The Electronic Data Security Act of 1997


105th CONGRESS							DRAFT 3/12/97
1st Session


                       H.R. _________________

                   ________________________________________

Mr. _________________ of _________________ introduced the following 
bill;  which was referred to the Committee on _____________________

A BILL

To enable the development of a key management infrastructure for public-key-based encryption and attendant encryption products that will assure that individuals and businesses can transmit and receive information electronically with confidence in the information's confidentiality, integrity, availability, and authenticity, and that will promote timely lawful government access.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

TITLE I -- GENERAL PROVISIONS

SEC. 101. SHORT TITLE

This Act may be cited as the "Electronic Data Security Act of 1997".

SEC. 102. FINDINGS

The Congress finds the following:

(A) The development of the information superhighway is fundamentally changing the way we interact. The nation's commerce is moving to networking. Individuals, government entities, and other institutions are communicating across common links.

(B) The Internet has provided our society with a glimpse of what is possible in the information age, and the demand for information access and electronic commerce is rapidly increasing. The demands are arising from all elements of society, including banks, manufacturers, service providers, state and local governments, and educational institutions.

(C) Today, business and social interactions occur through face-to-face discussions, telephone communications, and written correspondence. Each of these methods for interacting enables us to recognize the face, or voice, or written signature of the person with whom we are dealing. It is this recognition that permits us to trust the communication.

(D) In the information age, however, those personal attributes will be replaced with digital equivalents upon which we will rely. Electronic digital transmissions, through which many businesses and social interactions will occur, inherently separate the communication from the person, forsaking confidence once derived from a handshake or a signed document.

(E) At the same time, society's increasing reliance on information systems in this new environment exposes U.S. citizens, institutions, and their information to unprecedented risks.

(F) In order for the global information infrastructure and electronic commerce to achieve their potential, information systems must be imbued with the attributes that overcome these risks and must provide trusted methods to identify users.

(G) Cryptography can meet these needs. Cryptography can be used to digitally sign communications or electronic documents such that a recipient can be confident that any message he or she received could only have come from the apparent sender. Moreover, cryptography is an important tool in protecting the confidentially of wire and electronic communications and stored data. Thus, there is a national need to encourage the development, adoption, and use of cryptographic products that are consistent with the foregoing considerations and are appropriate for use both in domestic and export markets by the United States Government.

(H) The lack of a key management infrastructure impedes the use cryptography and, there fore, the potential of electronic commerce. Users cannot encrypt messages without keys, therefore, they need a secure and standardized mechanism for the generation of keys, storage of keys, and transfer of keys between users. There is currently no standardized mechanism for the generation of keys, storage of keys, and transfer of keys between users. There is currently no standardized method in the private sector to accomplish all of these tasks, thus users must individually assume these burdens or forego the use of cryptography.

(I) Industry must work with government to develop a public-key-based key management infrastructure and attendant products that will ensure participants can transmit, receive, and use information electronically with confidence in the information's integrity, confidentiality, authenticity, and origin, while also allowing timely lawful government access.

(J) To this end, the government should issue appropriate public key encryption standards for federal systems and encourage the development of interoperable private sector standards for use across border. However, the architecture(s) the government endorses in its' standards must permit the use of any encryption algorithm.

(K) To effectively serve the public, such a key management infrastructure must be founded upon a system of trusted service providers to ensure acceptable standards of security, reliability, and interoperability.

(L) While cryptographic products and services are useful for protecting information and its authenticity, such products also can be sued by terrorists, organized crime syndicates, drug trafficking organizations, and other dangerous and violent criminals to avoid detection and to hide evidence of criminal activity, thereby jeopardizing effective law enforcement, public safety, and national security.

(M) Any effective key management infrastructure must not hinder the ability of government agencies, pursuant to lawful authority, to decipher in a timely manner and obtain the plaintext of communications and stored data.

SEC. 103. LAWFUL USE OF ENCRYPTION.

