SEC. 1. SHORT TITLE. The Act may be cited as the "Electronic Rights (E-RIGHTS) for the 21st Century Act."

SEC. 2. PURPOSES. The Act has three general purposes: (1) promoting the privacy and constitutional rights of individuals and organizations in networked computer systems, and the security of critical information infrastructures, while properly balancing law enforcement access needs; (2) encouraging Americans to develop and deploy encryption technology and to promote the use of encryption by Americans to protect the security, confidentiality and privacy of their lawful wire and electronic communications and stored electronic information; and (3) establishing privacy standards and procedures for law enforcement officers to obtain decryption assistance for encrypted communications and information.

SEC. 3. FINDINGS. The Act enumerates twenty congressional findings that law enforcement investigative and electronic surveillance needs must be balanced with the right to privacy and other rights protected under the Fourth Amendment of the Constitution; encryption technology, which is widely available worldwide, is useful in protecting the privacy, security, and confidentiality of the national and global information infrastructure; Americans should be free to use, and American businesses free to compete and sell, encryption technology, programs and products; and given the convergence among digital media, privacy safeguards should be applied more uniformly to provide a level competitive playing field.

SEC. 4. DEFINITIONS.- The terms 'agency','person' and 'state' have the same meaning given those terms in specified sections of title 18, United States Code, except that the term 'agency' also includes the United States Postal Service.

Additional definitions are provided for the following terms:

The terms "encrypt" and "encryption" mean the use of mathematical formulas or algorithms to scramble or unscramble electronic data or communications for purposes of confidentiality, integrity, or authenticity. As defined, the terms cover a broad range of scrambling techniques and applications including cryptographic applications such as PGP or RSA's encryption algorithms; steganography; authentication; and winnowing and chafing.

The term "encryption product" includes any hardware, software, devices, or other technology with encryption capabilities, whether or not offered for sale or distribution.

The term 'key' means the variable information used in or produced by a mathematical formula to encrypt or decrypt wire or electronic communications or electronically stored information.

The term 'United States person' means any citizen of the United States or legal entity organized under U.S. law that has its principal place of business in this country.

SEC. 101. ENHANCED PRIVACY PROTECTION FOR INFORMATION ON COMPUTER NETWORKS. The Act modifies subsection (b) of section 2703 of title 18, United States Code, to extend privacy protections to electronic information stored on computer networks.

When held in a person's home, records may only be seized pursuant to a warrant based upon probable cause, or compelled under a subpoena, which may be challenged and quashed. In both instances, the record owner has notice of the search and an opportunity to challenge it. By contrast, under United States v. Miller, 425 U.S. 435 (1976)(customer has no standing to object to bank disclosure of customer records), and its progeny, records in the possession of third parties do not receive Fourth Amendment protection. A governmental agent with a subpoena based upon mere relevance may compel a third party to produce records originating with or belonging to another person, without notice to the person to whom the records pertain. The record subject may never receive notice or any meaningful opportunity to challenge the production.

This lack of protection for records held by third parties presents new privacy problems in the information age. With the rise of network computing, electronic information that was previously held on a person's own computer is increasingly stored elsewhere, such as on a network server. In many cases the location of such information is not even known to the record's owner.

Furthermore, Web-based information services are attracting customers by offering free storage and services accessible from any computer. Companies like When.com, Briefcase.com, Yahoo and Netscape offer calendars, address books, 'to do' lists, stock portfolios and storage space, while more targeted companies, like dietwatch.com let users keep track of their diets. Potential customers of such services should not be discouraged from subscribing due to the weaker privacy and confidentiality protections afforded their remotely stored records than if those records were stored on the customer's own laptop or PC.

Under current law, these services are covered by the remote computing service provision in 18 U.S.C. § 2703(b), which authorizes a governmental entity to require disclosure of those communications without notice to the subscriber. A remote computing service provides storage or computer processing services to customers and is not authorized to access the contents of the electronic communications created by the customer.

The Act amends section 2703(b) to extend the same privacy protections to a person's records whether storage takes place on that person's personal computer in their possession or in networked electronic storage. The amendment to section 2703(b) would authorize a governmental entity to require disclosure of electronic communications or records stored by a remote computing service pursuant to (i) a state or federal warrant (based upon probable cause), with a copy to be served on the customer or record owner at the same time the warrant is served on the remote computing service holding the record; or (ii) a subpoena that must also be served on the customer or record owner with a meaningful opportunity to challenge the subpoena.

