Adam White Scoville
fnAJanuary 14, 1998
II. Strong Encryption Backers Grow More Confident of Legal, Political Support
III. FBI and NSA Raise Demands for Encryption Restrictions
IV. Conclusion
Appendix A: Comparison Matrix for Bills Relaxing Encryption Restrictions
Appendix B: Comparison Matrix for Bills Increasing Restrictions on
Encryption
I. Introduction
In late 1997, at least six bills or amendments on the use of encryption were either introduced or circulated in draft form. Seven congressional committees considered encryption legislation. A clear trend is emerging from these developments. Law enforcement and national security interests favoring restrictions on encryption are quickly growing further apart from civil liberties groups and computer and telecommunications industry associations favoring liberalization of encryption rules. The rifts have grown wide enough to induce at least one interested group to predict that no satisfactory compromise could imminently be possible and to cease advocating the passage of encryption legislation in the short term. This article surveys the current landscape of the encryption debate, and analyzes the major legislative proposals. By identifying their major provisions and policy decisions rather than advocating a particular solution, this article attempts to be a resource for those involved in the ongoing encryption debate.
II. Strong Encryption Backers Grow More Confident of Legal, Political Support
The Security and Freedom through Encryption (SAFE) bill, one of the bills under consideration, specifies that the Commerce Department have jurisdiction over the export of encryption products, except where the product is specifically for military use.[1] SAFE also explicitly exempts several types of products from controls, for example, generally available software, public domain software, or products comparable to one available from a foreign supplier. In a concession to law enforcement interests, the bill includes a provision by which the use of encryption "in the furtherance" of a crime would be punishable with a sentence of five years for the first offense and ten years for subsequent offenses. In comparison to other liberalizing bills, this provision has drawn criticism from those advocating the loosened controls. Such critics are uncomfortable with criminalizing the use of encryption because encryption is predicted to be critical to and ubiquitous in the impending information society. Criminal penalties are aimed at the pedophiles and Cali cartels of the world. However, a light sentence other relatively minor crimes (filing improper tax returns, for example) could expand totally out of proportion with its severity if encryption was in any way involved (such as if supporting data was encrypted while being sent to a tax preparer).
Another bill, titled the Protection of Commerce Online in the Digital Era
(ProCODE), prohibits several forms of governmental controls of encryption.[2] Under ProCODE, the government cannot regulate or set standards other than for
federal computer systems. The government also cannot set export controls or
regulate the interstate commerce in products solely because they include
encryption. Unlike SAFE, ProCODE does not include any criminal penalties.
Hence, it is the preferred solution of the most hard-line elements of the
on-line community.
S. 376, the Encrypted Communications Privacy Act, has thus far received little attention. However, it is the preferred bill of perhaps the most active voice in Congress on internet issues, Senator Patrick Leahy of Vermont, who is its sponsor (incidentally, the bill was named, and is nicknamed ECPA II, in deference to ECPA, the Electronic Communications Privacy Act of 1986, Pub.L. 99-508, of which Leahy was a sponsor). Similar to SAFE, ECPA II not only declares the freedom to use and sell strong encryption products, it also contains criminal penalties for encryption use.[3] ECPA II's penalties, however, are narrower in that they apply only where encryption is used to obstruct, impede or prevent the communication of information to law enforcement in furtherance of a felony. ECPA II is unique among the liberalizing bills in that it explicitly deals with the responsibilities, liabilities and standards for the provision of keys or decryption assistance to law enforcement. Although ECPA II does not require or encourage key recovery, it recognizes that in some cases, entities will turn voluntarily to key recovery solutions to prevent the irretrievable loss of critical data if an employee holding a key is killed, for example, or if she leaves her employer suddenly on bad terms. The bill requires a court order, pursuant to a judicial finding that a) provision of the key or decryption assistance is necessary to obtain the plaintext (e.g. that the plaintext cannot be obtained in any other way) and b) that the government entity is entitled to the information under the wiretap law or ECPA (I) (18 U.S.C. Chapter 119, 121 or section 2703, respectively) or other authorizing law. The bill also sets controls on the disclosure of information and the destruction of key information when the order expires. Finally, the bill sets a tough standard for the provision of decryption information to a requesting foreign government. It requires not only that the foreign country be authorized to intercept the information under its own law, but also that its law provides adequate protection of privacy rights, and that the conduct under investigation would be a violation of U.S. criminal law. The civil damages obtainable for unauthorized disclosures are weighted to deter law enforcement abuses. These damages include lost profits and statutory damages, as well as attorneys' fees, costs and the possibility of punitive damages in some cases.