It shall be lawful for any person within any State of the United States, the District of Columbia, the Commonwealth of Puerto Rico, and any territory or possession of the United States, to use any encryption, regardless of the encryption algorithm selected, encryption key length chosen, or implementation technique or medium used, except as provided in this Act or in any other law. Participation in the key management infrastructure enabled by this Act is voluntary.

TITLE II -- REGISTRATION OF CERTIFICATE AUTHORITIES AND KEY RECOVERY AGENTS

SEC. 201. REGISTRATION OF CERTIFICATE AUTHORITIES

The Secretary may register any suitable private sector entity, government agency, or foreign government agency to act as a Certificate Authority in the Secretary determines that the entity or agency meets minimum standards, as specified in regulations promulgated by the Secretary for security, performance, and practices in order to accomplish the duties of a Certificate Authority registered under this Act. The Secretary may condition, modify or revoke such a registration if the registered entity or agency has violated any provision of this Act or any rule, regulation, or requirement prescribed by the Secretary under this Act, or for any other reasons specified by the Secretary in rule or regulation.

SEC. 202. REGISTRATION OF KEY RECOVERY AGENTS.

(A) Registration by the Secretary. The Secretary may register a suitable private sector entity or government agency to act as a Key Recovery Agent if the Secretary determines that the entity or agency possesses the capability, competency, trustworthiness and resources to safeguard sensitive information entrusted to it, to carry out the responsibilities set forth in subsection (B) of this section, and to comply with the Secretary's regulations.

(B) Responsibilities of Key Recovery Agents. A Key Recovery Agent registered under subsection (A) of this section shall, consistent with regulations issued by the Secretary, establish procedures and take other appropriate steps --

(2) to protect the confidentiality of the identity of the person or persons for whom such Key Recovery Agent holds recovery information;

(3) to protect the confidentiality of lawful requests for recovery information and the identity of the individual or government agency requesting recovery information and all information concerning such individual's or agency's access to and sue of recovery information; (4) to carry out the responsibilities set forth in this Act and implementing regulations.

(C) Revocation of Key Recovery Agent Registration. The Secretary may condition, modify, or revoke a Key Recovery Agent's registration if the registered entity or agency has violated nay provision of this Act or any rule, regulation, or requirement prescribed by the Secretary under this Act, or for any other reasons specified by the Secretary in rule or regulation.

SEC. 203. PUBLIC KEY CERTIFICATES FOR ENCRYPTION KEYS.

The Secretary or a Certificate Authority registered under this Act may issue to a person a public key certificate that certifies a public key that can be used for encryption only if the person:

(B) makes other arrangements, approved by the Secretary pursuant to regulations acceptable to the Attorney General, that assure that lawful recovery of the plaintext of encrypted data and communications can be accomplished confidentially when necessary.

TITLE III -- RELEASE OF RECOVERY INFORMATION BY KEY RECOVERY AGENTS

SEC. 301. CIRCUMSTANCES IN WHICH INFORMATION MAY BE RELEASED

A Key Recovery Agent, whether or not registered by the Secretary under this Act, is prohibited from disclosing recovery information stored by a persons unless the disclosure is --

(B) with the consent of that person, including pursuant to a contract entered into with that person;

(C) pursuant to a court order upon a showing of compelling need for the information that cannot be accommodated by any other means, if --

(2) the person who stored the information is afforded the opportunity to appear in the court proceeding and contest the claim of the person seeking the disclosure;

(E) as otherwise permitted by this Act or other law, particularly including release of recovery information pursuant to section 302 of this Act.

SEC. 302. RELEASE OF RECOVERY INFORMATION TO GOVERNMENT AGENCIES.

(A) A Key Recovery Agent, whether or not registered by the Secretary under this Act, shall disclose recovery information stored by a person:

(2) to a law enforcement or national security government agency upon receipt of written authorization in a form to be specified by the Attorney General.