The penalties for violating this section would not change and do not currently carry criminal fines or any term of imprisonment.(See 18 U.S.C. § 2701(c)(criminal offense provision does not apply to 'conduct authorized... in section 2703"). Instead, under 18 U.S.C. § 2707, a government agent that violates this section is subject to disciplinary action, and a service provider that violates this section is subject to civil action for appropriate relief.

SEC. 102. GOVERNMENT ACCESS TO LOCATION INFORMATION. The Act adds a new subsection (g) to section 2703 of title 18, United States Code, to extend privacy protections for physical location information generated on a real time basis by mobile electronic communications services, such as cellular telephones. This section requires that physical location information generated by a wireless service provider may only be released to a governmental entity pursuant to a court order based upon probable cause.

Location information on wireless telephones is fundamentally different from the type of location information that can be associated with a wireline telephone. Wireless telephones are normally directly associated with the physical presence of the individual user, and are carried by those users into places where there is a reasonable expectation of privacy. Tracking of cellular telephones, even more-so than automobiles, implicates the movements of a person going about his or her business and personal life.

Should the government seek to track a person by surreptitiously placing a mobile tracking device on that person's automobile, a court order would be required based upon a finding of probable cause. (See 18 U.S.C. § 3117; Fed. R. Cr. P. 41; U.S. v. In re Application, 155 F.R.D. 401, 402 (D. MA 1994)). No less should be required for use by the government of a wireless telephone as a tracking device.

Civil liberties experts have noted that cellular telephone technology 'is proceeding in the direction of providing more precise location information, a trend that has been boosted by the rulings of the Federal Communications Commission (FCC) in its 'E911" (Enhanced 911) proceeding, which requires service providers to develop a locator capability for medical emergency and rescue purposes.' (Testimony of Deirdre Mulligan, Center for Democracy and Technology, before the House Committee on the Judiciary, Subcommittee on Courts and Intellectual Property, March 26, 1998). Specifically, the FCC is requiring wireless service providers to modify their systems to enable them to relay to public safety authorities the cell site location of 911 callers. Carriers must also take steps to deploy the capability to provide latitude and longitude information of wireless telephone callers within 125 meters and, ultimately, to locate a caller within a 40-foot radius for longitude, latitude and altitude, to enable locating a caller within a tall building. (See In re Revision of the Commission's Rules to Ensure Compatibility with Enhanced 911 Emergency Calling Sys., CC Docket No. 94-102, Report and Order and Further Notice of Proposed Rulemaking (last modified Jan. 2, 1997)).

In a separate proceeding, the FCC in October 1998 proposed ruling that a location tracking capability for wireless telephones was required under the Communications Assistance for Law Enforcement Act (CALEA). The FCC has tentatively concluded that carriers must have the capability of providing to law enforcement a caller's cell site location at the beginning and termination of a call. (See In re CALEA, CC Docket No. 97-213, Further Notice of Proposed Rulemaking (adopted October 22, 1998), 63 Fed. Reg. 63639, November 16, 1998). Whether this capability is ultimately required by the FCC as part of CALEA, there is no doubt that real-time location information will be increasingly available to law enforcement agencies. Accordingly, the appropriate standard for law enforcement access to such location information should be clarified.

SEC. 103. ENHANCED PRIVACY PROTECTION FOR TRANSACTIONAL INFORMATION OBTAINED FROM PEN REGISTERS OR TRAP AND TRACE DEVICES. The Act enhances privacy protections for information obtained from pen register and trap and trace devices by amending section 3123(a) of title 18, United States Code. Under current law, the court is relegated to a mere ministerial function and must issue a pen register or trap and trace order whenever presented with a signed certification of a prosecutor.

This amendment authorize the court to review the information presented in the certification to determine whether the information likely to be obtained is relevant to an ongoing criminal investigation. The amendment would not change the standard for issuance of an ex parte order authorizing use of a pen register or trap and trace device.

In addition, the amendment would require law enforcement to minimize the information obtained from the pen register or trap and trace device that is not related to the dialing and signaling information utilized in call processing.

Currently, pen registers capture not just such dialing information but also any other dialed digits after a call has been connected. The Department of Justice has taken the position in connection with legislation pending in the 105th Congress regarding law enforcement access to clone numeric pagers that digits dialed and transmitted after a call has been placed may consist of electronic impulses but 'are the 'contents' of the call,' subject to more stringent privacy protections under the Fourth Amendment. This provision would provide protection for those 'contents.'

