SAFE Act, Privacy Law, ISO 17799 and Cryptography Legislation

Security and Freedom Through Encryption Act (SAFE Act)



The contents of the bill are as follows:


A BILL

To amend title 18, United States Code, to affirm the rights of United States persons to use and sell encryption and to relax export controls on encryption.

    Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the `Security And Freedom through Encryption (SAFE) Act'.

SEC. 2. SALE AND USE OF ENCRYPTION.

    (a) IN GENERAL- Part I of title 18, United States Code, is amended by inserting after chapter 123 the following new chapter:

`CHAPTER 125--ENCRYPTED WIRE AND ELECTRONIC INFORMATION

    `2801. Definitions.

    `2802. Freedom to use encryption.

    `2803. Freedom to sell encryption.

    `2804. Prohibition on mandatory key escrow.

    `2805. Unlawful use of encryption in furtherance of a criminal act.

`Sec. 2801. Definitions

    `As used in this chapter--
      `(1) the terms `person', `State', `wire communication', `electronic communication', `investigative or law enforcement officer', and `judge of competent jurisdiction' have the meanings given those terms in section 2510 of this title;

      `(2) the term `decrypt' means to retransform or unscramble encrypted data, including communications, to its readable form;

      `(3) the terms `encrypt', `encrypted', and `encryption' mean the scrambling of wire communications, electronic communications, or electronically stored information, using mathematical formulas or algorithms in order to preserve the confidentiality, integrity, or authenticity of, and prevent unauthorized recipients from accessing or altering, such communications or information;

      `(4) the term `key' means the variable information used in a mathematical formula, code, or algorithm, or any component thereof, used to decrypt wire communications, electronic communications, or electronically stored information, that has been encrypted; and

      `(5) the term `key recovery information' means information that would enable obtaining the key of a user of encryption;

      `(6) the term `plaintext access capability' means any method or mechanism which would provide information in readable form prior to its being encrypted or after it has been decrypted;

      `(7) the term `United States person' means--

        `(A) any United States citizen;

        `(B) any other person organized under the laws of any State, the District of Columbia, or any commonwealth, territory, or possession of the United States; and

        `(C) any person organized under the laws of any foreign country who is owned or controlled by individuals or persons described in subparagraphs (A) and (B).

`Sec. 2802. Freedom to use encryption

    `Subject to section 2805, it shall be lawful for any person within any State, and for any United States person in a foreign country, to use any encryption, regardless of the encryption algorithm selected, encryption key length chosen, or implementation technique or medium used.

`Sec. 2803. Freedom to sell encryption

    `Subject to section 2805, it shall be lawful for any person within any State to sell in interstate commerce any encryption, regardless of the encryption algorithm selected, encryption key length chosen, or implementation technique or medium used.

`Sec. 2804. Prohibition on mandatory key escrow

    `(a) GENERAL PROHIBITION- Neither the Federal Government nor a State may require that, or condition any approval on a requirement that, a key, access to a key, key recovery information, or any other plaintext access capability be--
      `(1) built into computer hardware or software for any purpose;

      `(2) given to any other person, including a Federal Government agency or an entity in the private sector that may be certified or approved by the Federal Government or a State to receive it; or

      `(3) retained by the owner or user of an encryption key or any other person, other than for encryption products for use by the Federal Government or a State.

    `(b) PROHIBITION ON LINKAGE OF DIFFERENT USES OF ENCRYPTION- Neither the Federal Government nor a State may--

      `(1) require the use of encryption products, standards, or services used for confidentiality purposes, as a condition of the use of such products, standards, or services for authenticity or integrity purposes; or

      `(2) require the use of encryption products, standards, or services used for authenticity or integrity purposes, as a condition of the use of such products, standards, or services for confidentiality purposes.

    `(c) EXCEPTION FOR ACCESS FOR LAW ENFORCEMENT PURPOSES- Subsection (a) shall not affect the authority of any investigative or law enforcement officer, or any member of the intelligence community as defined in section 3 of the National Security Act of 1947 (50 U.S.C. 401a), acting under any law in effect on the effective date of this chapter, to gain access to encrypted communications or information.

`Sec. 2805. Unlawful use of encryption in furtherance of a criminal act

    `(a) ENCRYPTION OF INCRIMINATING COMMUNICATIONS OR INFORMATION UNLAWFUL- Any person who, in the commission of a felony under a criminal statute of the United States, knowingly and willfully encrypts incriminating communications or information relating to that felony with the intent to conceal such communications or information for the purpose of avoiding detection by law enforcement agencies or prosecution--
      `(1) in the case of a first offense under this section, shall be imprisoned for not more than 5 years, or fined in the amount set forth in this title, or both; and

      `(2) in the case of a second or subsequent offense under this section, shall be imprisoned for not more than 10 years, or fined in the amount set forth in this title, or both.

