Report text available as:

(PDF provides a complete and accurate display of this text.) Tip?



106th Congress                                            Rept. 106-117
                        HOUSE OF REPRESENTATIVES
 1st Session                                                     Part 2

======================================================================



 
           SECURITY AND FREEDOM THROUGH ENCRYPTION (SAFE) ACT
                                _______
                                

                  July 2, 1999.--Ordered to be printed

                                _______


  Mr. Bliley, from the Committee on Commerce, submitted the following

                              R E P O R T

                        [To accompany H.R. 850]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Commerce, to whom was referred the bill 
(H.R. 850) to amend title 18, United States Code, to affirm the 
rights of United States persons to use and sell encryption and 
to relax export controls on encryption, having considered the 
same, report favorably thereon with an amendment and recommend 
that the bill as amended do pass.

                                CONTENTS

                                                                   Page
Amendment........................................................     1
Purpose and Summary..............................................    10
Background and Need for Legislation..............................    10
Hearings.........................................................    16
Committee Consideration..........................................    17
Committee Votes..................................................    17
Committee Oversight Findings.....................................    18
Committee on Government Reform Oversight Findings................    18
New Budget Authority, Entitlement Authority, and Tax Expenditures    18
Committee Cost Estimate..........................................    18
Congressional Budget Office Estimate.............................    19
Federal Mandates Statement.......................................    22
Advisory Committee Statement.....................................    22
Constitutional Authority Statement...............................    22
Applicability to Legislative Branch..............................    22
Section-by-Section Analysis of the Legislation...................    22
Changes in Existing Law Made by the Bill, as Reported............    28

                               Amendment

    The amendment is as follows:
    Strike out all after the enacting clause and insert in lieu 
thereof the following:

SECTION 1. SHORT TITLE.

  This Act may be cited as the ``Security And Freedom through 
Encryption (SAFE) Act''.

SEC. 2. DEFINITIONS.

  For purposes of this Act, the following definitions shall apply:
          (1) Computer hardware.--The term ``computer hardware'' 
        includes computer systems, equipment, application-specific 
        assemblies, smart cards, modules, integrated circuits, printed 
        circuit board assemblies, and devices that incorporate 1 or 
        more microprocessor-based central processing units that are 
        capable of accepting, storing, processing, or providing output 
        of data.
          (2) Encrypt and encryption.--The terms ``encrypt'' and 
        ``encryption'' means the scrambling (and descrambling) of wire 
        communications, electronic communications, or electronically 
        stored information, using mathematical formulas or algorithms 
        to preserve the confidentiality, integrity, or authenticity of, 
        and prevent unauthorized recipients from accessing or altering, 
        such communications or information.
          (3) Encryption product.--The term ``encryption product''--
                  (A) means computer hardware, computer software, or 
                technology with encryption capabilities; and
                  (B) includes any subsequent version of or update to 
                an encryption product, if the encryption capabilities 
                are not changed.
          (4) Key.--The term ``key'' means the variable information 
        used in a mathematical formula, code, or algorithm, or any 
        component thereof, used to decrypt wire communications, 
        electronic communications, or electronically stored 
        information, that has been encrypted.
          (5) Key recovery information.--The term ``key recovery 
        information'' means information that would enable obtaining the 
        key of a user of encryption.
          (6) Person.--The term ``person'' has the meaning given the 
        term in section 2510 of title 18, United States Code.
          (7) Secretary.--The term ``Secretary'' means the Secretary of 
        Commerce.
          (8) State.--The term ``State'' means any State of the United 
        States and includes the District of Columbia and any 
        commonwealth, territory, or possessions of the United States.
          (9) United states person.--The term ``United States person'' 
        means any--
                  (A) United States citizen; or
                  (B) legal entity that--
                          (i) is organized under the laws of the United 
                        States, or any States, the District of 
                        Columbia, or any commonwealth, territory, or 
                        possession of the United States; and
                          (ii) has its principal place of business in 
                        the United States.
          (10) Wire communication; electronic communication.--The terms 
        ``wire communication'' and ``electronic communication'' have 
        the meanings given such terms in section 2510 of title 18, 
        United States Code.

SEC. 3. ENSURING DEVELOPMENT AND DEPLOYMENT OF ENCRYPTION IS A 
                    VOLUNTARY PRIVATE SECTOR ACTIVITY.

  (a) Statement of Policy.--It is the policy of the United States that 
the use, development, manufacture, sale, distribution, and importation 
of encryption products, standards, and services for purposes of 
assuring the confidentiality, authenticity, or integrity of electronic 
information shall be voluntary and market driven.
  (b) Limitation on Regulation.--Neither the Federal Government nor a 
State may establish any conditions, ties, or links between encryption 
products, standards, and services used for confidentiality, and those 
used for authenticity or integrity purposes.

SEC. 4. PROTECTION OF DOMESTIC SALE AND USE OF ENCRYPTION.

  Except as otherwise provided by this Act, it is lawful for any person 
within any State, and for any United States person in a foreign 
country, to develop, manufacture, sell, distribute, import, or use any 
encryption product, regardless of the encryption algorithm selected, 
encryption key length chosen, existence of key recovery, or other 
plaintext access capability, or implementation or medium used.

SEC. 5. PROHIBITION ON MANDATORY GOVERNMENT ACCESS TO PLAINTEXT.

  (a) In General.--No department, agency, or instrumentality of the 
United States or of any State may require that, set standards for, 
condition any approval on, create incentives for, or tie any benefit to 
a requirement that, a decryption key, access to a key, key recovery 
information, or any other plaintext access capability be--
          (1) required to be built into computer hardware or software 
        for any purpose;
          (2) given to any other person (including a department, 
        agency, or instrumentality of the United States or an entity in 
        the private sector that may be certified or approved by the 
        United States or a State); or
          (3) retained by the owner or user of an encryption key or any 
        other person, other than for encryption products for the use of 
        the United States Government or a State government.
  (b) Protection of Existing Access.--Subsection (a) does not affect 
the authority of any investigative or law enforcement officer, or any 
member of the intelligence community (as defined in section 3 of the 
National Security Act of 1947 (50 U.S.C.401a)), acting under any law in 
effect on the date of the enactment of this Act, to gain access to 
encrypted communications or information.

SEC. 6. UNLAWFUL USE OF ENCRYPTION IN FURTHERANCE OF A CRIMINAL ACT.

  (a) Encryption of Incriminating Communications or Information 
Unlawful.--Any person who, in the commission of a felony under a 
criminal statute of the United States, knowingly and willfully encrypts 
incriminating communications or information relating to that felony 
with the intent to conceal such communications or information for the 
purpose of avoiding detection by law enforcement agencies or 
prosecution--
          (1) in the case of a first offense under this section, shall 
        be imprisoned for not more than 5 years, or fined under title 
        18, United States Code, or both; and
          (2) in the case of a second or subsequent offense under this 
        section, shall be imprisoned for not more than 10 years, or 
        fined under title 18, United States Code, or both.
  (b) Use of Encryption Not a Basis for Probable Cause.--The use of 
encryption by any person shall not be the sole basis for establishing 
probable cause with respect to a criminal offense or a search warrant.

SEC. 7. EXPORTS OF ENCRYPTION.

