Report text available as:

  • TXT
  • PDF   (PDF provides a complete and accurate display of this text.) Tip ?
106th Congress                                            Rept. 106-117

                        HOUSE OF REPRESENTATIVES
 1st Session                                                     Part 5

======================================================================



 
                ENCRYPTION FOR THE NATIONAL INTEREST ACT

                                _______
                                

 July 23, 1999.--Committed to the Committee of the Whole House on the 
              State of the Union and ordered to be printed

                                _______
                                

    Mr. Goss, from the Permanent Select Committee on Intelligence, 
                        submitted the following

                              R E P O R T

                        [To accompany H.R. 850]

      [Including cost estimate of the Congressional Budget Office]

    The Permanent Select Committee on Intelligence, to whom was 
referred the bill (H.R. 850) to amend title 18, United States 
Code, to affirm the rights of United States persons to use and 
sell encryption and to relax export controls on encryption, 
having considered the same, report favorably thereon with an 
amendment and recommend that the bill as amended do pass.
    The amendment is as follows:
    Strike out all after the enacting clause and insert in lieu 
thereof the following:

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

  (a) Short Title.--This Act may be cited as the ``Encryption for the 
National Interest Act''.
  (b) Table of Contents.--The table of contents is as follows:

Sec. 1. Short title; table of contents.
Sec. 2. Statement of policy.
Sec. 3. Congressional findings.

                  TITLE I--DOMESTIC USES OF ENCRYPTION

Sec. 101. Definitions.
Sec. 102. Lawful use of encryption.
Sec. 103. Unlawful use of encryption.

                    TITLE II--GOVERNMENT PROCUREMENT

Sec. 201. Federal purchases of encryption products.
Sec. 202. Networks established with Federal funds.
Sec. 203. Government contract authority.
Sec. 204. Product labels.
Sec. 205. No private mandate.
Sec. 206. Exclusion.

                    TITLE III--EXPORTS OF ENCRYPTION

Sec. 301. Exports of encryption.
Sec. 302. License exception for certain encryption products.
Sec. 303. Discretionary authority.
Sec. 304. Expedited review authority.
Sec. 305. Encryption licenses required.
Sec. 306. Encryption Industry and Information Security Board.

                    TITLE IV--LIABILITY LIMITATIONS

Sec. 401. Compliance with court order.
Sec. 402. Compliance defense.
Sec. 403. Good faith defense.

                   TITLE V--INTERNATIONAL AGREEMENTS

Sec. 501. Sense of Congress.
Sec. 502. Failure to negotiate.
Sec. 503. Report to Congress.

                   TITLE VI--MISCELLANEOUS PROVISIONS

Sec. 601. Effect on law enforcement activities.
Sec. 602. Interpretation.
Sec. 603. FBI technical support.
Sec. 604. Severability.

SEC. 2. STATEMENT OF POLICY.

  It is the policy of the United States to protect public computer 
networks through the use of strong encryption technology, to promote 
the export of encryption products developed and manufactured in the 
United States, and to preserve public safety and national security.

SEC. 3. CONGRESSIONAL FINDINGS.

  The Congress finds the following:
          (1) Information security technology, encryption, is--
                  (A) fundamental to secure the flow of intelligence 
                information to national policy makers;
                  (B) critical to the President and national command 
                authority of the United States;
                  (C) necessary to the Secretary of State for the 
                development and execution of the foreign policy of the 
                United States;
                  (D) essential to the Secretary of Defense's 
                responsibilities to ensure the effectiveness of the 
                Armed Forces of the United States;
                  (E) invaluable to the protection of the citizens of 
                the United States from fraud, theft, drug trafficking, 
                child pornography; kidnapping, and money laundering; 
                and
                  (F) basic to the protection of the nation's critical 
                infrastructures, including electrical grids, banking 
                and financial systems, telecommunications, water 
                supplies, and transportation.
          (2) The goal of any encryption legislation should be to 
        enhance and promote the global market strength of United States 
        encryption manufacturers, while guaranteeing that national 
        security and public safety obligations of the Government can 
        still be accomplished.
          (3) It is essential to the national security interests of the 
        United States that United States encryption products dominate 
        the global market.
          (4) Widespread use of unregulated encryption products poses a 
        significant threat to the national security interests of the 
        United States.
          (5) Leaving the national security and public safety 
        responsibilities of the Government to the marketplace alone is 
        not consistent with the obligations of the Government to 
        protect the public safety and to defend the Nation.
          (6) In order for the United States position in the global 
        market to benefit the national security interests of the United 
        States, it is imperative that the export of encryption products 
        be subject to a dynamic and constructive export control regime.
          (7) Export of commercial items are best managed through a 
        regulatory structure which has flexibility to address 
        constantly changing market conditions.
          (8) Managing sensitive dual-use technologies, such as 
        encryption products, is challenging in any regulatory 
        environment due to the difficulty in balancing competing 
        interests in national security, public safety, privacy, fair 
        competition within the industry, and the dynamic nature of the 
        technology.
          (9) There is a widespread perception that the executive 
        branch has not adequately balanced the equal and competing 
        interests of national security, public safety, privacy, and 
        industry.
          (10) There is a perception that the current encryption export 
        control policy has done more to disadvantage United States 
        business interests than to promote and protect national 
        security and public safety interests.
          (11) A balance can and must be achieved between industry 
        interests, national security, law enforcement requirements, and 
        privacy needs.
          (12) A court order process should be required for access to 
        plaintext, where and when available, and criminal and civil 
        penalties should be imposed for misuse of decryption 
        information.
          (13) Timely access to plaintext capability is--
                  (A) necessary to thwarting potential terrorist 
                activities;
                  (B) extremely useful in the collection of foreign 
                intelligence;
                  (C) indispensable to force protection requirements;
                  (D) critical to the investigation and prosecution of 
                criminals; and
                  (E) both technically and economically possible.
          (14) The United States Government should encourage the 
        development of those products that would provide a capability 
        allowing law enforcement (Federal, State, and local), with a 
        court order only, to gain timely access to the plaintext of 
        either stored data or data in transit.
          (15) Unless law enforcement has the benefit of such market 
        encouragement, drug traffickers, spies, child pornographers, 
        pedophiles, kidnappers, terrorists, mobsters, weapons 
        proliferators, fraud schemers, and other criminals will be able 
        to use encryption software to protect their criminal activity 
        and hinder the criminal justice system.
          (16) An effective regulatory approach to manage the 
        proliferation of encryption products which have dual-use 
        capabilities must be maintained and greater confidence in the 
        ability of the executive branch to preserve and promote the 
        competitive advantage of the United States encryption industry 
        in the global market must be provided.

                  TITLE I--DOMESTIC USES OF ENCRYPTION

SEC. 101. DEFINITIONS.

  For purposes of this Act:
          (1) Attorney for the government.--The term ``attorney for the 
        Government'' has the meaning given such term in Rule 54(c) of 
        the Federal Rules of Criminal Procedure, and also includes any 
        duly authorized attorney of a State who is authorized to 
        prosecute criminal offenses within such State.
          (2) Authorized party.--The term ``authorized party'' means 
        any person with the legal authority to obtain decryption 
        information or plaintext of encrypted data, including 
        communications.
          (3) Communications.--The term ``communications'' means any 
        wire communications or electronic communications as those terms 
        are defined in paragraphs (1) and (12) of section 2510 of title 
        18, United States Code.
          (4) Court of competent jurisdiction.--The term ``court of 
        competent jurisdiction'' means any court of the United States 
        organized under Article III of the Constitution of the United 
        States, the court organized under the Foreign Intelligence 
        Surveillance Act of 1978 (50 U.S.C. 1801 et seq.), or a court 
        of general criminal jurisdiction of a State authorized pursuant 
        to the laws of such State to enter orders authorizing searches 
        and seizures.
          (5) Data network service provider.--The term ``data network 
        service provider'' means a person offering any service to the 
        general public that provides the users thereof with the ability 
        to transmit or receive data, including communications.
          (6) Decryption.--The term ``decryption'' means the 
        retransformation or unscrambling of encrypted data, including 
        communications, to its readable plaintext version. To 
        ``decrypt'' data, including communications, is to perform 
        decryption.
          (7) Decryption information.--The term ``decryption 
        information'' means information or technology that enables one 
        to readily retransform or unscramble encrypted data from its 
        unreadable and incomprehensible format to its readable 
        plaintext version.
          (8) Electronic storage.--The term ``electronic storage'' has 
        the meaning given that term in section 2510(17) of title 18, 
        United States Code.
          (9) Encryption.--The term ``encryption'' means the 
        transformation or scrambling of data, including communications, 
        from plaintext to an unreadable or incomprehensible format, 
        regardless of the technique utilized for such transformation or 
        scrambling and irrespective of the medium in which such data, 
        including communications, occur or can be found, for the 
        purposes of protecting the content of such data, including 
        communications. To ``encrypt'' data, including communications, 
        is to perform encryption.
          (10) Encryption product.--The term ``encryption product'' 
        means any software, technology, commodity, or mechanism, that 
        can be used to encrypt or decrypt or has the capability of 
        encrypting or decrypting any data, including communications.
          (11) Foreign availability.--The term ``foreign availability'' 
        has the meaning applied to foreign availability of encryption 
        products subject to controls under the Export Administration 
        Regulations, as in effect on July 1, 1999.
          (12) Government.--The term ``Government'' means the 
        Government of the United States and any agency or 
        instrumentality thereof, or the government of any State, and 
        any of its political subdivisions.
          (13) Investigative or law enforcement officer.--The term 
        ``investigative or law enforcement officer'' has the meaning 
        given that term in section 2510(7) of title 18, United States 
        Code.
          (14) National security.--The term ``national security'' means 
        the national defense, intelligence, or foreign policy interests 
        of the United States.
          (15) Plaintext.--The term ``plaintext'' means the readable or 
        comprehensible format of that data, including communications, 
        which has been encrypted.
          (16) Plainvoice.--The term ``plainvoice'' means communication 
        specific plaintext.
          (17) Secretary.--The term ``Secretary'' means the Secretary 
        of Commerce, unless otherwise specifically identified.
          (18) State.--The term ``State'' has the meaning given that 
        term in section 2510(3) of title 18, United States Code.
          (19) Telecommunications carrier.--The term 
        ``telecommunications carrier'' has the meaning given that term 
        in section 3 of the Communications Act of 1934 (47 U.S.C. 153).
          (20) Telecommunications system.--The term 
        ``telecommunications system'' means any equipment, technology, 
        or related software used in the movement, switching, 
        interchange, transmission, reception, or internal signaling of 
        data, including communications over wire, fiber optic, radio 
        frequency, or any other medium.
          (21) United states person.--The term ``United States person'' 
        means--
                  (A) any citizen of the United States;
                  (B) any other person organized under the laws of any 
                State; and
                  (C) any person organized under the laws of any 
                foreign country who is owned or controlled by 
                individuals or persons described in subparagraphs (A) 
                and (B).

SEC. 102. LAWFUL USE OF ENCRYPTION.

  Except as otherwise provided by this Act or otherwise provided by 
law, it shall be lawful for any person within any State and for any 
United States person to use any encryption product, regardless of 
encryption algorithm selected, encryption bit length chosen, or 
implementation technique or medium used.

SEC. 103. UNLAWFUL USE OF ENCRYPTION.

  (a) In General.--Part I of title 18, United States Code, is amended 
by inserting after chapter 123 the following new chapter:

        ``CHAPTER 125--ENCRYPTED DATA, INCLUDING COMMUNICATIONS

``Sec.
``2801. Unlawful use of encryption in furtherance of a criminal act.
``2802. Privacy protection.
``2803. Court order access to plaintext or decryption information.
``2804. Notification procedures.
``2805. Lawful use of plaintext or decryption information.
``2806. Identification of decryption information.
``2807. Definitions.

``Sec. 2801. Unlawful use of encryption in furtherance of a criminal 
                    act

  ``(a) Prohibited Acts.--Whoever knowingly uses encryption in 
furtherance of the commission of a criminal offense for which the 
person may be prosecuted in a district court of the United States 
shall--
          ``(1) in the case of a first offense under this section, be 
        imprisoned for not more than 5 years, or fined under this 
        title, or both; and
          ``(2) in the case of a second or subsequent offense under 
        this section, be imprisoned for not more than 10 years, or 
        fined under this title, or both.
  ``(b) Consecutive Sentence.--Notwithstanding any other provision of 
law, the court shall not place on probation any person convicted of a 
violation of this section, nor shall the term of imprisonment imposed 
under this section run concurrently with any other term of imprisonment 
imposed for the underlying criminal offense.
  ``(c) Probable Cause Not Constituted by Use of Encryption.--The use 
of encryption by itself shall not establish probable cause to believe 
that a crime is being or has been committed.

``Sec. 2802. Privacy protection

  ``(a) In General.--It shall be unlawful for any person to 
intentionally--
          ``(1) obtain or use decryption information without lawful 
        authority for the purpose of decrypting data, including 
        communications;
          ``(2) exceed lawful authority in decrypting data, including 
        communications;
          ``(3) break the encryption code of another person without 
        lawful authority for the purpose of violating the privacy or 
        security of that person or depriving that person of any 
        property rights;
          ``(4) impersonate another person for the purpose of obtaining 
        decryption information of that person without lawful authority;
          ``(5) facilitate or assist in the encryption of data, 
        including communications, knowing that such data, including 
        communications, are to be used in furtherance of a crime; or
          ``(6) disclose decryption information in violation of a 
        provision of this chapter.
  ``(b) Criminal Penalty.--Whoever violates this section shall be 
imprisoned for not more than 10 years, or fined under this title, or 
both.

``Sec. 2803. Court order access to plaintext or decryption information

  ``(a) Court Order.--(1) A court of competent jurisdiction shall issue 
an order, ex parte, granting an investigative or law enforcement 
officer timely access to the plaintext of encrypted data, including 
communications, or requiring any person in possession of decryption 
information to provide such information to a duly authorized 
investigative or law enforcement officer--
          ``(A) upon the application by an attorney for the Government 
        that--
                  ``(i) is made under oath or affirmation by the 
                attorney for the Government; and
                  ``(ii) provides a factual basis establishing the 
                relevance that the plaintext or decryption information 
                being sought has to a law enforcement, foreign 
                counterintelligence, or international terrorism 
                investigation then being conducted pursuant to lawful 
                authorities; and
          ``(B) if the court finds, in writing, that the plaintext or 
        decryption information being sought is relevant to an ongoing 
        lawful law enforcement, foreign counterintelligence, or 
        international terrorism investigation and the investigative or 
        law enforcement officer is entitled to such plaintext or 
        decryption information.
  ``(2) The order issued by the court under this section shall be 
placed under seal, except that a copy may be made available to the 
investigative or law enforcement officer authorized to obtain access to 
the plaintext of the encrypted information, or authorized to obtain the 
decryption information sought in the application. Such order shall, 
subject to the notification procedures set forth in section 2804, also 
be made available to the person responsible for providing the plaintext 
or the decryption information, pursuant to such order, to the 
investigative or law enforcement officer.
  ``(3) Disclosure of an application made, or order issued, under this 
section, is not authorized, except as may otherwise be specifically 
permitted by this section or another order of the court.
  ``(b) Record of Access Required.--(1) There shall be created an 
electronic record, or similar type record, of each instance in which an 
investigative or law enforcement officer, pursuant to an order under 
this section, gains access to the plaintext of otherwise encrypted 
information, or is provided decryption information,without the 
knowledge or consent of the owner of the data, including 
communications, who is the user of the encryption product involved.
  ``(2) The court issuing the order under this section may require that 
the electronic or similar type of record described in paragraph (1) is 
maintained in a place and a manner that is not within the custody or 
control of an investigative or law enforcement officer gaining the 
access or provided the decryption information. The record shall be 
tendered to the court, upon notice from the court.
  ``(3) The court receiving such electronic or similar type of record 
described in paragraph (1) shall make the original and a certified copy 
of the record available to the attorney for the Government making 
application under this section, and to the attorney for, or directly 
to, the owner of the data, including communications, who is the user of 
the encryption product, pursuant to the notification procedures set 
forth in section 2804.
  ``(c) Authority To Intercept Communications Not Increased.--Nothing 
in this chapter shall be construed to enlarge or modify the 
circumstances or procedures under which a Government entity is entitled 
to intercept or obtain oral, wire, or electronic communications or 
information.
  ``(d) Construction.--This chapter shall be strictly construed to 
apply only to a Government entity's ability to decrypt data, including 
communications, for which it has previously obtained lawful authority 
to intercept or obtain pursuant to other lawful authorities, which 
without an order issued under this section would otherwise remain 
encrypted.

