

7 May 1999


See parts 2, 3, 4 and 5:
http://jya.com/hr106-117-p2.htm
http://jya.com/hr106-117-p3.htm
http://jya.com/hr106-117-p4.htm
http://jya.com/hr106-117-p5.htm

Source: http://www.access.gpo.gov/su_docs/aces/fr-cont.html

-----------------------------------------------------------------------


[DOCID: f:hr117p1.106]
From the House Reports Online via GPO Access
[wais.access.gpo.gov]


106th Congress                                            Rept. 106-117
  1st Session           HOUSE OF REPRESENTATIVES              Part 1


=======================================================================




           SECURITY AND FREEDOM THROUGH ENCRYPTION (SAFE) ACT


                                _______




                 April 27, 1999.--Ordered to be printed


                                _______




Mr. Coble, from the Committee on the Judiciary, submitted the following


                              R E P O R T


                             together with


                            ADDITIONAL VIEWS


                        [To accompany H.R. 850]


      [Including cost estimate of the Congressional Budget Office]


  The Committee on the Judiciary, to whom was referred the bill
(H.R. 850) to amend title 18, United States Code, to affirm the
rights of United States persons to use and sell encryption and
to relax export controls on encryption, having considered the
same, report favorably thereon without amendment and recommend
that the bill do pass.


                                CONTENTS


Purpose and Summary
Background and Need for Legislation
 I. Background
        A. What is Encryption?
        B. Issues in the Encryption Debate
          1. Arguments Relating to the Domestic Use of Encryption
          2. The White House Initiative
          3. Arguments Relating to Export Controls on Encryption
              Products
          4. Recent Litigation
II. Need for Legislation
        A. Sections 2 and 4--Domestic Use of Encryption
        B. Section 3--Export Controls
Hearings
Committee Consideration
Vote of the Committee
Committee Oversight Findings
Committee on Government Reform Findings
New Budget Authority and Tax Expenditures
Congressional Budget Office Cost Estimate
Constitutional Authority Statement
Section-by-Section Analysis
Agency Views
Changes in Existing Law Made by the Bill, as Reported
Additional Views


                          Purpose and Summary


    The widespread use of strong encryption to encode digital
communications will prevent crime, economic espionage, and
information warfare. Unfortunately, this country's current
encryption policy discourages the use of encryption. H.R. 850,
the ``Security and Freedom Through Encryption (SAFE) Act,''
makes a series of changes to U.S. encryption policy which will
facilitate the use of encryption.
    Current policy does not restrict the domestic use, sale, or
import of encryption. Section 2 of H.R. 850 generally codifies
that policy by affirmatively prohibiting restrictions on the
domestic use and sale of encryption. It also prohibits the
government from imposing a mandatory key escrow system,
allowing voluntary systems to develop in the marketplace, and
provides criminal penalties for the knowing and willful use of
encryption to avoid detection of other federal felonies.
    At the same time, however, the export of strong encryption
products is tightly restricted under the export control laws.
Section 3 of H.R. 850 significantly relaxes those export
controls. In addition, section 4 requires that the Attorney
General compile statistics on instances in which these new
policies may interfere with the enforcement of federal criminal
laws.


                Background and Need for the Legislation


I. Background


            A. What is Encryption?
    Encryption is the process of encoding data or
communications in a form that only the intended recipient can
understand. Until fairly recently, society generally considered
encryption to be the exclusive domain of national security and
law enforcement agencies. However, with the advent of computers
and digital electronic communications, encryption's importance
to persons and companies in the private sector has increased
because they want to transmit data securely. Many people feel
that the Internet has not succeeded as a commercial medium as
well as it might because those who want to use it do not feel
the data transmitted is secure. For example, people do not want
to transmit their credit card numbers when hackers may steal
those numbers.
    To understand the issues involved, one must understand some
basic terminology. In the digital world, data are communicated
in a string of ones and zeroes that computers understand, but
the average person does not. An encryption scheme converts ones
to zeroes and zeroes to ones according to an algorithm or
mathematical formula. The intended recipient knows the formula
or ``key'' which he uses to decode the encrypted data.
    The complexity and quality of an encryption scheme
determines how difficult it is to break the code and therefore
how well the scheme protects the data. One factor determining
the complexity of the encryption scheme is the length of the
key. The length of the key is usually expressed as a number
known as the ``bit length.'' A bit is one digit in the key. A
bit length of 40 is considered relatively weak, whereas a bit
length of 128 is considered very strong.
    However, a bit length of 40 is not 3.2 times weaker than a
bit length of 128 because this is an exponential scale, not an
arithmetic one. A bit length of 40 has 2^40 possible keys,
whereas a bit length of 128 has 2^128 possible keys. To give
some practical sense of the difference, one researcher
estimated that a relatively inexpensive computer attempting a
``brute force'' effort to decode--i.e. simply trying all the
mathematical possibilities--could on average decode a 40-bit
scheme in a few seconds, whereas a 128-bit scheme would on
average take millions of years. Although there is no assurance
that this estimate is accurate, it does give a general sense of
the exponential differences in complexity that flow from an
increase in bit length.
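
    Added example, not part of the Committee report: the key-length
comparison above, worked in code. It recovers a deliberately tiny
16-bit key by exhaustive search, then scales the measured search rate
to 40, 56 and 128 bits. The toy cipher (a SHA-256 keystream XORed with
the data), the function names and the sample message are assumptions
made for illustration only.

```python
"""Key length versus brute-force work: a constructed teaching example."""
import hashlib
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed sample data. The key is only 16 bits so the search ends quickly.
SAMPLE_KEY_BITS = 16
SAMPLE_KEY = 0xBEEF
SAMPLE_MESSAGE = b"CARD 0000-0000-0000-0000 (constructed sample)"


def keystream(key: int, bits: int, length: int) -> bytes:
    """Expand an integer key of `bits` bits into `length` keystream bytes."""
    key_bytes = key.to_bytes((bits + 7) // 8, "big")
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key_bytes + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: int, bits: int, data: bytes) -> bytes:
    """Flip the bits of `data` selected by the keystream (encrypts and decrypts)."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, bits, len(data))))


def brute_force(ciphertext: bytes, known_prefix: bytes, bits: int):
    """Try every key in order; return (key, trials) once the prefix decrypts."""
    n = len(known_prefix)
    for candidate in range(1 << bits):
        if xor_crypt(candidate, bits, ciphertext[:n]) == known_prefix:
            return candidate, candidate + 1
    return None, 1 << bits


def average_trials(bits: int) -> int:
    """On average a search succeeds after about half the keyspace: 2^(bits-1)."""
    return 1 << (bits - 1)


def work_factor(weak_bits: int, strong_bits: int) -> int:
    """How many times more keys the longer key length has than the shorter one."""
    return 1 << (strong_bits - weak_bits)


def years_to_search(bits: int, keys_per_second: float) -> float:
    """Average years to find a key of `bits` bits at the given trial rate."""
    return average_trials(bits) / keys_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    ciphertext = xor_crypt(SAMPLE_KEY, SAMPLE_KEY_BITS, SAMPLE_MESSAGE)

    # Measure this machine's trial rate on the toy cipher.
    start = time.perf_counter()
    found, trials = brute_force(ciphertext, SAMPLE_MESSAGE[:8], SAMPLE_KEY_BITS)
    rate = trials / (time.perf_counter() - start)

    print(f"16-bit key {found:#06x} found after {trials} trials "
          f"({rate:,.0f} keys/second on this machine)")
    print(f"naive ratio 128/40 = {128 / 40}, "
          f"actual ratio = 2^88 = {work_factor(40, 128):.3e}")
    for bits in (40, 56, 128):
        print(f"{bits:>3}-bit key: about {years_to_search(bits, rate):.3e} "
              f"years on average at the measured rate")
```

    The absolute times depend entirely on the measured rate and on the
toy cipher; the ratios between key lengths do not.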
            B. Issues in the Encryption Debate
    The encryption debate encompasses two main issues. The
first issue is whether the domestic use and sale of encryption
products should be restricted, and in particular, whether
domestic users should be required to place their keys in escrow
with the government or some other neutral third party, e.g. an
existing computer company or an entity created solely for the
purpose of holding keys. Current law does not have any such
restrictions.
    The second issue is whether the export of encryption
products should be restricted. As discussed in more detail
below, current law regulates the export of encryption products
under two statutes: (1) the Arms Export Control Act (``AECA''),
22 U.S.C. Sec. 2751 et seq., and its accompanying International
Trafficking in Arms Regulations (``ITAR''), 22 C.F.R. Sec. 120
et seq., and (2) the Export Administration Act (``EAA''), 50
U.S.C. App. Sec. 2401 et seq., and its accompanying Export
Administration Regulations (``EAR''), 15 C.F.R. Sec. 730 et
seq. Although the EAA expired in 1994, President Clinton kept
its provisions in force by invoking his powers under the
International Emergency Economic Powers Act, 50 U.S.C.
Sec. 1701 et seq. Executive Order 12924 (August 19, 1994); 59
Fed. Reg. 43437 (August 23, 1994).
            1. Arguments Relating to the Domestic Use of Encryption
    Law enforcement and national security agencies believe that
they need some form of key escrow system to maintain their
ability to perform legitimate wiretaps and to read computer data
seized through lawful means. They have argued that widespread use of
strong encryption without key escrow would end the use of wiretapping
as a tool for fighting crime. For example, they have argued that
instances occur when law enforcement agencies learn in the course of a
wiretap that someone is about to commit a serious crime. If strong
encryption prevented a contemporaneous understanding of this
information, the agencies would not be able to prevent the crime.
Likewise, if strong encryption prevented the reading of lawfully seized
computer data, it could unreasonably delay criminal investigations.
They further have argued that a key escrow system would have the
salutary side effect of providing a backup for those users who might
lose their keys. Although they contend that they only favor a voluntary
key escrow system, many believe that the use of export controls as
leverage to encourage the use of a key escrow system effectively
amounts to making such a system mandatory.
    The computer industry, the American business community, and
privacy groups vehemently oppose any mandatory key escrow
system. They argue that a mandatory system would unnecessarily
invade the privacy of users and that the market should develop
any voluntary key escrow system. They believe that law
enforcement can gain access to keys through traditional means
for obtaining evidence and that those with criminal intent will
not use key escrow products, thus defeating the purpose of the
Administration's policy. They argue that our law and tradition
do not require private citizens to take positive action to
assist the government in surveilling them in any other
instance.
    Moreover, they contend that private citizens should not be
required to give access to their most precious assets to anyone
else regardless of whether it is the government or a third
party. In the digital age, information is often the most
valuable property that a company owns. They further argue that
the good that widespread use of encryption can do in preventing
crime far outweighs the harm done by the relatively few
instances in which the use of encryption hampers law
enforcement.
            2. The White House Initiative
    Until 1996, encryption products were treated as munitions
for export purposes. The State Department has jurisdiction over
the export of munitions under AECA and ITAR, and it had, as a
matter of practice, generally only allowed the export of
encryption products with bit lengths of 40 or less. The State
Department treated these relatively weak encryption products as
non-defense products subject to the jurisdiction of the
Department of Commerce under the Export Administration Act, 50
U.S.C. App. Sec. 2401 et seq. Beyond that level, any export of
encryption products required a special license.
    On October 1, 1996, Vice President Gore announced the
Administration's intention to develop a new policy on the
export of encryption products. The Vice President's
announcement stated in part:


          Under this initiative, the export of 56-bit key
        length encryption products will be permitted under a
        general license after one-time review, and contingent
        upon industry commitments to build and market future
        products that support key recovery. This policy will
        apply to hardware and software products. The relaxation
        of controls will last up to two years.
          Exporters of 56-bit DES or equivalent encryption
        products would make commitments to develop and sell
        products that support the key recovery system that I
        announced in July. That vision presumes that a trusted
        party (in some cases internal to the user's
        organization) would recover the user's confidentiality
        key for the user or for law enforcement officials
        acting under proper authority. Access to keys would be
        provided in accordance with destination country
        policies and bilateral understandings. No key length
        limits or algorithm restrictions will apply to exported
        key recovery products.
          Under the relaxation, six-month general export
        licenses will be issued after one-time review,
        contingent on commitments from exporters to explicit
        benchmarks and milestones for developing and
        incorporating key recovery features into their products
        and services, and for building the supporting
        infrastructure internationally. Initial approval will
        be contingent on firms providing a plan for
        implementing key recovery. The plan will explain in
        detail the steps the applicant will take to develop,
        produce, distribute, and/or market encryption products
        with key recovery features. The specific commitments
        will depend on the applicant's line of business.
          The government will renew the licenses for additional
        six-month periods if milestones are met. Two years from
        now, the export of 56-bit products that do not support
        key recovery will no longer be permitted. Currently
        exportable 40-bit mass market software products will
        continue to be exportable. We will continue to support
        financial institutions in their efforts to assure the
        recovery of encrypted financial information. Longer key
        lengths will continue to be approved for products
        dedicated to the support of financial applications.


Statement of the Vice President dated October 1, 1996 (emphasis
added).
    On November 15, 1996, President Clinton issued Executive
Order 13026, 61 Fed. Reg. 58767 (November 19, 1996), and an
accompanying Presidential Memorandum which began the
implementation of the policy outlined in the October 1
statement. Among other things, the executive order and the
memorandum transferred all non-military encryption products to
the Commerce Control List, meaning that their licensing for
export would be overseen by the Department of Commerce under
the EAA. The order and memorandum also gave the Department of
Justice a significant voice in such licensing decisions. On
December 30, 1996, the Department of Commerce promulgated
regulations that implemented the new policy. 61 Fed. Reg. 68572
(December 30, 1996).
    On September 16, 1998, the Administration announced an
update to its encryption policy. Among its provisions, the new
policy states U.S. firms can export any level of encryption to
their foreign subsidiaries, except for certain terrorist states. The
policy will also permit export of encryption products over 56-bit to 46
countries without a license to certain industries including banks,
insurance companies, hospitals, HMO's, medical labs, civilian
government agencies, non military health organizations, and online
merchants (for example, communications between merchants and customers,
like buying a book or clothes from an online catalog). A Tech Center
will be created whose stated purpose is to help law enforcement
understand technology. Under the updated policy, exports to countries
other than the 46 specific countries require a license, although the
application has a presumption of approval; 56-bit encryption can be
exported without restriction after a one-time review. The policy fails
to codify the current right of all Americans to use any type of
encryption they choose. This omission opens the door for the
Administration to change its domestic encryption policy in the future
without congressional authorization. For key recovery products, the
policy directs proponents will need a license to export to foreign
commercial firms but not for export to telecommunications companies or
Internet service providers. The new Administration policy will be
reviewed after one year.
            3. Arguments Relating to Export Controls on Encryption
                    Products
    The Administration has to date opposed any lifting of
export controls beyond that in its recent initiatives. It
argues that the controls are still effective and that our
allies would dislike the negative effect on law enforcement
efforts if we lifted the controls. It also argues that the
lifting of the controls might not help business because other
countries would impose import controls. Finally, the
Administration argues that it is making efforts under its new
policy to find ways to relax the controls on a case by case
basis.
    The computer industry and the privacy groups argue that the
Administration ought to substantially relax, if not eliminate
the controls. They argue that wrongdoers can easily evade them
because many encryption products are available to anyone over
the Internet. At least one estimate contends that over 650
strong and reliable products are available worldwide. They also
argue that the controls are easily evaded because as a
practical matter, anyone can come into the United States, buy
encryption products, and take them out of the country with
little risk of detection. Because the controls are so easily
evaded, they further argue that the controls serve only to put
American companies at a competitive disadvantage and to
discourage investment in the development of better encryption
products. If the situation does not change, they believe that
American companies will no longer dominate this field.
    In addition, they contend that the Administration's new
policy is a backdoor attempt to force the domestic use of
encryption with key escrow. Under the policy, a company that
wants both to sell encryption products here and abroad must
either make two versions of its product or sell only a product
that meets the export restrictions. They also question whether
the carrot and stick approach the new policy takes is a
legitimate and logical use of export controls. Current
encryption products of the 56-bit strength are either safe to
export or they are not--a company's compliance or noncompliance
with the Administration's directives regarding future products
will not change that.
            4. Recent Litigation
    At least two plaintiffs have challenged the
Administration's policies regarding encryption. In one case,
the United States District Court for the District of Columbia
ruled that the government's decision to designate an encryption
product as a munition, and therefore restrict its export, was
not subject to judicial review. Karn v. Department of State,
925 F.Supp. 1 (D.D.C. 1996), remanded, 1997 U.S. App. Lexis
3123 (D.C. Cir. 1997). The Court further held that the export
restriction on the product was content neutral and narrowly
tailored and therefore did not violate the First Amendment. The
District of Columbia Circuit Court of Appeals remanded the case
for further consideration in light of the Administration's new
policy.
    In the other case, the United States District Court for the
Northern District of California ruled that the export
restrictions on encryption products were unconstitutional prior
restraints on free speech because they did not have adequate
procedural safeguards. Bernstein v. Department of State, 945
F.Supp. 1279 (N.D. Cal. 1996). Upon further review, the Court
concluded that the regulation of encryption products is not
prohibited by law and that the First Amendment does not remove
encryption technology entirely from all government regulation.
However, the Court ruled in favor of the plaintiff as it
applied to his publishing of scientific papers, algorithms, or
computer programs. Bernstein v. Department of State, 974
F.Supp. 1288 (N.D. Cal. 1997).


II. Need for the Legislation


            A. Sections 2 and 4--Domestic Use of Encryption
    The Committee believes that sections 2 and 4 of H.R. 850,
as reported by the Committee, will significantly aid the fight
against crime. Both sides of the debate agree that the use of
strong encryption will help users to prevent crimes before they
happen. As we increasingly depend on computers to control our
national infrastructure, the danger of information warfare and
economic espionage also increases. The use of strong encryption
diminishes that terrifying prospect.
    The affirmative statements in new sections 2802 and 2803
that it is legal for persons in the United States and for
United States persons abroad to use, and for persons in the
United States to sell, encryption will encourage the use of
encryption to fight crime. These sections only state what the
Committee understands to be existing law, and therefore they
should not worsen any law enforcement and national security
concerns. By making these affirmative statements of positive
law, the bill will prevent any reduction of the existing right
to use or sell encryption domestically by administrative
action, state law, or other means.
    New section 2804 effectively prohibits the imposition of
any mandatory key escrow system. The Committee believes that
Americans should not be forced to surrender the keys to their
data without proper justification any more than they should be
forced to surrender the keys to their homes. The limited circumstances
under which law enforcement and national security officers may obtain
access to the private spaces of Americans have stood the test of time.
They exist for good reasons that are well understood by all. The advent
of a new technology is not a sufficient justification for diminishing
these historic protections.
    At the same time, however, new section 2804 preserves
existing authorities for law enforcement and national security
officers to obtain keys for legitimate purposes. Just as new
technology should not take away the longstanding rights of
citizens against government, it also should not take away the
traditional means for legitimate law enforcement and national
security investigations. However, the Committee does not
believe that the advance of technology warrants a system of
forcing people to deposit their keys with any third party
without proper justification. Thus, new section 2804 prohibits
any such system.
    Despite the Committee's opposition to any mandatory key
escrow system, nothing in section 2804 should be construed to
prevent or hinder the development of a voluntary key escrow
system if the market demands it. Such a system may have many
benefits so long as users are allowed to choose freely whether
to join. If enough users desire it, the Committee believes that
the market will develop it.
    In addition to the preservation of existing law enforcement
authorities to obtain keys for legitimate purposes in new
section 2804, new section 2805 further aids law enforcement and
national security by making it a crime to avoid detection of
another federal felony through the knowing and willful use of
encryption. This section gives the government another tool with
which to fight the misuse of encryption; however, it also
states that the mere use of encryption alone cannot be the
basis for establishing probable cause with respect to a search
warrant or in a criminal investigation.
    Section 4 requires the Attorney General to compile and make
available to Congress information on instances in which
encryption interferes with the enforcement of the federal
criminal law. This requirement will assist the Committee in
determining whether to make any further changes to encryption
policy. It will also foster a continuing dialogue between the
Congress and the executive branch on these matters. Through all
of these means, the Committee believes that it has carefully
balanced the needs of law abiding citizens against those of the
law enforcement and national security agencies as to the
matters within its jurisdiction.
            B. Section 3--Export Controls
    Section 3 of H.R. 850 significantly relaxes existing export
controls on encryption products. Because Section 3 amends the
Export Administration Act of 1979, it falls within the
jurisdiction of the House Committee on International Relations.
The International Relations Committee has been given a
secondary referral of H.R. 850 for consideration of Section 3.
    For that reason, the Committee on the Judiciary did not
address Section 3 during its consideration of H.R. 850.
However, the Committee realizes that export controls must be
addressed as part of any comprehensive national encryption
policy. The Committee believes that it has carefully balanced
the interests involved in the matters under its jurisdiction.
It stands ready to work with the Committee on International
Relations, the Administration, and all other interested parties
in an effort to develop a similar, but more comprehensive,
balancing of all the interests, including those relating to
export controls, as this legislation moves forward.


                                Hearings


    On Thursday, March 4, 1999, the Subcommittee on Courts and
Intellectual Property held a hearing on H.R. 850, the
``Security and Freedom Through Encryption (SAFE) Act.'' The
following individuals testified at the March 4th hearing:
William Reinsch, Undersecretary of Commerce for Export
Administration, United States Department of Commerce; Ronald D.
Lee, Associate Deputy Attorney General, United States
Department of Justice; Barbara McNamara, Deputy Director,
National Security Administration; Tom Parenty, Data and
Communications Security, Sybase, Incorporated; Craig
McLaughlin, Chief Technology Officer, Privada, Incorporated;
Grover Norquist, President, Americans for Tax Reform; Professor
Dorothy E. Denning, Georgetown University; Alan B. Davidson,
Staff Counsel, Center for Democracy and Technology; Ed
Gillespie, Executive Director, Americans for Computer Privacy;
and Dave McCurdy, President, Electronic Industries Alliance.


                        Committee Consideration


    On March 11, 1999, the Subcommittee on Courts and
Intellectual Property met in open session and ordered reported
the bill H.R. 850 without amendment, by a voice vote, a quorum
being present. On March 24, 1999, the Committee met in open
session and ordered reported favorably the bill H.R. 850
without amendment, by a voice vote, a quorum being present.


                         Vote of the Committee


    During their consideration of H.R. 850, the Committee and
the Subcommittee took no rollcall votes.


                      Committee Oversight Findings


    In compliance with clause 3(c)(1) of rule XI of the Rules
of the House of Representatives, the Committee reports that the
findings and recommendations of the Committee, based on
oversight activities under clause 2(b)(1) of rule X of the
Rules of the House of Representatives, are incorporated in the
descriptive portions of this report.


         Committee on Government Reform and Oversight Findings


    No findings or recommendations of the Committee on
Government Reform and Oversight were received as referred to in
clause 3(c)(4) of rule XIII of the Rules of the House of
Representatives.


               New Budget Authority and Tax Expenditures


    Clause 3(c)(2) of House rule XIII is inapplicable because
this legislation does not provide new budgetary authority or
increased tax expenditures.


               Congressional Budget Office Cost Estimate


    In compliance with clause 3(c)(3) of rule XIII of the Rules
of the House of Representatives, the Committee sets forth, with
respect to the bill, H.R. 850, the following estimate and
comparison prepared by the Director of the Congressional Budget
Office under section 402 of the Congressional Budget Act of
1974:


                                     U.S. Congress,
                               Congressional Budget Office,
                                    Washington, DC, April 21, 1999.
Hon. Henry J. Hyde,
Chairman, Committee on the Judiciary,
House of Representatives, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for H.R. 850, the Security
and Freedom Through Encryption (SAFE) Act.
    If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contacts are Mark
Grabowicz (for costs of the Justice Department) and Mark Hadley
(for costs of the Commerce Department), Hester Grippando (for
revenues), and Leo Lex (for the state and local impact).
            Sincerely,
                                          Dan L. Crippen, Director.
    Enclosure.


H.R. 850--Security and Freedom Through Encryption (SAFE) Act
            Summary
    H.R. 850 would allow individuals in the United States to
use and sell any form of encryption and would prohibit states
or the federal government from requiring individuals to
relinquish the key to encryption technologies to any third
party. The bill also would prevent the Bureau of Export
Administration (BXA) in the Department of Commerce from
restricting the export of most nonmilitary encryption products.
H.R. 850 would establish criminal penalties and fines for the
use of encryption technologies to conceal incriminating
information relating to a felony from law enforcement
officials. Finally, the bill would require the Attorney General
to maintain data on the instances in which encryption impedes
or obstructs the ability of the Department of Justice (DOJ) to
enforce the criminal laws.
    Assuming appropriation of the necessary amounts, CBO
estimates that implementing H.R. 850 would result in additional
discretionary spending, by DOJ, of $3 million to $5 million
over the 2000-2004 period. (The department's spending for
activities related to encryption exports is negligible under
current law.) Enacting H.R. 850 also would affect direct
spending and receipts, beginning in fiscal year 2000, through
the imposition of criminal fines and the resulting spending
from the Crime Victims Fund. Therefore, pay-as-you-go
procedures would apply. CBO estimates, however, that the
amounts of additional direct spending and receipts would not be
significant.
    H.R. 850 contains no new private-sector mandates as defined
in the Unfunded Mandates Reform Act (UMRA). The bill would
preempt state laws that require the use of encryption products
or services in a number of circumstances. These preemptions
would be intergovernmental mandates as defined in UMRA, but the
cost to states would be small and would not exceed the
threshold established in UMRA ($50 million in 1996, adjusted
annually for inflation).
            Estimated Cost to the Federal Government
    The expense of compiling and maintaining data on the
instances in which encryption impedes or obstructs the ability
of the department to enforce the criminal laws is difficult to
ascertain because the number of such instances is unknown--but
DOJ believes that if H.R. 850 were enacted they would be
numerous. CBO estimates that such efforts would cost DOJ
between $500,000 and $1 million a year, assuming appropriation
of the necessary amounts. These costs would fall within budget
function 750 (administration of justice).
    Under current policy, BXA would likely spend about $500,000
a year reviewing exports of encryption products, pursuant to a
November 1996 executive order and memorandum that authorized
BXA to control the export of all nonmilitary encryption
products. If H.R. 850 were enacted, BXA would still be required
to review requests to export most computer hardware and
software with encryption capabilities. Thus, enacting H.R. 850
would not significantly affect BXA's spending.
    CBO estimates that the collections from criminal fines
established by the bill--for the use of encryption technologies
to conceal incriminating information relating to a felony--
would not be significant.
            Pay-As-You-Go Considerations
    The Balanced Budget and Emergency Deficit Control Act sets
up pay-as-you-go procedures for legislation affecting direct
spending or receipts. H.R. 850 would affect direct spending and
receipts by imposing criminal fines for encrypting
incriminating information related to a felony. Collections from
such fines are likely to be negligible, however, because the
federal government would probably not pursue many additional
cases under the bill. Any such collections would be recorded in
the budget as governmental receipts, or revenues. They would be
deposited in the Crime Victims Fund and spent the following
year. Because the increase in direct spending would be the same
as the amount of fines collected with a one-year lag, the
additional direct spending would also be negligible.
            Estimated Impact on State, Local, and Tribal Governments
    H.R. 850 would preempt state laws that require encryption
keys to be built into computer systems or to be registered with
an outside entity or retained by the owner. The bill would also
preempt state laws that require the use of encryption for
authenticating documents or for ensuring their confidentiality. Both
preemptions would be mandates as defined in UMRA. The preemptions of
state law would apply to all entities in the state, but they would also
prevent the states themselves from using certain types of encryption
technology. The direct impact on state budgets would depend upon the
degree to which they are using and will use such technology. Most
states have not implemented electronic systems that use encryption, so
the impact of the bill on current operations would be small.
    CBO has no basis for predicting the degree to which states
would use encryption technology in the future in the absence of
this legislation. Encryption that is prohibited by the bill
includes the scrambling of electronically stored or transmitted
information in order to preserve confidentiality, integrity, or
authenticity. Thus, the bill may preclude states from using
digital signatures to send or receive legal documents
electronically. Digital signatures consist of a stream of
electronically coded text that uses the body of the document
itself, along with unique identifying information about the
sender, to authenticate the document and its sender. They are
generated through the use of mathematical algorithms, and they
can be validated by using electronic keys.
    The use of digital signatures would provide options to
states and other entities that wish to send legal documents
electronically, rather than as hard copies. Resulting
reductions in paperwork and distribution costs could lead to
cost savings. However, CBO estimates that any lost savings or
other costs of the mandates to states would not exceed the
threshold established in UMRA ($50 million in 1996, adjusted
annually for inflation).
            Estimated Impact on the Private Sector
    This bill would impose no new private-sector mandates as
defined in UMRA.
            Estimate Prepared By:
    Federal Costs: Mark Grabowicz for DOJ and Mark Hadley for
BXA.
    Revenues: Hester Grippando.
    Impact on State, Local, and Tribal Governments: Leo Lex.
            Estimate Approved By:
    Robert A. Sunshine, Deputy Assistant Director for Budget
Analysis.
    [See Additional Views, Statement of Representative Bob
Goodlatte disagreeing with the CBO letter.]


                   Constitutional Authority Statement


    Pursuant to clause 3(d)(1) of rule XIII of the Rules of the
House of Representatives, the Committee finds the authority for
this legislation in Article I, section 8 of the Constitution.


                      Section-by-Section Analysis


Section 1. Title


    This section states that the title of the bill is the
Security and Freedom Through Encryption (SAFE) Act.


Section 2. Domestic use and sale of encryption; prohibition on
        mandatory key escrow; use of encryption in furtherance of a
        federal felony


    This section creates a new chapter in title 18 of the U.S.
Code regarding the use and sale of encryption within the United
States, the prohibition of a mandatory key escrow system, and
the unlawful use of encryption in furtherance of a criminal
act.
    New section 2801 contains a series of definitions relating
to encryption. New section 2802 states that it is legal for any
person in the United States or any United States person in a
foreign country to use any form of encryption.
    New section 2803 states that it is legal for any person in
the United States to sell any type of encryption product in
interstate commerce. New section 2804 prohibits the federal
government or a state from requiring or conditioning approval
on a requirement that encryption products be built with a
third-party access feature (also known as ``key escrow'' or
``key recovery'') or that persons with control over decryption
keys provide access to someone other than the key owner. This
section also prohibits the federal government or a state from
establishing conditions, ties, or links between encryption
products and the issuance of certificate authorities or digital
signatures. Exceptions to this section exist for law
enforcement or intelligence officers seeking access to
encrypted information and where the federal government or a
state wishes to use key escrow/key recovery encryption for its
own systems.
    New section 2805 makes it a crime to use encryption
unlawfully in furtherance of some other crime. This new crime
is punishable with a sentence of 5 years for a first offense
and 10 years for a second or subsequent offense. To trigger the
provisions of this section, a person must be convicted of or
plead guilty to a federal felony in which the person knowingly
and willfully used encryption to conceal that felony for the
purpose of avoiding detection by law enforcement. This section
also states that the use of encryption cannot, by itself, be
the basis for establishing probable cause with respect to a
criminal offense or a search warrant.


Section 3. Exports of encryption


    This section makes a series of changes to the export of
encryption products. Subsection (a) amends the Export
Administration Act of 1979 by creating a new subsection (g)
regarding encryption products and products containing
encryption or encryption capabilities.
    New subsection (g)(1) places all encryption products,
except those specifically designed or modified for military
use, under the jurisdiction of the Secretary of Commerce. New
subsection (g)(2) states that after a one-time, 15-day
technical review by the Secretary, no export license may be
required for generally available encryption software and
hardware products, generally available products containing
encryption, generally available products with
encryption capabilities, technical assistance and data used to install
or maintain generally available encryption products, products
containing encryption, and products with encryption capabilities, and
encryption products not used for confidentiality purposes.
    New subsection (g)(3) states that after a one-time, 15-day
technical review by the Secretary, the Secretary shall allow
the export of custom-designed encryption products and custom-
designed products with encryption capabilities if those
products are permitted for use by banks or if comparable
products are commercially available outside the U.S. An
exception to this subsection exists if there is substantial
evidence that these products will be diverted or modified for
military or terrorist use or reexported without authorization.
    New subsection (g)(4) creates a series of definitions
relating to encryption products, products containing
encryption, products containing encryption capabilities, and
the export of such products for this subsection.
    Subsection (b) states that encryption products that do not
require an export license as of the date of enactment of this
Act shall not require an export license on or after that date.
    Subsection (c) states that nothing in this Act shall limit
the authority of the President to prohibit the export of
encryption products to terrorist nations or nations that have
been determined to repeatedly support acts of international
terrorism, or to impose an embargo on exports to and imports
from a specific country. This subsection also allows the
Secretary of Commerce to prohibit the export of specific
encryption products to specific individuals or organizations in
specific foreign countries, if the Secretary determines that
there is substantial evidence that such products will be used
for military or terrorist purposes.
    Subsection (d) deems that the Export Administration Act of
1979 be in effect for the purpose of carrying out the amendment
contained in this section of the bill.


Section 4. Study on the effect of encryption on law enforcement
        activities


    This section requires the Attorney General to compile
information on the instances in which encryption has interfered
with, impeded, or obstructed the ability of the Justice
Department to enforce the criminal laws of the United States.


                              Agency Views


                             Department of Justice,
                           Federal Bureau of Investigation,
                                     Washington, DC, March 3, 1999.
Hon. Howard Coble,
Chairman, Subcommittee on Courts and Intellectual Property, Committee
        on the Judiciary, House of Representatives, Washington, DC.
    Dear Mr. Chairman:  Enclosed please find copies of
resolutions and letters from various law enforcement
associations and groups which set forth their positions
concerning encryption. Even though these letters were prepared
during the last Congress, the positions set forth in them
remain unchanged. You and the Members of the Subcommittee may
find this information helpful as you begin consideration of
H.R. 850, the ``Security and Freedom Through Encryption (SAFE)
Act,'' a bill to relax existing export controls on encryption.
    Encryption is becoming a fact of everyday life in today's
information age and a natural consequence of technology.
Encryption is extremely beneficial when used legitimately to
protect sensitive electronically stored information and the
privacy of communications. But the use of strong, unbreakable
encryption by hostile governments and by criminals and
terrorists for illegal purposes poses a significant and
unacceptable threat to our national security capabilities.
    As you know, export controls on encryption products exist
primarily to protect national security and foreign policy
interests. On occasion, U.S. law enforcement is provided with
valuable criminal-related information obtained through our
Nation's intelligence gathering efforts. Law enforcement
believes that such intelligence gathering capabilities derived,
in part, from export controls on encryption should be
preserved.
    The law enforcement community continues to support the
adoption of a balanced encryption policy. Such a balanced
policy must satisfy the needs of commerce and communications
privacy, the national security needs of the Intelligence
Community as well as the public safety needs of law
enforcement. We look forward to working with the Subcommittee
and the Congress in an effort to develop a balanced encryption
policy that effectively addresses all parties' concerns
regarding this most important privacy, commerce, national
security and public safety issue.
            Sincerely yours,
                               John E. Collingwood,
                              Assistant Director, Office of
                                  Public and Congressional Affairs.
                                ------


             International Association of Chiefs of Police


                               Encryption


                  Submitted by: Legislative Committee


                                L006.a96


    Whereas, the introduction of digitally-based
telecommunications technologies, as well as the widespread use
of computers and computer networks having encryption
capabilities are facilitating the development and production of
affordable and robust encryption products for private sector
use; and
    Whereas, on one hand encryption is extremely beneficial
when used legitimately to protect commercially sensitive
information and communications. On the other hand, the
potential use of such encryption products by a vast array of
criminals and terrorists to conceal their criminal
communications and information from law enforcement poses an
extremely serious threat to public safety; and
    Whereas, the law enforcement community is extremely
concerned about the serious threat posed by the use of robust
encryption products that do not allow for law enforcement
access and its timely decryption, pursuant to lawful
authorization (court-authorized wiretaps or court-authorized
search and seizure); and
    Whereas, law enforcement fully supports a balanced
encryption policy that satisfies both the commercial needs of
industry for robust encryption while at the same time
satisfying law enforcement's public safety needs; and
    Whereas, law enforcement has found that robust key-escrow
encryption is clearly the best way, and perhaps the only way,
to achieve both the goals of industry and law enforcement; and
    Whereas, government representatives have been working with
industry to encourage the voluntary development, sale, and use
of key-escrow encryption in its pursuit of a balanced
encryption policy; now, therefore, be it
    Resolved, That the International Association of Chiefs of
Police, duly assembled at its 103rd annual conference in
Phoenix, Arizona, supports and encourages the development and
adoption of a key-escrow encryption policy, which we believe
represents a policy that appropriately addresses both the
commercial needs of industry while at the same time satisfying
law enforcement's public safety needs and that we oppose any
efforts, legislative or otherwise, that would undercut the
adoption of such a balanced encryption policy.
                                ------


                     National Sheriffs' Association


                               Resolution


                 Digital Telecommunications Encryption


    Whereas, the introduction of digitally-based
telecommunications technologies as well as the widespread use
of computers and computer networks having encryption
capabilities are facilitating the development and production of
affordable and robust encryption products for private sector
use; and
    Whereas, on one hand encryption is extremely beneficial
when used legitimately to protect commercially sensitive
information and communications. On the other hand, the
potential use of such encryption products by a vast array of
criminals and terrorists to conceal their criminal
communications and information from law enforcement poses an
extremely serious threat to public safety; and
    Whereas, the law enforcement community is extremely
concerned about the serious threat posed by the use of robust
encryption products that do not allow for court authorized law
enforcement access and its timely decryption, pursuant to
lawful authorization; and
    Whereas, law enforcement fully supports a balanced
encryption policy that satisfies both the commercial needs of
industry for robust encryption while at the same time
satisfying law enforcement's public safety needs; and
    Whereas, law enforcement has found that robust key-escrow
encryption is clearly the best way, and perhaps the only way,
to achieve both the goals of industry and law enforcement; and
    Whereas, government representatives have been working with
industry to encourage the voluntary development, sale, and use
of key-escrow encryption in its pursuit of a balanced
encryption policy; and
    Therefore be it resolved, That the National Sheriffs'
Association supports and encourages the development and
adoption of a key-escrow encryption policy which we believe
represents a policy that appropriately addresses both the
commercial needs of industry while at the same time satisfying
law enforcement's public safety needs and that we oppose any
efforts, legislatively or otherwise, that would undercut the
adoption of such a balanced encryption policy.


          Adopted at a meeting of the Membership on this 19th
        day of June, 1996 in Portland, Oregon
                                ------


                National District Attorneys Association


                               Resolution


                               Encryption


    Whereas, the introduction of digitally-based
telecommunications technologies as well as the widespread use
of computers and computer networks having encryption
capabilities are facilitating the development and production of
strong, affordable encryption products and services for private
sector use; and
    Whereas, on one hand the use of strong encryption products
and services are extremely beneficial when used legitimately to
protect commercially sensitive information and communications.
On the other hand, the potential use of strong encryption
products and services that do not allow for timely law
enforcement decryption by a vast array of criminals and
terrorists to conceal their criminal communications and
information from law enforcement poses an extremely serious
threat to public safety; and
    Whereas, the law enforcement community is extremely
concerned about the serious threat posed by the use of these
strong encryption products and services that do not allow for
authorization (court-authorized wiretaps or court-authorized
search and seizure); and
    Whereas, law enforcement fully supports a balanced
encryption policy that satisfies both the commercial needs of
industry for strong encryption while at the same time satisfying
law enforcement's public safety needs for the timely decryption
of encrypted criminal communications and information; and
    Whereas, law enforcement has found that strong key recovery
encryption products and services are clearly the best way and
perhaps the only way to achieve both the goals of industry and
law enforcement; and
    Whereas, government representatives have been working with
industry to encourage the voluntary development, sale, and use
of key recovery encryption products and services in its pursuit
of a balanced encryption policy;
    Be it resolved, That the National District Attorneys
Association supports and encourages the development and
adoption of a balanced encryption policy that encourages the
development, sale, and use of key recovery encryption products and
services, both domestically and abroad. We believe that this approach
represents a policy that appropriately addresses both the commercial
needs of industry while at the same time satisfying law enforcement's
public safety needs.
                                ------


                                       Major Cities Chiefs,
                                        Chicago, IL, July 24, 1997.
Hon. Orrin G. Hatch,
Chairman, Judiciary Committee,
Senate Hart Office Building, Washington, DC.
    Dear Mr. Chairman: The Major Cities Chiefs is a
professional association of police executives representing the
largest jurisdictions in the United States. The association
provides a forum for urban police chiefs, sheriffs and other
law enforcement chief executives to discuss common problems
associated with protecting cities with populations exceeding
500,000 people.
    Congress is considering a variety of legislative proposals
concerning encryption. Some of these proposals would, in
effect, make it impossible for law enforcement agencies across
the country, both on the federal, state and local level, to
lawfully gain access to criminal telephone conversations or
electronically stored evidence. Since the impact of these
proposals would seriously jeopardize public safety, our
association urges you to support a balanced approach that
strongly supports commercial and private interests but also
maintains law enforcement's ability to investigate and prosecute
serious crime.
    While we recognize that encryption is critical to
communications security and privacy and that commercial
interests are at stake, we all agree that without adequate
legislation, law enforcement across the country will be
severely limited in its ability to combat serious crime. The
widespread use of non-key recovery encryption ultimately will
eliminate our ability to obtain valuable evidence of criminal
activity. The legitimate and lawful interception of
communications, pursuant to a court order, for the most serious
criminal acts will be meaningless because of our inability to
decipher the evidence.
    Encryption is certainly of great importance to the
commercial interests across this country. However, public
safety concerns are just as critical and we must not lose
sight of this. The need to preserve an invaluable investigative
tool is of the utmost importance in law enforcement's ability
to protect the public against serious crime.
            Sincerely yours,
                                            Matt Rodriguez,
                                                          Chairman.
                                ------


                            Office of the Attorney General,
                                     Washington, DC, July 18, 1997.
    Dear Member of Congress: Congress is considering a variety
of legislative proposals concerning encryption. Some of these
proposals would, in effect, make it impossible for the Federal
Bureau of Investigation (FBI), Drug Enforcement Administration
(DEA), Secret Service, Customs Service, Bureau of Alcohol,
Tobacco and Firearms, and other federal, state, and local law
enforcement agencies to lawfully gain access to criminal
telephone conversations or electronically stored evidence
possessed by terrorists, child pornographers, drug kingpins,
spies and other criminals. Since the impact of these proposals
would seriously jeopardize public safety and national security,
we collectively urge you to support a different, balanced
approach that strongly supports commercial and privacy
interests but maintains our ability to investigate and
prosecute serious crimes.
    We fully recognize that encryption is critical to
communications security and privacy, and that substantial
commercial interests are at stake. Perhaps in recognition of
these facts, all the bills being considered allow market forces
to shape the development of encryption products. We, too, place
substantial reliance on market forces to promote electronic
security and privacy, but believe that we cannot rely solely on
market forces to protect the public safety and national
security. Obviously, the government cannot abdicate its solemn
responsibility to protect public safety and national security.
    Currently, of course, encryption is not widely used, and
most data is stored, and transmitted, in the clear. As we move
from a plaintext world to an encrypted one, we have a critical
choice to make: we can either (1) choose robust, unbreakable
encryption that protects commerce and privacy but gives
criminals a powerful new weapon, or (2) choose robust,
unbreakable encryption that protects commerce and privacy and
gives law enforcement that ability to protect public safety.
The choice should be obvious and it would be a mistake of
historic proportions to do nothing about the dangers to public
safety posed by encryption without adequate safeguards for law
enforcement.
    Let there be no doubt: without encryption safeguards, all
Americans will be endangered. No one disputes this fact; not
industry, not encryption users, no one. We need to take
definitive actions to protect the safety of the public and
security of the nation. That is why law enforcement at all
levels of government--including the Justice Department,
Treasury Department, the National Association of Attorneys
General, International Association of Chiefs of Police, the
Major City Chiefs, the National Sheriffs' Association, and the
National District Attorneys Association--are so concerned about
this issue.
    We all agree that without adequate legislation, law
enforcement in the United States will be severely limited in
its ability to combat the worst criminals and terrorists.
Further, law enforcement agrees that the widespread use of
robust non-key recovery encryption ultimately will devastate
our ability to fight crime and prevent terrorism.
    Simply stated, technology is rapidly developing to the
point where powerful encryption will become commonplace both
for routine telephone communications and for stored computer
data. Without legislation that accommodates public safety and
national security concerns, society's most dangerous criminal
will be able to communicate safely and electronically store
data without fear of discovery. Court orders to conduct
electronic surveillance and court-authorized search warrants
will be ineffectual, and the Fourth Amendment's carefully-
struck balance between ensuring privacy and protecting public
safety will be forever altered by technology. Technology should
not dictate public policy, and it should promote, rather than
defeat, public safety.
    We are not suggesting the balance of the Fourth Amendment
be tipped toward law enforcement either. To the contrary, we
only seek the status quo, not the lessening of any legal
standard or the expansion of any law enforcement authority. The
Fourth Amendment protects the privacy and liberties of our
citizens but permits law enforcement to use tightly controlled
investigative techniques to obtain evidence of crimes. The
result has been the freest country in the world with the
strongest economy.
    Law enforcement has already confronted encryption in high-
profile espionage, terrorist, and criminal cases. For example:
          An international terrorist was plotting to blow up 11
        U.S.-owned commercial airliners in the Far East. His
        laptop computer, which was seized in Manila, contained
        encrypted files concerning this terrorist plot.
          A subject in a child pornography case used encryption
        in transmitting obscene and pornographic images of
        children over the Internet.
          A major international drug trafficking subject
        recently used a telephone encryption device to
        frustrate court-approved electronic surveillance.
And this is just the tip of the iceberg. Convicted spy Aldrich
Ames, for example, was told by the Russian Intelligence Service
to encrypt computer file information that was to be passed to
them.
    Further, today's international drug trafficking
organizations are the most powerful, ruthless and affluent
criminal enterprises we have ever faced. We know from numerous
past investigations that they have utilized their virtually
unlimited wealth to purchase sophisticated electronic equipment
to facilitate their illegal activities. This has included state
of the art communication and encryption devices. They have used
this equipment as part of their command and control process for
their international criminal operations. We believe you share
our concern that criminals will increasingly take advantage of
developing technology to further insulate their violent and
destructive activities.
    Requests for cryptographic support pertaining to electronic
surveillance interceptions from FBI Field Offices and other law
enforcement agencies have steadily risen over the past several
years. There has been an increase in the number of instances
where the FBI's and DEA's court-authorized electronic efforts
were frustrated by the use of encryption that did not allow for
law enforcement access.
    There have also been numerous other cases where law
enforcement, through the use of electronic surveillance, has
not only solved and successfully prosecuted serious crimes but
has also been able to prevent life-threatening criminal acts.
For example, terrorists in New York were plotting to bomb the
United Nations building, the Lincoln and Holland Tunnels, and
26 Federal Plaza as well as conduct assassinations of political
figures. Court-authorized electronic surveillance enabled the
FBI to disrupt the plot as explosives were being mixed.
Ultimately, the evidence obtained was used to convict the
conspirators. In another example, electronic surveillance was
used to stop and then convict two men who intended to kidnap,
molest, and kill a child. In all of these cases, the use of
encryption might have seriously jeopardized public safety and
resulted in the loss of life.
    To preserve law enforcement's abilities, and to preserve
the balance so carefully established by the constitution, we
believe any encryption legislation must accomplish three goals
in addition to promoting the widespread use of strong
encryption. It must establish:
          A viable key management infrastructure that promotes
        electronic commerce and enjoys the confidence of
        encryption users.
          A key management infrastructure that supports a key
        recovery scheme that will allow encryption users access
        to their own data should the need arise, and that will
        permit law enforcement to obtain lawful access to the
        plain text of encrypted communications and data.
          An enforcement mechanism that criminalizes both
        improper use of encryption key recovery information and
        the use of encryption for criminal purposes.
    Only one bill, S. 909 (the McCain/Kerrey/Hollings bill),
comes close to meeting these core public safety, law
enforcement, and national security needs. The other bills being
considered by Congress, as currently written, risk great harm
to our ability to enforce the laws and protect our citizens. We
look forward to working to improve the McCain/Kerrey/Hollings
bill.
    In sum, while encryption is certainly a commercial interest
of great importance to this Nation, it is not solely a
commercial or business issue. Those of us charged with the
protection of public safety and national security, believe that
the misuse of encryption technology will become a matter of
life and death in many instances. That is why we urge you to
adopt a balanced approach that accomplishes the goals mentioned
above. Only this approach will allow police departments,
attorneys general, district attorneys, sheriffs, and federal
authorities to continue to use their most effective
investigative techniques, with court approval, to fight crime
and espionage and prevent terrorism.
            Sincerely yours,
                                   Janet Reno,
                                           Attorney General.
                                   Louis Freeh,
                                           Director, Federal Bureau of
                                               Investigation.
                                   Thomas A. Constantine,
                                           Director, Drug Enforcement
                                               Administration.
                                   Raymond W. Kelly,
                                           Undersecretary for
                                               Enforcement, U.S.
                                               Department of Treasury.
                                   John W. Magaw,
                                           Director, Bureau of Alcohol,
                                               Tobacco and Firearms.
                                   Barry McCaffrey,
                                           Director, Office of National
                                               Drug Control Policy.
                                   Lewis C. Merletti,
                                           Director, United States
                                               Secret Service.
                                   George J. Weise,
                                           Commissioner, United States
                                               Customs Service.
                                ------


             International Association of Chiefs of Police,
                                     Alexandria, VA, July 21, 1997.
    Dear Member of Congress: Enclosed is a letter sent to you
by the Attorney General, the Director of National Drug Control
Policy and all the federal law enforcement heads concerning
encryption legislation being considered by Congress. Collectively
we, the undersigned, represent over 17,000 police departments
including every major city police department, over 3,000
sheriffs departments, nearly every district attorney in the
United States and all of the state Attorneys General. We fully
endorse the position taken by our federal counterparts in the
enclosed letter. As we have stated many times, Congress must
adopt a balanced approach to encryption that fully addresses
public safety concerns or the ability of state and local law
enforcement to fight crime and drugs will be severely damaged.
    Any encryption legislation that does not ensure that law
enforcement can gain timely access to the plaintext of
encrypted conversations and information by established legal
procedures will cause grave harm to public safety. The risk
cannot be left to the uncertainty of market forces or
commercial interests as the current legislative proposals would
require. Without adequate safeguards, the unbridled use of
powerful encryption soon will deprive law enforcement of two of
its most effective tools, court authorized electronic
surveillance and the search and seizure of information stored
in computers. This will substantially tip the balance in the
fight against crime towards society's most dangerous criminals
as the information age develops.
    We are in unanimous agreement that Congress must adopt
encryption legislation that requires the development,
manufacture, distribution and sale of only key recovery
products and we are opposed to the bills that do not do so.
Only the key recovery approach will ensure that law enforcement
can continue to gain timely access to the plaintext of
encrypted conversations and other evidence of crimes when
authorized by a court to do so. If we lose this ability--and
the bills you are considering will have this result--it will be
a substantial setback for law enforcement at the direct expense
of public safety.
            Sincerely yours,
                                   Darrell L. Sanders,
                                           President, International
                                               Association of Chiefs of
                                               Police.
                                   James E. Doyle,
                                           President, National
                                               Association of Attorneys
                                               General.
                                   Fred Scoralic,
                                           President, National
                                               Sheriffs' Association.
                                   William L. Murphy,
                                           President, National District
                                               Attorneys Association.
                                ------


                             Department of Defense,
                               Deputy Secretary of Defense,
                                    Washington, DC, March 24, 1999.
Hon. Henry J. Hyde,
Chairman, Committee on Judiciary,
House of Representatives, Washington, DC.
    Dear Mr. Chairman: On March 11, 1999 the House Judiciary
Subcommittee on Courts and Intellectual Property passed the
Goodlatte Bill (H.R. 850, ``Security and Freedom Through
Encryption (SAFE) Act''). I am writing to let you know that the
Defense Department has deep reservations about this
legislation. We believe that the bill, in its current form,
threatens our ability to undertake critical national security
activities.
    Let me say at the outset that the Department strongly
supports encryption. Indeed, we believe it is essential since
we increasingly operate critical command and control functions
over commercial systems. Encryption is critical for us to
maintain confidentiality of our communications. But at the same
time, we and the law enforcement community have an obligation
to protect American security interests through the timely
delivery of intelligence to decision-makers. The passage of
legislation that immediately decontrols the export of strong
encryption will result in the loss or delay of essential
intelligence reporting because it may take too long to decrypt
the information--if indeed we can decrypt it at all. Our nation
cannot have an effective decision-making process, a strong
fighting force, or a responsive law enforcement community
unless the required intelligence information is available in
time to make a difference. H.R. 850 threatens our ability to do
just that.
    The Department of Defense worked closely with other
elements of the Administration, with Congress and with the
software industry last year to craft encryption export
regulations that provided maximum opportunity to American
industry while still preserving essential restraints critical
for national security. H.R. 850 threatens that balance and
would seriously weaken our national security. I must ask for
your help in bringing the full picture to bear on your
deliberations as you review this legislation.
            Sincerely,
                                                     John J. Hamre.


         Changes in Existing Law Made by the Bill, as Reported


  In compliance with clause 3(e) of rule XIII of the Rules of
the House of Representatives, changes in existing law made by
the bill, as reported, are shown as follows (new matter is
printed in italic and existing law in which no change is
proposed is shown in roman):


                      TITLE 18, UNITED STATES CODE


                             PART I--CRIMES


Chap.                                                               Sec.
1.     General provisions.........................................     1
     * * * * * * *
125.   Encrypted wire and electronic information...................  2801


           *       *       *       *       *       *       *


         CHAPTER 125--ENCRYPTED WIRE AND ELECTRONIC INFORMATION


2801. Definitions.
2802. Freedom to use encryption.
2803. Freedom to sell encryption.
2804. Prohibition on mandatory key escrow.
2805. Unlawful use of encryption in furtherance of a criminal act.


Sec. 2801. Definitions


  As used in this chapter--
          (1) the terms ``person'', ``State'', ``wire
        communication'', ``electronic communication'',
        ``investigative or law enforcement officer'', and
        ``judge of competent jurisdiction'' have the meanings
        given those terms in section 2510 of this title;
          (2) the term ``decrypt'' means to retransform or
        unscramble encrypted data, including communications, to
        its readable form;
          (3) the terms ``encrypt'', ``encrypted'', and
        ``encryption'' mean the scrambling of wire
        communications, electronic communications, or
        electronically stored information, using mathematical
        formulas or algorithms in order to preserve the
        confidentiality, integrity, or authenticity of, and
        prevent unauthorized recipients from accessing or
        altering, such communications or information;
          (4) the term ``key'' means the variable information
        used in a mathematical formula, code, or algorithm, or
        any component thereof, used to decrypt wire
        communications, electronic communications, or
        electronically stored information, that has been
        encrypted; and
          (5) the term ``key recovery information'' means
        information that would enable obtaining the key of a
        user of encryption;
          (6) the term ``plaintext access capability'' means
        any method or mechanism which would provide information
        in readable form prior to its being encrypted or after
        it has been decrypted;
          (7) the term ``United States person'' means--
                  (A) any United States citizen;
                  (B) any other person organized under the laws
                of any State, the District of Columbia, or any
                commonwealth, territory, or possession of the
                United States; and
                  (C) any person organized under the laws of
                any foreign country who is owned or controlled
                by individuals or persons described in
                subparagraphs (A) and (B).


Sec. 2802. Freedom to use encryption


  Subject to section 2805, it shall be lawful for any person
within any State, and for any United States person in a foreign
country, to use any encryption, regardless of the encryption
algorithm selected, encryption key length chosen, or
implementation technique or medium used.


Sec. 2803. Freedom to sell encryption


  Subject to section 2805, it shall be lawful for any person
within any State to sell in interstate commerce any encryption,
regardless of the encryption algorithm selected, encryption key
length chosen, or implementation technique or medium used.


Sec. 2804. Prohibition on mandatory key escrow


  (a) General Prohibition.--Neither the Federal Government nor
a State may require that, or condition any approval on a
requirement that, a key, access to a key, key recovery
information, or any other plaintext access capability be--
          (1) built into computer hardware or software for any
        purpose;
          (2) given to any other person, including a Federal
        Government agency or an entity in the private sector
        that may be certified or approved by the Federal
        Government or a State to receive it; or
          (3) retained by the owner or user of an encryption
        key or any other person, other than for encryption
        products for use by the Federal Government or a State.
  (b) Prohibition on Linkage of Different Uses of Encryption.--
Neither the Federal Government nor a State may--
          (1) require the use of encryption products,
        standards, or services used for confidentiality
        purposes, as a condition of the use of such products,
        standards, or services for authenticity or integrity
        purposes; or
          (2) require the use of encryption products,
        standards, or services used for authenticity or
        integrity purposes, as a condition of the use of such
        products, standards, or services for confidentiality
        purposes.
  (c) Exception for Access for Law Enforcement Purposes.--
Subsection (a) shall not affect the authority of any
investigative or law enforcement officer, or any member of the
intelligence community as defined in section 3 of the National
Security Act of 1947 (50 U.S.C. 401a), acting under any law in
effect on the effective date of this chapter, to gain access to
encrypted communications or information.


Sec. 2805. Unlawful use of encryption in furtherance of a criminal act


  (a) Encryption of Incriminating Communications or Information
Unlawful.--Any person who, in the commission of a felony under
a criminal statute of the United States, knowingly and
willfully encrypts incriminating communications or information
relating to that felony with the intent to conceal such
communications or information for the purpose of avoiding
detection by law enforcement agencies or prosecution--
          (1) in the case of a first offense under this
        section, shall be imprisoned for not more than 5 years,
        or fined in the amount set forth in this title, or
        both; and
          (2) in the case of a second or subsequent offense
        under this section, shall be imprisoned for not more
        than 10 years, or fined in the amount set forth in this
        title, or both.
  (b) Use of Encryption Not a Basis for Probable Cause.--The
use of encryption by any person shall not be the sole basis for
establishing probable cause with respect to a criminal offense
or a search warrant.


           *       *       *       *       *       *       *


                              ----------


              SECTION 17 OF THE EXPORT ADMINISTRATION ACT


                          effect on other acts


  Sec. 17. (a) * * *


           *       *       *       *       *       *       *


  (g) Certain Consumer Products, Computers, and Related
Equipment.--
          (1) General rule.--Subject to paragraphs (2) and (3),
        the Secretary shall have exclusive authority to control
        exports of all computer hardware, software, computing
        devices, customer premises equipment, communications
        network equipment, and technology for information
        security (including encryption), except that which is
        specifically designed or modified for military use,
        including command, control, and intelligence
        applications.
          (2) Items not requiring licenses.--After a one-time,
        15-day technical review by the Secretary, no export
        license may be required, except pursuant to the Trading
        With the Enemy Act or the International Emergency
        Economic Powers Act (but only to the extent that the
        authority of such Act is not exercised to extend
        controls imposed under this Act), for the export or
        reexport of--
                  (A) any computer hardware or software or
                computing device, including computer hardware
                or software or computing devices with
                encryption capabilities--
                          (i) that is generally available;
                          (ii) that is in the public domain for
                        which copyright or other protection is
                        not available under title 17, United
                        States Code, or that is available to
                        the public because it is generally
                        accessible to the interested public in
                        any form; or
                          (iii) that is used in a commercial,
                        off-the-shelf, consumer product or any
                        component or subassembly designed for
                        use in such a consumer product
                        available within the United States or
                        abroad which--
                                  (I) includes encryption
                                capabilities which are
                                inaccessible to the end user;
                                and
                                  (II) is not designed for
                                military or intelligence end
                                use;
                  (B) any computing device solely because it
                incorporates or employs in any form--
                          (i) computer hardware or software
                        (including computer hardware or
                        software with encryption capabilities)
                        that is exempted from any requirement
                        for a license under subparagraph (A);
                        or
                          (ii) computer hardware or software
                        that is no more technically complex in
                        its encryption capabilities than
                        computer hardware or software that is
                        exempted from any requirement for a
                        license under subparagraph (A) but is
                        not designed for installation by the
                        purchaser;
                  (C) any computer hardware or software or
                computing device solely on the basis that it
                incorporates or employs in any form interface
                mechanisms for interaction with other computer
                hardware or software or computing devices,
                including computer hardware and software and
                computing devices with encryption capabilities;
                  (D) any computing or telecommunication device
                which incorporates or employs in any form
                computer hardware or software encryption
                capabilities which--
                          (i) are not directly available to the
                        end user; or
                          (ii) limit the encryption to be
                        point-to-point from the user to a
                        central communications point or link
                        and does not enable end-to-end user
                        encryption;
                  (E) technical assistance and technical data
                used for the installation or maintenance of
                computer hardware or software or computing
                devices with encryption capabilities covered
                under this subsection; or
                  (F) any encryption hardware or software or
                computing device not used for confidentiality
                purposes, such as authentication, integrity,
                electronic signatures, nonrepudiation, or copy
                protection.
          (3) Computer hardware or software or computing
        devices with encryption capabilities.--After a one-
        time, 15-day technical review by the Secretary, the
        Secretary shall authorize the export or reexport of
        computer hardware or software or computing devices with
        encryption capabilities for nonmilitary end uses in any
        country--
                  (A) to which exports of computer hardware or
                software or computing devices of comparable
                strength are permitted for use by financial
                institutions not controlled in fact by United
                States persons, unless there is substantial
                evidence that such computer hardware or
                software or computing devices will be--
                          (i) diverted to a military end use or
                        an end use supporting international
                        terrorism;
                          (ii) modified for military or
                        terrorist end use; or
                          (iii) reexported without any
                        authorization by the United States that
                        may be required under this Act; or
                  (B) if the Secretary determines that a
                computer hardware or software or computing
                device offering comparable security is
                commercially available outside the United
                States from a foreign supplier, without
                effective restrictions.
          (4) Definitions.--As used in this subsection--
                  (A)(i) the term ``encryption'' means the
                scrambling of wire communications, electronic
                communications, or electronically stored
                information, using mathematical formulas or
                algorithms in order to preserve the
                confidentiality, integrity, or authenticity of,
                and prevent unauthorized recipients from
                accessing or altering, such communications or
                information;
                  (ii) the terms ``wire communication'' and
                ``electronic communication'' have the meanings
                given those terms in section 2510 of title 18,
                United States Code;
                  (B) the term ``generally available'' means,
                in the case of computer hardware or computer
                software (including computer hardware or
                computer software with encryption
                capabilities)--
                          (i) computer hardware or computer
                        software that is--
                                  (I) distributed through the
                                Internet;
                                  (II) offered for sale,
                                license, or transfer to any
                                person without restriction,
                                whether or not for
                                consideration, including, but
                                not limited to, over-the-
                                counter retail sales, mail
                                order transactions, phone order
                                transactions, electronic
                                distribution, or sale on
                                approval;
                                  (III) preloaded on computer
                                hardware or computing devices
                                that are widely available for
                                sale to the public; or
                                  (IV) assembled from computer
                                hardware or computer software
                                components that are widely
                                available for sale to the
                                public;
                          (ii) not designed, developed, or
                        tailored by the manufacturer for
                        specific purchasers or users, except
                        that any such purchaser or user may--
                                  (I) supply certain
                                installation parameters needed
                                by the computer hardware or
                                software to function properly
                                with the computer system of the
                                user or purchaser; or
                                  (II) select from among
                                options contained in the
                                computer hardware or computer
                                software; and
                          (iii) with respect to which the
                        manufacturer of that computer hardware
                        or computer software--
                                  (I) intended for the user or
                                purchaser, including any
                                licensee or transferee, to
                                install the computer hardware
                                or software and has supplied
                                the necessary instructions to
                                do so, except that the
                                manufacturer of the computer
                                hardware or software, or any
                                agent of such manufacturer, may
                                also provide telephone or
                                electronic mail help line
                                services for installation,
                                electronic transmission, or
                                basic operations; and
                                  (II) the computer hardware or
                                software is designed for such
                                installation by the user or
                                purchaser without further
                                substantial support by the
                                manufacturer;
                  (C) the term ``computing device'' means a
                device which incorporates one or more
                microprocessor-based central processing units
                that can accept, store, process, or provide
                output of data;
                  (D) the term ``computer hardware'' includes,
                but is not limited to, computer systems,
                equipment, application-specific assemblies,
                smart cards, modules, integrated circuits, and
                printed circuit board assemblies;
                  (E) the term ``customer premises equipment''
                means equipment employed on the premises of a
                person to originate, route, or terminate
                communications;
                  (F) the term ``technical assistance''
                includes instruction, skills training, working
                knowledge, consulting services, and the
                transfer of technical data;
                  (G) the term ``technical data'' includes
                blueprints, plans, diagrams, models, formulas,
                tables, engineering designs and specifications,
                and manuals and instructions written or
                recorded on other media or devices such as
                disks, tapes, or read-only memories; and
                  (H) the term ``technical review'' means a
                review by the Secretary of computer hardware or
                software or computing devices with encryption
                capabilities, based on information about the
                product's encryption capabilities supplied by
                the manufacturer, that the computer hardware or
                software or computing device works as
                represented.


                            ADDITIONAL VIEWS


    H.R. 850, the Security and Freedom Through Encryption
(SAFE) Act of 1999, accomplishes three critical goals:
preventing economic crime, promoting electronic commerce, and
protecting the personal privacy of all law-abiding Americans. I
am pleased that both the Courts and Intellectual Property
Subcommittee and the full Judiciary Committee have approved
this bipartisan legislation without amendment by voice vote. I
would also like to thank the lead cosponsor of the SAFE Act,
Rep. Zoe Lofgren (D-CA), for her leadership, support, and
dedication to this important issue, and to note that the bill
currently has 250 cosponsors, including a majority of the
leadership on both sides of the aisle.
    The Congressional Budget Office (CBO)'s April 21, 1999 cost
estimate, submitted as a part of this Committee Report,
contains a number of inaccuracies that deserve correction. In
the section entitled ``Estimated Impact on State, Local, and
Tribal Governments,'' the CBO letter states that H.R. 850
``would also preempt state laws that require the use of
encryption for authenticating documents or for ensuring their
confidentiality.'' This statement is false. While the bill
would preempt state laws (none of which currently exist)
requiring the use of encryption for authentication or integrity
as a condition of the use of encryption for confidentiality
(and vice versa), H.R. 850 does not preempt state laws that
require the use of encryption for authentication or the use of
encryption for confidentiality. In other words, the bill would
only preempt a linkage of these two uses. In fact, one of the
chief purposes of this legislation is to encourage the use of
encryption, not to hinder the use of encryption.
    The CBO letter also incorrectly states that H.R. 850
``would also prevent the states themselves from using certain
types of encryption technology.'' Again, the purpose of this
legislation is to encourage the use of encryption, not to
hinder the use of encryption. H.R. 850 only prohibits the
federal government or a state from requiring that only
recoverable encryption products be used in communications
between private persons or between private persons and federal
government or state entities. The bill does not prohibit the
federal government or a state from using any type of encryption
product, including a recoverable encryption product, on its own
networks or systems, provided that such product is
interoperable with a non-recoverable encryption product. This
is true whether the federal government or state retains its own
encryption keys, or uses other public or private entities to
retain its encryption keys.
    An additional error in the CBO letter is the statement that
``Encryption that is prohibited by the bill includes the
scrambling of electronically stored or transmitted information
in order to preserve confidentiality, integrity, or
authenticity.'' Encryption is the scrambling of electronically
stored or transmitted information in order to preserve
confidentiality, integrity, or authenticity. Again, the bill
only prohibits the federal government or a state from linking
the use of encryption for confidentiality to the use of
encryption for authenticity or integrity. H.R. 850 does not
prohibit encryption--in fact, the purpose of the bill is to
affirm the rights of U.S. persons to use and sell encryption
and to relax export controls on encryption. With this
statement, however, CBO is essentially arguing that the bill
achieves the exact opposite of that which it was intended to
achieve, which is false.
    Finally, the CBO letter asserts that H.R. 850 ``may
preclude states from using digital signatures to send or
receive legal documents electronically.'' To the contrary, the
bill has no effect whatsoever on state electronic signature
laws, except in cases in which states require the use of
recoverable encryption products as a condition of giving legal
recognition to electronic signatures. However, no such cases
currently exist. Again, the bill simply prohibits the federal
government or a state from linking the use of encryption to the
use of electronic signatures or certificate authorities, not
from requiring the use of encryption, electronic signatures, or
certificate authorities themselves (provided that the federal
government or state doesn't only require the use of recoverable
encryption).
    In the 105th Congress, similar legislation (H.R. 695) was
reported by the Judiciary Committee, International Relations
Committee, Commerce Committee, and National Security Committee
(since renamed the Armed Services Committee). CBO letters were
included in each of those reports, and none of those letters
alleged that the legislation would prevent states from using
certain types of encryption technology.
    As H.R. 850 will next be considered in the 106th Congress
by the International Relations Committee, there will be at
least one more CBO letter regarding this bill. I look forward to
working with CBO to correct the incorrect statements from its
April 21 letter as H.R. 850 moves forward through the
legislative process.


                                                     Bob Goodlatte.


            ADDITIONAL COMMENTS OF CONGRESSWOMAN ZOE LOFGREN


    Following the Subcommittee Hearing I forwarded the
following correspondence to Associate Deputy Attorney General
Ron Lee with the enclosed attachment:


                     Congress of the United States,
                                  House of Representatives,
                                    Washington, DC, April 22, 1999.
Hon. Ron Lee,
Associate Deputy Attorney General,
Department of Justice, Washington, DC.
    Dear Mr. Lee: During your testimony on March 4, 1999, you
testified that there were ``many technologies that aren't,
strictly speaking, key recovery that do promote the interest of
law enforcement as well as other government interests.'' I
therefore asked you to tell me ``specifically'' what these ``many
technologies'' were.
    When you said, ``very well,'' and that you would supply the
requested information, our Subcommittee Chairman Howard Coble
further reinforced my request when he instructed, ``Give that
to us in detail if you will, Mr. Lee.''
    But more than a month later, I don't know what these many
technologies are and I have no detail at all from you. I have,
however, received a letter from the Office of Legislative
Affairs but that was not responsive at all.
    The letter I've received (and I've attached a copy for your
convenience) speaks of ``active discussions'' that ``might
help'' address the problem, and what ``a number of companies
have suggested to [the Department of Justice]'' and what are
characterized as ``three possible solutions.''
    This tardy submission by someone on your behalf is totally
inadequate. Either you got it wrong at the hearing or, for some
reason I can't fathom, you are withholding the very information
you promised to supply.
    I therefore respectfully request that you clarify which it
is, either that you misspoke, or supply the information you
originally promised to supply.
            Sincerely,
                                               Zoe Lofgren,
                                                     Congresswoman.
                                ------


                        U.S. Department of Justice,
                             Office of Legislative Affairs,
                                    Washington, DC, April 14, 1999.
Hon. Zoe Lofgren,
House of Representatives,
Washington, DC.
    Dear Congresswoman Lofgren: During Associate Deputy
Attorney General Ron Lee's March 4, 1999 testimony before the
Subcommittee on Courts and Intellectual Property of the
Committee on the Judiciary, you asked him to write to you to
identify those encryption technologies in addition to key
recovery that promote the interests of law enforcement.
    First, I would like to thank you for your continuing
interest in this topic. You will recall that you exchanged
letters on this matter with former Principal Associate Deputy
Attorney General Robert S. Litt just last summer and fall. In
his letter to you of September 24, 1998, Mr. Litt indicated
that what law enforcement needs is, quite simply, access to the
plaintext of encrypted data and communications when it has
lawful authority to obtain that plaintext. He also indicated
that law enforcement was not seeking a one-hundred percent
solution, but workable solutions that support the continued
ability of law enforcement to conduct judicially authorized
searches for data and interceptions of communications.
    Critics of law enforcement openly insist that its demands
are unattainable. However, there is nothing unattainable about
industry's developing products and services that protect not
only the security of encrypted data and communications but also
the security and safety of the persons using those products and
the public at large. It is important to remember that the goal
of providing law enforcement with access to plaintext is the
safety of the public.
    We recognize, of course, that industry is responsible for
designing and deploying information technologies, including
encryption products, and that it must do so in a competitive
marketplace. Both industry and government have learned that
there is a market demand for products allowing access to
plaintext (e.g., businesses that need to ensure the
availability of data). In addition, creating a technological
environment that directly, even if inadvertently, supports
criminal activity by enabling criminals to act with impunity is
not good for the public, industry, or the marketplace. While we
are asking that industry use its creative genius to create
smart solutions, those solutions will, in the long run, promote
both public safety and commerce.
    In this regard, industry has engaged in active discussions
with law enforcement about technical solutions that might help
address law enforcement's concerns. For example, a number of
companies suggested to us that for some network-based
encryption products there may be points in the network where
plaintext exists, or where encryption can be disabled by a
system administrator in response to a court order. Other
products, such as corporate encryption systems, by their very
nature, tend to be operated by corporate computer or network
administrators, who can otherwise provide law enforcement with
access to plaintext when such access is lawfully authorized.
Still other products provide each individual user with the
option to activate ``recovery'' for stored data, so that if the
user loses his key, he need not also lose his data (such
``recovery-capable'' products tend to use key recovery). Each
of these types of products helps to meet the needs of law
enforcement. And these are just three possible solutions out of
a panoply that are being or may be developed by industry.
    You may recall that the Administration updated its
encryption export control policy in 1998, taking into account
the benefits of such products for public safety worldwide. For
example, ``recoverable'' products are approved for export to
foreign commercial firms in over 40 countries. A number of
companies thereafter cited this update as an excellent example
of how industry and government can work together to find
workable solutions.
    Of course, the needs of public safety are just one of the
many interests to be considered in the encryption debate. The
Department of Justice supports the use of strong encryption for
legitimate purposes, such as the protection of privacy,
proprietary and financial information, and intellectual
property, as well as combating fraud and securing electronic
commerce. Based on our discussions with industry, we are
hopeful that it will develop more solutions that meet these
needs and also protect the safety of the public in general.
    I look forward to continuing to work with you in this
important area.
            Sincerely,
                                           Dennis K. Burke,
                                 Acting Assistant Attorney General.