  (a) Amendment to Export Administration Act of 1979.--Section 17 of 
the Export Administration Act of 1979 (50 U.S.C. App. 2416) is amended 
by adding at the end the following new subsection:
  ``(g) Certain Consumer Products, Computers, and Related Equipment.--
          ``(1) General rule.--Subject to paragraphs (2), (3), and (4), 
        the Secretary shall have exclusive authority to control exports 
        of all computer hardware, software, computing devices, customer 
        premises equipment, communications network equipment, and 
        technology for information security (including encryption), 
        except that which is specifically designed or modified for 
        military use, including command, control, and intelligence 
        applications.
          ``(2) Critical infrastructure protection products.--
                  ``(A) Identification.--Not later than 90 days after 
                the date of the enactment of the Security And Freedom 
                through Encryption (SAFE) Act, the Assistant Secretary 
                of Commerce for Communications and Information and the 
                National Telecommunications and Information 
                Administration shall issue regulations that identify, 
                define, or determine which products and equipment 
                described in paragraph (1) are designed for improvement 
                of network security, network reliability, or data 
                security.
                  ``(B) NTIA responsibility.--Not later than the 
                expiration of the 2-year period beginning on the date 
                of the enactment of the Security And Freedom through 
                Encryption (SAFE) Act, all authority of the Secretary 
                under this subsection and all determinations and 
                reviews required by this section, with respect to 
                products and equipment described in paragraph (1) that 
                are designed for improvement of network security, 
                network reliability, or data security through the use 
                of encryption, shall be exercised through and made by 
                the Assistant Secretary of Commerce for Communications 
                and Information and the National Telecommunications and 
                Information Administration. The Secretary may, at any 
                time, assign to the Assistant Secretary and the NTIA 
                authority of the Secretary under this section with 
                respect to other products and equipment described in 
                paragraph (1).
          ``(3) Items not requiring licenses.--After a one-time 
        technical review by the Secretary of not more than 30 working 
        days, which shall include consultation with the Secretary of 
        Defense, the Secretary of State, the Attorney General, and the 
        Director of Central Intelligence, no export license may be 
        required, except pursuant to the Trading with the Enemy Act or 
        the International Emergency Economic Powers Act (but only to 
        the extent that the authority of such Act is not exercised to 
        extend controls imposed under this Act), for the export or 
        reexport of--
                  ``(A) any computer hardware or software or computing 
                device, including computer hardware or software or 
                computing devices with encryption capabilities--
                          ``(i) that is generally available;
                          ``(ii) that is in the public domain for which 
                        copyright or other protection is not available 
                        under title 17, United States Code, or that is 
                        available to the public because it is generally 
                        accessible to the interested public in any 
                        form; or
                          ``(iii) that is used in a commercial, off-
                        the-shelf, consumer product or any component or 
                        subassembly designed for use in such a consumer 
                        product available within the United States or 
                        abroad which--
                                  ``(I) includes encryption 
                                capabilities which are inaccessible to 
                                the end user; and
                                  ``(II) is not designed for military 
                                or intelligence end use;
                  ``(B) any computing device solely because it 
                incorporates or employs in any form--
                          ``(i) computer hardware or software 
                        (including computer hardware or software with 
                        encryption capabilities) that is exempted from 
                        any requirement for a license under 
                        subparagraph (A); or
                          ``(ii) computer hardware or software that is 
                        no more technically complex in its encryption 
                        capabilities than computer hardware or software 
                        that is exempted from any requirement for a 
                        license under subparagraph (A) but is not 
                        designed for installation by the purchaser;
                  ``(C) any computer hardware or software or computing 
                device solely on the basis that it incorporates or 
                employs in any form interface mechanisms for 
                interaction with other computer hardware or software or 
                computing devices, including computer hardware and 
                software and computing devices with encryption 
                capabilities;
                  ``(D) any computing or telecommunication device which 
                incorporates or employs in any form computer hardware 
                or software encryption capabilities which--
                          ``(i) are not directly available to the end 
                        user; or
                          ``(ii) limit the encryption to be point-to-
                        point from the user to a central communications 
                        point or link and does not enable end-to-end 
                        user encryption;
                  ``(E) technical assistance and technical data used 
                for the installation or maintenance of computer 
                hardware or software or computing devices with 
                encryption capabilities covered under this subsection; 
                or
                  ``(F) any encryption hardware or software or 
                computing device not used for confidentiality purposes, 
                such as authentication, integrity, electronic 
                signatures, nonrepudiation, or copy protection.
          ``(4) Computer hardware or software or computing devices with 
        encryption capabilities.--After a one-time technical review by 
        the Secretary of not more than 30 working days, which shall 
        include consultation with the Secretary of Defense, the 
        Secretary of State, the Attorney General, and the Director of 
        Central Intelligence, the Secretary shall authorize the export 
        or reexport of computer hardware or software or computing 
        devices with encryption capabilities for nonmilitary end uses 
        in any country--
                  ``(A) to which exports of computer hardware or 
                software or computing devices of comparable strength 
                are permitted for use by financial institutions not 
                controlled in fact by United States persons, unless 
                there is substantial evidence that such computer 
                hardware or software or computing devices will be--
                          ``(i) diverted to a military end use or an 
                        end use supporting international terrorism;
                          ``(ii) modified for military or terrorist end 
                        use;
                          ``(iii) reexported without any authorization 
                        by the United States that may be required under 
                        this Act; or
                          ``(iv)(I) harmful to the national security of 
                        the United States, including capabilities of 
                        the United States in fighting drug trafficking, 
                        terrorism, or espionage, (II) used in illegal 
                        activities involving the sexual exploitation 
                        of, abuse of, or sexually explicit conduct with 
                        minors (including activities in violation of 
                        chapter 110 of title 18, United States Code, 
                        and section 2423 of such title), or (III) used 
                        in illegal activities involving organized 
                        crime; or
                  ``(B) if the Secretary determines that a computer 
                hardware or software or computing device offering 
                comparable security is commercially available in such 
                country from a foreign supplier, without effective 
                restrictions.
          ``(5) Definitions.--For purposes of this subsection--
                  ``(A) the term `computer hardware' has the meaning 
                given such term in section 2 of the Security And 
                Freedom through Encryption (SAFE) Act;
                  ``(B) the term `computing device' means a device 
                which incorporates one or more microprocessor-based 
                central processing units that can accept, store, 
                process, or provide output of data;
                  ``(C) the term `customer premises equipment' means 
                equipment employed on the premises of a person to 
                originate, route, or terminate communications;
                  ``(D) the term `data security' means the protection, 
                through techniques used by individual computer and 
                communications users, of data from unauthorized 
                penetration, manipulation, or disclosure;
                  ``(E) the term `encryption' has the meaning given 
                such term in section 2 of the Security And Freedom 
                through Encryption (SAFE) Act;
                  ``(F) the term `generally available' means, in the 
                case of computer hardware or computer software 
                (including computer hardware or computer software with 
                encryption capabilities)--
                          ``(i) computer hardware or computer software 
                        that is--
                                  ``(I) distributed through the 
                                Internet;
                                  ``(II) offered for sale, license, or 
                                transfer to any person without 
                                restriction, whether or not for 
                                consideration, including, but not 
                                limited to, over-the-counter retail 
                                sales, mail order transactions, phone 
                                order transactions, electronic 
                                distribution, or sale on approval;
                                  ``(III) preloaded on computer 
                                hardware or computing devices that are 
                                widely available for sale to the 
                                public; or
                                  ``(IV) assembled from computer 
                                hardware or computer software 
                                components that are widely available 
                                for sale to the public;
                          ``(ii) not designed, developed, or tailored 
                        by the manufacturer for specific purchasers or 
                        users, except that any such purchaser or user 
                        may--
                                  ``(I) supply certain installation 
                                parameters needed by the computer 
                                hardware or software to function 
                                properly with the computer system of 
                                the user or purchaser; or
                                  ``(II) select from among options 
                                contained in the computer hardware or 
                                computer software; and
                          ``(iii) with respect to which the 
                        manufacturer of that computer hardware or 
                        computer software--
                                  ``(I) intended for the user or 
                                purchaser, including any licensee or 
                                transferee, to install the computer 
                                hardware or software and has supplied 
                                the necessary instructions to do so, 
                                except that the manufacturer of the 
                                computer hardware or software, or any 
                                agent of such manufacturer, may also 
                                provide telephone or electronic mail 
                                help line services for installation, 
                                electronic transmission, or basic 
                                operations; and
                                  ``(II) the computer hardware or 
                                software is designed for such 
                                installation by the user or purchaser 
                                without further substantial support by 
                                the manufacturer;
                  ``(G) the term `network reliability' means the 
                prevention, through techniques used by providers of 
                computer and communications services, of the 
                malfunction, and the promotion of the continued 
                operations, of computer or communications network;
                  ``(H) the term `network security' means the 
                prevention, through techniques used by providers of 
                computer and communications services, of unauthorized 
                penetration, manipulation, or disclosure of information 
                of a computer or communications network;
                  ``(I) the term `technical assistance' includes 
                instruction, skills training, working knowledge, 
                consulting services, and the transfer of technical 
                data;
                  ``(J) the term `technical data' includes blueprints, 
                plans, diagrams, models, formulas, tables, engineering 
                designs and specifications, and manuals and 
                instructions written or recorded on other media or 
                devices such as disks, tapes, or read-only memories; 
                and
                  ``(K) the term `technical review' means a review by 
                the Secretary of computer hardware or software or 
                computing devices with encryption capabilities, based 
                on information about the product's encryption 
                capabilities supplied by the manufacturer, that the 
                computer hardware or software or computing device works 
                as represented.''.
  (b) Transfer of Authority to National Telecommunications and 
Information Administration.--Section 103(b) of the National 
Telecommunications and Information Administration Organization Act (47 
U.S.C. 902(b)) is amended by adding at the end the following new 
paragraph:
          ``(4) Export of communications transaction technologies.--In 
        accordance with section 17(g)(2) of the Export Administration 
        Act of 1979 (50 U.S.C. App. 2416(g)(2)), the Secretary shall 
        assign to the Assistant Secretary and the NTIA the authority of 
        the Secretary under such section 17(g), with respect to 
        products and equipment described in paragraph (1) of such 
        section that are designed for improvement of network security, 
        network reliability, or data security, that (after the 
        expiration of the 2-year period beginning on the date of the 
        enactment of the Security And Freedom through Encryption (SAFE) 
        Act) is to be exercised by the Assistant Secretary and the 
        NTIA.''.
  (c) No Reinstatement of Export Controls on Previously Decontrolled 
Products.--Any encryption product not requiring an export license as of 
the date of enactment of this Act, as a result of administrative 
decision or rulemaking, shall not require an export license on or after 
such date of enactment.
  (d) Applicability of Certain Export Controls.--
          (1) In general.--Nothing in this Act shall limit the 
        authority of the President under the International Emergency 
        Economic Powers Act, the Trading with the Enemy Act, or the 
        Export Administration Act of 1979, to--
                  (A) prohibit the export of encryption products to 
                countries that have been determined to repeatedly 
                provide support for acts of international terrorism; or
                  (B) impose an embargo on exports to, and imports 
                from, a specific country.
          (2) Specific denials.--The Secretary of Commerce may prohibit 
        the export of specific encryption products to an individual or 
        organization in a specific foreign country identified by the 
        Secretary, if the Secretary determines that there is 
        substantial evidence that such encryption products will be--
                  (A) used for military or terrorist end-use or 
                modified for military or terrorist end use;
                  (B) harmful to United States national security, 
                including United States capabilities in fighting drug 
                trafficking, terrorism, or espionage;
                  (C) used in illegal activities involving the sexual 
                exploitation of, abuse of, or sexually explicit conduct 
                with minors (including activities in violation of 
                chapter 110 of title 18, United States Code, and 
                section 2423 of such title); or
                  (D) used in illegal activities involving organized 
                crime.
          (3) Other export controls.--An encryption product is subject 
        to any export control imposed on that product for any reason 
        other than the existence of encryption capability. Nothing in 
        this Act or the amendments made by this Act alters the ability 
        of the Secretary of Commerce to control exports of products for 
        reasons other than encryption.
  (e) Continuation of Export Administration Act.--For purposes of 
carrying out the amendment made by subsection (a), the Export 
Administration Act of 1979 shall be deemed to be in effect.

SEC. 8. GOVERNMENT PROCUREMENT OF ENCRYPTION PRODUCTS.

  (a) Statement of Policy.--It is the policy of the United States--
          (1) to permit the public to interact with government through 
        commercial networks and infrastructure; and
          (2) to protect the privacy and security of any electronic 
        communication from, or stored information obtained from, the 
        public.
  (b) Purchase of Encryption Products by Federal Government.--Any 
department, agency, or instrumentality of the United States may 
purchase encryption products for internal use by officers and employees 
of the United States to the extent and in the manner authorized by law.
  (c) Prohibition of Requirement for Citizens To Purchase Specified 
Products.--No department, agency, or instrumentality of the United 
States, nor any department, agency, or political subdivision of a 
State, may require any person in the private sector to use any 
particular encryption product or methodology, including products with a 
decryption key, access to a key, key recovery information, or any other 
plaintext access capability, to communicate with, or transact business 
with, the government.

SEC. 9. NATIONAL ELECTRONIC TECHNOLOGIES CENTER.

  Part A of the National Telecommunications and Information 
Administration Organization Act is amended by inserting after section 
105 (47 U.S.C. 904) the following new section:

``SEC. 106. NATIONAL ELECTRONIC TECHNOLOGIES CENTER.

  ``(a) Establishment.--There is established in the NTIA a National 
Electronic Technologies Center (in this section referred to as the `NET 
Center').
  ``(b) Director.--The NET Center shall have a Director, who shall be 
appointed by the Assistant Secretary.
  ``(c) Duties.--The duties of the NET Center shall be--
          ``(1) to serve as a center for industry and government 
        entities to exchange information and methodology regarding data 
        security techniques and technologies;
          ``(2) to examine encryption techniques and methods to 
        facilitate the ability of law enforcement to gain efficient 
        access to plaintext of communications and electronic 
        information;
          ``(3) to conduct research to develop efficient methods, and 
        improve the efficiency of existing methods, of accessing 
        plaintext of communications and electronic information;
          ``(4) to investigate and research new and emerging techniques 
        and technologies to facilitate access to communications and 
        electronic information, including --
                  ``(A) reverse-steganography;
                  ``(B) decompression of information that previously 
                has been compressed for transmission; and
                  ``(C) de-multiplexing;
          ``(5) to obtain information regarding the most current 
        computer hardware and software, telecommunications, and other 
        capabilities to understand how to access information 
        transmitted across computer and communications networks; and
          ``(6) to serve as a center for Federal, State, and local law 
        enforcement authorities for information and assistance 
        regarding decryption and other access requirements.
  ``(d) Equal Access.--State and local law enforcement agencies and 
authorities shall have access to information, services, resources, and 
assistance provided by the NET Center to the same extent that Federal 
law enforcement agencies and authorities have such access.
  ``(e) Personnel.--The Director may appoint such personnel as the 
Director considers appropriate to carry out the duties of the NET 
Center.
  ``(f) Assistance of Other Federal Agencies.--Upon the request of the 
Director of the NET Center, the head of any department or agency of the 
Federal Government may, to assist the NET Center in carrying out its 
duties under this section--
          ``(1) detail, on a reimbursable basis, any of the personnel 
        of such department or agency to the NET Center; and
          ``(2) provide to the NET Center facilities, information, and 
        other non-personnel resources.
  ``(g) Private Industry Assistance.--The NET Center may accept, use, 
and dispose of gifts, bequests, or devises of money, services, or 
property, both real and personal, for the purpose of aiding or 
facilitating the work of the Center. Gifts, bequests, or devises of 
money and proceeds from sales of other property received as gifts, 
bequests, or devises shall be deposited in the Treasury and shall be 
available for disbursement upon order of the Director of the NET 
Center.
  ``(h) Advisory Board.--
          ``(1) Establishment.--There is established the Advisory Board 
        of the NET Center (in this subsection referred to as the 
        ``Advisory Board''), which shall be comprised of 11 members who 
        shall have the qualifications described in paragraph (2) and 
        who shall be appointed by the Assistant Secretary not later 
        than 6 months after the date of the enactment of this Act. The 
        chairman of the Advisory Board shall be designated by the 
        Assistant Secretary at the time of appointment.
          ``(2) Qualifications.--Each member of the Advisory Board 
        shall have experience or expertise in the field of encryption, 
        decryption, electronic communication, information security, 
        electronic commerce, or law enforcement.
          ``(3) Duties.--The duty of the Advisory Board shall be to 
        advise the NET Center and the Federal Government regarding new 
        and emerging technologies relating to encryption and decryption 
        of communications and electronic information.
  ``(i) Implementation Plan.--Within 2 months after the date of the 
enactment of this Act, the Assistant Secretary, in consultation and 
cooperation with other appropriate Federal agencies and appropriate 
industry participants, develop and cause to be published in the Federal 
Register a plan for establishing the NET Center. The plan shall--
          ``(1) specify the physical location of the NET Center and the 
        equipment, software, and personnel resources necessary to carry 
        out the duties of the NET Center under this section;
          ``(2) assess the amount of funding necessary to establish and 
        operate the NET Center; and
          ``(3) identify sources of probable funding for the NET 
        Center, including any sources of in-kind contributions from 
        private industry.''.