    `(b) USE OF ENCRYPTION NOT A BASIS FOR PROBABLE CAUSE- The use of encryption by any person shall not be the sole basis for establishing probable cause with respect to a criminal offense or a search warrant.'.

    (b) CONFORMING AMENDMENT- The table of chapters for part I of title 18, United States Code, is amended by inserting after the item relating to chapter 123 the following new item:

2801'.

SEC. 3. EXPORTS OF ENCRYPTION.

    (a) AMENDMENT TO EXPORT ADMINISTRATION ACT OF 1979- Section 17 of the Export Administration Act of 1979 (50 U.S.C. App. 2416) is amended by adding at the end thereof the following new subsection:

    `(g) CERTAIN CONSUMER PRODUCTS, COMPUTERS, AND RELATED EQUIPMENT-

      `(1) GENERAL RULE- Subject to paragraphs (2) and (3), the Secretary shall have exclusive authority to control exports of all computer hardware, software, computing devices, customer premises equipment, communications network equipment, and technology for information security (including encryption), except that which is specifically designed or modified for military use, including command, control, and intelligence applications.

      `(2) ITEMS NOT REQUIRING LICENSES- After a one-time, 15-day technical review by the Secretary, no export license may be required, except pursuant to the Trading with the enemy Act or the International Emergency Economic Powers Act (but only to the extent that the authority of such Act is not exercised to extend controls imposed under this Act), for the export or reexport of--

        `(A) any computer hardware or software or computing device, including computer hardware or software or computing devices with encryption capabilities--
          `(i) that is generally available;

          `(ii) that is in the public domain for which copyright or other protection is not available under title 17, United States Code, or that is available to the public because it is generally accessible to the interested public in any form; or

          `(iii) that is used in a commercial, off-the-shelf, consumer product or any component or subassembly designed for use in such a consumer product available within the United States or abroad which--

            `(I) includes encryption capabilities which are inaccessible to the end user; and

            `(II) is not designed for military or intelligence end use;

        `(B) any computing device solely because it incorporates or employs in any form--

          `(i) computer hardware or software (including computer hardware or software with encryption capabilities) that is exempted from any requirement for a license under subparagraph (A); or

          `(ii) computer hardware or software that is no more technically complex in its encryption capabilities than computer hardware or software that is exempted from any requirement for a license under subparagraph (A) but is not designed for installation by the purchaser;

        `(C) any computer hardware or software or computing device solely on the basis that it incorporates or employs in any form interface mechanisms for interaction with other computer hardware or software or computing devices, including computer hardware and software and computing devices with encryption capabilities;

        `(D) any computing or telecommunication device which incorporates or employs in any form computer hardware or software encryption capabilities which--

          `(i) are not directly available to the end user; or

          `(ii) limit the encryption to be point-to-point from the user to a central communications point or link and does not enable end-to-end user encryption;

        `(E) technical assistance and technical data used for the installation or maintenance of computer hardware or software or computing devices with encryption capabilities covered under this subsection; or

        `(F) any encryption hardware or software or computing device not used for confidentiality purposes, such as authentication, integrity, electronic signatures, nonrepudiation, or copy protection.

      `(3) COMPUTER HARDWARE OR SOFTWARE OR COMPUTING DEVICES WITH ENCRYPTION CAPABILITIES- After a one-time, 15-day technical review by the Secretary, the Secretary shall authorize the export or reexport of computer hardware or software or computing devices with encryption capabilities for nonmilitary end uses in any country--

        `(A) to which exports of computer hardware or software or computing devices of comparable strength are permitted for use by financial institutions not controlled in fact by United States persons, unless there is substantial evidence that such computer hardware or software or computing devices will be--
          `(i) diverted to a military end use or an end use supporting international terrorism;

          `(ii) modified for military or terrorist end use; or

          `(iii) reexported without any authorization by the United States that may be required under this Act; or

        `(B) if the Secretary determines that a computer hardware or software or computing device offering comparable security is commercially available outside the United States from a foreign supplier, without effective restrictions.

