105TH CONGRESS
[DISCUSSION DRAFT]
SEPTEMBER 22, 1997
AMENDMENT TO HR 695
OFFERED BY MR. OXLEY OF OHIO
[Oxley/Manton Amendment: decryption requirements and liability]
(page & line nos. refer to Committee Print of 9/9/97)
Page 4, strike lines 11 through 23 and insert the
following (and redesignate the succeeding sections accordingly):
§ 2802. Domestic use of encryption products
"(a) FREEDOM TO USE ENCRYPTION. -- Subject to subsection (b) and
Section 2804, it shall be lawful for any person to manufacture or sell in
interstate commerce in the United States, or to import into the United
States, any encryption product, regardless of the encryption algorithm
selected, encryption key length chosen, or medium used.
"(b) DECRYPTION CAPABILITY REQUIREMENTS. --
"(1) IN GENERAL. -- Except as provided in paragraph (2), beginning
upon the effective date of the regulations issued under subsection
(c), any encryption product manufactured or sold in interstate
commerce, or imported into the United States, shall include
features that permit immediate access (pursuant to appropriate
judicial process) to the plaintext of communications or electronic
information encrypted by such product without the knowledge or
cooperation of the person using such product.
"(2) EXCEPTIONS. -- The requirements under paragraph (1) shall not
apply to an encryption product to the extent that --
"(A) the encryption product is used by a corporation,
organization, or other legal entity that maintains policies that
ensure law enforcement agencies have immediate access to the
plaintext of communications or electronic information encrypted by
such product without the knowledge or cooperation of --
"(i) a person using such product; or
"(ii) a person using a service provided by the corporation,
organization, or other legal entity that utilizes such
product;
"(B) the manufacturer of the encryption product formally agrees
in advance to provide to the appropriate and duly authorized
Federal, State, and local law enforcement agencies the technical
information and assistance that ensure law enforcement agencies
have immediate access to the plaintext of any communications or
electronic information encrypted using the product without the
knowledge or cooperation of the person using the product; or
"(C) the product was manufactured before January 1, 1999.
"(c) IMPLEMENTATION. --
"(1) CONTENT. -- The Attorney General, in consultation with the
Secretary of Commerce, shall carry out a rulemaking proceeding to
implement subsection (b). The regulations issued under such
rulemaking --
"(A) shall provide that ensuring access, by a third party, to
the plaintext of an encrypted communication or electronic
information (including by placing any key for an encryption
product in escrow with any third party or any other sharing of
private encryption keys) shall be sufficient to comply with the
requirement under subsection (b)(1);
"(B) shall provide that no officer of the Federal Government or
any State may require any particular decryption methodology
(including a methodology described in subparagraph (A)) in order
to comply with the requirements of subsection (b)(1);
"(C) may not have the effect of rendering inoperable, for its
intended purposes, any encryption product manufactured before
January 1, 1999; and
"(D) shall provide that no officer of the Federal Government or
any State may disclose to any person, other than to a law
enforcement authority, any information considered to be company
proprietary or confidential by the manufacturer of the encryption
product.
"(2) TIMING AND PROCEDURE. -- The rulemaking proceeding under
paragraph (1) --
"(A) shall be initiated within 90 days after the date of
enactment of the Security and Freedom Through Encryption (SAFE)
Act;
"(B) shall be completed within one year after such date of
enactment; and
"(C) shall be conducted in accordance with section 553 of title
5, United States Code and shall be subject to judicial review
under chapter 7 of such title.
"(3) EFFECTIVE DATE. -- The regulation issued under this
subsection shall take effect on January 1, 1999.
"(d) CRIMINAL PENALTY. --
"(1) IN GENERAL. -- Any person within the United States who
manufactures, alters, sells, or knowingly imports into the United
States any encryption product that does not comply with the
requirements under subsection (b) shall be imprisoned for not more
than 5 years, or fined in the amount set forth in this title, or
both.
"(2) PROTECTION OF MANUFACTURERS. -- A person who manufactures an
encryption product shall not be considered to have committed a
violation under paragraph (1) if the encryption product fails to
comply with requirements under subsection (b) (or the regulations
issued under subsection (c) to implement such requirements) because
the product was altered subsequent to manufacture by a person not
under the control of the manufacturer.
"§ 2803. Privacy Protection
Page 6, line 2, strike the quotation marks and the last period and
insert the following new section:
"§ 2805 Liability Limitations
"No person shall be subject to civil or criminal liability for
providing access to the plaintext of an encrypted communication or an
encrypted electronic information to any law enforcement official or
authorized government entity, pursuant to judicial process.
Page 3, after line 17, insert the following new paragraphs (and
redesignate the succeeding paragraphs accordingly):
"(3) the term 'certificate or authority' means a person entrusted
by one or more persons to create and assign public key certificates;
"(4) the term 'public key certificates' means a certification of
the determination of the origin of encrypted information through
verification of a person's public key by identifying the unique
characteristics of the key;
"(5) [the term 'public key' means, for encryption products using
more than one key for encryption and decryption, the key that is
intended to be publicly known];
"(6) the term 'communications' includes wire communications and
electronic communications;
"(7) the term 'electronic information' means any signs, signals,
writing, images, sounds, data, or intelligence of any nature stored
in whole or in part by a wire, radio, electromagnetic, photo
electronic, or photo-optical system;
"(8) the term 'plaintext' means, with respect to communications or
electronic information, the form of the communications or information
before it has been encrypted or, if encrypted, the form after it has
been electronically transformed into its original form;
"(9) the term 'encryption product' means any product, software, or
technology that can be used to encrypt and decrypt communications or
electronic information and any product, software, or technology with
encryption capabilities;