SEC. 10. STUDY OF NETWORK AND DATA SECURITY ISSUES.

  Part C of the National Telecommunications and Information 
Administration Organization Act is amended by adding at the end the 
following new section:

``SEC. 156. STUDY OF NETWORK RELIABILITY AND SECURITY AND DATA SECURITY 
                    ISSUES.

  ``(a) In General.--The NTIA shall conduct an examination of--
          ``(1) the relationship between--
                  ``(A) network reliability (for communications and 
                computer networks), network security (for such 
                networks), and data security issues; and
                  ``(B) the conduct, in interstate commerce, of 
                electronic commerce transactions, including through the 
                medium of the telecommunications networks, the 
                Internet, or other interactive computer systems;
          ``(2) the availability of various methods for encrypting 
        communications; and
          ``(3) the effects of various methods of providing access to 
        encrypted communications and to information to further law 
        enforcement activities.
  ``(b) Specific Issues.--In conducting the examination required by 
subsection (a), the NTIA shall--
          ``(1) analyze and evaluate the requirements under paragraphs 
        (3) and (4) of section 17(g) of the Export Administration Act 
        of 1979 (50 U.S.C. App. 2416(g); as added by section 7(a) of 
        this Act) for products referred to in such paragraphs to 
        qualify for the license exemption or mandatory export 
        authorization under such paragraphs, and determine--
                  ``(A) the scope and applicability of such 
                requirements and the products that, at the time of the 
                examination, qualify for such license exemption or 
                export authorization; and
                  ``(B) the products that will, 12 months after the 
                examination is conducted, qualify for such license 
                exemption or export authorization; and
          ``(2) assess possible methods for providing access to 
        encrypted communications and to information to further law 
        enforcement activities.
  ``(c) Reports.--Within one year after the date of enactment of this 
section, the NTIA shall submit to the Congress and the President a 
detailed report on the examination required by subsections (a) and (b). 
Annually thereafter, the NTIA shall submit to the Congress and the 
President an update on such report.
  ``(d) Definitions.--For purposes of this section--
          ``(1) the terms `data security', `encryption', `network 
        reliability', and `network security' have the meanings given 
        such terms in section 17(g)(5) of the Export Administration Act 
        of 1979 (50 U.S.C. App. 2416(g)(5)); and
          ``(2) the terms `Internet' and `interactive computer systems' 
        have the meanings provided by section 230(e) of the 
        Communications Act of 1934 (47 U.S.C. 230(e)).''.

SEC. 11. TREATMENT OF ENCRYPTION IN INTERSTATE AND FOREIGN COMMERCE.

  (a) Inquiry Regarding Impediments to Commerce.--Within 180 days after 
the date of the enactment of this Act, the Secretary of Commerce shall 
complete an inquiry to--
          (1) identify any domestic and foreign impediments to trade in 
        encryption products and services and the manners in which and 
        extent to which such impediments inhibit the development of 
        interstate and foreign commerce; and
          (2) identify import restrictions imposed by foreign nations 
        that constitute trade barriers to providers of encryption 
        products or services.
The Secretary shall submit a report to the Congress regarding the 
results of such inquiry by such date.
  (b) Removal of Impediments to Trade.--Within 1 year after such date 
of enactment, the Secretary shall prescribe such regulations as may be 
necessary to reduce the impediments to trade in encryption products and 
services identified in the inquiry pursuant to subsection (a) for the 
purpose of facilitating the development of interstate and foreign 
commerce. Such regulations shall be designed to--
          (1) promote the sale and distribution, including through 
        electronic commerce, in foreign commerce of encryption products 
        and services manufactured in the United States; and
          (2) strengthen the competitiveness of domestic providers of 
        encryption products and services in foreign commerce, including 
        electronic commerce.
  (c) International Agreements.--
          (1) Report to president.--Upon the completion of the inquiry 
        under subsection (a), the Secretary shall submit a report to 
        the President regarding reducing any impediments to trade in 
        encryption products and services that are identified by the 
        inquiry and could, in the determination of the Secretary, 
        require international negotiations for such reduction.
          (2) Negotiations.--The President shall take all actions 
        necessary to conduct negotiations with other countries for the 
        purposes of (A) concluding international agreements on the 
        promotion of encryption products and services, and (B) 
        achieving mutual recognition of countries' export controls, in 
        order to meet the needs of countries to preserve national 
        security, safeguard privacy, and prevent commercial espionage. 
        The President may consider a country's refusal to negotiate 
        such international export and mutual recognition agreements 
        when considering the participation of the United States in any 
        cooperation or assistance program with that country. The 
        President shall submit a report to the Congress regarding the 
        status of international efforts regarding cryptography not 
        later than December 31, 2000.

SEC. 12. COLLECTION OF INFORMATION ON EFFECT OF ENCRYPTION ON LAW 
                    ENFORCEMENT ACTIVITIES.

  (a) Collection of Information by Attorney General.--The Attorney 
General shall compile, and maintain in classified form, data on the 
instances in which encryption (as defined in section 2801 of title 18, 
United States Code) has interfered with, impeded, or obstructed the 
ability of the Department of Justice to enforce the criminal laws of 
the United States.
  (b) Availability of Information to the Congress.--The information 
compiled under subsection (a), including an unclassified summary 
thereof, shall be made available, upon request, to any Member of 
Congress.

SEC. 13. PROHIBITION ON TRANSFERS TO PLA AND COMMUNIST CHINESE MILITARY 
                    COMPANIES.

  (a) Prohibition.--Whoever knowingly and willfully transfers to the 
People's Liberation Army or to any Communist Chinese military company 
any encryption product that utilizes a key length of more than 56 
bits--
          (1) in the case of a first offense under this section, shall 
        be imprisoned for not more than 5 years, or fined under title 
        18, United States Code, or both; and
          (2) in the case of second or subsequent offense under this 
        section, shall be imprisoned for not more than 10 years, or 
        fined under title 18, United States Code, or both.
  (b) Definitions.--For purposes of this section:
          (1) Communist chinese military company.--(A) Subject to 
        subparagraph (B), the term ``Communist Chinese military 
        company'' has the meaning given that term in section 1237(b)(4) 
        of the Strom Thurmond National Defense Authorization Act for 
        Fiscal Year 1999 (50 U.S.C. 1701 note).
          (B) At such time as the determination and publication of 
        persons are made under section 1237(b)(1) of the Strom Thurmond 
        National Defense Authorization Act for Fiscal Year 1999, the 
        term ``Communist Chinese military company'' shall mean the list 
        of those persons so published, as revised under section 
        1237(b)(2) of that Act.
          (2) People's liberation army.--The term ``People's Liberation 
        Army'' has the meaning given that term in section 1237(c) of 
        the Strom Thurmond National Defense Authorization Act for 
        Fiscal Year 1999.

SEC. 14. FAILURE TO DECRYPT INFORMATION OBTAINED UNDER COURT ORDER.

  Whoever is required by an order of any court to provide to the court 
or any other party any information in such person's possession which 
has been encrypted and who, having possession of the key or such other 
capability to decrypt such information into the readable or 
comprehensible format of such information prior to its encryption, 
fails to provide such information in accordance with the order in such 
readable or comprehensible form--
          (1) in the case of a first offense under this section, shall 
        be imprisoned for not more than 5 years, or fined under title 
        18, United States Code, or both; and
          (2) in the case of second or subsequent offense under this 
        section, shall be imprisoned for not more than 10 years, or 
        fined under title 18 United States Code, or both.

                          Purpose and Summary

    H.R. 850, the Security And Freedom through Encryption 
(SAFE) Act, modernizes the encryption policy of the United 
States. It also addresses law enforcement and national security 
needs as strong encryption products become more widely used.
    In summary, H.R. 850, as amended by the Committee on 
Commerce, clarifies U.S. policy regarding the domestic use of 
encryption products, including prohibiting the Federal 
government or State governments from requiring key recovery or 
a similar technique in most circumstances and adding criminal 
penalties for the use of encryption products in the cover-up of 
felonious activity. H.R. 850 also relaxes U.S. export policies 
by permitting mass-market encryption products to be exported 
under a general license exception. It also permits other custom 
made computer hardware and software encryption products to be 
exported on an expedited basis. The bill includes a specified 
role for the National Telecommunications and Information 
Administration (NTIA) in the consideration of the export of 
certain encryption products.
    H.R. 850 establishes a National Electronic Technologies 
Center (NET Center) to help Federal, State, and local law 
enforcement agencies obtain access to encrypted communications. 
The Center will aid law enforcement in accessing encrypted 
communications and information by promoting a positive 
relationship with the related industry.
    H.R. 850 also requires: an annual in-depth analysis of the 
relationship between network reliability, network security, and 
data security and the conduct of transactions in interstate 
commerce; an examination of foreign barriers to the importation 
of U.S. encryption products and positive steps to be taken to 
remove these barriers; and that the Attorney General compile 
information regarding instances when law enforcement's efforts 
have been stymied because of the use of strong encryption 
products. The information from these efforts will be helpful in 
analyzing the impact of increased use of encryption products.

                  Background and Need for Legislation


I. Background

    Encryption is the commonly used term to describe the use of 
cryptography to ensure the confidentiality of messages. 
Encryption products can be either computer software or hardware 
and can be used over any electronic medium (e.g., the public 
switched telephone network, or the Internet). The strength of 
an encryption product, and thus the likelihood that a message 
will remain confidential as it travels through a network, is 
measured in terms of bits. For example, a two-bit code results 
in four possible combinations of messages (00, 01, 10, 11), 
whereas a 56-bit code results in millions of possible 
combinations. ``Keys'' are widely used in today's encryption 
technology to encrypt/decrypt messages. While encrypting 
messages was historically the province of the military, the 
growing use of computers on both public and private networks 
has led to development of new commercially available products 
designed for non-military purposes. For instance, the use of 
encryption products can be an effective mechanism to promote 
the reliability of the telecommunications networks and to 
secure data related to electronic commerce transactions.
            A. Current law and regulation
    Current law generally prohibits the export of certain 
controlled encryption products. Such products can be exported 
if they qualify for a license exception or the exporter obtains 
individual licenses, which means approval by the reviewing 
agency. Federal restrictions generally prohibit the export of 
encryption products that are above a specified level of 
strength (e.g., 56-bit length). Federal law currently imposes 
no import or domestic restrictions on encryption products 
(i.e., encryption products of any strength are available for 
domestic use, regardless of whether the product is developed 
here or abroad). These export restrictions are intended to 
ensure strong U.S. encryption products do not fall into the 
hands of countries where the intelligence community is 
gathering information, terrorists, or rogue countries.
    The Administration has modified its encryption policy a 
number of times over the course of the last several years. For 
instance, U.S. encryption policy was amended in December 1996 
to permit the export of encryption products of any length to 
financial institutions. The Administration reviews and, if 
necessary revises, its encryption products policy every six 
months. The Department of Commerce's current encryption 
products rules (modified as recently as December 31, 1998) can 
be generally summarized as follows:
          (1) there are no restrictions on the ability to buy, 
        sell, manufacture, or distribute encryption products 
        within the United States;
          (2) 56-bit (or lower) encryption products, without 
        being recoverable, may be exported after a one-time 
        review;
          (3) encryption products above 56 bits for use by 
        subsidiaries of American companies for the protection 
        of international business can be exported under a 
        license exemption, except to the seven terrorist 
        nations;
          (4) encryption products above 56 bits can be exported 
        under a license exception or a license exception-like 
        treatment and can be exported to 45 specified countries 
        for use by the health and medical companies, insurance 
        companies, and online merchants; and
          (5) encryption products above 56 bits for use by 
        foreign commercial firms for internal company 
        proprietary use may be exported to specified countries 
        under licensing exception treatment--only if the 
        manufacturer provides a ``recoverable mechanism'' that 
        allows for the recovery of plaintext.
            B. International developments
    While a number of countries have export or import 
restrictions on encryption products, those that do often do not 
have rules as stringent as the United States' rules. The 
Clinton Administration has been negotiating with Member 
countries of the ``Wassenaar Arrangement'' to develop a unified 
approach to rules relating to the export of encryption 
products. The Wassenaar Arrangement was created in 1996 as a 
global multilateral arrangement on export controls for 
conventional weapons and sensitive dual-use goods and 
technologies. In December 1998, the Administration announced 
that the participating countries reached agreement to impose 
export restrictions for certain encryption products. The 33 
signatories represent a large portion of the countries 
producing encryption products.
            C. Recent litigation
    On May 6, 1999, the United States Court of Appeals for the 
Ninth Circuit rendered a decision in Bernstein v. United 
States, No. 97-16686, 1999 U.S. App. Lexis 8595 (9th Cir. 
1999). Professor Daniel Bernstein filed suit against the 
Federal government after he was notified by the State 
Department that his ``Snuffle'' encryption program would 
require an export license to post the source code on the 
Internet. In a 2-1 decision, the Ninth Circuit upheld the trial 
court's ruling that the regulation of Bernstein's export of his 
encryption program constituted an impermissible prior restraint 
on speech. The Administration has not decided whether it will 
appeal the Ninth Circuit's ruling.
    In addition, in Karn v. Dept. of State, 925 F.Supp. 1 
(D.D.C. 1996), remanded, 1997 U.S. App. Lexis 3123 (D.C. Cir. 
1997), the District Court for the District of Columbia ruled 
that the export restrictions were not subject to judicial 
review, but do not violate the First Amendment.

