2 August 1999
Source: http://www.access.gpo.gov/su_docs/aces/aaces002.html

-----------------------------------------------------------------------

[DOCID: f:h2616ih.txt]

106th CONGRESS
  1st Session
                                H. R. 2616

To clarify the policy of the United States with respect to the use and
         export of encryption products, and for other purposes.

_______________________________________________________________________

                    IN THE HOUSE OF REPRESENTATIVES

                             July 27, 1999

Mr. Goss (for himself, Mr. Dixon, Mr. Lewis of California, Mr. Castle,
   Mr. Boehlert, Mr. Bass, Mr. Gibbons, Mr. LaHood, Mrs. Wilson, Mr.
 Bishop, Mr. Sisisky, Mr. Condit, Mr. Hastings of Florida, Mr. Gilman,
 Mr. Oxley, and Mr. Stearns) introduced the following bill; which was
  referred to the Committee on the Judiciary, and in addition to the
  Committees on International Relations, and Government Reform, for a
 period to be subsequently determined by the Speaker, in each case for
consideration of such provisions as fall within the jurisdiction of the
                          committee concerned

_______________________________________________________________________

                                 A BILL


To clarify the policy of the United States with respect to the use and
         export of encryption products, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Encryption for the
National Interest Act''.
    (b) Table of Contents.--The table of contents is as follows:

Sec. 1. Short title; table of contents.
Sec. 2. Statement of policy.
Sec. 3. Congressional findings.
                  TITLE I--DOMESTIC USES OF ENCRYPTION

Sec. 101. Definitions.
Sec. 102. Lawful use of encryption.
Sec. 103. Unlawful use of encryption.
                    TITLE II--GOVERNMENT PROCUREMENT

Sec. 201. Federal purchases of encryption products.
Sec. 202. Networks established with Federal funds.
Sec. 203. Government contract authority.
Sec. 204. Product labels.
Sec. 205. No private mandate.
Sec. 206. Exclusion.
                    TITLE III--EXPORTS OF ENCRYPTION

Sec. 301. Exports of encryption.
Sec. 302. License exception for certain encryption products.
Sec. 303. Discretionary authority.
Sec. 304. Expedited review authority.
Sec. 305. Encryption licenses required.
Sec. 306. Encryption Industry and Information Security Board.
                    TITLE IV--LIABILITY LIMITATIONS

Sec. 401. Compliance with court order.
Sec. 402. Compliance defense.
Sec. 403. Good faith defense.
                   TITLE V--INTERNATIONAL AGREEMENTS

Sec. 501. Sense of Congress.
Sec. 502. Failure to negotiate.
Sec. 503. Report to Congress.
                   TITLE VI--MISCELLANEOUS PROVISIONS

Sec. 601. Effect on law enforcement activities.
Sec. 602. Interpretation.
Sec. 603. FBI technical support.
Sec. 604. Severability.

SEC. 2. STATEMENT OF POLICY.

    It is the policy of the United States to protect public computer
networks through the use of strong encryption technology, to promote
the export of encryption products developed and manufactured in the
United States, and to preserve public safety and national security.

SEC. 3. CONGRESSIONAL FINDINGS.

    The Congress finds the following:
            (1) Information security technology, encryption, is--
                    (A) fundamental to secure the flow of intelligence
                information to national policy makers;
                    (B) critical to the President and national command
                authority of the United States;
                    (C) necessary to the Secretary of State for the
                development and execution of the foreign policy of the
                United States;
                    (D) essential to the Secretary of Defense's
                responsibilities to ensure the effectiveness of the
                Armed Forces of the United States;
                    (E) invaluable to the protection of the citizens of
                the United States from fraud, theft, drug trafficking,
                child pornography, kidnapping, and money laundering;
                and
                    (F) basic to the protection of the nation's
                critical infrastructures, including electrical grids,
                banking and financial systems, telecommunications,
                water supplies, and transportation.
            (2) The goal of any encryption legislation should be to
        enhance and promote the global market strength of United States
        encryption manufacturers, while guaranteeing that national
        security and public safety obligations of the Government can
        still be accomplished.
            (3) It is essential to the national security interests of
        the United States that United States encryption products
        dominate the global market.
            (4) Widespread use of unregulated encryption products poses
        a significant threat to the national security interests of the
        United States.
            (5) Leaving the national security and public safety
        responsibilities of the Government to the marketplace alone is
        not consistent with the obligations of the Government to
        protect the public safety and to defend the Nation.
            (6) In order for the United States position in the global
        market to benefit the national security interests of the United
        States, it is imperative that the export of encryption products
        be subject to a dynamic and constructive export control regime.
            (7) Export of commercial items are best managed through a
        regulatory structure which has flexibility to address
        constantly changing market conditions.
            (8) Managing sensitive dual-use technologies, such as
        encryption products, is challenging in any regulatory
        environment due to the difficulty in balancing competing
        interests in national security, public safety, privacy, fair
        competition within the industry, and the dynamic nature of the
        technology.
            (9) There is a widespread perception that the executive
        branch has not adequately balanced the equal and competing
        interests of national security, public safety, privacy, and
        industry.
            (10) There is a perception that the current encryption
        export control policy has done more to disadvantage United
        States business interests than to promote and protect national
        security and public safety interests.
            (11) A balance can and must be achieved between industry
        interests, national security, law enforcement requirements, and
        privacy needs.
            (12) A court order process should be required for access to
        plaintext, where and when available, and criminal and civil
        penalties should be imposed for misuse of decryption
        information.
            (13) Timely access to plaintext capability is--
                    (A) necessary to thwarting potential terrorist
                activities;
                    (B) extremely useful in the collection of foreign
                intelligence;
                    (C) indispensable to force protection requirements;
                    (D) critical to the investigation and prosecution
                of criminals; and
                    (E) both technically and economically possible.
            (14) The United States Government should encourage the
        development of those products that would provide a capability
        allowing law enforcement (Federal, State, and local), with a
        court order only, to gain timely access to the plaintext of
        either stored data or data in transit.
            (15) Unless law enforcement has the benefit of such market
        encouragement, drug traffickers, spies, child pornographers,
        pedophiles, kidnappers, terrorists, mobsters, weapons
        proliferators, fraud schemers, and other criminals will be able
        to use encryption software to protect their criminal activity
        and hinder the criminal justice system.
            (16) An effective regulatory approach to manage the
        proliferation of encryption products which have dual-use
        capabilities must be maintained and greater confidence in the
        ability of the executive branch to preserve and promote the
        competitive advantage of the United States encryption industry
        in the global market must be provided.

