H.R.850 - Security And Freedom Through Encryption (SAFE) Act106th Congress (1999-2000)
Summary: H.R.850 — 106th Congress (1999-2000)
Reported to House amended, Part V (07/23/1999)
TABLE OF CONTENTS:
Title I: Domestic Uses of Encryption
Title II: Government Procurement
Title III: Exports of Encryption
Title IV: Liability Limitations
Title V: International Agreements
Title VI: Miscellaneous Provisions
Encryption for the National Interest Act - Declares that it is U.S. policy to protect public computer networks through the use of strong encryption technology, promote the export of encryption products developed and manufactured in the United States, and preserve public safety and national security.
Title I: Domestic Uses of Encryption - Makes it lawful for any person within any State and for any United States person to use any encryption product, regardless of encryption algorithm selected, encryption bit length chosen, or implementation technique or medium used, except as otherwise provided by this Act or by law. Defines "United States person" to mean any U.S. citizen, any other person organized under the laws of any State, and any person organized under the laws of any foreign country who is owned or controlled by such individuals.
(Sec. 103) Amends the Federal criminal code to prohibit, and set penalties for, knowingly using encryption in furtherance of the commission of a criminal offense for which the person may be prosecuted in a U.S. district court. Prohibits the court from placing on probation any person convicted of such a violation and prohibits the term of imprisonment imposed from running concurrently with any other term imposed for the underlying criminal offense. Specifies that the use of encryption by itself shall not establish probable cause to believe that a crime is being or has been committed.
Makes it unlawful for any person to intentionally: (1) obtain or use decryption information without lawful authority for the purpose of decrypting data, including communications; (2) exceed lawful authority in decrypting data; (3) break the encryption code of another person without lawful authority for the purpose of violating the privacy or security of that person or depriving that person of any property rights; (4) impersonating another person for the purpose of obtaining decryption information of that person without lawful authority; (5) facilitating or assisting in the encryption of data, knowing that such data are to be used in furtherance of a crime; or (6) disclose decryption information in violation of code provisions. Sets penalties for violations.
Requires a court of competent jurisdiction to issue an order ex parte granting an investigative or law enforcement officer (officer) timely access to the plaintext of encrypted data, or requiring any person in possession of decryption information to provide such information to a duly authorized officer: (1) upon the application by a Government attorney that is made under oath and that provides a factual basis establishing the relevance of the information sought to a law enforcement, foreign counterintelligence, or international terrorism investigation; and (2) if the court finds that the information being sought is relevant to an ongoing investigation and the officer is entitled to such information.
Directs that the order issued by the court: (1) be placed under seal, except that a copy may be made available to the officer authorized to obtain access to the information sought in the application; and (2) subject to notification procedures, be made available to the person responsible for providing the information to the officer.
Bars disclosure of an application made or order issued under this section, except as specifically permitted by this section or another court order.
Directs that there be created an electronic or similar type of record of each instance in which an officer, pursuant to an order under this section, gains access to the plaintext of otherwise encrypted information, or is provided decryption information, without the knowledge or consent of the owner of the data who is the user of the encryption product involved. Authorizes the court issuing the order to require that the record be maintained in a place and manner that is not within the officer's custody or control. Requires: (1) the record to be tendered to the court, upon notice from the court; and (2) the court to make the original and a certified copy of the record available to the Government attorney and to the attorney for, or directly to, the owner of the data who is the user of the encryption product, pursuant to specified notification procedures.
Specifies that nothing herein shall be construed to enlarge or modify the circumstances or procedures under which a Government entity is entitled to intercept or obtain oral, wire, or electronic communications or information.
Directs the court, within a reasonable time but not later than 90 days after the filing of an application for such an order which is granted, to cause to be served to specified parties an inventory which shall include notice of: (1) the entry of the order or application; (2) the date of the entry of the application and issuance of the order; and (3) the fact that the person's decryption information or plaintext data has been provided or accessed by an officer. Allows the court, upon the filing of a motion, to make available for inspection to that person or that person's counsel such portions of the plaintext, applications, and orders as the court determines to be in the interest of justice.