Sec. 104. PRIVACY PROTECTION FOR CONFERENCE CALLS. This section clarifies the circumstances under which the government may continue monitoring a three-way call or conference call after a facility specified in the wiretap order is no longer connected to the call. The Fourth Amendment requires the government when conducting a search and seizure to have a warrant "particularly describing the place to be searched, and the person or things to be seized." Under the terminology of the wiretap laws, the place to be searched is called a "facility," which has generally been interpreted to mean a subscriber telephone line.

Modern three-way and conference calling technology allows an individual to initiate a three-way or conference call with two or more other parties and then to 'drop off' the call while the other parties continue communicating. At that point, the telephone line specified in the order is no longer connected to the call. This section makes it clear that the government may continue monitoring the communications of parties remaining on a conference call when the facility identified in the wiretap order is no longer participating only if the government has shown and the authorizing judge has found that an individual who remains a party to the communication is committing, has committed or is about to commit a particular offense enumerated in the wiretap order and that communications concerning that offense will be obtained through the continuing interception. Since these are the basic standards of the wiretap law, which the government must satisfy for any interception, the effect of the change is to make it clear that the interception of the remaining parties to a three-way or conference call must satisfy the basic requirements of the wiretap law.

Sec. 105. ENHANCED PRIVACY PROTECTION FOR PACKET NETWORKS, INCLUDING THE INTERNET. This section amends subsection 3121(c) of title 18 to require law enforcement agencies conducting pen register or trap and trace investigations on packet communications to use reasonably available technology to ensure that they do not intercept the content of communications without a Title III order. The electronic surveillance laws draw a distinction between the interception of content, which requires a court order based on the high probable cause standard, and the interception of call routing information, which is obtained under the lower pen register or trap and trace authority in sections 3121 - 3127. The Communications Assistance for Law Enforcement Act of 1994 requires carriers, to the extent reasonably achievable, to design their systems to ensure that law enforcement agencies conducting pen register and trap and trace investigations do not intercept the content of communications. Subsection 3121(c), originally added by CALEA, imposed a mirror obligation on law enforcement to use pen register or trap and trace equipment that does not record or decode content.

Sec. 105 amends 3121(c) to make it clear that obligation applies to packet switched communications, which are based on technology that breaks a digital message into many small packets, each consisting of addressing or routing information plus a segment of content. This change makes it clear that law enforcement agencies using pen registers or trap and trace devices in packet switched environments must, if the technology is reasonably available, record or decode only addressing information, not content.

Sec. 106. PRIVACY SAFEGUARDS FOR INFORMATION COLLECTED BY INTERNET REGISTRARS. The Act would amend section 2703 of title 18, United States Code, to add a new subsection (g) protecting the privacy of records pertaining to persons who register for a second-level domain name, which serves as an Internet address. Just as consumers may, by obtaining an unlisted telephone number for privacy, safety or other reasons, keep confidential personally identifiable information associated with telephone numbers, such as name and address, Internet users should be able to get an 'unlisted' Internet address. A domain name registration service provider that violates this section would be subject to civil action for appropriate relief, under 18 U.S.C. § 2707.

Internet domain names are the unique identifiers or addresses that enables businesses, organizations, and individuals to communicate and conduct commerce on the Internet.

Until recently, pursuant to a cooperative agreement with the Department of Commerce, Network Solutions, Inc. (NSI), was the exclusive registrar assigning domain names ending in .com, .net, .org and .edu. As a registrar, NSI enters new domain names into the master directory or registry.

The U.S. government is in the process of privatizing the administration of the Internet domain name system (DNS) to increase competition in the registration of domain names. With the advent of competition in the DNS, NSI will continue to operate the .com, .net, .org registries, but other companies, including domain name registration resellers, country code registries, ISPs, and major telecommunications firms, may be able to offer competing registrar services or registry/registrar services using other top level domains.

Normally, in order to process a request for a domain name, registrars and registries must collect personal information for billing and other purposes. The information currently collected by NSI includes: name, organization, address, country, contacts for administrative, technical and billing matters, telephone and fax numbers, and e-mail address. This information, along with the date on which the name was registered and information on the computer network used by the registrant to connect to the Internet, is compiled in a registry and made publicly available on an Internet-accessible 'WHOIS' database.