                  TITLE I--DOMESTIC USES OF ENCRYPTION

SEC. 101. DEFINITIONS.

    For purposes of this Act:
            (1) Attorney for the government.--The term ``attorney for
        the Government'' has the meaning given such term in Rule 54(c)
        of the Federal Rules of Criminal Procedure, and also includes
        any duly authorized attorney of a State who is authorized to
        prosecute criminal offenses within such State.
            (2) Authorized party.--The term ``authorized party'' means
        any person with the legal authority to obtain decryption
        information or plaintext of encrypted data, including
        communications.
            (3) Communications.--The term ``communications'' means any
        wire communications or electronic communications as those terms
        are defined in paragraphs (1) and (12) of section 2510 of title
        18, United States Code.
            (4) Court of competent jurisdiction.--The term ``court of
        competent jurisdiction'' means any court of the United States
        organized under Article III of the Constitution of the United
        States, the court organized under the Foreign Intelligence
        Surveillance Act of 1978 (50 U.S.C. 1801 et seq.), or a court
        of general criminal jurisdiction of a State authorized pursuant
        to the laws of such State to enter orders authorizing searches
        and seizures.
            (5) Data network service provider.--The term ``data network
        service provider'' means a person offering any service to the
        general public that provides the users thereof with the ability
        to transmit or receive data, including communications.
            (6) Decryption.--The term ``decryption'' means the
        retransformation or unscrambling of encrypted data, including
        communications, to its readable plaintext version. To
        ``decrypt'' data, including communications, is to perform
        decryption.
            (7) Decryption information.--The term ``decryption
        information'' means information or technology that enables one
        to readily retransform or unscramble encrypted data from its
        unreadable and incomprehensible format to its readable
        plaintext version.
            (8) Electronic storage.--The term ``electronic storage''
        has the meaning given that term in section 2510(17) of title
        18, United States Code.
            (9) Encryption.--The term ``encryption'' means the
        transformation or scrambling of data, including communications,
        from plaintext to an unreadable or incomprehensible format,
        regardless of the technique utilized for such transformation or
        scrambling and irrespective of the medium in which such data,
        including communications, occur or can be found, for the
        purposes of protecting the content of such data, including
        communications. To ``encrypt'' data, including communications,
        is to perform encryption.
            (10) Encryption product.--The term ``encryption product''
        means any software, technology, commodity, or mechanism, that
        can be used to encrypt or decrypt or has the capability of
        encrypting or decrypting any data, including communications.
            (11) Foreign availability.--The term ``foreign
        availability'' has the meaning applied to foreign availability
        of encryption products subject to controls under the Export
        Administration Regulations, as in effect on July 1, 1999.
            (12) Government.--The term ``Government'' means the
        Government of the United States and any agency or
        instrumentality thereof, or the government of any State, and
        any of its political subdivisions.
            (13) Investigative or law enforcement officer.--The term
        ``investigative or law enforcement officer'' has the meaning
        given that term in section 2510(7) of title 18, United States
        Code.
            (14) National security.--The term ``national security''
        means the national defense, intelligence, or foreign policy
        interests of the United States.
            (15) Plaintext.--The term ``plaintext'' means the readable
        or comprehensible format of that data, including
        communications, which has been encrypted.
            (16) Plainvoice.--The term ``plainvoice'' means
        communication specific plaintext.
            (17) Secretary.--The term ``Secretary'' means the Secretary
        of Commerce, unless otherwise specifically identified.
            (18) State.--The term ``State'' has the meaning given that
        term in section 2510(3) of title 18, United States Code.
            (19) Telecommunications carrier.--The term
        ``telecommunications carrier'' has the meaning given that term
in section 3 of the Communications Act of 1934 (47 U.S.C. 153).
            (20) Telecommunications system.--The term
        ``telecommunications system'' means any equipment, technology,
        or related software used in the movement, switching,
        interchange, transmission, reception, or internal signaling of
        data, including communications over wire, fiber optic, radio
        frequency, or any other medium.
            (21) United states person.--The term ``United States
        person'' means--
                    (A) any citizen of the United States;
                    (B) any other person organized under the laws of
                any State; and
                    (C) any person organized under the laws of any
                foreign country who is owned or controlled by
                individuals or persons described in subparagraphs (A)
                and (B).