II. Arguments in the debate over encryption products

    The debate over the export of encryption products centers 
around whether: (1) U.S. companies should be permitted to 
export encryption products of any strength, thus increasing the 
availability of such products in the global market; and (2) 
there should be restrictions on use of encryption products 
within the United States. In general, sound encryption policy 
must balance privacy interests with society's interest in 
protecting the public. To the greatest extent possible, it must 
also be based on free-market principles.
    The high technology industry and the business community 
argue that current U.S. encryption policy harms domestic 
businesses with operations abroad because they are forced to 
export weak encryption products that compete with stronger 
foreign encryption products. These technology builders and 
users point out that today's informal world standard that 
encryption users demand is based on encryption products with 
128 bit technology. However, under the Administration's current 
policy, encryption products, based on 56 bit technology, are 
exportable without restriction while encryption products above 
this level are subject to significant export limitations.
    The high technology industry and business community also 
argue that the current policy has a direct impact on the 
strength of encryption products available within the United 
States. In practice, current U.S. encryption policy, while 
based on export restrictions acts as a de facto domestic 
restriction for U.S. encryption manufacturers. American firms 
are either unwilling or unable to spend the resources to 
develop two products--one available for domestic use, and 
another less robust product that may be exported. Instead, 
American firms develop one product at the lowest level of 
encryption to comply with the more stringent export laws.
    Many representatives of the high technology and business 
community also argue that the security of a strong encryption 
product is jeopardized if it contains a recoverable feature. 
They claim that recoverable products contain a larger number of 
flaws and weaknesses in encryption products, which can be 
exploited by unauthorized people to gain entry to secure 
communications or information. Further, they argue that the 
regime necessary for recoverable products to operate (e.g., key 
management) increases the likelihood of implementation and 
managementproblems that can weaken the effectiveness of 
encryption products. Therefore, they conclude that stronger, non-
recoverable products effectively help to prevent crime.
    In addition, the high technology industry generally argues 
that the current policy may impose excessive costs as they may 
be forced to develop prohibitively costly, new recoverable 
products; manufacture two different products (one for the 
domestic use (strong) and one for abroad (weaker)); and/or be 
subject to a burdensome licensing process. Therefore, U.S. 
domestic manufacturers argue that the United States is losing 
market share to foreign software and hardware firms, which face 
fewer restrictions.
    Alternatively, government officials, which include Federal, 
State, and local law enforcement officials, argue that 
permitting the export of stronger encryption products without a 
clear mechanism to decrypt a communication or stored 
information, when necessary and lawful, will jeopardize public 
safety and national security. They believe that recoverable 
encryption products must be developed, not only to facilitate 
lawful searches and seizures, but to help users or employers in 
the event they lose the ability to decrypt a communications or 
related information. They also argue that widespread use of 
strong encryption without being recoverable would infringe on 
their surveillance techniques.
    In addition, the national security community argues that 
most foreign countries view lifting the export restrictions as 
America's attempt to dominate world markets at the expense of 
other nations' national security, thereby forcing these 
countries to adopt import restrictions to keep American 
products out of their countries. Further, they point out that 
official government access to sensitive international 
communications (e.g., e-mail traffic between terrorist groups 
and manufacturing operations) will be stopped or curtailed if 
strong encryption products are allowed to proliferate. They 
argue that since U.S. encryption products are the most 
influential and dominant in the marketplace, limiting or 
implementing a policy of containment (i.e., preventing or 
limiting the spread and use of strong encryption products) of 
U.S.-made encryption products is necessary for the national 
security community to continue to do its job. Loosening of 
encryption rules, they note, would also impair the ability of 
our intelligence agencies to track the use of strong U.S. 
encryption products overseas since removing export controls 
would also remove complementary reporting requirements.
    Lastly, both law enforcement and national security 
communities point out that the current policy is flexible 
enough to allow the export of strong encryption products. These 
groups further contend that the current policy is under 
constant review and will change based on new information 
regarding encryption products or changes in technology.

III. Need for encryption products policy reform

    Electronic commerce, the growth in use of the Internet, and 
the innovation of U.S. high technology companies are helping 
drive the economic prosperity experienced today in the U.S. and 
worldwide. In sum, the world is in the early stages of the 
formation of the digital age. However, barriers remain to the 
full development of these capabilities and underlying 
transaction mediums. Today, consumer wariness over the safety, 
security, and privacy of information transmitted via electronic 
mediums has been listed very often in consumer surveys as a 
reason more consumers are not utilizing these technologies.
    Encryption and the prolific use of encryption products are 
essential to ease consumers' worries about the availability of 
their sensitive information to unwanted parties. Unfortunately, 
the Administration's existing policy towards the export of U.S. 
manufactured encryption products is hampering the use of such 
technology. Existing U.S. encryption policy is partly premised 
upon the belief that minimizing the proliferation of U.S. 
manufactured encryption products worldwide will minimize the 
use of encryption products overall. Thus, current U.S. 
encryption policy is based upon the theory of containment 
rather than access.
    The Committee is not convinced that reliance on export 
restrictions provides adequate assistance to national security 
personnel in their ever increasing need to keep up with the 
latest technologies. The Committee finds that the current 
export rules place domestic manufacturers of encryption 
products at a competitive disadvantage with respect to their 
foreign counterparts. Moreover, bad actors simply use strong 
encryption products manufactured by foreign producers. 
Containment, which is the heart of the national security 
argument, prevents U.S. manufacturers from exporting strong 
encryption products to serve international and U.S. customers, 
while allowing foreign encryption manufacturers that abide by 
lesser restrictions an inherent, unfair market advantage.
    While it may be possible that the containment strategy may 
be slowing the proliferation of strong encryption products, it 
is not stopping its proliferation and will not do so as 
technology becomes more prevalent and consumers' demand for 
security and privacy increases. Foreign strong encryption 
products are turning up not only in the hands of international 
criminals and rogue agents, but also are being used by U.S.-
based multi-national companies within the U.S. borders in order 
to provide the necessary security strong encryption products 
users can afford. Thus, current export restrictions are 
effective in containing our domestic encryption manufacturers.
    The containment aspect of current policy is also flawed by 
its lack of uniformity and consistency. To be more effective 
and to further the goal of containing strong encryption 
products, it would be expected that the Administration would 
also favor import restrictions to prevent foreign encryption 
products manufacturers from importing strong encryption 
productsinto the United States. The United States is by far the 
largest single marketplace of high technology users. However, as the 
use of strong encryption products becomes more prevalent, it becomes 
increasingly difficult to contain them within U.S. borders. Current 
policy does not advocate (nor would the Committee favor) import 
restrictions. The lack of an import regime makes the containment 
component of the current policy highly questionable.
    Current encryption policy is also based on providing law 
enforcement officials access to encrypted communications and 
information through the voluntary promotion of recoverable 
products. Clearly, the needs of law enforcement are not being 
met by changes in technology. The Fourth Amendment and title 
III of the Omnibus Crime Control and Safe Streets Act of 1968 
permit law enforcement agencies to search, seize, and intercept 
electronic communications and stored data. With the development 
of strong encryption technologies, however, law enforcement's 
efforts are being thwarted because even though they can search, 
seize, or intercept the information, they cannot understand it 
because it is encoded. Without the necessary tools, law 
enforcement does not have the ability to prevent and solve 
crimes. Thus, the law enforcement community seeks to promote 
the development and use of recoverable products by all parties. 
In their view, recoverable products can satisfy both demand for 
strong encryption products and law enforcement's need to access 
such underlying communications or information under proper 
authority.
    The Committee finds the current encryption policy is 
fundamentally flawed in its goal to promote the voluntary use 
of recoverable encryption. For instance, current policy allows 
the export of strong encryption products to certain market 
segments for certain countries--covering over 70 percent of all 
business activity according to the Administration. The current 
policy permits and even touts that recoverable features are not 
necessary for a large portion of encryption products. Thus, 
while law enforcement would like recoverable features to be 
built into all encryption products, the current policy, which 
was developed with the law enforcement community's involvement, 
does not include such a requirement.
    While certain recoverable encryption products are allowed 
to be exported today, it is not necessarily the current policy 
that has led to this result. Instead, some companies are 
seeking permission to export some recoverable products for 
certain uses because the marketplace, more specifically, the 
end-users, demand such capabilities. However, the evidence 
before the Committee strongly suggests that recoverable 
products are not currently in demand. Computer users, for the 
most part, do not support having back-door access built into 
their encryption products. Thus, current policy cannot and 
should not continue to be based on allowing recoverable 
products favorable treatment under the export regime.
    Consequently, the Committee has turned to the legislative 
process to provide a sound policy for the export of encryption 
products. The policy contained in H.R. 850, as reported by the 
Committee on Commerce, addresses the needs of law enforcement 
to access encrypted communications while easing existing export 
restrictions that hamper domestic manufacturers of encryption 
products.
    As reported by the Committee on Commerce, H.R. 850 takes a 
significant step towards addressing the concerns of law 
enforcement. The legislation creates a ``National Electronic 
Technologies Center'' (NET Center) that will assemble experts 
on encryption technology to develop and advise law enforcement 
officials on how to access encrypted electronic communications 
or information. The NET Center also will look ahead to future 
technologies and assist law enforcement with decryption 
techniques as new technologies are introduced. The Committee 
concludes that a partnership between the industry and law 
enforcement is an appropriate means to help law enforcement 
protect public safety. The Committee also believes that this 
approach will provide for increased access to encrypted 
communications and information.
    The bill, as reported by the Committee, also addresses the 
needs of domestic manufacturers of encryption products by 
granting export relief for certain encryption products. This 
change in export policy should place the U.S. high technology 
industry in a position where domestic companies producing 
encryption products can compete on a level playing field with 
their competitors in a global market. Moreover, H.R. 850 seeks 
to push for further relief for U.S. manufacturers by directing 
the Department of Commerce to reduce foreign impediments to 
trade.
    H.R. 850 also codifies current policy regarding the 
availability and use of encryption products within the U.S. The 
Committee has great interest in making sure that the current 
policy, which does not restrict the legitimate use of 
encryption products within the U.S., does not change.
    On process, the Administration argues that there is no need 
for legislation on this matter because current policy allows 
for more flexible regulation updates than allowed for under 
H.R. 850. This perspective, however, ignores or overlooks two 
very important respects. First, while revising current export 
restrictions through modification of Federal regulations is 
possible, the Administration has shown little interest, beyond 
certain strong rhetoric, in providing the significant export 
relief contemplated by H.R. 850. Thus, while altering current 
regulations could be a faster mechanism to change policy than 
legislation, there is no evidence that the Administration will 
make such changes any time soon. Further, the approach 
contained in section 7 of H.R. 850, as reported by the 
Committee (basing the permissible export of encryption products 
by U.S. companies on the availability of encryption products 
already in the market), provides significant and sufficient 
flexibility to respond to the changing marketplace for 
encryption products.
    Overall, the Committee finds that H.R. 850, as reported, 
strikes the appropriate balance between the needs of law 
enforcement and those of the U.S. high technology industry and 
business community.