This database provides an efficient way of identifying and contacting persons operating Web sites for both legitimate or illegitimate purposes, such as online trademark and copyright infringement. The personally identifiable information placed on the WHOIS database has been misused for 'spamming', or sending unsolicited and unwanted e-mail messages to the persons who are registered with domain names. In addition, this information has been used by 'cyber-squatters' to appropriate domain names for resale to the rightful owners. Despite these misuses and abuses of the WHOIS database, this information is valuable to marketers, news organizations, governments, and intellectual property owners.

'Personally identifiable information collected by domain name registrars has privacy implications. For example, when human rights organizations obtain a domain name to use the Internet for political activities, disclosure of the required mailing and contact information may be dangerous. The importance of anonymity is amply demonstrated by the recent example of people in Kosovo, who are using anonymous remail services to try to maintain confidential communications and avoid detection by Serbian forces. (See New York Times, at C4, April 19, 1998). As one civil liberties organization has said, 'Internet users should not have to sacrifice their privacy and personal safety to exercise their right to free speech and expression.'

The amendment seeks to balance these competing interests by setting procedures for access to personally identifiable information regarding domain name holders. The procedures allow continued public access to information identifying the service provider hosting the website of the subscriber or customer, and are consistent with procedures adopted by the Congress in the Digital Millennium Copyright Act (DMCA), P.L. 105-304, 112 STAT. 2883 (1998), which authorizes copyright owners to obtain information identifying the operators of Web sites or other Internet addresses engaged in possible copyright infringements through use of an expedited subpoena process. The DMCA provides that copyright owners 'may request a clerk of any U.S. district court to issue a subpoena to a service provider for identification of an alleged infringer.' 17 U.S.C. § 512(h)(1).

Sec. 107. REPORTS CONCERNING GOVERNMENTAL ACCESS TO ELECTRONIC COMMUNICATIONS. This section requires the Attorney General to provide to Congress annual reports on the number and nature of government interceptions of E-mail and other electronic communications. To provide the appropriate oversight, the Congress, other policy makers and the public need information about government practices under the law. While the wiretap provisions of Title III require detailed reports by the courts and prosecutors on the number of wiretap orders issued, there is no similar requirement for collecting and publishing information on the nature and extent of government access to E-mail and other electronic communications under section 2703. Section 107 corrects this deficiency by requiring the Attorney General to transmit to Congress on an annual basis a report on the warrants, court orders and subpoenas applied for and issued under section 2703.

Sec. 108. ROVING WIRETAPS. This section amends subsection (11)(b) of section 2518 of title 18, United States Code, concerning the standard for issuance of a roving wiretap. This standard was modified without debate or hearing in the Intelligence Authorization Act for Fiscal Year 1999, P.L. 105-272, that passed in the final days of the 105^th Congress, to address the concern of the Department of Justice that the prior standard for roving taps was too difficult to meet because it required the government to demonstrate that the subjective intent of the target was to avoid surveillance. However, the modification eliminated virtually any standard at all.

This section would amend the roving wiretap provision by preserving the central rationale for roving taps: that they are only appropriate where the subject is changing facilities in a way that thwarts interception. As amended by this section, (b)(i) does not require the government to prove intent; it only requires the government to show effect. Alternatively, under (b)(ii), the government can obtain a roving tap where it can show the intent of the target, e.g., where an associate of the target informs the government that the target intends to evade surveillance by changing facilities.

Sec. 109. AUTHORITY TO PROVIDE CUSTOMER LOCATION INFORMATION FOR EMERGENCY PURPOSES. This section amends section 222 of the Communications Act of 1934 (47 U.S.C. 222) to authorize telecommunications carriers to: (1) provide call location information concerning the user of a commercial mobile service to providers of emergency services, to inform such user's legal guardian or family members of the user's location in an emergency situation involving the risk of death or serious bodily injury, or to providers of information services to assist in the delivery of emergency response services; and (2) transmit automatic crash notification system information as part of the operation of such a system. In addition, this amendment requires the express prior customer authorization of the use of either of the above information for other than the stated purposes.

Finally, the amendment requires a telecommunications carrier that provides telephone exchange service to provide subscriber list information (including information on unlisted subscribers) that is in its sole possession or control to providers of emergency services and emergency support services for use solely in delivering, or assisting in delivering, emergency services.

This provision was included by Representative Markey (D-MA) to the 'Wireless Communications and Public Safety Act of 1999,' H.R. 438, which passed the House on February 23, 1999.