SEC. 102. LAWFUL USE OF ENCRYPTION.

    Except as otherwise provided by this Act or otherwise provided by
law, it shall be lawful for any person within any State and for any
United States person to use any encryption product, regardless of
encryption algorithm selected, encryption bit length chosen, or
implementation technique or medium used.

SEC. 103. UNLAWFUL USE OF ENCRYPTION.

    (a) In General.--Part I of title 18, United States Code, is amended
by inserting after chapter 123 the following new chapter:

        ``CHAPTER 125--ENCRYPTED DATA, INCLUDING COMMUNICATIONS

``Sec.
``2801. Unlawful use of encryption in furtherance of a criminal act.
``2802. Privacy protection.
``2803. Court order access to plaintext or decryption information.
``2804. Notification procedures.
``2805. Lawful use of plaintext or decryption information.
``2806. Identification of decryption information.
``2807. Definitions.
``Sec. 2801. Unlawful use of encryption in furtherance of a criminal
              act
    ``(a) Prohibited Acts.--Whoever knowingly uses encryption in
furtherance of the commission of a criminal offense for which the
person may be prosecuted in a district court of the United States
shall--
            ``(1) in the case of a first offense under this section, be
        imprisoned for not more than 5 years, or fined under this
        title, or both; and
            ``(2) in the case of a second or subsequent offense under
        this section, be imprisoned for not more than 10 years, or
        fined under this title, or both.
    ``(b) Consecutive Sentence.--Notwithstanding any other provision of
law, the court shall not place on probation any person convicted of a
violation of this section, nor shall the term of imprisonment imposed
under this section run concurrently with any other term of imprisonment
imposed for the underlying criminal offense.
    ``(c) Probable Cause Not Constituted by Use of Encryption.--The use
of encryption by itself shall not establish probable cause to believe
that a crime is being or has been committed.
``Sec. 2802. Privacy protection
    ``(a) In General.--It shall be unlawful for any person to
intentionally--
            ``(1) obtain or use decryption information without lawful
        authority for the purpose of decrypting data, including
        communications;
            ``(2) exceed lawful authority in decrypting data, including
        communications;
            ``(3) break the encryption code of another person without
        lawful authority for the purpose of violating the privacy or
        security of that person or depriving that person of any
        property rights;
            ``(4) impersonate another person for the purpose of
        obtaining decryption information of that person without lawful
        authority;
            ``(5) facilitate or assist in the encryption of data,
        including communications, knowing that such data, including
        communications, are to be used in furtherance of a crime; or
            ``(6) disclose decryption information in violation of a
        provision of this chapter.
    ``(b) Criminal Penalty.--Whoever violates this section shall be
imprisoned for not more than 10 years, or fined under this title, or
both.
``Sec. 2803. Court order access to plaintext or decryption information
    ``(a) Court Order.--(1) A court of competent jurisdiction shall
issue an order, ex parte, granting an investigative or law enforcement
officer timely access to the plaintext of encrypted data, including
communications, or requiring any person in possession of decryption
information to provide such information to a duly authorized
investigative or law enforcement officer--
            ``(A) upon the application by an attorney for the
        Government that--
                    ``(i) is made under oath or affirmation by the
                attorney for the Government; and
                    ``(ii) provides a factual basis establishing the
                relevance that the plaintext or decryption information
                being sought has to a law enforcement, foreign
                counterintelligence, or international terrorism
                investigation then being conducted pursuant to lawful
                authorities; and
            ``(B) if the court finds, in writing, that the plaintext or
        decryption information being sought is relevant to an ongoing
        lawful law enforcement, foreign counterintelligence, or
        international terrorism investigation and the investigative or
        law enforcement officer is entitled to such plaintext or
        decryption information.
    ``(2) The order issued by the court under this section shall be
placed under seal, except that a copy may be made available to the
investigative or law enforcement officer authorized to obtain access to
the plaintext of the encrypted information, or authorized to obtain the
decryption information sought in the application. Such order shall,
subject to the notification procedures set forth in section 2804, also
be made available to the person responsible for providing the plaintext
or the decryption information, pursuant to such order, to the
investigative or law enforcement officer.
    ``(3) Disclosure of an application made, or order issued, under
this section, is not authorized, except as may otherwise be
specifically permitted by this section or another order of the court.
    ``(b) Record of Access Required.--(1) There shall be created an
electronic record, or similar type record, of each instance in which an
investigative or law enforcement officer, pursuant to an order under
this section, gains access to the plaintext of otherwise encrypted
information, or is provided decryption information, without the
knowledge or consent of the owner of the data, including
communications, who is the user of the encryption product involved.
    ``(2) The court issuing the order under this section may require
that the electronic or similar type of record described in paragraph
(1) is maintained in a place and a manner that is not within the
custody or control of an investigative or law enforcement officer
gaining the access or provided the decryption information. The record
shall be tendered to the court, upon notice from the court.
    ``(3) The court receiving such electronic or similar type of record
described in paragraph (1) shall make the original and a certified copy
of the record available to the attorney for the Government making
application under this section, and to the attorney for, or directly
to, the owner of the data, including communications, who is the user of
the encryption product, pursuant to the notification procedures set
forth in section 2804.
    ``(c) Authority To Intercept Communications Not Increased.--Nothing
