The Congress finds the following:

(a) The development of the information superhighway is fundamentally changing the way we interact. The nation's commerce is moving to networking. Individuals, government entities, and other institutions are communicating across common links.

(b) The Internet has provided our society with a glimpse of what is possible in the information age, and the demand for information access and electronic commerce is rapidly increasing. This demand is arising from all elements of society, including individuals, banks, manufacturers, online merchants, service providers, State and local governments, and educational institutions.

(c) At the same time, society's increasing reliance on information systems in this new environment exposes U.S. citizens, institutions, and their information to unprecedented risks.

(d) In order for the global information infrastructure and electronic commerce to achieve their potential, information systems must overcome these risks and must provide trusted methods to identify users and keep data and communications confidential.

(e) Cryptography can meet these needs. In particular, cryptography, through the technique of encryption, is an important tool in protecting the confidentiality of wire and electronic communications and stored data. Thus, there is a national need to encourage the development, adoption, and use of cryptographic products that are consistent with the foregoing considerations and are appropriate for use by private parties and by the United States Government.

(f) While encryption is an important tool for protecting the privacy of legitimate communications and stored data, it has also been used to facilitate and hide unlawful activity by terrorists, drug traffickers, child pornographers, and other criminals.

(g) The advent and eventual widespread use of encryption poses significant and heretofore unseen challenges to law enforcement and public safety. While under existing law, both statutory and constitutional in nature, law enforcement is provided with different means to collect evidence of illegal activity - in the form of communications, stored data on computers, etc. - these means are rendered wholly insufficient when encryption is utilized to scramble the information in such a manner that law enforcement, acting pursuant to lawful authority, cannot decipher the evidence.

(h) Technology does not presently exist that allows law enforcement timely to decrypt such information. In the context of law enforcement operations, for example, stopping a terrorist attack or seeking to recover a kidnaped child, time is of the essence and may mean the difference between success and catastrophic failure. While: existing means of obtaining evidence would remain applicable in a fully-encrypted world, the failure to provide law enforcement with the necessary ability to obtain the plaintext, or decrypted "readable" version, of the evidence makes
existing authorities useless.

(i) A sound and effective public policy must support the development and use of encryption for legitimate purposes but allow access to plaintext by law enforcement when encryption is utilized by criminals. Law enforcement entities have a critical need to decrypt communications and stored data that they are lawfully authorized to access in order to obtain the plaintext that is necessary to conduct investigations and prosecutions of such unlawful activity, and there is a compelling national interest in preserving law enforcement entities' ability to obtain such plaintext. Appropriate means must be available to fulfill these law enforcement objectives, consistent with existing legal authorities and constitutional principles, in order to protect public safety. This requires an approach which properly balances critical privacy interests with the need to preserve public safety.

(j) While means to aid investigators' and prosecutors' efforts to obtain plaintext are needed, this Act is not intended to make it unlawful for any person to use encryption in the United States for otherwise lawful purposes, regardless of the encryption algorithm selected, key length chosen, or implementation technique or medium used. Similarly, this Act is not intended to require anyone to use third parties for storage of decryption keys, and this Act does not establish any regulatory regime for entities engaging in such an activity. Finally, this Act is not intended to affect export controls on cryptographic products.

Section 2711 of title 18, United States Code, is redesignated as section 2719.

(a) Subsection 2703(d) of title 18, United States Code, is amended by striking "described in section 3127(2)(A) and".

(b) Section 2707 of title 18, United States Code, is amended--

"(b) Authorizations for disclosure or use.-

"(c) Confidentiality -- Except as otherwise provided by law, or by order of a court of competent jurisdiction, a recovery agent who is requested or ordered to disclose stored recovery information to, or to use stored recovery information on behalf of, a governmental entity pursuant to paragraph (b)(1) above shall not reveal to any person or entity the fact that the governmental entity has requested or received stored recovery information from, or has required the use of stored recovery information by, the recovery agent, and shall not disclose to any other person or entity any decrypted data or communications that are provided to the governmental entity.

"(d) Exclusions.-Nothing in this section or section 2712 of this title shall be construed to prohibit a recovery agent from:

but an order under this section must be sought within forty-eight hours after the stored recovery information has been released or the decryption has occurred. In the event no order is requested within that time or the request for an order is denied, the governmental entity shall not further use or disclose the recovery information received or plaintext recovered, shall seal such information or plaintext under the direction of a court of competent jurisdiction, and shall serve notice as provided for in subsection (c) of this section;

A federal governmental entity may require a recovery agent to disclose stored recovery information to it or another federal governmental entity, or to use stored recovery information to decrypt data or communications, under paragraphs (1), (2), (3), or (4) for the benefit of a foreign government, pursuant to a request of a foreign government under applicable legislation, treaties, or other international agreements.

