13 May 1998
Source: http://www.access.gpo.gov/su_docs/aces/aaces002.html

-------------------------------------------------------------------------

[Congressional Record: May 12, 1998 (Senate)]
[Page S4713-S4727]
From the Congressional Record Online via GPO Access [wais.access.gpo.gov]
[DOCID:cr12my98-202]


          STATEMENTS ON INTRODUCED BILLS AND JOINT RESOLUTIONS

[Snip unrelated]

      By Mr. ASHCROFT (for himself, Mr. Leahy, Mr. Burns, Mr. Craig,
        Mrs. Boxer, Mr. Faircloth, Mr. Wyden, Mr. Kempthorne, Mrs.
        Murray, and Mrs. Hutchison):
  S. 2067. A bill to protect the privacy and constitutional rights of
Americans, to establish standards and procedures regarding law
enforcement access to decryption assistance for encrypted
communications and stored electronic information, to affirm the rights
of Americans to use and sell encryption products, and for other
purposes; to the Committee on the Judiciary.

                           the e-privacy act

  Mr. ASHCROFT. Mr. President, I rise to speak today on an issue that I
find very important to the future of this country's leading position in
the technology, and that is encryption. This issue has been under
consideration since I first came to Capitol Hill, and for more than
three years nothing has been accomplished by way of assistance to law
enforcement, or to industry, or most importantly to the users of
encryption in this country.
  My first involvement in this entire discussion came about as a result
of the need for protection and privacy. If we are to operate at our
highest and best in the information age, instead of settling for
something very far below our potential, we are going to need privacy
and protection, and we are going to need the ability to operate with
integrity on the Internet. The Internet has to be something more than
speaking on the public square, it has to have the ability to allow
individuals to communicate with each other. It has to have the same
kind of rights and protections that are accorded to other aspects of
communication. Without this privacy, the potential of the Internet is
destroyed. In my judgment, the Internet would be destined to become
just a sort of international bull session, nothing more than an
international party line of commentary, or an international broadcast
device. I do not believe it will fulfill its potential as a
communication, entertainment, commercial and educational opportunity
unless Internet communications are secure and the right of privacy is
respected.
  The Internet allows for the most participatory form of communications
ever. In order for us to be able to both invite participation by
everyone, and to be able to take advantage of it, we have to be able to
exclude some parties from a particular communication. I do not know of
any more successful exclusion technique in the electronic world than
encryption, especially when so much information is going to be
transmitted digitally, much of it through space as well as over hard
lines of communication.
  We have a tremendous potential for commerce on the Internet:
everything from selling clothes, to real estate, to software itself.
Electronic commerce has not reached its full potential, but it can. I
think we've got a big agenda there, not just encryption but we've got
to have legally binding signature legislation and therefore solid
encryption.

[[Page S4716]]

  Resisting efforts for mandatory domestic key recovery is also
crucial. We have to remind ourselves that the Internet is like so much
of the rest of the culture--government can't solve all the problems. At
least we have to plead for restraint by those who would harm this
technology. As I have said before, now is the time to draw a bright
line against federal regulation of the computer industry. Washington
must not start down the road of dreaming up regulations to fix problems
that may or may not exist. Two things can be predicted with confidence
about congressional meddling in this sector of the economy. First,
legislation will be obsolete on the day it is passed. Second, it will
hurt consumers, workers, shareholders, and the economy. If Congress had
helped set up the transportation industry, there still might be a
livery stable in every town, and buggy whip factories in large cities.
  The irrationality of limiting the United States to levels of
encryption which are far below what the world market is demanding and
supplying in other settings, has been mind boggling. This legislation
declares that American companies will be full and active participants
in the encryption industry. Today, numerous editions of leading
American designed and manufactured software bears the stamp, ``Not for
sale outside the United States,'' because the software features robust
encryption. That stamp does nothing to make Americans more secure, but
it does provide aid and comfort to foreign competitors of American
business. This legislation would eliminate that stamp once and for all.
  Encryption, of course, is the most important issue to the future of
electronic commerce and if we are to foster the integrity of the
Internet we must have the means of communication domestically and
international. I have to reaffirm that we must allow the software
industry to compete in an international market where robust encryption
already takes place. Months ago I went to a Commerce Committee meeting
and took with me an ad from the Internet, which was from Seimens
company in Germany advertising robust 128 bit encryption, saying that
you can't get this from a U.S. manufacturer. The advertisement also
indicated, however, that if you buy this you can use it in the United
States and you can use it overseas as well, and, so if you want to have
robust encryption buy it from Seimens. The Administration has decided
to tie the hands of the U.S. encryption industry. To me that's a
disaster, but it is also compounded by people beginning to develop
relationships with foreign software providers as a result of the
unavailability of 128 bit or robust encryption on the part of U.S.
providers.
  To see the Germans eagerly promoting this potential, and to have
people from my own jurisdiction, from the state of Missouri, say,
``John, we have an office in Singapore, we have to be able to speak
with them confidentially and communicate with them, and the government
is making it impossible for us to send the encryption that we can use
domestically. We can't send it to our office in Singapore because we
are ineligible to export it.'' I don't want the situation to be such
that I have to say, ``Well, go to Seimens in Germany.'' From Seimens
you can buy the encryption that can be sent into the United States and
from Seimens in Germany it can be sent to Singapore and so you can have
your cake and eat it too by dealing with a non-domestic firm. For us to
have a policy which provides for the slitting of our own throats, in a
technology arena, where we have held the lead and must continue to hold
the lead, I think is foolhardy to say the least. If we are to mark the
next century as an ``American Century,'' or even to celebrate this week
as high technology week in the Senate, we must be forward thinking and
acting. This bill moves us away from antiquated export laws to a future
in which American companies will be able to compete in the
international marketplace without having one hand tied behind their
back by the federal government.
  This bill also clarifies the proper approach for encryption
domestically as we move ahead in the digital age. The Administration
and the FBI first indicated support for language that would mandate key
recovery for all domestic encryption and now support several suggested
approaches that would make using domestic key escrow a practical--
though not legal--necessity. Director Freeh has gone so far as to
mention the need for a new Fourth Amendment that considers the
realities of the digital age. I think we need a new and improved
approach to domestic encryption, not a new updated version of the
Fourth Amendment. I, for one, am not eagerly awaiting the FBI's new
release of Fourth Amendment 2.0 or First Amendment '98.
  I think we have to work together to find a reasonable alternative to
the current Administration policy and I think we have to ensure secure
transactions. That's a clear responsibility. We can't have a situation
where we don't have security and integrity in our business
transactions. We have to be able to compete effectively in a worldwide
marketplace. For us to limit our own potential in terms of competition
makes no sense. We have to make sure that we don't allow those who
would use information improperly or illegally to have access to it.
That has to do with securing the transactions, and the integrity of the
Internet as well.
  This legislation is the solution to the problem. It is well thought
out and attempts to address the legitimate concerns of all affected
parties. I will seek passage of this legislation in this Congress and
will commit the resources of my office that may be needed to achieve
this end.
  Business Week has recently reported that 61 percent of adults
responded that they would be more likely to go on-line if the privacy
of their information and communications would be protected. Mr.
President, simply put, strong encryption means a strong economy.
Mandatory access, by contrast, means weaker encryption and a less
secure, and therefore less valuable, network.
  I ask for unanimous consent that the entire bill be printed in the
Record.
  There being no objection, the bill was ordered to be printed in the
Record, as follows:

                                S. 2067

       Be it enacted by the Senate and House of Representatives of
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

       (a) Short Title.--This Act may be cited as the ``Encryption
     Protects the Rights of Individuals from Violation and Abuse
     in Cyberspace (E-PRIVACY) Act''.
       (b) Table of Contents.--The table of contents for this Act
     is as follows:

Sec. 1. Short title; table of contents.
Sec. 2. Purposes.
Sec. 3. Findings.
Sec. 4. Definitions.

     TITLE I--PRIVACY PROTECTION FOR COMMUNICATIONS AND ELECTRONIC
                              INFORMATION

Sec. 101. Freedom to use encryption.
Sec. 102. Purchase and use of encryption products by the Federal
              Government.
Sec. 103. Enhanced privacy protection for information on computer
              networks.
Sec. 104. Government access to location information.
Sec. 105. Enhanced privacy protection for transactional information
              obtained from pen registers or trap and trace devices.

                  TITLE II--LAW ENFORCEMENT ASSISTANCE

Sec. 201. Encrypted wire or electronic communications and stored
              electronic communications.

               TITLE III--EXPORTS OF ENCRYPTION PRODUCTS

Sec. 301. Commercial encryption products.
Sec. 302. License exception for mass market products.
Sec. 303. License exception for products without encryption capable of
              working with encryption products.
Sec. 304. License exception for product support and consulting
              services.
Sec. 305. License exception when comparable foreign products available.
Sec. 306. No export controls on encryption products used for
              nonconfidentiality purposes.
Sec. 307. Applicability of general export controls.
Sec. 308. Foreign trade barriers to United States products.

     SEC. 2. PURPOSES.

       The purposes of this Act are--
       (1) to ensure that Americans have the maximum possible
     choice in encryption methods to protect the security,
     confidentiality, and privacy of their lawful wire and
     electronic communications and stored electronic information;
       (2) to promote the privacy and constitutional rights of
     individuals and organizations in networked computer systems
     and other

[[Page S4717]]

     digital environments, protect the confidentiality of
     information and security of critical infrastructure systems
     relied on by individuals, businesses and government agencies,
     and properly balance the needs of law enforcement to have the
     same access to electronic communications and information as
     under current law; and
       (3) to establish privacy standards and procedures by which
     investigative or law enforcement officers may obtain
     decryption assistance for encrypted communications and stored
     electronic information.

     SEC. 3. FINDINGS.

