Note: This document is the unofficial version of the Bill. The printed Bill and Resolution produced by the Government Printing Office is the only official version.

103d CONGRESS
2d Session

H. R. 5199

As Introduced in the House

To amend the National Institute of Standards and Technology Act to provide for the establishment and management of voluntary encryption standards to protect the privacy and security of electronic information, and for other purposes.

--------------------

IN THE HOUSE OF REPRESENTATIVES

OCTOBER 6, 1994

Mr. Brown of California introduced the following bill; which was referred to the Committee on Science, Space, and Technology

--------------------

A BILL

To amend the National Institute of Standards and Technology Act to provide for the establishment and management of voluntary encryption standards to protect the privacy and security of electronic information, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the `Encryption Standards and Procedures Act of 1994`.

SEC. 2. FINDINGS AND PURPOSES.

(a) Findings. - The Congress finds the following:

    (1) Advancements in communications and information technology and the widespread use of that technology have enhanced the volume and value of domestic and international communication of electronic information as well as the ability to preserve the confidentiality, protect the privacy, and authenticate the origin, of that information.

    (2) The proliferation of communications and information technology has made it increasingly difficult for the government to obtain and decipher, in a timely manner and as provided by law, electronic information that is necessary to provide for public safety and national security.
    (3) The development of the Nation's information infrastructure and the realization of the full benefits of that infrastructure require that electronic information resident in, or communicated over, that infrastructure is secure, confidential, and authentic.

    (4) Security, privacy, and authentication of electronic information resident in, or communicated over, the Nation's information infrastructure are enhanced with the use of encryption technology.

    (5) The rights of individuals and other persons to security, privacy, and protection in their communications and in the dissemination and receipt of electronic information should be preserved and protected.

    (6) The authority and ability of the government to obtain and decipher, in a timely manner and as provided by law, electronic information necessary to provide for public safety and national security should also be preserved.

    (7) There is a national need to develop, adopt, and use encryption methods and procedures that advance the development of the Nation's information infrastructure and that preserve the personal rights referred to in paragraph (5) and the governmental authority and ability referred to in paragraph (6), as provided by law.

(b) Purposes. - It is the purpose of this Act -

    (1) to promote the development of the Nation's information infrastructure consistent with public welfare and safety, national security, and the privacy and protection of personal property;

    (2) to encourage and facilitate the development, adoption, and use of encryption standards and procedures that provide sufficient privacy, protection, and authentication of electronic information and that reasonably satisfy the needs of government to provide for public safety and national security; and

    (3) to establish Federal policy governing the development, adoption, and use of encryption standards and procedures and a Federal program to carry out that policy.

SEC. 3. ENCRYPTION STANDARDS AND PROCEDURES.
(a) Computer System Security and Privacy Advisory Board. -

    (1) Requirement of privacy expertise. - Section 21(a)(2) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-4(a)(2)) is amended by inserting `(including computer systems privacy)` after `related disciplines`.

    (2) Expanded functions. - Section 21(b) of such Act (15 U.S.C. 278g-4(b)) is amended -

        (A) by striking `and` at the end of paragraph (2);

        (B) by striking the period at the end of paragraph (3) and inserting `; and`; and

        (C) by adding after paragraph (3) the following new paragraph:

        `(4) to advise the Institute and the Congress on privacy issues pertaining to electronic information and on encryption standards developed under section 31(b).`.

(b) Standards and Procedures. - The National Institute of Standards and Technology Act is further amended -

    (1) by redesignating section 31 as section 32; and

    (2) by inserting after section 30 the following new section 31:

[

`SEC. 31. ENCRYPTION STANDARDS AND PROCEDURES.

`(a) Establishment and Authority. - The Secretary, acting through the Director, shall establish an Encryption Standards and Procedures Program to carry out this section. In carrying out this section, the Secretary, acting through the Director, may (in addition to the authority provided under section 2) conduct research and development on encryption standards and procedures, make grants, and enter into contracts, cooperative agreements, joint ventures, royalty arrangements, and licensing agreements on such terms and conditions the Secretary considers appropriate.

