ENCRYPTED COMMUNICATIONS PRIVACY ACT OF 1996
Summary
SEC. 1. SHORT TITLE. The Act may be cited as the "Encrypted
Communications Privacy Act of 1996."
SEC. 2. PURPOSE. The Act would ensure that Americans have the
maximum possible choice in encryption methods to protect the security,
confidentiality and privacy of their lawful wire and electronic
communications. For those Americans who choose an encryption method
in which another person, called a "key holder," is voluntarily
entrusted with the decryption key, the Act would establish privacy
standards for the key holder, and procedures for law enforcement
officers to follow to obtain assistance from the key holder in
decrypting encrypted communications.
SEC. 3. FINDINGS. The Act enumerates fifteen congressional findings,
including that a secure, private and trusted national and global
information infrastructure is essential to promote citizens' privacy
and meet the needs of both American citizens and businesses, that
encryption technology widely available worldwide can help meet those
needs, that Americans should be free to use, and American businesses
free to compete and sell, encryption technology, programs and
products, and that there is a need to develop a national encryption
policy to advance the global information infrastructure and preserve
Americans' right to privacy and the Nation's public safety and
national security.
SEC. 4. FREEDOM TO USE ENCRYPTION.
(a) Lawful Use of Encryption. The Act legislatively confirms
current practice in the United States that any person in this country
may lawfully use any encryption method, regardless of encryption
algorithm, key length or implementation selected. The Act thereby
prohibits any government-mandated use of any particular encryption
system, such as a key escrow encryption system.
The Act further makes lawful the use of any encryption method by
United States persons in a foreign country. This provision is
consistent with, though broader than, the Department of State's new
personal use exemption published in the Federal Register on February
16, 1996, that permits the export of cryptographic products by U.S.
citizens and permanent residents who have the need to temporarily
export the cryptographic products when leaving the U.S. for brief
periods of time. For example, under this new exemption, U.S. citizens
traveling abroad will be able to take their laptop computers
containing copies of Lotus Notes software, many versions of which
contain an encryption program otherwise not exportable.
(b) General Constructions. Nothing in the Act is to be construed
to require the use of encryption, a key escrow encryption system, or a
key holder if a person chooses to use a key escrow encryption system.
SEC. 5. ENCRYPTED WIRE AND ELECTRONIC COMMUNICATIONS. This section
of the Act adds a new chapter 122, entitled "Encrypted Wire and
Electronic Communications," to title 18 of the United States Code to
establish privacy standards for key holders and to set forth
procedures that law enforcement officers must follow to obtain
decryption assistance from key holders.
(a) In General. New chapter 122 has five sections.
§ 2801. Definitions. Generally, the terms used in the new chapter
have the same meanings as in the federal wiretap statute in 18 U.S.C.
§ 2510. Definitions are provided for "encryption", "key holder",
"decryption key", and "decryption assistance". A "key holder" may, but
is not required to be, a Federal agency.
This chapter applies only to wire or electronic communications and
communications in electronic storage, as defined in 18 U.S.C. § 2510,
and not to stored electronic data. For example, encrypted electronic
mail messages, encrypted telephone conversations, encrypted facsimile
transmissions, encrypted computer transmissions and encrypted file
transfers over the Internet would be covered, but not encrypted data
merely stored on computers.
§ 2802. Prohibited acts by key holders.
(a) UNAUTHORIZED RELEASE OF KEY.- Key holders will be subject
to both criminal and civil liability for the unauthorized release of
decryption keys or providing unauthorized decryption assistance.
(b) AUTHORIZED RELEASE OF KEY.- Key holders are authorized to
release decryption keys or provide decryption assistance with the
consent of the key owner, as may be necessary for the holding or
management of the key, or to investigative or law enforcement officers
upon compliance with the procedures set forth in subsection (c).
(c) REQUIREMENTS FOR RELEASE OF DECRYPTION KEY TO INVESTIGATIVE
OR LAW ENFORCEMENT OFFICER.- To obtain access to a decryption key or
decryption assistance from a key holder, an investigative or law
enforcement officer must present to the key holder the same form of
lawful process used to obtain access to the encrypted content. For
example, to obtain the decryption key to, or decryption assistance
for, an encrypted telephone conversation that is the subject of a
court-ordered wiretap under 18 U.S.C. § 2518, a law enforcement agent
must present a court order to the key holder to obtain the decoding
key. Likewise, to obtain the decryption key to, or decryption
assistance for, an encrypted stored wire or electronic communication,
a law enforcement officer must present a court warrant, order,
subpoena or certification, depending upon what process was used to
obtain access to the stored communication.