                                Hearings

    The Subcommittee on Telecommunications, Trade, and Consumer 
Protection held a legislative hearing on H.R. 850, the Security 
And Freedom through Encryption (SAFE) Act, on May 25, 1999. The 
Subcommittee received testimony from: The Honorable William A. 
Reinsch, Undersecretary of Commerce for Export Administration, 
United States Department of Commerce; The Honorable Ronald D. 
Lee, Associate Deputy Attorney General, United States 
Department of Justice; The Honorable Barbara A. McNamara, 
Deputy Director, National Security Agency; Mr. David D. Dawson, 
Chairman and CEO, V-ONE Corporation; Mr. Paddy Holahan, 
Executive Vice President of Marketing, Baltimore Technologies; 
Mr. Richard Hornstein, Vice President of Legal Affairs, 
Taxation, and Corporate Development, Network Associates, on 
behalf of the Business Software Alliance; Mr. Tom Arnold, Vice 
President & Chief Technology Officer, CyberSource Corp.; Dr. E. 
Eugene Schultz, Ph.D., CISSP, Trusted Security Advisor and 
Research Director, Global Integrity Corporation; and Mr. Ed 
Gillespie, Executive Director, Americans for Computer Privacy 
(ACP).

                        Committee Consideration

    On June 16, 1999, the Subcommittee on Telecommunications, 
Trade, and Consumer Protection met in open markup session and 
approved H.R. 850, the Security And Freedom through Encryption 
(SAFE) Act, for Full Committee consideration, amended, by a 
voice vote. On June 23, 1999, the Full Committee met in open 
markup session and ordered H.R. 850 reported to the House, 
amended, by a voice vote, a quorum being present.

                            Committee Votes

    Clause 3(b) of rule XIII of the Rules of the House requires 
the Committee to list the record votes on the motion to report 
legislation and amendments thereto. There were no record votes 
taken in connection with ordering H.R. 850, the Security And 
Freedom through Encryption (SAFE) Act, reported. The following 
amendments were considered and agreed to by voice votes:

          An Amendment by Mr. Oxley, No. 1, to clarify that 
        because a product may be allowed to be exported under 
        this bill because it has encryption capabilities does 
        not prevent the Secretary of Commerce from prohibiting 
        its export for other reasons;
          An Amendment by Mr. Dingell, No. 2, to require that 
        in order for a U.S. manufacturer to export a product to 
        a particular country a comparable security product must 
        be commercially available in that particular country;
          An Amendment by Mr. Oxley, No. 3, to expand the list 
        of reasons for which the Secretary of Commerce can deny 
        the export of encryption products to specific groups 
        and organizations to include: (A) used to harm national 
        security, (B) used to sexually exploit children, or (C) 
        used for illegal activities by organized crime;
          An Amendment by Mr. Oxley, No. 4, to require the 
        Secretary of Commerce to consult with the Secretary of 
        Defense, the Secretary of State, the Attorney General, 
        and the Director of the Central Intelligence Agency 
        when conducting a technical review of an encryption 
        product for export;
          An Amendment by Mr. Stearns, No. 6, to prohibit the 
        ability of U.S. companies to export products to the 
        People's Liberation Army or Communist Chinese Military; 
        and
          An Amendment by Mr. Stearns, No. 7, to require that 
        if a person was served a subpoena for access to 
        encrypted information and if the person had the 
        capability to decrypt the information but did not, then 
        the person would be subject to additional criminal 
        penalties.

    In addition, the following amendments were offered and 
withdrawn by unanimous consent:

          An Amendment by Mr. Oxley, No. 5, to allow Federal 
        government agencies to condition their contracts with 
        the private sector to require use of a particular 
        encryption technology (e.g., recoverable encryption 
        products); and
          A unanimous consent request by Mr. Tauzin to amend 
        the Oxley Amendment by adding ``to assist in the 
        performance of national security or law enforcement 
        function'' in line 4, after the word ``entity''.

    A second unanimous consent request by Mr. Tauzin to amend 
the Oxley Amendment by striking ``with a non-Government 
entity'' in line 4 and inserting in lieu thereof ``performing 
national security or law enforcement functions with a non-
Government entity'', was pending when the Oxley Amendment was 
withdrawn by unanimous consent.
    A motion by Mr. Bliley to order H.R. 850 reported to the 
House, amended, was agreed to by a voice vote, a quorum being 
present.

                      Committee Oversight Findings

    Pursuant to clause 3(c)(1) of rule XIII of the Rules of the 
House of Representatives, the Committee held a legislative 
hearing and made findings that are reflected in this report.

           Committee on Government Reform Oversight Findings

    Pursuant to clause 3(c)(4) of rule XIII of the Rules of the 
House of Representatives, no oversight findings have been 
submitted to the Committee by the Committee on Government 
Reform.

   New Budget Authority, Entitlement Authority, and Tax Expenditures

    In compliance with clause 3(c)(2) of rule XIII of the Rules 
of the House of Representatives, the Committee finds that H.R. 
850, the Security And Freedom through Encryption (SAFE) Act, 
would result in no new or increased budget authority, 
entitlement authority, or tax expenditures or revenues.

                        Committee Cost Estimate

    The Committee adopts as its own the cost estimate prepared 
by the Director of the Congressional Budget Office pursuant to 
section 402 of the Congressional Budget Act of 1974.

                  Congressional Budget Office Estimate

    Pursuant to clause 3(c)(3) of rule XIII of the Rules of the 
House of Representatives, the following is the cost estimate 
provided by the Congressional Budget Office pursuant to section 
402 of the Congressional Budget Act of 1974:

                                     U.S. Congress,
                               Congressional Budget Office,
                                      Washington, DC, July 1, 1999.
Hon. Tom Bliley,
Chairman, Committee on Commerce,
House of Representatives, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for H.R. 850, the Security 
and Freedom Through Encryption (SAFE) Act.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contacts are Mark Hadley 
and Mark Grabowicz (for federal costs), and Shelley Finlayson 
(for the state and local impact).
            Sincerely,
                                          Barry B. Anderson
                                    (For Dan L. Crippen, Director).
    Enclosure.

H.R. 850--Security and Freedom Through Encryption (SAFE) Act

    Summary: H.R. 850 would allow individuals in the United 
States to use and sell any form of encryption and would 
prohibit states or the federal government from requiring 
individuals to relinquish the key to encryption products. The 
bill also would prevent the Department of Commerce (DOC) from 
restricting the export of most nonmilitary encryption products. 
H.R. 850 would establish a National Electronic Technologies 
(NET) Center within DOC's National Telecommunications and 
Information Administration (NTIA) to provide assistance and 
information on encryption products to law enforcement 
officials. The bill also would require the Attorney General to 
maintain data on the instances in which encryption impedes or 
obstructs the ability of the Department of Justice (DOJ) to 
enforce criminal laws. Finally, the bill would establish 
criminal penalties and fines for the use of encryption 
technologies to conceal incriminating information related to a 
felony, for transferring certain encryption products to the 
military of the People's Republic of China, and for providing 
information that is required by a court order in only an 
encrypted format.
    Assuming the appropriation of the necessary amounts, CBO 
estimates that enacting this bill would result in additional 
discretionary spending by DOC and DOJ of at least $25 million 
over the 2000-2004 period. Enacting H.R. 850 also would affect 
direct spending and receipts. Therefore, pay-as-you-go 
procedures would apply. CBO estimates, however, that the 
amounts of additional direct spending and receipts would not be 
significant.
    H.R. 850 contains intergovernmental mandates on state 
governments as defined in the Unfunded Mandates Reform Act 
(UMRA). CBO estimates that states would not incur any costs to 
comply with the mandates, and that local and tribal governments 
would not be affected by the bill. H.R. 850 contains no new 
private-sector mandates as defined in UMRA.
    Estimated cost to the Federal Government: CBO estimates 
that implementing H.R. 850 would increase discretionary costs 
for DOC and DOJ by about $5 million a year over the 2000-2004 
period. The costs of this legislation fall within budget 
function 370 (commerce and housing credit) and 750 
(administration of justice). Direct spending and revenues would 
also increase, but by less than $500,000 a year.

Spending subject to appropriation

    Under current policy, BXA would likely spend about $500,000 
a year reviewing exports of encryption products, assuming 
appropriation of the necessary amounts. In November 1996, the 
Administration issued an executive order and memorandum that 
authorized BXA to control the export of all nonmilitary 
encryption products. If H.R. 850 were enacted, BXA would still 
be required to review requests to export most computer hardware 
with encryption capabilities but would not be required to 
review most requests to export computer software with 
encryption capabilities. Within two years of enactment, H.R. 
850 would shift such responsibilities and the associated costs 
from BXA to NTIA. Thus, CBO estimates that implementing H.R. 
850 not significantly change costs to DOC to control exports of 
nonmilitary encryption products.
    H.R. 850 would require the Secretary of Commerce to conduct 
a number of studies on electronic commerce and domestic and 
foreign impediments to trade in encryption products. Based on 
information from the Department of Commerce, CBO estimates that 
completing the required studies would cost about $1 million in 
fiscal year 2000, assuming appropriation of the necessary 
funds.
    H.R. 850 would establish within NTIA the NET Center, which 
would assist federal, state, and local law enforcement agencies 
with issues involving encryption and information security. The 
bill would assign the NET Center a broad range of duties, 
including providing information and assistance, serving as an 
information clearinghouse, and conducting research. The costs 
to establish and operate the NET Center would depend on the 
extent to which service would be provided to the law 
enforcement community nationwide. Based on information from 
DOC, we estimate that the minimum costs to fulfill the bill's 
requirements would be roughly $4 million annually, but the 
costs could be much greater. Any spending relating to the NET 
Center would be subject to the availability of appropriations.
    DOJ would also be required to collect and maintain data on 
the instances in which encryption impedes or obstructs the 
ability of the agency to enforce criminal laws. CBO projects 
that collecting and maintaining the data would cost DOJ between 
$500,000 and $1 million a year.Because H.R. 850 would establish 
new federal crimes, CBO anticipates that the U.S. government would be 
able to pursue cases that it otherwise would be unable to prosecute. 
Based on information from DOJ, however, we do not expect the government 
to pursue many additional cases. Thus, CBO estimates that implementing 
these provisions would not have a significant impact on the cost of 
federal law enforcement activity.