Notwithstanding the fact that ECPA II and ProCODE have been discussed in hearings, they have not widely been considered viable candidates for passage in the Senate, due in part to the progress of the opposing McCain-Kerrey bill. This may be changing, however, for the Senate Majority Leader Trent Lott (R-MI) recently stated in the Congressional Record that the approach of Senator Conrad Burns (R-MO) "has always been fair and equitable, attempting to balance industry wants with law enforcement requirements." [4] It is unclear, however, whether Lott referred to ProCODE, which is Burns' original proposal, or a compromise proposal Burns made before the Senate Commerce Committee in an attempt to stave off passage of McCain-Kerrey. SAFE, on the other hand, is the primary piece of encryption legislation in the House of Representatives and has been considered by five House Committees (Judiciary, International Relations, National Security, Intelligence and Commerce). SAFE gained its powerful momentum from the fact that at approximately 250 members of Congress are currently co-sponsors of the bill. Assuming that these co-sponsors continue to support the bill substantially as written - there are indications that this may not be - SAFE may still not pass. Without any additional votes from members not co-sponsoring the bill, the 250 votes will still fall shy of the two-thirds majority necessary for the override of a threatened presidential veto.
The House committees, when considering the SAFE bill, made, on the whole, only minor amendments to it. The exceptions were the National Security and Intelligence committees, which rewrote the bill to make it tighten regulations. The Commerce committee, attempted more concretely to address law enforcement concerns without fundamentally altering the bill. Their changes included first a doubling of the criminal penalty for the use of encryption in furtherance of a crime, and the specification that any licensure system for encryption products cannot require key escrow. Second, the amendment provided sturdy liability exemptions for persons providing law enforcement access to keys or plaintext. Finally, the amendment would have established a center to study ways of effectively decrypting data. The Committee mandated a) studies both on the possible impact of a mandatory key recovery system, and on impediments in other countries to trade in encryption technologies, and b) regular reports to Congress of instances where encryption has interfered with the enforcement of federal criminal laws. Assuming arguendo that a political compromise is possible, the Commerce committee's version of SAFE might provide the model. The amendment provides stringent, but not fundamentally coercive disincentives for antisocial uses of encryption - perhaps, however, the broad sweep of the criminal penalties could be narrowed slightly by making them apply only to non-key recovery encryption. Alternatively, the tighter language from ECPA II might be incorporated. The amendment also demonstrates genuine efforts to compensate for the inability to decrypt encrypted communications without compromising the security of the system.
Outside the halls of the Capitol, crypto friends and foes alike were startled
by the decision of Judge Marilyn Hall Patel, a federal district court judge for
the Northern District of California, that encryption software is protectable
first amendment speech and that the controls forbidding its export are
unconstitutional.[5] Bernstein v. U.S. Department Of State involved a professor who had developed an
encryption algorithm which he wished to publish in a book, along with a
diskette containing the source code for the algorithm. The State Department
ruled that the software was subject to export restrictions because, as an
algorithm with a key length greater than 40 bits, it was a "munition" under
ITAR (International Traffic in Arms Regulations). Reiterating her earlier
decision in the case that encryption software is expressive speech, Judge Patel
observed that "the most common expressive activities of scholars -- teaching a
class, publishing their ideas, speaking at conferences, or writing to
colleagues over the Internet -- are subject to a prior restraint by the export
controls when they involve cryptographic source code or computer programs."
Certain aspects of the export regulations seemed particularly to disturb the court. First, the Court attacked those provisions, on the one hand, which exempt cryptographic source code published in book form, while on the other hand, restricting the same source code when embodied in an electronic text file on a disk. Becoming one of the first courts to interpret Reno v. ACLU, Judge Patel interpreted the landmark decision as decreeing "the distinction between print and electronic media increasingly untenable" with regard to the protection afforded by the First Amendment.[6] "[N]ational security alone is insufficient without more" to justify a prior restraint on speech, Patel further decided. She cited in support of this holding a majority of justices in the splintered opinions of the Pentagon Papers case.[7] Third, Patel decided that some form of judicial review would be necessary to support a prior restraint on the export of cryptographic software.
Judge Patel suggested, however, a possible constitutional method for regulating encryption exports: regulation on the basis its "secondary effects." Although this exception has only been applied to restrictions on sexually explicit speech, in such cases as Young v. American Mini-Theaters, Inc. and Renton v. Playtime Theaters, Inc., zoning ordinances aimed at curbing the blight, crime and reduced property values caused by porn shops have been upheld.[8] Despite the fact that Reno v. ACLU rejected this line of cases as an analogy for content restrictions on the internet as a whole, such secondary effect regulation might be more apt where applied to a concrete technology with specifically identifiable effects. The Bernstein case was granted an expedited appeal to the Ninth Circuit and was argued before a three judge panel of that court on December 8, 1997. Observers have suggested there is a strong likelihood of the decision being overturned, if not by the circuit court, then by the Supreme Court which has, of late, been in particular disagreement with the decisions of the Ninth Circuit. However, at the appellate arguments, the justices reportedly were skeptical about the government's argument that the regulations do not stifle speech because they merely regulate one possible medium for that expression.[9]
In addition to domestic developments on the judicial and legislative fronts, the European Commission issued a communique on October 8, which advocated a policy for member nations regarding the use of encryption for commerce and security.[10] While concerned with the recognition of encryption techniques for digital signatures and the regulation of Certificate Authorities for authentication purposes, the communique concurrently addressed encryption used for security and the balance of commercial, privacy and law enforcement concerns about its proliferation. It must be noted, however, that the Commission does not itself have jurisdiction over export controls in Europe.
