ARTICLE
8 October 1997

1997 Encryption Legislation

SJ
Steptoe LLP

Contributor

In more than 100 years of practice, Steptoe has earned an international reputation for vigorous representation of clients before governmental agencies, successful advocacy in litigation and arbitration, and creative and practical advice in structuring business transactions. Steptoe has more than 500 lawyers and professional staff across the US, Europe and Asia.
Name and Bill Number: Security and Freedom Through Encryption (SAFE) Act (H.R. 695)

Principal Sponsor: Bob Goodlatte (R-VA)

Summary

  • Freedom to use any type of encryption to secure data in the US.
  • Additional criminal penalties are imposed for intentionally using encryption to commit or conceal a felony.
  • Free exportability is allowed for all mass market or public domain encryption software, as well as all hardware that merely incorporates such software, regardless of algorithm or key length.
  • For non-mass market encryption, any product approved for export to foreign banks would be exportable for all nonmilitary uses unless the Commerce Department finds substantial evidence that the encryption would be diverted to a military or terrorist end use or re-exported contrary to US law.
  • Free exportability of any encryption hardware products with security strengths comparable to those commercially available from foreign suppliers.

Status: The bill has been approved by the Intellectual Property Subcommittee of the House Judiciary Committee, the full Judiciary Committee, the Int'l Economic Policy & Trade Subcommittee of the House International Relations Committee, and the full IR Committee.

Name and Bill Number: Promotion of Commerce On-Line in the Digital Era (Pro-CODE) Act (S.377)

Principal Sponsor: Conrad Burns (R-MT)

Summary

  • A guarantee of free choice of encryption within the US, and a prohibition on the federal or any state government regulating the sale of encryption products within the United States.
  • Export liberalizations similar to those contained in the SAFE bill: mass market software, and any computer hardware that incorporates such software, would be freely exportable. Any other software or hardware would be exportable if the product is approved for export to foreign banks, unless Commerce finds substantial evidence that the encryption would be diverted to a military or terrorist end use or re-exported contrary to US law. However, unlike the SAFE bill, the Pro-CODE bill does not have a general foreign availability provision for hardware.
  • The establishment of an "Information Security Board" made up of representatives from the federal agencies involved in the formation of information security policy to foster communication between industry and the government and to keep national security and law enforcement agencies informed about emerging technologies.

Status: The Pro-CODE bill was referred to the Science, Technology, and Space Subcommittee of the Senate Committee on Commerce, Science, and Transportation. A markup has been expected for some time, but none has been scheduled. A Burns substitute for the McCain-Kerrey bill was rejected by the full Commerce Committee.

Name and Bill Number: Encrypted Communications Privacy Act (S.376)

Principal Sponsor: Patrick Leahy (D-VT)

Summary

  • The codification of free choice of encryption within the United States (like SAFE and Pro-CODE)
  • Criminal penalties for using encryption in furtherance of a felony.
  • The creation of broad liabilities (eg for the improper release of keys) for companies involved in key escrow services.
  • Export liberalization provisions that are substantially the same as those in the SAFE bill.

Status: The bill was referred to the Terrorism, Technology, and Government Information subcommittee of the Senate Judiciary Committee. Little attention has been paid to it, and no action is expected.

Name and Bill Number: The Administration Draft Bill

Sponsor: None

Summary

  • The Commerce Department "may" register entities as Key Recovery Agents or Certificate Authorities, but such registration is not required.
  • Limitations on liability: Penalties imposed for violations of the Act are limited, and compliance with the Act is a complete defense for all noncontractual civil actions.
  • Registered Certificate Authorities are prohibited from issuing a public key certificate to a person unless that person (1) stores key recovery information with a registered Key Recovery Agent or (2) makes other arrangements that ensure lawful and confidential access to this information pursuant to regulations acceptable to the Attorney General.
  • A Key Recovery Agent, whether registered or not, is required to disclose stored recovery information to a government agency under warrant or court order, and the Key Recovery Agent is required to keep confidential all requests for such information.

Status: The legislation was not introduced, but several drafts were formally circulated. The Administration has apparently refrained from introducing the legislation in order to wait and see what happens with the McCain-Kerrey bill.

Name and Bill number: Secure Public Networks Act (S.909)

Sponsors: John McCain (R-AZ) & Bob Kerrey (D-NE)

Summary

  • Free choice of encryption inside the US, but any encryption product procured by the US government or with Federal funds, and any encryption product for use in any communications network established by the US Government or with the use of Federal funds, shall use key recovery.
  • Encryption products up to 56 bits, and key recovery products (without regard to algorithm or key length), will be exportable under a license exception following a one-time review; other encryption products (ie non-recovery products stronger than 56 bits) can qualify for individual licenses; and expedited review procedures will be established for exports involving banks, financial institutions, health care providers, and subsidiaries of US companies.
  • The bill provides for the voluntary registration of Certificate Authorities and Key Recovery Agents. There is nothing in the Act that prohibits unregistered Certificate Authorities or Key Recovery Agents from operating, but the Act does provide significant incentives to encourage registration - including limitations on liability.
  • Registered Certificate Authorities cannot issue a public key certificate for a key that can be used for encryption unless the person receiving that key stores sufficient recovery information with a registered Key Recovery Agent, or makes other arrangements approved by the Commerce Department to assure that lawful recovery of the plaintext of encrypted data and communications can be accomplished confidentially when necessary.
  • A key recovery agent must disclose recovery information to a government entity where that entity has a subpoena which is based upon either (1) some independent lawful authority to obtain the underlying encrypted data (ie a warrant or court order, a subpoena, a certification under the Foreign Intelligence Surveillance Act, or other lawful authority), or (2) a request from a foreign government that the government entity is authorised to execute.
  • Criminal and civil penalties for various violations of the Act, including use of encryption in the furtherance of a felony and unauthorised privacy violations.
  • The formation of a Board similar to that in the Pro-CODE bill.

Status: The bill was approved by the Senate Commerce Committee almost immediately upon its introduction. The bill has been referred to the Senate Judiciary Committee.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

For further information please contact L. Benjamin Ederington on Tel: + 202-429-6411, Fax: 202-429-3902 or E-mail: bedering@steptoe.com