in this chapter shall be construed to enlarge or modify the
circumstances or procedures under which a Government entity is entitled
to intercept or obtain oral, wire, or electronic communications or
information.
    ``(d) Construction.--This chapter shall be strictly construed to
apply only to a Government entity's ability to decrypt data, including
communications, for which it has previously obtained lawful authority
to intercept or obtain pursuant to other lawful authorities, which
without an order issued under this section would otherwise remain
encrypted.
``Sec. 2804. Notification procedures
    ``(a) In General.--Within a reasonable time, but not later than 90
days after the filing of an application for an order under section 2803
which is granted, the court shall cause to be served, on the persons
named in the order or the application, and such other parties whose
decryption information or whose plaintext has been provided to an
investigative or law enforcement officer pursuant to this chapter, as
the court may determine is in the interest of justice, an inventory
which shall include notice of--
            ``(1) the fact of the entry of the order or the
        application;
            ``(2) the date of the entry of the application and issuance
        of the order; and
            ``(3) the fact that the person's decryption information or
        plaintext data, including communications, has been provided or
        accessed by an investigative or law enforcement officer.
The court, upon the filing of a motion, may make available to that
person or that person's counsel, for inspection, such portions of the
plaintext, applications, and orders as the court determines to be in
the interest of justice.
    ``(b) Postponement of Inventory for Good Cause.--(1) On an ex parte
showing of good cause by an attorney for the Government to a court of
competent jurisdiction, the serving of the inventory required by
subsection (a) may be postponed for an additional 30 days after the
granting of an order pursuant to the ex parte motion.
    ``(2) No more than 3 ex parte motions pursuant to paragraph (1) are
authorized.
    ``(c) Admission Into Evidence.--The content of any encrypted
information that has been obtained pursuant to this chapter or evidence
derived therefrom shall not be received in evidence or otherwise
disclosed in any trial, hearing, or other proceeding in a Federal or
State court, other than the court organized pursuant to the Foreign
Intelligence Surveillance Act of 1978, unless each party, not less than
10 days before the trial, hearing, or proceeding, has been furnished
with a copy of the order, and accompanying application, under which the
decryption or access to plaintext was authorized or approved. This 10-
day period may be waived by the court if the court finds that it was
not possible to furnish the party with the information described in the
preceding sentence within 10 days before the trial, hearing, or
proceeding and that the party will not be prejudiced by the delay in
receiving such information.
    ``(d) Construction.--The provisions of this chapter shall be
construed consistent with--
            ``(1) the Classified Information Procedures Act (18 U.S.C.
        App.); and
            ``(2) the Foreign Intelligence Surveillance Act of 1978 (50
        U.S.C. 1801 et seq.).
    ``(e) Contempt.--Any violation of the provisions of this section
may be punished by the court as a contempt thereof.
    ``(f) Motion To Suppress.--Any aggrieved person in any trial,
hearing, or proceeding in or before any court, department, officer,
agency, regulatory body, or other authority of the United States or a
State, other than the court organized pursuant to the Foreign
Intelligence Surveillance Act of 1978, may move to suppress the
contents of any decrypted data, including communications, obtained
pursuant to this chapter, or evidence derived therefrom, on the grounds
that--
            ``(1) the plaintext was decrypted or accessed in violation
        of this chapter;
            ``(2) the order of authorization or approval under which it
        was decrypted or accessed is insufficient on its face; or
            ``(3) the decryption was not made in conformity with the
        order of authorization or approval.
Such motion shall be made before the trial, hearing, or proceeding
unless there was no opportunity to make such motion, or the person was
not aware of the grounds of the motion. If the motion is granted, the
plaintext of the decrypted data, including communications, or evidence
derived therefrom, shall be treated as having been obtained in
violation of this chapter. The court, upon the filing of such motion by
the aggrieved person, may make available to the aggrieved person or
that person's counsel for inspection such portions of the decrypted
plaintext, or evidence derived therefrom, as the court determines to be
in the interests of justice.
    ``(g) Appeal by United States.--In addition to any other right to
appeal, the United States shall have the right to appeal from an order
granting a motion to suppress made under subsection (f), or the denial
of an application for an order under section 2803, if the attorney for
the Government certifies to the court or other official granting such
motion or denying such application that the appeal is not taken for
purposes of delay. Such appeal shall be taken within 30 days after the
date the order was entered on the docket and shall be diligently
prosecuted.
    ``(h) Civil Action for Violation.--Except as otherwise provided in
this chapter, any person described in subsection (i) may, in a civil
action, recover from the United States Government the actual damages
suffered by the person as a result of a violation described in that
subsection, reasonable attorney's fees, and other litigation costs
reasonably incurred in prosecuting such claim.
    ``(i) Covered Persons.--Subsection (h) applies to any person whose
decryption information--
            ``(1) is knowingly obtained without lawful authority by an
        investigative or law enforcement officer;
            ``(2) is obtained by an investigative or law enforcement
        officer with lawful authority and is knowingly used or
        disclosed by such officer unlawfully; or
            ``(3) is obtained by an investigative or law enforcement
        officer with lawful authority and whose decryption information
        is unlawfully used to disclose the plaintext of the data,
        including communications.
    ``(j) Limitation.--A civil action under subsection (h) shall be
commenced not later than 2 years after the date on which the unlawful
action took place, or 2 years after the date on which the claimant
first discovers the violation, whichever is later.
    ``(k) Exclusive Remedies.--The remedies and sanctions described in