For years, U.S. proponents of strong cryptography have argued that encryption controls would be ineffective because foreign vendors would be able to offer comparable products, thus creating an opportunity for foreign software companies to chip away at U.S. domination of the software industry. Seemingly expressing the EC's willingness to leap at that opportunity, one of the goals in issuing the communique was that of "stimulating a European industry for cryptographic services and products." The EC feels that growing demand for encryption products "provides substantial opportunities for the industry and job creation in Europe," and that, "The exclusive character of encryption [as both a military-dominated and U.S.-dominated technology] belongs to the past."
Most importantly, the communique stated a very different opinion from that of the Clinton Administration concerning whether encryption controls could be effective at all. Citing several widely circulated reports on the technical weaknesses of key recovery systems and the ineffectiveness of encryption controls, the Commission found that, "Any involvement of a third party in confidential communication increases its vulnerability." The communique came to the conclusion that "restricting the use of encryption could well prevent law-abiding companies and citizens from protecting themselves against criminal attacks. It would not however prevent... criminals from using these technologies."
These limitations, while down-played by the Clinton Administration, are not news. The U.S. government has responded by pressing all the more strongly for encryption controls and law enforcement access in order to increase the likelihood that the benefits would outweigh the disadvantages. This is another respect in which the EC differed with the U.S. The Commission suggests that a minimalist approach to regulation is necessary. "National restrictions must respect the principle of proportionality (be appropriate, effective and not go beyond what is necessary for attaining the objective pursued)." To this end, the communique also discusses other ways of obtaining adequate intelligence in lieu of governmental access to keys. For one thing, traffic analysis, or intelligence gathering based on data showing who is communicating to whom and when, is increasingly becoming a gold-mine of information for law enforcement. The Commission noted that, if the availability of encryption raises criminal confidence in the security of their communications, the increase in electronic communications traffic will offer better information for law enforcement. Even considering access to the content of communications, the communique noted, "The ultimate objective for government agencies is to see plaintext and not necessarily to have access to keys. . . . Information, even encrypted for communication, can often be found unencrypted at the source. . . for instance with banks, shops, travel agencies involved in communication with a suspect, or can be tapped unencrypted at certain points in a communication link." According to the Commission's reasoning, the requirement or encouragement of the provision of keys to law enforcement may be a superfluous intrusion into personal privacy.
The strong House support for SAFE, the Bernstein decision, and the growing appearance of a rift between the Clinton Administration and Europe over encryption policy have instilled a certain degree of confidence in those corporations and civil liberties groups that want to see encryption rules drastically liberalized. This confidence, along with vehement opposition to restrictions from prominent elements of the internet community, has perhaps made these parties less receptive to compromise proposals. Likewise, the strength of SAFE and the possibility of the export scheme's unconstitutionality have also prompted law enforcement and national security groups to toughen their stance, and to be less willing to compromise.
III. FBI and NSA Raise Demands for Encryption Restrictions
Historically, for three years after the original Clipper Chip proposal was made in 1993, the Clinton Administration's encryption policy was based on encouraging (although critics claimed `coercing' would have been a better verb) the use of key recovery or key escrow. This encouragement took the form of making key recovery or key escrow a prerequisite for a) the export of software or hardware which included encryption (manufacturers would otherwise have to produce separate `domestic' and `export' versions of their product) b) the use of encryption by the government or in communication with the government (using the government's position as the largest purchaser of computer products as leverage) or c) the use of encryption on government-funded networks (which would include, for example, the proposed Internet II). This changed in late 1996 when, as part of the transfer of jurisdiction over encryption exports from the Department of State to the Department of Commerce, another `encouragement' for the development of key recovery products was added. Any software company would be allowed slightly more rigorous encryption (56-bit versus 40-bit) provided that the company promised, and then continued, to develop encryption products with key recovery features for sale by the end of 1998.[11] Even through the present day, no government proposal has required the use of key recovery encryption software for general domestic use although restrictions exist that might require it of individuals - government employees, for example - in certain situations.
The spring spring and particularly the summer of 1997, marked the introduction of three bills aimed at placing further restrictions on non-key recovery encryption, or at least aimed at trying alternate ways of eliciting participation in a key recovery infrastructure. First, S. 909, known for its sponsors as the McCain-Kerrey bill, encourages the use of key recovery by making it a prerequisite to obtaining a digital "certificate" from a government-registered Certificate Authority.[12] Critics have complained that this is an inappropriate linkage between the use of encryption for confidentiality, and the use for authenticating the author of a document. Cryptographic authentication is technically the reverse of the cryptographic scrambling, for the sender uses her private key to sign an electronic message and the recipient uses the sender's public key to verify the message. A Certificate Authority is a known or reputable entity which vouches in the `certificate' portion of the signature that the private key in fact belongs to the person who is listed as the owner (this certification is theoretically verified through security procedures such as checking a driver's license or other real world i.d.). Certificate Authority services are generally thought to be an essential element of more secure on-line transactions in the future. Coupled with powerful legal incentives for authorities to become government-registered, it is thought that while participation is technically voluntary, being unable to use a certificate from a registered authority would make individuals second class citizens in the information economy. In addition, the bill stipulates criminal penalties for the use of encryption in committing crimes. Although hailed by its backers as a compromise between a draft Administration proposal circulating at the time of the bill's introduction and pro-crypto bills such as SAFE, critics were eventually successful in the press in portraying the McCain-Kerrey bill as a carbon copy of the Administration's proposal.
