself provide
encryption capabilities, but that incorporates or employs in any form
cryptographic application programming interfaces or other interface
mechanisms for interaction with other encryption products covered by
section 301(a), shall be exportable without the need for an export
license, and without restrictions other than those permitted under this
Act, after a 1-time, 15-day technical review by the Secretary of
Commerce.
SEC. 304. LICENSE EXCEPTION FOR PRODUCT SUPPORT AND CONSULTING
SERVICES.
(a) No Additional Export Controls Imposed if Underlying Product
Covered by License Exception.--Technical assistance and technical data
associated with the installation and maintenance of encryption products
covered by sections 302 and 303 shall be exportable without the need
for an export license, and without restrictions other than those
permitted under this Act.
(b) Definitions.--In this section:
(1) Technical assistance.--The term ``technical
assistance'' means services, including instruction, skills
training, working knowledge, and consulting services, and the
transfer of technical data.
(2) Technical data.--The term ``technical data'' means
information including blueprints, plans, diagrams, models,
formulae, tables, engineering designs and specifications,
manuals and instructions written or recorded on other media or
devices such as disk, tape, or read-only memories.
SEC. 305. LICENSE EXCEPTION WHEN COMPARABLE FOREIGN PRODUCTS AVAILABLE.
(a) Foreign Availability Standard.--An encryption product not
qualifying under section 302 shall be exportable without the need for
an export license, and without restrictions other than those permitted
under this Act, after a 1-time 15-day technical review by the Secretary
of Commerce, if an encryption product utilizing the same or greater key
length or otherwise providing comparable security to such encryption
product is, or will be within the next 18 months, commercially
available outside the United States from a foreign supplier.
(b) Determination of Foreign Availability.--
(1) Encryption export advisory board established.--There is
hereby established a board to be known as the ``Encryption
Export Advisory Board'' (in this section referred to as the
``Board'').
(2) Membership.--The Board shall be comprised of--
(A) the Under Secretary of Commerce for Export
Administration, who shall be Chairman;
(B) seven individuals appointed by the President,
of whom--
(i) one shall be a representative from each
of--
(I) the National Security Agency;
(II) the Central Intelligence
Agency; and
(III) the Office of the President;
and
(ii) four shall be individuals from the
private sector who have expertise in the
development, operation, or marketing of
information technology products; and
(C) four individuals appointed by Congress from
among individuals in the private sector who have
expertise in the development, operation, or marketing
of information technology products, of whom--
(i) one shall be appointed by the Majority
Leader of the Senate;
(ii) one shall be appointed by the Minority
Leader of the Senate;
(iii) one shall be appointed by the Speaker
of the House of Representatives; and
(iv) one shall be appointed by the Minority
Leader of the House of Representatives.
(3) Meetings.--
(A) In general.--Subject to subparagraph (B), the
Board shall meet at the call of the Under Secretary of
Commerce for Export Administration.
(B) Meetings when applications pending.--If any
application referred to in paragraph (4)(A) is pending,
the Board shall meet not less than once every 30 days.
(4) Duties.--
(A) In general.--Whenever an application for a
license exception for an encryption product under this
section is submitted to the Secretary of Commerce, the
Board shall determine whether a comparable encryption
product is commercially available outside the United
States from a foreign supplier as specified in
subsection (a).
(B) Majority vote required.--The Board shall make a
determination under this paragraph upon a vote of the
majority of the members of the Board.
(C) Deadline.--The Board shall make a determination
with respect to an encryption product under this
paragraph not later than 30 days after receipt by the
Secretary of an application for a license exception
under this subsection based on the encryption product.
(D) Notice of determinations.--The Board shall
notify the Secretary of Commerce of each determination
under this paragraph.
(E) Reports to president.--Not later than 30 days
after a meeting under this paragraph, the Board shall
submit to the President a report on the meeting.
(F) Applicability of faca.--The provisions of the
Federal Advisory Committee Act (5 U.S.C. App.) shall
not apply to the Board or to meetings held by the Board
under this paragraph.