``Sec. 2804. Notification procedures

  ``(a) In General.--Within a reasonable time, but not later than 90 
days after the filing of an application for an order under section 2803 
which is granted, the court shall cause to be served, on the persons 
named in the order or the application, and such other parties whose 
decryption information or whose plaintext has been provided to an 
investigative or law enforcement officer pursuant to this chapter, as 
the court may determine is in the interest of justice, an inventory 
which shall include notice of--
          ``(1) the fact of the entry of the order or the application;
          ``(2) the date of the entry of the application and issuance 
        of the order; and
          ``(3) the fact that the person's decryption information or 
        plaintext data, including communications, has been provided or 
        accessed by an investigative or law enforcement officer.
The court, upon the filing of a motion, may make available to that 
person or that person's counsel, for inspection, such portions of the 
plaintext, applications, and orders as the court determines to be in 
the interest of justice.
  ``(b) Postponement of Inventory for Good Cause.--(1) On an ex parte 
showing of good cause by an attorney for the Government to a court of 
competent jurisdiction, the serving of the inventory required by 
subsection (a) may be postponed for an additional 30 days after the 
granting of an order pursuant to the ex parte motion.
  ``(2) No more than 3 ex parte motions pursuant to paragraph (1) are 
authorized.
  ``(c) Admission Into Evidence.--The content of any encrypted 
information that has been obtained pursuant to this chapter or evidence 
derived therefrom shall not be received in evidence or otherwise 
disclosed in any trial, hearing, or other proceeding in a Federal or 
State court, other than the court organized pursuant to the Foreign 
Intelligence Surveillance Act of 1978, unless each party, not less than 
10 days before the trial, hearing, or proceeding, has been furnished 
with a copy of the order, and accompanying application, under which the 
decryption or access to plaintext was authorized or approved. This 10-
day period may be waived by the court if the court finds that it was 
not possible to furnish the party with the information described in the 
preceding sentence within 10 days before the trial, hearing, or 
proceeding and that the party will not be prejudiced by the delay in 
receiving such information.
  ``(d) Construction.--The provisions of this chapter shall be 
construed consistent with--
          ``(1) the Classified Information Procedures Act (18 U.S.C. 
        App.); and
          ``(2) the Foreign Intelligence Surveillance Act of 1978 (50 
        U.S.C. 1801 et seq.).
  ``(e) Contempt.--Any violation of the provisions of this section may 
be punished by the court as a contempt thereof.
  ``(f) Motion To Suppress.--Any aggrieved person in any trial, 
hearing, or proceeding in or before any court, department, officer, 
agency, regulatory body, or other authority of the United States or a 
State, other than the court organized pursuant to the Foreign 
Intelligence Surveillance Act of 1978, may move to suppress the 
contents of any decrypted data, including communications, obtained 
pursuant to this chapter, or evidence derived therefrom, on the grounds 
that --
          ``(1) the plaintext was decrypted or accessed in violation of 
        this chapter;
          ``(2) the order of authorization or approval under which it 
        was decrypted or accessed is insufficient on its face; or
          ``(3) the decryption was not made in conformity with the 
        order of authorization or approval.
Such motion shall be made before the trial, hearing, or proceeding 
unless there was no opportunity to make such motion, or the person was 
not aware of the grounds of the motion. If the motion is granted, the 
plaintext of the decrypted data, including communications, or evidence 
derived therefrom, shall be treated as having been obtained in 
violation of this chapter. The court, upon the filing of such motion by 
the aggrieved person, may make available to the aggrieved person or 
that person's counsel for inspection such portions of the decrypted 
plaintext, or evidence derived therefrom, as the court determines to be 
in the interests of justice.
  ``(g) Appeal by United States.--In addition to any other right to 
appeal, the United States shall have the right to appeal from an order 
granting a motion to suppress made under subsection (f), or the denial 
of an application for an order under section 2803, if the attorney for 
the Government certifies to the court or other official granting such 
motion or denying such application that the appeal is not taken for 
purposes of delay. Such appeal shall be taken within 30 days after the 
date the order was entered on the docket and shall be diligently 
prosecuted.
  ``(h) Civil Action for Violation.--Except as otherwise provided in 
this chapter, any person described in subsection (i) may, in a civil 
action, recover from the United States Government the actual damages 
suffered by the person as a result of a violation described in that 
subsection, reasonable attorney's fees, and other litigation costs 
reasonably incurred in prosecuting such claim.
``(i) Covered Persons.--Subsection (h) applies to any person whose 
decryption information--
          ``(1) is knowingly obtained without lawful authority by an 
        investigative or law enforcement officer;
          ``(2) is obtained by an investigative or law enforcement 
        officer with lawful authority and is knowingly used or 
        disclosed by such officer unlawfully; or
          ``(3) is obtained by an investigative or law enforcement 
        officer with lawful authority and whose decryption information 
        is unlawfully used to disclose the plaintext of the data, 
        including communications.
  ``(j) Limitation.--A civil action under subsection (h) shall be 
commenced not later than 2 years after the date on which the unlawful 
action took place, or 2 years after the date on which the claimant 
first discovers the violation, whichever is later.
  ``(k) Exclusive Remedies.--The remedies and sanctions described in 
this chapter with respect to the decryption of data, including 
communications, are the only judicial remedies and sanctions for 
violations of this chapter involving such decryptions, other than 
violations based on the deprivation of any rights, privileges, or 
immunities secured by the Constitution.
  ``(l) Technical Assistance by Providers.--A provider of encryption 
technology or network service that has received an order issued by a 
court pursuant to this chapter shall provide to the investigative or 
law enforcement officer concerned such technical assistance as is 
necessary to execute the order. Such provider may, however, move the 
court to modify or quash the order on the ground that its assistance 
with respect to the decryption or access to plaintext cannot be 
performed in fact, or in a timely or reasonable fashion. The court, 
upon notice to the Government, shall decide such motion expeditiously.
  ``(m) Reports to Congress.--In May of each year, the Attorney 
General, or an Assistant Attorney General specifically designated by 
the Attorney General, shall report in writing to Congress on the number 
of applications made and orders entered authorizing Federal, State, and 
local law enforcement access to decryption information for the purposes 
of reading the plaintext of otherwise encrypted data, including 
communications, pursuant to this chapter. Such reports shall be 
submitted to the Committees on the Judiciary of the House of 
Representatives and of the Senate, and to the Permanent Select 
Committee on Intelligence for the House of Representatives and the 
Select Committee on Intelligence for the Senate.

``Sec. 2805. Lawful use of plaintext or decryption information

  ``(a) Authorized Use of Decryption Information.--
          ``(1) Criminal investigations.--An investigative or law 
        enforcement officer to whom plaintext or decryption information 
        is provided may only use such plaintext or decryption 
        information for the purposes of conducting a lawful criminal 
        investigation, foreign counterintelligence, or international 
        terrorism investigation, and for the purposes of preparing for 
        and prosecuting any criminal violation of law.
          ``(2) Civil redress.--Any plaintext or decryption information 
        provided under this chapter to an investigative or law 
        enforcement officer may not be disclosed, except by court 
        order, to any other person for use in a civil proceeding that 
        is unrelated to a criminal investigation and prosecution for 
        which the plaintext or decryption information is authorized 
        under paragraph (1). Such order shall only issue upon a showing 
        by the party seeking disclosure that there is no alternative 
        means of obtaining the plaintext, or decryption information, 
        being sought and the court also finds that the interests of 
        justice would not be served by nondisclosure.
  ``(b) Limitation.--An investigative or law enforcement officer may 
not use decryption information obtained under this chapter to determine 
the plaintext of any data, including communications, unless it has 
obtained lawful authority to obtain such data, including 
communications, under other lawful authorities.
  ``(c) Return of Decryption Information.--An attorney for the 
Government shall, upon the issuance of an order of a court of competent 
jurisdiction--
          ``(1)(A) return any decryption information to the person 
        responsible for providing it to an investigative or law 
        enforcement officer pursuant to this chapter; or
          ``(B) destroy such decryption information, if the court finds 
        that the interests of justice or public safety require that 
        such decryption information should not be returned to the 
        provider; and
          ``(2) within 10 days after execution of the court's order to 
        return or destroy the decryption information--
                  ``(A) certify to the court that the decryption 
                information has either been returned or destroyed 
                consistent with the court's order; and
                  ``(B) if applicable, notify the provider of the 
                decryption information of the destruction of such 
                information.
  ``(d) Other Disclosure of Decryption Information.--Except as 
otherwise provided in section 2803, decryption information or the 
plaintext of otherwise encrypted data, including communications, shall 
not be disclosed by any person unless the disclosure is--
          ``(1) to the person encrypting the data, including 
        communications, or an authorized agent thereof;
          ``(2) with the consent of the person encrypting the data, 
        including pursuant to a contract entered into with the person;
          ``(3) pursuant to a court order upon a showing of compelling 
        need for the information that cannot be accommodated by any 
        other means if--
                  ``(A) the person who supplied the information is 
                given reasonable notice, by the person seeking the 
                disclosure, of the court proceeding relevant to the 
                issuance of the court order; and
                  ``(B) the person who supplied the information is 
                afforded the opportunity to appear in the court 
                proceeding and contest the claim of the person seeking 
                the disclosure;
          ``(4) pursuant to a determination by a court of competent 
        jurisdiction that another person is lawfully entitled to hold 
        such decryption information, including determinations arising 
        from legal proceedings associated with the incapacity, death, 
        or dissolution of any person; or
          ``(5) otherwise permitted by law.

``Sec. 2806. Identification of decryption information

  ``(a) Identification.--To avoid inadvertent disclosure of decryption 
information, any person who provides decryption information to an 
investigative or law enforcement officer pursuant to this chapter shall 
specifically identify that part of the material that discloses 
decryption information as such.
  ``(b) Responsibility of Investigative or Law Enforcement Officer.--
The investigative or law enforcement officer receiving any decryption 
information under this chapter shall maintain such information in a 
facility and in a method so as to reasonably assure that inadvertent 
disclosure does not occur.

``Sec. 2807. Definitions

  ``The definitions set forth in section 101 of the Encryption for the 
National Interest Act shall apply to this chapter.''.
  (b) Conforming Amendment.--The table of chapters for part I of title 
18, United States Code, is amended by inserting after the item relating 
to chapter 121 the following new item:

``125. Encrypted data, including communications.............    2801''.

                    TITLE II--GOVERNMENT PROCUREMENT

SEC. 201. FEDERAL PURCHASES OF ENCRYPTION PRODUCTS.

  (a) Decryption Capabilities.--The President may, consistent with the 
provisions of subsection (b), direct that any encryption product or 
service purchased or otherwise procured by the United States Government 
to provide the security service of data confidentiality for a computer 
system owned and operated by the United States Government shall include 
recoverability features or functions that enable the timely decryption 
of encrypted data, including communications, or timely access to 
plaintext by an authorized party without the knowledge or cooperation 
of the person using such encryption products or services.
  (b) Consistency With Intelligence Services and Military Operations.--
The President shall ensure that all encryption products purchased or 
used by the United States Government are supportive of, and consistent 
with, all statutory obligations to protect sources and methods of 
intelligence collection and activities, and supportive of, and 
consistent with, those needs required for military operations and the 
conduct of foreign policy.

SEC. 202. NETWORKS ESTABLISHED WITH FEDERAL FUNDS.

  The President may direct that any communications network established 
for the purpose of conducting the business of the Federal Government 
shall use encryption products that--
          (1) include features and functions that enable the timely 
        decryption of encrypted data, including communications, or 
        timely access to plaintext, by an authorized party without the 
        knowledge or cooperation of the person using such encryption 
        products or services; and
          (2) are supportive of, and consistent with, all statutory 
        obligations to protect sources and methods of intelligence 
        collection and activities, and supportive of, and consistent 
        with, those needs required for military operations and the 
        conduct of foreign policy.

SEC. 203. GOVERNMENT CONTRACT AUTHORITY.

  The President may require as a condition of any contract by the 
Government with a private sector vendor that any encryption product 
used by the vendor in carrying out the provisions of the contract with 
the Government include features and functions that enable the timely 
decryption of encrypted data, including communications, or timely 
access to plaintext, by an authorized party without the knowledge or 
cooperation of the person using such encryption products or services.

SEC. 204. PRODUCT LABELS.

  An encryption product may be labeled to inform Government users that 
the product is authorized for sale to or for use by Government agencies 
or Government contractors in transactions and communications with the 
United States Government under this title.

SEC. 205. NO PRIVATE MANDATE.

  The United States Government may not require the use of encryption 
standards for the private sector except as otherwise authorized by 
section 204.

SEC. 206. EXCLUSION.

  Nothing in this title shall apply to encryption products and services 
used solely for access control, authentication, integrity, 
nonrepudiation, digital signatures, or other similar purposes.

                    TITLE III--EXPORTS OF ENCRYPTION

SEC. 301. EXPORTS OF ENCRYPTION.

  (a) Authority To Control Exports.--The President shall control the 
export of all dual-use encryption products.
  (b) Authority To Deny Export for National Security Reasons.--
Notwithstanding any provision of this title, the President may deny the 
export of any encryption product on the basis that its export is 
contrary to the national security.
  (c) Decisions Not Subject to Judicial Review.--Any decision based on 
national security that is made by the President or his designee with 
respect to the export of encryption products under this title shall not 
be subject to judicial review.

SEC. 302. LICENSE EXCEPTION FOR CERTAIN ENCRYPTION PRODUCTS.

  (a) License Exception.--Upon the enactment of this Act, any 
encryption product with an encryption strength of 64 bits or less shall 
be eligible for export under a license exception if--
          (1) such encryption product is submitted for a 1-time 
        technical review;
          (2) such encryption product does not require licensing under 
        otherwise applicable regulations;
          (3) such encryption product is not intended for a country, 
        end user, or end use that is by regulation ineligible to 
        receive such product, and the encryption product is otherwise 
        qualified for export;
          (4) the exporter, within 180 days after the export of the 
        product, submits a certification identifying--
                  (A) the intended end use of the product; and
                  (B) the name and address of the intended recipient of 
                the product, where available;
          (5) the exporter, within 180 days after the export of the 
        product, provides the names and addresses of its distribution 
        chain partners; and
          (6) the exporter, at the time of submission of the product 
        for technical review, provides proof that its distribution 
        chain partners have contractually agreed to abide by all laws 
        and regulations of the United States concerning the export and 
        reexport of encryption products designed or manufactured within 
        the United States.
  (b) One-Time Technical Review.--(1) The technical review referred to 
in subsection (a) shall be completed within no longer than 45 days 
after the submission of all of the information required under paragraph 
(2).
  (2) The President shall specify the information that must be 
submitted for the 1-time technical review referred to in this section.
  (3) An encryption product may not be exported during the technical 
review of that product under this section.
  (c) Periodic Review of License Exception Eligibility Level.--(1) Not 
later than 180 days after the date of the enactment of this Act, the 
President shall notify the Congress of the maximum level of encryption 
strength, which may not be lower than 64-bit, that may be exported from 
the United States under license exception pursuant to this section 
consistent with the national security.
  (2) The President shall, at the end of each successive 180-day period 
after the notice provided to the Congress under paragraph (1), notify 
the Congress of the maximum level of encryption strength, which may not 
be lower than that in effect under this section during that 180-day 
period, that may be exported from the United States under a license 
exception pursuant to this section consistent with the national 
security.
  (d) Factors Not To Be Considered.--A license exception for the 
exports of an encryption product under this section may be allowed 
whether or not the product contains a method of decrypting encrypted 
data.