Within days of its introduction, the McCain-Kerrey bill was approved by the
Senate Commerce Committee. However, at hearings in July before the Judiciary
Committee, criticism came from not only from opponents of encryption controls,
but from supporters as well. Senator Charles Grassley (R-IO) mentioned a report
of a teen boy who had been abducted and killed. It was thought that the boy had
mentioned the name of his abductor in his diary which was kept in encrypted
form on his personal digital assistant (or PDA). Hearing witnesses, including
Senator Kerrey and FBI Director Louis Freeh, as well as other Senators, pointed
out that neither the existing law nor the McCain-Kerrey bill would have
affected the case because it involved the domestic use of encryption. As the
encryptor was the victim, not the perpetrator, criminal penalties would not
have applied either. Senators from both parties favoring tougher encryption
controls were uneasy that the bill under consideration would not have brought
critical and, perhaps in other cases, lifesaving evidence such as the boy's
diary within the reach of law enforcement. As the debate progresses, it would
not be alarming to see some of these Senators support proposals which would
address this problem.
This tacit endorsement apparently did not go unnoticed by the FBI, even though Director Freeh indicated that, at that time, he was not asking for domestic controls on encryption. Within weeks of the Senate Judiciary Committee hearings, much more restrictive proposals appeared. As the House continued consideration of the SAFE bill, the Judiciary and International Relations committees passed it essentially intact, and it was referred to the National Security Committee and the Intelligence Committee. The National Security Committee altered the SAFE bill so as to retain and to explicitly codify the export controls.[13] The amendment added criminal penalties for the use of encryption and set up a system for annual review of the acceptable level of non-key recovery encryption, which would initially be set by the President after enaction. One notable feature of the National Security amendment was that while the Secretary of Commerce would implement the controls and possess authority to issue licenses, this power would be exercised with the concurrence of the Secretary of Defense, thus giving the Defense Department a veto over such decisions. Furthermore, these decisions would be exempted from judicial review.
The Intelligence Committee completely rewrote the SAFE bill (as the Washington saying goes, the seven most dreaded words on Capitol Hill are "amendment in the nature of a substitute"). The extensive and carefully crafted amendment has changed the face of the encryption debate. The Intelligence Committee SAFE amendment became the first proposal to mandate the inclusion of key recovery in all encryption software "manufactured for distribution," distributed, sold or imported into the US.[14] These restrictions would become effective February 1, 2000. Arguably, the bill would also apply extraterritorially to any entity with a US presence that "sells in... foreign commerce any encryption product" even if the product was never in the US and the sale occurred abroad. Equally important, the amendment removed any differences in the treatment of weaker encryption; the key recovery provisions would apply to 128-bit systems and to 40-bit or weaker systems equally. The amendment would not affect the use of encryption, so any products sold before the deadline could continue to be used. Furthermore, it would arguably be permissible for an entity to manufacture a product as long as it was not sold and not "for distribution," for instance, if it was for free internal company use.
The export of encryption products likewise required that there either be immediate access to plaintext or key recovery. However, a cryptic provision (§ 302b) indicated that these capabilities, in products for export, could be deactivated by default to be enabled at the end user's option. A product with the dual capability of running in `key recovery mode' or `non-key recovery mode' might be ruled out by the restrictions on manufacturing and distribution mentioned above, but would arguably be permissible for export. Inexplicable in the light of its contradiction with past government policy, this provision, on its face, might allow companies to offer tougher encryption abroad than in the U.S. This provision (along with its permissiveness as to the use of prior products) thus begs consideration of an alternate interpretation: that it is a weaker instrument designed to proliferate products with key recovery options, rather than a bill to eradicate products offering non-key recovery encryption. Even if semantically colorable, such an interpretation seems unlikely. Interpreting section 302b as a drafting error is more credible.
Several other sections of the Intelligence Committee amendment indicate its truly comprehensive nature. First, the criminal penalties in the amendment go further than any others in specifying that the sentence is to be served consecutively, not concurrently, with the sentence for the underlying offense (although it also specifies that the use of encryption alone is not probable cause to believe a crime is being committed). Second, unlike the National Security bill, the Secretary of Defense does not have a veto over Commerce Department decisions. However, there is to be "close coordination." Third, while the Intelligence Committee bill does not condition the issuance of cryptographic certificates on key recovery participation (as the McCain-Kerrey bill does), brief references to Certificate Authority regulation would probably allow the Commerce Department to set such a prerequisite. Fourth, the amendment sets out the duty of network service providers to provide key recovery on all encryption services they offer, as well as extensive rules for the federal procurement and funding of encryption products including key recovery.