this chapter with respect to the decryption of data, including
communications, are the only judicial remedies and sanctions for
violations of this chapter involving such decryptions, other than
violations based on the deprivation of any rights, privileges, or
immunities secured by the Constitution.
    ``(l) Technical Assistance by Providers.--A provider of encryption
technology or network service that has received an order issued by a
court pursuant to this chapter shall provide to the investigative or
law enforcement officer concerned such technical assistance as is
necessary to execute the order. Such provider may, however, move the
court to modify or quash the order on the ground that its assistance
with respect to the decryption or access to plaintext cannot be
performed in fact, or in a timely or reasonable fashion. The court,
upon notice to the Government, shall decide such motion expeditiously.
    ``(m) Reports to Congress.--In May of each year, the Attorney
General, or an Assistant Attorney General specifically designated by
the Attorney General, shall report in writing to Congress on the number
of applications made and orders entered authorizing Federal, State, and
local law enforcement access to decryption information for the purposes
of reading the plaintext of otherwise encrypted data, including
communications, pursuant to this chapter. Such reports shall be
submitted to the Committees on the Judiciary of the House of
Representatives and of the Senate, and to the Permanent Select
Committee on Intelligence for the House of Representatives and the
Select Committee on Intelligence for the Senate.
``Sec. 2805. Lawful use of plaintext or decryption information
    ``(a) Authorized Use of Decryption Information.--
            ``(1) Criminal investigations.--An investigative or law
        enforcement officer to whom plaintext or decryption information
        is provided may only use such plaintext or decryption
        information for the purposes of conducting a lawful criminal
        investigation, foreign counterintelligence, or international
        terrorism investigation, and for the purposes of preparing for
        and prosecuting any criminal violation of law.
            ``(2) Civil redress.--Any plaintext or decryption
        information provided under this chapter to an investigative or
        law enforcement officer may not be disclosed, except by court
        order, to any other person for use in a civil proceeding that
        is unrelated to a criminal investigation and prosecution for
        which the plaintext or decryption information is authorized
        under paragraph (1). Such order shall only issue upon a showing
        by the party seeking disclosure that there is no alternative
        means of obtaining the plaintext, or decryption information,
        being sought and the court also finds that the interests of
        justice would not be served by nondisclosure.
    ``(b) Limitation.--An investigative or law enforcement officer may
not use decryption information obtained under this chapter to determine
the plaintext of any data, including communications, unless it has
obtained lawful authority to obtain such data, including
communications, under other lawful authorities.
    ``(c) Return of Decryption Information.--An attorney for the
Government shall, upon the issuance of an order of a court of competent
jurisdiction--
            ``(1)(A) return any decryption information to the person
        responsible for providing it to an investigative or law
        enforcement officer pursuant to this chapter; or
            ``(B) destroy such decryption information, if the court
        finds that the interests of justice or public safety require
        that such decryption information should not be returned to the
        provider; and
            ``(2) within 10 days after execution of the court's order
        to return or destroy the decryption information--
                    ``(A) certify to the court that the decryption
                information has either been returned or destroyed
                consistent with the court's order; and
                    ``(B) if applicable, notify the provider of the
                decryption information of the destruction of such
                information.
    ``(d) Other Disclosure of Decryption Information.--Except as
otherwise provided in section 2803, decryption information or the
plaintext of otherwise encrypted data, including communications, shall
not be disclosed by any person unless the disclosure is--
            ``(1) to the person encrypting the data, including
        communications, or an authorized agent thereof;
            ``(2) with the consent of the person encrypting the data,
        including pursuant to a contract entered into with the person;
            ``(3) pursuant to a court order upon a showing of
        compelling need for the information that cannot be accommodated
        by any other means if--
                    ``(A) the person who supplied the information is
                given reasonable notice, by the person seeking the
                disclosure, of the court proceeding relevant to the
                issuance of the court order; and
                    ``(B) the person who supplied the information is
                afforded the opportunity to appear in the court
                proceeding and contest the claim of the person seeking
                the disclosure;
            ``(4) pursuant to a determination by a court of competent
        jurisdiction that another person is lawfully entitled to hold
        such decryption information, including determinations arising
        from legal proceedings associated with the incapacity, death,
        or dissolution of any person; or
            ``(5) otherwise permitted by law.
``Sec. 2806. Identification of decryption information
    ``(a) Identification.--To avoid inadvertent disclosure of
decryption information, any person who provides decryption information
to an investigative or law enforcement officer pursuant to this chapter
shall specifically identify that part of the material that discloses
decryption information as such.
    ``(b) Responsibility of Investigative or Law Enforcement Officer.--
The investigative or law enforcement officer receiving any decryption
information under this chapter shall maintain such information in a
facility and in a method so as to reasonably assure that inadvertent
disclosure does not occur.
``Sec. 2807. Definitions
    ``The definitions set forth in section 101 of the Encryption for
the National Interest Act shall apply to this chapter.''.
    (b) Conforming Amendment.--The table of chapters for part I of
title 18, United States Code, is amended by inserting after the item
relating to chapter 121 the following new item:

``125. Encrypted data, including communications.............    2801''.

                    TITLE II--GOVERNMENT PROCUREMENT

SEC. 201. FEDERAL PURCHASES OF ENCRYPTION PRODUCTS.

    (a) Decryption Capabilities.--The President may, consistent with
the provisions of subsection (b), direct that any encryption product or
service purchased or otherwise procured by the United States Government
to provide the security service of data confidentiality for a computer
system owned and operated by the United States Government shall include
recoverability features or functions that enable the timely decryption
of encrypted data, including communications, or timely access to
plaintext by an authorized party without the knowledge or cooperation
of the person using such encryption products or services.
    (b) Consistency With Intelligence Services and Military
Operations.--The President shall ensure that all encryption products
purchased or used by the United States Government are supportive of,
and consistent with, all statutory obligations to protect sources and
methods of intelligence collection and activities, and supportive of,
and consistent with, those needs required for military operations and
the conduct of foreign policy.

SEC. 202. NETWORKS ESTABLISHED WITH FEDERAL FUNDS.

    The President may direct that any communications network
established for the purpose of conducting the business of the Federal
Government shall use encryption products that--
            (1) include features and functions that enable the timely
        decryption of encrypted data, including communications, or
        timely access to plaintext, by an authorized party without the
        knowledge or cooperation of the person using such encryption
        products or services; and
            (2) are supportive of, and consistent with, all statutory
        obligations to protect sources and methods of intelligence
        collection and activities, and supportive of, and consistent
        with, those needs required for military operations and the
        conduct of foreign policy.

SEC. 203. GOVERNMENT CONTRACT AUTHORITY.

    The President may require as a condition of any contract by the
Government with a private sector vendor that any encryption product
used by the vendor in carrying out the provisions of the contract with
the Government include features and functions that enable the timely
decryption of encrypted data, including communications, or timely
access to plaintext, by an authorized party without the knowledge or
cooperation of the person using such encryption products or services.

SEC. 204. PRODUCT LABELS.

    An encryption product may be labeled to inform Government users
that the product is authorized for sale to or for use by Government
agencies or Government contractors in transactions and communications
with the United States Government under this title.

SEC. 205. NO PRIVATE MANDATE.

    The United States Government may not require the use of encryption
standards for the private sector except as otherwise authorized by
section 204.

SEC. 206. EXCLUSION.

    Nothing in this title shall apply to encryption products and
services used solely for access control, authentication, integrity,
nonrepudiation, digital signatures, or other similar purposes.

                    TITLE III--EXPORTS OF ENCRYPTION

SEC. 301. EXPORTS OF ENCRYPTION.

    (a) Authority To Control Exports.--The President shall control the
export of all dual-use encryption products.
    (b) Authority To Deny Export for National Security Reasons.--
Notwithstanding any provision of this title, the President may deny the
export of any encryption product on the basis that its export is
contrary to the national security.
    (c) Decisions Not Subject to Judicial Review.--Any decision made by
the President or his designee with respect to the export of encryption
products under this title shall not be subject to judicial review.

SEC. 302. LICENSE EXCEPTION FOR CERTAIN ENCRYPTION PRODUCTS.

    (a) License Exception.--Upon the enactment of this Act, any
encryption product with an encryption strength of 64 bits or less shall
be eligible for export under a license exception if--
            (1) such encryption product is submitted for a 1-time
        technical review;
            (2) such encryption product does not require licensing
        under otherwise applicable regulations;
            (3) such encryption product is not intended for a country,
        end user, or end use that is by regulation ineligible to
        receive such product, and the encryption product is otherwise
        qualified for export;
            (4) the exporter, within 180 days after the export of the
        product, submits a certification identifying--
                    (A) the intended end use of the product; and
                    (B) the name and address of the intended recipient
                of the product, where available;
            (5) the exporter, within 180 days of the export of the
        product, provides the names and addresses of its distribution
        chain partners; and
            (6) the exporter, at the time of submission of the product
        for technical review, provides proof that its distribution
        chain partners have contractually agreed to abide by all laws
        and regulations of the United States concerning the export and
        reexport of encryption products designed or manufactured within
        the United States.
    (b) One-Time Technical Review.--(1) The technical review referred
to in subsection (a) shall be completed within no longer than 45 days
after the submission of all of the information required under paragraph
(2).
    (2) The President shall specify the information that must be
submitted for the 1-time technical review referred to in this section.
    (3) An encryption product may not be exported during the technical
review of that product under this section.
    (c) Periodic Review of License Exception Eligibility Level.--(1)
Not later than 180 days after the date of the enactment of this Act,
the President shall notify the Congress of the maximum level of
encryption strength, which may not be lower than 64-bit, that may be
exported from the United States under license exception pursuant to
this section consistent with the national security.
    (2) The President shall, at the end of each successive 180-day
period after the notice provided to the Congress under paragraph (1),
notify the Congress of the maximum level of encryption strength, which
may not be lower than that in effect under this section during that
180-day period, that may be exported from the United States under a
license exception pursuant to this section consistent with the national
security.
    (d) Factors Not To Be Considered.--A license exception for the
exports of an encryption product under this section may be allowed
whether or not the product contains a method of decrypting encrypted
data.

SEC. 303. DISCRETIONARY AUTHORITY.

    Notwithstanding the requirements of section 305, the President may
permit the export, under a license exception pursuant to the conditions
of section 302, of encryption products with an encryption strength
exceeding the maximum level eligible for a license exception under
section 302, if the export is consistent with the national security.

SEC. 304. EXPEDITED REVIEW AUTHORITY.

    The President shall establish procedures for the expedited review
of commodity classification requests, or export license applications,
involving encryption products that are specifically approved, by
regulation, for export.

SEC. 305. ENCRYPTION LICENSES REQUIRED.

    (a) United States Products Exceeding Certain Bit Length.--Except as
permitted under section 303, in the case of all encryption products
with an encryption strength exceeding the maximum level eligible for a
license exception under section 302, which are designed or manufactured
within the United States, the President may grant a license for export
of such encryption products, under the following conditions:
            (1) There shall not be any requirement, as a basis for an
        export license, that a product contains a method of--
                    (A) gaining timely access to plaintext; or
                    (B) gaining timely access to decryption
                information.
            (2) The export license applicant shall submit--
                    (A) the product for technical review;
                    (B) a certification, under oath, identifying--
                            (i) the intended end use of the product;
                        and
                            (ii) the expected end user or class of end
                        users of the product;
                    (C) proof that its distribution chain partners have
                contractually agreed to abide by all laws and
                regulations of the United States concerning the export
                and reexport of encryption products designed or
                manufactured within the United States; and
                    (D) the names and addresses of its distribution
                chain partners.
    (b) Technical Review for License Applicants.--(1) The technical
review described in subsection (a)(3)(A) shall be completed within 45
days after the submission of all the information required under
paragraph (2).
    (2) The information to be submitted for the technical review shall
be the same as that required to be submitted pursuant to section
302(b)(2).
    (3) An encryption product may not be exported during the technical
review of that product under this section.
    (c) Post-Export Reporting.--
            (1) Unauthorized use.--All exporters of encryption products
        that are designed or manufactured within the United States
        shall submit a report to the Secretary at any time the exporter
        has reason to believe any such exported product is being
        diverted to a use or a user not approved at the time of export.
            (2) Pirating.--All exporters of encryption products that
        are designed or manufactured within the United States shall
        report any pirating of their technology or intellectual
        property to the Secretary as soon as practicable after
        discovery.
            (3) Distribution chain partners.--All exporters of
        encryption products that are designed or manufactured within
        the United States, and all distribution chain partners of such
        exporters, shall submit to the Secretary a report which shall
        specify--
                    (A) the particular product sold;
                    (B) the name and address of--
                            (i) the ultimate end user of the product,
                        if known; or
                            (ii) the name and address of the next
                        purchaser in the distribution chain; and
                    (C) the intended use of the product sold.
    (d) Exercise of Other Authorities.--The Secretary, the Secretary of
Defense, and the Secretary of State may exercise the authorities they
have under other provisions of law, including the Export Administration
Act of 1979, as continued in effect under the International Emergency
Economic Powers Act, to carry out this title.
    (e) Waiver Authority.--
            (1) In general.--The President may by Executive order waive
        any provision of this title, or the applicability of any such
        provision to a person or entity, if the President determines
        that the waiver is necessary to advance the national security.
        The President shall, not later than 15 days after making such
        determination, submit a report to the committees referred to in
        paragraph (2) that includes the factual basis upon which such
        determination was made. The report may be in classified format.
            (2) Committees.--The committees referred to in paragraph
        (1) are the Committee on International Relations, the Committee
        on Armed Services, and the Permanent Select Committee on
        Intelligence of the House of Representatives, and the Committee
        on Foreign Relations, the Committee on Armed Services, and the
        Select Committee on Intelligence of the Senate.
            (3) Decisions not subject to judicial review.--Any
        determination made by the President under this subsection shall
        not be subject to judicial review.

SEC. 306. ENCRYPTION INDUSTRY AND INFORMATION SECURITY BOARD.

    (a) Encryption Industry and Information Security Board
Established.--There is hereby established an Encryption Industry and
Information Security Board. The Board shall undertake an advisory role
for the President.
    (b) Purposes.--The purposes of the Board are--
            (1) to provide a forum to foster communication and
        coordination between industry and the Federal Government on
        matters relating to the use of encryption products;
            (2) to enable the United States to effectively and
        continually understand the benefits and risks to its national
        security, law enforcement, and public safety interests by
        virtue of the proliferation of strong encryption on the global
        market;
            (3) to evaluate and make recommendations regarding the
        further development and use of encryption;
            (4) to advance the development of international standards
        regarding interoperability and global use of encryption
        products;
            (5) to promote the export of encryption products
        manufactured in the United States;
            (6) to recommend policies enhancing the security of public
        networks;
            (7) to encourage research and development of products that
        will foster electronic commerce;
            (8) to promote the protection of intellectual property and
        privacy rights of individuals using public networks; and
            (9) to evaluate the availability and market share of
        foreign encryption products and their threat to United States
        industry.
    (c) Membership.--(1) The Board shall be composed of 12 members, as
follows:
            (A) The Secretary, or the Secretary's designee.
            (B) The Attorney General, or his or her designee.
            (C) The Secretary of Defense, or the Secretary's designee.
            (D) The Director of Central Intelligence, or his or her
        designee.
            (E) The Director of the Federal Bureau of Investigation, or
        his or her designee.
            (F) The Special Assistant to the President for National
        Security Affairs, or his or her designee, who shall chair the
        Board.
            (G) Six representatives from the private sector who have
        expertise in the development, operation, marketing, law, or
        public policy relating to information security or technology.
        Members under this subparagraph shall each serve for 5-year
        terms.
    (2) The six private sector representatives described in paragraph
(1)(G) shall be appointed as follows:
                    (A) Two by the Speaker of the House of
                Representatives.
                    (B) One by the Minority Leader of the House of
                Representatives.
                    (C) Two by the Majority Leader of the Senate.
                    (D) One by the Minority Leader of the Senate.
    (e) Meetings.--The Board shall meet at such times and in such
places as the Secretary may prescribe, but not less frequently than
every four months. The Federal Advisory Committee Act (5 U.S.C. App.)
does not apply to the Board or to meetings held by the Board under this
section.
    (f) Findings and Recommendations.--The chair of the Board shall
convey the findings and recommendations of the Board to the President
and to the Congress within 30 days after each meeting of the Board. The
recommendations of the Board are not binding upon the President.
    (g) Limitation.--The Board shall have no authority to review any
export determination made pursuant to this title.
    (h) Foreign Availability.--The consideration of foreign
availability by the Board shall include computer software that is
distributed over the Internet or advertised for sale, license, or
transfer, including over-the-counter retail sales, mail order
transactions, telephone order transactions, electronic distribution, or
sale on approval and its comparability with United States products and
its use in United States and foreign markets.
    (i) Termination.--This section shall cease to be effective 10 years
after the date of the enactment of this Act.