Direct spending and revenues

    Enacting H.R. 850 would affect direct spending and receipts 
by imposing criminal fines. Collections of such fines are 
recorded in the budget as governmental receipts (i.e., 
revenues), which are deposited in the Crime Victims Fund and 
spent in subsequent years. Any additional collections as a 
result of this bill are likely to be negligible, however, 
because the federal government would probably not pursue many 
cases under the bill. Because any increase in direct spending 
would equal the fines collected (with a lag of one year or 
more), the additional direct spending also would be negligible.
    Direct spending and revenues also could result from the 
provision that would allow the NET Center to accept donations 
to further its work. CBO expects that the amount of any 
contributions (recorded in the budget as revenues) would be 
less than $500,000 a year, and that they would be used in the 
same year as they were received. Therefore, we estimate that 
the net budgetary impact of the gift authority granted to the 
NET Center would be negligible for all years.
    Pay-as-you-go considerations: The Balanced Budget and 
Emergency Control Act sets up pay-as-you-go procedures for 
legislation affecting direct spending or receipts. H.R. 850 
would affect direct spending and receipts by imposing criminal 
fines and by allowing the new NET Center to accept donations. 
CBO estimates that the amounts of additional direct spending 
and receipts would not be significant.
    Estimated impact on State, local, and tribal governments: 
H.R. 850 would preempt state law by prohibiting states from 
setting standards for encryption products or methodology. The 
bill would also prohibit states from requiring persons to build 
decryption keys into computer hardware or software, make 
decryption keys available to another person or entity, or 
retain encryption keys. These preemptions would be mandates as 
defined by UMRA. However, states would bear no costs as the 
result of the mandates because none currently require the 
availability of such keys or require private individuals to use 
a particular encryption standard.
    Estimated impact on the private sector: This bill would 
impose no new private-sector mandates as defined in UMRA.
    Previous CBO estimates: On April 21, 1999, CBO transmitted 
a cost estimate for H.R. 850 as ordered reported by the House 
Committee on the Judiciary on May 24, 1999. CBO estimated that 
the Judiciary Committee's version would increase total 
discretionary costs over the 2000-2004 period by between $3 
million and $5 million. In comparison, CBO estimates that 
implementing this version of the bill would cost at least $25 
million over the same period.
    Estimate prepared by: Federal Costs: Mark Hadley and Mark 
Grabowicz. Impact on State, Local and Tribal Governments: 
Shelly Finlayson.
    Estimate approved by: Robert A. Sunshine, Deputy Assistant 
Director for Budget Analysis.

                       Federal Mandates Statement

    The Committee adopts as its own the estimate of Federal 
mandates prepared by the Director of the Congressional Budget 
Office pursuant to section 423 of the Unfunded Mandates Reform 
Act.

                      Advisory Committee Statement

    Section 9 of H.R. 850 creates an Advisory Board of the 
Strategic NET Center to advise the Federal government on new 
technologies relating to encryption. Pursuant to the 
requirements of subsection 5(b) of the Federal Advisory 
Committee Act, the Committee finds that the functions of the 
proposed advisory committee are not and cannot be performed by 
an existing Federal agency or advisory commission or by 
enlarging the mandate of an existing advisory committee.

                   Constitutional Authority Statement

    Pursuant to clause 3(d)(1) of rule XIII of the Rules of the 
House of Representatives, the Committee finds that the 
Constitutional authority for this legislation is provided in 
Article I, section 8, clause 3, which grants Congress the power 
to regulate commerce with foreign nations, among the several 
States, and with the Indian tribes.

                  Applicability to Legislative Branch

    The Committee finds that the legislation does not relate to 
the terms and conditions of employment or access to public 
services or accommodations within the meaning of section 
102(b)(3) of the Congressional Accountability Act.

             Section-by-Section Analysis of the Legislation


Section 1. Short title

    Section 1 establishes the short title of the bill as the 
``Security And Freedom through Encryption (SAFE) Act.''

Section 2. Definitions

    Section 2 provides for definitions of terms to be used in 
the bill including ``computer hardware,'' ``encrypt or 
encryption,'' ``encryption product,'' ``key,'' ``key recovery 
information,'' ``person,'' ``Secretary,'' ``State,'' and 
``United States person.'' In addition, section 2 ties the 
definitions of ``wire communications'' and ``electronic 
communications'' to their definitions contained in the existing 
Federal wiretap statute, section 2510 et seq. of title 18, U.S. 
Code.

Section 3. Ensuring development and deployment of encryption is a 
        voluntary private sector activity

    Section 3(a) establishes as policy that the use, 
development, manufacture, sale, distribution, and importation 
of encryption products used for confidentiality, authenticity, 
or integrity be voluntary and market driven. Section 3(b) 
prohibits the Federal government or any State from 
conditioning, tying, or linking the encryption products, 
standards, or services used for confidentiality with those used 
for authentication or integrity purposes.

Section 4. Protection of domestic sale and use of encryption

    Section 4 codifies current policy that it is lawful for a 
person within any State or any United States person in a 
foreign country to use any encryption product, regardless of 
the encryption algorithm selected, encryption length chosen, 
existence of key recovery, other plaintext access capability, 
or implementation or medium used.

Section 5. Prohibition on mandatory government access to plaintext

    Section 5(a) prohibits the Federal government or a State 
from requiring, conditioning approval, providing incentives 
for, or tying any benefit to a requirement that a decryption 
key, access to a key, key recovery information, or any other 
plaintext access capability be: (1) built into any hardware or 
software; (2) given to any person; or (3) retained by the owner 
or user of an encryption key or any other person.
    Section 5(b) provides an exception to subsection (a) for 
access by law enforcement officers or any member of the 
intelligence community acting pursuant to lawful authority to 
require a party to provide access to encrypted communications 
or information.

Section 6. Unlawful use of encryption in furtherance of a criminal act

    Section 6(a) makes it a crime to knowingly and willfully 
encrypt incriminating communications or information relating to 
a felony with the intent to conceal information in order to 
avoid detection by law enforcement agencies or prosecution. A 
person found guilty of this offense may be fined, imprisoned 
for not more than 5 years, or both. Second and subsequent 
offenses may result in a fine, imprisonment of not more than 10 
years, or both.
    Section 6(b) states that the use of encryption cannot, by 
itself, be the basis for establishing probable cause with 
respect to a criminal offense or a search warrant.

Section 7. Exports of encryption

    Section 7(a) of the bill would amend the Export 
Administration Act of 1979 to add a new section 17(g).
    New subsection (g)(1) provides the Secretary of Commerce 
(the Secretary) with exclusive authority over the export 
control of all encryption related products and equipment, 
except those designed or modified for military use. New 
subsection (g)(2) requires the Administrator of the National 
Telecommunications and Information Administration (NTIA) to 
identify, define, and determine which encryption products are 
designed for improvement of network security, network 
reliability, or data security. New subsection (g)(2) also 
requires the Secretary to delegate, within a two year period 
from the date of enactment, authority for all export 
determinations and technical product reviews for encryption 
products used to improve network reliability, network security 
and data security to NTIA within the Department of Commerce. 
The Secretary is given authority to further delegate other 
encryption products beyond those identified in subparagraph (A) 
to NTIA.
    New subsection (g)(3) requires the Secretary, after a 30 
working day technical review (which includes consultation with 
the Departments of Defense, State, and Justice, and the Central 
Intelligence Agency) of each encryption product, to provide for 
the export of encryption products without a license for 
generally available encryption software and hardware products, 
generally available products containing encryption, generally 
available products with encryption capabilities, technical 
assistance and data used to install or maintain generally 
available encryption products, products containing encryption, 
products with encryption capabilities, and encryption products 
not used for confidentiality purposes.
    New subsection (g)(4) requires the Secretary, after a 30 
working day technical review (which includes consultation with 
the Departments of Defense, State, and Justice, and the Central 
Intelligence Agency) of each encryption product, to allow the 
export of custom-designed encryption products and custom-
designed products with encryption capabilities if those 
products are permitted for use by international financial 
institutions or if comparable products are commercially 
available in such country. An exception to this subsection 
exists if there is substantial evidence that these products 
will be used: (1) for military or terrorist end-use, or 
modified for military or terrorist end-use; (2) to harm U.S. 
national security, including U.S. capabilities fighting drug 
trafficking, terrorism, or espionage; (3) in illegal activities 
involving sexual exploitation of, abuse of, or sexually 
explicit conduct with minors; or (4) in illegal activities 
involving organized crime. New subsection (g)(5) provides 
definitions for ``computer hardware,'' ``computing device,'' 
``customer premises equipment,'' ``data security,'' 
``encryption,'' ``generally available,'' ``network 
reliability,'' ``network security,'' ``technical assistance,'' 
``technical data,'' and ``technical review.''
    Section 7(b) amends section 103(b) of the National 
Telecommunications and Information Administration Organization 
Act to provide specific authority to carry out the functions 
relating to export determinations and technical product reviews 
of encryption products used for network security, network 
reliability, or data security, as added by section 7(a). 
Section 7(c) prevents the Secretary from requiring export 
licenses for products that as of the date of enactment of the 
bill are not required to have one.
    Section 7(d)(1) provides a savings clause to make clear 
that nothing in the bill affects the President's authority 
under the International Emergency Economic Powers Act, the 
Trading with the Enemy Act, or the Export Administration Act of 
1979 to prohibit the export of encryption products to terrorist 
nations or nations that have been determined to repeatedly 
support acts of international terrorism, or to impose an 
embargo on exports to and imports from a specific country. 
Section 7(d)(2) provides the Secretary of Commerce authority to 
prohibit the export to an individual or organization in a 
specified foreign country of a specific encryption product if 
there is substantial evidence that the product will be used: 
(1) for military or terrorist end-use, or modified for military 
or terrorist end-use; (2) to harm U.S. national security, 
including U.S. capabilities fighting drug trafficking, 
terrorism, or espionage; (3) in illegal activities involving 
sexual exploitation of, abuse of, or sexually explicit conduct 
with minors; or (4) in illegal activities involving organized 
crime. Section 7(d)(3) provides a savings clause to make clear 
that nothing in the bill prevents the Secretary from denying 
the export of products with encryption capabilities for other 
reasons than encryption.
    Section 7(e) deems that the Export Administration Act of 
1979 be in effect for the purpose of carrying out the amendment 
contained in this section of the bill.

Section 8. Government procurement of encryption products

    Section 8 clarifies Federal procurement policy with regard 
to encryption products. Section 8(a) establishes that it is the 
policy of the United States to promote public interaction with 
the government while promoting privacy and security for 
electronic communications or stored information.
    Section 8(b) clarifies that a Federal government agency, 
department or instrumentality is permitted without restriction 
to purchase and use encryption products of any nature for their 
own internal purposes. Conversely, section 8(c) prevents the 
Federal government from using its transactions with the private 
sector through contracts, procurement, individual contacts and 
the like to be a mechanism to encourage or mandate the use of 
any type of encryption product.

Section 9. National Electronic Technologies Center

    Section 9 amends Part A of the National Telecommunications 
and Information Administration Organization Act to add a new 
section 106.
    New section 106 establishes within NTIA a National 
Electronic Technologies Center (referred to as the ``NET 
Center''). The primary purpose of the NET Center is to provide 
technical assistance to law enforcement agencies so that they 
may cope with new technology challenges. Specifically, the NET 
Center will be responsible for serving as a national center for 
Federal, State, and local law enforcement authorities for 
information and assistance regarding decryption. It will also 
serve as a national center where industry and government can 
gather to exchange information regarding data security. In 
addition, the NET Center will be required to: (1) examine 
encryption techniques and methods to facilitate the ability of 
law enforcement to gain access to plaintext of communications 
and electronic information; (2) conduct research to improve law 
enforcement's means of access to encrypted communications; (3) 
determine whether other techniques can be used to help law 
enforcement access communications and electronic information; 
and (4) obtain information regarding the most current computer 
hardware, computer software, and telecommunications equipment 
to understand how best to access communications.
    Administratively, the Administrator of NTIA will appoint 
the Director of the NET Center and the Director will be 
responsible for hiring personnel that he or she determines is 
necessary to carry out the duties of the NET Center. Other 
Federal government agencies may also ``loan'' personnel to the 
NET Center or provide facilities, information, and other non-
personnel resources. In addition, the NET Center may accept 
donations in the form of money, services, or property from the 
private sector to help it function. Such donations shall be 
deposited in the Treasury and shall be available for 
disbursement upon order of the Director.
    Within two months after the date of enactment of this Act, 
the Administrator of NTIA will be required to develop a plan 
for the establishment of the NET Center. The plan must be 
published in the Federal Register and must identify: the 
physical location of the NET Center; equipment, software, and 
personnel necessary for the NET Center to function; the amount 
of funding necessary to establish and operate the NET Center; 
and sources of probable funding for the NET Center, including 
any sources of in-kind contributions from private industry.
    In addition, new section 106(h) creates an Advisory Board 
of the NET Center, which is intended to advise the government 
on new technologies relating to encryption. The Administrator 
of NTIA is required to appoint a chairman of the Advisory Board 
and members of the Advisory Board must have technical expertise 
in the field of encryption, decryption, electronic 
communication, information security, electronic commerce, or 
law enforcement. More specifically, the purpose of the Advisory 
Board is to advise the NET Center and the Federal government 
regarding new and emerging technologies relating to encryption 
and decryption of communications and electronic information.