The Intelligence amendment does have lengthy limits on unauthorized access to decryption information or disclosure of decrypted information or keys. However, most of these controls may be undermined by extensive defenses for compliance with the act, good faith reliance on legal authority, sovereign immunity, and so on. Similarly, a court order is required to obtain key information, and law enforcement officials must have lawful authority to get the underlying data to be decrypted. The strictness of this requirement is also undermined because judges apparently lack discretion to deny a request for a court order when the government attorney demonstrates any factual basis for the relevance of information sought to the investigation and the officer is legally entitled to such plaintext or keys. Overall, these professed safeguards may just be paper tigers.
Senator Lott, in his recent statement on encryption called the FBI's domestic key recovery proposal (and by implication the similar Intelligence Committee amendment) a "large unfunded mandate on our high technology firms" and "simply wrong."[15] Furthermore, Lott claimed that, "I have learned that even the administration does not support this new FBI proposal." While this is not the first indication of policy disagreements between the White House and the FBI, it is the first indication that FBI may not be the Administration's voice on the encryption issue.
IV. Conclusion
In short, the debate over encryption regulations, which has been at a stalemate since the days of the Clipper Chip, seems no closer to resolution. On the one hand, the FBI and the law enforcement community appear to have sensed support for a proposal they had not dared to offer in the past: domestic mandatory key recovery encryption. On the other hand, pro-encryption entities, from the computer industry to civil liberties groups, seem emboldened by the breadth of congressional support for the SAFE bill. The Bernstein decision and the European Commission's recent findings have only provided them more ammunition in the debate. No less antagonistic, these two sides have each upped the stakes. This, combined with the urgent need for tougher encryption for on-line commerce and electronic security, makes the issue more explosive and less predictable than ever.
Footnotes - Note: See Appendix C for links to major cited sources, including text of all bills.
fnA. ©1998 Adam White Scoville. Published by permission of the copyright holder. Boston College Law School, class of 1999. Director, Intellectual Property and Technology Forum at Boston College Law School, 1997-1998. Though this article and particularly the accompanying appendices analyze the major encryption proposals with an eye toward identification rather than advocacy of particular policy decisions inherent therein, the author makes no attempt to conceal, deny or apologize for his personal preference for the immediate liberalization of encryption restrictions.
1. Security and Freedom through Encryption (SAFE) Act of 1997, H.R. 695, 105th Cong.
2. Promotion of Commerce On-Line in the Digital Era (Pro-CODE) Act of 1997, S. 377, 105th Cong.
3. Encrypted Communications Privacy Act of 1997, S. 376, 105th Cong. (ECPA II).
4. See 143 Cong. Rec. S10,879-81 (daily ed. Oct. 21, 1997) (statement of Sen. Lott).
5. See Bernstein v. U.S. Department Of State, No. C-95-0582 (N.D.Cal. Aug. 25, 1997)
6. SeeReno v. ACLU, No. 96-511, bench op. (U.S. June 26, 1997).
7., See, New York Times Co. v. US, 403 U.S. 713 (1971).
8. Young v. American Mini-Theaters, Inc., 427 U.S. 50 (1975), and Renton v. Playtime Theaters, Inc., 475 U.S. 41 (1986)
9. See John Markoff, Court Hears Appeal in Encryption Case, N.Y. Times, Dec. 9, 1997, at section A.
10. Communication of the European Commission: Towards A European Framework for Digital Signatures And Encryption, COM(97)503 final.
11. See Adam White Scoville, Executive Order Claims to Begin Relaxation of Encryption Controls, 1996 B.C. Intell. Prop. & Tech. F. 120902 (Dec. 9, 1996) <http://www.bc.edu/iptf>.
12. Secure Public Networks Act, S. 909, 105th Cong. (McCain-Kerrey Bill).
13. Security and Freedom through Encryption (SAFE) Act of 1997, H.R. 695, 105th Cong. (as amended by the Committee on National Security)
14. Security and Freedom through Encryption (SAFE) Act of 1997, H.R. 695, 105th Cong. (as amended by the Permanent Select Committee on Intelligence)
15. 143 Cong. Rec. S10879, 80.