Sec. 110.' CONFIDENTIALITY OF SUBSCRIBER INFORMATION. This section amends section 2703(c) of title 18, United States Code, to protect the confidentiality of information provided to and collected by electronic communication and remote computing services about their subscribers. Under current law, these service providers may disclose a record or other information pertaining to a subscriber or customer to any person other than a governmental entity.

By contrast, cable operators may not release to any person, including the government, 'personally identifiable information' about a customer' without the prior written or electronic consent of the subscriber concerned and shall take such actions as are necessary to prevent unauthorized access to such information by a person other than the subscriber or cable operator.' 47 U.S.C. § 551(c)(1). Similarly, telecommunications carriers are generally barred from using, disclosing or permitting access to individually identifiable customer proprietary network information, such as the services used and billing information, except 'with the approval of the customer.' ' 47 U.S.C. § 222(c)(1). Telecommunications carriers are now offering online and Internet access services. In addition, digital convergence is allowing cable operators to provide Internet services. These developments only highlight the disparities in the privacy regimes applicable to different providers.

This section would authorize providers of electronic communication and remote computing services to disclose records or information pertaining to their subscribers or customers only if such disclosure is: (1) necessary in connection with rendering services; (2) necessary to protect the rights or property of the provider; (3) required by law; (4) requested by the subscriber; or (5) if the provider has provided the subscriber with the opportunity in a clear and conspicuous manner, to prohibit such disclosure. In addition, providers of electronic communication and remote computing services are authorized to use aggregate subscriber information from which individual subscriber identities have been removed in any manner they wish.

SEC. 201. FREEDOM TO USE ENCRYPTION.

(a) NO DOMESTIC ENCRYPTION CONTROLS.- The Act legislatively confirms current practice in the United States that any person in this country may lawfully use any encryption method, regardless of encryption algorithm, key length, existence of key recovery or other plaintext access capability, or implementation selected. Specifically, the Act states the freedom of any person in the U.S., as well as U.S. persons in a foreign country, to make, use, import, and distribute any encryption product without regard to its strength or the use of key recovery, subject to the other provisions of the Act.

(b) PROHIBITION ON GOVERNMENT-COMPELLED KEY ESCROW OR KEY RECOVERY ENCRYPTION.- The Act prohibits any federal or state agency from compelling the use of key recovery systems or other plaintext access systems. Agencies may not set standards, or condition approval or benefits, to compel use of these systems. U.S. agencies may not require persons to use particular key recovery products for interaction with the government. These prohibitions do not apply to systems for use solely for the internal operations and telecommunications systems of a U.S. or a State government agency.

(c) USE OF ENCRYPTION FOR AUTHENTICATION OR INTEGRITY PURPOSES.- The Act requires that the use of encryption products shall be voluntary and that no federal or state agency may link the use of encryption for authentication or identity (such as through certificate authority and digital signature systems) to the use of encryption for confidentiality purposes. For example, conditioning receipt of a digital certificate from a licensed certificate authority on the use of key recovery would be prohibited.

SEC. 202. PURCHASE AND USE OF ENCRYPTION PRODUCTS BY THE FEDERAL GOVERNMENT. The Act authorizes agencies of the United States to purchase encryption products for internal governmental operations and telecommunications systems. To ensure that secure electronic access to the Government is available to persons outside of and not operating under contract with Federal agencies, the Act requires that any key recovery features in encryption products used by the Government interoperate with commercial encryption products.

SEC. 203. LAW ENFORCEMENT DECRYPTION ASSISTANCE. The Act adds a new chapter 124 to Title 18, Part I, governing the procedures for governmental access, including by foreign governments, to decryption assistance from third parties.

(a) IN GENERAL.- New chapter 124 has four sections. This chapter applies to wire or electronic communications and communications in electronic storage, as defined in 18 U.S.C. § 2510, and to stored electronic data. It proscribes procedures for law enforcement to obtain assistance in decrypting encrypted electronic mail messages, encrypted telephone conversations, encrypted facsimile transmissions, encrypted computer transmissions and encrypted file transfers over the Internet that are lawfully intercepted pursuant to a wiretap order, under 18 U.S.C. § 2518, or obtained pursuant to lawful process, under 18 U.S.C. § 2703, and encrypted information stored on computers that are seized pursuant to a search warrant or other lawful process.