Sets forth provisions regarding: (1) postponement of inventory for good cause; (2) admission of encrypted information into evidence; (3) contempt; (4) motions to suppress; (5) appeal by the United States; (6) a civil action for violations; (7) a statute of limitations; (8) exclusive remedies; (9) technical assistance by a provider of encryption technology or network service; and (10) reporting requirements.
Authorizes an officer to whom plaintext or decryption information is provided to use such information only for purposes of conducting a lawful criminal investigation, foreign counterintelligence, or international terrorism investigation and for purposes of preparing for and prosecuting any criminal violation of law. Bars any such information provided to an officer from being disclosed, except by court order, to any other person for use in a civil proceeding that is unrelated to a criminal investigation and prosecution for which the information is so authorized. Allows such order to issue only upon a showing by the party seeking disclosure that there is no alternative means of obtaining the information being sought where the court also finds that the interests of justice would not be served by nondisclosure.
Prohibits an officer from using decryption information to determine the plaintext of any data unless it has obtained lawful authority to obtain such data under other lawful authorities.
Sets forth provisions regarding: (1) the return of decryption information; (2) other disclosure of such information; (3) identification of material that discloses such information; and (4) responsibility of the officer to reasonably assure that inadvertent disclosure does not occur.
Title II: Government Procurement - Authorizes the President to require an encryption product or service procured to provide the security service of data confidentiality for a computer system owned and operated by the Government to include recoverability features or functions that enable the timely decryption of encrypted data or timely access to plaintext by an authorized party without the knowledge or cooperation of the person using such products or services.
Requires the President to ensure that all encryption products purchased or used by the Government are supportive of and consistent with: (1) all statutory obligations to protect sources and methods of intelligence collection and activities; and (2) those needs required for military operations and the conduct of foreign policy.
(Sec. 202) Authorizes the President to direct that any communications network established for the purpose of conducting the business of the Government use encryption products that: (1) include features or functions that enable the timely decryption of encrypted data or timely access to plaintext by an authorized party without the knowledge or cooperation of the person using such products or services; and (2) are supportive of and consistent with all statutory obligations to protect sources and methods of intelligence collection and activities and those needs required for military operations and the conduct of foreign policy.
(Sec. 203) Authorizes the President to require as a condition of any Government contract that any encryption product used by a private vendor in carrying out the contract include features or functions that enable the timely decryption of encrypted data or timely access to plaintext by an authorized party without the knowledge or cooperation of the person using such products or services.
(Sec. 204) Permits an encryption product to be labeled to inform Government users that the product is authorized for sale to or for use by Government agencies or Government contractors in transactions and communications with the Government under this title.
(Sec. 205) Bars the Government from requiring the use of encryption standards for the private sector, except as otherwise authorized by section 204.
(Sec. 206) Makes this title inapplicable to encryption products and services used solely for access control, authentication, integrity, nonrepudiation, digital signatures, or other similar purposes.
Title III: Exports of Encryption - Directs the President to control the export of all dual-use encryption products. Authorizes the President to deny the export of any encryption product on the basis that its export is contrary to national security. Provides that any decision made by the President or his designee regarding the export of encryption products under this title shall not be subject to judicial review.
(Sec. 302) Makes encryption products with encryption strength of 64 bits or less eligible for export under a license exception if: (1) such encryption product is submitted for a one-time technical review, does not require licensing under otherwise applicable regulations, and is not intended for a country, end user, or end use that is by regulation ineligible to receive such product and is otherwise qualified for export; (2) the exporter, within 180 days after the export of the product, submits a certification identifying the intended end use and intended recipient of the product and provides the names and addresses of its distribution chain partners; and (3) the exporter, at the time of submission of the product for technical review, provides proof that its distribution chain partners have contractually agreed to abide by all U.S. laws and regulations concerning the export and reexport of encryption products designed or manufactured within the United States.
Requires the technical review to be completed within 45 days after submission of all required information. Directs the President to specify the information that must be submitted for the one-time technical review. Prohibits the exportation of an encryption product during the technical review of that product.