(Original and Judiciary Committee versions) | (International Relations Committee version) | (Commerce Committee version) | (S. 377) | (S. 376) | |
| Declares freedom to use, freedom to sell encryption of any type? | Yes | Yes | Yes | No | Yes |
| Prohibits Mandatory Key Escrow | Yes | Yes | Yes | Yes | Yes |
| Restrictions on Regulation of Encryption | |||||
| General Prohibitions on Government Regulation: | N/A | N/A | Prohibits conditioning other regulatory approval of encryption use on the use of key recovery/key escrow: issuance of digital certificates may not be conditioned on escrow of private keys. May not require key escrow for licensure of any encryption product. | Prohibits Federal Government from setting encryption regulations or standards for use except for Federal computer systems, or as export controls. Prohibits restriction or regulation of products solely because they include encryption. | N/A |
| Authority of investigative or law enforcement officer acting under the law affected? | No | No | No - also unaffected are intelligence agents under the National Security Act. | N/A | N/A |
| Authority over export controls/licenses: | Commerce Dept., except for military use. | Commerce Dept., except for military use. | Commerce Dept., except for military use. | Commerce Dept., except for military use. | Commerce Dept., except for military use. |
| Commercially available consumer products or components where encryption is inaccessible to user exempt from controls? | N/A | Yes | N/A | N/A | N/A |
| "Generally available" software "designed for installation by purchaser" exempt from controls? | Yes | Yes. Also Generally available hardware. | Yes | Yes | Yes |
| Public domain software exempt from controls? | Yes | Yes | Yes | Yes, also if it is publicly available/ generally accessible | Yes, also if it is publicly available/ generally accessible |
| Can hardware be controlled solely because it contains encryption software? | No | No | No | No | No |
| Devices exempted which would be controlled solely because of interface mechanism for encryption hw/sw? | N/A | Yes | N/A | N/A | Yes |
| Sec. of Commerce must authorize export to countries where similar software can be sold to banks? [Note: The US government is reportedly considering eliminating the current exception allowing banks greater leeway. - See NY Times, 11/24/97 at D1.] | Yes, except if there is substantial evidence of diversion to military use or illegal reexport | Yes, except if there is substantial evidence of diversion to military use or illegal reexport | Yes for non-military end uses except if there is substantial evidence of diversion to military use or illegal reexport | Yes, for non-military end uses except if there is substantial evidence of diversion to or modification for military or terrorist use or illegal reexport or intentionally used to evade enforcement of United States law or taxation | N/A |
| Sec. of Commerce must authorize export of encryption hardware where comparable product is commercially available from foreign supplier? | Yes | N/A | Yes | N/A | Yes, if commercially available without effective restrictions, or generally available, or if US product incorporates a foreign encryption product. |
| Criminal Penalties for the use of encryption related to a crime? | |||||
| Yes. Original says: If used in furtherance of a crime, up to 5 years first offense, 10 yrs subsequently. Judiciary version: If used in commission of felony with the intent of avoiding law enforcement detection, up to 5 years first offense, 10 years subsequently. | As in original SAFE bill. | If used in commission of felony with the intent of avoiding law enforcement detection, up to 10 years first offense, 20 yrs subsequently | None. | Yes, for use of encryption to impede the communication of information to law enforcement in furtherance of a felony: 5 years first conviction, 10 years subsequently. | |
| Miscellaneous Provisions | |||||
(Original and Judiciary Committee versions) | |||||
| Judiciary version provides: Attorney General shall compile data on instances in which encryption has interfered with ability of DoJ to enforce federal criminal laws. Available to Congress on request. | |||||
(International Relations Committee version) | |||||
| Sense of Congress that export restrictions is detrimental to US competitiveness without concurrence of all producing nations, which President has not gotten. | |||||
(Commerce Committee version) | |||||
| Liability Exemptions for persons providing law enforcement access to plaintext pursuant to judicial process
Establishes National Electronic Technologies Center (NET Center) and advisory board under DOJ for studying methods for effective decryption and properties of encryption available, and dissemination of information to State & Fed law enforcement. NTIA (National Telecommunications and Industry Ass'n) to study and report 1) the effect of a mandatory key recovery system on electronic commerce, data security, privacy and law enforcement activities and 2) assesses other methods for access to encrypted communications for law enforcement. 6 month inquiry by Sec. of Commerce (and report to Congress) to identify impediments to trade in encryption products and foreign nations' import restrictions that constitute barriers to trade. W/in 6 months later Sec, & A.G. shall prescribe regulations to reduce impediments to trade for US companies. President shall negotiate any necessary international treaties. Attorney General shall compile data on instances in which encryption has interfered with ability of DoJ to enforce federal criminal laws. Available to Congress on request. | |||||
(S. 377) | |||||
| Exporter must, w/in 30 days after, report the export of encryption products and their capability.
Establishes governmental/non-governmental Information Security Board to foster aggregation and dissemination of nonconfidential developments in information security technologies. | |||||
(S. 376) | |||||
| Provisions as to Voluntary, Market-driven key recovery:
Criminal penalties for unauthorized release of keys. May only release key to owner, upon the owner's consent, or to authorized law enforcement.
| |||||
(S. 909) |
(Amendments to SAFE) |
(Amendments to SAFE ) | |
| Focus | |||
| Encourages the use of Key Recovery by making Key Recovery use a prerequisite to obtaining a digital "certificate" from a government-registered Certificate Authority. Provides strong incentives for CAs to become government-registered. | Strengthens existing export control regime which encourages the inclusion of key recovery in software with encryption features by restricting the export of encryption software without key recovery to weak levels of security. | Mandates that all encryption software manufactured for distribution, distributed, sold or imported into the US after 1/31/2000 include key recovery.