`(b) Federal Encryption Standards. -

    `(1) In general. - The Secretary, acting through the Director and after providing notice to the public and an opportunity for comment, may by regulation develop encryption standards as part of the program established under subsection (a).

    `(2) Requirements. - Any encryption standard developed under paragraph (1) -

        `(A) shall, to the maximum extent practicable, provide for the confidentiality, integrity, or authenticity of electronic information;

        `(B) shall advance the development, and enhance the security, of the Nation's information infrastructure;

        `(C) shall contribute to public safety and national security;

        `(D) shall not diminish existing privacy rights of individuals and other persons;

        `(E) shall preserve the functional ability of the government to decipher, in a timely manner, electronic information that has been obtained pursuant to an electronic surveillance permitted by law;

        `(F) may be implemented in software, firmware, hardware, or any combination thereof; and

        `(G) shall include a validation program to determine the extent to which such standards have been implemented in conformance with the requirements set forth in this paragraph.

    `(3) Consultation. - Standards developed under paragraph (1) shall be developed in consultation with the heads of other appropriate Federal agencies.

`(c) Permitted Use of Standards. - The Federal Government shall make available for public use any standard established under subsection (b), except that nothing in this Act may be construed to require such use by any individual or other person.

`(d) Escrow Agents. -

    `(1) Designation. - If a key escrow encryption standard is established under subsection (b), the President shall designate at least 2 Federal agencies that satisfy the qualifications referred to in paragraph (2) to act as key escrow agents for that standard.

    `(2) Qualifications. - A key escrow agent designated under paragraph (1) shall be a Federal agency that -

        `(A) possesses the capability, competency, and resources to administer the key escrow encryption standard, to safeguard sensitive information related to it, and to carry out the responsibilities set forth in paragraph (3) in a timely manner; and

        `(B) is not a Federal agency that is authorized by law to conduct electronic surveillance.

    `(3) Responsibilities. - A key escrow agent designated under paragraph (1) shall, by regulation and in consultation with the Secretary and any other key escrow agent designated under such paragraph, establish procedures and take other appropriate steps -

        `(A) to safeguard the confidentiality, integrity, and availability of keys or components thereof held by the agent pursuant to this subsection;

        `(B) to preserve the integrity of any key escrow encryption standard established under subsection (b) for which the agent holds the keys or components thereof;

        `(C) to hold and manage the keys or components thereof consistent with the requirements of this section and the encryption standard established under subsection (b); and

        `(D) to carry out the responsibilities set forth in this paragraph in the most effective and efficient manner practicable.

    `(4) Authority. - A key escrow agent designated under paragraph (1) may enter into contracts, cooperative agreements, and joint ventures and take other appropriate steps to carry out its responsibilities.

`(e) Limitations on Access and Use. -

    `(1) Release of key to certain agencies. - A key escrow agent designated under subsection (d) may release a key or component thereof held by the agent pursuant to that subsection only to a Federal agency that is authorized by law to conduct electronic surveillance and that is authorized to obtain and use the key or component by court order or other provision of law. An entity to whom a key or component thereof has been released under this paragraph may use the key or component thereof only in the manner and for the purpose and duration that is expressly provided for in the court order or other provision of law authorizing such release and use.

    `(2) Limitation on use by private persons and foreign citizens. -

        `(A) In general. - Except as provided in subparagraph (B), a person (including a person not a citizen or permanent resident of the United States) that is not an agency of the Federal Government or a State or local government shall not have access to or use keys associated with an encryption standard established under subsection (b).

        `(B) Exception. - A representative of a foreign government may have access to and use a key associated with an encryption standard established under subsection (b) only if the President determines that such access and use is in the national security and foreign policy interests of the United States. The President shall prescribe the manner and conditions of any such access and use.

    `(3) Limit on use by government agencies. - A government agency, instrumentality, or political subdivision thereof shall not have access to or use a key or component thereof associated with an encryption standard established under subsection (b) that is held by a key escrow agent under subsection (d) unless such access or use is authorized by this section, by court order, or by other law.