SEC. 303. DISCRETIONARY AUTHORITY.

  Notwithstanding the requirements of section 305, the President may 
permit the export, under a license exception pursuant to the conditions 
of section 302, of encryption products with an encryption strength 
exceeding the maximum level eligible for a license exception under 
section 302, if the export is consistent with the national security.

SEC. 304. EXPEDITED REVIEW AUTHORITY.

  The President shall establish procedures for the expedited review of 
commodity classification requests, or export license applications, 
involving encryption products that are specifically approved, by 
regulation, for export.

SEC. 305. ENCRYPTION LICENSES REQUIRED.

  (a) United States Products Exceeding Certain Bit Length.--Except as 
permitted under section 303, in the case of all encryption products 
with an encryption strength exceeding the maximum level eligible for a 
license exception under section 302, which are designed or manufactured 
within the United States, the Presidentmay grant a license for export 
of such encryption products, under the following conditions:
          (1) There shall not be any requirement, as a basis for an 
        export license, that a product contains a method of--
                  (A) gaining timely access to plaintext; or
                  (B) gaining timely access to decryption information.
          (2) The export license applicant shall submit--
                  (A) the product for technical review;
                  (B) a certification, under oath, identifying--
                        (i) the intended end use of the product; and
                        (ii) the expected end user or class of end 
                        users of the product;
                  (C) proof that its distribution chain partners have 
                contractually agreed to abide by all laws and 
                regulations of the United States concerning the export 
                and reexport of encryption products designed or 
                manufactured within the United States; and
                  (D) the names and addresses of its distribution chain 
                partners.
  (b) Technical Review for License Applicants.--(1) The technical 
review described in subsection (a)(3)(A) shall be completed within 45 
days after the submission of all the information required under 
paragraph (2).
  (2) The information to be submitted for the technical review shall be 
the same as that required to be submitted pursuant to section 
302(b)(2).
  (3) An encryption product may not be exported during the technical 
review of that product under this section.
  (c) Post-Export Reporting.--
          (1) Unauthorized use.--All exporters of encryption products 
        that are designed or manufactured within the United States 
        shall submit a report to the Secretary at any time the exporter 
        has reason to believe any such exported product is being 
        diverted to a use or a user not approved at the time of export.
          (2) Pirating.--All exporters of encryption products that are 
        designed or manufactured within the United States shall report 
        any pirating of their technology or intellectual property to 
        the Secretary as soon as practicable after discovery.
          (3) Distribution chain partners.--All exporters of encryption 
        products that are designed or manufactured within the United 
        States, and all distribution chain partners of such exporters, 
        shall submit to the Secretary a report which shall specify--
                  (A) the particular product sold;
                  (B) the name and address of--
                        (i) the ultimate end user of the product, if 
                        known; or
                        (ii) the name and address of the next purchaser 
                        in the distribution chain; and
                  (C) the intended use of the product sold.
  (d) Exercise of Other Authorities.--The Secretary, the Secretary of 
Defense, and the Secretary of State may exercise the authorities they 
have under other provisions of law, including the Export Administration 
Act of 1979, as continued in effect under the International Emergency 
Economic Powers Act, to carry out this title.
  (e) Waiver Authority.--
          (1) In general.--The President may by Executive order waive 
        any provision of this title, or the applicability of any such 
        provision to a person or entity, if the President determines 
        that the waiver is necessary to advance the national security. 
        The President shall, not later than 15 days after making such 
        determination, submit a report to the committees referred to in 
        paragraph (2) that includes the factual basis upon which such 
        determination was made. The report may be in classified format.
          (2) Committees.--The committees referred to in paragraph (1) 
        are the Committee on International Relations, the Committee on 
        Armed Services, and the Permanent Select Committee on 
        Intelligence of the House of Representatives, and the Committee 
        on Foreign Relations, the Committee on Armed Services, and the 
        Select Committee on Intelligence of the Senate.
          (3) Decisions not subject to judicial review.--Any 
        determination made by the President under this subsection shall 
        not be subject to judicial review.

SEC. 306. ENCRYPTION INDUSTRY AND INFORMATION SECURITY BOARD.

  (a) Encryption Industry and Information Security Board Established.--
There is hereby established an Encryption Industry and Information 
Security Board. The Board shall undertake an advisory role for the 
President.
  (b) Purposes.--The purposes of the Board are--
          (1) to provide a forum to foster communication and 
        coordination between industry and the Federal Government on 
        matters relating to the use of encryption products;
          (2) to enable the United States to effectively and 
        continually understand the benefits and risks to its national 
        security, law enforcement, and public safety interests by 
        virtue of the proliferation of strong encryption on the global 
        market;
          (3) to evaluate and make recommendations regarding the 
        further development and use of encryption;
          (4) to advance the development of international standards 
        regarding interoperability and global use of encryption 
        products;
          (5) to promote the export of encryption products manufactured 
        in the United States;
          (6) to recommend policies enhancing the security of public 
        networks;
          (7) to encourage research and development of products that 
        will foster electronic commerce;
          (8) to promote the protection of intellectual property and 
        privacy rights of individuals using public networks; and
          (9) to evaluate the availability and market share of foreign 
        encryption products and their threat to United States industry.
  (c) Membership.--(1) The Board shall be composed of 12 members, as 
follows:
          (A) The Secretary, or the Secretary's designee.
          (B) The Attorney General, or his or her designee.
          (C) The Secretary of Defense, or the Secretary's designee.
          (D) The Director of Central Intelligence, or his or her 
        designee.
          (E) The Director of the Federal Bureau of Investigation, or 
        his or her designee.
          (F) The Special Assistant to the President for National 
        Security Affairs, or his or her designee, who shall chair the 
        Board.
          (G) Six representatives from the private sector who have 
        expertise in the development, operation, marketing, law, or 
        public policy relating to information security or technology. 
        Members under this subparagraph shall each serve for 5-year 
        terms.
  (2) The six private sector representatives described in paragraph 
(1)(G) shall be appointed as follows:
                  (A) Two by the Speaker of the House of 
                Representatives.
                  (B) One by the Minority Leader of the House of 
                Representatives.
                  (C) Two by the Majority Leader of the Senate.
                  (D) One by the Minority Leader of the Senate.
  (e) Meetings.--The Board shall meet at such times and in such places 
as the Secretary may prescribe, but not less frequently than every four 
months. The Federal Advisory Committee Act (5 U.S.C. App.) does not 
apply to the Board or to meetings held by the Board under this section.
  (f) Findings and Recommendations.--The chair of the Board shall 
convey the findings and recommendations of the Board to the President 
and to the Congress within 30 days after each meeting of the Board. The 
recommendations of the Board are not binding upon the President.
  (g) Limitation.--The Board shall have no authority to review any 
export determination made pursuant to this title.
  (h) Foreign Availability.--The consideration of foreign availability 
by the Board shall include computer software that is distributed over 
the Internet or advertised for sale, license, or transfer, including 
over-the-counter retail sales, mail order transactions, telephone order 
transactions, electronic distribution, or sale on approval and its 
comparability with United States products and its use in United States 
and foreign markets.
  (i) Termination.--This section shall cease to be effective 10 years 
after the date of the enactment of this Act.

                    TITLE IV--LIABILITY LIMITATIONS

SEC. 401. COMPLIANCE WITH COURT ORDER.

  (a) No Liability for Compliance.--Subject to subsection (b), no civil 
or criminal liability under this Act, or under any other provision of 
law, shall attach to any person for disclosing or providing--
          (1) the plaintext of encrypted data, including 
        communications;
          (2) the decryption information of such encrypted data, 
        including communications; or
          (3) technical assistance for access to the plaintext of, or 
        decryption information for, encrypted data, including 
        communications.
  (b) Exception.--Subsection (a) shall not apply to a person who 
provides plaintext or decryption information to another in violation of 
the provisions of this Act.

SEC. 402. COMPLIANCE DEFENSE.

  Compliance with the provisions of sections 2803, 2804, 2805, or 2806 
of title 18, United States Code, as added by section 103(a) of this 
Act, or any regulations authorized by this Act, shall provide a 
complete defense for any civil action for damages based upon activities 
covered by this Act, other than an action founded on contract.

SEC. 403. GOOD FAITH DEFENSE.

  An objectively reasonable reliance on the legal authority provided by 
this Act and the amendments made by this Act, authorizing access to the 
plaintext of otherwise encrypted data, including communications, or to 
decryption information that will allow the timely decryption of data, 
including communications, that is otherwise encrypted, shall be an 
affirmative defense to any criminal or civil action that may be brought 
under the laws of the United States or any State.

                   TITLE V--INTERNATIONAL AGREEMENTS

SEC. 501. SENSE OF CONGRESS.

  It is the sense of Congress that--
          (1) the President should conduct negotiations with foreign 
        governments for the purposes of establishing binding export 
        control requirements on strong nonrecoverable encryption 
        products; and
          (2) such agreements should safeguard the privacy of the 
        citizens of the United States, prevent economic espionage, and 
        enhance the information security needs of the United States.

SEC. 502. FAILURE TO NEGOTIATE.

  The President may consider a government's refusal to negotiate 
agreements described in section 501 when considering the participation 
of the United States in any cooperation or assistance program with that 
country.

SEC. 503. REPORT TO CONGRESS.

  (a) Report to Congress.--The President shall report annually to the 
Congress on the status of the international effort outlined by section 
501.
  (b) First Report.--The first report required under subsection (a) 
shall be submitted in unclassified form no later than September 1, 
2000.

                   TITLE VI--MISCELLANEOUS PROVISIONS

SEC. 601. EFFECT ON LAW ENFORCEMENT ACTIVITIES.

  (a) Collection of Information by Attorney General.--The Attorney 
General shall compile, and maintain in classified form, data on--
          (1) the instances in which encryption has interfered with, 
        impeded, or obstructed the ability of the Department of Justice 
        to enforce the laws of the United States; and
          (2) the instances where the Department of Justice has been 
        successful in overcoming any encryption encountered in an 
        investigation.
  (b) Availability of Information to the Congress.--The information 
compiled under subsection (a), including an unclassified summary 
thereof, shall be submitted to Congress annually beginning October 1, 
2000.

SEC. 602. INTERPRETATION.

  Nothing contained in this Act or the amendments made by this Act 
shall be deemed to--
          (1) preempt or otherwise affect the application of the Arms 
        Export Control Act (22 U.S.C. 2751 et seq.), the Export 
        Administration Act of 1979 (50 U.S.C. App. 2401 et seq.), or 
        the International Emergency Economic Powers Act (50 U.S.C. 1701 
        et seq.) or any regulations promulgated thereunder;
          (2) affect foreign intelligence activities of the United 
        States; or
          (3) negate or diminish any intellectual property protections 
        under the laws of the United States or of any State.

SEC. 603. FBI TECHNICAL SUPPORT.

  There are authorized to be appropriated for the Technical Support 
Center in the Federal Bureau of Investigation, established pursuant to 
section 811(a)(1) of the Antiterrorism and Effective Death Penalty Act 
of 1996 (Public Law 104-132)--
          (1) $25,000,000 for fiscal year 2000 for building and 
        personnel costs;
          (2) $20,000,000 for fiscal year 2001 for personnel and 
        equipment costs;
          (3) $15,000,000 for fiscal year 2002; and
          (4) $15,000,000 for fiscal year 2003.

SEC. 604. SEVERABILITY.

  If any provision of this Act or the amendments made by this Act, or 
the application thereof, to any person or circumstances is held invalid 
by a court of the United States, the remainder of this Act or such 
amendments, and the application thereof, to other persons or 
circumstances shall not be affected thereby.

                                Purpose

    The House Permanent Select Committee on Intelligence sought 
referral of H.R. 850, the ``Security and Freedom through 
Encryption (SAFE) Act,'' as reported by the House Committee on 
the Judiciary, because the bill impacts directly upon matters 
relating to the intelligence and intelligence-related 
activities and national security capabilities of the 
Intelligence Community. Specifically, the bill will have a 
profound effect on the intelligence, counter-intelligence, and 
counter-terrorism responsibilities of the Department of 
Defense, the National Security Agency, the Department of 
Justice, and the Federal Bureau of Investigation, to name but a 
few of those Intelligence Community agencies within this 
Committee's jurisdiction. The legislation as introduced or 
reported by the Committees on the Judiciary, International 
Relations, and Commerce, raises serious issues of great 
significance to our national security and public safety. 
Because of the significant risk to the intelligence and 
intelligence-related activities and capabilities of the United 
States the Committee determined that it needed to act in a 
comprehensive manner.
    The paramount duty of government is to protect its citizens 
from harm to their persons or property. Fundamental to a free 
society, however, is a delicate balance between the need to 
defend the nation's security and preserving the liberties of 
the people endowed by their Creator. The balance achieved in 
the Constitution and the Bill of Rights provides a clear 
backdrop against which the Committee's legislative action 
should be considered.
    During the Committee's consideration of H.R. 850 it was 
determined that the SAFE Act did not adequately address the 
national security and public safety interests at stake in the 
public policy debate over encryption legislation. Government 
official, after government official, advised the Committee that 
strong encryption is being used to facilitate drug trafficking, 
child pornography, terrorism, espionage, and myriad other 
crimes. Proponents of the SAFE Act urged the Committee to 
ignore the concern of these witnesses and to leave the 
management of encryption policy to the marketplace. They argued 
that it was too late to do anything about the widespread use of 
strong encryption. They asserted that the ``genie was out of 
the bottle'' and could not be put back in. They claimed that 
any effort to continue control of encryption technology would 
be a losing proposition that would harm industry. They rejected 
the enormous consequences described by the government officials 
charged with the duty to protect the national security and 
defend the public safety.
    The Committee considered the arguments of the SAFE Act 
proponents and the administration officials and struck a 
balance. The Committee's amendment, the ``Encryption for the 
National Interest Act,'' gives the government the authority:
           To access the plaintext of encrypted 
        information, through the use of court orders, during 
        lawful criminal, foreign intelligence, and 
        international terrorist investigations;
           To control encryption exports in defense of 
        the national security;
           To procure and use encryption products with 
        recoverability features; and
           To improve their technical capabilities 
        against the widespread use of strong encryption.
    But, at the same time, the Encryption for the National 
Interest Act assures the industry and the cyber-libertarians 
that their concerns have too been heeded. The bill provides 
that:
           U.S. persons can use any encryption product 
        of any strength regardless of whether it contains 
        access to plaintext capabilities;
           All access to plaintext or decryption 
        information will be upon the order of a judge after an 
        appropriate showing by the government;
           Civil and criminal sanctions can be imposed 
        upon those who misuse the decryption information of any 
        other person; and
           Electronic audit trails are required 
        whenever law enforcement accesses the plaintext or 
        decryption information of an encryption user.
    The Encryption for the National Interest Act asserts that 
the nation's security and the protection of its citizens are 
worthy objectives of the federal government and its principal 
obligation. The Encryption for the National Interest Act also, 
however, seeks to establish a dynamic and constructive 
framework for continued cooperation between government and 
industry to achieve a workable solution to this extremely 
vexing issue facing the nation. It does not preclude continued 
American competitiveness in an increasingly competitive global 
market, yet secures the right of the Commander-in-Chief to 
defend our interests against those who wish us harm. It does 
not turn national security and public security over to the 
random behavior of the marketplace.
    The Encryption for the National Interest Act achieves a 
compromise in the best interests of all protagonists in this 
public debate: industry, national security, public safety, and 
privacy. The Committee's amendment was adopted upon a unanimous 
voice vote of the Committee, and H.R. 850 was ordered reported 
favorably to the House, as amended by the Committee.