§ 2801.'Definitions. Generally, the terms used in the new chapter have the same meanings as in the federal wiretap statute, 18 U.S.C. § 2510. Definitions are provided for 'decryption assistance', 'decryption key', 'encrypt; encryption', 'foreign government' and 'official request'.

§ 2802. Access to decryption assistance for communications.

In the United States today, decryption keys and other decryption assistance held by third parties constitute third party records and may be disclosed to a governmental entity with a subpoena or an administrative request, and without any notice to the owner of the encrypted data. Such a low standard of access creates new problems in the information age because encryption users rely heavily on the integrity of keys to protect personal information or sensitive trade secrets, even when those keys are placed in the hands of trusted agents for recovery purposes.

Under new section 2802, in criminal investigations a third party holding decryption keys or other decryption assistance for wire or electronic communications may be required to release such assistance pursuant to a court order, if the court issuing the order finds that such assistance is needed for the decryption of communications covered by the order. Specifically, such an order for decryption assistance may be issued upon a finding that the key or assistance is necessary to decrypt communications or stored data lawfully intercepted or seized. The standard for release of the key or provision of decryption assistance is tied directly to the problem at hand: the need to decrypt a message or information that the government is otherwise authorized to intercept or obtain.

This will ensure that third parties holding decryption keys or decryption information need respond to only one type of compulsory process — a court order. Moreover, this Act will set a single standard for law enforcement, removing any extra burden on law enforcement to demonstrate, for example, probable cause for two separate orders (i.e., for the encrypted communications or information and for decryption assistance) and possibly before two different judges (i.e., the judge issuing the order for the encrypted communications or information and the judge issuing the order to the third party able to provide decryption assistance).

The Act reinforces the principle of minimization. The decryption assistance provided is limited to the minimum necessary to access the particular communications or information specified by court order. Under some key recovery schemes, release of a key holder's private key — rather than an individual session key — might provide the ability to decrypt every communication or stored file ever encrypted by a particular key owner, or by every user in an entire corporation, or by every user who was ever a customer of the key holder. The Act protects against such over broad releases of keys by requiring the court issuing the order to find that the decryption assistance being sought is necessary. Private keys may only be released if no other form of decryption assistance is available.

Notice of the assistance given will be included as part of the inventory provided to subjects of the interception pursuant to current wiretap law standards.

For foreign intelligence investigations, new section 2802 allows FISA orders to direct third-party holders to release decryption assistance if the court finds the assistance is needed to decrypt covered communications. Minimization is also required, though no notice is provided to the target of the investigation.

Under new section 2802, decryption assistance is only required from third-parties (i.e., other than those whose communications are the subject of interception), thereby avoiding self-incrimination problems.

Finally, new section 2802 generally prohibits any person from providing decryption assistance for another person's communications to a governmental entity, except pursuant to the orders described.

§ 2803. Access to decryption assistance for stored electronic communications or records. New section 2803 governs access to decryption assistance for stored electronic communications and records.

As noted above, under current law third party decryption assistance may be disclosed to a governmental entity with a subpoena or even a mere request and without notice. This standard is particularly problematic for stored encrypted data, which may exist in insecure media but rely on encryption to maintain security; in such cases easy access to keys destroys the encryption security so heavily relied upon.

Under new section 2803, third parties holding decryption keys or other decryption assistance for stored electronic communications may only release such assistance to a governmental entity pursuant to (1) a state or federal warrant (based upon probable cause), with a copy to be served on the record owner at the same time the warrant is served on the record holder; (2) a subpoena that must also be served on the record owner with a meaningful opportunity to challenge the subpoena; or (3) the consent of the record owner. This standard closely mirrors the protection that would be afforded to encryption keys that are actually kept in the possession of those whose records were encrypted. In the specific case of decryption assistance for communications stored incident to transit (such as e-mail), notice may be delayed under the standards laid out for delayed notice under current law in section 2705(a)(2) of title 18, United States Code.

§ 2804. Foreign government access to decryption assistance. New section 2804 creates standards for the U.S. government to provide decryption assistance to foreign governments. No law enforcement officer would be permitted to release decryption keys to a foreign government, but only to provide decryption assistance in the form of producing plaintext. No officer would be permitted to provide decryption assistance except upon an order requested by the Attorney General or designee. Such an order could require the production of decryption keys or assistance to the Attorney General only if the court finds that (1) the assistance is necessary to decrypt data the foreign government is authorized to intercept under foreign law; (2) the foreign country's laws provide "adequate protection against arbitrary interference with respect to privacy rights"; and (3) the assistance is sought for a criminal investigation of conduct that would violate U.S. criminal law if committed in the United States.