      `(4) DEFINITIONS- As used in this subsection--

        `(A)(i) the term `encryption' means the scrambling of wire communications, electronic communications, or electronically stored information, using mathematical formulas or algorithms in order to preserve the confidentiality, integrity, or authenticity of, and prevent unauthorized recipients from accessing or altering, such communications or information;

    `(ii) the terms `wire communication' and `electronic communication' have the meanings given those terms in section 2510 of title 18, United States Code;

    `(B) the term `generally available' means, in the case of computer hardware or computer software (including computer hardware or computer software with encryption capabilities)--

      `(i) computer hardware or computer software that is--
        `(I) distributed through the Internet;

        `(II) offered for sale, license, or transfer to any person without restriction, whether or not for consideration, including, but not limited to, over-the-counter retail sales, mail order transactions, phone order transactions, electronic distribution, or sale on approval;

        `(III) preloaded on computer hardware or computing devices that are widely available for sale to the public; or

        `(IV) assembled from computer hardware or computer software components that are widely available for sale to the public;

      `(ii) not designed, developed, or tailored by the manufacturer for specific purchasers or users, except that any such purchaser or user may--

        `(I) supply certain installation parameters needed by the computer hardware or software to function properly with the computer system of the user or purchaser; or

        `(II) select from among options contained in the computer hardware or computer software; and

      `(iii) with respect to which the manufacturer of that computer hardware or computer software--

        `(I) intended for the user or purchaser, including any licensee or transferee, to install the computer hardware or software and has supplied the necessary instructions to do so, except that the manufacturer of the computer hardware or software, or any agent of such manufacturer, may also provide telephone or electronic mail help line services for installation, electronic transmission, or basic operations; and

        `(II) the computer hardware or software is designed for such installation by the user or purchaser without further substantial support by the manufacturer;

    `(C) the term `computing device' means a device which incorporates one or more microprocessor-based central processing units that can accept, store, process, or provide output of data;

    `(D) the term `computer hardware' includes, but is not limited to, computer systems, equipment, application-specific assemblies, smart cards, modules, integrated circuits, and printed circuit board assemblies;

    `(E) the term `customer premises equipment' means equipment employed on the premises of a person to originate, route, or terminate communications;

    `(F) the term `technical assistance' includes instruction, skills training, working knowledge, consulting services, and the transfer of technical data;

    `(G) the term `technical data' includes blueprints, plans, diagrams, models, formulas, tables, engineering designs and specifications, and manuals and instructions written or recorded on other media or devices such as disks, tapes, or read-only memories; and

    `(H) the term `technical review' means a review by the Secretary of computer hardware or software or computing devices with encryption capabilities, based on information about the product's encryption capabilities supplied by the manufacturer, that the computer hardware or software or computing device works as represented.'.

    (b) NO REINSTATEMENT OF EXPORT CONTROLS ON PREVIOUSLY DECONTROLLED PRODUCTS- Any encryption product not requiring an export license as of the date of enactment of this Act, as a result of administrative decision or rulemaking, shall not require an export license on or after such date of enactment.

    (c) APPLICABILITY OF CERTAIN EXPORT CONTROLS-

      (1) IN GENERAL- Nothing in this Act shall limit the authority of the President under the International Emergency Economic Powers Act, the Trading with the enemy Act, or the Export Administration Act of 1979, to--
        (A) prohibit the export of encryption products to countries that have been determined to repeatedly provide support for acts of international terrorism; or

        (B) impose an embargo on exports to, and imports from, a specific country.

      (2) SPECIFIC DENIALS- The Secretary may prohibit the export of specific encryption products to an individual or organization in a specific foreign country identified by the Secretary, if the Secretary determines that there is substantial evidence that such encryption products will be used for military or terrorist end-use.

      (3) DEFINITION- As used in this subsection and subsection (b), the term `encryption' has the meaning given that term in section 17(g)(5)(A) of the Export Administration Act of 1979, as added by subsection (a) of this section.

    (d) CONTINUATION OF EXPORT ADMINISTRATION ACT- For purposes of carrying out the amendment made by subsection (a), the Export Administration Act of 1979 shall be deemed to be in effect.

SEC. 4. EFFECT ON LAW ENFORCEMENT ACTIVITIES.

    (a) COLLECTION OF INFORMATION BY ATTORNEY GENERAL- The Attorney General shall compile, and maintain in classified form, data on the instances in which encryption (as defined in section 2801 of title 18, United States Code) has interfered with, impeded, or obstructed the ability of the Department of Justice to enforce the criminal laws of the United States.

    (b) AVAILABILITY OF INFORMATION TO THE CONGRESS- The information compiled under subsection (a), including an unclassified summary thereof, shall be made available, upon request, to any Member of Congress.