                                Summary


                      SECTION-BY-SECTION ANALYSIS

Section 1.--Short title and table of contents

    This section provides the title of the bill as the 
``Encryption for the National Interest Act'' and a table of 
contents.

Section 2.--Statement of policy

    This section sets forth the policy of the United States 
with respect to encryption technology.

Section 3.--Congressional findings

    This section sets forth the findings of Congress as to the 
important role information security technology, encryption, 
plays in relaying and protecting intelligence information, 
linking policy makers, establishing an effective foreign 
policy, protecting United States banking and financial systems 
and critical infrastructure, and citizens from such crimes as 
fraud, theft, drug trafficking, espionage, terrorism, money 
laundering, and child pornography, among other serious 
offenses.

                  TITLE I--DOMESTIC USE OF ENCRYPTION


Section 101.--Definitions

    This section establishes the definitions of specific terms 
used throughout the bill.

Section 102.--Lawful use of encryption

    This section makes clear that, except as otherwise 
provided, it is lawful to use encryption products, regardless 
of algorithm length selected, encryption key length chosen, or 
implementation technique or medium used.

Section 103.--Unlawful use of encryption

    This section amends Title 18, United States Code, by new 
sections 2801 through 2807 within new chapter 122, which bears 
the heading, ``Chapter 122-Encrypted Data, Including 
Communications.''
    New section 2801 of Title 18, United States Code, would 
make it a criminal offense to use encryption in furtherance of 
the commission of a federal crime. The penalties attached to 
such crimes would be in addition to any sentence imposed for 
the underlying offense. For first time offenders, a fine under 
Title 18, United States Code, or both. For repeat offenders of 
this provision, the jail time is potentially no more than 10 
years. This section also makes clear that merely using 
encryption, without additional facts, cannot be the basis for a 
probable cause determination.
    New section 2802 creates several new crimes. First, it 
makes it illegal to intentionally obtain or use decryption 
information without lawful authority in order to decrypt data, 
including information. In addition, it makes it a criminal 
offense to exceed lawful authority in decrypting data, 
including communications. This new section would make the 
breaking of encryption code of another without lawful authority 
and with the purpose of violating that person's privacy or 
security, or for the purpose of depriving that person of his or 
her property a criminal violation of law. Furthermore this 
section would make it a criminal offense to assist in the 
encryption of data knowing that such data, including 
communications are to be used in furtherance of a crime.
    New section 2803 sets forth the standards and procedures 
for the issuance of a court order granting an investigative or 
law enforcement officer timely access to the plaintext of 
otherwise encrypted data, including communications, or 
compelling the provision of decryption information to an 
investigative or law enforcement officer that has a lawful 
basis to obtain that data. The application for such order must 
be made by an attorney for the government. That application 
must establish facts supporting the finding that the plaintext 
of decrypted information is relevant to an on-going lawful law 
enforcement, foreign counterintelligence, or international 
terrorist investigation. The application and any order issued 
thereon shall be made ex parte and placed under seal. 
Disclosure of the application or order is not authorized, 
except as may be otherwise permitted by this section or another 
order of the court.
    This section also requires that the court granting access 
to plaintext or the disclosure of decryption information, shall 
also ensure that a verifiableaudit trail of any access to 
plaintext or decrypted information be maintained.
    The record will be tendered to the court upon an order of 
the court.
    Subsection (d) clarifies that nothing in this new chapter 
shall be read to expand or modify any other constitutional or 
statutory requirement under which a government entity is 
entitled to intercept or obtain oral, wire, or electronic 
communications or information.
    Subsection (e) mandates a strict construction of this new 
chapter so that it is read only to apply to a government 
entity's ability to decrypt or otherwise gain access to the 
plaintext data, including communications, for which it 
previously obtained lawful authority to intercept or obtain.
    New section 2804 provides the users of encryption products 
with a statutory right to be notified when their decryption 
information is provided to law enforcement, or when law 
enforcement is granted access to the plaintext of their data, 
including communications. This section provides for a delayed 
notification to the user so as not to jeopardize the integrity 
of the on-going criminal investigation, foreign 
counterintelligence, or international terrorist investigation. 
Basically, the user must be notified within 90 days after the 
filing of an application for the decryption information, or for 
access to the plaintext, unless the judge finds good cause 
warranting delay. Specifically, however, neither any of the 
decrypted contents of the encrypted information that has been 
obtained, nor any evidence derived therefrom may be used in any 
proceeding unless the user has been furnished with a copy of 
the order, application, and the data, including communications. 
The user may move to suppress the use of any of the plaintext 
or evidence derived therefrom in any proceeding on the grounds 
that the plaintext or the decryption information was unlawfully 
obtained. This section also provides aggrieved persons with a 
civil cause of action for any violations of this new chapter.
    New section 2805 limits the lawful uses of plaintext or 
decryption information obtained under this chapter. It may be 
used for the purposes of conducting a lawful criminal or 
foreign counterintelligence or terrorist investigation and for 
the purposes of preparing for and prosecuting any criminal 
violation of law. It may not be disclosed to any party to a 
civil suit that does not arise from criminal investigation or 
prosecution, unless a court finds that there is no alternative 
means of obtaining the plaintext, or decryption information and 
that the interests of justice would not be served by 
nondisclosure. This section further clarifies that decryption 
information may not be used to determine the plaintext unless 
the officer possesses other lawful authority to plaintext.
    This section also outlines the procedures for returning or 
destroying any decryption information upon the conclusion of 
the investigation, trial, or proceeding. This section also 
places limitations upon any person acting as a key recovery 
agent. It specifies whom and under what circumstances a key 
recovery agent may provide decryption information to another 
person.
    New section 2806 requires those who are providing 
decryption information to an investigative or law enforcement 
officer to so identify that information in order to avoid any 
inadvertent disclosure. The officer is responsible for 
maintaining the decryption information in such a manner so as 
reasonably to ensure against inadvertent disclosure.
    New section 2807 states that the same definitions set forth 
in section 101 of the ``Encryption for the National Interest 
Act'' shall apply to this chapter.

                    TITLE II--GOVERNMENT PROCUREMENT


Section 201.--Federal purchases of encryption products

    This section permits the United States government to 
purchase encryption products enabling the timely decryption by 
an authorized party, without the knowledge or cooperation of 
the person using the encryption product. This requirement only 
applies to those products or services purchased or procured by 
the United States government for data confidentiality for 
computer systems armed or operated by the United States.
    The Committee believes that a ``National Information 
Assurance Plan'' is needed to ensure that the data, including 
communications, of the United States government are secure. To 
this end the Committee requests that the President submit to 
the Permanent Select Committee on Intelligence and the 
Committee on Armed Services of the House of Representatives and 
the Select Committee on Intelligence and the Committee on Armed 
Services of the Senate within 120 days after enactment of this 
Act a report that outlines the national information assurance 
plan and policy for the United States government.
    The Committee believes that any plan or policy developed 
should include the following goals, which should be addressed 
in the report to be submitted to the congressional committees:
          (1) The protection of the Federal Government's 
        information infrastructure against hostile penetration 
        by ensuring the Federal Government's use of the 
        strongest possible information assurance products, 
        including encryption, in secure configurations and 
        applications;
          (2) A requirement that the Federal Government use 
        products designed or manufactured in the United States 
        enabling the recovery of information pursuant to lawful 
        authority; and
          (3) A requirement that the Federal Government use 
        reliable authentication products designed or 
        manufactured in the United States so that the Federal 
        Government knows who is accessing its systems.

Section 202.--Networks established with federal funds

    This section permits the President to require that any 
communications network that is established for the purpose of 
conducting the business of the Federal Government must use 
encryption products that include techniques enabling the timely 
decryption of data, including communications, without the 
knowledge or cooperation of the person using the encryption 
product or service. It is not intended that private 
communications networks that might benefit from federal grants 
fall within this requirement. Nor is it intended that this 
section include the Internet, although it is understood that 
there may be government business that is conducted via the 
Internet.

Section 203.--Government contract authority

    This section grants to the President of the United States 
the authority to require, as a condition of any contract by the 
United States government with a private vendor that any 
encryption product used by the vendor in carrying out the 
provisions of the contract include features and functions that 
enable the decryption of encrypted data, including 
communications, or timely access to plaintext by an authorized 
party without the knowledge or cooperation of the person using 
such encryption products or services.

Section 204.--Product labels

    This section allows for the labeling of encryption products 
so that purchasers and users are aware that the product is 
authorized for sale to, or for use in transactions with, the 
United States government.

Section 205.--No private mandate

    This section specifies that the United States government 
may not require the use of encryption standards for the private 
sector except as otherwise authorized by section 203.

Section 206.--Exclusion

    This section clarifies that nothing in this title shall 
apply to encryption products and services used solely for 
access control, authentication, integrity, non-repudiation, 
digital signatures, or other similar purposes.

                    TITLE III--EXPORTS OF ENCRYPTION


Section 301.--Exports of encryption

    Subsection (a) authorizes the President to control the 
export of all dual-use encryption products.
    Subsection (b) grants the President the authority to deny 
the export of any encryption product on the basis that its 
exportation would be contrary to the national security 
interests of the United States.
    Subsection (c) specifies that all national security 
decisions made by the President, or his designee, under this 
title shall not be subject to judicial review.

Section 302.--License exception for certain encryption products

    Subsection (a) sets forth criteria for the export of those 
encryption products with an encryption strength of 64 bits or 
less under a license exception. The product must be submitted 
for a 1-time technical review, not require licensing under 
otherwise applicable regulations, and not be intended for a 
country, end-user, or end use that is otherwise ineligible to 
receive such products. In addition, the exporter must within 
six months after export supply the names and addresses of its 
distribution chain partners, and identify the intended end user 
(if available) or use of the product. The exporter must provide 
proof that its distribution chain partners have contractually 
agreed to abide by all laws and regulations of the United 
States regarding export and re-export of encryption products.
    Subsection (b) sets a time limit of 45 days after 
submission for all information required for the technical 
review for the completion of the review referred to in 
subsection (a).
    Subsection (c) requires that the President notify Congress 
every six months of the maximum strength level encryption that 
may be exported under a license exception pursuant to this 
section without harm to national security. The initial maximum 
bit level for which products can be exported under this 
exception shall not be less than 64 bits. This brings U.S. 
policy in line with Waasenaar Arrangement commitments. At the 
end of each successive 180-day period, the President shall 
notify Congress of the maximum encryption bit level that may be 
exported under license exception. The levels cannot be reduced 
once raised by the President. This report will ensure that the 
Administration review on a regular, short-term basis, which is 
necessary given the dynamic nature of technology, the 
appropriate level to allow products out under a license 
exception.
    Subsection (d) enables the export of a product under a 
license exception that meets the criteria set forth in section 
302(a), regardless of whether the product contains a method of 
decrypting encrypted data. There is no requirement that 
recoverability features be included in the product for this 
section to apply.

Section 303.--Discretionary authority

    Section 303 authorizes the President to allow the export, 
under a license exception, of encryption products with bit 
lengths greater than that level set through operation of 
section 302, subject to the conditions of section 302, if the 
export would be consistent with the national security interest 
of the United States.
    This provision ensures that export of those 128-bit 
encryption products currently allowed under a license exception 
may continue after enactment of the Act.

Section 304.--Expedited authority

    This section grants the President authority to establish 
procedures for expediting the review of commodity 
classification requests, or export license applications 
involving encryption products that are specifically approved, 
by regulation, for export.

Section 305.--Encryption licenses required

    Subsection (a) establishes criteria the President shall 
employ in the review and granting of a license for export of 
encryption products exceeding the maximum level eligible for 
license exception under section 302. Products beingconsidered 
for export determinations shall not be required to contain features or 
functions for the timely access to plaintext or decryption information. 
In addition, any bit length encryption product is eligible for export 
under this section. The license applicant is responsible for submitting 
the product for technical review, certifying under oath the intended 
end user, the end use of the product, and providing the names and 
addresses of its distribution chain partners. The exporter must certify 
that these distributors are contractually obligated to abide by all 
laws and regulations of the United States concerning the export and re-
export of encryption products and services.
    Subsection (b) further clarifies that the technical review 
described in subsection (a) to be completed within 45 days 
after product submission and no export shall occur during the 
technical review.
    Subsection (c) sets forth post-export reporting 
requirements to be submitted to the Secretary of Commerce. 
Reports shall be filed specifically when the exporter believes 
the exported encryption products or services are being diverted 
to a user or use not approved for export, or the exporter has 
detected pirating of their technology or intellectual property. 
In addition, all exporters and their distribution chain 
partners shall report the names and addresses of the next 
purchaser in the distribution chain.
    Subsection (d) clarifies that the Secretaries of Commerce, 
Defense, and State may exercise the authority they have under 
other provisions of law, specifically the International 
Emergency Economic Powers Act.
    Subsection (e) provides the President with the authority to 
waive any provision of this title for national security 
purposes. Requires the President to report to the relevant 
committees of Congress within 15 days after this authority is 
used. The determination made by the President shall not be 
subject to judicial review.

Section 306.--Encryption industry and information security board

    This section establishes an Encryption Industry and 
Information Security Board (``EIIS'') to advise the President 
on future encryption policy and technological advancements that 
might serve to alter the United States policy on encryption 
products. This section also defines the purposes of the board. 
It further specifies that the Board shall be composed of 12 
members, and how those members shall be appointed. In addition 
to the Secretary of Commerce, Secretary of Defense, Attorney 
General, the Director of Central Intelligence, the Director of 
the Federal Bureau of Investigation, and the Special Assistant 
to the President for National Security Affairs, or their 
designees; six representatives from the private sector who have 
expertise in development, operation, marketing, law, and public 
policy relating to information security or technology shall be 
appointed by Congressional Leadership. The Board will have no 
authority to challenge or review an export determination made 
pursuant to this Act. The Board will report to the President 
and the Congress. This section will cease to be effective 10 
years after the date of enactment.

                    TITLE IV--LIABILITY LIMITATIONS


Section 401.--Compliance with court order

    This section states that a person shall not be subject to 
civil or criminal liability under this Act, or under any other 
provision of law, for acting in compliance with a court order 
compelling the disclosure of plaintext or decryption 
information.

Section 402.--Compliance defense

    This section provides a complete defense for any non-
contract action for damages based upon activities covered by 
the Act as long as the person complies with the provisions of 
sections 2803, 2804, 2805, and 2806 of Title 18, United States 
Code, as amended by section 103(a) of this Act, or any 
regulations authorized by this Act.

