| Issue | (S. 909) | (Amendments to SAFE) | (Amendments to SAFE) |
|---|---|---|---|
| Focus | Encourages the use of Key Recovery by making Key Recovery use a prerequisite to obtaining a digital "certificate" from a government-registered Certificate Authority. Provides strong incentives for CAs to become government-registered. | Strengthens existing export control regime, which encourages the inclusion of key recovery in software with encryption features by restricting the export of encryption software without key recovery to weak levels of security. | Mandates that all encryption software manufactured for distribution, distributed, sold or imported into the US after 1/31/2000 include key recovery. Arguable extraterritorial application to any US entity that "sells in... foreign commerce any encryption product" even if the product was never in the US and the sale occurs abroad. |
| Prohibits domestic use/sale of encryption without key recovery? | No. | No. | Yes: prohibits sale/distribution. Permits use of products sold before the deadline. Also, items manufactured, but not for distribution or sale (e.g. for internal use by the same entity), are arguably permitted. |
| Restricts domestic use/sale of encryption without key recovery? | Yes - if key recovery is not used, no certificate from a registered CA. | No (prohibits mandatory use of key escrow). | [See above.] |
| Criminal penalties for the use of encryption related to a crime? | Yes. If used in furtherance of a crime, up to 5 years for a first offense, 10 years thereafter, or a fine, or both. Specifies that the use of encryption alone is not probable cause to believe a crime is being committed. | Yes. If used in furtherance of a crime, up to 5 years for a first offense, 10 years thereafter, or a fine, or both. | Yes. If used in furtherance of a crime, up to 5 years for a first offense, 10 years thereafter, or a fine, or both. Terms to run consecutively, not concurrently, with the underlying sentence. Specifies that the use of encryption alone is not probable cause to believe a crime is being committed. |
| Export Controls | | | |
| Authority over export controls/licenses: | Sec. of Commerce in consultation with relevant executive agencies. | Secretary of Commerce with concurrence of Secretary of Defense. | Sec. of Commerce in "close coordination" with Secretary of Defense. |
| Decisions of Executive Branch are judicially reviewable? | Certain determinations (harm to national security etc.) not reviewable. | No. | No. |
| Encryption products may be controlled even if not on munitions list? | N/A | Yes. | Yes. |
| Government sets level of (non-key recovery) encryption which may be exported? | Yes, but even products under that level must undergo a one-time review (and may not be exported to countries ruled ineligible to receive such products). Initially 56-bit DES or equivalent. | Yes, but even products under that level must undergo a one-time review (and may not be exported to countries ruled ineligible to receive such products). President sets the initial level within 30 days of enactment. | No. All encryption products exported after 1/31/2000 must include immediate access to plaintext or key recovery and must undergo a one-time review (and may not be exported to countries ruled ineligible to receive such products). However, for export, decryption capabilities can be off by default, to be enabled by the purchaser (§302b). |
| Review of permissible encryption level thereafter? | President reviews at least annually. In addition, President shall increase the level if he finds similar products widely available from other nations. | President reviews at least annually. Note: a new level does not take effect for 60 days, not counting days when Congress is not in session. | N/A |
| President can waive provisions of the export controls in the interest of national security? | Yes. | N/A | Yes. |
| Separate treatment for telecommunications products? | No. | N/A | Yes. |
| If so, may communications products be exported without key recovery? | N/A | N/A | Yes, but the Secretary shall authorize export without decryption capabilities only if 1) information recovery requirements would disadvantage US exporters and 2) exports would not create a risk to the foreign policy, non-proliferation, or national security of the US. |
| Separate treatment for certain institutions? | Yes. Expedited review for use of products by qualified banks, health care providers, subsidiaries of US companies, or others specifically authorized by Sec. of Commerce. | N/A | Yes. Expedited review for use of products by qualified banks, subsidiaries of US companies, or others specifically authorized by Sec. of Commerce. |
| Specifies penalty for unauthorized export? | Yes. Up to 5 years per occurrence. | No. | No. |
| Government Registration of Certificate Authorities and Key Recovery Agents | | | |
| Government to issue regulations for creating key management infrastructures? | Yes. | N/A | Yes, may promulgate regulations establishing standards. Private sector participation voluntary. |
| Government to offer registration for certificate authorities and key recovery agents? | Yes. | N/A | Yes, government may offer registration under standards set by Secretary of Commerce. CAs and KRAs may identify themselves as being federally registered. No further specifics. |
| Issuance of certificates conditioned on use of key recovery? | Yes, or alternate arrangements for timely access to plaintext of data without notice to the subject. | N/A | Not mentioned, required or prohibited. Presumably standards could condition issuance of certificates on use of key recovery. |
| Key Recovery/Key Management Infrastructure Issues | | | |
| Unauthorized access to or decryption of data or communications prohibited? | Yes, intentional access unlawful: without lawful authority; exceeding lawful authority; breaking an encryption code without authority to violate privacy, security or property rights; disclosing decryption information in violation of the Act. | N/A | Yes, intentional access unlawful: without lawful authority; exceeding lawful authority; breaking an encryption code without authority to violate privacy, security or property rights; disclosing decryption information in violation of the Act. |
| Third-party liability for encryption? | N/A | N/A | Illegal to assist in or facilitate encryption knowing that such data are to be used in furtherance of a crime. |