(B) The Attorney General shall issue regulations governing the use of written authorizations to require release of recovery information to law enforcement and national security government agencies. Those regulations shall permit the use of written authorizations only when the government agency is lawfully entitled to determine the plaintext of wire or electronic communications or of electronic information and will use the recovery information for that purpose, to test products in the agency's possession, to prove facts in legal proceedings, or to comply with a request from a duly authorized agency or a foreign government.

SEC. 303. USE AND DESTRUCTION OF RECOVERY INFORMATION RELEASE TO A GOVERNMENT AGENCY.

A government agency to which recovery information has been released in response to a written authorization issued under section 302(A)(2) or the Act, by a Key Recovery Agent registered under this Act, may use the recovery information only to determine the plaintext of any wire or electronic communication or of any stored electronic information that the agency lawfully acquires or intercepts, to test cryptographic products in the agency's possession, to prove facts in legal proceedings, or to comply with the request of a duly authorized agency of a foreign government. Once such lawful use is completed, the government agency shall destroy the recovery information in its possession and shall make a record documenting such destruction. The government agency shall not use the recovery information to determine that plaintext of any wire or electronic communication or of any stored electronic information unless it has lawful authority to do so apart from the Act.

SEC. 304. CONFIDENTIALITY OF RELEASE OF RECOVERY INFORMATION.

A Key Recovery Agent or other person shall not disclose to any person, except as authorized by this Act or regulations promulgated thereunder or except as ordered by a federal court of competent jurisdiction, the facts or circumstances of any release of recovery information pursuant to section 302(A)(2) of the Act or requests therefor.

TITLE IV -- LIABILITY

SEC. 401. CIVIL ENFORCEMENT

(A) Enforcement by the Secretary. The Secretary may, when appropriate in fulfilling his or her duties under this Act or the regulations promulgated thereunder, make investigations, obtain information, take sworn testimony, and require reports or the keeping of records by, and make inspection of the books, records, and other writings, premises or property of registered entities.

(B) Civil Penalties. Any person who violates section 403 of this Act shall be subject to a civil penalty in an amount assessed by a court in a civil action.

(2) a civil action to recover such a civil penalty may be commenced by the Attorney General.

(3) A civil action under this subsection may not be commenced later than 5 years after the cause of the action accrues.

(C) Injunctions. The Attorney General may bring an action to enjoin any person from committing any violation of any provision of the Act or regulations promulgated thereunder.

(D) Jurisdiction. The district courts of the United States shall have original jurisdictions over any actions brought by the Attorney General under this section.

SEC. 402. CIVIL CAUSE OF ACTION AGAINST THE UNITED STATES GOVERNMENT.

(A) Cause of Action. Except as otherwise provided in this Act, any person whose recovery information is knowingly obtained without lawful authority by an agent of the United States Government from a registered Key Recovery Agent, or, if obtained by an agent of the United States Government with lawful authority from a registered Key Recovery Agent, is knowingly used or disclosed without lawful authority, may, in a civil action, recover from the United States Government the actual damages suffered by the plaintiff, and reasonable attorney's fee and other litigation costs reasonably incurred.

(B) Limitations. a civil action under this section may not be commenced later than two years after the date upon which the claimant first discovered or had a reasonable opportunity to discover the violation.

SEC. 403. CRIMINAL ACTS.

It shall be unlawful for any person --

(A) if a Certificate Authority registered under this Act, intentionally to issue a public key certificate in violation of section 203 of this Act;

(B) intentionally to disclose recovery information in violation of this Act;

(C) intentionally to obtain or use recovery information without lawful authority, or, having received such information with lawful authority, intentionally to exceed such authority for the purpose of decrypting data or communications;

(D) if a Key Recovery Agent, or officer, employee, or agent thereof, intentionally to disclose the facts or circumstances of any release of recovery information or requests therefor in violation of this Act;

(E) intentionally to issue a public key certificate under this Act, or to fail to revoke such a certificate, knowing that the person from whom the certificate is issued does not meet the requirements of this Act or the regulations promulgated thereunder;

(F) intentionally to apply for or obtain a public key certificate under this Act, knowing that the person to be identified in the public key certificate does not meet the requirements of this Act or the Regulations promulgated thereunder; or

(G) knowingly to issue a public key certificate in furtherance of the commission of a criminal offense which may be prosecuted in a court of competent jurisdiction.

