EPIC logo

[White House Document]

FACT SHEET

THE CYBERSPACE ELECTRONIC SECURITY ACT OF 1999 (CESA)

For Immediate Release September 16, 1999

Today, the President is transmitting to the Congress a legislative proposal entitled the "Cyberspace Electronic Security Act of 1999" (CESA). This legislation would protect the growing use of encryption for the legitimate protection of privacy and confidentiality by businesses and individuals, while helping law enforcement obtain evidence to investigate and prosecute criminals despite their use of encryption to hide criminal activity.

Encryption is an important tool for protecting personal privacy and is essential for the expansion of electronic commerce. Yet, the advent and eventual widespread use of encryption poses significant challenges to law enforcement and public safety. Under existing law, investigators have a variety of legal tools to collect electronic evidence of illegal activity. These tools are rendered useless when encryption is used to scramble evidence so that law enforcement cannot decipher it in a timely manner, if at all. Timely action against terrorists, drug dealers, or kidnappers may require rapid access to electronic information that must not be thwarted by encryption.

CESA balances the needs of privacy and public safety. It establishes significant new protections for the privacy of persons who use encryption legally. The bill is technology neutral, and does not presuppose technology solutions. CESA also provides mechanisms to help maintain law enforcement's current ability to obtain useable evidence as encryption becomes more common. More specifically, CESA would:

  • Ensure that law enforcement maintains its ability to access decryption information stored with third parties, while protecting such information from inappropriate release. Law enforcement must inform a person whose key is obtained using court process, and must destroy the keys after their use is complete and when Federal records laws permit. Law enforcement may only use decryption keys obtained from a key recovery agent for an explicitly authorized purpose. A key recovery agent may not disclose or use a decryption key, nor disclose the identity of a customer, except under explicit and limited circumstances. Individuals remain completely free to use -- or not to use -- the services of a recovery agent.

  • Authorize $80 million over four years for the FBI's Technical Support Center, which will serve as a centralized technical resource for Federal, State, and local law enforcement in responding to the increasing use of encryption by criminals.

  • Ensure that sensitive investigative techniques and industry trade secrets remain useful in current and future investigations by protecting them from unnecessary disclosure in litigation or criminal trials involving encryption. Orders protecting such techniques and trade secrets must be consistent with fully protecting defendants' rights to a fair trial under the Constitution's Due Process clause and the Sixth Amendment. Protection of techniques requires a judicial finding in accordance with specified criteria. Firms' competitive and liability positions are protected when lawfully assisting law enforcement through the sharing of trade secrets.

In contrast to an early draft version of the bill, the Administration's legislation does not provide new authority for search warrants for encryption keys without contemporaneous notice to the subject. The bill also does not regulate the domestic development, use or sale of encryption. Americans will remain free to use any encryption system domestically.

 


Return to the CESA Page