       Congress finds that--
       (1) the digitization of information and the explosion in
     the growth of computing and electronic networking offers
     tremendous potential benefits to the way Americans live,
     work, and are entertained, but also raises new threats to the
     privacy of American citizens and the competitiveness of
     American businesses;
       (2) a secure, private, and trusted national and global
     information infrastructure is essential to promote economic
     growth, protect privacy, and meet the needs of American
     citizens and businesses;
       (3) the rights of Americans to the privacy and security of
     their communications and in the conducting of personal and
     business affairs should be promoted and protected;
       (4) the authority and ability of investigative and law
     enforcement officers to access and decipher, in a timely
     manner and as provided by law, wire and electronic
     communications, and stored electronic information necessary
     to provide for public safety and national security should
     also be preserved;
       (5) individuals will not entrust their sensitive personal,
     medical, financial, and other information to computers and
     computer networks unless the security and privacy of that
     information is assured;
       (6) businesses will not entrust their proprietary and
     sensitive corporate information, including information about
     products, processes, customers, finances, and employees, to
     computers and computer networks unless the security and
     privacy of that information is assured;
       (7) America's critical infrastructures, including its
     telecommunications system, banking and financial
     infrastructure, and power and transportation infrastructure,
     increasingly rely on vulnerable information systems, and will
     represent a growing risk to national security and public
     safety unless the security and privacy of those information
     systems is assured;
       (8) encryption technology is an essential tool to promote
     and protect the privacy, security, confidentiality,
     integrity, and authenticity of wire and electronic
     communications and stored electronic information;
       (9) encryption techniques, technology, programs, and
     products are widely available worldwide;
       (10) Americans should be free to use lawfully whatever
     particular encryption techniques, technologies, programs, or
     products developed in the marketplace that best suits their
     needs in order to interact electronically with the government
     and others worldwide in a secure, private, and confidential
     manner;
       (11) government mandates for, or otherwise compelled use
     of, third-party key recovery systems or other systems that
     provide surreptitious access to encrypted data threatens the
     security and privacy of information systems;
       (12) American companies should be free to compete and sell
     encryption technology, programs, and products, and to
     exchange encryption technology, programs, and products
     through the use of the Internet, which is rapidly emerging as
     the preferred method of distribution of computer software and
     related information;
       (13) a national encryption policy is needed to advance the
     development of the national and global information
     infrastructure, and preserve the right to privacy of
     Americans and the public safety and national security of the
     United States;
       (14) Congress and the American people have recognized the
     need to balance the right to privacy and the protection of
     the public safety with national security;
       (15) the Constitution of the United States permits lawful
     electronic surveillance by investigative or law enforcement
     officers and the seizure of stored electronic information
     only upon compliance with stringent standards and procedures;
     and
       (16) there is a need to clarify the standards and
     procedures by which investigative or law enforcement officers
     obtain decryption assistance from persons--
       (A) who are voluntarily entrusted with the means to decrypt
     wire and electronic communications and stored electronic
     information; or
       (B) have information that enables the decryption of such
     communications and information.

     SEC. 4. DEFINITIONS.

       In this Act:
       (1) Agency.--The term ``agency'' has the meaning given the
     term in section 6 of title 18, United States Code.
       (2) Computer hardware.--The term ``computer hardware''
     includes computer systems, equipment, application-specific
     assemblies, smart cards, modules, and integrated circuits.
       (3) Computing device.--The term ``computing device'' means
     a device that incorporates 1 or more microprocessor-based
     central processing units that are capable of accepting,
     storing, processing, or providing output of data.
       (4) Encrypt and encryption.--The terms ``encrypt'' and
     ``encryption'' refer to the scrambling (and descrambling) of
     wire communications, electronic communications, or
     electronically stored information, using mathematical
     formulas or algorithms in order to preserve the
     confidentiality, integrity, or authenticity of, and prevent
     unauthorized recipients from accessing or altering, such
     communications or information.
       (5) Encryption product.--The term ``encryption product''--
       (A) means a computing device, computer hardware, computer
     software, or technology, with encryption capabilities; and
       (B) includes any subsequent version of or update to an
     encryption product, if the encryption capabilities are not
     changed.
       (6) Exportable.--The term ``exportable'' means the ability
     to transfer, ship, or transmit to foreign users.
       (7) Key.--The term ``key'' means the variable information
     used in or produced by a mathematical formula, code, or
     algorithm, or any component thereof, used to encrypt or
     decrypt wire communications, electronic communications, or
     electronically stored information.
       (8) Person.--The term ``person'' has the meaning given the
     term in section 2510(6) of title 18, United States Code.
       (9) Remote computing service.--The term ``remote computing
     service'' has the meaning given the term in section 2711(2)
     of title 18, United States Code.
       (10) State.--The term ``State'' has the meaning given the
     term in section 3156(a)(5) of title 18, United States Code.
       (11) Technical review.--The term ``technical review'' means
     a review by the Secretary, based on information about a
     product's encryption capabilities supplied by the
     manufacturer, that an encryption product works as
     represented.
       (12) United states person.--The term ``United States
     person'' means any--
       (A) United States citizen; or
       (B) any legal entity that--
       (i) is organized under the laws of the United States, or
     any State, the District of Columbia, or any commonwealth,
     territory, or possession of the United States; and
       (ii) has its principal place of business in the United
     States.
     TITLE I--PRIVACY PROTECTION FOR COMMUNICATIONS AND ELECTRONIC
                              INFORMATION

     SEC. 101. FREEDOM TO USE ENCRYPTION.

       (a) In General.--Except as otherwise provided by this Act
     and the amendments made by this Act, it shall be lawful for
     any person within the United States, and for any United
     States person in a foreign country, to use, develop,
     manufacture, sell, distribute, or import any encryption
     product, regardless of the encryption algorithm selected,
     encryption key length chosen, existence of key recovery or
     other plaintext access capability, or implementation or
     medium used.
       (b) Prohibition on Government-Compelled Key Escrow or Key
     Recovery Encryption.--
       (1) In general.--Except as provided in paragraph (3), no
     agency of the United States nor any State may require,
     compel, set standards for, condition any approval on, or
     condition the receipt of any benefit on, a requirement that a
     decryption key, access to a decryption key, key recovery
     information, or other plaintext access capability be--
       (A) given to any other person, including any agency of the
     United States or a State, or any entity in the private
     sector; or
       (B) retained by any person using encryption.
       (2) Use of particular products.--No agency of the United
     States may require any person who is not an employee or agent
     of the United States or a State to use any key recovery or
     other plaintext access features for communicating or
     transacting business with any agency of the United States.
       (3) Exception.--The prohibition in paragraph (1) does not
     apply to encryption used by an agency of the United States or
     a State, or the employees or agents of such an agency, solely
     for the internal operations and telecommunications systems of
     the United States or the State.
       (c) Use of Encryption for Authentication or Integrity
     Purposes.--
       (1) In general.--The use, development, manufacture, sale,
     distribution and import of encryption products, standards,
     and services for purposes of assuring the confidentiality,
     authenticity, or integrity or access control of electronic
     information shall be voluntary and market driven.
       (2) Conditions.--No agency of the United States or a State
     shall establish any condition, tie, or link between
     encryption products, standards, and services used for
     confidentiality, and those used for authentication,
     integrity, or access control purposes.

     SEC. 102. PURCHASE AND USE OF ENCRYPTION PRODUCTS BY THE
                   FEDERAL GOVERNMENT.

       (a) Purchases.--An agency of the United States may purchase
     encryption products for--
       (1) the internal operations and telecommunications systems
     of the agency; or
       (2) use by, among, and between that agency and any other
     agency of the United States, the employees of the agency, or
     persons operating under contract with the agency.
       (b) Interoperability.--To ensure that secure electronic
     access to the Government is

[[Page S4718]]

     available to persons outside of and not operating under
     contract with agencies of the United States, the United
     States shall purchase no encryption product with a key
     recovery or other plaintext access feature if such key
     recovery or plaintext access feature would interfere with use
     of the product's full encryption capabilities when
     interoperating with other commercial encryption products.

     SEC. 103. ENHANCED PRIVACY PROTECTION FOR INFORMATION ON
                   COMPUTER NETWORKS.

       Section 2703 of title 18, United States Code, is amended by
     adding at the end the following:
       ``(g) Access to Stored Electronic Information.--
       ``(1) Disclosure.--
       ``(A) In general.--Subject to subparagraph (B), a
     governmental entity may require the disclosure by a provider
     of a remote computing service of the contents of an
     electronic record in networked electronic storage only if the
     person who created the record is accorded the same
     protections that would be available if the record had
     remained in that person's possession.
       ``(B) Networked electronic storage.--In addition to the
     requirements of subparagraph (A) and subject to paragraph
     (2), a governmental entity may require the disclosure of the
     contents of an electronic record in networked electronic
     storage only--
       ``(i) pursuant to a warrant issued under the Federal Rules
     of Criminal Procedure or equivalent State warrant, a copy of
     which warrant shall be served on the person who created the
     record prior to or at the same time the warrant is served on
     the provider of the remote computing service;
       ``(ii) pursuant to a subpoena issued under the Federal
     Rules of Criminal Procedure or equivalent State warrant, a
     copy of which subpoena shall be served on the person who
     created the record, under circumstances allowing that person
     a meaningful opportunity to challenge the subpoena; or
       ``(iii) upon the consent of the person who created the
     record.
       ``(2) Definition.--In this subsection, an electronic record
     is in `networked electronic storage' if--
       ``(A) it is not covered by subsection (a) of this section;
       ``(B) the person holding the record is not authorized to
     access the contents of such record for any purposes other
     than in connection with providing the service of storage; and
       ``(C) the person who created the record is able to access
     and modify it remotely through electronic means.''.

     SEC. 104. GOVERNMENT ACCESS TO LOCATION INFORMATION.

       (a) Court Order Required.--Section 2703 of title 18, United
     States Code, is amended by adding at the end the following:
       ``(h) Requirements for Disclosure of Location
     Information.--A provider of mobile electronic communication
     service shall provide to a governmental entity information
     generated by and disclosing, on a real time basis, the
     physical location of a subscriber's equipment only if the
     governmental entity obtains a court order issued upon a
     finding that there is probable cause to believe that an
     individual using or possessing the subscriber equipment is
     committing, has committed, or is about to commit a felony
     offense.''.
       (b) Conforming Amendment.--Section 2703(c)(1)(B) of title
     18, United States Code, is amended by inserting ``or wireless
     location information covered by subsection (g) of this
     section'' after ``(b) of this section''.

     SEC. 105. ENHANCED PRIVACY PROTECTION FOR TRANSACTIONAL
                   INFORMATION OBTAINED FROM PEN REGISTERS OR TRAP
                   AND TRACE DEVICES.