Any person who violates this section shall be fined under title 18, United States Code, or imprisoned not more than five years, or both.

SEC. 404. USE OF ENCRYPTION IN FURTHERANCE OF CRIME.

(A) Whoever knowingly encrypts data or communications in furtherance of the commission of a criminal offense for which the person may be prosecuted in a court of competent jurisdiction shall, in addition to any penalties for the underlying criminal offense, be fined under title 18, United States Code, or imprisoned not more than five years, or both.

(B) It is an affirmative defense to a prosecution under this section that the defendant stored sufficient information to decrypt the data or communications with a Key Recovery Agent registered under Act if that information is reasonable available to the government. The defendant bears the burden of persuasion on this issue.

(C) The United States Sentencing Commission shall, pursuant to its authority under section 9944(p) of title 28, United States Code, amend the sentencing guidelines to ensure that any person convicted of a violation of subsection (A) of this section is imprisoned for not less than 6 months, and if convicted of other offenses at the same time, has the offense level increased by at least three levels.

SEC. 405. NO CAUSE OF ACTION FOR COMPLYING WITH GOVERNMENT REQUESTS.

No civil or criminal liability under this Act or any other law shall attach to any Key Recovery Agent, its officers, employees, agents, or any other persons specified by the Secretary in regulations, for disclosing recovery information or providing other assistance to a government agency in accordance with the terms of a court order, warrant, subpoena, certification, written authorization or other legal authority.

SEC. 406. COMPLIANCE DEFENSE.

Compliance with this Act and the regulations promulgated thereunder is a complete defense, for Certificate Authorities registered under this Act and Key Recovery Agents registered under this Act, to any noncontractual civil action for damages based upon activities regulated by this Act.

SEC. 407. GOOD FAITH DEFENSE.

A good faith reliance on a court warrant or order subpoena, legislative authorization, statutory authorization, a certification, a written authorization, or other legal authority for access to recovery information under this Act or its implementing regulations is a complete defense to any civil or criminal action brought under this Act.

SEC. 408. FEDERAL GOVERNMENT LIABILITY.

Except as provided otherwise in this Act, the United States shall not be liable for any loss incurred by any individual or entity resulting from any violation of this Act or the failure to exercise reasonable care in the performance of any duties under any regulation or procedure established by or under this Act, nor resulting from any action by any person who is not an official or employee of the United States.

TITLE V -- OTHER KEY RECOVERY PROVISIONS

SEC. 501. LABELING OF ENCRYPTION PRODUCTS.

(A) Any person engaged in manufacturing, importing, packaging, distributing or labeling of encryption products for purposes of sale or distribution in the United States shall package and label them so as to inform the user whether the products use Key Recovery Agents registered under this Act for storage of recovery information, and whether such products are authorized for use in transactions with the United States Government, as specified in regulations promulgated by the Secretary.

(B) The provisions contained in subsection (A) shall not apply to persons engaged in business as wholesale or retail distributors of encryption products to users except to the extent such persons are (1) engaged in packaging or labeling of such products for sale to users, or (2) prescribe or specify by any means the manner in which such products are package or labeled.

SEC. 502. CONTRACTS, COOPERATIVE AGREEMENTS, JOINT VENTURES AND OTHER TRANSACTIONS.

A Federal agency approved as a Key Recovery Agent under this Act may enter into contracts, cooperative agreements, joint ventures and other transactions and take other appropriate steps to carry out its responsibilities.

SEC 503. NEGOTIATION WITH OTHER COUNTRIES.