`(f) Review and Report. -

    `(1) In general. - Within 2 years after the date of the enactment of this Act and at least once every 2 years thereafter, the Secretary shall conduct a hearing on the record in which all interested parties shall have an opportunity to comment on the extent to which encryption standards, procedures, and requirements established under this section have succeeded in fulfilling the purposes of this section and the manner and extent to which such standards, procedures, and requirements can be improved.
    `(2) Report. - Upon completion of a hearing conducted under paragraph (1), the Secretary shall submit to the Congress a report containing a statement of the Secretary's findings pursuant to the hearing along with recommendations and a plan for correcting any deficiencies or abuses in achieving the purposes of this section that are identified as a result of the hearing.

`(g) Regulations. - Within one year after the date of the enactment of this Act, the Secretary and each key escrow agent designated by the President under subsection (d) shall, after notice to the public and opportunity for comment, issue any regulations necessary to carry out this section.

`(h) Liability. - The United States shall not be liable for any loss incurred by any individual or other person resulting from any compromise or security breach of any encryption standard established under subsection (b) or any violation of this section or any regulation or procedure established by or under this section by -

    `(1) any person who is not an official or employee of the United States; or

    `(2) any person who is an official or employee of the United States, unless such compromise, breach, or violation is willful.

`(i) Severability. - If any provision of this section, or the application thereof, to any person or circumstance, is held invalid, the remainder of this section, and the application thereof, to other persons or circumstances shall not be affected thereby.

`(j) Definitions. - For purposes of this section:

    `(1) The term `content`, when used with respect to electronic information, includes the substance, purport, or meaning of that information.

    `(2) The term `electronic communications system` has the meaning given such term in section 2510(14) of title 18, United States Code.
    `(3) The term `encryption` means a method -

        `(A) to encipher and decipher the content of electronic information to protect the privacy and security of such information; or

        `(B) to verify the integrity, or authenticate the origin, of electronic information.

    `(4) The term `encryption standard` means a technical, management, physical, or administrative standard or associated guideline or procedure for conducting encryption, including key escrow encryption, to ensure or verify the integrity, authenticity, or confidentiality of electronic information that, regardless of application or purpose, is stored, processed, transmitted, or otherwise communicated domestically or internationally in any public or private electronic communications system.

    `(5) The term `key escrow encryption` means an encryption method that allows the government, pursuant to court order or other provision of law, to decipher electronic information that has been encrypted with that method by using a unique secret code or key that is, in whole or in part, held by and obtained from a key escrow agent.

    `(6) The term `key escrow agent` means an entity designated by the President under subsection (d) to hold and manage keys associated with an encryption standard established under subsection (b).

    `(7) The term `key` means a unique secret code or character string that enables a party other than the sender, holder, or intended recipient of electronic information to decipher such information that has been enciphered with a corresponding encryption standard established under subsection (b) only with such code or string.
    `(8) The term `electronic information` means the content, source, or destination of any information in any electronic form and in any medium which has not been specifically authorized by a Federal statute or an Executive Order to be kept secret in the interest of national defense or foreign policy and which is stored, processed, transmitted or otherwise communicated, domestically or internationally, in an electronic communications system, and

        `(A) electronic communication within the meaning of section 2510(12) of title 18, United States Code; or

        `(B) wire communication within the meaning of section 2510(1) of such title.

    `(9) The term `government` means the Federal Government, a State or political subdivision of a State, the District of Columbia, or a commonwealth, territory, or possession of the United States.

`(k) Authorization of Appropriations. -

    `(1) In general. - From amounts otherwise authorized to be appropriated to the Secretary of Commerce for fiscal years 1995 through 1997 to carry out the programs of the Institute, the amount of $50,000,000 shall be available for such fiscal years to carry out this section. Such amount shall remain available until expended. Of such amount, $1,000,000 shall be available for the National Research Council study on national cryptography policy authorized under section 267 of the National Defense Authorization Act for Fiscal Year 1994 (10 U.S.C. 421 note).

    `(2) Transfer authority. - The Secretary may transfer funds appropriated pursuant to paragraph (1) to a key escrow agent other than the Secretary in amounts sufficient to cover the cost of carrying out the responsibilities of the agent under this section. Funds so transferred shall remain available until expended.`.

]