       Subsection 3123(a) of title 18, United States Code, is
     amended to read as follows:
       ``(a) In General.--Upon an application made under section
     3122, the court may enter an ex parte order--
       ``(1) authorizing the installation and use of a pen
     register or a trap and trace device within the jurisdiction
     of the court if the court finds, based on the certification
     by the attorney for the Government or the State law
     enforcement or investigative officer, that the information
     likely to be obtained by such installation and use is
     relevant to an ongoing criminal investigation; and
       ``(2) directing that the use of the pen register or trap
     and trace device be conducted in such a way as to minimize
     the recording or decoding of any electronic or other impulses
     that are not related to the dialing and signaling information
     utilized in call processing.''.
                  TITLE II--LAW ENFORCEMENT ASSISTANCE

     SEC. 201. ENCRYPTED WIRE OR ELECTRONIC COMMUNICATIONS AND
                   STORED ELECTRONIC COMMUNICATIONS.

       (a) In General.--Part I of title 18, United States Code, is
     amended by inserting after chapter 123 the following:

 ``CHAPTER 124--ENCRYPTED WIRE OR ELECTRONIC COMMUNICATIONS AND STORED
                         ELECTRONIC INFORMATION

``Sec.
``2801. Definitions.
``2802. Unlawful use of encryption.
``2803. Access to decryption assistance for communications.
``2804. Access to decryption assistance for stored electronic
              communications or records.
``2805. Foreign government access to decryption assistance.
``2806. Establishment and operations of National Electronic
              Technologies Center.

     ``Sec. 2801. Definitions

       ``In this chapter:
       ``(1) Decryption assistance.--The term `decryption
     assistance' means assistance that provides or facilitates
     access to the plaintext of an encrypted wire or electronic
     communication or stored electronic information, including the
     disclosure of a decryption key or the use of a decryption key
     to produce plaintext.
       ``(2) Decryption key.--The term `decryption key' means the
     variable information used in or produced by a mathematical
     formula, code, or algorithm, or any component thereof, used
     to decrypt a wire communication or electronic communication
     or stored electronic information that has been encrypted.
       ``(3) Encrypt; encryption.--The terms `encrypt' and
     `encryption' refer to the scrambling (and descrambling) of
     wire communications, electronic communications, or
     electronically stored information, using mathematical
     formulas or algorithms in order to preserve the
     confidentiality, integrity, or authenticity of, and prevent
     unauthorized recipients from accessing or altering, such
     communications or information.
       ``(4) Foreign government.--The term `foreign government'
     has the meaning given the term in section 1116.
       ``(5) Official request.--The term `official request' has
     the meaning given the term in section 3506(c).
       ``(6) Incorporated definitions.--Any term used in this
     chapter that is not defined in this chapter and that is
     defined in section 2510, has the meaning given the term in
     section 2510.

     ``Sec. 2802. Unlawful use of encryption

       ``Any person who, during the commission of a felony under
     Federal law, knowingly and willfully encrypts any
     incriminating communication or information relating to that
     felony, with the intent to conceal that communication or
     information for the purpose of avoiding detection by a law
     enforcement agency or prosecutor--
       ``(1) in the case of a first offense under this section,
     shall be imprisoned not more than 5 years, fined under this
     title, or both; and
       ``(2) in the case of a second or subsequent offense under
     this section, shall be imprisoned not more than 10 years,
     fined under this title, or both.

     ``Sec. 2803. Access to decryption assistance for
       communications

       ``(a) Criminal Investigations.--
       ``(1) In general.--An order authorizing the interception of
     a wire or electronic communication under section 2518 shall,
     upon request of the applicant, direct that a provider of wire
     or electronic communication service, or any other person
     possessing information capable of decrypting that
     communication, other than a person whose communications are
     the subject of the interception, shall promptly furnish the
     applicant with the necessary decryption assistance, if the
     court finds that the decryption assistance sought is
     necessary for the decryption of a communication intercepted
     pursuant to the order.
       ``(2) Limitations.--Each order described in paragraph (1),
     and any extension of such an order, shall--
       ``(A) contain a provision that the decryption assistance
     provided shall involve disclosure of a private key only if no
     other form of decryption assistance is available and
     otherwise shall be limited to the minimum necessary to
     decrypt the communications intercepted pursuant to this
     chapter; and
       ``(B) terminate on the earlier of--
       ``(i) the date on which the authorized objective is
     attained; or
       ``(ii) 30 days after the date on which the order or
     extension, as applicable, is issued.
       ``(3) Notice.--If decryption assistance is provided
     pursuant to an order under this subsection, the court issuing
     the order described in paragraph (1)--
       ``(A) shall cause to be served on the person whose
     communications are the subject of such decryption assistance,
     as part of the inventory required to be served pursuant to
     section 2518(8), notice of the receipt of the decryption
     assistance and a specific description of the keys or other
     assistance disclosed; and
       ``(B) upon the filing of a motion and for good cause shown,
     shall make available to such person, or to counsel for that
     person, for inspection, the intercepted communications to
     which the decryption assistance related, except that on an ex
     parte showing of good cause, the serving of the inventory
     required by section 2518(8) may be postponed.
       ``(b) Foreign Intelligence Investigations.--
       ``(1) In general.--An order authorizing the interception of
     a wire or electronic communication under section 105(b)(2) of
     the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C.
     1805(b)(2)) shall, upon request of the applicant, direct that
     a provider of wire or electronic communication service or any
     other person possessing information capable of decrypting
     such communications, other than a person whose communications
     are the subject of the interception, shall promptly furnish
     the applicant with the necessary decryption assistance, if
     the court finds that

[[Page S4719]]

     the decryption assistance sought is necessary for the
     decryption of a communication intercepted pursuant to the
     order.
       ``(2) Limitations.--Each order described in paragraph (1),
     and any extension of such an order, shall--
       ``(A) contain a provision that the decryption assistance
     provided shall be limited to the minimum necessary to decrypt
     the communications intercepted pursuant to this chapter; and
       ``(B) terminate on the earlier of--
       ``(i) the date on which the authorized objective is
     attained; or
       ``(ii) 30 days after the date on which the order or
     extension, as applicable, is issued.
       ``(c) General Prohibition on Disclosure.--Other than
     pursuant to an order under subsection (a) or (b) of this
     section, no person possessing information capable of
     decrypting a wire or electronic communication of another
     person shall disclose that information or provide decryption
     assistance to an investigative or law enforcement officer (as
     defined in section 2510(7)).

     ``Sec. 2804. Access to decryption assistance for stored
       electronic communications or records

       ``(a) Decryption Assistance.--No person may disclose a
     decryption key or provide decryption assistance pertaining to
     the contents of stored electronic communications or records,
     including those disclosed pursuant to section 2703, to a
     governmental entity, except--
       ``(1) pursuant to a warrant issued under the Federal Rules
     of Criminal Procedure or an equivalent State warrant, a copy
     of which warrant shall be served on the person who created
     the electronic communication prior to or at the same time
     service is made on the keyholder;
       ``(2) pursuant to a subpoena, a copy of which subpoena
     shall be served on the person who created the electronic
     communication or record, under circumstances allowing the
     person meaningful opportunity to challenge the subpoena; or
       ``(3) upon the consent of the person who created the
     electronic communication or record.
       ``(b) Delay of Notification.--In the case of communications
     disclosed pursuant to section 2703(a), service of the copy of
     the warrant or subpoena on the person who created the
     electronic communication under subsection (a) may be delayed
     for a period of not to exceed 90 days upon request to the
     court by the governmental entity requiring the decryption
     assistance, if the court determines that there is reason to
     believe that notification of the existence of the court order
     or subpoena may have an adverse result described in section
     2705(a)(2).

     ``Sec. 2805. Foreign government access to decryption
       assistance

       ``(a) In General.--No investigative or law enforcement
     officer may--
       ``(1) release a decryption key to a foreign government or
     to a law enforcement agency of a foreign government; or
       ``(2) except as provided in subsection (b), provide
     decryption assistance to a foreign government or to a law
     enforcement agency of a foreign government.
       ``(b) Conditions for Cooperation With Foreign Government.--
       ``(1) Application for an order.--In any case in which the
     United States has entered into a treaty or convention with a
     foreign government to provide mutual assistance with respect
     to providing decryption assistance, the Attorney General (or
     the designee of the Attorney General) may, upon an official
     request to the United States from the foreign government,
     apply for an order described in paragraph (2) from the
     district court in which the person possessing information
     capable of decrypting the communication or information at
     issue resides--
       ``(A) directing that person to release a decryption key or
     provide decryption assistance to the Attorney General (or the
     designee of the Attorney General); and
       ``(B) authorizing the Attorney General (or the designee of
     the Attorney General) to furnish the foreign government with
     the plaintext of the encrypted communication or stored
     electronic information at issue.
       ``(2) Contents of order.--An order is described in this
     paragraph if it is an order directing the person possessing
     information capable of decrypting the communication or
     information at issue to
       ``(A) release a decryption key to the Attorney General (or
     the designee of the Attorney General) so that the plaintext
     of the communication or information may be furnished to the
     foreign government; or
       ``(B) provide decryption assistance to the Attorney General
     (or the designee of the Attorney General) so that the
     plaintext of the communication or information may be
     furnished to the foreign government.
       ``(3) Requirements for order.--The court described in
     paragraph (1) may issue an order described in paragraph (2)
     if the court finds, on the basis of an application made by
     the Attorney General under this subsection, that--
       ``(A) the decryption key or decryption assistance sought is
     necessary for the decryption of a communication or
     information that the foreign government is authorized to
     intercept or seize pursuant to the law of that foreign
     country;
       ``(B) the law of the foreign country provides for adequate
     protection against arbitrary interference with respect to
     privacy rights; and
       ``(C) the decryption key or decryption assistance is being
     sought in connection with a criminal investigation for
     conduct that would constitute a violation of a criminal law
     of the United States if committed within the jurisdiction of
     the United States.