Section 403.--Good faith defense

    This section provides anyone who relies on the legal 
authority provided under this Act as the basis for providing an 
investigative or law enforcement officer with access to the 
plaintext of otherwise encrypted data, including 
communications, or for providing such officer with decryption 
information, a complete defense to any criminal or civil action 
arising therefrom.

                   TITLE V--INTERNATIONAL AGREEMENTS


Section 501.--Sense of Congress

    This section expresses the Sense of Congress that the 
President should negotiate with foreign governments to 
establish binding export control requirements on nonrecoverable 
encryption products. Any agreement should safeguard the privacy 
of U.S. persons, prevent economic espionage, and enhance the 
information security needs of the United States.

Section 502.--Failure to negotiate

    This section permits the President to take a country's 
refusal to negotiate into consideration when making decisions 
about U.S. participation in any cooperation or assistance 
program with that country.

Section 503.--Report to Congress

    This section requires an annual report to Congress on the 
status of the negotiations, with the first report due September 
1, 2000.

                   TITLE VI--MISCELLANEOUS PROVISIONS


Section 601.--Effect on law enforcement activities

    This section requires the Attorney General to compile, and 
maintain in classified form, information on those instances 
where encryption has posed problems in the enforcement of 
federal laws. This information will be available to any Member 
of Congress upon request.

Section 602.--Interpretation

    This section clarifies the relationship of the bill to the 
interpretation of certain laws: the bill does not preempt the 
application of other important export control acts, including: 
the Arms Export Control Act, the Export Administration Act, or 
the International Emergency Powers Act. It shall not affect 
foreign intelligence activities of the United States; nor does 
it diminish the intellectual property protections provided by 
the laws of the U.S. or of any State.

Section 603.--FBI technical support

    This section authorizes appropriations totaling $75 million 
for fiscal years 2000 through 2003 to the Federal Bureau of 
Investigation for the Technical Support Center established 
pursuant to section 811(a)(1) of the Antiterrorism and 
Effective Death Penalty Act of 1996. (P.L. 104-132)

Section 604.--Severability

    This section permits any court reviewing this Act to sever 
any provision from the remainder of the Act, so as not to find 
the Act invalid in its entirety.

                  Background and Need for Legislation


                     benefits of strong encryption

    There is little doubt that strong encryption has enormous 
benefits for society. For our national security apparatus, it 
is invaluable and essential to secure the flow of intelligence 
information, enhance our ability to execute foreign policy, and 
ensure the protection of the 1.4 million men and women of our 
armed forces deployed around the world. It is fundamental to 
protecting the Nation's critical infrastructures, such as power 
grids, telecommunications, and transportation facilities. 
Strong encryption is a remarkable tool that has aided the 
advancement of the Internet. It has been one factor in the 
explosive growth of on-line commerce, banking, investments, 
telemedicine, and legal services, to name only a few areas 
where the Internet has changed our daily lives.
    Encryption also advances the interests of law enforcement 
where it is used for legitimate purposes, because it can and 
does shield on-line activities from criminals interested in 
stealing personal financial data, credit card information, or 
national secrets, for example. But, as crucial as it is to the 
protection of information, it can be equally harmful to our 
Nation's security and the public's safety.

          problems with h.r. 850, as referred to the committee

    After all, the benefit that strong encryption provides to 
the individual legitimate encryption user is equally provided 
to the person with criminal intent. Our laws should not 
preclude lawful investigation of criminal activity. Our laws 
should enhance the Nation's security and public safety. The 
SAFE Act (H.R. 850), as reported by the Committee on the 
Judiciary, would deny law enforcement authorities the 
opportunity to obtain evidence--evidence to which they are 
statutorily authorized to obtain--simply because a criminal 
decided to encrypt it. Under that bill, the child pornographer 
will be able to operate with impunity. The terrorist will be 
able to communicate with his comrades. He will be able to plan 
and execute his cowardly acts without fear that he will be 
identified or brought to justice. Spies would operate without 
fear of discovery. The drug trafficker will be able to arrange 
for distribution of his poison and collection of the thousands 
or millions of dollars made in the deal. He will be able to 
launder his proceeds unconcerned that his activities have 
caught the attention of the law enforcement authorities. Those 
that engage in the proliferation of weapons of mass destruction 
will be able to continue their menacing activities unhindered 
by our national security apparatus or intelligence collectors.
    Allowing the unchecked export of unbreakable encryption to 
all markets and all users across the globe presents a series of 
challenges that the national security agencies of the United 
States cannot meet or overcome simply by employing faster and 
more powerful computers. The consequences of such a policy 
would be devastating. Criminals and international thugs wishing 
to do harm to the people of the United States would have 
available to them an ``electronic sanctuary.''
    Legislation that precludes the federal government from 
using encryption products that permit the recovery of data or 
communications is irresponsible. The SAFE Act has been read to 
do just this. With the time it would take to break just one 
128-bit encrypted message (many times the age of the universe), 
annihilation would be quicker than our ability to protect 
ourselves.
    Without an ability to undo quickly an encryption code, the 
people of this country could suffer unfathomable harm. 
Similarly, child pornographers could distribute their filth 
unimpeded. Pedophiles could secretly entice the children of 
America into their clutches. Drug traffickers will make their 
plans to deliver larger and larger amounts of cocaine, heroin, 
marijuana, and other narcotics without the slightest concern 
that they will be detected. Terrorists and spies can cause 
unspeakable damage without even the possibility of being 
stopped before it is too late. In a world governed by policies 
espoused by the SAFE Act, protecting America, her interests, 
and her citizens becomes a far riskier endeavor.
    While the SAFE Act does not on its face remove export 
controls, the regime it would establish is so fraught with 
exceptions and limitations on government authority that control 
might as well be non-existent. The SAFE Act does acknowledge, 
however, that the nation's security should override an ability 
to export on occasion. Yet, the circumstances under which the 
SAFE Act would authorize denial of exports are limited only to 
those instances where the Secretary of Commerce has 
``substantial evidence'' that the product intended for export 
was going to Iran, Iraq, North Korea, Libya, Sudan, Cuba, and 
Syria, or has ``substantial evidence'' that a specific product 
would be used by foreign militaries or terrorists. First, there 
is no role under the SAFE Act for the participation of the 
national security apparatus of the United States in such 
decisions not to export. Secondly, there can be no doubt that 
these two factors cover only a fraction of all situations that 
present threats to our national security interests. A broader 
authority to deny exports must be provided in order to ensure 
the nation's security in an age of constantly changing 
political realities.
    Expert witnesses before the Committee and Congress have 
provided compelling and sobering testimony about the lack of 
balance in H.R. 850 as reported from the Judiciary Committee. 
The administration opposes any encryption legislation that is 
not balanced. ``The current version [of H.R. 850] does not 
balance the needs of privacy and business, public safety, and 
national security, * * *.'' Testimony of Janet Reno, Attorney 
General of the United States, before the House Permanent Select 
Committee on Intelligence on July 14, 1999. ``The proposed SAFE 
Act does not include any provisions aimed at improving law 
enforcement's ability to perform its public safety mission in 
an encrypted world.'' Id. ``The objective of the legislation is 
unfettered encryption which has no concern for public safety 
and, in all reality, eliminates any concerns for public safety 
in the future.'' Testimony of Thomas A. Constantine, former 
Administrator, Drug Enforcement Administration, before the 
House Permanent Select Committee on Intelligence on July 14, 
1999 (hereinafter ``Constantine Test.''). ``The [SAFE Act] * * 
* will harm law enforcement, will harm public safety, will harm 
national security, and lives will be lost * * *.'' Testimony of 
Louis J. Freeh, Director, Federal Bureau of Investigation, 
before the House Committee on Armed Services on July 13, 1999. 
``[R]ather than a SAFE Act * * * I would call it the `Drug 
Lords Protection Act.' '' Constantine Test. ``[T]he SAFE Act 
will harm national security by making [NSA's] job of providing 
critical, actionable intelligence to our leaders and military 
commanders difficult, if not impossible, thus putting our 
nation's security at considerable risk.'' Testimony of Barbara 
A. McNamara, Deputy Director, National Security Agency, before 
the House Committee on Armed Services on July 13, 1999. ``H.R. 
850 * * * would be a tidal wave that would crush your national 
security and law enforcement agencies that are protecting this 
country.'' Testimony of John J. Hamre, Deputy Secretary, 
Department of Defense, before the House Committee on Armed 
Services on July 13, 1999. ``[T]here are real national security 
and law enforcement costs to the policy that is articulated by 
the [SAFE Act]. * * *'' Testimony of William Reinsch, 
Undersecretary of Commerce for Export Administration, 
Department of Commerce (hereinafter ``Reinsch Test.''), before 
the House Committee on Armed Services on July 13, 1999. ``[T]he 
bill in letter and spirit would destroy the balance we have 
worked so hard to achieve and would jeopardize our law 
enforcement and national security interests.'' Reinsch Test. 
before the House Permanent Select Committee on Intelligence on 
June 9, 1999.
    Importantly, during his appearance before the HPSCI on June 
9, 1999, Mr. Goodlatte, the author of the SAFE Act, conceded 
that a balance needed to be achieved on this issue. Mr. 
Goodlatte stated that he shared the serious national security 
and law enforcement concerns at stake in this debate. Testimony 
of Representative Bob Goodlatte (hereinafter ``Goodlatte 
Test.'') before the House Permanent Select Committee on 
Intelligence on June 9, 1999,at pp. 26, 27, 28, 52. He claimed 
his bill was not designed to eliminate all export controls, which was a 
significant concession. Goodlatte Test. at pp. 21, 30. It is a 
testament to the notion that we cannot place market share and larger 
profits ahead of the nation's security and the public's safety. It 
further reemphasizes the concept that there must be accommodation in 
the encryption export control policy to assure the national security 
and the interests of the industry. Mr. Goodlatte's support for export 
controls in certain circumstances extends to the foundational concept 
that export controls can be used to protect against threats to the 
national security of the United States. Goodlatte Test. at pp. 31, 44. 
He also testified that it was not the intent of his legislation to deny 
law enforcement the ability to gain access to plaintext or decryption 
information, where it was available. Goodlatte Test. at pp. 34, 53, 77. 
See also Report of the Committee on the Judiciary to Accompany H.R. 
850, House Report 106-117, Part 1, at p. 8 (April 27, 1999) (``Just as 
new technology should not take away the longstanding rights of citizens 
against government, it also should not take away the traditional means 
for legitimate law enforcement and national security investigations.'') 
He was open to modification of the ``substantial evidence'' standard 
his bill uses to preclude an export of encryption to terrorists and 
militaries in order to alleviate the risks attendant to the export of 
encryption throughout the world. Goodlatte Test. at pp. 38, 43, 44. He 
further contended that it was not the intent of his legislative 
proposal to preclude the federal government, or state and local 
governments, from using encryption products that have features or 
functions that permit the recovery of data when those government 
entities find it necessary to use such products. Goodlatte Test. at pp. 
77. Although not included anywhere in his legislation, Mr. Goodlatte 
also supports the provision of more and better resources to federal, 
state, and local law enforcement so they can more adequately meet the 
challenges of widespread use of strong encryption. Goodlatte Test. at 
pp. 25, 28, 53, 54.

                      BALANCED APPROACH IS NEEDED

    The HPSCI reported amendment, the ``Encryption for the 
National Interest Act,'' strives to balance the needs of law 
enforcement, national security, industry, and privacy. It 
advances the interests of all sectors engaged in this debate, 
yet requires some sacrifice on the part of each, as well.
    The Committee amendment preserves law enforcement's crime 
fighting and public safety capabilities by providing clear 
authority through judicial processes to access the plaintext or 
decryption information, without the target of the 
investigation's knowledge or cooperation. It does not, however, 
require key escrow, or mandate key recovery. Key recovery is a 
non-factor for domestic use and for export considerations.
    In addition to laying the framework for a national 
information assurance program, the Committee's amendment will 
relax the current export control policy of the United States on 
encryption products to bring the policy in line with the 
government's commitments under the Waasenaar Arrangement. In 
other words, where now only those products of 56-bit strength 
and lower can be exported under a license exception, upon 
enactment of the HPSCI amendment, all products of 64-bit 
strength and lower will be allowed for export in this manner. 
All products in excess of 64-bits will require a license prior 
to export, unless granted a waiver. This will permit the export 
of any bit-length encryption product under license exception 
conditions to those sectors that pose little or no risk to 
national security. Of course, prior to the first export of any 
encryption product, the Committee's amendment will still 
require a technical review to be conducted.
    Furthermore, the Committee's amendment requires the 
administration to review its encryption export policies on a 
more regularized basis than is currently done. The amendment 
requires a semi-annual look at export policy and certifications 
to Congress with respect to the results of this review.
    The Committee's amendment also streamlines export reporting 
requirements in an effort to reduce the burdensome and costly 
paperwork that is the bane of the industry. It does not remove 
these requirements completely, as the SAFE Act does, because 
there is significant national security utility in such 
reporting and the Committee determined it should continue in 
some form.
    Importantly, the Encryption for the National Interest Act 
preserves the President's authority to protect national 
security by authorizing him, or his designee, to deny an export 
of an encryption product based on national security grounds. 
This is an acknowledgement that the conduct of foreign policy 
and the protection of the citizens of the United States cannot 
be tied to only a couple of particular threats. The exigencies 
of our role as the world's only superpower must be accommodated 
and our export control regime must reflect the need for such 
flexibility.
    The Committee's amendment permits the federal government to 
procure and utilize encryption products with recoverability 
features for the conduct of the government's business. 
Likewise, the federal government will be permitted to require 
that its contractors use recoverable encryption products for 
the conduct of the government's business pursuant to the 
government contract. This authority does not permit, however, 
the government to require contractors to use such products in 
the course of their private sector, non-governmental business 
activities.
    Finally, the Committee's amendment establishes an advisory 
board to assist the President in his determination of 
appropriate encryption export policies and to foster 
government-industry cooperation on this important issue with 
significant ramifications for national security and public 
safety. Moreover, the Committee's legislative initiative 
authorizes the appropriation of $75 million to build, equip, 
and maintain the FBI's Technical Support Center. This Center 
will help move law enforcement at all levels forward in this 
age of high technology. It will help law enforcement meet and 
overcome the substantial challenges presented in a world where 
strong encryption will be commonplace.
    The Committee's Ranking Democrat, Representative Julian C. 
Dixon, put the matter succinctly after the Committee adopted 
its amendment in the nature of a substitute, when he stated:

          The encryption compromise adopted by the Intelligence 
        Committee achieves two important goals: it recognizes 
        that government access to information on the electronic 
        infrastructure--when necessary to protect public safety 
        and national security--is legitimate within reasonable, 
        lawful constraints; and, it provides greater certainty 
        in the export control process while allowing for 
        regulatory flexibility as technology advances. The 
        balance between commercial interests and public safety 
        achieved by the Intelligence Committee substitute has 
        improved greatly the encryption legislation with which 
        the Committee was asked to deal.

    The Committee believes that the United States government 
should encourage the development of encryption products that 
are responsive to the needs and obligations of government to 
ensure public safety, and that are viable in the commercial 
marketplace, without resorting to mandated key recovery or key 
escrow. For certain, law enforcement would have no difficulty 
obtaining decrypted evidence of criminality were Congress to 
impose mandatory requirements on the encryption industry to 
develop products with access to plaintext functions or 
features. Such an approach, however, does not advance the 
debate on comprehensive encryption policy for the United States 
in the fast approaching 21st Century.
    The Committee determined that the SAFE Act, as reported by 
the Judiciary, the International Relations, and the Commerce 
Committees did not adequately address national security and 
public safety concerns. In fact, the Committee found, based on 
the testimony of various witnesses before the Committee, that 
the SAFE Act actually would disadvantage our national security 
apparatus and federal, state, and local law enforcement in the 
conduct of their very serious obligations. To correct these 
faults, the Committee decided that an amendment in the nature 
of a substitute was necessary rather than merely ``tinkering 
around the edges'' of the SAFE Act, in order to ensure that the 
appropriate and desired balance could be achieved. Thus, the 
Committee adopted by unanimous voice vote the ``Encryption for 
the National Interest Act.''