Key holders may only provide the minimal key release or decryption
assistance needed to access the particular communications specified by
court order or other legal process. Released keys or other decryption
assistance may only be used in the manner and for the purpose and
duration expressly provided by court order or other legal process.
A key holder who fails to provide the decryption key or decryption
assistance called for in the court order, subpoena or other lawful
process may be penalized under current contempt or obstruction laws.
(d) RECORDS OR OTHER INFORMATION HELD BY KEY HOLDERS.- Key
holders are prohibited from disclosing records or other information
(not including decryption keys) pertaining to key owners, except with
the owner's consent or to an investigative or law enforcement officer,
pursuant to a subpoena, court order or other lawful process.
(e) CRIMINAL PENALTIES.- Key holders who violate this section
for a tortious, malicious or an illegal purpose, or for direct or
indirect commercial advantage or private commercial gain, will be
subject to a fine and up to 1 year imprisonment for a first offense,
and fine and up to 2 years' imprisonment for a second offense. Other
reckless and intentional violations would subject the key holder to a
fine of up to $5000 and up to 6 months' imprisonment.
(f) CIVIL DAMAGES.- Persons aggrieved by key holder violations
may sue for injunctive relief, and actual damages or statutory damages
of $5,000, whichever is greater.
(g) DEFENSE.- A complete defense is provided if the
defendant acted in good faith reliance upon a court order, warrant,
grand jury or trial subpoena or statutory authorization.
§ 2803. Reporting requirements. The Attorney General is required to
include in her report to the Administrative Office of the U.S. Courts
under 18 U.S.C. § 2519(2), the number of orders and extensions served
on key holders to obtain access to decryption keys or decryption
assistance. The Director of the Administrative Office of the U.S.
Courts is required to include this information, and the offenses for
which the orders were obtained, in the report to Congress under 18
U.S.C. § 2519(3).
§ 2804. Unlawful use of encryption to obstruct justice.
Persons who willfully use encryption in an effort and for the purpose
of obstructing, impeding, or prevent the communication of information
in furtherance of a federal felony crime to a law enforcement officer,
would be subject to a fine and up to 5 years' imprisonment for a first
offense, and up to 10 years' imprisonment for a second or subsequent
offense.
§ 2805. Freedom to sell encryption products.
(a) IN GENERAL.- The Act legislatively confirms that it is
lawful to sell any encryption, regardless of encryption algorithm, key
length or implementation used, domestically in the United States or
its territories.
(b) CONTROL OF EXPORTS BY SECRETARY OF COMMERCE.-
Notwithstanding any other law, the Act vests the Secretary of Commerce
with control of exports of hardware, software and technology for
information security, including encryption for both communications and
other stored data, except when the hardware, software or technology is
specifically designed or modified for military use.
No export license may be required for encryption software and
hardware with encryption capabilities that is generally available,
including mass market products (i.e., those generally available, sold
"as is", and designed for installation by the purchaser) or encryption
in the public domain and generally accessible. For example, no
licenses would be required for encryption products commercially
available without restriction and sold "as is", such as Netscape's
commercially available World Wide Web Browser, which can not be
exported. Similarly, no license would be required to export software
and corresponding hardware placed in the public domain and generally
accessible, such as Phil Zimmermann's Pretty Good Privacy program,
which has been distributed to the public free of charge via the
Internet.
In addition, the Secretary of Commerce must authorize the export of
encryption software to commercial users in any country to which
exports of such software has been approved for use by foreign
financial institutions, except when there is substantial evidence that
the software will be diverted or modified for military or terrorists'
end-use or re-exported without requisite U.S. authorization. Finally,
the Secretary of Commerce must authorize the export of computer
hardware with encryption capabilities if the Secretary determines that
a product with comparable security is commercially available from
foreign suppliers without effective restrictions outside the United
States.
Significantly, the government is authorized to continue controls on
countries that pose terrorism concerns, such as Libya, Syria and Iran,
or other embargoed countries, such as Cuba and North Korea, pursuant
to the Trading With the Enemy Act or the International Emergency
Economic Powers Act.
(b) Technical Amendment. The Act adds new chapter 122 and the
new title in the table of chapters in title 18 of the United States
Code.
SEC. 6. INTELLIGENCE ACTIVITIES. The Act does not authorize the
conduct of intelligence activities, nor affect the conduct by Federal
government officers or employees in intercepting (1) encrypted or
other official communications of Federal executive branch or Federal
contractors for communications security purposes; (2) radio
communications between or among foreign powers or agents, as defined
by the Foreign Intelligence Surveillance Act (FISA); or (3) electronic
communication systems used exclusively by foreign powers or agents, as
defined by FISA.
Return to the CDT Cryptography Page
Return to the CDT Home Page