     ``Sec. 2806. Establishment and operations of National
       Electronic Technologies Center

       ``(a) National Electronic Technologies Center.--
       ``(1) Establishment.--There is established in the
     Department of Justice a National Electronic Technologies
     Center (referred to in this section as the `NET Center').
       ``(2) Director.--The NET Center shall be administered by a
     Director (referred to in this section as the `Director'), who
     shall be appointed by the Attorney General.
       ``(3) Duties.--The NET Center shall--
       ``(A) serve as a center for Federal, State, and local law
     enforcement authorities for information and assistance
     regarding decryption and other access requirements;
       ``(B) serve as a center for industry and government
     entities to exchange information and methodology regarding
     information security techniques and technologies;
       ``(C) support and share information and methodology
     regarding information security techniques and technologies
     with the Computer Investigations and Infrastructure Threat
     Assessment Center (CITAC) and Field Computer Investigations
     and Infrastructure Threat Assessment (CITA) Squads of the
     Federal Bureau of Investigation;
       ``(D) examine encryption techniques and methods to
     facilitate the ability of law enforcement to gain efficient
     access to plaintext of communications and electronic
     information;
       ``(E) conduct research to develop efficient methods, and
     improve the efficiency of existing methods, of accessing
     plaintext of communications and electronic information;
       ``(F) investigate and research new and emerging techniques
     and technologies to facilitate access to communications and
     electronic information, including--
       ``(i) reverse-stenography;
       ``(ii) decompression of information that previously has
     been compressed for transmission; and
       ``(iii) demultiplexing;
       ``(G) investigate and research interception and access
     techniques that preserve the privacy and security of
     information not authorized to be intercepted; and
       ``(H) obtain information regarding the most current
     hardware, software, telecommunications, and other
     capabilities to understand how to access digitized
     information transmitted across networks.
       ``(4) Equal access.--State and local law enforcement
     agencies and authorities shall have access to information,
     services, resources, and assistance provided by the NET
     Center to the same extent that Federal law enforcement
     agencies and authorities have such access.
       ``(5) Personnel.--The Director may appoint such personnel
     as the Director considers appropriate to carry out the duties
     of the NET Center.
       ``(6) Assistance of other federal agencies.--Upon the
     request of the Director of the NET Center, the head of any
     department or agency of the Federal Government may, to assist
     the NET Center in carrying out its duties under this
     subsection--
       ``(A) detail, on a reimbursable basis, any of the personnel
     of such department or agency to the NET Center; and
       ``(B) provide to the NET Center facilities, information,
     and other nonpersonnel resources.
       ``(7) Private industry assistance.--The NET Center may
     accept, use, and dispose of gifts, bequests, or devises of
     money, services, or property, both real and personal, for the
     purpose of aiding or facilitating the work of the Center.
     Gifts, bequests, or devises of money and proceeds from sales
     of other property received as gifts, bequests, or devises
     shall be deposited in the Treasury and shall be available for
     disbursement upon order of the Director of the NET Center.
       ``(8) Advisory board.--
       ``(A) Establishment.--There is established in the NET
     Center an Advisory Board for Excellence in Information
     Security (in this paragraph referred to as the `Advisory
     Board'), which shall be comprised of members who have the
     qualifications described in subparagraph (B) and who are
     appointed by the Attorney General. The Attorney General shall
     appoint a chairman of the Advisory Board.
       ``(B) Qualifications.--Each member of the Advisory Board
     shall have experience or expertise in the field of
     encryption, decryption, electronic communication, information
     security, electronic commerce, privacy protection, or law
     enforcement.
       ``(C) Duties.--The duty of the Advisory Board shall be to
     advise the NET Center and the Federal Government regarding
     new and emerging technologies relating to encryption and
     decryption of communications and electronic information.
       ``(9) Implementation plan.--
       ``(A) In general.--Not later than 2 months after the date
     of enactment of this chapter, the Attorney General shall, in
     consultation and cooperation with other appropriate Federal
     agencies and appropriate industry participants, develop and
     cause to be published in the Federal Register a plan for
     establishing the NET Center.
       ``(B) Contents of plan.--The plan published under
     subparagraph (A) shall--
       ``(i) specify the physical location of the NET Center and
     the equipment, software,

[[Page S4720]]

     and personnel resources necessary to carry out the duties of
     the NET Center under this subsection;
       ``(ii) assess the amount of funding necessary to establish
     and operate the NET Center; and
       ``(iii) identify sources of probable funding for the NET
     Center, including any sources of in-kind contributions from
     private industry.
       ``(b) Authorization.--There are authorized to be
     appropriated such sums as may be necessary for the
     establishment and operation of the NET Center.''.
       (b) Technical and Conforming Amendment.--The analysis for
     part I of title 18, United States Code, is amended by adding
     at the end the following:

``124. Encrypted wire or electronic communications and stored
    electronic information..................................2801''.....

               TITLE III--EXPORTS OF ENCRYPTION PRODUCTS

     SEC. 301. COMMERCIAL ENCRYPTION PRODUCTS.

       (a) Provisions Applicable to Commercial Products.--The
     provisions of this title apply to all encryption products,
     regardless of the encryption algorithm selected, encryption
     key length chosen, exclusion of key recovery or other
     plaintext access capability, or implementation or medium
     used, except those specifically designed or modified for
     military use, including command, control, and intelligence
     applications.
       (b) Control by Secretary of Commerce.--Subject to the
     provisions of this title, and notwithstanding any other
     provision of law, the Secretary of Commerce shall have
     exclusive authority to control exports of encryption products
     covered under subsection (a).

     SEC. 302. LICENSE EXCEPTION FOR MASS MARKET PRODUCTS.

       (a) Export Control Relief.--Subject to section 307, an
     encryption product that is generally available, or
     incorporates or employs in any form, implementation, or
     medium, an encryption product that is generally available,
     shall be exportable without the need for an export license,
     and without restrictions other than those permitted under
     this Act, after a 1-time 15-day technical review by the
     Secretary of Commerce.
       (b) Definitions.--In this section, the term ``generally
     available'' means an encryption product that is--
       (1) offered for sale, license, or transfer to any person
     without restriction, whether or not for consideration,
     including, but not limited to, over-the-counter retail sales,
     mail order transactions, phone order transactions, electronic
     distribution, or sale on approval; and
       (2) not designed, developed, or customized by the
     manufacturer for specific purchasers except for user or
     purchaser selection among installation or configuration
     parameters.
       (c) Commerce Department Assurance.--
       (1) In general.--The manufacturer or exporter of an
     encryption product may request written assurance from the
     Secretary of Commerce that an encryption product is
     considered generally available for purposes of this section.
       (2) Response.--Not later than 30 days after receiving a
     request under paragraph (1), the Secretary shall make a
     determination regarding whether to issue a written assurance
     under that paragraph, and shall notify the person making the
     request, in writing, of that determination.
       (3) Effect on manufacturers and exporters.--A manufacturer
     or exporter who obtains a written assurance under this
     subsection shall not be held liable, responsible, or subject
     to sanctions for failing to obtain an export license for the
     encryption product at issue.

     SEC. 303. LICENSE EXCEPTION FOR PRODUCTS WITHOUT ENCRYPTION
                   CAPABLE OF WORKING WITH ENCRYPTION PRODUCTS.

       Subject to section 307, any product that does not itself
     provide encryption capabilities, but that incorporates or
     employs in any form cryptographic application programming
     interfaces or other interface mechanisms for interaction with
     other encryption products covered by section 301(a), shall be
     exportable without the need for an export license, and
     without restrictions other than those permitted under this
     Act, after a 1-time, 15-day technical review by the Secretary
     of Commerce.

     SEC. 304. LICENSE EXCEPTION FOR PRODUCT SUPPORT AND
                   CONSULTING SERVICES.

       (a) No Additional Export Controls Imposed if Underlying
     Product Covered by License Exception.--Technical assistance
     and technical data associated with the installation and
     maintenance of encryption products covered by sections 302
     and 303 shall be exportable without the need for an export
     license, and without restrictions other than those permitted
     under this Act.
       (b) Definitions.--In this section:
       (1) Technical assistance.--The term ``technical
     assistance'' means services, including instruction, skills
     training, working knowledge, and consulting services, and the
     transfer of technical data.
       (2) Technical data.--The term ``technical data'' means
     information including blueprints, plans, diagrams, models,
     formulae, tables, engineering designs and specifications,
     manuals and instructions written or recorded on other media
     or devices such as disk, tape, or read-only memories.

     SEC. 305. LICENSE EXCEPTION WHEN COMPARABLE FOREIGN PRODUCTS
                   AVAILABLE.

       (a) Foreign Availability Standard.--An encryption product
     not qualifying under section 302 shall be exportable without
     the need for an export license, and without restrictions
     other than those permitted under this Act, after a 1-time 15-
     day technical review by the Secretary of Commerce, if an
     encryption product utilizing the same or greater key length
     or otherwise providing comparable security to such encryption
     product is, or will be within the next 18 months,
     commercially available outside the United States from a
     foreign supplier.
       (b) Determination of Foreign Availability.--
       (1) Encryption export advisory board established.--There is
     hereby established a board to be known as the ``Encryption
     Export Advisory Board'' (in this section referred to as the
     ``Board'').
       (2) Membership.--The Board shall be comprised of--
       (A) the Under Secretary of Commerce for Export
     Administration, who shall be Chairman;
       (B) seven individuals appointed by the President, of whom--
       (i) one shall be a representative from each of--

       (I) the National Security Agency;
       (II) the Central Intelligence Agency; and
       (III) the Office of the President; and