            THE ``ENCRYPTION FOR THE NATIONAL INTEREST ACT''

A. Establishes government encryption procurement policies

    As noted, the Committee amendment, the Encryption for the 
National Interest Act, permits the United States government to 
procure and use encryption products that include recoverability 
or comparable features to allow authorized parties to have 
access to plaintext. The SAFE Act forbids the government and 
the States from using such products; and the SAFE Act would 
deny the government the opportunity to encourage the 
development of products with features that might help catch 
spies, thieves, child pornographers, and embezzlers, among 
others. Thus, specifically, the Encryption for the National 
Interest Act would authorize the United States government to 
include as a condition of any government contract a requirement 
that any encryption employed by the contractor in the execution 
of the contract with the government will include features 
permitting access to plaintext or decryption information. This 
amendment would not require that federal government contractors 
use recoverable encryption products in the conduct of non-
federal government business. The Committee amendment also does 
not preclude the States from employing recoverable encryption 
products. The SAFE Act, however, includes such a prohibition.

B. Preserves law enforcement's investigative capabilities

    The Encryption for the National Interest Act also 
establishes definite procedures to be followed by federal, 
state, and local law enforcement when seeking access to the 
plaintext or decryption information of data, including 
communications, that is otherwise encrypted. Without expanding 
current wiretap or search and seizure authorities, the 
amendment allows law enforcement, through judicially authorized 
court orders, to gain access to decryption information, or to 
plaintext, where it is available, for use in criminal, foreign 
counterintelligence, and international terrorism 
investigations. A close reading of the SAFE Act would deny law 
enforcement this critical capability. The SAFE Act would deny 
law enforcement the ability to decrypt any encrypted 
communications that are intercepted through legitimate court 
issued wiretap orders.
    Many proponents of the SAFE Act routinely assert that 
wiretaps are of limited utility to law enforcement, and that 
the lack of this capability would cause no egregious harm to 
public safety. The Committee's extensive experience and the 
testimony on this matter indicate otherwise.
    Some have concluded that the effort to enact the SAFE Act 
is a not-so- subtle attempt to render the government's wiretap 
authority void. As the distinguished Chairman of the House 
Committee on the Judiciary, Chairman Henry Hyde wrote in 
October 1996, ``Without a remedy, America will effectively 
disarm itself of one of its most potent weapons in the fight 
against two particularly pernicious crimes: international 
terrorism and drug smuggling.'' Washington Times, p. B3, 
October 27, 1996. Mr. Hyde made the point that ``efforts to 
prevent or eliminate this important law enforcement tool are 
both naie and dangerous.'' Id. He concluded, by asserting, 
``Our Constitution requires the federal government to provide 
for the common security of the people. Wiretaps, used sparingly 
and with court authorization, are indispensable in safeguarding 
both our liberties and our security in an age of dangerous 
uncertainty.'' Id. Although Chairman Hyde was expressing his 
concern about digital telephony, his logic and arguments are 
entirely apt within the context of this public debate over 
encryption policy, and should be heeded.

C. Protects civil liberties

    It is apparent to the Committee that the use of encryption 
to protect the security of one's data or communications would 
be indicative of an individual's heightened expectation of 
privacy with respect to that data or communication. Although 
this does not raise the search and seizure probable cause 
standard of the Fourth Amendment to the Constitution of the 
United States, Congress can provide additional procedural 
protections that will recognize this heightened expectation of 
privacy. In fact, the Encryption for the National Interest Act 
does exactly this while allowing law enforcement agencies to 
conduct their investigations in this computer age. The 
Committee amendment provides a judicially supervised mechanism 
for accessing the plaintext or decryption information. It 
likewise permits all U.S. persons to purchase and use any 
encryption technology that is available anywhere in the world, 
whether it contains access to plaintext capabilities, or not.
    Most proponents of the SAFE Act speak of the need to 
protect our privacy from the ``abuses'' of government, 
particularly law enforcement. They assert that any access 
capability to the plaintext of communications or stored data 
will leave law abiding Americans vulnerable to government 
prying and abusive intrusion into our private lives. In making 
these claims, the supporters of the SAFE Act ignore the bulwark 
of our freedoms, the guarantor of our liberties: the 
Constitution.
    The Framers, brilliant in their foresight, understood 
that--at times--there might happen an occasion where government 
misunderstood its mission, where government intruded on the 
liberties of its citizenry. It was due to this foresight that 
the Constitution requires neutral, detached magistrates to 
approve the search or seizure of the people's papers and 
effects. The judicial branch protects the people from the 
excesses of the state. We cannot forget that there are lawful 
processes to redress abuses that might be committed. But, 
simply because speculative abuses might occur at some unknown 
time in the future under unknowable circumstances is no reason 
to deny law enforcement the legal authority to obtain evidence 
of criminal activity that might be encrypted today. The 
Committee's amendment, in an effort to further encourage the 
appropriate handling of one's decryption information, permits 
civil and criminal sanctions for those who exceed their lawful 
authority, who misuse the information, or who violate any 
provision of title I of the Act.

D. Maintains but streamlines export controls on encryption products

    The Committee believes that increased market share for 
United States industry is a societal good that should be 
supported, and that trends in market share for U.S. information 
technology products should be one factor--but only one factor--
in the design of export controls for sensitive technologies. 
Providing tools to our malefactors, who want to invade our 
privacy and confound our law enforcement or intelligence 
professionals, makes no sense at any price. Thus, any 
legislation on encryption policy must be balanced. 
Unfortunately, some in the information technology industry have 
argued that anything short of the Judiciary Committee's 
approach to encryption export control legislation is 
unacceptable.
    The Encryption for the National Interest Act maintains a 
meaningful export control regime that places national security 
as the premium interest to be considered when contemplating the 
export of strong encryption products from the United States. 
But, at the same time, it relaxes current export control 
policies where appropriate and streamlines end use and end user 
reporting. Although it authorizes the President to control 
exports of encryption products, and to deny an export on 
national security grounds, it allows for more products to be 
exported under license exceptions and under specially granted 
Presidential waivers for products above 64-bit length strength. 
It also requires the executive branch to more routinely review 
the level at which products can be exported by license 
exception. This will add regularity to what has beendescribed 
as an inconsistent method by which the executive branch has reviewed 
encryption export control policy.
    The current policy was issued nearly one year ago, and many 
believe it was only produced as a result of pressure brought to 
bear upon the executive branch by the industry and Congress. 
This seems to be an ad hoc method of addressing a critical 
national security issue of this magnitude. So, the Committee 
amendment attempts to inject order into the regulatory process 
and to create a dynamic and constructive regulatory structure 
that will address the needs of industry, though not losing 
sight of the serious national security and public safety 
implications of any export of encryption products.
    The Intelligence Committee amendment seeks to lighten this 
burdensome responsibility for industry while at the same time 
obtaining important national security information. The 
Encryption for the National Interest Act provides for a 
meaningful technical review period that will provide the United 
States government with an opportunity to make well informed and 
rational national security determinations under the Act, when 
necessary. Additionally, the Committee amendment would 
eliminate recoverability features as a condition for export; 
indeed, the amendment would eliminate recovery features as a 
factor in reaching any export determination.
    The Encryption for the National Interest Act does not try 
to return the proverbial ``genie to the bottle,'' but rather 
merely seeks to manage the spread of encryption in a manner 
that is consistent with national security and public safety 
interests and in a way that will foster the continued dominance 
of the American encryption industry in the global marketplace. 
The Committee believes it would be a mistake of catastrophic 
proportions to allow indecipherable encryption to be exported 
without restriction. Public safety and national security are 
not matters that should be left to the ebb and flow of 
technological advances and breakthroughs, or to the random 
fluctuations of the marketplace.
    It is important to note that no one doubts that U.S. 
manufactured encryption products are facing competition from 
foreign providers. But, simply because a product of purported 
capability is available in a country with dubious reliability 
at controlling terrorists or drug traffickers, for instance, is 
not a sufficient reason for removing virtually all limitations 
on the export of encryption of the strongest sort. Rather, it 
seems it would be wise for the President to consider whether 
U.S. industry stands to lose market share in a particular 
market if not permitted to export to that market and whether 
export to that market sector presents undue risks to the 
national security. It cannot be overstated: the Committee 
shares the concern of American industry that its products could 
be replaced by foreign competitors. It notes, however, that the 
grip of the U.S. industry on the global market is truly 
remarkable. Testimony before the Committee indicates U.S. 
industry controls approximately 75-80% of the global encryption 
market. Goodlatte Test. at p. 50. This ``full-nelson'' hold by 
U.S. encryption manufacturers and designers on the global 
market is noteworthy given what many have described as 
restrictive export controls. On this point, it is worth 
highlighting that in 1997 only 25 of 1,850 applications for 
encryption export licenses were denied; in 1998, the numbers 
were 13 of 1,895; and thus far in 1999, only 1 of 508 
applications has been denied.
    Interesting to note, too, is that despite the alarmist 
rhetoric put forward in support of the SAFE Act, to wit: ``many 
hundreds of thousands of American jobs are at stake here,'' see 
Goodlatte Test. at p. 32, Congress last year authorized an 
additional 50,000 non-immigrant H-1B work visas, P.L. 105-277, 
because there are not enough Americans with the skills needed 
to fill the available computer industry jobs. Similarly, 
Congress is currently debating another increase to the number 
of H-1B work visas to be allowed. The claims that hundred of 
thousands of American jobs are at risk appears to be a bit of 
hyperbole.
    Moreover, all sides of this issue acknowledge that U.S. 
encryption technology is the best in the world. There is no 
wish on the part of the Committee to undermine that position, 
nor diminish the U.S. preeminence in this regard. Indeed, it is 
the national security interest for U.S. industry to dominate 
this market, but only under proper circumstances and with the 
appropriate degree of regulation.

                               conclusion

    The encryption policy of the United States requires a 
comprehensive approach that takes into account the interests of 
national security; federal, state, and local law enforcement; 
industry; and the citizens of the United States. The 
Committee's amendment in the nature of a substitute to H.R. 850 
as reported by the Committee on the Judiciary, renamed by the 
amendment as the Encryption for the National Interest Act, 
strikes the well-measured balance that so many have sought 
since this national policy debate began.

                         Committee Proceedings

    The Committee met several times in executive session where 
it was briefed on the topic of encryption and the serious 
national security and public safety consequences resulting from 
pending encryption legislation. Witnessesbefore the Committee 
at these briefings included: the President's Special Envoy on 
Encryption Policy, Ambassador David Aaron; the Honorable Louis J. 
Freeh, Director, Federal Bureau of Investigation; the Honorable Thomas 
A. Constantine, Administrator, Drug Enforcement Administration; the 
Honorable John J. Hamre, Deputy Secretary of Defense; and the Honorable 
Barbara A. McNamara, Deputy Director, National Security Agency.
    The Committee held three closed briefings for Members of 
the Committee and three hearings on H.R. 850. The first 
briefing was held on June 8, 1999. That was followed by the 
first hearing, which was held on June 9, 1999, in open session. 
The second hearing was held on June 15, 1999, in closed 
session. The second briefing was held on June 16, 1999. The 
final briefing was held on July 13, 1999. The final hearing was 
held July 14, 1999, in open session.
    On June 8, 1999, the Deputy Director of the NSA, the 
Honorable Barbara A. McNamara, briefed the Members of the 
Committee in closed session on the equities of the intelligence 
community that are impacted by the SAFE Act.
    Witnesses before the Committee at the June 9, 1999, hearing 
were: the Honorable Bob Goodlatte, United States 
Representative, 6th District of Virginia, and author of the 
``Security and Freedom through Encryption (SAFE) Act'' (H.R. 
80); the Honorable William Reinsch, Under Secretary, Bureau of 
Export Administration, Department of Commerce; Mr. Christopher 
G. Caine, Vice President of Governmental Affairs, IBM 
Corporation; Ms. Elizabeth Kaufman, Senior Director and General 
Manager for Security, Cisco Systems, Inc.; Colonel Michael D. 
Robinson, First Vice President, International Association of 
Chiefs of Police (IACP); Mr. Alan Davidson, Counsel, Center for 
Democracy and Technology; Mr. Ramon Marks, Board Member, 
Business Executives for National Security (BENS); the Honorable 
John Kaye, former President, National District Attorney's 
Association; Mr. Richard D. Heideman, President, B'nai B'rith 
International. In addition to this testimony presented live to 
the Committee, the following submissions for the record were 
also received and considered: Statement of Jeffrey H. Smith, 
Counsel, Americans for Computer Privacy; Statement of Security 
Dynamics Technologies, Inc.; and the Statement of Mr. Patrick 
P. Gelsinger, Vice President for Desktop Productions, Intel 
Corporation.
    At the June 15, 1999, closed hearing on H.R. 850, the 
Committee took testimony from the Honorable Louis J. Freeh, 
Director, Federal Bureau of Investigation; the Honorable Thomas 
A. Constantine, Administrator, Drug Enforcement Administration; 
and the Honorable John J. Hamre, Deputy Secretary of Defense.
    On June 16, 1999, the Members of the Committee were briefed 
by the President's Special Envoy for Encryption Policy, 
Ambassador David Aaron, on the administration's efforts to 
achieve international agreement or consensus on the appropriate 
approach to encryption policy and export controls.
    Members of the Committee received another briefing on July 
13, 1999, from the Honorable Barbara A. McNamara, Deputy 
Director of NSA, concerning the SAFE Act. The focus of the 
briefing included the effect of removal of export controls on 
national security and intelligence, as well as questions 
surrounding the issue of foreign availability and foreign 
market share.
    The witnesses appearing before the Committee at the July 
14, 1999, open hearing were: the Honorable Janet Reno, Attorney 
General of the United States; the Honorable Louis J. Freeh, 
Director, Federal Bureau of Investigation; Thomas A. 
Constantine, former Administrator of the Drug Enforcement 
Administration; and the Honorable John J. Hamre, Deputy 
Secretary of Defense.
    The Committee extensively reviewed additional testimony, 
reports, and other written materials relating to encryption 
policy in general, and H.R. 850 in particular. Among the 
documents reviewed by the Committee are House Report 106-117, 
Part 1, Committee on the Judiciary Report on H.R. 850, April 
27, 1999; House Report 106-117, Part 2, Committee on Commerce 
Report on H.R. 850, July 2, 1999; Senate Report 106-48, Senate 
Select Committee on Intelligence Report on Fiscal S. 1009, the 
Intelligence Authorization Act for Fiscal Year 2000, May 11, 
1999; House Report 105-108, Part 1, Committee on the Judiciary 
Report on H.R. 695, May 22, 1997; House Report 105-108, Part 2, 
Committee on International Relations Report on H.R. 695, July 
25, 1997; House Report 105-108, Part 3, Committee on National 
Security Report on H.R. 65, September 12, 1997; House Report 
105-108, Part 4, Permanent Select Committee on Intelligence 
Report on H.R. 695, September 16, 1997; House Report 105-108, 
Part 5, Committee on Commerce Report on H.R. 695, September 29, 
1997; Hiding Crimes in Cyberspace, Dorothy E. Denning and 
William E. Baugh, Jr., to appear in Information, Communication 
and Society, vol. 2, no. 3 (Autumn 1999) and in Cybercrime, 
B.D. Loader and D. Thomas (eds.) Routledge, 1999; Growing 
Development of Foreign Encryption Products in the Face of U.S. 
Export Regulations, Lance J. Hoffman, et al, Cyberspace Policy 
Institute, School of Engineering and Applied Science, George 
Washington University, Washington, D.C., June 1999; 
Cryptography & Liberty 1999: An International Survey of 
Encryption Policy, Electronic Privacy Information Center, 
Washington, DC, June 1999; Congressional Research Service Issue 
Brief Encryption Technology: Congressional Issues, produced by 
Mr. Richard M.Nunno, February 25, 1999; Terrorism in the Next 
Millennium: Enter the Cyberterrorist, by George R. Barth, National 
Counterintelligence Center; Access With Trust, Federal Public Key 
Infrastructure Steering Committee, Government Information Technology 
Services Board, Office of Management and Budget, Washington, DC, 
September 1998; Cryptography Policy: the Guidelines and the Issues, 
Organization for Economic Cooperation and Development, Washington, DC, 
March 1998; Deciphering the Cryptography Debate, by Kenneth Flamm, The 
Brookings Institution; The Risks of Key Recovery, Key Escrow, & Trusted 
Third Party Encryption: A Report by an Ad Hoc Group of Cryptographers 
and Computer Scientists, produced by Center for Democracy and 
Technology, June 1998; ``Opening the Lines for Criminal Conversation,'' 
Robert D. Novak, Washington Post, June 28, 1999; and ``Wiretap 
Technology. Updating an effective tool,'' by the Honorable Henry J. 
Hyde, Washington Times, October 1996.
    Testimony before the United States House of Representative 
Judiciary Subcommittee on Courts and Intellectual Property, 
March 4, 1999: The Honorable William A. Reinsch, Under 
Secretary for Export Administration, Department of Commerce; 
Mr. Dave McCurdy, President, Electronic Industries Alliance; 
the Honorable Ron Lee, Associate Deputy Attorney General, 
Department of Justice; Mr. Craig McLaughlin, Chief Technology 
Officer, Privada, Inc.; Mr. Edward Gillespie, Executive 
Director, Americans for Computer Privacy; Mr. Thomas Parenty, 
Director, Data and Communications Security Sybase, Inc. on 
behalf of Business Software Alliance; Ms. Dorothy E. Denning, 
Computer Science Department, Georgetown University; and 
Statement of the Honorable Howard Coble, United States 
Representative, 6th District of North Carolina.
    Testimony before the United States House of Representatives 
Commerce Subcommittee on Telecommunications Trade and Consumer 
Protection, May 25, 1999: The Honorable Ronald D. Lee, 
Associate Deputy Attorney General, Department of Justice; the 
Honorable Barbara A. McNamara, Deputy Director, National 
Security Agency; the Honorable William A. Reinsch, 
Undersecretary Bureau of Export Administration, Department of 
Commerce, Executive Director, Americans for Computer Privacy; 
Mr. Richard Hornstein, General Counsel, Network Associates; Mr. 
Tom Arnold, Vice President and Chief Technology Officer, 
CyberSource Corporation; Dr. Gene Schultz, Trusted Security 
Advisor, Global Integrity Corporation; Mr. Paddy Holohan, 
Executive Vice President, Marketing, Baltimore Technologies 
International Finance Services Centre; and Mr. David Dawson, 
Chairman and CEO, V-One Corporation.
    Testimony before the United States House of Representatives 
Armed Services Committee, July 13, 1999: the Honorable Janet 
Reno, Attorney General; the Honorable William A. Reinsch, 
Undersecretary for Export Administration, Department of 
Commerce; the Honorable Louis J. Freeh, Director, Federal 
Bureau of Investigation; Ms. Elizabeth Kaufman, Senior Director 
and General Manager for Security, Cisco Systems, Inc; and Mr. 
Matthew Bowcock, Executive Vice President of Cooperate 
Development, Baltimore Technologies.
    In addition, the Committee staff was briefed on the subject 
of encryption from representatives of Cisco Systems, Inc.; IBM; 
Nortel; 3Com; Center for Technology and Democracy; Netscape; 
Motorola; the Alliance for Network Security; the Business 
Software Alliance; and Americans for Computer Privacy.