Provides for: (1) periodic review of the license exception eligibility level; and (2) an export license exception for an encryption product whether or not it contains a method of decrypting encrypted data.
(Sec. 303) Authorizes the President to permit the export of encryption products with an encryption strength exceeding the maximum level eligible for a license exception if the export is consistent with national security.
(Sec. 304) Directs the President to establish procedures for the expedited review of commodity classification requests, or export license applications, involving encryption products that are specifically approved by regulation for export.
(Sec. 305) Authorizes the President to grant an export license for encryption products with an encryption strength exceeding the maximum level eligible for a license exception which are designed or manufactured within the United States (with an exception) under the following conditions: (1) there shall not be any requirement, as a basis for an export license, that a product contains a method of gaining timely access to plaintext or decryption information; and (2) the export license applicant shall submit the product for technical review, a certification under oath identifying the intended use of the product and the expected end user or class of end users of the product, proof that its distribution chain partners have contractually agreed to abide by all U.S. laws and regulations concerning the export and reexport of encryption products designed or manufactured within the United States, and the names and addresses of its distribution chain partners.
Requires the technical review to be completed within 45 days after submission of all required information. Bars exportation of an encryption product during the technical review.
Requires all exporters of encryption products designed or manufactured within the United States to: (1) submit a report to the Secretary of Commerce (the Secretary) at any time the exporter has reason to believe any such exported product is being diverted to a use or a user not approved at the time of export; (2) report any pirating of their technology or intellectual property to the Secretary as soon as practicable after discovery; and (3) submit to the Secretary a report specifying the particular product sold, the name and address of the ultimate end user of the product (if known), or the name and address of the next purchaser in the distribution chain, and the intended use of the product sold.
Authorizes the Secretary, the Secretary of Defense, and the Secretary of State to exercise the authorities they have under other provisions of law to carry out this title.
Grants the President specified waiver authority.
(Sec. 306) Establishes an Encryption Industry and Information Security Board, which shall undertake an advisory role for the President. Sets forth provisions regarding the Board's purposes, membership, meetings, findings and recommendations, and termination. Specifies that the Board shall have no authority to review any export determination made under this title and that the consideration of foreign availability by the Board include computer software that is distributed over the Internet or advertised for sale, license, or transfer.
Title IV: Liability Limitations - Provides that, except for a person who provides plaintext or decryption information to another in violation of this Act, no civil or criminal liability shall attach to anyone for disclosing or providing: (1) the plaintext of encrypted data; (2) the decryption information of such data; or (3) technical assistance for access to the plaintext of, or decryption information for, such data.
(Sec. 402) Makes compliance with this Act a complete defense for any civil action for damages based upon activities covered by this Act, other than an action founded on contract.
(Sec. 403) Specifies that an objectively reasonable reliance on the legal authority provided by this Act authorizing access to the plaintext of otherwise encrypted data or to decryption information that will allow the timely decryption of data that is otherwise encrypted shall be an affirmative defense to any criminal or civil action that may be brought under the laws of the United States or any State.
Title V: International Agreements - Expresses the sense of Congress that: (1) the President shall conduct negotiations with foreign governments for purposes of establishing binding export control requirements on strong non-recoverable encryption products; and (2) such agreements should safeguard the privacy of U.S. citizens, prevent economic espionage, and enhance U.S. information security needs.
(Sec. 502) Authorizes the President to consider a government's refusal to negotiate such agreements when considering U.S. participation in any cooperation or assistance program with that country.
(Sec. 503) Sets forth reporting requirements.
Title VI: Miscellaneous Provisions - Directs the Attorney General to compile, and maintain in classified form, data on: (1) the instances in which encryption has interfered with, impeded, or obstructed the ability of the Department of Justice (DOJ) to enforce U.S. law; and (2) the instances where DOJ has been successful in overcoming any encryption encountered in an investigation. Requires that such information, including an unclassified summary, be submitted to Congress annually beginning October 1, 2000.
(Sec. 603) Authorizes appropriations for the Technical Support Center of the Federal Bureau of Investigation for FY 2000 through 2003.