       (ii) four shall be individuals from the private sector who
     have expertise in the development, operation, or marketing of
     information technology products; and
       (C) four individuals appointed by Congress from among
     individuals in the private sector who have expertise in the
     development, operation, or marketing of information
     technology products, of whom--
       (i) one shall be appointed by the Majority Leader of the
     Senate;
       (ii) one shall be appointed by the Minority Leader of the
     Senate;
       (iii) one shall be appointed by the Speaker of the House of
     Representatives; and
       (iv) one shall be appointed by the Minority Leader of the
     House of Representatives.
       (3) Meetings.--
       (A) In general.--Subject to subparagraph (B), the Board
     shall meet at the call of the Under Secretary of Commerce for
     Export Administration.
       (B) Meetings when applications pending.--If any application
     referred to in paragraph (4)(A) is pending, the Board shall
     meet not less than once every 30 days.
       (4) Duties.--
       (A) In general.--Whenever an application for a license
     exception for an encryption product under this section is
     submitted to the Secretary of Commerce, the Board shall
     determine whether a comparable encryption product is
     commercially available outside the United States from a
     foreign supplier as specified in subsection (a).
       (B) Majority vote required.--The Board shall make a
     determination under this paragraph upon a vote of the
     majority of the members of the Board.
       (C) Deadline.--The Board shall make a determination with
     respect to an encryption product under this paragraph not
     later than 30 days after receipt by the Secretary of an
     application for a license exception under this subsection
     based on the encryption product.
       (D) Notice of determinations.--The Board shall notify the
     Secretary of Commerce of each determination under this
     paragraph.
       (E) Reports to president.--Not later than 30 days after a
     meeting under this paragraph, the Board shall submit to the
     President a report on the meeting.
       (F) Applicability of faca.--The provisions of the Federal
     Advisory Committee Act (5 U.S.C. App.) shall not apply to the
     Board or to meetings held by the Board under this paragraph.
       (5) Action by secretary of commerce.--
       (A) Approval or disapproval.--The Secretary of Commerce
     shall specifically approve or disapprove each determination
     of the Board under paragraph (5) not later than 30 days of
     the submittal of such determination to the Secretary under
     that paragraph.
       (B) Notification and publication of decision.--The
     Secretary of Commerce shall--
       (i) notify the Board of each approval or disapproval under
     this paragraph; and
       (ii) publish a notice of the approval or disapproval in the
     Federal Register.
       (C) Contents of notice.--Each notice of a decision of
     disapproval by the Secretary of Commerce under subparagraph
     (B) of a determination of the Board under paragraph (4) that
     an encryption product is commercially available outside the
     United States from a foreign supplier shall set forth an
     explanation in detail of the reasons for the decision,
     including why and how continued export control of the
     encryption product which the determination concerned will be
     effective in achieving its purpose and the amount of lost
     sales and loss in market share of United States encryption
     products as a result of the decision.
       (6) Judicial review.--Notwithstanding any other provision
     of law, a decision of disapproval by the Secretary of
     Commerce under paragraph (5) of a determination of the Board
     under paragraph (4) that an encryption product is
     commercially available outside the United States from a
     foreign supplier shall be subject to judicial review under
     the provisions of subchapter II of chapter 5 of title 5,
     United States Code (commonly referred to as the
     ``Administrative Procedures Act'').
       (c) Inclusion of Comparable Foreign Encryption Product in a
     United States Product Not Basis for Export Controls.--A
     product that incorporates or employs a

[[Page S4721]]

     foreign encryption product, in the way it was intended to be
     used and that the Board has determined to be commercially
     available outside the United States, shall be exportable
     without the need for an export license and without
     restrictions other than those permitted under this Act, after
     a 1-time 15-day technical review by the Secretary of
     Commerce.

     SEC. 306. NO EXPORT CONTROLS ON ENCRYPTION PRODUCTS USED FOR
                   NONCONFIDENTIALITY PURPOSES.

       (a) Prohibition on New Controls.--The Federal Government
     shall not restrict the export of encryption products used for
     nonconfidentiality purposes such as authentication,
     integrity, digital signatures, nonrepudiation, and copy
     protection.
       (b) No Reinstatement of Controls on Previously Decontrolled
     Products.--Those encryption products previously decontrolled
     and not requiring an export license as of January 1, 1998, as
     a result of administrative decision or rulemaking shall not
     require an export license.

     SEC. 307. APPLICABILITY OF GENERAL EXPORT CONTROLS.

       (a) Subject to Terrorist and Embargo Controls.--Nothing in
     this Act shall be construed to limit the authority of the
     President under the International Emergency Economic Powers
     Act, the Trading with the Enemy Act, or the Export
     Administration Act, to--
       (1) prohibit the export of encryption products to countries
     that have been determined to repeatedly provide support for
     acts of international terrorism; or
       (2) impose an embargo on exports to, and imports from, a
     specific country.
       (b) Subject to Specific Denials for Specific Reasons.--The
     Secretary of Commerce shall prohibit the export of particular
     encryption products to an individual or organization in a
     specific foreign country identified by the Secretary if the
     Secretary determines that there is substantial evidence that
     such encryption products will be used for military or
     terrorist end-use, including acts against the national
     security, public safety, or the integrity of the
     transportation, communications, or other essential systems of
     interstate commerce in the United States.
       (c) Other Export Controls Remain Applicable.--(1)
     Encryption products shall remain subject to all export
     controls imposed on such products for reasons other than the
     existence of encryption capabilities.
       (2) Nothing in this Act alters the Secretary's ability to
     control exports of products for reasons other than
     encryption.

     SEC. 308. FOREIGN TRADE BARRIERS TO UNITED STATES PRODUCTS.

       Not later than 180 days after the date of enactment of this
     Act, the Secretary of Commerce, in consultation with the
     United States Trade Representative, shall--
       (1) identify foreign barriers to exports of United States
     encryption products;
       (2) initiate appropriate actions to address such barriers;
     and
       (3) submit to Congress a report on the actions taken under
     this section.

  Mr. LEAHY. Mr. President, I am pleased to join Senator Ashcroft, and
others, in introducing today the ``Encryption Protects the Rights of
Individuals from Violation and Abuse in Cyberspace,'' or E-PRIVACY Act,
to reform our nation's cryptography policy in a constructive and
positive manner. It is time the Administration woke up to the critical
need for a common sense encryption policy in this country.
  I have been sounding the alarm bells about this issue for several
years now, and have introduced encryption legislation, with bipartisan
support, in the last Congress and again in this one, to balance the
important privacy, economic, national security and law enforcement
interests at stake. The volume of those alarm bells should be raised to
emergency sirens.
  Hardly a month goes by without press reports of serious breaches of
computer security that threaten our critical infrastructures, including
Defense Department computer systems, the telephone network, or computer
systems for airport control towers. The lesson of these computer
breaches--often committed by computer savvy teenagers--is that all the
physical barriers we might put in place can be circumvented using the
wires that run into every building to support the computers and
computer networks that are the mainstay of how we do business. A well-
focused cyber-attack on the computer networks that support
telecommunications, transportation, water supply, banking, electrical
power and other critical infrastructure systems could wreak havoc on
our national economy or even jeopardize our national defense or public
safety.
  We have been aware of the vulnerabilities of our computer networks
for some time. It became clear to me almost a decade ago, during
hearings I chaired of the Judiciary Subcommittee on Technology and the
Law on the risks of high-tech terrorism, that merely ``hardening'' our
physical space from potential attack is not enough. We must also
``harden'' our critical infrastructures to ensure our security and our
safety.
  That is where encryption technology comes in. Encryption can protect
the security of our computer information and networks. Indeed, both
former Senator Sam Nunn and former Deputy Attorney General Jamie
Gorelick, who serve as co-chairs of the Advisory Committee to the
President's Commission on Critical Infrastructure Protection, have
testified that ``encryption is essential for infrastructure
protection.''
  Yet U.S. encryption policy has acted as a deterrent to better
security. As long ago as 1988, at the High-Tech Terrorism hearings I
chaired, Jim Woolsey, who later became the director of the Central
Intelligence Agency, testified about the need to do a better job of
using encryption to protect our computer networks. Of particular
concern is the recent testimony of former Senator Sam Nunn that the
``continuing federal government-private sector deadlock over encryption
and export policies'' may pose an obstacle to the cooperation needed to
protect our country's critical infrastructures.
  I have long advocated the use of strong encryption by individuals,
government agencies and private companies to protect their valuable and
confidential computer information. Moreover, as more Americans every
year use the Internet and other computer networks to obtain critical
medical services, and conduct their personal and business affairs,
maintaining the privacy and confidentiality of our computer
communications both here and abroad has only grown in importance. As an
avid computer user and Internet surfer myself, I care deeply about
protecting individual privacy and encouraging the development of the
Internet as a secure and trusted communications medium.
  Encryption is the key to protecting the privacy of our online
communications and electronic records by ensuring that only the people
we choose can read those communications and records. That is why the
primary thrust of the encryption legislation I have introduced is to
encourage--and not stand in the way of--the widespread use of strong
encryption.
  Strong encryption serves as a crime prevention shield to stop
hackers, industrial spies and thieves from snooping into private
computer files and stealing valuable proprietary information.
Unfortunately, we still have a long away to go to reform our country's
encryption policy to reflect that this technology is a significant
crime and terrorism prevention tool.
  Even as our law enforcement and intelligence agencies try to slow
down the widespread use of strong encryption, technology continues to
move forward. Ironically, foot-dragging by the Administration on export
controls is driving encryption technology, expertise and manufacturing
overseas where we will lose even more control over its proliferation.
  Indeed, due to the sorry state of our export controls on encryption,
we are seeing rising numbers of our high-tech companies turning to
overseas firms as suppliers of the strong encryption demanded by their
customers. For example, Network Associates recently announced that it
will make strong encryption software developed in the United States
available through a Swiss company. Other companies, including Sun
Microsystems, are cooperating with foreign firms to manufacture and
distribute overseas strong encryption software originally developed
here at home.
  Encryption technology, invented with American ingenuity, will now be
manufactured and distributed in Europe, and imported back into this
country.
  Driving encryption expertise overseas is extremely short-sighted and
poses a real threat to our national security. Driving high-tech jobs
overseas is a threat to our economic security, and stifling the
widespread, integrated use of strong encryption is a threat to our
public safety. The E-PRIVACY Act would reverse the incentives for
American companies to look abroad for strong encryption by relaxing our
export controls.
  Specifically, the bill would grant export license exceptions, after a
one-time technical review, for mass market products with encryption
capabilities,