                    TITLE IV--LIABILITY LIMITATIONS

SEC. 401. COMPLIANCE WITH COURT ORDER.

    (a) No Liability for Compliance.--Subject to subsection (b), no
civil or criminal liability under this Act, or under any other
provision of law, shall attach to any person for disclosing or
providing--
            (1) the plaintext of encrypted data, including
        communications;
            (2) the decryption information of such encrypted data,
        including communications; or
            (3) technical assistance for access to the plaintext of, or
        decryption information for, encrypted data, including
        communications.
    (b) Exception.--Subsection (a) shall not apply to a person who
provides plaintext or decryption information to another in violation of
the provisions of this Act.

SEC. 402. COMPLIANCE DEFENSE.

    Compliance with the provisions of sections 2803, 2804, 2805, or
2806 of title 18, United States Code, as added by section 103(a) of
this Act, or any regulations authorized by this Act, shall provide a
complete defense for any civil action for damages based upon activities
covered by this Act, other than an action founded on contract.

SEC. 403. GOOD FAITH DEFENSE.

    An objectively reasonable reliance on the legal authority provided
by this Act and the amendments made by this Act, authorizing access to
the plaintext of otherwise encrypted data, including communications, or
to decryption information that will allow the timely decryption of
data, including communications, that is otherwise encrypted, shall be
an affirmative defense to any criminal or civil action that may be
brought under the laws of the United States or any State.

                   TITLE V--INTERNATIONAL AGREEMENTS

SEC. 501. SENSE OF CONGRESS.

    It is the sense of Congress that--
            (1) the President should conduct negotiations with foreign
        governments for the purposes of establishing binding export
        control requirements on strong nonrecoverable encryption
        products; and
            (2) such agreements should safeguard the privacy of the
        citizens of the United States, prevent economic espionage, and
        enhance the information security needs of the United States.

SEC. 502. FAILURE TO NEGOTIATE.

    The President may consider a government's refusal to negotiate
agreements described in section 501 when considering the participation
of the United States in any cooperation or assistance program with that
country.

SEC. 503. REPORT TO CONGRESS.

    (a) Report to Congress.--The President shall report annually to the
Congress on the status of the international effort outlined by section
501.
    (b) First Report.--The first report required under subsection (a)
shall be submitted in unclassified form no later than September 1,
2000.

                   TITLE VI--MISCELLANEOUS PROVISIONS

SEC. 601. EFFECT ON LAW ENFORCEMENT ACTIVITIES.

    (a) Collection of Information by Attorney General.--The Attorney
General shall compile, and maintain in classified form, data on--
            (1) the instances in which encryption has interfered with,
        impeded, or obstructed the ability of the Department of Justice
        to enforce the laws of the United States; and
            (2) the instances where the Department of Justice has been
        successful in overcoming any encryption encountered in an
        investigation.
    (b) Availability of Information to the Congress.--The information
compiled under subsection (a), including an unclassified summary
thereof, shall be submitted to Congress annually beginning October 1,
2000.

SEC. 602. INTERPRETATION.

    Nothing contained in this Act or the amendments made by this Act
shall be deemed to--
            (1) preempt or otherwise affect the application of the Arms
        Export Control Act (22 U.S.C. 2751 et seq.), the Export
        Administration Act of 1979 (50 U.S.C. App. 2401 et seq.), or
        the International Emergency Economic Powers Act (50 U.S.C. 1701
        et seq.) or any regulations promulgated thereunder;
            (2) affect foreign intelligence activities of the United
        States; or
            (3) negate or diminish any intellectual property
        protections under the laws of the United States or of any
        State.

SEC. 603. FBI TECHNICAL SUPPORT.

    There are authorized to be appropriated for the Technical Support
Center in the Federal Bureau of Investigation, established pursuant to
section 811(a)(1) of the Antiterrorism and Effective Death Penalty Act
of 1996 (Public Law 104-132)--
            (1) $25,000,000 for fiscal year 2000 for building and
        personnel costs;
            (2) $20,000,000 for fiscal year 2001 for personnel and
        equipment costs;
            (3) $15,000,000 for fiscal year 2002; and
            (4) $15,000,000 for fiscal year 2003.

SEC. 604. SEVERABILITY.

    If any provision of this Act or the amendments made by this Act, or
the application thereof, to any person or circumstances is held invalid
by a court of the United States, the remainder of this Act or such
amendments, and the application thereof, to other persons or
circumstances shall not be affected thereby.
                                 <all>
