105th CONGRESS DRAFT 3/12/97 1st Session H.R. _________________ ________________________________________ Mr. _________________ of _________________ introduced the following bill; which was referred to the Committee on _____________________
To enable the development of a key management infrastructure for public-key-based encryption and attendant encryption products that will assure that individuals and businesses can transmit and receive information electronically with confidence in the information's confidentiality, integrity, availability, and authenticity, and that will promote timely lawful government access.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
(A) The development of the information superhighway is fundamentally changing the way we interact. The nation's commerce is moving to networking. Individuals, government entities, and other institutions are communicating across common links.
(B) The Internet has provided our society with a glimpse of what is possible in the information age, and the demand for information access and electronic commerce is rapidly increasing. The demands are arising from all elements of society, including banks, manufacturers, service providers, state and local governments, and educational institutions.
(C) Today, business and social interactions occur through face-to-face discussions, telephone communications, and written correspondence. Each of these methods for interacting enables us to recognize the face, or voice, or written signature of the person with whom we are dealing. It is this recognition that permits us to trust the communication.
(D) In the information age, however, those personal attributes will be replaced with digital equivalents upon which we will rely. Electronic digital transmissions, through which many businesses and social interactions will occur, inherently separate the communication from the person, forsaking confidence once derived from a handshake or a signed document.
(E) At the same time, society's increasing reliance on information systems in this new environment exposes U.S. citizens, institutions, and their information to unprecedented risks.
(F) In order for the global information infrastructure and electronic commerce to achieve their potential, information systems must be imbued with the attributes that overcome these risks and must provide trusted methods to identify users.
(G) Cryptography can meet these needs. Cryptography can be used to digitally sign communications or electronic documents such that a recipient can be confident that any message he or she received could only have come from the apparent sender. Moreover, cryptography is an important tool in protecting the confidentially of wire and electronic communications and stored data. Thus, there is a national need to encourage the development, adoption, and use of cryptographic products that are consistent with the foregoing considerations and are appropriate for use both in domestic and export markets by the United States Government.
(H) The lack of a key management infrastructure impedes the use cryptography and, there fore, the potential of electronic commerce. Users cannot encrypt messages without keys, therefore, they need a secure and standardized mechanism for the generation of keys, storage of keys, and transfer of keys between users. There is currently no standardized mechanism for the generation of keys, storage of keys, and transfer of keys between users. There is currently no standardized method in the private sector to accomplish all of these tasks, thus users must individually assume these burdens or forego the use of cryptography.
(I) Industry must work with government to develop a public-key-based key management infrastructure and attendant products that will ensure participants can transmit, receive, and use information electronically with confidence in the information's integrity, confidentiality, authenticity, and origin, while also allowing timely lawful government access.
(J) To this end, the government should issue appropriate public key encryption standards for federal systems and encourage the development of interoperable private sector standards for use across border. However, the architecture(s) the government endorses in its' standards must permit the use of any encryption algorithm.
(K) To effectively serve the public, such a key management infrastructure must be founded upon a system of trusted service providers to ensure acceptable standards of security, reliability, and interoperability.
(L) While cryptographic products and services are useful for protecting information and its authenticity, such products also can be sued by terrorists, organized crime syndicates, drug trafficking organizations, and other dangerous and violent criminals to avoid detection and to hide evidence of criminal activity, thereby jeopardizing effective law enforcement, public safety, and national security.
(M) Any effective key management infrastructure must not hinder the ability of government agencies, pursuant to lawful authority, to decipher in a timely manner and obtain the plaintext of communications and stored data.
(B) Responsibilities of Key Recovery Agents. A Key Recovery Agent registered under subsection (A) of this section shall, consistent with regulations issued by the Secretary, establish procedures and take other appropriate steps --
(2) to protect the confidentiality of the identity of the person or persons for whom such Key Recovery Agent holds recovery information;
(3) to protect the confidentiality of lawful requests for recovery information and the identity of the individual or government agency requesting recovery information and all information concerning such individual's or agency's access to and sue of recovery information; (4) to carry out the responsibilities set forth in this Act and implementing regulations.
(B) makes other arrangements, approved by the Secretary pursuant to regulations acceptable to the Attorney General, that assure that lawful recovery of the plaintext of encrypted data and communications can be accomplished confidentially when necessary.
(B) with the consent of that person, including pursuant to a contract entered into with that person;
(C) pursuant to a court order upon a showing of compelling need for the information that cannot be accommodated by any other means, if --
(2) the person who stored the information is afforded the opportunity to appear in the court proceeding and contest the claim of the person seeking the disclosure;
(E) as otherwise permitted by this Act or other law, particularly including release of recovery information pursuant to section 302 of this Act.
(2) to a law enforcement or national security government agency upon receipt of written authorization in a form to be specified by the Attorney General.
(B) Civil Penalties. Any person who violates section 403 of this Act shall be subject to a civil penalty in an amount assessed by a court in a civil action.
(2) a civil action to recover such a civil penalty may be commenced by the Attorney General.