                        Committee Consideration

    The Committee met on July 15, 1999, to mark up H.R. 850. In 
closed session, the Committee approved by unanimous voice vote 
the amendment in the nature of a substitute to H.R. 850 as 
amended and reported by the Committee on the Judiciary (House 
Report No. 106-117, Part 1, (April 27, 1999)), which was 
offered by Chairman Goss and Mr. Dixon and further amended by 
Ms. Pelosi. Upon adoption of the Goss and Dixon amendment as 
amended, the Committee, in open session, by unanimous voice 
vote, ordered H.R. 850, the ``Encryption for the National 
Interest Act,'' as amended by the Committee, reported favorably 
to the House, a quorum being present.

                         Vote of the Committee

    During its consideration of H.R. 850, the Committee took no 
roll call votes.

Findings and Recommendations of the Committee on Government Reform and 
                               Oversight

    With respect to clause 3(c)(4) of rule XIII of the Rules of 
the House of Representatives, the Committee has not received a 
report from the Committee on Government Reform pertaining to 
the subject of the bill.

                           Oversight Findings

    In compliance with clause 3(c)(1) of rule XIII of the Rules 
of the House of Representatives, the bill as reported by the 
Committee reflects the conclusions, findings, and 
recommendations of the Committee in light of its oversight 
activity.

                 Congressional Budget Office Estimates

    In compliance with clause 3(c)(2) and (3) of rule XIII of 
the Rules of the House of Representatives, and pursuant to 
sections 308 and 402 of the Congressional Budget Act of 1974, 
the Committee submits the following estimate prepared by the 
Congressional Budget Office:

                                     U.S. Congress,
                               Congressional Budget Office,
                                     Washington, DC, July 23, 1999.
Hon. Porter J. Goss,
Chairman, Committee on Intelligence, House of Representatives, 
        Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for H.R. 850, the 
Encryption for the National Interest Act.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contacts are Mark Hadley 
and Mark Grabowicz.
            Sincerely,
                                          Barry B. Anderson
                                    (For Dan L. Crippen, Director).
    Enclosure.

H.R. 850--Encryption for the National Interest Act

    Summary: H.R. 850 would clarify the President's authority 
to control the export of encryption products. The effectiveness 
or strength of contemporary encryption products is measured by 
the number of bits that make up the key for the encryption 
algorithm. (The term ``key'' refers to the mathematical code 
used to translate encrypted information back into its original, 
unencrypted format.) Under current policy, domestic producers 
may export encryption products with key lengths of up to 56 
bits and stronger products for specified industries.
    H.R. 850 would generally allow domestic producers to export 
encryption products with key lengths of up to 64 bits. The 
President would determine the maximum strength of encryption 
products that may be exported (with a review and potential 
update of that maximum every 180 days). The bill would 
establish a board to advise the President on the export of 
encryption products. H.R. 850 also would establish two federal 
crimes relating to the improper use of encryption technology 
and would require the Attorney General to issue numerous 
reports and maintain data on the instances in which encryption 
impedes or obstructs the ability of the Department of Justice 
(DOJ) to enforce the criminal laws. Finally, the bill would 
authorize appropriations of $75 million over the 2000-2003 
period to establish a technical support center within the 
Federal Bureau of Investigation (FBI).
    Assuming the appropriation of the necessary amounts, CBO 
estimates that enacting this bill would result in additional 
discretionary spending by DOJ of about $80 million over the 
2000-2004 period. Enacting H.R. 850 also would affect direct 
spending and receipts. Therefore, pay-as-you-go procedures 
would apply. CBO estimates, however, that the amounts of 
additional direct spending and receipts would not be 
significant.
    CBO is uncertain whether H.R. 850 contains 
intergovernmental mandates as defined in the Unfunded Mandates 
Reform Act (UMRA), but we estimate that any costs to state, 
local, or tribal governments would not be significant and would 
not meet the threshold established by that act ($50 million in 
1996, adjusted annually for inflation).
    This bill would impose no new private-sector mandates as 
defined in UMRA.
    Estimated cost to the Federal Government: The estimated 
budgetary impact of H.R. 850 is shown in the following table. 
For purpose of this estimate, CBO assumes H.R. 850 will be 
enacted by the beginning of fiscal year 2000 and that the 
authorized amounts will be provided for each year. The costs of 
this legislation fall within budget function 750 
(administration of justice).

----------------------------------------------------------------------------------------------------------------
                                                                      By fiscal years, in millions of dollars--
                                                                    --------------------------------------------
                                                                       2000     2001     2002     2003     2004
----------------------------------------------------------------------------------------------------------------
                                        SPENDING SUBJECT TO APPROPRIATION

Estimated Authorization Level......................................       26       21       16       16        1
Estimated Outlays..................................................       19       25       16       16        4
----------------------------------------------------------------------------------------------------------------

                           Basis of Estimate

            Spending subject to appropriation
    H.R. 850 would establish a technical support center within 
the FBI and authorize appropriations of $75 million over the 
2000-2003 period. Based on the historical spending patterns of 
FBI funds, CBO estimates that implementing this provision would 
result in outlays of $74 million over the 2000-2004 period.
    In addition, CBO estimates that complying with the bill's 
data collection and reporting requirements would cost DOJ about 
$1 million a year, assuming appropriation of the necessary 
amounts. The expense of compiling and maintaining data on the 
instances in which encryption impedes or obstructs the ability 
of the department to enforce the criminal laws is difficult to 
ascertain because the number of such instances is unknown--but 
DOJ believes that if H.R. 850 were enacted they would be 
numerous.
    Under current policy, the Department of Commerce's (DOC's) 
Bureau of Export Administration (BXA) would likely spend about 
$500,000 a year reviewing exports of encryption products. If 
H.R. 850 were enacted, BXA would still be required to review 
requests to export encryption products. Thus, CBO estimates 
that implementing H.R. 850 would not significantly change the 
costs to control exports of nonmilitary encryption products.
    H.R. 850 would establish a new federal crime for using 
encryption technologies to conceal incriminating information 
relating to a felony from law enforcement officials and for 
illegally decrypting private information. The bill would also 
create a new federal crime for violating privacy by decrypting 
someone's private information. Because H.R. 850 would establish 
new federal crimes, CBO anticipates that the U.S. government 
would be able to pursue cases that it otherwise would be unable 
to prosecute. Based on information from DOJ, however, we do not 
expect the government to pursue many additional cases. Thus, 
CBO estimates that implementing these provisions would not have 
a significant impact on the cost of federal law enforcement 
activity.
            Direct spending and revenues
    Enacting H.R. 850 would affect direct spending and receipts 
by imposing criminal fines. Collections of such fines are 
recorded in the budget as governmental receipts (i.e., 
revenues), which are deposited in the Crime Victims Fund and 
spent in subsequent years. Any additional collections as a 
result of this bill are likely to be negligible, however, 
because the federal government would probably not pursue many 
cases under the bill. Because any increase in direct spending 
would equal the fines collected (with a lag of one year or 
more), the additional direct spending would be negligible.
    Direct spending also could result from the provision that 
would allow the government to be sued for decrypting private 
information without a court order. CBO expects that this 
provision is not likely to result in any significant spending.
    Pay-as-you-go considerations: The Balanced Budget and 
Emergency Control Act sets up pay-as-you-go procedures for 
legislation affecting direct spending or receipts. H.R. 850 
would affect direct spending and receipts by imposing criminal 
fines and by allowing civil actions against the United States 
government. CBO estimates that the amount of additional direct 
spending and receipts would not be significant.
    Estimated impact on State, local, and tribal governments: 
H.R. 850 would require state and local law enforcement agencies 
to follow specified procedures in order to obtain access to the 
decryption keys of suspected criminals and would require state 
courts to undertake additional administrative duties in 
processing such requests. In addition, the bill would limit the 
liability of anyone who provides access to a decryption key to 
law enforcement officials who follow the procedures prescribed 
by the bill. We cannot determine if the requirements of H.R. 
850 would constitute new intergovernmental mandates because it 
is unclear how these requirements would interact with the 
current wiretap, search, and seizure laws. CBO estimates that 
the costs of those requirements would be small because they are 
similar to current laws and procedures and because the burden 
of the bill's requirements would fall predominantly on federal 
entities. We therefore estimate that the bill would not impose 
significant costs on state, local, or tribal governments and 
that such costs would not exceed the threshold established by 
UMRA ($50 million in 1996), adjusted annually for inflation.)
    Estimated impact on the private sector: This bill would 
impose no new private-sector mandates as defined in UMRA.
    Previous CBO estimates: CBO has completed numerous other 
estimates of bills affecting the export of encryption products, 
including three versions of H.R. 850. Differences between this 
estimate and our previous estimates reflect differences between 
the bills. On April 21, 1999, CBO transmitted a cost estimate 
for H.R. 850 as ordered reported by the House Committee on the 
Judiciary on March 24, 1999. On July 1, 1999, CBO transmitted 
an estimate for H.R. 850 as ordered reported by the House 
Committee on Commerce on June 23, 1999. On July 16, 1999, CBO 
transmitted an estimate of H.R. 850 as ordered reported by the 
House Committee on International Relations on July 13, 1999. On 
July 9, 1999, CBO transmitted an estimate for S. 798, the 
Promote Online Transactions to Encourage Commerce and Trade 
(PROTECT) Act of 1999, as ordered reported by the Senate 
Committee on Commerce, Science, and Transportation on June 23, 
1999. And on July 22, 1999, CBO transmitted an estimate for 
H.R. 850 as ordered reported by the House Committee on Armed 
Services on July 21, 1999.
    CBO estimated that the versions of H.R. 850 reported by the 
Judiciary Committee and the International Relations Committee 
would each cost between $3 million and $5 million over the 
2000-2004 period, that the version reported by the Armed 
Services Committee would cost $5 million over the 2000-2004 
period, and that the House Commerce Committee's version of H.R. 
850 and the Senate bill (S. 798) would each increase costs by 
at least $25 million over the same period. None of those 
previously estimated bills contain authorizations for a new 
technical support center within the FBI.
    Estimate prepared by: Federal costs: Mark Hadley and Mark 
Grabowicz. Impact on State, local, and tribal governments: 
Shelley Finlayson.
    Estimate approved by: Robert A. Sunshine, Deputy Assistant 
Director for Budget Analysis.

                        Committee Cost Estimates

    The Committee agrees with the estimate of the Congressional 
Budget Office.

 Specific Constitutional Authority for Congressional Enactment of this 
                              Legislation

    The intelligence and intelligence-related activities of the 
United States government are carried out to support the 
national security interests of the United States, to support 
and assist the armed forces of the United States, and to 
support the President in the execution of the foreign policy of 
the United States. Article 1, section 8, of the Constitution of 
the United States provides, in pertinent part, that ``Congress 
shall have power * * * to pay the debts and provide for the 
common defense and general welfare of the United States; * * * 
''; ``to raise and support Armies, * * * ''; ``to provide and 
maintain a Navy; * * * '' and ``to make all laws which shall be 
necessary and proper for the carrying into execution . . . all 
other powers vested by this Constitution in the Government of 
the United States, or in any Department or Officer thereof.'' 
Therefore, pursuant to such authority, Congress is empowered to 
enact this legislation.

         Changes in Existing Law Made by the Bill, as Reported

    In compliance with clause 3(e) of rule XIII of the Rules of 
the House of Representatives, changes in existing law made by 
the bill, as reported, are shown as follows (existing law 
proposed to be omitted is enclosed in black brackets, new 
matter is printed in italic, existing law in which no change is 
proposed is shown in roman):

                     TITLE 18, UNITED STATES CODE

           *       *       *       *       *       *       *


Chap.                                                               Sec.
1.     General provisions.........................................     1
     * * * * * * *
2801  Encrypted data, including communications..................

           *       *       *       *       *       *       *


         CHAPTER 125--ENCRYPTED DATA, INCLUDING COMMUNICATIONS

Sec.
2801. Unlawful use of encryption in furtherance of a criminal act.
2802. Privacy protection.
2803. Court order access to plaintext or decryption information.
2804. Notification procedures.
2805. Lawful use of plaintext or decryption information.
2806. Identification of decryption information.
2807. Definitions.

Sec. 2801. Unlawful use of encryption in furtherance of a criminal act

  (a) Prohibited Acts.--Whoever knowingly uses encryption in 
furtherance of the commission of a criminal offense for which 
the person may be prosecuted in a district court of the United 
States shall--
          (1) in the case of a first offense under this 
        section, be imprisoned for not more than 5 years, or 
        fined under this title, or both; and
          (2) in the case of a second or subsequent offense 
        under this section, be imprisoned for not more than 10 
        years, or fined under this title, or both.
  (b) Consecutive Sentence.--Notwithstanding any other 
provision of law, the court shall not place on probation any 
person convicted of a violation of this section, nor shall the 
term of imprisonment imposed under this section run 
concurrently with any other term of imprisonment imposed for 
the underlying criminal offense.
  (c) Probable Cause Not Constituted by Use of Encryption.--The 
use of encryption by itself shall not establish probable cause 
to believe that a crime is being or has been committed.

Sec. 2802. Privacy protection

  (a) In General.--It shall be unlawful for any person to 
intentionally--
          (1) obtain or use decryption information without 
        lawful authority for the purpose of decrypting data, 
        including communications;
          (2) exceed lawful authority in decrypting data, 
        including communications;
          (3) break the encryption code of another person 
        without lawful authority for the purpose of violating 
        the privacy or security of that person or depriving 
        that person of any property rights;
          (4) impersonate another person for the purpose of 
        obtaining decryption information of that person without 
        lawful authority;
          (5) facilitate or assist in the encryption of data, 
        including communications, knowing that such data, 
        including communications, are to be used in furtherance 
        of a crime; or
          (6) disclose decryption information in violation of a 
        provision of this chapter.
    (b) Criminal Penalty.--Whoever violates this section shall 
be imprisoned for not more than 10 years, or fined under this 
title, or both.

Sec. 2803. Court order access to plaintext or decryption information

  (a) Court Order.--(1) A court of competent jurisdiction shall 
issue an order, ex parte, granting an investigative or law 
enforcement officer timely access to the plaintext of encrypted 
data, including communications, or requiring any person in 
possession of decryption information to provide such 
information to a duly authorized investigative or law 
enforcement officer--
          (A) upon the application by an attorney for the 
        Government that--
                  (i) is made under oath or affirmation by the 
                attorney for the Government; and
                  (ii) provides a factual basis establishing 
                the relevance that the plaintext or decryption 
                information being sought has to a law 
                enforcement, foreign counterintelligence, or 
                international terrorism investigation then 
                being conducted pursuant to lawful authorities; 
                and
          (B) if the court finds, in writing, that the 
        plaintext or decryption information being sought is 
        relevant to an ongoing lawful law enforcement, foreign 
        counterintelligence, or international terrorism 
        investigation and the investigative or law enforcement 
        officer is entitled to such plaintext or decryption 
        information.
  (2) The order issued by the court under this section shall be 
placed under seal, except that a copy may be made available to 
the investigative or law enforcement officer authorized to 
obtain access to the plaintext of the encrypted information, or 
authorized to obtain the decryption information sought in the 
application. Such order shall, subject to the notification 
procedures set forth in section 2804, also be made available to 
the person responsible for providing the plaintext or the 
decryption information, pursuant to such order, to the 
investigative or law enforcement officer.
  (3) Disclosure of an application made, or order issued, under 
this section, is not authorized, except as may otherwise be 
specifically permitted by this section or another order of the 
court.
  (b) Record of Access Required.--(1) There shall be created an 
electronic record, or similar type record, of each instance in 
which an investigative or law enforcement officer, pursuant to 
an order under this section, gains access to the plaintext of 
otherwise encrypted information, or is provided decryption 
information, without the knowledge or consent of the owner of 
the data, including communications, who is the user of the 
encryption product involved.
  (2) The court issuing the order under this section may 
require that the electronic or similar type of record described 
in paragraph (1) is maintained in a place and a manner that is 
not within the custody or control of an investigative or law 
enforcement officer gaining the access or provided the 
decryption information. The record shall be tendered to the 
court, upon notice from the court.
  (3) The court receiving such electronic or similar type of 
record described in paragraph (1) shall make the original and a 
certified copy of the record available to the attorney for the 
Government making application under this section, and to the 
attorney for, or directly to, the owner of the data, including 
communications, who is the user of the encryption product, 
pursuant to the notification procedures set forth in section 
2804.
    (c) Authority To Intercept Communications Not Increased.--
Nothing in this chapter shall be construed to enlarge or modify 
the circumstances or procedures under which a Government entity 
is entitled to intercept or obtain oral, wire, or electronic 
communications or information.
    (d) Construction.--This chapter shall be strictly construed 
to apply only to a Government entity's ability to decrypt data, 
including communications, for which it has previously obtained 
lawful authority to intercept or obtain pursuant to other 
lawful authorities, which without an order issued under this 
section would otherwise remain encrypted.

Sec. 2804. Notification procedures

    (a) In General.--Within a reasonable time, but not later 
than 90 days after the filing of an application for an order 
under section 2803 which is granted, the court shall cause to 
be served, on the persons named in the order or the 
application, and such other parties whose decryption 
information or whose plaintext has been provided to an 
investigative or law enforcement officer pursuant to this 
chapter, as the court may determine is in the interest of 
justice, an inventory which shall include notice of--
          (1) the fact of the entry of the order or the 
        application;
          (2) the date of the entry of the application and 
        issuance of the order; and
          (3) the fact that the person's decryption information 
        or plaintext data, including communications, has been 
        provided or accessed by an investigative or law 
        enforcement officer.
The court, upon the filing of a motion, may make available to 
that person or that person's counsel, for inspection, such 
portions of the plaintext, applications, and orders as the 
court determines to be in the interest of justice.
  (b) Postponement of Inventory for Good Cause.--(1) On an ex 
parte showing of good cause by an attorney for the Government 
to a court of competent jurisdiction, the serving of the 
inventory required by subsection (a) may be postponed for an 
additional 30 days after the granting of an order pursuant to 
the ex parte motion.
  (2) No more than 3 ex parte motions pursuant to paragraph (1) 
are authorized.
  (c) Admission Into Evidence.--The content of any encrypted 
information that has been obtained pursuant to this chapter or 
evidence derived therefrom shall not be received in evidence or 
otherwise disclosed in any trial, hearing, or other proceeding 
in a Federal or State court, other than the court organized 
pursuant to the Foreign Intelligence Surveillance Act of 1978, 
unless each party, not less than 10 days before the trial, 
hearing, or proceeding, has been furnished with a copy of the 
order, and accompanying application, under which the decryption 
or access to plaintext was authorized or approved. This 10-day 
period may be waived by the court if the court finds that it 
was not possible to furnish the party with the information 
described in the preceding sentence within 10 days before the 
trial, hearing, or proceeding and that the party will not be 
prejudiced by the delay in receiving such information.
  (d) Construction.--The provisions of this chapter shall be 
construed consistent with--
          (1) the Classified Information Procedures Act (18 
        U.S.C. App.); and
          (2) the Foreign Intelligence Surveillance Act of 1978 
        (50 U.S.C. 1801 et seq.).
  (e) Contempt.--Any violation of the provisions of this 
section may be punished by the court as a contempt thereof.
  (f) Motion To Suppress.--Any aggrieved person in any trial, 
hearing, or proceeding in or before any court, department, 
officer, agency, regulatory body, or other authority of the 
United States or a State, other than the court organized 
pursuant to the Foreign Intelligence Surveillance Act of 1978, 
may move to suppress the contents of any decrypted data, 
including communications, obtained pursuant to this chapter, or 
evidence derived therefrom, on the grounds that--
          (1) the plaintext was decrypted or accessed in 
        violation of this chapter;
          (2) the order of authorization or approval under 
        which it was decrypted or accessed is insufficient on 
        its face; or
          (3) the decryption was not made in conformity with 
        the order of authorization or approval.
Such motion shall be made before the trial, hearing, or 
proceeding unless there was no opportunity to make such motion, 
or the person was not aware of the grounds of the motion. If 
the motion is granted, the plaintext of the decrypted data, 
including communications, or evidence derived therefrom, shall 
be treated as having been obtained in violation of this 
chapter. The court, upon the filing of such motion by the 
aggrieved person, may make available to the aggrieved person or 
that person's counsel for inspection such portions of the 
decrypted plaintext, or evidence derived therefrom, as the 
court determines to be in the interests of justice.
  (g) Appeal by United States.--In addition to any other right 
to appeal, the United States shall have the right to appeal 
from an order granting a motion to suppress made under 
subsection (f), or the denial of an application for an order 
under section 2803, if the attorney for the Government 
certifies to the court or other official granting such motion 
or denying such application that the appeal is not taken for 
purposes of delay. Such appeal shall be taken within 30 days 
after the date the order was entered on the docket and shall be 
diligently prosecuted.
  (h) Civil Action for Violation.--Except as otherwise provided 
in this chapter, any person described in subsection (i) may, in 
a civil action, recover from the United States Government the 
actual damages suffered by the person as a result of a 
violation described in that subsection, reasonable attorney's 
fees, and other litigation costs reasonably incurred in 
prosecuting such claim.
  (i) Covered Persons.--Subsection (h) applies to any person 
whose decryption information--
          (1) is knowingly obtained without lawful authority by 
        an investigative or law enforcement officer;
          (2) is obtained by an investigative or law 
        enforcement officer with lawful authority and is 
        knowingly used or disclosed by such officer unlawfully; 
        or
          (3) is obtained by an investigative or law 
        enforcement officer with lawful authority and whose 
        decryption information is unlawfully used to disclose 
        the plaintext of the data, including communications.
  (j) Limitation.--A civil action under subsection (h) shall be 
commenced not later than 2 years after the date on which the 
unlawful action took place, or 2 years after the date on which 
the claimant first discovers the violation, whichever is later.
  (k) Exclusive Remedies.--The remedies and sanctions described 
in this chapter with respect to the decryption of data, 
including communications, are the only judicial remedies and 
sanctions for violations of this chapter involving such 
decryptions, other than violations based on the deprivation of 
any rights, privileges, or immunities secured by the 
Constitution.
  (l) Technical Assistance by Providers.--A provider of 
encryption technology or network service that has received an 
order issued by a court pursuant to this chapter shall provide 
to the investigative or law enforcement officer concerned such 
technical assistance as is necessary to execute the order. Such 
provider may, however, move the court to modify or quash the 
order on the ground that its assistance with respect to the 
decryption or access to plaintext cannot be performed in fact, 
or in a timely or reasonable fashion. The court, upon notice to 
the Government, shall decide such motion expeditiously.
  (m) Reports to Congress.--In May of each year, the Attorney 
General, or an Assistant Attorney General specifically 
designated by the Attorney General, shall report in writing to 
Congress on the number of applications made and orders entered 
authorizing Federal, State, and local law enforcement access to 
decryption information for the purposes of reading the 
plaintext of otherwise encrypted data, including 
communications, pursuant to this chapter. Such reports shall be 
submitted to the Committees on the Judiciary of theHouse of 
Representatives and of the Senate, and to the Permanent Select 
Committee on Intelligence for the House of Representatives and the 
Select Committee on Intelligence for the Senate.

Sec. 2805. Lawful use of plaintext or decryption information

  (a) Authorized Use of Decryption Information.--
          (1) Criminal investigations.--An investigative or law 
        enforcement officer to whom plaintext or decryption 
        information is provided may only use such plaintext or 
        decryption information for the purposes of conducting a 
        lawful criminal investigation, foreign 
        counterintelligence, or international terrorism 
        investigation, and for the purposes of preparing for 
        and prosecuting any criminal violation of law.
          (2) Civil redress.--Any plaintext or decryption 
        information provided under this chapter to an 
        investigative or law enforcement officer may not be 
        disclosed, except by court order, to any other person 
        for use in a civil proceeding that is unrelated to a 
        criminal investigation and prosecution for which the 
        plaintext or decryption information is authorized under 
        paragraph (1). Such order shall only issue upon a 
        showing by the party seeking disclosure that there is 
        no alternative means of obtaining the plaintext, or 
        decryption information, being sought and the court also 
        finds that the interests of justice would not be served 
        by nondisclosure.
  (b) Limitation.--An investigative or law enforcement officer 
may not use decryption information obtained under this chapter 
to determine the plaintext of any data, including 
communications, unless it has obtained lawful authority to 
obtain such data, including communications, under other lawful 
authorities.
  (c) Return of Decryption Information.--An attorney for the 
Government shall, upon the issuance of an order of a court of 
competent jurisdiction--
          (1)(A) return any decryption information to the 
        person responsible for providing it to an investigative 
        or law enforcement officer pursuant to this chapter; or
          (B) destroy such decryption information, if the court 
        finds that the interests of justice or public safety 
        require that such decryption information should not be 
        returned to the provider; and
          (2) within 10 days after execution of the court's 
        order to return or destroy the decryption information--
                  (A) certify to the court that the decryption 
                information has either been returned or 
                destroyed consistent with the court's order; 
                and
                  (B) if applicable, notify the provider of the 
                decryption information of the destruction of 
                such information.
  (d) Other Disclosure of Decryption Information.--Except as 
otherwise provided in section 2803, decryption information or 
the plaintext of otherwise encrypted data, including 
communications, shall not be disclosed by any person unless the 
disclosure is--
          (1) to the person encrypting the data, including 
        communications, or an authorized agent thereof;
          (2) with the consent of the person encrypting the 
        data, including pursuant to a contract entered into 
        with the person;
          (3) pursuant to a court order upon a showing of 
        compelling need for the information that cannot be 
        accommodated by any other means if--
                  (A) the person who supplied the information 
                is given reasonable notice, by the person 
                seeking the disclosure, of the court proceeding 
                relevant to the issuance of the court order; 
                and
                  (B) the person who supplied the information 
                is afforded the opportunity to appear in the 
                court proceeding and contest the claim of the 
                person seeking the disclosure;
          (4) pursuant to a determination by a court of 
        competent jurisdiction that another person is lawfully 
        entitled to hold such decryption information, including 
        determinations arising from legal proceedings 
        associated with the incapacity, death, or dissolution 
        of any person; or
          (5) otherwise permitted by law.

Sec. 2806. Identification of decryption information

  (a) Identification.--To avoid inadvertent disclosure of 
decryption information, any person who provides decryption 
information to an investigative or law enforcement officer 
pursuant to this chapter shall specifically identify that part 
of the material that discloses decryption information as such.
  (b) Responsibility of Investigative or Law Enforcement 
Officer.--The investigative or law enforcement officer 
receiving any decryption information under this chapter shall 
maintain such information in a facility and in a method so as 
to reasonably assure that inadvertent disclosure does not 
occur.

Sec. 2807. Definitions

  The definitions set forth in section 101 of the Encryption 
for the National Interest Act shall apply to this chapter.

           *       *       *       *       *       *       *