[[Page S4722]]

products which do not themselves provide encryption but are capable of
interoperating with encryption products, and customized hardware and
software with encryption capabilities so long as foreign products with
comparable encryption are available.
  At the same time, the bill retains important restrictions on
encryption exports for military end-uses or to terrorist-designated or
embargoed countries, such as Cuba and North Korea. It also affirms the
continued authority of the Secretary of Commerce over encryption
exports and assures that before export, the Secretary is able to
conduct a one-time technical review of all encryption products to
ensure that the product works as represented.
  The E-PRIVACY Act puts to rest the specter of domestic controls on
encryption. This legislation bars government-mandated key recovery (or
key escrow encryption) and ensures that all computer users are free to
choose any encryption method to protect the privacy of their online
communications and computer files.
  At the heart of the encryption debate is the power this technology
gives computer users to choose who may access their communications and
stored records, to the exclusion of all others. For the same reason
that encryption is a powerful privacy enhancing tool, it also poses
challenges for law enforcement. Law enforcement agencies want access
even when we do not choose to give it. We are mindful of these national
security and law enforcement concerns that have dictated the
Administration's policy choices on encryption.
  With the appropriate procedural safeguards in place, law enforcement
agencies should be able to get access to decryption assistance. The E-
PRIVACY Act contains a number of provisions designed to address these
concerns, including a new criminal offense for willful use of
encryption to hide incriminating evidence from law enforcement
detection, establishment of a NET Center to help federal, state and
local law enforcement stay abreast of advanced technologies, and
explicit procedures for law enforcement to obtain decryption assistance
from third parties for encrypted communications or records to which law
enforcement has lawful access.
  One of the starkest deficiencies in the Administration's key recovery
proposals has always been the question of foreign government access.
The Administration has sought reciprocal relationships with foreign
governments as a critical part of an effective global key recovery
system. Yet many Americans and American companies are rightfully
concerned about the terms under which foreign governments would get
access to decryption assistance. The E-PRIVACY Act makes clear what
those terms will be and ensures that foreign governments will not get
access to private decryption keys, but only, at most, plaintext.
  This is not just an important issue for the privacy and security of
Americans; it also is a significant human rights issue. Today, human
rights organizations worldwide are using encryption to protect their
work and the lives of investigators, witnesses and victims overseas.
Amnesty International uses it. Human Rights Watch uses it. The human
rights program in the American Association for the Advancement of
Science uses it. It is used to protect witnesses who report human
rights abuses in the Balkans, in Burma, in Guatemala, in Tibet. I have
been told about a number of other instances in which strong encryption
has been used to further the causes of democracy and human rights.

  For example, in the ongoing trial of Argentinean military officers in
Spain, on charges of genocide and terrorism arising out of the ``dirty
war,'' the human rights group Derechos uses the encryption program
Pretty Good Privacy (PGP)--which the United States government tried to
keep out of the hands of foreigners--to encrypt particularly
confidential messages that go between Spain and Argentina, to stop the
Argentinean intelligence forces from being able to read them and so try
to jeopardize the trial.
  A group in Guatemala is using a computer database to track the names
of witnesses to military massacres. A South African organization keeps
the names of applicants for amnesty for political crimes carried out in
South Africa during the apartheid regime. Workers at both groups could
be subject to intimidation, harassment, or murder by those intent on
preventing the public discussion and analysis of the claims. Both
systems are protected by strong cryptography.
  A not-for-profit agency working for human rights in the Balkans uses
PGP to protect all sensitive files. Its offices have been raided by
various police forces looking for evidence of ``subversive
activities.'' Last year in Zagreb, security police raided its office
and confiscated its computers in the hope of retrieving information
about the identity of people who had complained about human rights
abuses by the authorities. PGP allowed the group to communicate and
protect its files from any attempt to gain access. The director of the
organization spent 13 days in prison for not opening his encrypted
files but has said ``it was a very small price to pay for protecting
our clients.''
  The Iraqi National Congress, a group opposing Saddam Hussein with
offices in London and supporters inside Iraq, uses encrypted e-mail to
communicate with its supporters inside Iraq. (Non-governmental Internet
connections are banned in Iraq, but the dissidents within Iraq access
e-mail by dialing outside the country with satellite telephones).
  Burmese human rights activists working in the relative safe haven of
Thailand use encryption when communicating on-line, because the Thai
government maintains diplomatic relations with the Burmese government
and is expected to turn over information to the Burmese authorities.
  The FBI has argued that lives may be lost in sensitive terrorist and
other investigations if government agencies do not have access to
private encryption keys. However, the reverse is equally true: weak
encryption or easy government access to decryption assistance could
jeopardize lives as well.
  Finally, the E-PRIVACY Act contains provisions to enhance the privacy
protections for communications, even when encryption is not employed.
Specifically, the bill would require law enforcement to obtain a court
order based on probable cause before using a cellular telephone as a
tracking device. In addition, the bill would require law enforcement
agencies to obtain a court order or provide notice when seizing
electronic records that a person stores on a computer network rather
than on the hard drive of his or her own personal computer. Finally,
the bill grants Federal judges authority to evaluate the reasons
proffered by a prosecutor for issuance of an ex parte pen register or
trap and trace device order, by contrast to their mere ministerial
authority under current law.
  In sum, the E-PRIVACY Act accomplishes the eight goals that Senator
Ashcroft and I set out during our April 2, 1998, colloquy on the floor.
Specifically, we sought to craft legislation that promotes the
following principles:
  First, ensure the right of Americans to choose how to protect the
privacy and security of their communications and information;
  Second, bar a government-mandated key escrow encryption system;
  Third, establish both procedures and standards for access by law
enforcement to decryption keys or decryption assistance for both
encrypted communications and stored electronic information and only
permit such access upon court order authorization, with appropriate
notice and other procedural safeguards;
  Fourth, establish both procedures and standards for access by foreign
governments and foreign law enforcement agencies to the plaintext of
encrypted communications and stored electronic information of United
States persons;
  Fifth, modify the current export regime for encryption to promote the
global competitiveness of American companies;
  Sixth, avoid linking the use of certificate authorities with key
recovery agents or, in other words, not link the use of encryption for
confidentiality purposes with use of encryption for authenticity and
integrity purposes;
  Seventh, consistent with these goals of promoting privacy and the
global competitiveness of our high-tech industries, help our law
enforcement agencies and national security agencies deal with the
challenges posed by the use of encryption; and

[[Page S4723]]

  Eighth, protect the security and privacy of information provided by
Americans to the government by ensuring that encryption products used
by the government interoperate with commercial encryption products.
  Resolving the encryption debate is critical for our economy, our
national security and our privacy. This is not a partisan issue. This
is not a black-and-white issue of being either for law enforcement and
national security or for Internet freedom. Characterizing the debate in
these simplistic terms is neither productive nor accurate.
  Delays in resolving the encryption debate hurt most the very public
safety and national security interests that are posed as obstacles to
resolving this issue. We need sensible solutions in legislation that
will not be subject to change at the whim of agency bureaucrats.
  Every American, not just those in the software and high-tech
industries and not just those in law enforcement agencies, has a stake
in the outcome of this debate. We have a legislative stalemate right
now that needs to be resolved, and I hope to work closely with my
colleagues and the Administration on a solution.
  I ask unanimous consent that the sectional summary for the ``E-
PRIVACY Act'' be printed in the Record.
  There being no objection, the summary was ordered to be printed in
the Record, as follows:

              Section-by-Section Analysis of E-Privacy Act

       Sec. 1. Short Title.--The Act may be cited as the
     ``Encryption Protects the Rights of Individuals from
     Violation and Abuse in CYberspace (E-PRIVACY) Act.''
       Sec. 2 Purposes.--The Act would ensure that Americans have
     the maximum possible choice in encryption methods to protect
     the security, confidentiality and privacy of their lawful
     wire and electronic communications and stored electronic
     information. The Act would also promote the privacy and
     constitutional rights of individuals and organizations and
     the security of critical information infrastructures.
     Finally, the Act would establish privacy standards and
     procedures for law enforcement officers to follow to obtain
     decryption assistance for encrypted communications and
     information.
       Sec. 3 Findings.--The Act enumerates sixteen congressional
     findings, including that a secure, private and trusted
     national and global information infrastructure is essential
     to promote citizens' privacy, economic growth and meet the
     needs of both American citizens and businesses, that
     encryption technology widely available worldwide can help
     meet those needs, that Americans should be free to use, and
     American businesses free to compete and sell, encryption
     technology, programs and products, and that there is a need
     to develop a national encryption policy to advance the global
     information infrastructure and preserve Americans' right to
     privacy and the Nation's public safety and national security.
       Sec. 4 Definitions.--The terms ``agency'', ``person'',
     ``remote computing service'' and ``state'' have the same
     meaning given those terms in specified sections of title 18,
     United States Code.
       Additional definitions are provided for the following
     terms:
       The terms ``encrypt'' and ``encryption'' mean the use of
     mathematical formulas or algorithms to scramble or descramble
     electronic data or communications for purposes of
     confidentiality, integrity, or authenticity. As defined, the
     terms cover a broad range of scrambling techniques and
     applications including cryptographic applications such as PGP
     or RSA's encryption algorithms; stegonagraphy;
     authentication; and winnowing and chafing.
       The term ``encryption product'' includes any hardware,
     software, devices, or other technology with encryption
     capabilities, whether or not offered for sale or
     distribution. A particular encryption product includes
     subsequent versions of the product, if the encryption
     capabilities remain the same.
       The term ``exportable'' means the ability to transfer,
     ship, or transmit to foreign users. The term includes the
     ability to electronically transmit via the Internet.
       The term ``key'' means the variable information used in or
     produced by a mathematical formula to encrypt or decrypt wire
     or electronic communications, or electronically stored
     information.
       The term ``technical review'' means a review by the
     Secretary of Commerce based on information about a product's
     encryption capabilities supplied by the manufacturer that an
     encryption product works as represented.

     title i--privacy protection for communications and electronic
                              information

