Find a Security Clearance Job!

Intelligence


Congressional Documents

                                  39 006                                 
                            105 th Congress                             
                             Rept.  105 108                             
                        HOUSE OF REPRESENTATIVES                        
                               1st Session                              
                                 Part 1                                 
                  SECURITY AND FREEDOM THROUGH ENCRYPTION (SAFE) ACT           
                   May  22, 1997.--Ordered to be printed                 
 Mr. Coble, from the Committee on the Judiciary, submitted the following 
                               R E P O R T                               
                              together with                              
                             ADDITIONAL VIEW                             
                         [To accompany H.R. 695]                         
       [Including cost estimate of the Congressional Budget Office]      
     The Committee on the Judiciary, to whom was referred the bill (H.R.  
  695) to amend title 18, United States Code, to affirm the rights of     
  United States persons to use and sell encryption and to relax export    
  controls on encryption, having considered the same, report favorably    
  thereon with an amendment and recommend that the bill as amended do     
  pass.                                                                   
                               CONTENTS                                 
         The Amendment                                                    2
         Purpose and Summary                                              4
         Background and Need for Legislation                              5
  I.     Background                                                       5
         A. What is Encryption?                                           5
         B. Issues in the Encryption Debate                               5
         1. Arguments Relating to the Domestic Use of Encryption          6
         2. The Administration's Recent Initiative                        6
         3. Arguments Relating to Export Controls on Encryption Products  8
         4. Recent Litigation                                             9
  II.    Need for Legislation                                             9
         A. Sections 2 and 4--Domestic Use of Encryption                  9
         B. Section 3--Export Controls                                    10
         Hearings                                                         11
         Committee Consideration                                          12
         Vote of the Committee                                            12
         Committee Oversight Findings                                     12
         Committee on Government Reform and Oversight Findings            12
         New Budget Authority and Tax Expenditures                        12
         Congressional Budget Office Estimate                             12
         Constitutional Authority Statement                               14
         Section-by-Section Analysis                                      15
         Agency Views                                                     17
         Changes in Existing Law Made by the Bill, as Reported            19
         Additional Views                                                 24
                         The amendment is as follows:                      
   Strike out all after the enacting clause and insert in lieu thereof the 
                                following:                                 
                                  SECTION 1. SHORT TITLE.                         
   This Act may be cited as the ``Security and Freedom Through Encryption  
                              (SAFE) Act''.                                
                            SEC. 2. SALE AND USE OF ENCRYPTION.                   
      (a) In General.--Part I of title 18, United States Code, is amended  
   by inserting after chapter 123 the following new chapter:               
                  ``CHAPTER 125--ENCRYPTED WIRE AND ELECTRONIC INFORMATION        
      ``2801. Definitions.                                                    
      ``2802. Freedom to use encryption.                                      
      ``2803. Freedom to sell encryption.                                     
      ``2804. Prohibition on mandatory key escrow.                            
      ``2805. Unlawful use of encryption in furtherance of a criminal act.    
          ``2801. Definitions                                                     
   ``As used in this chapter--                                            
       ``(1) the terms `person', `State', `wire communication', `electronic
   communication', `investigative or law enforcement officer', and `judge  
   of competent jurisdiction' have the meanings given those terms in       
   section 2510 of this title;                                             
       ``(2) the terms `encrypt' and `encryption' refer to the scrambling  
   of wire communications, electronic communications, or electronically    
   stored information, using mathematical formulas or algorithms in order  
   to preserve the confidentiality, integrity, or authenticity of, and     
   prevent unauthorized recipients from accessing or altering, such        
   communications or information;                                          
       ``(3) the term `key' means the variable information used in a       
   mathematical formula, code, or algorithm, or any component thereof, used
   to decrypt wire communications, electronic communications, or           
   electronically stored information, that has been encrypted; and         
    ``(4) the term `United States person' means--                          
    ``(A) any United States citizen;                                       
       ``(B) any other person organized under the laws of any State, the   
   District of Columbia, or any commonwealth, territory, or possession of  
   the United States; and                                                  
       ``(C) any person organized under the laws of any foreign country who
   is owned or controlled by individuals or persons described in           
   subparagraphs (A) and (B).                                              
          ``2802. Freedom to use encryption                                       
     ``Subject to section 2805, it shall be lawful for any person within  
  any State, and for any United States person in a foreign country, to use
  any encryption, regardless of the encryption algorithm selected,        
  encryption key length chosen, or implementation technique or medium     
  used.                                                                   
          ``2803. Freedom to sell encryption                                      
     ``Subject to section 2805, it shall be lawful for any person within  
  any State to sell in interstate commerce any encryption, regardless of  
  the encryption algorithm selected, encryption key length chosen, or     
  implementation technique or medium used.                                
          ``2804. Prohibition on mandatory key escrow                             
     ``(a) Prohibition.--No person in lawful possession of a key to       
  encrypted communications or information may be required by Federal or   
  State law to relinquish to another person control of that key.          
     ``(b) Exception for Access for Law Enforcement Purposes.--Subsection 
  (a) shall not affect the authority of any investigative or law          
  enforcement officer, or any member of the intelligence community as     
  defined in section 3 of the National Security Act of 1947 (50 U.S.C.    
  401a), acting under any law in effect on the effective date of this     
  chapter, to gain access to encrypted communications or information.     
          ``2805. Unlawful use of encryption in furtherance of a criminal act     
     ``Any person who, in the commission of a felony under a criminal     
  statute of the United States, knowingly and willfully encrypts          
  incriminating communications or information relating to that felony with
  the intent to conceal such communications or information for the purpose
  of avoiding detection by law enforcement agencies or prosecution--      
       ``(1) in the case of a first offense under this section, shall be   
   imprisoned for not more than 5 years, or fined in the amount set forth  
   in this title, or both; and                                             
       ``(2) in the case of a second or subsequent offense under this      
   section, shall be imprisoned for not more than 10 years, or fined in the
   amount set forth in this title, or both.''.                             
     (b) Conforming Amendment.--The table of chapters for part I of title 
  18, United States Code, is amended by inserting after the item relating 
  to chapter 123 the following new item:                                  
         ``125. Encrypted wire and electronic information                       
        2801''.                                                                
          SEC. 3. EXPORTS OF ENCRYPTION.                                          
     (a) Amendment to Export Administration Act of 1979.--Section 17 of   
  the Export Administration Act of 1979 (50 U.S.C. App. 2416) is amended  
  by adding at the end thereof the following new subsection:              
   ``(g)  Computers and Related Equipment.--                              
       ``(1) General rule.--Subject to paragraphs (2), (3), and (4), the   
   Secretary shall have exclusive authority to control exports of all      
   computer hardware, software, and technology for information security    
   (including encryption), except that which is specifically designed or   
   modified for military use, including command, control, and intelligence 
   applications.                                                           
       ``(2) Items not requiring licenses.--No validated license may be    
   required, except pursuant to the Trading With The Enemy Act or the      
   International Emergency Economic Powers Act (but only to the extent that
   the authority of such Act is not exercised to extend controls imposed   
   under this Act), for the export or reexport of--                        
    ``(A) any software, including software with encryption capabilities--  
       ``(i) that is generally available, as is, and is designed for       
   installation by the purchaser; or                                       
       ``(ii) that is in the public domain for which copyright or other    
   protection is not available under title 17, United States Code, or that 
   is available to the public because it is generally accessible to the    
   interested public in any form; or                                       
       ``(B) any computing device solely because it incorporates or employs
   in any form software (including software with encryption capabilities)  
   exempted from any requirement for a validated license under subparagraph
   (A).                                                                    
       ``(3) Software with encryption capabilities.--The Secretary shall   
   authorize the export or reexport of software with encryption            
   capabilities for nonmilitary end uses in any country to which exports of
   software of similar capability are permitted for use by financial       
   institutions not controlled in fact by United States persons, unless    
   there is substantial evidence that such software will be--              
       ``(A) diverted to a military end use or an end use supporting       
   international terrorism;                                                
    ``(B) modified for military or terrorist end use; or                   
       ``(C) reexported without any authorization by the United States that
   may be required under this Act.                                         
       ``(4) Hardware with encryption capabilities.--The Secretary shall   
   authorize the export or reexport of computer hardware with encryption   
   capabilities if the Secretary determines that a product offering        
   comparable security is commercially available outside the United States 
   from a foreign supplier, without effective restrictions.                