(5) Action by secretary of commerce.--
(A) Approval or disapproval.--The Secretary of
Commerce shall specifically approve or disapprove each
determination of the Board under paragraph (5) not
later than 30 days of the submittal of such
determination to the Secretary under that paragraph.
(B) Notification and publication of decision.--The
Secretary of Commerce shall--
(i) notify the Board of each approval or
disapproval under this paragraph; and
(ii) publish a notice of the approval or
disapproval in the Federal Register.
(C) Contents of notice.--Each notice of a decision
of disapproval by the Secretary of Commerce under
subparagraph (B) of a determination of the Board under
paragraph (4) that an encryption product is
commercially available outside the United States from a
foreign supplier shall set forth an explanation in
detail of the reasons for the decision, including why
and how continued export control of the encryption
product which the determination concerned will be
effective in achieving its purpose and the amount of
lost sales and loss in market share of United States
encryption products as a result of the decision.
(6) Judicial review.--Notwithstanding any other provision
of law, a decision of disapproval by the Secretary of Commerce
under paragraph (5) of a determination of the Board under
paragraph (4) that an encryption product is commercially
available outside the United States from a foreign supplier
shall be subject to judicial review under the provisions of subchapter
II of chapter 5 of title 5, United States Code (commonly referred to as
the ``Administrative Procedures Act'').
(c) Inclusion of Comparable Foreign Encryption Product in a United
States Product Not Basis for Export Controls.--A product that
incorporates or employs a foreign encryption product, in the way it was
intended to be used and that the Board has determined to be
commercially available outside the United States, shall be exportable
without the need for an export license and without restrictions other
than those permitted under this Act, after a 1-time 15-day technical
review by the Secretary of Commerce.
SEC. 306. NO EXPORT CONTROLS ON ENCRYPTION PRODUCTS USED FOR
NONCONFIDENTIALITY PURPOSES.
(a) Prohibition on New Controls.--The Federal Government shall not
restrict the export of encryption products used for nonconfidentiality
purposes such as authentication, integrity, digital signatures,
nonrepudiation, and copy protection.
(b) No Reinstatement of Controls on Previously Decontrolled
Products.--Those encryption products previously decontrolled and not
requiring an export license as of January 1, 1998, as a result of
administrative decision or rulemaking shall not require an export
license.
SEC. 307. APPLICABILITY OF GENERAL EXPORT CONTROLS.
(a) Subject to Terrorist and Embargo Controls.--Nothing in this Act
shall be construed to limit the authority of the President under the
International Emergency Economic Powers Act, the Trading with the Enemy
Act, or the Export Administration Act, to--
(1) prohibit the export of encryption products to countries
that have been determined to repeatedly provide support for
acts of international terrorism; or
(2) impose an embargo on exports to, and imports from, a
specific country.
(b) Subject to Specific Denials for Specific Reasons.--The
Secretary of Commerce shall prohibit the export of particular
encryption products to an individual or organization in a specific
foreign country identified by the Secretary if the Secretary determines
that there is substantial evidence that such encryption products will
be used for military or terrorist end-use, including acts against the
national security, public safety, or the integrity of the
transportation, communications, or other essential systems of
interstate commerce in the United States.
(c) Other Export Controls Remain Applicable.--(1) Encryption
products shall remain subject to all export controls imposed on such
products for reasons other than the existence of encryption
capabilities.
(2) Nothing in this Act alters the Secretary's ability to control
exports of products for reasons other than encryption.
SEC. 308. FOREIGN TRADE BARRIERS TO UNITED STATES PRODUCTS.
Not later than 180 days after the date of enactment of this Act,
the Secretary of Commerce, in consultation with the United States Trade
Representative, shall--
(1) identify foreign barriers to exports of United States
encryption products;
(2) initiate appropriate actions to address such barriers;
and
(3) submit to Congress a report on the actions taken under
this section.
<all>