       Sec. 101. Freedom to use Encryption.
       (a) In General.--The Act legislatively confirms current
     practice in the United States that any person in this country
     may lawfully use any encryption method, regardless of
     encryption algorithm, key length, existence of key recovery
     or other plaintext access capability, or implementation
     selected. Specifically, the Act states the freedom of any
     person in the U.S., as well as U.S. persons in a foreign
     country, to make, use, import, and distribute any encryption
     product without regard to its strength or the use of key
     recovery, subject to the other provisions of the Act.
       (b) Prohibition on Government-Compelled Key Escrow or Key
     Recovery Encryption.--The Act prohibits any federal or state
     agency from compelling the use of key recovery systems or
     other plaintext access systems. Agencies may not set
     standards, or condition approval or benefits, to compel use
     of these systems. U.S. agencies may not require persons to
     use particular key recovery products for interaction with the
     government. These prohibitions do not apply to systems for
     use solely for the internal operations and telecommunications
     systems of a U.S. or a State government agency.
       (c) Use of Encryption For Authentication or Integrity
     Purposes.--The Act requires that the use of encryption
     products shall be voluntary and market-driven, and no federal
     or state agency may link the use of encryption for
     authentication or identity (such as through certificate
     authority and digital signature systems) to the use of
     encryption for confidentiality purposes. For example, some
     Administration proposals would condition receipt of a digital
     certificate from a licensed certificate authority on the use
     of key recovery. Such conditions would be prohibited.
       Sec. 102. Purchase and Use of Encryption Products by the
     Federal Government.--The Act authorizes agencies of the
     United States to purchase encryption products for internal
     governmental operations and telecommunications systems. To
     ensure that secure electronic access to the Government is
     available to persons outside of and not operating under
     contract with Federal agencies, the Act requires that any key
     recovery features in encryption products used by the
     Government interoperate with commercial encryption products.
       Sec. 103. Enhanced Privacy Protection For Electronic
     Records on Computer Networks.--The Act adds a new subsection
     (g) to section 2703 of title 18, United States Code, to
     extend privacy protections to electronic information stored
     on computer networks.
       Under United States v. Miller, 425 U.S. 435 (1976)
     (customer has no standing to object to bank disclosure of
     customer records) and its progeny, records in the possession
     of third parties do not receive Fourth Amendment protection.
     When held in a person's home, such records can only be seized
     pursuant to a warrant based upon probable cause, or compelled
     under a subpoena which can be challenged and quashed. In both
     these instances, the record owner has notice of the search
     and an opportunity to challenge it. By contrast, production
     of records held by third parties can be compelled by a
     governmental agent with a subpoena to the third party holding
     the information, without notice to the person to whom the
     records belong or pertain. The record owner may never receive
     notice or any meaningful opportunity to challenge the
     production.
       This lack of protection for records held by third parties
     presents new privacy problems in the information age. With
     the rise of network computing, electronic information that
     was previously held on a person's own computer is
     increasingly stored elsewhere, such as on a network server or
     an ISP's computers. In many cases the location of such
     information is not even known to the record's owner.
       The Act amends section 2703 to extend the same privacy
     protections to a person's records whether storage takes place
     on that person's personal computer in their possession or in
     networked electronic storage. The term ``networked electronic
     storage'' applies to electronic records held by a third
     party, who is not authorized to access the contents of the
     record except in connection with providing storage services,
     and where the person who created the record is able to access
     and modify the record remotely through electronic means.
     Electronic data stored incident to transmission (such as e-
     mail) and covered under 2703(a) is not included.
       The new section 2703(g) requires that a governmental entity
     may only require disclosure of electronic records in
     ``networked electronic storage'' pursuant to (i) a state or
     federal warrant (based upon probable cause), with a copy to
     be served on the record owner at the same time the warrant
     is served on the record holder; (ii) a subpoena that must
     also be served on the record owner with a meaningful
     opportunity to challenge the subpoena; or (iii) the
     consent of the record owner.
       Sec. 104. Government Access to Location Information.--The
     Act adds a new subsection (h) to section 2703 of title 18,
     United States Code, to extend privacy protections for
     physical location information generated on a real time basis
     by mobile electronic communications services, such as
     cellular telephones. This section requires that when cellular
     telephones are used as contemporaneous tracking devices, the
     physical location information generated by the service
     provider may only be released to a governmental entity
     pursuant to a court order based upon probable cause.
       Sec. 105. Enhanced Privacy Protection for Transactional
     Information Obtained From Pen Registers or Trap and Trace
     Devices.--The Act enhances privacy protections for
     information obtained from pen register and trap and trace
     devices by amending section 3123(a) of title 18, United
     States

[[Page S4724]]

     Code. This amendment would not change the standard for
     issuance of an ex parte order authorizing use of a pen
     register or trap and trace device, but would grant a court
     authority to review the information presented in a
     certification by the prosecuting attorney to determine
     whether the information likely to be obtained is relevant to
     an ongoing criminal investigation. Under current law, the
     court is relegated to a mere ministerial function and must
     issue the order upon presentation of a certification.
       In addition, the amendment requires law enforcement to
     minimize the information obtained from the pen register or
     trap and trace device that is not related to the dialing and
     signaling information utilized in call processing. Currently,
     such devices capture not just such dialing information but
     also any other dialed digits after a call has been completed.

                  TITLE II--LAW ENFORCEMENT ASSISTANCE

       Sec. 201. Encrypted Wire or Electronic Communications and
     Stored Electronic Communications.--The Act adds a new chapter
     124 to Title 18, Part I, governing the unlawful use of
     encryption, protections and standards for governmental
     access, including foreign governments, to decryption
     assistance from third parties, and establishment of a ``Net
     Center'' to assist law enforcement in dealing with advanced
     technologies, such as encryption.
       (a) In General.--New chapter 124 has six sections. This
     chapter applies to wire or electronic communications and
     communications in electronic storage, as defined in 18 U.S.C.
     Sec. 2510, and to stored electronic data. Thus, this chapter
     describes procedures for law enforcement to obtain assistance
     in decrypting encrypted electronic mail messages, encrypted
     telephone conversations, encrypted facsimile transmissions,
     encrypted computer transmissions and encrypted file transfers
     over the Internet that are lawfully intercepted pursuant to a
     wiretap order, under 18 U.S.C. Sec. 2518, or obtained
     pursuant to lawful process, under 18 U.S.C. Sec. 2703, and
     encrypted information stored on computers that are seized
     pursuant to a search warrant or other lawful process.
       Sec. 2801. Definitions.--Generally, the terms used in the
     new chapter have the same meanings as in the federal wiretap
     statute, 18 U.S.C. Sec. 2510. Definitions are provided for
     ``decryption assistance'', ``decryption key'', ``encrypt;
     encryption'', ``foreign government'' and ``official
     request''.
       Sec. 2802. Unlawful use of encryption.--This section
     creates a new federal crime for knowingly and willfully using
     encryption during the commission of a Federal felony offense,
     with the intent to conceal that information for the purpose
     of avoiding detection by law enforcement. This new offense
     would be subject to a fine and up to 5 years' imprisonment
     for a first offense, and up to 10 years' imprisonment for a
     second or subsequent offense.
       Sec. 2803. Access to decryption assistance for
     communications.--In the United States today, decryption keys
     and other decryption assistance held by third parties
     constitute third party records and may be disclosed to a
     governmental entity with a subpoena or an administrative
     request, and without any notice to the owner of the encrypted
     data. Such a low standard of access creates new problems in
     the information age because encryption users rely heavily on
     the integrity of keys to protect personal information or
     sensitive trade secrets, even when those keys are placed in
     the hands of trusted agents for recovery purposes.
       Under new section 2803, in criminal investigations a third
     party holding decryption keys or other decryption assistance
     for wire or electronic communications may be required to
     release such assistance pursuant to a court order, if the
     court issuing the order finds that such assistance is needed
     for the decryption of communications covered by the order.
     Specifically, such an order for decryption assistance may be
     issued upon a finding that the key or assistance is necessary
     to decrypt communications or stored data lawfully intercepted
     or seized. The standard for release of the key or provision
     of decryption assistance is tied directly to the problem at
     hand: the need to decrypt a message or information that the
     government is otherwise authorized to intercept or obtain.
       This will ensure that third parties holding decryption keys
     or decryption information need respond to only one type of
     compulsory process--a court order. Moreover, this Act will
     set a single standard for law enforcement, removing any extra
     burden on law enforcement to demonstrate, for example,
     probable cause for two separate orders (i.e., for the
     encrypted communications or information and for decryption
     assistance) and possibly before two different judges (i.e.,
     the judge issuing the order for the encrypted communications
     or information and the judge issuing the order to the third
     party able to provide decryption assistance).
       The Act reinforces the principle of minimization. The
     decryption assistance provided is limited to the minimum
     necessary to access the particular communications or
     information specified by court order. Under some key recovery
     schemes, release of a key holder's private key--rather than
     an individual session key--might provide the ability to
     decrypt every communication or stored file ever encrypted by
     a particular key owner, or by every user in an entire
     corporation, or by every user who was ever a customer of the
     key holder. The Act protects against such over broad releases
     of keys by requiring the court issuing the order to find that
     the decryption assistance being sought is necessary. Private
     keys may only be released if no other form of decryption
     assistance is available.
       Notice of the assistance given will be included as part of
     the inventory provided to subjects of the interception
     pursuant to current wiretap law standards.
       For foreign intelligence investigations, new section 2803
     allows FISA orders to direct third-party holders to release
     decryption assistance if the court finds the assistance is
     needed to decrypt covered communications. Minimization is
     also required, though no notice is provided to the target of
     the investigation.
       Under new section 2803, decryption assistance is only
     required under third-parties (i.e., other than those whose
     communications are the subject of interception), thereby
     avoiding self-incrimination problems.
       Finally, new section 2803 generally prohibits any person
     from providing decryption assistance for another person's
     communications to a governmental entity, except pursuant to
     the orders described.
       Sec. 2804. Access to decryption assistance for stored
     electronic communications or records.--New section 2804
     governs access to decryption assistance for stored electronic
     communications and records.
       As noted above, under current law third party decryption
     assistance may be disclosed to a governmental entity with a
     subpoena or even a mere request and without notice. This
     standard is particularly problematic for stored encrypted
     data, which may exist in insecure media but rely on
     encryption to maintain security; in such cases easy access to
     keys destroys the encryption security so heavily relied upon.
       Under new section 2804, third parties holding decryption
     keys or other decryption assistance for stored electronic
     communications may only release such assistance to a
     governmental entity pursuant to (1) a state or federal
     warrant (based upon probable cause), with a copy to be served
     on the record owner at the same time the warrant is served on
     the record holder; (2) a subpoena that must also be served on
     the record owner with a meaningful opportunity to challenge
     the subpoena; or (3) the consent of the record owner. This
     standard closely mirrors the protection that would be
     afforded to encryption keys that are actually kept in the
     possession of those whose records were encrypted. In the
     specific case of decryption assistance for communications
     stored incident to transit (such as e-mail), notice may be
     delayed under the standards laid out for delayed notice under
     current law in section 2705(a)(2) of title 18, United States
     Code.
       Sec. 2805. Foreign government access to decryption
     assistance.--New section 2805 creates standards for the U.S.
     government to provide decryption assistance to foreign
     governments. No law enforcement officer would be permitted to
     release decryption keys to a foreign government, but only to
     provide decryption assistance in the form of producing
     plaintext. No officer would be permitted to provide
     decryption assistance except upon an order requested by the
     Attorney General or designee. Such an order could require the
     production of decryption keys or assistance to the Attorney
     General only if the court finds that (1) the assistance is
     necessary to decrypt data the foreign government is
     authorized to intercept under foreign law; (2) the foreign
     country's laws provide ``adequate protection against
     arbitrary interference with respect to privacy rights''; and
     (3) the assistance is sought for a criminal investigation of
     conduct that would violate U.S. criminal law if committed in
     the United States.
       Sec. 2806. Establishment and operations of National
     Electronic Technologies Center.--This section establishes a
     National Electronic Technologies Center (``NET Center'') to
     serve as a focal point for information and assistance to
     federal, state, and local law enforcement authorities to
     address the technical difficulties of obtaining plaintext of
     communications and electronic information through the use of
     encryption, steganography, compression, multiplexing, and
     other techniques.