    ``(5)  Definitions.--As used in this subsection--                      
       ``(A) the term `encryption' means the scrambling of wire or         
   electronic information using mathematical formulas or algorithms in     
   order to preserve the confidentiality, integrity, or authenticity of,   
   and prevent unauthorized recipients from accessing or altering, such    
   information;                                                            
       ``(B) the term `generally available' means, in the case of software 
   (including software with encryption capabilities), software that is     
   offered for sale, license, or transfer to any person without            
   restriction, whether or not for consideration, including, but not       
   limited to, over-the-counter retail sales, mail order transactions,     
   phone order transactions, electronic distribution, or sale on approval; 
       ``(C) the term `as is' means, in the case of software (including    
   software with encryption capabilities), a software program that is not  
   designed, developed, or tailored by the software publisher for specific 
   purchasers, except that such purchasers may supply certain installation 
   parameters needed by the software program to function properly with the 
   purchaser's system and may customize the software program by choosing   
   among options contained in the software program;                        
       ``(D) the term `is designed for installation by the purchaser'      
   means, in the case of software (including software with encryption      
   capabilities) that--                                                    
       ``(i) the software publisher intends for the purchaser (including   
   any licensee or transferee), who may not be the actual program user, to 
   install the software program on a computing device and has supplied the 
   necessary instructions to do so, except that the publisher may also     
   provide telephone help line services for software installation,         
   electronic transmission, or basic operations; and                       
       ``(ii) the software program is designed for installation by the     
   purchaser without further substantial support by the supplier;          
       ``(E) the term `computing device' means a device which incorporates 
   one or more microprocessor-based central processing units that can      
   accept, store, process, or provide output of data; and                  
       ``(F) the term `computer hardware', when used in conjunction with   
   information security, includes, but is not limited to, computer systems,
   equipment, application-specific assemblies, modules, and integrated     
   circuits.''.                                                            
     (b) Continuation of Export Administration Act.--For purposes of      
  carrying out the amendment made by subsection (a), the Export           
  Administration Act of 1979 shall be deemed to be in effect.             
          SEC. 4. EFFECT ON LAW ENFORCEMENT ACTIVITIES.                           
     (a) Collection of Information by Attorney General.--The Attorney     
  General shall compile, and maintain in classified form, data on the     
  instances in which encryption (as defined in section 2801 of title 18,  
  United States Code) has interfered with, impeded, or obstructed the     
  ability of the Department of Justice to enforce the criminal laws of the
  United States.                                                          
     (b) Availability of Information to the Congress.--The information    
  compiled under subsection (a), including an unclassified summary        
  thereof, shall be made available, upon request, to any Member of        
  Congress.                                                               
                                    PURPOSE AND SUMMARY                           
      The widespread use of strong encryption to encode digital            
   communications will prevent crime, economic espionage, and information  
   warfare. Unfortunately, our current encryption policy discourages the   
   use of encryption. H.R. 695, the ``Security And Freedom through         
   Encryption (SAFE) Act,'' makes a series of changes to U.S. encryption   
   policy which will facilitate the use of encryption.                     
      Current policy does not restrict the domestic use, sale, or import of
   encryption. Section 2 of H.R. 695 generally codifies that policy by     
   affirmatively prohibiting restrictions on the domestic use and sale of  
   encryption. It also prohibits any mandatory key escrow system, allowing 
   voluntary systems to develop in the marketplace, and provides criminal  
   penalties for the knowing and willful use of encryption to avoid        
   detection of other federal felonies.                                    
      At the same time, however, the export of strong encryption products  
   is tightly restricted under the export control laws. Section 3 of H.R.  
   695 significantly relaxes those export controls. In addition, section 4 
   requires that the Attorney General compile statistics on instances in   
   which these new policies may interfere with the enforcement of federal  
   criminal laws.                                                          
                          BACKGROUND AND NEED FOR THE LEGISLATION                 
                              I.  Background                             
           A. What is encryption?                                                  
      Encryption is the process of encoding data or communications in a    
   form that only the intended recipient can understand. Until fairly      
   recently, society generally considered encryption to be the exclusive   
   domain of national security and law enforcement agencies. However, with 
   the advent of computers and digital electronic communications,          
   encryption's importance to persons and companies in the private sector  
   has increased because they want to transmit data securely. Many people  
   feel that the Internet has not succeeded as a commercial medium as well 
   as it might because those who want to use it do not feel the data       
   transmitted is secure. For example, people do not want to transmit their
   credit card numbers when hackers may steal those numbers.               
      To understand the issues involved, one must understand some basic    
   terminology. In the digital world, data are communicated in a string of 
   ones and zeroes that computers understand, but the average person does  
   not. An encryption scheme converts ones to zeroes and zeroes to ones    
   according to an algorithm or mathematical formula. The intended         
   recipient knows the formula or ``key'' which he uses to decode the      
   encrypted data.                                                         
      The complexity and quality of an encryption scheme determines how    
   difficult it is to break the code and therefore how well the scheme     
   protects the data. One factor determining the complexity of the         
   encryption scheme is the length of the key. The length of the key is    
   usually expressed as a number known as the ``bit length.'' A bit is one 
   digit in the key. A bit length of 40 is considered relatively weak,     
   whereas a bit length of 128 is considered very strong.                  
       However, a bit length of 40 is not 3.2 times weaker than a bit      
   length of 128 because this is an exponential scale, not an arithmetic   
   one. A bit length of 40 has 2\40\ possible keys, whereas a bit length of
   128 has 2\128\ possible keys. To give some practical sense of the       
   difference, one researcher estimated that a relatively inexpensive      
   computer attempting a ``brute force'' effort to decode--i.e. simply     
   trying all the mathematical possibilities--could on average decode a    
   40-bit scheme in a few seconds, whereas a 128-bit scheme would on       
   average take millions of years. Although there is no assurance that this
   estimate is accurate, it does give a general sense of the exponential   
   differences in complexity that flow from an increase in bit length.     
           B. Issues in the encryption debate                                      
      The encryption debate encompasses two main issues. The first issue is
   whether the domestic use and sale of encryption products should be      
   restricted, and in particular, whether domestic users should be required
   to place their keys in escrow with the government or some other neutral 
   third party, e.g. an existing computer company or an entity created     
   solely for the purpose of holding keys. Current law does not have any   
   such restrictions.                                                      
      The second issue is whether the export of encryption products should 
   be restricted. As discussed in more detail below, current law regulates 
   the export of encryption products under two statutes: (1) the Arms      
   Export Control Act (``AECA''), 22 U.S.C. 2751 et seq., and its          
   accompanying International Trafficking in Arms Regulations (``ITAR''),  
   22 C.F.R. 120 et seq., and (2) the Export Administration Act (``EAA''), 
   50 U.S.C. App. 2401 et seq., and its accompanying Export Administration 
   Regulations (``EAR''), 15 C.F.R. 730 et seq. Although the EAA expired in
   1994, President Clinton kept its provisions in force by invoking his    
   powers under the International Emergency Economic Powers Act, 50 U.S.C. 
   1701 et seq. Executive Order 12924 (August 19, 1994); 59 Fed. Reg. 43437
   (August 23, 1994).                                                      
            1. Arguments relating to the domestic use of encryption                 
      Law enforcement and national security agencies believe that they need
   some form of key escrow system to maintain their ability to perform     
   legitimate wiretaps and to read computer data seized through lawful     
   means. They argue that widespread use of strong encryption without key  
   escrow would end the use of wiretapping as a tool for fighting crime.   
   For example, they argue that instances occur when law enforcement       
   agencies learn in the course of a wiretap that someone is about to      
   commit a serious crime. If strong encryption prevented a contemporaneous
   understanding of this information, the agencies would not be able to    
   prevent the crime. Likewise, if strong encryption prevented the reading 
   of lawfully seized computer data, it could unreasonably delay criminal  
   investigations. They further argue that a key escrow system would have  
   the salutary side effect of providing a backup for those users who might
   lose their keys. Although they contend that they only favor a voluntary 
   key escrow system, many believe that the use of export controls as      
   leverage to encourage the use of a key escrow system effectively amounts
   to making such a system mandatory.                                      
      The computer industry, the American business community, and privacy  
   groups vehemently oppose any mandatory key escrow system. They argue    
   that a mandatory system would unnecessarily invade the privacy of users 
   and that the market should develop any voluntary key escrow system. They
   believe that law enforcement can gain access to keys through traditional
   means for obtaining evidence and that those with criminal intent will   
   not use key escrow products, thus defeating the purpose of the          
   Administration's policy. They argue that our law and tradition do not   
   require private citizens to take positive action to assist the          
   government in surveilling them in any other instance.                   
      Moreover, they contend that private citizens should not be required  
   to give access to their most precious assets to anyone else regardless  
   of whether it is the government or a third party. In the digital age,   
   information is often the most valuable property that a company owns.    
   They further argue that the good that widespread use of encryption can  
   do in preventing crime far outweighs the harm done by the relatively few
   instances in which the use of encryption hampers law enforcement.       
            2. The administration's recent initiative                               
      Until last fall, the Administration treated encryption products as   
   munitions for export purposes. The State Department has jurisdiction    
   over the export of munitions under AECA and ITAR, and it had, as a      
   matter of practice, generally only allowed the export of encryption     
   products with bit lengths of 40 or less. The State Department treated   
   these relatively weak encryption products as non-defense products       
   subject to the jurisdiction of the Department of Commerce under the     
   Export Administration Act, 50 U.S.C. App. 2401 et seq. Beyond that      
   level, any export of encryption products required a special license.    
      On October 1, 1996, Vice President Gore announced the                
   Administration's intention to develop a new policy on the export of     
   encryption products. The Vice President's announcement stated in part:  
      Under this initiative, the export of 56-bit key length encryption    
   products will be permitted under a general license after one-time       
   review, and contingent upon industry commitments to build and market    
   future products that support key recovery. This policy will apply to    
   hardware and software products. The relaxation of controls will last up 
   to two years.                                                           
         * * * * * * *                                                           
      Exporters of 56-bit DES or equivalent encryption products would make 
   commitments to develop and sell products that support the key recovery  
   system that I announced in July. That vision presumes that a trusted    
   party (in some cases internal to the user's organization) would recover 
   the user's confidentiality key for the user or for law enforcement      
   officials acting under proper authority. Access to keys would be        
   provided in accordance with destination country policies and bilateral  
   understandings. No key length limits or algorithm restrictions will     
   apply to exported key recovery products.                                