Section 10. Study of network and data security issues

    Section 10 amends Part C of the National Telecommunications 
and Information Administration Organization Act to add a new 
section 156.
    New section 156(a) requires NTIA to conduct an annual in-
depth analysis of: (1) the relationship between network 
reliability, network security, and data security and the 
conduct of transactions in interstate commerce; (2) the 
availability of various methods for encrypting communications; 
and, (3) the effects of various methods on providing access to 
encrypted communications and to information to further law 
enforcement activities.
    New section 156(b) requires NTIA to specifically examine on 
the current availability and availability expected in one year 
of the encryption products that meet or would meet the tests 
under section 7 of the bill, as reported by the Committee on 
Commerce, and thus qualify to be exported. While section 7 
provides extensive definitions to help clarify what encryption 
products would qualify for export relief, there will still be 
some debate and dispute over certain encryption products. New 
subsection (b) is intended to provide an examination of the 
products as they exist in the marketplace and those products 
that are expected to be available within a one year time 
period. The forward-looking aspect of this provision will 
provide industry and government a very good vision of what is 
expected to come to market in the near future.
    New subsection 156(c) requires NTIA to report to Congress 
and the President within one year, and annually thereafter, on 
its findings under this section. New section 156(d) states that 
definitions of ``data security,'' ``encryption,'' ``network 
reliability,'' and ``network security'' have the same meaning 
as contained in the Export Administration Act of 1979, as 
amended by this bill, and that the definitions of ``Internet'' 
and ``interactive computer systems'' have the same meaning as 
contained in the Communications Act of 1934.

Section 11. Treatment of encryption in interstate and foreign commerce

    Section 11 requires the Secretary of Commerce to undertake 
certain activities in order to promote the export of U.S. 
encryption products in the global market. Through such 
instruction to the Secretary of Commerce, the Committee intends 
to promote robust participation by U.S. firms in the 
development of global electronic commerce. The Committee is 
concerned that as U.S. export policy with regards to encryption 
products is relaxed, through passage of this legislation, other 
countries may attempt to impose import barriers as a mechanism 
to maintain the status quo with regards to the availability of 
U.S. encryption products. Section 11 isintended to address this 
real possibility by requiring active, positive action by the 
Administration in order to prevent this from happening.
    Subsection (a) requires the Secretary of Commerce to 
complete an inquiry within 180 days of the enactment of this 
Act to identify both domestic and foreign impediments to trade 
in encryption products and services. Such an inquiry would 
include the identification of import restrictions maintained by 
other countries that constitute unfair barriers. The inquiry 
would also include an examination of U.S. regulations, such as 
export restrictions, that may actually impede trade in 
encryption products and services.
    Subsection (b) requires the Secretary to adopt regulations 
within one year of the Act's enactment that are intended to 
reduce foreign and domestic impediments to encryption products 
and services. The regulations must be designed to promote the 
sale in foreign markets of U.S. encryption products and 
services, including through strengthening the competitiveness 
of U.S. providers of such products and services.
    Subsection (c)(1) requires that upon completion of the six-
month inquiry into foreign and domestic impediments to trade in 
encryption products and services, the Secretary of Commerce 
shall submit a report to the President on his or her findings. 
The report must include a determination by the Secretary on 
what impediments may require international negotiation to 
reduce.
    Subsection (c)(2) requires the President to negotiate with 
other countries for agreements designed to promote encryption 
products and services and to achieve mutual recognition of 
export controls. Export controls may be designed to preserve 
countries' national security, safeguard privacy interests, and 
prevent commercial espionage. Mutual recognition of export 
controls will promote the sale in foreign commerce of U.S. 
encryption products and services by facilitating a common 
approach by the U.S. and our trading partners. Subsection 
(c)(2) also enables the President to consider a country's 
refusal to negotiate such agreements when considering U.S. 
participation in an assistance or cooperation program with that 
country. Finally, the subsection requires the President to 
submit a report to the Congress regarding the status of 
international efforts on encryption not later than December 31, 
2000.

Section 12. Collection of information on effect of encryption on law 
        enforcement activities

    Section 12(a) requires the Attorney General to compile 
information on instances in which encryption has interfered 
with, impeded, or obstructed the ability of the Department of 
Justice to enforce Federal criminal law and to maintain that 
information in classified form. Subsection (b) requires that 
the Attorney General shall make the information compiled under 
subsection (a), including an unclassified summary, available to 
Members of Congress upon request.

Section 13. Prohibition on transfers to PLA and Communist Chinese 
        military companies

    Section 13 adds new criminal penalties for knowingly and 
willfully exporting encryption products above 56 bits to the 
People's Liberation Army or to any Communist Chinese military 
company. Under section 13(a), a person found guilty of this 
offense may be fined, imprisoned for not more than 5 years, or 
both. Second and subsequent offenses may result in a fine, 
imprisonment of not more than 10 years, or both.
    Section 13(b) provides definitions used in the section, 
including ``Communist Chinese military company.'' The Committee 
notes that this definition will be based on section 1237(b)(2) 
of the Strom Thurmond National Defense Authorization Act for 
Fiscal Year 1999 once the Administration complies with the 
requirement to identify and list such companies.

Section 14. Failure to decrypt information obtained under court order

    Section 14 adds new criminal penalties for individuals that 
fail to comply with a court order to provide access to 
encrypted information if they have possession of the key or 
other such capabilities to decrypt the information into a 
readable or comprehensive manner prior to its encryption. Under 
section 14, a person found guilty of this offense may be fined, 
imprisoned for not more than 5 years, or both. Second and 
subsequent offenses may result in a fine, imprisonment of not 
more than 10 years, or both. The Committee does not expect that 
the interpretation of ``such capabilities'' will be expanded to 
interfere with an individual's right not to self-incriminate 
himself or herself under protection afforded by the Fifth 
Amendment to the U.S. Constitution.

         Changes in Existing Law Made by the Bill, as Reported

    In compliance with clause 3(e) of rule XIII of the Rules of 
the House of Representatives, changes in existing law made by 
the bill, as reported, are shown as follows (existing law 
proposed to be omitted is enclosed in black brackets, new 
matter is printed in italic, existing law in which no change is 
proposed is shown in roman):

          SECTION 17 OF THE EXPORT ADMINISTRATION ACT OF 1979


                          effect on other acts

  Sec. 17. (a) * * *

           *       *       *       *       *       *       *

  (g) Certain Consumer Products, Computers, and Related 
Equipment.--
          (1) General rule.--Subject to paragraphs (2), (3), 
        and (4), the Secretary shall have exclusive authority 
        to control exports of all computer hardware, software, 
        computing devices, customer premises equipment, 
        communications network equipment, and technology for 
        information security (including encryption), except 
        that which is specifically designed or modified for 
        military use, including command, control, and 
        intelligence applications.
          (2) Critical infrastructure protection products.--
                  (A) Identification.--Not later than 90 days 
                after the date of the enactment of the Security 
                And Freedom through Encryption (SAFE) Act, the 
                Assistant Secretary of Commerce for 
                Communications and Information and the National 
                Telecommunications and Information 
                Administration shall issue regulations that 
                identify, define, or determine which products 
                and equipment described in paragraph (1) are 
                designed for improvement of network security, 
                network reliability, or data security.
                  (B) NTIA responsibility.--Not later than the 
                expiration of the 2-year period beginning on 
                the date of the enactment of the Security And 
                Freedom through Encryption (SAFE) Act, all 
                authority of the Secretary under this 
                subsection and all determinations and reviews 
                required by this section, with respect to 
                products and equipment described in paragraph 
                (1) that are designed for improvement of 
                network security, network reliability, or data 
                security through the use of encryption, shall 
                be exercised through and made by the Assistant 
                Secretary of Commerce for Communications and 
                Information and the National Telecommunications 
                and Information Administration. The Secretary 
                may, at any time, assign to the Assistant 
                Secretary and the NTIA authority of the 
                Secretary under this section with respect to 
                other products and equipment described in 
                paragraph (1).
          (3) Items not requiring licenses.--After a one-time 
        technical review by the Secretary of not more than 30 
        working days, which shall include consultation with the 
        Secretary of Defense, the Secretary of State, the 
        Attorney General, and the Director of Central 
        Intelligence, no export license may be required, except 
        pursuant to the Trading with the Enemy Act or the 
        International Emergency Economic Powers Act (but only 
        to the extent that the authority of such Act is not 
        exercised to extend controls imposed under this Act), 
        for the export or reexport of--
                  (A) any computer hardware or software or 
                computing device, including computer hardware 
                or software or computing devices with 
                encryption capabilities--
                          (i) that is generally available;
                          (ii) that is in the public domain for 
                        which copyright or other protection is 
                        not available under title 17, United 
                        States Code, or that is available to 
                        the public because it is generally 
                        accessible to the interested public in 
                        any form; or
                          (iii) that is used in a commercial, 
                        off-the-shelf, consumer product or any 
                        component or subassembly designed for 
                        use in such a consumer product 
                        available within the United States or 
                        abroad which--
                                  (I) includes encryption 
                                capabilities which are 
                                inaccessible to the end user; 
                                and
                                  (II) is not designed for 
                                military or intelligence end 
                                use;
                  (B) any computing device solely because it 
                incorporates or employs in any form--
                          (i) computer hardware or software 
                        (including computer hardware or 
                        software with encryption capabilities) 
                        that is exempted from any requirement 
                        for a license under subparagraph (A); 
                        or
                          (ii) computer hardware or software 
                        that is no more technically complex in 
                        its encryption capabilities than 
                        computer hardware or software that is 
                        exempted from any requirement for a 
                        license under subparagraph (A) but is 
                        not designed for installation by the 
                        purchaser;
                  (C) any computer hardware or software or 
                computing device solely on the basis that it 
                incorporates or employs in any form interface 
                mechanisms for interaction with other computer 
                hardware or software or computing devices, 
                including computer hardware and software and 
                computing devices with encryption capabilities;
                  (D) any computing or telecommunication device 
                which incorporates or employs in any form 
                computer hardware or software encryption 
                capabilities which--
                          (i) are not directly available to the 
                        end user; or
                          (ii) limit the encryption to be 
                        point-to-point from the user to a 
                        central communications point or link 
                        and does not enable end-to-end user 
                        encryption;
                  (E) technical assistance and technical data 
                used for the installation or maintenance of 
                computer hardware or software or computing 
                devices with encryption capabilities covered 
                under this subsection; or
                  (F) any encryption hardware or software or 
                computing device not used for confidentiality 
                purposes, such as authentication, integrity, 
                electronic signatures, nonrepudiation, or copy 
                protection.
          (4) Computer hardware or software or computing 
        devices with encryption capabilities.--After a one-time 
        technical review by the Secretary of not more than 30 
        working days, which shall include consultation with the 
        Secretary of Defense, the Secretary of State, the 
        Attorney General, and the Director of Central 
        Intelligence, the Secretary shall authorize the export 
        or reexport of computer hardware or software or 
        computing devices with encryption capabilities for 
        nonmilitary end uses in any country--
                  (A) to which exports of computer hardware or 
                software or computing devices of comparable 
                strength are permitted for use by financial 
                institutions not controlled in fact by United 
                States persons, unless there is substantial 
                evidence that such computer hardware or 
                software or computing devices will be--
                          (i) diverted to a military end use or 
                        an end use supporting international 
                        terrorism;
                          (ii) modified for military or 
                        terrorist end use;
                          (iii) reexported without any 
                        authorization by the United States that 
                        may be required under this Act; or
                          (iv)(I) harmful to the national 
                        security of the United States, 
                        including capabilities of the United 
                        States in fighting drug trafficking, 
                        terrorism, or espionage, (II) used in 
                        illegal activities involving the sexual 
                        exploitation of, abuse of, or sexually 
                        explicit conduct with minors (including 
                        activities in violation of chapter 110 
                        of title 18, United States Code, and 
                        section 2423 of such title), or (III) 
                        used in illegal activities involving 
                        organized crime; or
                  (B) if the Secretary determines that a 
                computer hardware or software or computing 
                device offering comparable security is 
                commercially available in such country from a 
                foreign supplier, without effective 
                restrictions.
          (5) Definitions.--For purposes of this subsection--
                  (A) the term ``computer hardware'' has the 
                meaning given such term in section 2 of the 
                Security And Freedom through Encryption (SAFE) 
                Act;
                  (B) the term ``computing device'' means a 
                device which incorporates one or more 
                microprocessor-based central processing units 
                that can accept, store, process, or provide 
                output of data;
                  (C) the term ``customer premises equipment'' 
                means equipment employed on the premises of a 
                person to originate, route, or terminate 
                communications;
                  (D) the term ``data security'' means the 
                protection, through techniques used by 
                individual computer and communications users, 
                of data from unauthorized penetration, 
                manipulation, or disclosure;
                  (E) the term ``encryption'' has the meaning 
                given such term in section 2 of the Security 
                And Freedom through Encryption (SAFE) Act;
                  (F) the term ``generally available'' means, 
                in the case of computer hardware or computer 
                software (including computer hardware or 
                computer software with encryption 
                capabilities)--
                          (i) computer hardware or computer 
                        software that is--
                                  (I) distributed through the 
                                Internet;
                                  (II) offered for sale, 
                                license, or transfer to any 
                                person without restriction, 
                                whether or not for 
                                consideration, including, but 
                                not limited to, over-the-
                                counter retail sales, mail 
                                order transactions, phone order 
                                transactions, electronic 
                                distribution, or sale on 
                                approval;
                                  (III) preloaded on computer 
                                hardware or computing devices 
                                that are widely available for 
                                sale to the public; or
                                  (IV) assembled from computer 
                                hardware or computer software 
                                components that are widely 
                                available for sale to the 
                                public;
                          (ii) not designed, developed, or 
                        tailored by the manufacturer for 
                        specific purchasers or users, except 
                        that any such purchaser or user may--
                                  (I) supply certain 
                                installation parameters needed 
                                by the computer hardware or 
                                software to function properly 
                                with the computer system of the 
                                user or purchaser; or
                                  (II) select from among 
                                options contained in the 
                                computer hardware or computer 
                                software; and
                          (iii) with respect to which the 
                        manufacturer of that computer hardware 
                        or computer software--
                                  (I) intended for the user or 
                                purchaser, including any 
                                licensee or transferee, to 
                                install the computer hardware 
                                or software and has supplied 
                                the necessary instructions to 
                                do so, except that the 
                                manufacturer of the computer 
                                hardware or software, or any 
                                agent of such manufacturer, may 
                                also provide telephone or 
                                electronic mail help line 
                                services for installation, 
                                electronic transmission, or 
                                basic operations; and
                                  (II) the computer hardware or 
                                software is designed for such 
                                installation by the user or 
                                purchaser without further 
                                substantial support by the 
                                manufacturer;
                  (G) the term ``network reliability'' means 
                the prevention, through techniques used by 
                providers of computer and communications 
                services, of the malfunction, and the promotion 
                of the continued operations, of computer or 
                communications network;
                  (H) the term ``network security'' means the 
                prevention, through techniques used by 
                providers of computer and communications 
                services, of unauthorized penetration, 
                manipulation, or disclosure of information of a 
                computer or communications network;
                  (I) the term ``technical assistance'' 
                includes instruction, skills training, working 
                knowledge, consulting services, and the 
                transfer of technical data;
                  (J) the term ``technical data'' includes 
                blueprints, plans, diagrams, models, formulas, 
                tables, engineering designs and specifications, 
                and manuals and instructions written or 
                recorded on other media or devices such as 
                disks, tapes, or read-only memories; and
                  (K) the term ``technical review'' means a 
                review by the Secretary of computer hardware or 
                software or computing devices with encryption 
                capabilities, based on information about the 
                product's encryption capabilities supplied by 
                the manufacturer, that the computer hardware or 
                software or computing device works as 
                represented.
                              ----------                              