Arguable extraterritorial application to any US entity that "sells in... foreign commerce any encryption product" even if product was never in US and sale occurs abroad. | |
| Prohibits domestic use/sale of encryption without key recovery? | No. | No | Yes: prohibits sale/distribution.
Permits use of products sold before deadline. Also, items manufactured, but not for distribution or sale, (e.g. for internal use by the same entity) are arguably permitted. |
| Restricts domestic use/sale of encryption without key recovery? | Yes - if key recovery not used, no certificate from registered CA. | No (Prohibits mandatory use of key escrow) | [See above.] |
| Criminal Penalties for the use of encryption related to a crime? | Yes. If used in furtherance of a crime, up to 5 years first offense, 10 yrs thereafter or fine or both. Specifies that the use of encryption alone is not probable cause to believe a crime is being committed. | Yes. If used in furtherance of a crime, up to 5 years first offense, 10 yrs thereafter, or fine or both. | Yes. If used in furtherance of a crime, up to 5 years first offense, 10 yrs thereafter or fine or both. Terms to run consecutively, not concurrently with the underlying sentence. Specifies that the use of encryption alone is not probable cause to believe a crime is being committed. |
| Export Controls | |||
| Authority over export controls/licenses: | Sec. of Commerce in consultation with relevant executive agencies. | Secretary of Commerce with concurrence of Secretary of Defense | Sec. of Commerce in "close coordination" with Secretary of Defense. |
| Decisions of Executive Branch are judicially reviewable? | Certain determinations (harm to national security etc.) not reviewable. | No. | No. |
| Encryption products may be controlled even if not on munitions list? | N/A | Yes | Yes. |
| Government sets level of (non-key recovery) encryption which may be exported? | Yes but even products under that level must undergo a one time review (and may not be exported to countries ruled ineligible to receive such products). Initially 56 bit DES or equivalent. | Yes but even products under that level must undergo a one time review (and may not be exported to countries ruled ineligible to receive such products). President sets initially w/in 30 days of enactment. | No. All encryption products exported after 1/31/2000 must include immediate access to plaintext or key recovery and must undergo a one time review (and may not be exported to countries ruled ineligible to receive such products). However, for export, decryption capabilities can be off by default to be enabled by purchaser (§302b). |
| Review of permissible encryption level thereafter? | President reviews at least annually. In addition, President shall increase level if he finds similar products widely available from other nations. | President reviews at least annually. Note: new level doesn't take effect for 60 days, not counting when Congress is not in session. | N/A |
| President can waive provisions of the export controls in the interest of national security? | Yes. | N/A | Yes. |
| Separate treatment for telecommunications products? | No. | N/A | Yes. |
| If so, may communications products be exported without key recovery? | N/A | N/A | Yes, but Secretary shall authorize export without decryption capabilities only if 1) information recovery requirements would disadvantage US exporters and 2) exports would not create a risk to the foreign policy, non-proliferation, or national security of the US. |
| Separate treatment for certain institutions? | Yes. Expedited review for use of products by qualified banks, health care providers, subsidiaries of US companies or others specifically authorized by Sec. of Commerce. | N/A | Yes. Expedited review for use of products by qualified banks, subsidiaries of US companies or others specifically authorized by Sec. of Commerce. |
| Specifies Penalty for unauthorized export? | Yes. Up to 5 years per occurrence. | No. | No. |
| Government Registration of Certificate Authorities and Key Recovery Agents | |||
| Government to issue regulations for creating key management infrastructures? | Yes | N/A | Yes, may promulgate regulations establishing standards. Private sector participation voluntary. |
| Government to offer registration for certificate authorities and key recovery agents? | Yes | N/A | Yes, government may offer registration under standards set by Secretary of Commerce. CAs and KRAs may identify themselves as being federally registered. No further specifics. |
| Issuance of Certificates conditioned on use of key recovery? | Yes, or alternate arrangements for timely access to plaintext of data without notice to subject. | N/A | Not mentioned, required or prohibited. Presumably standards could condition issuance of Certificates on use of key recovery. |
| Key Recovery/Key Management Infrastructure Issues | |||
| Unauthorized access to or decryption of data or communications prohibited? | Yes, intentional access unlawful:
- without lawful authority - exceeding lawful authority - breaking encryption code without authority to violate privacy or security or property rights - disclosing decryption information in violation of the Act. | N/A | Yes, intentional access unlawful:
- without lawful authority - exceeding lawful authority - breaking encryption code without authority to violate privacy or security or property rights - disclosing decryption information in violation of the Act. |
| Third-Party Liability for encryption? | N/A | N/A | Illegal to assist in or facilitate encryption knowing that such data are to be used in furtherance of a crime. |
| Penalty for unlawful access as above: | up to five years or fine or both. | N/A | up to 10 years or fine or both. |
| Liability Exemptions for persons providing law enforcement access to plaintext? | N/A | N/A | Yes, unless person is not authorized by court order to disclose the information.