         * * * * * * *                                                           
      Under the relaxation, six-month general export licenses will be      
   issued after one-time review, contingent on commitments from exporters  
   to explicit benchmarks and milestones for developing and incorporating  
   key recovery features into their products and services, and for building
   the supporting infrastructure internationally. Initial approval will be 
   contingent on firms providing a plan for implementing key recovery. The 
   plan will explain in detail the steps the applicant will take to        
   develop, produce, distribute, and/or market encryption products with key
   recovery features. The specific commitments will depend on the          
   applicant's line of business.                                           
      The government will renew the licenses for additional six-month      
   periods if milestones are met. Two years from now, the export of 56-bit 
   products that do not support key recovery will no longer be permitted.  
   Currently exportable 40-bit mass market software products will continue 
   to be exportable. We will continue to support financial institutions in 
   their efforts to assure the recovery of encrypted financial information.
   Longer key lengths will continue to be approved for products dedicated  
   to the support of financial applications.                               
  Statement of the Vice President dated October 1, 1996.                  
       On November 15, 1996, President Clinton issued Executive Order      
   13026, 61 Fed. Reg. 58767 (November 19, 1996), and an accompanying      
   Presidential Memorandum which began the implementation of the policy    
   outlined in the October 1 statement. Among other things, the executive  
   order and the memorandum transferred all non-military encryption        
   products to the Commerce Control List, meaning that their licensing for 
   export would be overseen by the Department of Commerce under the EAA.   
   The order and memorandum also gave the Department of Justice a          
   significant voice in such licensing decisions.                          
      On December 30, 1996, the Department of Commerce promulgated         
   regulations that implemented the new policy. 61 Fed. Reg. 68572         
   (December 30, 1996). Although the policy has only been in place for a   
   few months, much of the computer industry, particularly software        
   companies, have criticized it.                                          
            3. Arguments relating to export controls on encryption products         
      The Administration has to date opposed any lifting of export controls
   beyond that in its recent initiative. It argues that the controls are   
   still effective and that our allies would dislike the negative effect on
   law enforcement efforts if we lifted the controls. It also argues that  
   the lifting of the controls might not help business because other       
   countries would impose import controls. Finally, the Administration     
   argues that it is making efforts under its new policy to find ways to   
   relax the controls on a case by case basis.                             
      The computer industry and the privacy groups argue that the          
   Administration ought to substantially relax, if not eliminate the       
   controls. They argue that wrongdoers can easily evade them because many 
   encryption products are available to anyone over the Internet. At least 
   one study estimated that at least 500 products are available worldwide. 
   They also argue that the controls are easily evaded because as a        
   practical matter, anyone can come into the United States, buy encryption
   products, and take them out of the country with little risk of          
   detection. Because the controls are so easily evaded, they further argue
   that the controls serve only to put American companies at a competitive 
   disadvantage and to discourage investment in the development of better  
   encryption products. If the situation does not change, they believe that
   American companies will no longer dominate this field.                  
      In addition, they contend that the Administration's new policy is a  
   backdoor attempt to force the domestic use of encryption with key       
   escrow. Under the policy, a company that wants both to sell encryption  
   products here and abroad must either make two versions of its product or
   sell only a product that meets the export restrictions. They also       
   question whether the carrot and stick approach the new policy takes is a
   legitimate and logical use of export controls. Current encryption       
   products of the 56-bit strength are either safe to export or they are   
   not--a company's compliance or noncompliance with the Administration's  
   directives regarding future products will not change that.              
            4. Recent litigation                                                    
      Currently, at least two plaintiffs have ongoing lawsuits that        
   challenge the Administration's policies regarding encryption. In one    
   case, the United States District Court for the District of Columbia     
   ruled that the government's decision to designate an encryption product 
   as a munition, and therefore restrict its export, was not subject to    
   judicial review. Karn v. Department of State , 925 F.Supp. 1 (D.D.C.    
   1996) , remanded , 107 F.3d 923 (D.C. Cir. 1997). The Court further held
   that the export restriction on the product was content neutral and      
   narrowly tailored, and therefore did not violate the First Amendment.   
   The United States Court of Appeals for the District of Columbia Circuit 
   recently remanded the case for further consideration in light of the    
   Administration's new policy, and the Committee understands that the     
   Court has not made a further decision. The plaintiff in the case, Philip
   Karn, testified before the Subcommittee on Courts and Intellectual      
   Property at the March 20, 1997 hearing on H.R. 695.                     
      In the other case, the United States District Court for the Northern 
   District of California ruled that the export restrictions on encryption 
   products were unconstitutional prior restraints on free speech because  
   they did not have adequate procedural safeguards. Bernstein v.          
   Department of State , 945 F.Supp. 1279 (N.D. Cal. 1996). The Committee  
   understands that this case is still before the District Court for       
   further consideration in light of the Administration's new policy.      
                       II. Need for the Legislation                      
           A. Sections 2 and 4--domestic use of encryption                         
      The Committee believes that sections 2 and 4 of H.R. 695, as reported
   by the Committee, will significantly aid the fight against crime. Both  
   sides of the debate agree that the use of strong encryption will help   
   users to prevent crimes before they happen. As we increasingly depend on
   computers to control our national infrastructure, the danger of         
   information warfare and economic espionage also increase. The use of    
   strong encryption diminishes that terrifying prospect.                  
      The affirmative statements in new sections 2802 and 2803 that it is  
   legal for persons in the United States and for United States persons    
   abroad to use, and for persons in the United States to sell, encryption 
   will encourage the use of encryption to fight crime. These sections only
   state what the Committee understands to be existing law, and therefore  
   they should not worsen any law enforcement and national security        
   concerns. By making these affirmative statements of positive law, the   
   bill will prevent any reduction of the existing right to use or sell    
   encryption domestically by administrative action, state law, or other   
   means.                                                                  
      New section 2804 effectively prohibits the imposition of any         
   mandatory key escrow system. The Committee believes that Americans      
   should not be forced to surrender the keys to their data without proper 
   justification any more than they should be forced to surrender the keys 
   to their homes. The limited circumstances under which law enforcement   
   and national security officers may obtain access to the private spaces  
   of Americans have stood the test of time. They exist for good reasons   
   that are well understood by all. The advent of a new technology is not a
   sufficient justification for diminishing these historic protections.    
      At the same time, however, new section 2804 preserves existing       
   authorities for law enforcement and national security officers to obtain
   keys for legitimate purposes. Just as new technology should not take    
   away the longstanding rights of citizens against government, it also    
   should not take away the traditional means for legitimate law           
   enforcement and national security investigations. However, the Committee
   does not believe that the advance of technology warrants a system of    
   forcing people to deposit their keys with any third party without proper
   justification. Thus, new section 2804 prohibits any such system.        
      Despite the Committee's opposition to any mandatory key escrow       
   system, nothing in section 2804 should be construed to prevent or hinder
   the development of a voluntary key escrow system if the market demands  
   it. Such a system may have many benefits so long as users are allowed to
   choose freely whether to join. If enough users desire it, the Committee 
   believes that the market will develop it.                               
      In addition to the preservation of existing law enforcement          
   authorities to obtain keys for legitimate purposes in new section 2804, 
   new section 2805 further aids law enforcement and national security by  
   making it a crime to avoid detection of another federal felony through  
   the knowing and willful use of encryption. This section gives the       
   government another tool with which to fight the misuse of encryption.   
      Section 4 requires the Attorney General to compile and make available
   to Congress information on instances in which encryption interferes with
   the enforcement of the federal criminal law. This requirement will      
   assist the Committee in determining whether to make any further changes 
   to encryption policy. It will also foster a continuing dialogue between 
   the Congress and the executive branch on these matters. Through all of  
   these means, the Committee believes that it has carefully balanced the  
   needs of law abiding citizens against those of the law enforcement and  
   national security agencies as to the matters within its jurisdiction.   
           B. Section 3--export controls                                           
      Section 3 of H.R. 695 significantly relaxes existing export controls 
   on encryption products. Because Section 3 amends the Export             
   Administration Act of 1979, it falls within the                         
                    jurisdiction of the House Committee on International          
          Relations. The International Relations Committee has been given a       
          secondary referral of H.R. 695 for consideration of Section 3.          
      For that reason, the Committee on the Judiciary did not address      
   Section 3 during its consideration of H.R. 695. However, the Committee  
   realizes that export controls must be addressed as part of any          
   comprehensive national encryption policy. The Committee believes that it
   has carefully balanced the interests involved in the matters under its  
   jurisdiction. It stands ready to work with the Committee on             
   International Relations, the Administration, and all other interested   
   parties in an effort to develop a similar, but more comprehensive,      
   balancing of all the interests, including those relating to export      
   controls, as this legislation moves forward.                            
                                          HEARINGS                                
      The Committee's Subcommittee on Courts and Intellectual Property held
   one day of hearings on H.R. 695 on March 20, 1997. The Subcommittee     
   received testimony from the following twelve witnesses: Hon. William    
   Reinsch, Under Secretary, Bureau of Export Administration, Department of
   Commerce, Washington, D.C.; Hon. William Crowell, Deputy Director,      
   National Security Agency, Fort Meade, Maryland; Hon. Robert Litt, Deputy
   Assistant Attorney General, Criminal Division, United States Department 
   of Justice, Washington, D.C.; Mrs. Phyllis Schlafly, President, Eagle   
   Forum, St. Louis, Missouri; Mr. Ira Rubinstein, Senior Corporate        
   Attorney, Microsoft Corporation, on behalf of the Business Software     
   Alliance; Ms. Roberta Katz, Senior Vice-President, General Counsel, and 
   Secretary, Netscape Communications Corporation, Mountain View,          
   California, on behalf of the Information Technology Association of      
   America and the Software Publishers Association; Mr. Jonathan Seybold,  
   Chairman of the Executive Committee and Director, Pretty Good Privacy,  
   Inc., San Mateo, California; Mr. Tom Morehouse, President and Chief     
   Executive Officer, SourceFile, Inc., Oakland, California; Mr. Grover    
   Norquist, President, Americans for Tax Reform, Washington, D.C.; Mr.    
   Philip Karn, Staff Engineer, Qualcomm, Inc., San Diego, California; Mr. 
   Marc Rotenberg, Director, Electronic Privacy Information Center,        
   Washington, D.C.; and Mr. Jerry Berman, Executive Director, Center for  
   Democracy and Technology, Washington, D.C. Two organizations submitted  
   additional material for the record.                                     
      In addition, Congressman Goodlatte introduced identical legislation, 
   H.R. 3011, in the 104th Congress. The full Committee held one day of    
   hearings on H.R. 3011 on September 25, 1996 (Serial No. 100). The       
   Committee received testimony from the following eight witnesses: Hon.   
   Bob Goodlatte, United States Representative, 6th District of Virginia;  
   Hon. Jamie Gorelick, Deputy Attorney General, United States Department  
   of Justice, Washington, D.C.; Hon. William Crowell, Deputy Director,    
   National Security Agency, Fort Meade, Maryland; Hon. William Reinsch,   
   Under Secretary, Bureau of Export Administration, Department of         
   Commerce, Washington, D.C.; Ms. Melinda Brown, Vice-President and       
   General Counsel, Lotus Development Corporation, Cambridge,              
   Massachusetts, on behalf of the Business Software Alliance; Ms. Roberta 
   Katz, Senior Vice-President, General Counsel, and Secretary, Netscape   
   Communications Corporation, Mountain View, California, on behalf of the 
   Information Technology Association of America and the Software          
   Publishers Association; Ms. Patricia Ripley, Managing Director, Bear    
   Stearns & Company, Inc., New York, New York; and Dr. Charles Deneka,    
   Senior Vice-President and Chief Technology Officer, Corning, Inc.,      
   Corning, New York, on behalf of the National Association of             
   Manufacturers. Two organizations submitted additional material for the  
   record.                                                                 
                                  COMMITTEE CONSIDERATION                         
      On April 30, 1997, the Subcommittee on Courts and Intellectual       
   Property met in open session and ordered reported the bill H.R. 695     
   without amendment, by a voice vote, a quorum being present. On May 14,  
   1997, the Committee met in open session and ordered reported favorably  
   the bill H.R. 695 with a single amendment in the nature of a substitute,
   by a voice vote, a quorum being present.                                
                                   VOTE OF THE COMMITTEE                          
      During their consideration of H.R. 695, the Committee and the        
   Subcommittee took no roll call votes.                                   
                                COMMITTEE OVERSIGHT FINDINGS                      
      In compliance with clause 2(l)(3)(A) of rule XI of the Rules of the  
   House of Representatives, the Committee reports that the findings and   
   recommendations of the Committee, based on oversight activities under   
   clause 2(b)(1) of rule X of the Rules of the House of Representatives,  
   are incorporated in the descriptive portions of this report.            
                   COMMITTEE ON GOVERNMENT REFORM AND OVERSIGHT FINDINGS          
      No findings or recommendations of the Committee on Government Reform 
   and Oversight were received as referred to in clause 2(l)(3)(D) of rule 
   XI of the Rules of the House of Representatives.                        
                         NEW BUDGET AUTHORITY AND TAX EXPENDITURES                
      Clause 2(l)(3)(B) of House rule XI does not apply because this       
   legislation does not provide new budgetary authority or increased tax   
   expenditures.                                                           
                         CONGRESSIONAL BUDGET OFFICE COST ESTIMATE                
      In compliance with clause 2(l)(3)(C) of rule XI of the Rules of the  
   House of Representatives, the Committee sets forth, with respect to the 
   bill, H.R. 695, the following estimate and comparison prepared by the   
   Director of the Congressional Budget Office under section 403 of the    
   Congressional Budget Act of 1974:                                       
       U.S. Congress,                                                          
       Congressional Budget Office,                                            
       Washington, DC, May 21, 1997.                                           
          Hon.  Henry J. Hyde,           Chairman, Committee on the Judiciary,
       House of Representatives, Washington, DC.                               
       Dear Mr. Chairman: The Congressional Budget Office has prepared the 
   enclosed cost estimate for H.R. 695, the Security and Freedom Through   
   Encryption (SAFE) Act.                                                  
      If you wish further details on this estimate, we will be pleased to  
   provide them. The CBO staff contacts are Rachel Forward (for federal    
   costs); Stephanie Weiner (for revenues); and Leo Lex (for the state and 
   local impact).                                                          
   Sincerely,                                                              
        James L. Blum                                                           
         (For June E. O'Neill, Director).                                       
   Enclosure.                                                              
           H.R. 695--Security and Freedom Through Encryption (SAFE) Act            
      Summary: H.R. 695 would allow individuals in the United States to use
   and sell any form of encryption and would prohibit states or the federal
   government from requiring individuals to relinquish the key to          
   encryption technologies to any third party. The bill also would prevent 
   the Bureau of Export Administration (BXA) in the Department of Commerce 
   from restricting the export of most nonmilitary encryption products.    
   H.R. 695 would establish criminal penalties and fines for the use of    
   encryption technologies to conceal incriminating information relating to
   a felony from law enforcement officials. Finally, the bill would require
   the Attorney General to maintain data on the instances in which         
   encryption impedes or obstructs the ability of the Department of Justice
   (DOJ) to enforce the criminal laws.                                     
      Assuming appropriation of the necessary amounts, CBO estimates that  
   enacting this bill would result in additional discretionary spending of 
   between $1 million and $3 million over the 1998 2002 period of BXA and  
   DOJ. Spending by BXA and DOJ for activities required by H.R. 695 would  
   total between $5 million and $7 million over the next five years. By    
   comparison, CBO estimates that--under current policies--spending by BXA 
   for reviewing the export of nonmilitary encryption products would total 
   about $4.5 million over the same period. (Spending related to encryption
   exports by DOJ is negligible under current law.) Enacting H.R. 695 also 
   would affect direct spending and receipts beginning in fiscal year 1998 
   through the imposition of criminal fines and the resulting spending from
   the Crime Victims Fund. Therefore, pay-as-you-go procedures would apply.
   CBO estimates, however, that the amounts of additional direct spending  
   or receipts would not be significant.                                   
      H.R. 695 contains no private-sector mandates as defined in the       
   Unfunded Mandates Reform Act of 1995 (UMRA). The bill would prohibit    
   states from requiring persons to make encryption keys available to      
   another person or entity. This prohibition would be an                  
                    intergovernmental mandate as defined in UMRA. However, states 
          would bear no costs as a result of the mandate because none currently   
          require the registration or availability of such keys.                  
      Estimated cost to the Federal Government: Under current policy, BXA  
   would likely spend about $900,000 a year reviewing exports of encryption
   products. Assuming appropriation of the necessary amounts, CBO estimates
   that enacting H.R. 695 would lower BXA's encryption-related costs to    
   about $500,000 a year. In November 1996, the Administration issued an   
   executive order and memorandum that authorized BXA to control the export
   of all nonmilitary encryption products. If H.R. 695 were enacted, BXA   
   would still be required to review requests to export most computer      
   hardware with encryption capabilities but would not be required to      
   review most requests to export computer software with encryption        
   capabilities. Thus, enacting H.R. 695 would reduce the costs to BXA to  
   control the exports of nonmilitary encryption products.                 
      According to the DOJ, maintaining data on the instances in which     
   encryption impedes or obstructs the ability of the Department of Justice
   to enforce the criminal laws could cost $1 million or more per year. The
   cost of maintaining the data is difficult to ascertain because DOJ      
   believes that if H.R. 695 were enacted such instances would be numerous.
   But the agency is uncertain as to how much it would cost to track such  
   classified information nationwide. For the purposes of this estimate,   
   CBO projects that maintaining the data would cost DOJ between $500,000  
   and $1 million a year, assuming appropriation of the necessary amounts. 
      CBO estimates that the collections of criminal fines for the use of  
   encryption technologies to conceal incriminating information relating to
   a felony from law enforcement officials would not be significant.       
      The costs of this legislation fall within budget functions 370       
   (commerce and housing credit) and 750 (administration of justice).      
      Pay-as-you-go considerations: Section 25 of the Balanced Budget and  
   Deficit Control Act of 1985 sets up pay-as-you-go procedures for        
   legislation affecting direct spending or receipts through 1998. Enacting
   H.R. 695 would affect direct spending and receipts through the          
   imposition of criminal fines for encrypting incriminating information   
   related to a felony. Collections from such fines are likely to be       
   negligible, however, because the federal government would probably not  
   pursue many cases under the bill. Any such collections would be recorded
   in the budget as governmental receipts, or revenues. They would be      
   deposited in the Crime Victims Fund and spent the following year.       
   Because the increase in direct spending would be the same amount as the 
   amount of fines collected with a one-year lag, the additional direct    
   spending would also be negligible.                                      
      Estimated impact on State, local, and tribal governments: H.R. 695   
   would prohibit states from requiring persons to make encryption keys    
   available to another person or entity. This prohibition would be an     
   intergovernmental mandate as defined in UMRA. However, states would bear
   no costs as the result of the mandate because none currently require the
   registration or availability of such keys.                              
      Estimated impact on the private sector: The bill would impose no new 
   private-sector mandates as defined in UMRA.                             
      Estimate prepared by: Federal Costs: Rachel Forward--Revenues:       
   Stephanie Weiner--Impact on State, Local, and Tribal Governments: Leo   
   Lex.                                                                    
      Estimate approved by: Robert A. Sunshine, Deputy Assistant Director  
   for Budget Analysis.                                                    
                             CONSTITUTIONAL AUTHORITY STATEMENT                   
      Pursuant to rule XI, clause 2(l)(4) of the Rules of the House of     
   Representatives, the Committee finds the authority for this legislation 
   in Article I, section 8 of the Constitution.                            
                                SECTION-BY-SECTION ANALYSIS                       
       Section 1. Short Title. Section 1 provides that H.R. 695 may be     
   cited as the ``Security And Freedom through Encryption (SAFE) Act.''    
       Section 2. Sale and Use of Encryption. Subsection 2(a) of H.R. 695  
   creates a new chapter 122 in Title 18 of the United States Code. This   
   chapter 122 would include new sections 2801 05.                         
      New section 2801 provides for definitions of terms to be used in the 
   chapter. Many of the definitions used are explicitly taken from the     
   definitions in the existing federal wiretap statute, 18 U.S.C. 2510 et  
   seq. During the Committee markup, Mr. Delahunt offered an amendment     
   making technical changes to these definitions to conform them more      
   closely with the existing definitions. The Delahunt amendment passed on 
   a voice vote.                                                           
      New section 2802 affirmatively states that it is legal for any person
   in the United States, or any United States person in a foreign country, 
   to use any form of encryption regardless of the algorithm, key length,  
   or technique used in the encryption. New section 2803 affirmatively     
   states that it is legal for any person in the United States to sell in  
   interstate commerce encryption products using any form of encryption    
   regardless of the algorithm, key length, or technique used. Some        
   business groups have expressed concern that new sections 2802 and 2803  
   might be construed to override their lawful policies for employee use of
   their computer systems. The Committee does not intend for these sections
   to be so read. The Committee intends that these sections should be read 
   as limitations on government power. They should not be read as          
   overriding otherwise lawful employer policies concerning employee use of
   the employer's computer systems, nor as limiting the employer's         
   otherwise lawful means for remedying violations of those policies.      
      Thus, even though employees cannot be prosecuted for an offense of   
   unlawful encryption under Section 2802, employees may be prosecuted for 
   failing to return business property, unlawful appropriation, or         
   conversion. Consider, for example, the case in which an employer's      
   information management policy calls for company-wide deployment of key  
   recovery encryption, and a given employee refuses to comply, encrypting 
   instead without key recovery using some other system. In that instance, 
   the employer remains within his rights, under state statutory or common 
   law, to sue to obtain the needed key to recover the business            
   property--plans, designs, texts, databases, and the like--contained in  
   the computer or computers under the employee's control.                 
      New section 2804 specifically prohibits requiring any person in      
   lawful possession of an encryption key to turn that key over to another 
   person. This section effectively prevents any form of mandatory key     
   escrow system. As introduced, this section provided an exception for law
   enforcement personnel acting under any law in effect on the date of     
   enactment. At the Committee markup, Mr. McCollum offered an amendment   
   that expands the exception to include members of the intelligence       
   community as defined in section 3 of the National Security Act of 1947  
   (50 U.S.C. 401a). The McCollum amendment passed by a voice vote.        
      Finally, new section 2805 makes it a crime to use encryption         
   unlawfully in furtherance of some other crime. This new crime is        
   punishable by a sentence of 5 years for the first offense and 10 years  
   for a subsequent offense. The Delahunt amendment that made technical    
   changes to the definitions also changed the language of this section.   
   The Delahunt amendment clarified two points relating to this new crime: 
   (1) it applies only to the use of encryption to avoid detection of some 
   other federal felony, and (2) it applies only when the encryption is    
   knowingly and willfully used to avoid detection. In other words, this   
   crime cannot occur without the commission of some other federal felony, 
   and the use of encryption must be a deliberate attempt to avoid         
   detection of that felony. It may not be unknowing or accidental. As     
   noted above, the Delahunt amendment passed on a voice vote.             
      Subsection 2(b) of H.R. 695 provides for a conforming amendment to   
   the table of chapters in Title 18.                                      
       Section 3. Exports of Encryption. Subsection 3(a) of H.R. 695 amends
   the Export Administration Act by creating a new subsection (g) to 50    
   U.S.C. App. 2416. New subsection (g)(1) would place all encryption      
   products, except those specifically designed or modified for military   
   use, under the jurisdiction of the Secretary of Commerce. New subsection
   (g)(2) allows encryption software that is generally available or in the 
   public domain, like mass-market software products, to be exported       
   freely. New subsection (g)(3) requires the Secretary to allow other     
   encryption software to be exported unless there is substantial evidence 
   that it will be put to military or terrorist uses or that it will be    
   reexported without U.S. authorization.                                  
      New subsection (g)(4) requires the Secretary to allow the export of  
   hardware with encryption capabilities when the Commerce Department finds
   that it is commercially available from foreign suppliers without        
   effective restrictions. New subsection (g)(5) provides definitions.     
      The Committee would like to clarify that with the ever increasing    
   incorporation of computer-like intelligence (including hardware and     
   software) into consumer products for the protection of privacy,         
   information security, and intellectual property interests, it intends   
   this legislation to cover all devices--whether traditional ``computing''
   devices or ``convergent'' consumer products--that incorporate           
   encryption. Further, the applications covered by this legislation       
   include video, audio, and data communications systems. Hardware and     
   software containing encryption, such as encoders, decoders, and network 
   terminals, which are essential to protect the video signal, are         
   therefore included under section 3(a) of this Act. Video, audio, and    
   data communications systems containing encryption and decryption        
   capability are used by cable, satellite, and wireless delivery systems. 
      Subsection 3(b) of H.R. 695 provides that for purposes of carrying   
   out the amendment made by subsection 3(a), the Export Administration Act
   shall be deemed to be in effect. This statement is necessary because    
   Congress allowed the Export Administration Act to lapse in 1994. To     
   date, it has not been renewed, and its policies have been continued by  
   executive order.                                                        
       Section 4. Effect on Law Enforcement Activities. Section 4 was not  
   part of the bill as introduced. An amendment offered by Mr. Hutchinson  
   added this language to the bill. Subsection 4(a) requires the Attorney  
   General to compile information on instances in which encryption has     
   interfered with, impeded, or obstructed the ability of the Justice      
   Department to enforce federal criminal law and to maintain that         
   information in classified form. The Committee intends that information  
   compiled by the Attorney General pursuant to this section also include  
   instances in which encryption has prevented crimes from occurring,      
   especially in protecting national infrastructures and preventing        
   economic espionage (although not limited to those areas). Subsection    
   4(b) requires that the Attorney General shall make the information      
   compiled under subsection 4(a), including an unclassified summary,      
   available to Members of Congress upon request. The Hutchinson amendment 
   passed on a voice vote.                                                 
                                        AGENCY VIEWS                              
       U.S. Department of Justice,                                             
       Office of Legislative Affairs,                                          
       Washington, DC, April 30, 1997.                                         
          Hon.  Howard Coble,            
Chairman, Subcommittee on Courts and Intellectual Property, 
Committee on the Judiciary, House of Representatives, Washington, DC.
       Dear Mr. Chairman: Your Subcommittee will soon begin mark-up of H.R.
   695, the ``Security and Freedom Through Encryption (SAFE) Act.''        
   Although the Department of Justice supports H.R. 695's overall goal of  
   promoting the wide dissemination of strong encryption, we believe that  
   the bill would severely compromise law enforcement's ability to protect 
   the American people from the threats posed by terrorists, organized     
   crime, child pornographers, drug cartels, financial predators, hostile  
   foreign intelligence agents, and other criminals. In addition, the bill 
   would greatly impair the government's ability to prosecute those crimes 
   when they do occur. We urge the Subcommittee to reject H.R. 695 in its  
   present form.                                                           
      There is widespread agreement that strong encryption is essential to 
   the success of the emerging Global Information Infrastructure (GII).    
   Communications and data must be protected--both in transit and in       
   storage--if the GII is to be used for personal communications, financial
   transactions, medical care, the development of new intellectual         
   property, and myriad other applications. Having recognized the          
   importance of encryption, we must ensure that its application is        
   consistent with the larger goals of society. One approach, that taken by
   H.R. 695 advocates the proliferation of unbreakable encryption that     
   would not only protect commerce and privacy, but also unintentionally   
   protect criminals. A better approach, advocated by the Administration,  
   encourages the use of data recovery products that fully protect commerce
   and privacy, but without sacrificing public safety and national         
   security.                                                               
      Viewed in this light, the proposed legislation poses two major       
   problems for federal, state, and local law enforcement. First, it would 
   effectively eliminate all export controls on                            
                    strong encryption, thereby undermining public safety and      
          national security by encouraging the proliferation of unbreakable       
          encryption. Second, the bill discourages formation of a key management  
          infrastructure that addresses the needs of public safety, economic      
          security and privacy.                                                   
      The elimination of export controls would adversely affect national   
   security and foreign policy interests and severely impair many law      
   enforcement efforts at the federal, state and local level. We have      
   heard, of course, the oft-repeated argument that the ``genie is already 
   out of the bottle''--that strong encryption is already widely available 
   overseas and over the Internet and that attempts to limit its spread are
   futile, and serve only to handicap U.S. manufacturers seeking to sell   
   their encryption products overseas. In fact, this is not the case.      
      Although strong encryption products can be found overseas, these     
   products are not ubiquitous, in part because the export of strong       
   encryption is controlled by both the U.S. and other countries. It is    
   worth noting in this regard that export of encryption over the Internet,
   like any other means of export, is restricted under U.S. law. Although  
   it is difficult to prevent completely encryption products from being    
   sent abroad over the Internet, we believe that the legal restrictions   
   will limit the use of the Internet as a means of evading export         
   controls.                                                               
      In addition, the quality of encryption products offered abroad varies
   greatly, with some encryption products not providing the levels of      
   protection advertised. Finally, the vast majority of businesses with a  
   serious need for strong encryption are not likely to rely on encryption 
   downloaded from the Internet from untested sources, but will prefer     
   instead to deal with known and reliable suppliers. For these reasons,   
   export controls continue to serve a critical function.                  
      A few other factors are important to consider regarding export       
   controls. First, our allies strongly concur that unrestricted export of 
   encryption would severely hamper law enforcement objectives. It would be
   a terrible irony if this government--which prides itself on its         
   leadership in fighting international crime--were to enact a law that    
   would jeopardize public safety and weaken law enforcement agencies      
   worldwide.                                                              
      Second, critics of export controls have mistakenly assumed that the  
   lifting of export controls would result in unrestricted access to       
   markets abroad by U.S. companies. But this assumption ignores the likely
   reaction of foreign governments to the elimination of U.S. export       
   controls. To date, most other countries have not needed to restrict     
   imports or domestic use of encryption, largely because export controls  
   in the U.S.--the                                                        
                    world leader in computer technology--and other countries have 
          made such restrictions unnecessary. But given other countries'          
          legitimate concerns about the potential worldwide proliferation of      
          unbreakable encryption products, we believe that many of those countries
          would respond to any lifting of U.S. export controls by imposing import 
          controls, or by restricting use of strong encryption by their citizens. 
      France, Russia and Israel, for example, have already established     
   domestic restrictions on the import, manufacture, sale and use of       
   encryption products. In addition, a number of European Union countries  
   are moving towards the adoption of a key-recovery-based key management  
   infrastructure similar to that proposed by the Administration. In the   
   long run, then, U.S. companies might not be any better off if U.S.      
   export controls were lifted, but the would have undermined our          
   leadership role in fighting international crime and damaged our own     
   national security interests in the meantime.                            
      We also oppose H.R. 695 because it would impede or prevent the       
   development of a key management infrastructure. The bill could be read  
   as prohibiting the United States government from using appropriate      
   incentives to support a key management infrastructure and key recovery. 
   Without such an infrastructure supporting key recovery, federal law     
   enforcement investigations will become far more difficult. The problems 
   that enactment of H.R. 695 would pose for state and local law           
   enforcement, which lack access to supercomputers, are even greater.     
      In law enforcement, quick action can save lives, reduce crime and    
   apprehend criminals. Criminals, therefore, rely on techniques that help 
   them slow or prevent law enforcement officers from detecting and solving
   crimes and catching offenders. The passage of H.R. 695 could            
   unintentionally add a powerful new technique--unbreakable encryption--to
   the collection of methods that criminals use to thwart law enforcement  
   and prey upon the residents of the United States. It is difficult enough
   to fight crime without making criminals' tasks any easier.              
      The Subcommittee should approve a bill that encourages the           
   development of a key management infrastructure and key recovery system  
   coupled with responsible export controls. We look forward to working    
   with you in developing an approach to encryption that meets the dual    
   goals of maintaining law enforcement's ability to fight crime and       
   protecting the right to privacy within the burgeoning global information
   infrastructure. We are hopeful that by working together we can create a 
   mutually acceptable national encryption policy. The Office of Management
   and Budget has advised that there is no objection from the standpoint of
   the Administration's program to the presentation of this report.        
   Sincerely,                                                              
         Andrew Fois,                                                           
        Assistant Attorney General.                                             
                   CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED          
      In compliance with clause 3 of rule XIII of the Rules of the House of
   Representatives, changes in existing law made by the bill, as reported, 
   are shown as follows (new matter is printed in italic, and existing law 
   in which no change is proposed is shown in roman):                      
                                TITLE 18, UNITED STATES CODE                      
         * * * * * * *                                                           
          PART I--CRIMES                                                          
 Chap.                                                                   
 Sec.                                                                    
         1.   General provisions                                                
        1                                                                      
         * * * * * * *                                                           
         125. Encrypted wire and electronic information                         
        2801                                                                   
         * * * * * * *                                                           
                   CHAPTER 125--ENCRYPTED WIRE AND ELECTRONIC INFORMATION         
      2801. Definitions.                                                      
      2802. Freedom to use encryption.                                        
      2803. Freedom to sell encryption.                                       
      2804. Prohibition on mandatory key escrow.                              
      2805. Unlawful use of encryption in furtherance of a criminal act.      
          2801. Definitions                                                       
   As used in this chapter--                                              
       (1) the terms ``person'', ``State'', ``wire communication'',        
   ``electronic communication'', ``investigative or law enforcement        
   officer'', and ``judge of competent jurisdiction'' have the meanings    
   given those terms in section 2510 of this title;                        
       (2) the terms ``encrypt'' and ``encryption'' refer to the scrambling
   of wire communications, electronic communications, or electronically    
   stored information, using mathematical formulas or algorithms in order  
   to preserve the confidentiality, integrity, or authenticity of, and     
   prevent unauthorized recipients from accessing or altering, such        
   communications or information;                                          
       (3) the term ``key'' means the variable information used in a       
   mathematical formula, code, or algorithm, or any component thereof, used
   to decrypt wire communications, electronic communications, or           
   electronically stored information, that has been encrypted; and         
    (4) the term ``United States person'' means--                          
    (A) any United States citizen;                                         
       (B) any other person organized under the laws of any State, the     
   District of Columbia, or any commonwealth, territory, or possession of  
   the United States; and                                                  
       (C) any person organized under the laws of any foreign country who  
   is owned or controlled by individuals or persons described in           
   subparagraphs (A) and (B).                                              
          2802. Freedom to use encryption                                         
     Subject to section 2805, it shall be lawful for any person within any
  State, and for any United States person in a foreign country, to use any
  encryption, regardless of the encryption algorithm selected, encryption 
  key length chosen, or implementation technique or medium used.          
          2803. Freedom to sell encryption                                        
     Subject to section 2805, it shall be lawful for any person within any
  State to sell in interstate commerce any encryption, regardless of the  
  encryption algorithm selected, encryption key length chosen, or         
  implementation technique or medium used.                                
          2804. Prohibition on mandatory key escrow                               
     (a) Prohibition.--No person in lawful possession of a key to         
  encrypted communications or information may be required by Federal or   
  State law to relinquish to another person control of that key.          
     (b) Exception for Access for Law Enforcement Purposes.--Subsection   
  (a) shall not affect the authority of any investigative or law          
  enforcement officer, or any member of the intelligence community as     
  defined in section 3 of the National Security Act of 1947 (50 U.S.C.    
  401a), acting under any law in effect on the effective date of this     
  chapter, to gain access to encrypted communications or information.     
          2805. Unlawful use of encryption in furtherance of a criminal act       
     Any person who, in the commission of a felony under a criminal       
  statute of the United States, knowingly and willfully encrypts          
  incriminating communications or information relating to that felony with
  the intent to conceal such communications or information for the purpose
  of avoiding detection by law enforcement agencies or prosecution--      
       (1) in the case of a first offense under this section, shall be     
   imprisoned for not more than 5 years, or fined in the amount set forth  
   in this title, or both; and                                             
       (2) in the case of a second or subsequent offense under this        
   section, shall be imprisoned for not more than 10 years, or fined in the
   amount set forth in this title, or both.                                
         * * * * * * *                                                           
                     SECTION 17 OF THE EXPORT ADMINISTRATION ACT OF 1979          
    Sec.  17. (a) * * *                                                   
         * * * * * * *                                                           
   (g)  Computers and Related Equipment.--                                
       (1) General rule.--Subject to paragraphs (2), (3), and (4), the     
   Secretary shall have exclusive authority to control exports of all      
   computer hardware, software, and technology for information security    
   (including encryption), except that which is specifically designed or   
   modified for military use, including command, control, and intelligence 
   applications.                                                           
       (2) Items not requiring licenses.--No validated license may be      
   required, except pursuant to the Trading With The Enemy Act or the      
   International Emergency Economic Powers Act (but only to the extent that
   the authority of such Act is not exercised to extend controls imposed   
   under this Act), for the export or reexport of--                        
    (A) any software, including software with encryption capabilities--    
       (i) that is generally available, as is, and is designed for         
   installation by the purchaser; or                                       
       (ii) that is in the public domain for which copyright or other      
   protection is not available under title 17, United States Code, or that 
   is available to the public because it is generally accessible to the    
   interested public in any form; or                                       
       (B) any computing device solely because it incorporates or employs  
   in any form software (including software with encryption capabilities)  
   exempted from any requirement for a validated license under subparagraph
   (A).                                                                    
       (3) Software with encryption capabilities.--The Secretary shall     
   authorize the export or reexport of software with encryption            
   capabilities for nonmilitary end uses in any country to which exports of
   software of similar capability are permitted for use by financial       
   institutions not controlled in fact by United States persons, unless    
   there is substantial evidence that such software will be--              
       (A) diverted to a military end use or an end use supporting         
   international terrorism;                                                
    (B) modified for military or terrorist end use; or                     
       (C) reexported without any authorization by the United States that  
   may be required under this Act.                                         
       (4) Hardware with encryption capabilities.--The Secretary shall     
   authorize the export or reexport of computer hardware with encryption   
   capabilities if the Secretary determines that a product offering        
   comparable security is commercially available outside the United States 
   from a foreign supplier, without effective restrictions.                
    (5)  Definitions.--As used in this subsection--                        
       (A) the term ``encryption'' means the scrambling of wire or         
   electronic information using mathematical formulas or algorithms in     
   order to preserve the confidentiality, integrity, or authenticity of,   
   and prevent unauthorized recipients from accessing or altering, such    
   information;                                                            
       (B) the term ``generally available'' means, in the case of software 
   (including software with encryption capabilities), software that is     
   offered for sale, license, or transfer to any person without            
   restriction, whether or not for consideration, including, but not       
   limited to, over-the-counter retail sales, mail order transactions,     
   phone order transactions, electronic distribution, or sale on approval; 
       (C) the term ``as is'' means, in the case of software (including    
   software with encryption capabilities), a software program that is not  
   designed, developed, or tailored by the software publisher for specific 
   purchasers, except that such purchasers may supply certain installation 
   parameters needed by the software program to function properly with the 
   purchaser's system and may customize the software program by choosing   
   among options contained in the software program;                        
       (D) the term ``is designed for installation by the purchaser''      
   means, in the case of software (including software with encryption      
   capabilities) that--                                                    
       (i) the software publisher intends for the purchaser (including any 
   licensee or transferee), who may not be the actual program user, to     
   install the software program on a computing device and has supplied the 
   necessary instructions to do so, except that the publisher may also     
   provide telephone help line services for software installation,         
   electronic transmission, or basic operations; and                       
       (ii) the software program is designed for installation by the       
   purchaser without further substantial support by the supplier;          
       (E) the term ``computing device'' means a device which incorporates 
   one or more microprocessor-based central processing units that can      
   accept, store, process, or provide output of data; and                  
       (F) the term ``computer hardware'', when used in conjunction with   
   information security, includes, but is not limited to, computer systems,
   equipment, application-specific assemblies, modules, and integrated     
   circuits.                                                               
                           ADDITIONAL VIEWS OF HON. BOB GOODLATTE                 
      H.R. 695, the Security And Freedom through Encryption (SAFE) Act of  
   1997, accomplishes three critical goals: preventing economic crime,     
   promoting electronic commerce, and protecting the personal privacy of   
   all law-abiding Americans. I am pleased that both the Courts and        
   Intellectual Property Subcommittee and the full Judiciary Committee have
   approved this bipartisan legislation by voice vote. I would also like to
   thank the lead cosponsor of the SAFE Act, Rep. Zoe Lofgren (D CA), for  
   her leadership. support, and dedication to this important issue.        
      The Administration's encryption policies are at odds with its stated 
   goals. For example, the Administration has stated in testimony before   
   both the House and Senate that it supports the widespread use of strong 
   encryption. However, the Administration continues to enforce antiquated 
   Cold War export restrictions that prevent the widespread use of strong  
   encryption.                                                             
      The Department of Justice has been particularly hostile to H.R. 695, 
   even going so far as publicly stating that the bill would be devastating
   to international law enforcement. As an example, just hours prior to    
   Subcommittee markup of H.R. 695 on April 30, 1997, the Department of    
   Justice circulated a letter to Judiciary Committee members opposing the 
   legislation. This letter contained a series of allegations which deserve
   a response.                                                             
                     DOJ Claim: The bill ``discourages formation of a   
          key management infrastructure''.                              
                     Response: The SAFE Act takes no position on the    
          development of a key management infrastructure.               
      The term ``key management infrastructure'' refers to a system, yet to
   be fully developed, that would allow Internet users to know with whom   
   they are communicating, to verify document signatures, and to identify  
   whether documents are tampered with or altered in transmission. Such a  
   system could partly operate through ``Certificate Authorities'', or     
   commercial entities that would certify, like digital notary publics,    
   that certain public keys are in fact the keys of particular individuals 
   or corporations.                                                        
      Driven by user needs, the on-line world is developing such systems of
   assurance without government intervention. The security and             
   effectiveness of these systems will be tested by the market.            
   Consequently, it is impossible to know at this point which systems will 
   succeed and which will fail--the intensely competitive global           
   marketplace will decide that question. Government bureaucracy and       
   regulation is neither necessary nor desirable.                          
      Perhaps the greatest impediment to the development of a widespread   
   global key management infrastructure to date has been the               
   Administration's restrictive export policies. By preventing American    
   companies from exporting strong encryption, this Administration has     
   perpetuated a sense of uncertainty in the global market that has        
   discouraged these companies from developing commercial infrastructures. 
   Contrary to the Administration's claim, therefore, H.R. 695 would       
   actually promote development of' Certificate Authorities and key        
   management infrastructures in the best way possible, by removing        
   unwanted, unworkable, and unwise government bureaucracy and regulation. 
      A recent report issued by nine of the world's top cryptographers,    
   entitled ``The Risks of Key Recovery, Key Escrow, and Trusted Third     
   Party Encryption'', offers further evidence that various key escrow, key
   recovery. and key management systems that have been proposed by the     
   Administration are neither feasible nor advisable. As stated In this    
   report:                                                                 
                     Government key recovery proposals call for one of  
          the most ambitious and far-reaching deployments of the        
          information age. The field of cryptography has no experience  
          in deploying secure systems of this scope and complexity.* * *
          Attempts to force the widespread adoption of key recovery     
          encryption through export controls, import or domestic use    
          regulations, or international standards should be considered  
          in light of these factors. The public must carefully consider 
          the costs and benefits of embracing government-access key     
          recovery before imposing the new security risks and spending  
          the huge investment required--potentially many billions of    
          dollars, in direct and indirect costs--to deploy a global key 
          recovery infrastructure.                                      
    The Administration has stated publicly that ``only industry can build 
  a robust and scalable key management infrastructure''. This report shows
  quite clearly that proposals to establish global key management systems,
  including incentives to use such systems, are at best premature. As     
  former British Prime Minister Margaret Thatcher aptly put it,           
  ``Governments * * * are themselves `blind forces' blundering about in   
  the dark, and obstructing the operations of markets rather than         
  improving them.''                                                       
                     DOJ Claim: Strong encryption is not widely         
          available overseas, in part because of U.S. export controls.  
                     Response: German, Dutch, Swedish, British, Russian 
          and other foreign manufacturers have created strong and       
          reliable encryption products that are available               
          internationally and on the Internet.                          
      As evidence of this, the following excerpt is from a recent New York 
   Times article discussing the success of a German company, Brokat        
   Informationsysteme, which produces a 128-bit encryption program:        
                     Far from hindering the spread of powerful          
          encryption programs * * * American policy has created a       
          bonanza for alert entrepreneurs outside the United States.    
          When America Online wanted to offer on-line banking and       
          shopping services in Europe, it turned to Brokat for the      
          software that encodes transactions and protects them from     
          hackers and on-line bandits. When Netscape Communications and 
          Microsoft wanted to sell Internet software to Germany's       
          biggest banks, they had to team up with Brokat to deliver the 
          security guarantees that the banks demanded.* * * Besides     
          America Online, Brokat's customers include more than 30 big   
          banking and financial institutions around Europe.             
      Perhaps a more vivid example of the folly of the Administration's    
   export restrictions is the recent announcement that Sun Microsystems,   
   one of the leading U.S. computer companies, will be entering into a     
   partnership with Elvis+, a Russian encryption manufacturer, to          
   distribute strong encryption worldwide. Since the U.S. has no import or 
   domestic controls on the use of non-key escrow encryption, Sun can      
   import the Russian product and distribute it domestically, while the    
   Russian company distributes the same product overseas. Therefore, U.S.  
   companies will now be able to securely communicate with their overseas  
   offices and subsidiaries without violating the export control laws.     
