Comparison Matrix for Bills Relaxing Encryption Restrictions

Appendix A:
Comparison Matrix for Bills Relaxing Encryption Restrictions

N/A = Not Addresed by legislation or Not Applicable.

	SAFE (Original and Judiciary Committee versions)	SAFE (International Relations Committee version)	SAFE (Commerce Committee version)	ProCODE (S. 377)	ECPA II (S. 376)
Declares freedom to use, freedom to sell encryption of any type?	Yes	Yes	Yes	No	Yes
Prohibits Mandatory Key Escrow	Yes	Yes	Yes	Yes	Yes
Restrictions on Regulation of Encryption
General Prohibitions on Government Regulation:	N/A	N/A	Prohibits conditioning other regulatory approval of encryption use on the use of key recovery/key escrow: issuance of digital certificates may not be conditioned on escrow of private keys. May not require key escrow for licensure of any encryption product.	Prohibits Federal Government from setting encryption regulations or standards for use except for Federal computer systems, or as export controls. Prohibits restriction or regulation of products solely because they include encryption.	N/A
Authority of investigative or law enforcement officer acting under the law affected?	No	No	No - also unaffected are intelligence agents under the National Security Act.	N/A	N/A
Authority over export controls/licenses:	Commerce Dept., except for military use.	Commerce Dept., except for military use.	Commerce Dept., except for military use.	Commerce Dept., except for military use.	Commerce Dept., except for military use.
Commercially available consumer products or components where encryption is inaccessible to user exempt from controls?	N/A	Yes	N/A	N/A	N/A
"Generally available" software "designed for installation by purchaser" exempt from controls?	Yes	Yes. Also Generally available hardware.	Yes	Yes	Yes
Public domain software exempt from controls?	Yes	Yes	Yes	Yes, also if it is publicly available/ generally accessible	Yes, also if it is publicly available/ generally accessible
Can hardware be controlled solely because it contains encryption software?	No	No	No	No	No
Devices exempted which would be controlled solely because of interface mechanism for encryption hw/sw?	N/A	Yes	N/A	N/A	Yes
Sec. of Commerce must authorize export to countries where similar software can be sold to banks? [Note: The US government is reportedly considering eliminating the current exception allowing banks greater leeway. - See NY Times, 11/24/97 at D1.]	Yes, except if there is substantial evidence of diversion to military use or illegal reexport	Yes, except if there is substantial evidence of diversion to military use or illegal reexport	Yes for non-military end uses except if there is substantial evidence of diversion to military use or illegal reexport	Yes, for non-military end uses except if there is substantial evidence of diversion to or modification for military or terrorist use or illegal reexport or intentionally used to evade enforcement of United States law or taxation	N/A
Sec. of Commerce must authorize export of encryption hardware where comparable product is commercially available from foreign supplier?	Yes	N/A	Yes	N/A	Yes, if commercially available without effective restrictions, or generally available, or if US product incorporates a foreign encryption product.
Criminal Penalties for the use of encryption related to a crime?
	Yes. Original says: If used in furtherance of a crime, up to 5 years first offense, 10 yrs subsequently. Judiciary version: If used in commission of felony with the intent of avoiding law enforcement detection, up to 5 years first offense, 10 years subsequently.	As in original SAFE bill.	If used in commission of felony with the intent of avoiding law enforcement detection, up to 10 years first offense, 20 yrs subsequently	None.	Yes, for use of encryption to impede the communication of information to law enforcement in furtherance of a felony: 5 years first conviction, 10 years subsequently.
Miscellaneous Provisions
	SAFE (Original and Judiciary Committee versions)
Judiciary version provides: Attorney General shall compile data on instances in which encryption has interfered with ability of DoJ to enforce federal criminal laws. Available to Congress on request.
		SAFE (International Relations Committee version)
Sense of Congress that export restrictions is detrimental to US competitiveness without concurrence of all producing nations, which President has not gotten.
			SAFE (Commerce Committee version)
Liability Exemptions for persons providing law enforcement access to plaintext pursuant to judicial process Establishes National Electronic Technologies Center (NET Center) and advisory board under DOJ for studying methods for effective decryption and properties of encryption available, and dissemination of information to State & Fed law enforcement. NTIA (National Telecommunications and Industry Ass'n) to study and report 1) the effect of a mandatory key recovery system on electronic commerce, data security, privacy and law enforcement activities and 2) assesses other methods for access to encrypted communications for law enforcement. 6 month inquiry by Sec. of Commerce (and report to Congress) to identify impediments to trade in encryption products and foreign nations' import restrictions that constitute barriers to trade. W/in 6 months later Sec, & A.G. shall prescribe regulations to reduce impediments to trade for US companies. President shall negotiate any necessary international treaties. Attorney General shall compile data on instances in which encryption has interfered with ability of DoJ to enforce federal criminal laws. Available to Congress on request.
				ProCODE (S. 377)
Exporter must, w/in 30 days after, report the export of encryption products and their capability. Establishes governmental/non-governmental Information Security Board to foster aggregation and dissemination of nonconfidential developments in information security technologies.
					ECPA II (S. 376)
Provisions as to Voluntary, Market-driven key recovery: Criminal penalties for unauthorized release of keys. May only release key to owner, upon the owner's consent, or to authorized law enforcement. Standards for release of encryption information for communications: Court Order. Must specify the decryption assistance required and the date of authorization's termination. Need either: - Court determination that decryption assistance is necessary for decryption of a communication that law enforcement authorized to intercept per 18 USC Chap 119; or - Certification by AG that under other law, no court order is required, and the decryption assistance is required. Key holder must provide only the assistance necessary for the access specified in the order or certification. Notice to the subject of the interception (per 18 USC 2518 (7)(b) or (8)(d)) must include notice that keys or decryption assistance were provided. Standard for release of decryption information for stored information. Court order. Must find that decryption assistance is necessary for decryption of stored information which law enforcement is authorized to require (per 18 USC 2703), to seize, or to compel. Key holder must provide only the assistance necessary for the access specified in the order. Government access must be only for the duration and extent provided in the order. Keys or decryption information must be destroyed at the end of that period. Procedure for release to a Foreign Country Foreign Gov't makes request to Attorney General, which requests court order. Standard for release to a Foreign Country Court Order to be granted only if: The decryption assistance or key sought is necessary for the decryption of information the foreign country is authorized to intercept pursuant to its own law Foreign Country's law provides adequate protection of privacy rights The decryption assistance or key is being sought for a criminal investigation of conduct that would be a violation of US criminal law. Criminal Penalties for unauthorized disclosure If for tortuous, malicious, or illegal purpose, or for commercial gain: up to 1 year or fine for 1st offense, 2 years or fine thereafter. if otherwise recklessly or intentionally, fine up to $5,000 or up to 6 months. Civil Damages for unauthorized disclosure: Preliminary or equitable relief, attorneys fees and costs, and damages including greater of actual damages or profit made by violator or $5,000. Good faith reliance is defense to civil action.