SEC. 301. WRONGFUL DISCLOSURE OF LIBRARY AND BOOKSTORE RECORDS.

The Act amends section 2710 of title 18, United States Code, to extend the privacy protections currently in place for video rental and sale records to library and book sale records, whether the transactions take place on-line or in a physical store.

Section 2710(a) is amended with definitions for the following new terms: (1) 'book seller' means any person engaged in the business of selling books, magazines or other printed material; (2) 'library'means an institution which operates as a public, university, college, or school library; and (3) 'patron' means a person who requests or receives services within, or books or other materials on loan from, a library.

Section 2710 (b) is amended by applying the same privacy safeguards that apply to video tape rental and sale records to book sale records. As amended, a book seller who knowingly discloses personally identifiable information about a consumer of such seller is liable to an aggrieved person in a civil action. A book seller is authorized to disclose such information: (1) to the consumer; (2) with the informed, written consent of the consumer; (3) to a law enforcement agency pursuant to a warrant or a court order based upon probable cause to believe a person is engaging in criminal activity and the records sought are material to the investigation of such activity; (4) to any person, if the disclosure is limited to the names and addresses of consumers and these consumers have been given the opportunity to prohibit such disclosure, which does not identify the subject matter of the material purchased or rented by the consumers; (5) to any person, if the disclosure is incident to the ordinary course of business; or (6) pursuant to a court order in a civil proceeding upon a showing of compelling need and if the consumer is given reasonable notice and an opportunity to appear and contest the claim of the person seeking disclosure.

A new section 2710 (c) is added to address privacy protections for library records. This new subsection provides that a library which knowingly discloses personally identifiable information about a patron is liable to the aggrieved person in a civil action. A library is authorized to disclose such information: (1) to the patron; (2) with the informed, written consent of the patron; (3) to a law enforcement agency pursuant to a warrant or court order based upon probable cause to believe a person is engaging in criminal activity and the records sought are material to the investigation of such activity; (4) to any person, if the disclosure is limited to the names and addresses of patrons and the patrons have been given the opportunity to prohibit such disclosure, which does not identify the subject matter of the library services used by the patrons; (5) to any person, if the disclosure is necessary for the retrieval of overdue materials or the recoupment of compensation for damaged or lost library materials; or (6) pursuant to a court order in a civil proceeding upon a showing of compelling need and if the patron is given reasonable notice and an opportunity to appear and contest the claim of the person seeking disclosure.

SEC. 401. PRIVACY PROTECTION FOR SUBSCRIBERS OF SATELLITE SERVICES FOR PRIVATE HOME VIEWING. This section amends section 631 of the Communications Act of 1934 (codified at 47 U.S.C. § 551), to extend the privacy protections currently in place for subscribers of cable service to subscribers of satellite home viewing services or other services offered by cable or satellite carriers or distributors.

In the Cable Communications Policy Act of 1984 ('Cable Act'), Congress established a nationwide standard for the privacy protection of cable subscribers. (See H.R. Rep. No. 98-934, at 76, reprinted in 1984 U.S.C.C.A.N. 4655, 4713). Since the Cable Act was adopted, an entirely new form of access to television has emerged — home satellite viewing — which is especially popular in areas not served by cable. Yet there is no statutory privacy protection for information collected by home satellite viewing services about their customers or subscribers This title fills this gap by amending the privacy provisions of the Cable Act to cover home satellite viewing.

The amendments do not change the rules governing access to cable subscriber information. Instead, they merely rewrite section 631 to add the words " satellite home viewing service" and "satellite carrier or distributor" where appropriate.

The amendment does not address another inconsistency in the law, which bears mentioning: should a cable company that provides Internet services to its customers be subject to the privacy safeguards in the Cable Act or in the Electronic Communications Privacy (ECPA), which normally applies to Internet service providers and contains obligations regarding the disclosure of personally identifiable information to both governmental and nongovernmental entities different from those in the Cable Act? At least one court has noted the "statutory riddle raised by the entrance of cable operators into the Internet services market," but declined "to resolve such ephemeral puzzles." In re Application of the United States, — -F.Supp.2d — -, 1999 WL 74192 (D.Mass. Feb. 9, 1999).

— -END — -