The President shall conduct negotiations with other countries, on a bilateral or multilateral basis, for the purpose of seeking and concluding mutual recognition arrangements for Key Recovery Agents and Certificate Authorities registered by the United States and other countries.

TITLE VI -- MISCELLANEOUS PROVISIONS

SEC. 601. REGULATION AND FEES.

(A) Within one hundred and eighty days after the date of the enactment of this Act, the Secretary shall, in coordination with the Secretary of State, Secretary of Defense, and Attorney General, after notice to the public and opportunity for comment, issue any regulations necessary to carry out this Act.

(B) The Secretary may delay the date for compliance with the regulations issued for up to one year if the Secretary determines that the delay is necessary to allow for compliance with the regulations.

SEC. 602. INTERPRETATION.

Nothing contained in this Title shall be deemed to preempt or otherwise affect the applications of the Arms Export Control Act (22 U.S.C. 2751 et sec.) or any regulations promulgated thereunder. (Language concerning the Export Administration Act and/or IEEPA is under development.)

SEC. 603. SEVERABILITY.

If any provision of this Act, or the application thereof, to any person or circumstance, is held invalid, the remainder of this Act, and the application thereof, to other persons or circumstances shall not be affected thereby.

SEC. 604. AUTHORIZATION OF APPROPRIATIONS.

[This section is reserved pending discussions to develop language that is consistent with the President's budget.]

SEC. 605. DEFINITIONS.

For purposes of this Act:

(2) The term "Secretary" means the Secretary of Commerce of the United States or his or her designee.

(3) The term "Secretary of State: means the Secretary of State of the United States or his or her designee.

(4) The term "Secretary of Defense" means the Secretary of Defense of the United States or his or her designee.

(5) The term "Attorney General" means the Attorney General of the United States or his or her designee.

(6) The term "encryption" means the transformation of data (including communications) in order to hide its information content. To "encrypt" is to perform encryption.

(7) The term "decryption" means the retransformation of data (including communications) that has been encrypted into the data�s original form.

(8) The term "plaintext" refers to data (including communications) that has not been encrypted, or if encrypted, has been decrypted.

(9) The term "ciphertext" refers to data (including communications) that has been encrypted.

(10) the term "key" means a parameter, or a component thereof, used with an algorithm to validate, authenticate, encrypt or decrypt a message.

(11) The term "public key" means for cryptographic systems that use different keys for encryption and decryption, the key that is intended to be publicly known.

(12) The term "public key certificate" means information about a public key and its user, particularly including information that identifies that public key with its user, which has been digitally signed by the person issuing the public key certificate, using a private key of the issuer.

(13) The term "Certificate Authority" means a person trusted by one or more persons to create and assign public key certificates.

(14) The term "Key Recovery Agent" means a person trusted by one or more persons to hold and maintain sufficient information to allow access to the data or communications of the person or persons for whom that information is held, and who holds and maintains that information as a business or governmental practice, whether or not for profit.

(15) The term "recovery information" means keys or other information provided to a Key Recovery Agent by a person, that can be used to decrypt that person�s data and communications.

(16) The term "electronic information" includes but is not limited to voice communications, texts, messages, recordings, images or documents, in any electronic, electromagnetic, photoelectronic, photooptical, or digitally encoded computerreadable form.

(17) The term "electronic communication" has the meaning given such term in section 2510 (12) of title 18, United States Code.

(18) The term "wire communications" has the meaning given such term in section 2510(1) of title 18, United States Code.

(19) The term "government" means the government of the United States and any agency or instrumentality thereof, a State or political subdivision of a State, the District of Columbia, or commonwealth, territory, or possession of the United States.

(20) The term "cryptographic product" means any product (including, but not limited to, hardware, firmware, or software, or some combination thereof), that is designed, adapted, or configured to use a cryptographic algorithm to protect or assure the integrity, confidentiality and/or authenticity of information.

(21) The term "encryption product" means a cryptographic product that can be used to encrypt or decrypt data.