(3) A civil action under this subsection may not be commenced later than 5 years after the cause of the action accrues.
(D) Jurisdiction. The district courts of the United States shall have original jurisdictions over any actions brought by the Attorney General under this section.
(B) Limitations. a civil action under this section may not be commenced later than two years after the date upon which the claimant first discovered or had a reasonable opportunity to discover the violation.
(A) if a Certificate Authority registered under this Act, intentionally to issue a public key certificate in violation of section 203 of this Act;
(B) intentionally to disclose recovery information in violation of this Act;
(C) intentionally to obtain or use recovery information without lawful authority, or, having received such information with lawful authority, intentionally to exceed such authority for the purpose of decrypting data or communications;
(D) if a Key Recovery Agent, or officer, employee, or agent thereof, intentionally to disclose the facts or circumstances of any release of recovery information or requests therefor in violation of this Act;
(E) intentionally to issue a public key certificate under this Act, or to fail to revoke such a certificate, knowing that the person from whom the certificate is issued does not meet the requirements of this Act or the regulations promulgated thereunder;
(F) intentionally to apply for or obtain a public key certificate under this Act, knowing that the person to be identified in the public key certificate does not meet the requirements of this Act or the Regulations promulgated thereunder; or
(G) knowingly to issue a public key certificate in furtherance of the commission of a criminal offense which may be prosecuted in a court of competent jurisdiction.
(B) It is an affirmative defense to a prosecution under this section that the defendant stored sufficient information to decrypt the data or communications with a Key Recovery Agent registered under Act if that information is reasonable available to the government. The defendant bears the burden of persuasion on this issue.
(C) The United States Sentencing Commission shall, pursuant to its authority under section 9944(p) of title 28, United States Code, amend the sentencing guidelines to ensure that any person convicted of a violation of subsection (A) of this section is imprisoned for not less than 6 months, and if convicted of other offenses at the same time, has the offense level increased by at least three levels.
(B) The provisions contained in subsection (A) shall not apply to persons engaged in business as wholesale or retail distributors of encryption products to users except to the extent such persons are (1) engaged in packaging or labeling of such products for sale to users, or (2) prescribe or specify by any means the manner in which such products are package or labeled.
(B) The Secretary may delay the date for compliance with the regulations issued for up to one year if the Secretary determines that the delay is necessary to allow for compliance with the regulations.
(C) The Secretary may charge such fees as are appropriate I order to accomplish his or her duties under this Act.
(2) The term "Secretary" means the Secretary of Commerce of the United States or his or her designee.
(3) The term "Secretary of State: means the Secretary of State of the United States or his or her designee.
(4) The term "Secretary of Defense" means the Secretary of Defense of the United States or his or her designee.
(5) The term "Attorney General" means the Attorney General of the United States or his or her designee.
(6) The term "encryption" means the transformation of data (including communications) in order to hide its information content. To "encrypt" is to perform encryption.
(7) The term "decryption" means the retransformation of data (including communications) that has been encrypted into the dataŐs original form.
(8) The term "plaintext" refers to data (including communications) that has not been encrypted, or if encrypted, has been decrypted.
(9) The term "ciphertext" refers to data (including communications) that has been encrypted.
(10) the term "key" means a parameter, or a component thereof, used with an algorithm to validate, authenticate, encrypt or decrypt a message.
(11) The term "public key" means for cryptographic systems that use different keys for encryption and decryption, the key that is intended to be publicly known.
(12) The term "public key certificate" means information about a public key and its user, particularly including information that identifies that public key with its user, which has been digitally signed by the person issuing the public key certificate, using a private key of the issuer.
(13) The term "Certificate Authority" means a person trusted by one or more persons to create and assign public key certificates.
(14) The term "Key Recovery Agent" means a person trusted by one or more persons to hold and maintain sufficient information to allow access to the data or communications of the person or persons for whom that information is held, and who holds and maintains that information as a business or governmental practice, whether or not for profit.
(15) The term "recovery information" means keys or other information provided to a Key Recovery Agent by a person, that can be used to decrypt that personŐs data and communications.
(16) The term "electronic information" includes but is not limited to voice communications, texts, messages, recordings, images or documents, in any electronic, electromagnetic, photoelectronic, photooptical, or digitally encoded computerreadable form.
(17) The term "electronic communication" has the meaning given such term in section 2510 (12) of title 18, United States Code.
(18) The term "wire communications" has the meaning given such term in section 2510(1) of title 18, United States Code.
(19) The term "government" means the government of the United States and any agency or instrumentality thereof, a State or political subdivision of a State, the District of Columbia, or commonwealth, territory, or possession of the United States.
(20) The term "cryptographic product" means any product (including, but not limited to, hardware, firmware, or software, or some combination thereof), that is designed, adapted, or configured to use a cryptographic algorithm to protect or assure the integrity, confidentiality and/or authenticity of information.
(21) The term "encryption product" means a cryptographic product that can be used to encrypt or decrypt data.