"(b) Requirements for court order for disclosure or use of stored recovery information by a recovery agent.-A court order requiring a recovery agent to disclose stored recovery information to a governmental entity or to use stored recovery information to decrypt data or communications on behalf of a governmental entity shall be issued by a court of competent jurisdiction upon a finding, based on specific and articulable facts, that-

"(c) Notice.- Within 90 days after receiving stored recovery information or decrypted data or communications from a recovery agent, the governmental entity shall notify the person or entity, if known, who stored the recovery information that stored recovery information was disclosed or used by the recovery agent, and such notice shall state the date on which the stored recovery information or decrypted data and communications were disclosed. On the government's ex parte showing of good cause, the giving of notice may be postponed by a court of competent jurisdiction. Notice under this section shall be provided by personal service, or by delivery by registered or first-class mail.

"(d) Cost reimbursement.-A governmental entity obtaining stored recovery information from a recovery agent or directing a recovery agent to decrypt the data or communications pursuant to subsection (b) shall pay to the recovery agent a fee for reimbursement for such costs as are reasonably necessary and which have been directly incurred in providing such information or decrypting such data and communications. The amount of the fee shall be as mutually agreed by the governmental entity and the recovery agent, or, in the absence of agreement, shall be as determined by the court which issued the order pursuant to subsection (b).

"(c) Destruction of recovery information.-Unless otherwise specified in an order of a court of competent jurisdiction, once the authorized use of recovery information obtained by compulsory process, and all investigations, trials, and appeals related to that use are completed, after the time period for filing a request for post-conviction relief has expired, and after any statutory period for retention of records has expired, a governmental entity, a recovery agent assisting a governmental entity, or other person or entity who has received a disclosure under this section, shall destroy such recovery jnformation in its possession and the governmental entity shall make a record documenting the destruction of such recovery information that is in its possession and shall maintain that record for at least 10 years.

"(a) Confidentiality of access techniques.-In any civil or criminal case where a party seeks (1) to discover or introduce plaintext that had been encrypted or protected by other security techniques or devices, and which plaintext had been obtained using government methods of access to such protected information, or (2) to discover or introduce evidence or information concerning government methods of access to such protected information, an attorney for the government (as that term is defined in the Federal Rules of Criminal Procedure), whether or not the government is a party, may file, ex parte and in camera, an application requesting that the court enter an order pursuant to subsection (b) protecting the confidentiality of the technique or mechanism that provided access to that evidence or information.

"(b) Confidentiality orders. -If the court finds that disclosure of a technique or mechanism used by a governmental. entity to obtain access to information protected by encryption or other security techniques or devices-

"(c) Nondisclosure of trade secrets.-Notwithstanding any other provision of law, trade secrets (as that term is defined in section 1839 of this title) disclosed to the government pursuant to section 2518 or 2713 of this title, or otherwise disclosed to a governmental entity to assist it in obtaining access to information protected by encryption or other security techniques or devices, shall not be disclosed by any governmental entity unless such disclosure is to another governmental entity, is necessary to implement such methods of access, is with the consent of the person or entity that owns the trade secret, or is ordered by a court of competent jurisdiction pursuant to a request of that governmental entity.

"(d) Interaction with the Classified Information Procedures Act.-Nothing in this section shall be deemed to affect the Classified Information Procedures Act, Pub. L. 96-456, 94 Stat. 2025 (1980), or as hereafter amended.

(b) in paragraph (2), by striking the period and inserting a semicolon; and

(c) by adding at the end the following:

(a) Chapter title.-- The title of chapter 121 of title 18, United States Code, is amended by adding "AND RECOVERY INFORMATION ACCESS" to the end thereof.

(b) Chapter analysis.-- The chapter analysis for chapter 121 of title 18, United States

Code, is amended by striking the last item and inserting the following:

(c) Part analysis.-The part analysis for Part I of title 18, United States Code, is amended by inserting "and recovery information access" after "access" in the item for chapter 121.

(a) Amendment of sentencing guidelines.-- Pursuant to its authority under section 994(p) of title 28, United States Code, the United States Sentencing Commission shall review the federal sentencing guidelines and, if appropriate, shall promulgate guidelines or policy statements or amend existing guidelines or policy statements to--

(b) by striking the period at the end of subparagraph (D) and inserting "; or" and (c) by adding at the end the following new subparagraph: