27 September 1997
Source: Hardcopy from Willis Ware, Chairman, Computer System Security and Privacy Advisory Board, who describes this document as "the FBI technical assistance draft."
See related document: http://jya.com/hr695-amend.htm
August 28, 1997
Legislation addressing encryption must respond to requirements for electronic security and privacy, for U.S. business competitiveness, and for public safety and national security. In the Senate, S 909, the "Secure Public Networks Act," responds to those requirements in a balanced manner.
This technical assistance draft embodies three changes to the approach taken in S 909 that would further enhance privacy interests, expand the ability of U.S. firms to export strong encryption, and better respond to the concerns of law enforcement.
August 28, 1997
To encourage and facilitate the creation of secure public networks for communication, commerce, education, medicine, and government.
IN THE HOUSE OF REPRESENTATIVES
Be it enacted by the Senate and the House of Representatives of the United States of America in Congress assembled,
SEC. 1. SHORT TITLE. -- This Act may be cited as the "Secure Public Networks Act."
SEC. 2. DECLARATION OF POLICY.
It is the policy of the United States to encourage and facilitate the creation of secure public networks for communication, commerce, education, research, medicine and government.
TITLE I - DOMESTIC USES OF ENCRYPTION
SEC. 101. LAWFUL USE OF ENCRYPTION.
Except as otherwise provided by this Act or otherwise provided by law, it shall be lawful for any person within any State to use any encryption, regardless of encryption algorithm selected, encryption key length chosen, or implementation technique or medium used.
SEC. 102. VOLUNTARY PRIVATE SECTOR PARTICIPATION IN KEY MANAGEMENT INFRASTRUCTURE.
The participation of private persons in key management infrastructures using registered certificate authorities or key recovery agents is voluntary.
SEC. 103. UNLAWFUL USE OF ENCRYPTION
Whoever knowingly encrypts data or communications in furtherance of the commission of a criminal offense for which the person may be prosecuted in a court of competent jurisdiction and may be sentenced to a term of imprisonment of more than one year shall, in addition to any penalties for the underlying criminal offense, be fined under title 18, United States Code, or imprisoned not more than five years, or both, for a first conviction or fined under title 18, United States Code, or imprisoned not more than ten years, or both, for a second or subsequent conviction. The mere use of encryption shall not constitute probable cause to believe that a crime is being or has been committed.
SEC. 104. PRIVACY PROTECTION.
(a) IN GENERAL. It shall be unlawful for any person to intentionally --
(1) obtain or use recovery information without lawful authority for the purpose of decrypting data or communications;
(2) exceed lawful authority in decrypting data or communications;
(3) break the encryption code of another person without lawful authority for the purpose of violating the privacy, security or property rights of that person;
(4) impersonate another person for the purpose of obtaining decryption information of that person without lawful authority;
(5) issue an encryption key to another person in furtherance of a crime; or
(6) disclose decryption information in violation of a provision of this Act; or
(b) CRIMINAL PENALTY. Any person who violates this section shall be fined under title 18, United States Code, or imprisoned not more than five years, or both.
SEC. 105. PUBLIC ENCRYPTION PRODUCTS AND SERVICES
(a) As of January 1, 1999, public network service providers offering encryption products or encryption services shall ensure that such products or services enable the immediate decryption of communications or electronic information encrypted by such products or services on the public network, upon receipt of a court order, warrant, or certification, pursuant to section 106, without the knowledge or cooperation of the person using such encryption products or services.
(b) As of January 1, 1999, it shall be unlawful for any person to manufacture for sale or distribution within the U.S., distribute within the U.S., sell within the U.S., or import into the U.S., any product that can be used to encrypt communications or electronic information, unless that product:
(1) includes features, such as key recovery, trusted third party compatibility or other means, that
(A) permit immediate decryption upon receipt of decryption information by an authorized party without the knowledge or cooperation of the person using such encryption product; and
(B) is either enabled at the time of manufacture, distribution, sale, or import, or may be enabled by the purchaser or end user; or
(2) can be used only on systems or networks that include features, such as key recovery, trusted third party compatibility or other means, that permit immediate decryption by an authorized party without the knowledge or cooperation of the person using such encryption product.
(c)(1) Within 180 days of the enactment of this Act, the Attorney General shall publish in the Federal Register functional criteria for complying with the decryption requirements set forth in this section.
(2) Within 180 days of the enactment of this Act, the Attorney General shall promulgate procedures by which data network service providers and encryption product manufacturers, sellers, re-sellers, distributors, and importers may obtain advisory opinions as to whether a decryption method will meet the requirements of this section.
(3) Nothing in this Act or any other law shall be construed as requiring the implementation of any particular decryption method in order to satisfy the requirements of paragraphs (a) or (b) of this section.
SEC. 106. RELEASE OF DECRYPTION INFORMATION TO GOVERNMENT AUTHORITIES
(a) A government entity may obtain decryption information:
(1) To determine the plaintext communications or electronic information it has obtained or is lawfully obtaining pursuant to a duly authorized warrant or court order, a subpoena authorized by Federal or State statute or rule, a certification issued by the Attorney General under the Foreign Intelligence Surveillance Act, or other lawful authority; or
(2) To permit that entity to comply with a request from a foreign government that the entity is authorized to execute under United States law.
(b) A key recovery agent shall disclose decryption information to a government entity upon receipt of:
(1)(A) A duly authorized warrant requiring the disclosure of the decryption information;
(B) a duly authorized warrant or court order authorizing interception of wire communications or electronic communications authorized under chapter 119 of Title 18, United States Code, or applicable State statute, or authorizing access to stored wire and electronic communications and transactional records under chapter 121 of Title 18, United States Code;
(C) a warrant or court order or certification issued by the Attorney General authorized under the Foreign Intelligence Surveillance Act, 50 United States Code 1801 et seq.; or
(D) a court order under subsection (c) of this section; and,
(2) if the warrant, court order, or certification directs the key recovery agent to disclose the decryption information.
(c) Upon receipt of an application in writing under oath or affirmation to a court of competent jurisdiction from an attorney for the government or a state investigative or law enforcement officer certifying (1) that the decryption information requested is relevant to an on-going law enforcement or counterintelligence investigation being lawfully conducted by the authority or agency, and (2) that the authority or agency is entitled to obtain decryption information under subsection (a) of this section, the court shall issue an ex parte order requiring the release of decryption information to the authority or agency.
(d) Nothing in this Act shall be construed to enlarge the circumstances under which a government entity is entitled to obtain communications or electronic information, other than decryption information.
SEC. 107. CIVIL RECOVERY.
(a) IN GENERAL. -- Except as otherwise provided in this Act, any person described in subsection (b) may in a civil action recover from the United States Government the actual damages suffered by the person as a result of a violation described in that subsection, a reasonable attorney's fee, and other litigation costs reasonably incurred.
(b) COVERED PERSONS. Subsection (a) applies to any person whose decryption information --
(1) is knowingly obtained without lawful authority by an agent of the United States Government from a key recovery agent or certificate authority registered under this Act;
(2) is obtained by an agent of the United States Government with lawful authority from a key recovery agent or certificate authority registered under this Act and is knowingly used or disclosed by an agent of the United States Government without lawful authority; or
(3) is obtained by an agent of the United States Government with lawful authority from a key recovery agent or certificate authority registered under this Act and is knowingly used to disclose decrypted information without lawful authority.
(c) LIMITATION. A civil action under this section shall be commenced not later than two years after the date on which the claimant first discovers the violation.
SEC. 108. USE AND DESTRUCTION OR RETURN OF DECRYPTED INFORMATION.
(a) AUTHORIZED USE OF DECRYPTED INFORMATION.
(1) IN GENERAL - A government entity to which decryption information is released in accordance with this Act may use the decryption information only for lawful purposes.
(2) LIMITATION - A government entity may not use decryption information obtained under this Act to determine the plaintext of any communication or electronic information unless it has lawful authority to obtain the communication or electronic information apart from this Act.
(b) RETURN OR DESTRUCTION OF INFORMATION - Upon completion of the use of decryption information obtained under this Act, the government entity concerned shall, unless otherwise required by law, destroy the information or return the information to the key recovery agent and shall make a record documenting such destruction or return.
(c) NOTICE - When a government entity destroys the decryption information, pursuant to this section, the government entity shall notify the key recovery agent.
SEC. 109. DISCLOSURE OR RELEASE OF DECRYPTION INFORMATION.
Except as otherwise authorized by this Act, a key recovery agent or other person may not disclose to any person the facts or circumstances of any release of decryption information pursuant to section 106, or of any requests therefor, unless under an order by a court of competent jurisdiction.
SEC. 110. NOTIFICATION TO RECIPIENTS OF DECRYPTION INFORMATION.
A key recovery agent or certificate authority who discloses decryption information shall --
(1) notify the recipient that decryption information is being disclosed; and
(2) specify which part of the information disclosed is decryption information.
TITLE II -- GOVERNMENT PROCUREMENT
SEC. 201. POLICY.
It is the policy of the United States Government to facilitate the creation of secure networks that permit the public to interact with the government through networks which protect privacy, the integrity of information, rights in intellectual property, and the personal security of network users.
SEC. 202. FEDERAL PURCHASES OF ENCRYPTION PRODUCTS.
After January 1, 1999, any encryption product purchased or otherwise procured by the United States Government to provide security service or data confidentiality for a federal computer system shall include a technique enabling immediate decryption by an authorized party without the knowledge or cooperation of the person using such encryption products or services.
SEC. 203. ENCRYPTION PRODUCT PURCHASED WITH FEDERAL FUNDS.
After January 1, 1999, any encryption product purchased directly with Federal funds to provide security service or data confidentiality for a federal computer system shall include a technique enabling immediate decryption by an authorized party without the knowledge or cooperation of the person using such encryption products or services unless the Secretary of Commerce, with concurrence of the Attorney General, determines implementing this requirement would not promote the purposes of this Act.
SEC. 204. NETWORKS ESTABLISHED WITH FEDERAL FUNDS.
After January 1, 1999, any communications network established with the use of federal funds shall use encryption products which include techniques enabling immediate decryption by an authorized party without the knowledge or cooperation of the person using such encryption products or services unless the Secretary of Commerce, with concurrence of the Attorney General, determines implementing this requirement would not promote the purposes of this Act.
SEC. 205. PRODUCT LABELS.
An encryption product may be labeled to inform users that the product is authorized for sale to or for use in transactions and communications with the United States Government under this title.
SEC. 206. NO PRIVATE MANDATE.
The United States Government may not mandate the use of encryption standards for the private sector other than for use with computer systems, networks or other systems of the United States Government, or systems or networks created using Federal funds.
SEC. 207. IMPLEMENTATION
(a) Nothing in this Title shall apply to encryption products and services used solely for access control, authentication, integrity, nonrepudiation, digital signatures, or other similar purposes.
(b) The Secretary in consultation with the Attorney General and other affected agencies may through rules provide for the orderly implementation of this Title and the effective use of secure public networks.
TITLE III -- EXPORT OF ENCRYPTION
SEC. 301. THE DEPARTMENT OF COMMERCE.
The Secretary of Commerce in consultation with other relevant executive branch agencies shall have jurisdiction over the export of commercial encryption products. The Secretary shall have the sole duty to issue export licenses on commercial encryption products consistent with the Export Administration Regulations. The Secretary's decisions with respect to exports of encryption products set forth in this title shall not be subject to judicial review.
SEC. 302. LICENSE EXCEPTION FOR CERTAIN ENCRYPTION PRODUCTS.
Encryption products that implement up to and including 56 bit DES or equivalent strength algorithms shall be exportable under a license exception, following a one time review, provided that the encryption product being exported does not include features that would otherwise require licensing under applicable regulations, is not destined for countries, end-users, or end-uses that the Secretary has determined by regulation are not ineligible to receive such products; and is otherwise qualified for export. The Secretary shall complete a license exception review under this section within thirty (30) working days of a properly filed license exception request.
SEC. 303. PRESIDENTIAL ORDER.
The encryption strength of encryption products that may be exported under section 302 of this Act shall be increased in accordance with recommendations of the Encryption Export Advisory Board under section 308(d), if the President determines that the increase is in the national interests of the United States and consistent with international obligations.
SEC. 304. LICENSE EXCEPTION FOR ENCRYPTION PRODUCTS THAT PERMIT INFORMATION RECOVERY.
(a) Encryption products shall be exportable under a license exception, following a one time review, without regard to the encryption algorithm selected or encryption key length chosen, when such encryption product includes features such as key recovery, trusted third party compatibility, or other means which would permit decryption of information or access to the plaintext of encrypted information by an authorized party without the knowledge or cooperation of the person using the product and such features are either enabled at the time of export or may be enabled by the purchaser or end-user.
(b) The Secretary shall complete a license review under this section to ensure such products contain the specified decryption or access features within thirty (30) calendar days of receipt of a properly filed application for a license exception completed in accordance with applicable regulations.
SEC. 305. LICENSE EXCEPTION FOR TELECOMMUNICATIONS PRODUCTS.
The Secretary shall authorize for export under a license exception, after a one time review, voice encryption products that do not contain decryption or access features as described in section 304 above if the Secretary determines that information recovery requirements for such exports would disadvantage United States exporters; and that such exports under license exception would not create a significant risk to the foreign policy, nonproliferation, or national security interests of the United States.
SEC. 306. EXPEDITED REVIEW FOR CERTAIN INSTITUTIONS.
The Secretary in consultation with other relevant executive branch agencies shall establish a procedure for expedited review of export license applications involving encryption products for use by qualified banks, financial institutions, subsidiaries of United States owned and controlled companies, or other users authorized by the Secretary.
SEC. 307. CRIMINAL PENALTIES.
Any person who exports an encryption product in violation of this title shall be fined under Title 18, United States Code or imprisoned for not more than five years.
SEC. 308. ENCRYPTION INDUSTRY AND INFORMATION SECURITY BOARD.
(a) ENCRYPTION INDUSTRY AND INFORMATION SECURITY BOARD ESTABLISHED. - There is hereby established an Encryption Export Advisory Board comprised of -
(1) the Secretary of Commerce, who shall chair the Board; and
(2) 8 individuals appointed by the President as follows:
(A) one representative from -
(i) the National Security Agency;
(ii) the Federal Bureau of Investigation;
(iii) the Central Intelligence Agency;
(iv) the Executive Office of the President; and
(v) 4 representatives drawn from the private sector who have expertise in the development, operation, or marketing of electronic data processing hardware and software.
(b) PURPOSES. - The purposes of the Board are -
(1) to provide a forum to foster communication and coordination between industry and the Federal Government on matters relating to the use of encryption products and the development of international key management infrastructures to support electronic commerce; and
(2) to evaluate and make recommendations with respect to -
(A) the development and use of encryption and the development of international standards regarding interoperability and use of such products;
(B) the foreign availability of comparable products from foreign countries; and
(C) increases in strength of encryption products which can be exported under section 302.
(c) MEETINGS. - The Board shall meet at such times and in such places as the Secretary may prescribe, but not less frequently than quarterly. The Federal Advisory Committee Act (5 U.S.C. App.) does not apply to the Board or to meetings held by the Board under subsection (d).
(d) RECOMMENDATIONS. - The chair of the Board shall convey recommendations of the Board to the President with respect to the appropriate level of encryption strength that may be exported under section 302. The Chair of the Board shall report to the President within 30 days after each meeting.
(e) FOREIGN AVAILABILITY. - The term "foreign availability" shall have the same meaning as that applied to foreign availability of encryption products under the Export Administration Regulations. The consideration of foreign availability by the Board shall include computer software that is distributed via the Internet or widely offered for sale, license, or transfer (without regard to whether it is offered for consideration), including over-the-counter retail sales, mail order transactions, telephone order transactions, electronic distribution, or sale on approval.
TITLE IV -- VOLUNTARY REGISTRATION SYSTEM
SEC. 401. VOLUNTARY USE OF CERTIFICATE AUTHORITIES AND KEY RECOVERY AGENTS.
Nothing in this Act may be construed to require a person, in encrypted communications between private persons within the United States, to -
(a) use an encryption product or service that enables decryption without the knowledge or cooperation of the person using such encryption products or services;
(b) use a public key issued by a certificate authority registered under this Act; or
(c) entrust key decryption information with a key recovery agent registered under this Act.
SEC. 402. REGISTRATION OF CERTIFICATE AUTHORITIES.
(a) AUTHORITY TO REGISTER. -- The Secretary or the Secretary's designee may register any private person, entity, government entity, or foreign government agency to act as a certificate authority if the Secretary determines that the person, entity or agency meets such standards relating to security in and performance of the activities of a certificate authority registered under this Act.
(b) AUTHORIZED ACTIVITIES OF REGISTERED CERTIFICATE AUTHORITIES. --
(1) A certificate authority registered under this section may issue public key certificates which may be used to verify the identity of a person engaged in electronic communications for such purposes as authentication, integrity, nonrepudiation, digital signature, and other similar purposes.
(2) A certificate authority registered under this section may issue public key certificates which may be used for encryption.
(3) The Secretary shall not, as a condition of registration under this Act, require any certificate authority to store with a third party information used solely for the purposes in subparagraph (b)(1) of this section.
(c) CONDITION, MODIFICATION AND REVOCATION OF REGISTRATION. The Secretary may condition, modify or revoke the registration of a certificate authority under this section if the Secretary determines that the certificate authority has violated any provision of this Act, or any regulations thereunder, or for any other reason specified in such regulations.
(d) REGULATIONS. -
(1) REQUIREMENT. - The Secretary in consultation with other relevant executive branch agencies shall prescribe regulations relating to certificate authorities registered under this section. The regulations shall be consistent with the purposes of this Act.
(2) ELEMENTS. - The regulations prescribed under this subsection shall -
(A) establish requirements relating to the practices of certificate authorities, including the basis for the modification or revocation of registration under subsection (c);
(B) specify reasonable requirements for public key certificates issued by certificate authorities which requirements shall meet generally accepted standards for such certificates;
(C) specify reasonable requirements for record keeping by certificate authorities;
(D) specify reasonable requirements for the content, form, and sources of information in disclosure records of certificate authorities, including the updating and timeliness of such information, and for other practices and policies relating to such disclosure records; and
(E) otherwise give effect to and implement the provisions of this Act relating to certificate authorities.
SEC. 403. REGISTRATION OF KEY RECOVERY AGENTS.
(a) AUTHORITY TO REGISTER. -- The Secretary or the Secretary's designee may register a private person, entity, or government entity to act as a key recovery agent if the Secretary determines that the person or entity possesses the capability, competency, trustworthiness, and resources to --
(1) safeguard sensitive information;
(2) carry out the responsibilities set forth in subsection (b); and
(3) comply with such regulations relating to the practices of key recovery agents as the Secretary shall prescribe.
(b) RESPONSIBILITIES OF KEY RECOVERY AGENTS. - A key recovery agent registered under subsection (a) shall, consistent with any regulations prescribed under subsection (a), establish procedures and take other appropriate steps to -
(1) ensure the confidentiality, integrity, availability, and timely release of recovery information held by the key recovery agent;
(2) protect the confidentiality of the identity of the person or persons for whom the key recovery agent holds recovery information;
(3) protect the confidentiality of lawful requests for recovery information, including the identity of the individual or government entity requesting recovery information and information concerning access to and use of recovery information by the individual or entity; and
(4) carry out the responsibilities of key recovery agents set forth in this Act and the regulations thereunder.
(c) CONDITION, MODIFICATION OR REVOCATION OF REGISTRATION. - The Secretary may condition, modify or revoke the registration of a key recovery agent under this section if the Secretary determines that the key recovery agent has violated any provision of this Act, or any regulations thereunder, or for any other reason specified in such regulations.
(d) REGULATIONS. -- The Secretary in consultation with other relevant executive branch agencies shall prescribe regulations relating to key recovery agents registered under this section. The regulations shall be consistent with the purposes of this Act.
SEC. 404. DUAL REGISTRATION AS KEY RECOVERY AGENT AND CERTIFICATE AUTHORITY.
Nothing in this Act shall be construed to prohibit the registration as a certificate authority under section 402 of a person or entity registered as a key recovery agent under section 403.
SEC. 405. PUBLIC KEY CERTIFICATES FOR ENCRYPTION KEYS.
The Secretary or a Certificate Authority for Public Keys registered under this Act may issue to a person a public key certificate that certifies a public key that can be used for encryption only if the person:
(a) stores with a key recovery agent registered under this Act sufficient information, as specified by the Secretary in regulations, to allow for the immediate lawful decryption of that person's encrypted data or communications without the knowledge or cooperation of the person using such encryption products or services; or
(b) makes other arrangements, approved by the Secretary pursuant to regulations promulgated in concurrence with the Attorney General, that assure the immediate lawful decryption of that person's encrypted data or communications without the knowledge or cooperation of the person using such encryption products or services.
SEC. 406. DISCLOSURE OF DECRYPTION INFORMATION.
Except as otherwise provided in section 105 of this Act, a key recovery agent may not disclose decryption information stored with the key recovery agent by a person unless the disclosure is --
(a) to the person, or an authorized agent thereof;
(b) with the consent of the person, including pursuant to a contract entered into with the person;
(c) pursuant to a court order upon a showing of compelling need for the information that cannot be accommodated by any other means if -
(1) the person who supplied the information is given reasonable notice, by the person seeking the disclosure, of the court proceeding relevant to the issuance of the court order; and
(2) the person who supplied the information is afforded the opportunity to appear in the court proceeding and contest the claim of the person seeking the disclosure;
(d) pursuant to a determination by a court of competent jurisdiction that another person is lawfully entitled to hold such decryption information, including determinations arising from legal proceedings associated with the incapacity, death, or dissolution of any person; or
(e) otherwise permitted by a provision of this Act or otherwise permitted by law.
SEC. 407. CRIMINAL ACTS.
(a) IN GENERAL. - It shall be unlawful for -
(1) a certificate authority registered under this Act, or an officer, employee, or agent thereof, to intentionally issue a public key certificate in violation of this Act;
(2) any person to intentionally issue what purports to be a public key certificate issued by a certificate authority registered under this Act when such person is not a certificate authority registered under this Act;
(3) any person to fail to revoke what purports to be a public key certificate issued by a certificate authority registered under this Act when such person knows that the issuing person is not such a certificate authority and has the power to revoke a public key certificate;
(4) any person to intentionally issue a public key certificate to a person who does not meet the requirements of this Act or the regulations prescribed thereunder; or
(5) any person to intentionally apply for or obtain a public key certificate under this Act knowing that the person to be identified in the public key certificate does not meet the requirements of this Act or the regulations thereunder.
(b) CRIMINAL PENALTY. - Any person who violates this section shall be fined under title 18, United States Code, or imprisoned not more than five years, or both.
TITLE V -- LIABILITY LIMITATIONS
SEC. 501. NO CAUSE OF ACTION FOR COMPLYING WITH GOVERNMENT REQUESTS.
No civil or criminal liability under this Act, or under any other provision of law, shall attach to any key recovery agent, or any officer, employee, or agent thereof, or any other persons specified by the Secretary in regulations, for disclosing recovery information or providing other assistance to a government entity in accordance with sections 106 and 406 of this Act.
SEC. 502. COMPLIANCE DEFENSE.
Compliance with the provisions of this Act and the regulations thereunder is a complete defense for certificate authorities and key recovery agents registered under this Act to any noncontractual civil action for damages based upon activities regulated by this Act.
SEC. 503. REASONABLE CARE DEFENSE.
The use by any person of a certificate authority or key recovery agent registered under this Act shall be treated as evidence of reasonable care or due diligence in any judicial or administrative proceeding where the reasonableness of the selection of the authority or agent, as the case may be, or of encryption products, is a material issue.
SEC. 504. GOOD FAITH DEFENSE.
A good faith reliance on legal authority requiring or authorizing access to decryption information under this Act, or any regulations thereunder, is a complete defense to any criminal action brought under this Act or any civil action.
SEC. 505. LIMITATION ON FEDERAL GOVERNMENT LIABILITY.
Except as otherwise provided in this Act, the United States shall not be liable for any loss incurred by any individual or entity resulting from any violation of this Act or the performance or nonperformance of any duties under any regulation or procedure established by or under this Act, nor resulting from any action by any person who is not an official or employee of the United States.
SEC. 506. CIVIL ACTION
A civil action may be brought against a key recovery agent, a certificate authority whether registered under this Act or not, as well as any other person who violates or acts in a manner which is inconsistent with this Act.
TITLE VI -- INTERNATIONAL AGREEMENTS
The President may conduct negotiations with other countries for the purpose of mutual recognition of key recovery agents and certificate authorities and to safeguard privacy and prevent commercial espionage. The President may consider a country's refusal to negotiate such mutual recognition agreements when considering the participation of the United States in any cooperation or assistance program with that country. The President shall report to the Congress the status of international efforts regarding cryptography by December 31, 1999.
TITLE VII -- GENERAL AUTHORITY AND CIVIL PENALTIES
SEC. 701. GENERAL AUTHORITY AND CIVIL REMEDIES.
(a) AUTHORITY TO SECURE INFORMATION. - To the extent necessary or appropriate to the enforcement of this Act or any regulations thereunder, the Secretary may make investigations, obtain information, take sworn testimony, and require reports or the keeping of records by, and make inspection of the books, records, and other writings, premises or property of any person.
(b) INVESTIGATIONS. - (1) APPLICABLE AUTHORITIES. - In conducting investigations under subsection (a) the Secretary may, to the extent necessary or appropriate to the enforcement of this Act and subject to such requirements as the Attorney General shall prescribe, exercise such authorities as are conferred upon the Secretary by other laws of the United States.
(2) ADDITIONAL AUTHORITY. - In conducting such investigations, the Secretary may administer oaths or affirmations and may by subpoena require any person to appear and testify or to appear and produce books, records, and other writings, or both.
(3) WITNESSES AND DOCUMENTS. --(A) IN GENERAL -- The attendance of witnesses and the production of documents provided for in this subsection may be required in any State at any designated place.
(B) WITNESS FEES -- Witnesses summoned shall be paid the same fees and mileage that are paid to witnesses in the courts of the United States.
(4) ORDERS TO APPEAR. -- In the case of contumacy by, or refusal to obey a subpoena issued to any person pursuant to this subsection, the district court of the United States for the district in which such person is found, resides, or transacts business, upon application by the United States and after notice to such person, shall have jurisdiction to issue an order requiring such person to appear and give testimony before the Secretary or to appear and produce documents before the Secretary, or both, and any failure to obey such order of the court may be punished by such court as a contempt thereof.
(c) AUTHORITY OF THE ATTORNEY GENERAL. - Nothing in this section shall limit the authority of the Attorney General to investigate any violation of this Act or any regulations thereunder.
SEC. 702. CIVIL PENALTIES.
(a) AUTHORITY TO IMPOSE CIVIL PENALTIES. - (1) IN GENERAL. - The Secretary may, after notice and an opportunity for an agency hearing on the record in accordance with sections 554 through 557 of title 5, United States Code, impose a civil penalty of not more than $100,000 for each violation of this Act or any regulation thereunder either in addition to or in lieu of any other liability or penalty which may be imposed for such violation.
(2) CONSIDERATION REGARDING AMOUNT. -- In determining the amount of the penalty, the Secretary shall consider the risk of harm to law enforcement, public safety, and national security, the risk of harm to affected persons, the gross receipts of the charged party, and the willfulness of the violation.
(3) LIMITATION. -- Any proceeding in which a civil penalty is sought under this subsection may not be initiated more than 5 years after the date of the violation.
(4) JUDICIAL REVIEW. -- The imposition of a civil penalty under paragraph (1) shall be subject to judicial review in accordance with sections 701 through 706 of title 5, United States Code.
(b) RECOVERY. - (1) IN GENERAL. - A civil penalty under this section, plus interest at the currently prevailing rates from the date of the final order, may be recovered in an action brought by the Attorney General on behalf of the United States in the appropriate district court of the United States. In such action, the validity and appropriateness of the final order imposing the civil penalty shall not be subject to review.
(2) LIMITATION. - No action under this subsection may be commenced more than 5 years after the order imposing the civil penalty concerned becomes final.
SEC. 703. INJUNCTIONS.
The Attorney General may bring an action to enjoin any person from committing any violation of any provision of this Act or any regulation thereunder.
SEC. 704. JURISDICTION.
The district courts of the United States shall have original jurisdiction over any action brought by the Attorney General under this title.
TITLE VIII -- RESEARCH AND MONITORING
SEC. 801. INFORMATION SECURITY BOARD.
(a) REQUIREMENT TO ESTABLISH. - The President shall establish an advisory board to be known as the Information Security Board (in this section referred to as the 'Board').
(b) MEMBERSHIP. - The Board shall be composed of -
(1) such number of members as the President shall appoint from among the officers or employees of the Federal Government involved in the formation of United States policy regarding secure public networks, including United States policy on exports of products with information security features; and
(2) a number of members equal to the number of members under paragraph (1) appointed by the President from among individuals in the private sector having an expertise in information technology or in law or policy relating to such technology.
(c) MEETINGS. - The Board shall meet not less often than once each year.
(d) DUTIES. - The Board shall review available information and make recommendations to the President and Congress on appropriate policies to ensure -
(1) the security of networks;
(2) the protection of intellectual property rights in information and products accessible through computer networks;
(3) the promotion of exports of software, hardware, and telecommunications products produced in the United States;
(4) the national security, effective law enforcement, and public safety interests of the United States related to communications networks; and
(5) the protection of the interests of Americans in the privacy of data and communications.
SEC. 802. COORDINATION OF ACTIVITIES ON SECURE PUBLIC NETWORKS.
In order to meet the purposes of this Act, the President shall --
(a) ensure a high level of cooperation and coordination between the departments and agencies of the Federal Government in the formation and discharge of United States policy regarding secure public networks; and
(b) encourage cooperation and coordination between the Federal Government and State and local governments in the formation and discharge of such policy.
SEC. 803. NETWORK RESEARCH.
It shall be a priority of the Federal Government to encourage research to facilitate the creation of secure public networks which satisfy privacy concerns, national security interests, effective law enforcement requirements, and public safety needs.
SEC. 804. ANNUAL REPORT.
(a) REQUIREMENT. - The Department of Commerce shall, in consultation with other Federal departments and agencies, submit to Congress and the President each year a report on developments in the creation of secure public networks in the United States.
(b) ELEMENTS. - The report shall discuss developments in encryption, authentication, identification, and security on communications networks during the year preceding the submittal of the report and may include recommendations on improvements in United States policy to such matters.
SEC. 805. NATIONAL PERFORMANCE REVIEW.
The National Performance Review shall evaluate the progress of federal efforts to migrate government services and operations to secure public networks.
SEC. 806. EDUCATION NETWORKS.
The Department of Education, in cooperation with the Department of Commerce and the Federal Communications Commission and the Joint Board established by the Department of Education, shall evaluate technical, educational, legal and regulatory standards for distance learning via secure public networks.
TITLE IX -- WAIVER AUTHORITY
SEC. 901. WAIVER AUTHORITY.
(a) AUTHORITY TO WAIVE. - The President may by executive order waive provisions of this Act, or the applicability of any such provision to a person or entity, if the President determines that the waiver is in the interests of national security, or domestic safety and security.
(b) REPORT. -- Not later than 15 days after each exercise of authority provided in subsection (a), the President shall submit to Congress a report on the exercise of the authority, including the determination providing the basis of the exercise of the authority. The report shall explain the grounds of the President's action with specificity and be submitted in unclassified and classified form.
TITLE X -- MISCELLANEOUS PROVISIONS
SEC. 1001. REGULATION AND FEES.
(a) REGULATIONS. - The Secretary shall, in consultation with the Secretary of State, the Secretary of Defense, and the Attorney General and after notice to the public and opportunity for comment, prescribe any regulations necessary to carry out this Act.
(b) FEES. - The Secretary may provide in the regulations prescribed under subsection (a) for the imposition and collection of such fees as the Secretary considers appropriate for purposes of this Act.
SEC. 1002. INTERPRETATION.
Nothing contained in this Title shall be deemed to:
(a) pre-empt or otherwise affect the application of the Arms Export Control Act (22 U.S.C. 2751 et seq.), the Export Administration Act of 1979, as amended (50 U.S.C. app. 2401-2420), and the International Emergency Economic Powers Act (50 U.S.C. 1701-1706), or any regulations promulgated thereunder;
(b) affect intelligence activities outside the United States; or
(c) weaken any intellectual property protection.
SEC. 1003. SEVERABILITY.
If any provision of this Act, or the application thereof, to any person or circumstances is held invalid, the remainder of this Act, and the application thereof, to other persons or circumstances shall not be affected thereby.
SEC. 1004. AUTHORIZATION OF APPROPRIATIONS.
There are hereby authorized to be appropriated to the Secretary of Commerce for fiscal years 1998, 1999, 2000, 2001, and 2002 such sums as may be necessary to carry out responsibilities under this Act.
SEC. 1005. DEFINITIONS.
For purposes of this Act:
(a) CERTIFICATE AUTHORITY. - The term "certificate authority" means a person trusted by one or more persons to create and assign public key certificates.
(b) COURT OF COMPETENT JURISDICTION. - The term "court of competent jurisdiction" means (A)[sic] a district court of the United States (including a magistrate of such a court) or a United States Court of Appeals; or
(B)[sic] a court of general criminal jurisdiction of a State authorized by the law of that State to enter orders authorizing searches.
(c) COMMUNICATIONS. - The term "communications" includes the meaning given the terms wire communication and electronic communication in sections 2510(1) and 2510(12) of Title 18, United States Code.
(d) DECRYPTION. - The term "decryption" means the electronic retransformation of data (including communications) that has been encrypted into the data's original form. To "decrypt" is to perform decryption.
(e) DECRYPTION INFORMATION. - The term "decryption information" means a key or other information that can be used to decrypt the encrypted electronic information or communications of a person.
(f) DIGITAL SIGNATURE. - The term "digital signature" means a method of signing electronic information using public key encryption that certifies that the document was originated or "signed" by a specific person or organization. It can also be used to verify the integrity of the document.
(g) ELECTRONIC INFORMATION. - The term "electronic information" means any signs, signals, writing, images, sounds, data, or intelligence of any nature stored in whole or in part by a wire, radio, electromagnetic, photo-electronic, or photo-optical system.
(h) ELECTRONIC STORAGE. - The term "electronic storage" has the meaning given that term in section 2510(17) of title 18, United States Code.
(i) ENCRYPTION. - The term "encryption" means the electronic transformation of data (including communications) in order to hide its information content. To "encrypt" is to perform encryption. The term does not include techniques used for such purposes as authentication, integrity, nonrepudiation, digital signature, and other similar purposes.
(j) ENCRYPTION PRODUCT. - The term "encryption product" includes any product, software, or technology used to encrypt and decrypt electronic messages and any product, software, or technology with encryption capabilities.
(k) FEDERAL COMPUTER SYSTEM. - The term "federal computer system" has the meaning given such term at 15 U.S.C. 278(a) - 3(d).
(l) FOREIGN AVAILABILITY. - The term "foreign availability" shall have the same meaning as that applied to foreign availability of encryption products subject to controls under the Export Administration Regulations.
(m) GOVERNMENT ENTITY. - The term "government entity" means the Government of the United States and any agency or instrumentality thereof, a State or political subdivision of a State, the District of Columbia, or a commonwealth, territory, or possession of the United States.
(n) KEY. - The term "key" means a parameter, or a component thereof, used with an algorithm to validate, authenticate, encrypt, or decrypt data or communications.
(o) KEY RECOVERY AGENT. - The term "key recovery agent" means a person trusted by another person or persons to hold and maintain sufficient decryption information to allow for the immediate decryption of the encrypted data or communications of another person or persons for whom that information is held, and who holds and maintains that information as a business or governmental practice, whether or not for profit. The term "key recovery agent" includes any person who holds the person's own decryption information.
(p) PERSON. - The term "person" means any individual, corporation, company, association, firm, partnership, society, or joint stock company.
(q) PLAINTEXT. - The term "plaintext" refers to electronic information (including communications) that has not been encrypted or, if encrypted, has been decrypted.
(r) PUBLIC KEY. - The term "public key" means, for cryptographic systems that use different keys for encryption and decryption, the key that is intended to be publicly known.
(s) PUBLIC KEY CERTIFICATE. - The term "public key certificate" means information about a public key and its user, particularly including information that identifies that public key with its user, which has been digitally signed by the person issuing the public key certificate, using a private key of the issuer.
(t) PUBLIC NETWORK SERVICE PROVIDER. - The term "public network service provider" means a person offering any service to the general public which provides to the users thereof the ability to transmit or receive communications or electronic information.
(u) SECRETARY. -- The term "Secretary" means the Secretary of Commerce.
(v) STATE. -- The term "State" has the meaning given the term in section 2510(3) of title 18, United States Code.
(w) TELECOMMUNICATIONS SYSTEM. - The term "telecommunications system" means any equipment and related software used in the movement, switching, interchange, transmission, or reception of data or information over wire, fiber optic, radio frequency, or other medium.
Digitized and hypertexted by JYA/Urban Deadline.