NATIONAL TELECOMMUNICATIONS AND INFORMATION ADMINISTRATION ORGANIZATION 
                                  ACT

           *       *       *       *       *       *       *


  TITLE I--NATIONAL TELECOMMUNICATIONS AND INFORMATION ADMINISTRATION

                  PART A--ORGANIZATION AND FUNCTIONS

           *       *       *       *       *       *       *


SEC. 103. ESTABLISHMENT; ASSIGNED FUNCTIONS.

  (a) * * *
  (b) Assigned Functions.--
          (1) * * *

           *       *       *       *       *       *       *

          (4) Export of communications transaction 
        technologies.--In accordance with section 17(g)(2) of 
        the Export Administration Act of 1979 (50 U.S.C. App. 
        2416(g)(2)), the Secretary shall assign to the 
        Assistant Secretary and the NTIA the authority of the 
        Secretary under such section 17(g), with respect to 
        products and equipment described in paragraph (1) of 
        such section that are designed for improvement of 
        network security, network reliability, or data 
        security, that (after the expiration of the 2-year 
        period beginning on the date of the enactment of the 
        Security And Freedom through Encryption (SAFE) Act) is 
        to be exercised by the Assistant Secretary and the 
        NTIA.

           *       *       *       *       *       *       *


SEC. 106. NATIONAL ELECTRONIC TECHNOLOGIES CENTER.

  (a) Establishment.--There is established in the NTIA a 
National Electronic Technologies Center (in this section 
referred to as the ``NET Center'').
  (b) Director.--The NET Center shall have a Director, who 
shall be appointed by the Assistant Secretary.
  (c) Duties.--The duties of the NET Center shall be--
          (1) to serve as a center for industry and government 
        entities to exchange information and methodology 
        regarding data security techniques and technologies;
          (2) to examine encryption techniques and methods to 
        facilitate the ability of law enforcement to gain 
        efficient access to plaintext of communications and 
        electronic information;
          (3) to conduct research to develop efficient methods, 
        and improve the efficiency of existing methods, of 
        accessing plaintext of communications and electronic 
        information;
          (4) to investigate and research new and emerging 
        techniques and technologies to facilitate access to 
        communications and electronic information, including --
                  (A) reverse-steganography;
                  (B) decompression of information that 
                previously has been compressed for 
                transmission; and
                  (C) de-multiplexing;
          (5) to obtain information regarding the most current 
        computer hardware and software, telecommunications, and 
        other capabilities to understand how to access 
        information transmitted across computer and 
        communications networks; and
          (6) to serve as a center for Federal, State, and 
        local law enforcement authorities for information and 
        assistance regarding decryption and other access 
        requirements.
  (d) Equal Access.--State and local law enforcement agencies 
and authorities shall have access to information, services, 
resources, and assistance provided by the NET Center to the 
same extent that Federal law enforcement agencies and 
authorities have such access.
  (e) Personnel.--The Director may appoint such personnel as 
the Director considers appropriate to carry out the duties of 
the NET Center.
  (f) Assistance of Other Federal Agencies.--Upon the request 
of the Director of the NET Center, the head of any department 
or agency of the Federal Government may, to assist the NET 
Center in carrying out its duties under this section--
          (1) detail, on a reimbursable basis, any of the 
        personnel of such department or agency to the NET 
        Center; and
          (2) provide to the NET Center facilities, 
        information, and other non-personnel resources.
  (g) Private Industry Assistance.--The NET Center may accept, 
use, and dispose of gifts, bequests, or devises of money, 
services, or property, both real and personal, for the purpose 
of aiding or facilitating the work of the Center. Gifts, 
bequests, or devises of money and proceeds from sales of other 
property received as gifts, bequests, or devises shall be 
deposited in the Treasury and shall be available for 
disbursement upon order of the Director of the NET Center.
  (h) Advisory Board.--
          (1) Establishment.--There is established the Advisory 
        Board of the NET Center (in this subsection referred to 
        as the ``Advisory Board''), which shall be comprised of 
        11 members who shall have the qualifications described 
        in paragraph (2) and who shall be appointed by the 
        Assistant Secretary not later than 6 months after the 
        date of the enactment of this Act. The chairman of the 
        Advisory Board shall be designated by the Assistant 
        Secretary at the time of appointment.
          (2) Qualifications.--Each member of the Advisory 
        Board shall have experience or expertise in the field 
        of encryption, decryption, electronic communication, 
        information security, electronic commerce, or law 
        enforcement.
          (3) Duties.--The duty of the Advisory Board shall be 
        to advise the NET Center and the Federal Government 
        regarding new and emerging technologies relating to 
        encryption and decryption of communications and 
        electronic information.
  (i) Implementation Plan.--Within 2 months after the date of 
the enactment of this Act, the Assistant Secretary, in 
consultation and cooperation with other appropriate Federal 
agencies and appropriate industry participants, develop and 
cause to be published in the Federal Register a plan for 
establishing the NET Center. The plan shall--
          (1) specify the physical location of the NET Center 
        and the equipment, software, and personnel resources 
        necessary to carry out the duties of the NET Center 
        under this section;
          (2) assess the amount of funding necessary to 
        establish and operate the NET Center; and
          (3) identify sources of probable funding for the NET 
        Center, including any sources of in-kind contributions 
        from private industry.

           *       *       *       *       *       *       *


               PART C--SPECIAL AND TEMPORARY PROVISIONS

           *       *       *       *       *       *       *


SEC. 156. STUDY OF NETWORK RELIABILITY AND SECURITY AND DATA SECURITY 
                    ISSUES.

  (a) In General.--The NTIA shall conduct an examination of--
          (1) the relationship between--
                  (A) network reliability (for communications 
                and computer networks), network security (for 
                such networks), and data security issues; and
                  (B) the conduct, in interstate commerce, of 
                electronic commerce transactions, including 
                through the medium of the telecommunications 
                networks, the Internet, or other interactive 
                computer systems;
          (2) the availability of various methods for 
        encrypting communications; and
          (3) the effects of various methods of providing 
        access to encrypted communications and to information 
        to further law enforcement activities.
  (b) Specific Issues.--In conducting the examination required 
by subsection (a), the NTIA shall--
          (1) analyze and evaluate the requirements under 
        paragraphs (3) and (4) of section 17(g) of the Export 
        Administration Act of 1979 (50 U.S.C. App. 2416(g); as 
        added by section 7(a) of this Act) for products 
        referred to in such paragraphs to qualify for the 
        license exemption or mandatory export authorization 
        under such paragraphs, and determine--
                  (A) the scope and applicability of such 
                requirements and the products that, at the time 
                of the examination, qualify for such license 
                exemption or export authorization; and
                  (B) the products that will, 12 months after 
                the examination is conducted, qualify for such 
                license exemption or export authorization; and
          (2) assess possible methods for providing access to 
        encrypted communications and to information to further 
        law enforcement activities.
  (c) Reports.--Within one year after the date of enactment of 
this section, the NTIA shall submit to the Congress and the 
President a detailed report on the examination required by 
subsections (a) and (b). Annually thereafter, the NTIA shall 
submit to the Congress and the President an update on such 
report.
  (d) Definitions.--For purposes of this section--
          (1) the terms ``data security'', ``encryption'', 
        ``network reliability'', and ``network security'' have 
        the meanings given such terms in section 17(g)(5) of 
        the Export Administration Act of 1979 (50 U.S.C. App. 
        2416(g)(5)); and
          (2) the terms ``Internet'' and ``interactive computer 
        systems'' have the meanings provided by section 230(e) 
        of the Communications Act of 1934 (47 U.S.C. 230(e)).

           *       *       *       *       *       *       *