      The Sun announcement demonstrates three critical facts that reveal   
   the absurdity of arguments the Administration uses to defend its current
   policies: (1) consumers are demanding strong encryption products to     
   protect their digital communications; (2) strong encryption products are
   already available from foreign manufacturers, and reputable U.S. firms  
   are willing to stake their corporate reputations on the quality of those
   products; and (3) the current export control scheme is taking jobs and  
   revenue away from our economy.                                          
      Additionally, many individuals and small businesses rely on the      
   Pretty Good Privacy encryption program, which is available on the       
   Internet worldwide. PGP is equivalent to 128-bit encryption, and has    
   been tested again and again. It is based on a public algorithm, so every
   hacker, graduate student, and computer scientist in the world can try to
   break it. None have succeeded.                                          
                     DOJ Claim: If the U.S. were to relax its current   
          export controls on strong encryption, foreign governments     
          would respond by creating import controls on U.S. products and
          thus those markets would not open to U.S. companies.          
                     Response: The United States should not set its     
          export policies on the basis of actions that other countries  
          might take.                                                   
      The U.S. government should not stand in the way of our industry's    
   ability to compete in the global marketplace--in fact, it should use any
   resources available to help American companies succeed in global        
   markets. When foreign governments raise import barriers to keep out U.S.
   products, they do so to allow their own industries to dominate the      
   marketplace. We should not allow ourselves to be fooled into believing  
   otherwise.                                                              
                     DOJ Claim: H.R. 695 would ``adversely affect       
          national security and foreign policy interests and severely   
          impair many law enforcement efforts at the federal, state, and
          local level.''                                                
                     Response: Strong encryption prevents crime.        
          Consider the findings of the National Research Council on the 
          use of strong encryption:                                     
                    If cryptography can protect the trade secrets and   
          proprietary information of businesses and thereby reduce      
          economic espionage (which it can). it also supports in a most 
          important manner the job of law enforcement. If cryptography  
          can help protect nationally critical information systems and  
          networks against unauthorized penetration (which it can), it  
          also supports the national security of the United States.     
      When criminals talk to other criminals, they will always be able to  
   use strong encryption, with no mechanism for law enforcement access, to 
   protect their communications. The Administration's policy will not      
   prevent this, since it is not proposing direct domestic or import       
   controls on strong encryption, and cannot prevent foreign companies from
   developing and distributing such products. However, when these criminals
   communicate with legitimate organizations, such as banks, law           
   enforcement will always be able to obtain evidence from such            
   organizations via court order or grand jury subpoena. Therefore,        
   allowing law-abiding people to use strong encryption to protect         
   themselves, and allowing U.S. companies to fully compete in the global  
   marketplace, will not prevent law enforcement from pursuing and stopping
   criminals.                                                              
      It is truly ironic that law enforcement agencies would oppose        
   legislation that prevents crime. Unfortunately, it seems that the       
   Administration does not want to empower our citizens and our industries 
   to protect themselves in the Information Age. Just as dead-bolt locks   
   and alarm systems help people protect their houses against intruders,   
   thereby assisting law enforcement in preventing crime, strong encryption
   allows people to protect their digital communications and computer      
   systems against criminal hackers and computer thieves.                  
      The SAFE Act prevents crime, promotes commerce, and protects privacy.
   Additionally, it allows the free market to design its own standards and 
   solutions for the development of global commerce, free from unwanted and
   unworkable government regulation. This bipartisan legislation ensures   
   that all law-abiding Americans will be able to communicate and conduct  
   business securely in the Information Age.                               
         Bob Goodlatte.                                                         
                                 ADDITIONAL MINORITY VIEWS                        
      We offer these additional views not to foment dissent but to         
   encourage dialogue with the Administration on the issues related to     
   encryption. We would like to work with federal law enforcement and      
   national security agencies to address their concerns.                   
      We sympathize with the difficulties faced by investigative and       
   security agencies in combating crime, terrorism, and espionage. We      
   believe it is quite legitimate for the Administration to be concerned   
   about the uncertain impact that strong and ubiquitous encryption        
   products may have on law enforcement and national security agencies. We 
   realize that it may ultimately become impossible for government agencies
   to decipher intercepted or retrieved data and communications that have, 
   by encryption, been transformed into a seemingly unintelligible form.   
      We recognize the days of cracking strong codes are nearly gone.      
   Unbreakable codes (256-bit key algorithms can generate more possible    
   solutions than there are particles in the known universe) are already   
   widely known. Private security experts and sophisticated hackers have   
   already realized this and are beginning to develop ways of attacking the
   vulnerable points before and after the information is encrypted (i.e.,  
   on the sender's hard drive or at a ``good-guy'' recipient such as a     
   bank). We suspect that law enforcement and national security experts    
   within the government are acquiring similar capabilities. But these     
   alternative (and more subtle) approaches are not reflected in the       
   Administration's current public policy toward encryption.               
      The Administration's current encryption policy, a policy that runs   
   back at least to the Bush Administration, creates more problems than it 
   resolves. The policy is a combination of encryption export controls and 
   a key escrow system by which the key to the code encrypting the         
   information is to be held by a third party (so it may be made available 
   to the government).                                                     
      We need to be honest about this situation. We don't expect most      
   narcotics traffickers, terrorists, or criminals to respect export       
   restrictions on encryption when they don't respect our underlying drugs 
   or weapons laws. And we don't generally expect anyone who employs       
   encryption in furtherance of a crime to readily give their keys to some 
   third party so they may be made available to the government.            
      The Administration maintains that there is a commercial need for key 
   recovery. While that may be true to some extent, there appears to be    
   little or no demand for the all-encompassing system they want to        
   mandate. Experts have uniformly concluded the government's proposed     
   system is either excessively costly and complex or insecure. In part,   
   this is true because the government seeks access to real-time           
   communications and data transmissions, rather than the ability to       
   recover stored data.                                                    
      The Administration insists it doesn't want domestic restrictions on  
   encryption. We are concerned, however, that the Administration policy   
   does have this effect. Development of software programs, including those
   utilizing encryption, occurs at an amazingly rapid pace, so it is not   
   feasible for computer software and hardware companies to develop        
   separate products for export and for domestic use. As a result, as a    
   practical matter, only products that are exportable, with weaker        
   encryption or with government-approved key recovery-escrow, can be      
   marketed at present.                                                    
      We fear that current encryption policy, encouraging as it does weaker
   encryption, makes every American more vulnerable to illicit or          
   surreptitious access to our computer files, our phone conversations, and
   personal information, and thus exposes our citizens to hackers,         
   terrorists, and thieves. It is ironic that what is trumpeted as an aid  
   to law enforcement may instead                                          
          compromise individual and corporate security.                           
      What we have here is not only a combination of export controls and a 
   key recovery system that does not work, we have a system that           
   compromises the competitiveness and security of this nation's software  
   and hardware industry, as well as our privacy rights. As conceded by    
   Administration witnesses, the proposed key recovery system can succeed  
   only as long as there is no non-conforming encryption software readily  
   available in the market. But there is already an abundance of such      
   software, some of it freeware, that is readily available over the       
   Internet.                                                               
      The proposed key recovery system can not work unless the United      
   States persuades every other nation to adopt key recovery. We can safely
   say we are unlikely to obtain the agreement of Libya, Iran, Iraq, or    
   North Korea. In addition, the efforts to date of David Aaron, U.S.      
   Ambassador to the Organization for Economic Cooperation and Development 
   (OECD), to obtain a consensus in support of key recovery resulted       
   instead in a consensus opposing it.                                     
      The Administration's policy has therefore been a strong market       
   incentive:                                                              
       (a) for non-participants (in the Administration's key escrow        
   program) to make non-standard, secure encryption available, and         
       (b) for U.S. companies to set up abroad in ``encryption havens'' so 
   they may legally market strong, secure encryption products to customers 
   who decline to make their ``international key'' available to diverse    
   governments around the world.                                           
    There are already U.S. companies establishing ties with foreign       
  companies in Japan, Russia, and elsewhere.                              
      Nor is this policy without its cost. It is estimated that, if the    
   U.S. persists in its current policy through the year 2000, we shall lose
   200,000 jobs and $60 billion each year. This is what it will cost this  
   nation to lose the cryptography lead we enjoy and the competitive       
   expertise necessary to maintain our market position.                    
      Unfortunately, our discussions to date with law enforcement and      
   intelligence agencies have not admitted of the possibility of any       
   further relaxation of export restrictions as part of the broader process
   essential to resolving this complex question. Nor has the Administration
   offered to consider alternatives to its key escrow or key recovery      
   system.                                                                 
      H.R. 695 need not be the end of the process but the beginning of a   
   real dialogue. This is what we would like to happen. We continue to     
   remain hopeful that the Administration will acknowledge the shortcomings
   of its current policy and sincerely hope that this will happen soon lest
   more serious damage be done to our industry, to our security and to our 
   privacy.                                                                
     John Conyers,  Jr.                                                     
     Rick Boucher .                                                         
     Zoe Lofgren .                                                          
     Maxine Waters .                                                        
     William Delahunt .                                                     
     Martin T. Meehan .                                                     
                                                                        



NEWSLETTER
Join the GlobalSecurity.org mailing list