               title iii--exports of encryption products

       Sec. 301. Commercial Encryption Products.
       (a) Provisions Applicable to Commercial Products.--This
     title applies to all encryption products other than those
     specifically designed or modified for military use.
       (b) Control by Secretary of Commerce.--This section grants
     exclusive authority to the Secretary of Commerce (the
     ``Secretary'') to control commercial encryption product
     exports.
       Sec. 302. License Exception for Mass Market Products.
       (a) Export Control Relief.--The Act permits export under a
     license exception of generally available, mass market,
     encryption products, which by their nature are uncontrollable
     given the volume sold and ease of distribution, without a
     license or restrictions, other than those permitted under
     this Act, after a 1-time 15-day technical review by the
     Secretary.
       (b) Definitions.--This section defines ``generally
     available'' as a product offered for sale, license, or
     transfer, including over-the-counter sales, mail or phone
     order transactions, electronic distribution, or sale on
     approval and not designed, developed or customized by the
     manufacturer for specific purchasers (except for installation
     or configuration parameters).

[[Page S4725]]

       (c) Commerce Department Assurance.--This section permits
     requests from manufacturers or exporters to the Secretary for
     written assurance that a product is ``generally available,''
     and requires that the Secretary notify the petitioner of a
     decision within 30 days. This section prohibits imposition of
     liability or sanctions on petitioners who receive such a
     written assurance for failing to obtain an export license.
       Sec. 303. License Exception for Products Without Encryption
     Capable of Working With Encryption Products.
       This section permits export under a license exception of
     products, which do not provide any encryption themselves, but
     that are capable of working with encryption products, without
     restriction other than those permitted under this Act, after
     a 1-time, 15 day technical review by the Secretary.
       Sec. 304. License Exception For Product Support and
     Consulting Services.
       (a) No Additional Export Controls Imposed if Underlying
     Product Covered by License Exception.--This section permits
     export of product support and consulting services, including
     technical assistance and technical data associated with the
     installation and maintenance of mass market encryption
     products or products capable of working with encryption
     products without an export license and without restrictions
     other than those permitted under this Act.
       (b) Definitions.--This section defines technical assistance
     as services, such as instruction, skills training, working
     knowledge, consulting services and transfer of technical
     data. ``Technical data'' is defined as information, including
     blueprints, plans, diagrams, models, formulae, table,
     engineering designs and specifications, manuals and
     instructions.
       Sec. 304. License Exception When Comparable Foreign
     Products Available.
       (a) Foreign Availability Standard.--This section permits
     unrestricted export of customized encryption hardware and
     software products (i.e., not generally available mass market
     products) if a foreign encryption product using the same or
     greater key length or providing comparable security is, or
     will within 18 months, be commercially available outside the
     United States.
       (b) Determination of Foreign Availability.--This section
     establishes an Encryption Export Advisory Board (the
     ``Board''), which is chaired by the Under Secretary of
     Commerce for Export Administration, with seven Presidential
     appointees (3 government and 4 private sector
     representatives); and four Congressional appointees from the
     private sector. The Board is required to meet at the call of
     the Chairman, or if there are any pending applications for a
     license exception, the Board shall meet at least once every
     30 days.
       The primary duties of the Board shall be to determine
     whether comparable foreign encryption products are
     commercially available outside the United States. The
     decision is by majority vote, and must be made within 30 days
     of receipt of application for a license exception. The Board
     must notify the Secretary of its determination, and submit a
     report to the President within 30 days. Board meetings are
     exempt from the Federal Advisory Committee Act.
       The Secretary is required to approve or disapprove each
     Board determination within 30 days of receipt of that
     determination, notify the Board of the approval or
     disapproval, and publish notice of the approval or
     disapproval in the Federal Register. The notice shall include
     an explanation in detail of the reasons for the decision,
     including why and how continued export controls will be
     effective and the amount of lost sales and market share of
     U.S. encryption product which resulted. Judicial review of
     the Secretary's decision to disapprove a Board decision that
     a product is commercially available is permitted.
       (c) Inclusion of Comparable Foreign Encryption Products in
     a United States Product Not Baiss for Export Controls.--This
     section permits export under a license exception of products
     incorporating or employing a foreign encryption product in
     the way it was intended to be used and that the Board has
     determined to be commercially available outside the United
     States, without an export license and without restrictions
     other than those under the Act, after a 1-time 15 day review
     by the Secretary.
       Sec. 306. No Export Controls on Encryption Products Used
     For Nonconfidentiality Purposes.
       (a) Prohibition on New Controls.--This section prohibits
     restrictions on encryption exports used for
     nonconfidentiality purposes such as authentication,
     integrity, digital signatures, nonrepudiation and copy
     protection.
       (b) No Reinstatement of Controls on Previously Decontrolled
     products.--This section prohibits administratively imposed
     encryption controls on previously decontrolled products not
     requiring an export license as of January 1, 1998.
       Sec. 307. Applicability of General Export Controls.
       (a) Subject to Terrorists and Embargo Controls.--Nothing in
     the Act shall limit the President's authority under the
     International Emergency Economic Powers Act, the Trading With
     the Enemy Act, or the Export Administration Act to prohibit
     export of encryption products to countries that have
     repeatedly provided support for international terrorism, or
     impose an embargo on exports or imports from a specific
     country.
       (b) Subject to Specific Denials for Specific Reasons.--The
     Secretary is required to prohibit export of encryption
     products to an individual or organization in a specific
     foreign country identified by the Secretary, if the Secretary
     determines that there is substantial evidence that such
     encryption product will be used for military or terrorist
     end-use, including acts against the critical infrastructure
     of the United States.
       (c) Other Export Controls Remain Applicable.--Encryption
     products remain subject to all export controls imposed for
     reasons other than the existence of encryption capabilities,
     and the Secretary retains the authority to control exports of
     products for reasons other than encryption.
       Sec. 308. Foreign Trade Barriers to United States Products.
       The Secretary, in consultation with the United States Trade
     Representative, is required within 180 days of enactment of
     the Act to: (1) identify foreign barriers to the export of
     U.S. encryption products; (2) initiate appropriate actions to
     address such barriers; and (3) submit to Congress a report on
     the actions taken under this section.
  Mr. BURNS. Mr. President, I stand before the chamber today in support
of the e-Privacy Act because the very future of electronic commerce on
the Internet is being held hostage to cold-war era export controls.
These outdated regulations tie the hands of the U.S. high technology
industry and pose a threat to privacy and security of all Americans who
use the Internet. Despite some small concessions by the Administration,
the competitive advantage of the U.S. high technology industries and
the privacy and security of our citizens remain trapped by the Clinton
Administration's outdated policy.
  The e-Privacy Act will relax current export controls on encryption
technologies so that U.S. companies can effectively compete in the
global marketplace. The bill will also prevent the government from
mandating risky and expensive ``key-recovery'' or ``key-escrow''
encryption systems domestically. It's a good bill, it has broad support
from the computer and communications industry, Internet users, and
privacy advocates from both the left and right of the political
spectrum.
  The Clinton Administration has expressed concerns about the impact
the e-Privacy Act would have on the legitimate needs of law enforcement
and national security. My colleagues and I do not take their concerns
lightly. Several provisions in the e-Privacy Act address the
Administration's valid concerns while at the same time freeing U.S.
companies to effectively compete in the global marketplace, and
ensuring that the American people can trust the Internet as a secure
means of commerce, education, and free expression of ideas.
  The e-Privacy Act would create a National Electronic Technology
Center (``NET Center'') to serve as a central point for information and
assistance to federal, state, and local law enforcement authorities to
address the technical difficulties of obtaining electronic information
because of encryption. National security and law enforcement would be
given seats at the table in making these determinations. Once again, I
am very sensitive to the legitimate needs of national security and law
enforcement, and I think the provisions made in the e-Privacy Act
address them.
  The e-Privacy Act also extends to citizens that same privacy rights
that they have in their homes to their digital property in cyberspace.
The bill would require a court order or subpoena to obtain either the
plaintext or decryption key from their parties. I believe that this is
the correct approach.
  Citizens are also specifically given the right to use whatever kind
of encryption software at whatever strength they choose. The bill
recognizes the folly of requiring the government to create procedures
to license ``key certificate authorities'' and ``key-recovery agents,''
as well as require the development of a massive and complicated
infrastructure to ensure that the government could recover the right
key out of the hundreds of millions of keys in real time.
  On many occasions, the world's leading cryptographers concluded that
building such a key recovery infrastructure would be prohibitively
expensive and would create a less secure network. The bill recognizes
that mandatory key escrow will never work, no one will use it and
certainly no criminals or other bad actors will use a system that is
immediately accessible by the government.
  I urge my colleagues to support the e-Privacy Act, which I feel is
the true compromise package. We all have the same goals in mind--
allowing for the

[[Page S4726]]

continued growth of high tech industries while not harming national
security. If we move forward with the compromise bill being offered
today, I am confident we can do both.
                                 ______


                          ____________________