Compliance with the Act is a complete defense. Participation in government established key management infrastructure is evidence of reasonable care. Good faith reliance on legal authority is a complete defense. Sovereign immunity is not affected. |
| Sale of Encryption products w/out key recovery illegal? | N/A (No.) | N/A (No.) | Yes after 1/31/2000. Must enable immediate decryption or access to plaintext. Penalty up to 5 years or fine or both (presumably per offense). | Standard for products providing access? | N/A | N/A | "Duly authorized" | Service Providers providing encryption must use key recovery? | N/A | N/A | Yes after 1/31/2000. Must enable immediate decryption or access to plaintext. |
| Service Provider Standard for providing access: | N/A | N/A | Upon receipt of court order or warrant. | Manufacture/ Distribution/ Importation
requires key recovery? | N/A (No.) | N/A (No.) | Yes after 1/31/2000 unless product can only be used with systems that provide access or otherwise meets technical requirements. Must enable immediate decryption or access to plaintext without knowledge or cooperation of the person being investigated. | Standard for provision of decryption information for manufacture? | N/A | N/A | "Authorized party in possession of a facially valid order issued by a court of competent jurisdiction." | Setting of technical requirements: | N/A | N/A | A.G. sets technical requirements for compliance and procedures for advisory opinions on whether a product meets requirements. |
| Use of Non-Key Recovery Products (e.g. purchased or in use prior to deadline) prohibited? | N/A | N/A | No. Use or prior products is specifically declared lawful. |
| Injunctive Relief available to stop non-compliance? | N/A | N/A | When it appears that a product or service in violation is or is about to be sold/distributed etc., Gov't can sue to enjoin the violation. Court automatically issues a Temporary Restraining Order. Burden is on Government by preponderance of the evidence in showing that product does not meet requirements. Proceedings to be closed to the public at the request of defendant. An advisory opinion (by gov't that product is in compliance) is an absolute defense to the action. Appeals considered on an expedited basis. |
| Requirements for provision of keys to law enforcement? | Subpoena. Subpoena must be based on:
- a duly authorized warrant or court order authorizing interception of wire communications or electronic communications or stored wire and electronic communications and transactional records (18 USC 119, 121 or applicable State statute) - a subpoena authorized by or based on authority established by Federal or State law, statute, precedent or rule - a warrant or court order or certification under the Foreign Intelligence Surveillance Act - or other lawful authority. No authorization to obtain recovery information unless there is lawful authority to obtain the underlying communications or electronically stored information. | N/A | Court Order. However, court shall issue the order upon application by Attorney for the Government providing factual basis for relevance of information sought to investigation and court finds in writing that there is relevance and officer is entitled to such plaintext or keys.
Limitation: may not use decryption information to get the plaintext of any data which was not obtained under lawful authority. |
| Requirements for provision of keys to foreign governments? | US Government entity must have request from a foreign government that the US entity is authorized to execute. | N/A | US Gov't Attorney may apply to court upon request of government with which there is treaty agreement. |
| Notice to Subject/Owner of Keys of Provision to Law Enforcement: | No except pursuant to court order. | N/A | Within 90 days after the fact, but may be postponed (with no limit on amount of postponement) on an ex parte showing of good cause. Decrypted information may not be entered into evidence unless notice is given to each party at least 10 days before trial. |
| Suppression of Evidence if unlawfully obtained? | N/A | N/A | Yes, party may make a motion. US may appeal within 30 days. |
| Civil Action for violations? | Yes, but remedies are limited to actual damages plus costs and attorney's fees. Includes access without authorization or disclosure (where access was authorized) of key recovery information or plaintext of decrypted information. | N/A | Yes, but remedies are limited to actual damages plus costs and attorney's fees (except if separate violation of constitutional rights found). |
| Limitations on Disclosure to third parties? | Yes. | N/A | Yes. |
| Service Providers must provide technical assistance? | N/A | N/A | Yes. May move to quash order if decryption cannot be performed in a timely or reasonable fashion. |
| Government Procurement | |||
| Encryption products purchased by the government must include key recovery or features for immediate decryption? | Yes | N/A | Yes, starting 1/1/99. |
| Encryption products purchased with federal funds must include key recovery or features for immediate decryption? | N/A | N/A | Yes, starting 1/1/99. |
| Federally funded Communications Networks must include key recovery? | Yes. | N/A | Yes, starting 1/1/99. |
| Federal government may mandate private sector standards. | No, except for private sector communication with the government or networks using federal funds. However, Sec. must consider providing for interoperability of government key recovery systems with private, non-key recovery systems. | N/A | No, except for private sector communication with the government or networks using federal funds. |
| Other | |||
| Encryption Industry and Information Security Board established.
Attorney General shall compile data on instances in which encryption has interfered with ability of DoJ to enforce federal criminal laws. Available to Congress on request. No preemption of Arms Export Control Act, Export Administration Act, Int'l Emergency Economic Powers Act (IEEPA). No affect on foreign intelligence activities, no affect on intellectual property protections. | |||
Appendix C Encryption-Related Links