| Penalty for unlawful access as above: | Up to five years or a fine or both. | N/A | Up to 10 years or a fine or both. |
| Liability exemptions for persons providing law enforcement access to plaintext? | N/A | N/A | Yes, unless the person is not authorized by court order to disclose the information. Compliance with the Act is a complete defense. Participation in a government-established key management infrastructure is evidence of reasonable care. Good faith reliance on legal authority is a complete defense. Sovereign immunity is not affected. |
| Sale of encryption products without key recovery illegal? | N/A (No.) | N/A (No.) | Yes, after 1/31/2000. Must enable immediate decryption or access to plaintext. Penalty up to 5 years or a fine or both (presumably per offense). |
| Standard for products providing access? | N/A | N/A | "Duly authorized." |
| Service providers providing encryption must use key recovery? | N/A | N/A | Yes, after 1/31/2000. Must enable immediate decryption or access to plaintext. |
| Service provider standard for providing access: | N/A | N/A | Upon receipt of court order or warrant. |
| Manufacture/distribution/importation requires key recovery? | N/A (No.) | N/A (No.) | Yes, after 1/31/2000, unless the product can only be used with systems that provide access or otherwise meets technical requirements. Must enable immediate decryption or access to plaintext without the knowledge or cooperation of the person being investigated. |
| Standard for provision of decryption information for manufacture? | N/A | N/A | "Authorized party in possession of a facially valid order issued by a court of competent jurisdiction." |
| Setting of technical requirements: | N/A | N/A | A.G. sets technical requirements for compliance and procedures for advisory opinions on whether a product meets requirements. |
| Use of non-key-recovery products (e.g. purchased or in use prior to deadline) prohibited? | N/A | N/A | No. Use of prior products is specifically declared lawful. |
| Injunctive relief available to stop non-compliance? | N/A | N/A | When it appears that a product or service in violation is or is about to be sold/distributed etc., Gov't can sue to enjoin the violation. Court automatically issues a Temporary Restraining Order. Burden is on the Government, by a preponderance of the evidence, to show that the product does not meet requirements. Proceedings to be closed to the public at the request of the defendant. An advisory opinion (by gov't that the product is in compliance) is an absolute defense to the action. Appeals considered on an expedited basis. |
| Requirements for provision of keys to law enforcement? | Subpoena. Subpoena must be based on: a duly authorized warrant or court order authorizing interception of wire communications or electronic communications or stored wire and electronic communications and transactional records (18 USC 119, 121 or applicable State statute); a subpoena authorized by or based on authority established by Federal or State law, statute, precedent or rule; a warrant or court order or certification under the Foreign Intelligence Surveillance Act; or other lawful authority. No authorization to obtain recovery information unless there is lawful authority to obtain the underlying communications or electronically stored information. | N/A | Court order. However, the court shall issue the order upon application by an Attorney for the Government providing a factual basis for the relevance of the information sought to the investigation, if the court finds in writing that there is relevance and the officer is entitled to such plaintext or keys. Limitation: may not use decryption information to get the plaintext of any data which was not obtained under lawful authority. |
| Requirements for provision of keys to foreign governments? | US Government entity must have a request from a foreign government that the US entity is authorized to execute. | N/A | US Gov't Attorney may apply to court upon request of a government with which there is a treaty agreement. |
| Notice to subject/owner of keys of provision to law enforcement: | No, except pursuant to court order. | N/A | Within 90 days after the fact, but may be postponed (with no limit on the amount of postponement) on an ex parte showing of good cause. Decrypted information may not be entered into evidence unless notice is given to each party at least 10 days before trial. |
| Suppression of evidence if unlawfully obtained? | N/A | N/A | Yes, a party may make a motion. US may appeal within 30 days. |
| Civil action for violations? | Yes, but remedies are limited to actual damages plus costs and attorney's fees. Includes access without authorization, or disclosure (where access was authorized) of key recovery information or plaintext of decrypted information. | N/A | Yes, but remedies are limited to actual damages plus costs and attorney's fees (except if a separate violation of constitutional rights is found). |
| Limitations on disclosure to third parties? | Yes. | N/A | Yes. |
| Service providers must provide technical assistance? | N/A | N/A | Yes. May move to quash the order if decryption cannot be performed in a timely or reasonable fashion. |
| Government Procurement | | | |
| Encryption products purchased by the government must include key recovery or features for immediate decryption? | Yes. | N/A | Yes, starting 1/1/99. |
| Encryption products purchased with federal funds must include key recovery or features for immediate decryption? | N/A | N/A | Yes, starting 1/1/99. |
| Federally funded communications networks must include key recovery? | Yes. | N/A | Yes, starting 1/1/99. |
| Federal government may mandate private sector standards? | No, except for private sector communication with the government or networks using federal funds. However, Sec. must consider providing for interoperability of government key recovery systems with private, non-key recovery systems. | N/A | No, except for private sector communication with the government or networks using federal funds. |
| Other | | | |
| Encryption Industry and Information Security Board established. Attorney General shall compile data on instances in which encryption has interfered with the ability of DoJ to enforce federal criminal laws; available to Congress on request. No preemption of Arms Export Control Act, Export Administration Act, or Int'l Emergency Economic Powers Act (IEEPA). No effect on foreign intelligence activities; no effect on intellectual property protections. | | | |