Summary of Encryption Bills
in the 106th Congress

This page summarizes the following bills:

HR 850, the Security and Freedom through Encryption (SAFE) Act.

This page was last updated on November 12, 1999.

Sponsors. Rep. Bob Goodlatte (R-VA) (web site | bio), Rep. Zoe Lofgren (D-CA) (web site | bio), and over 250 others. See, list of original cosponsors.

Summary. HR 850 IH provides that people in the United States can use any kind of encryption. It also provides that any person in the U.S. may sell in interstate commerce any encryption product. Moreover, the government cannot mandate any kind of key escrow.

However, the bulk of the seventeen page bill deals with the export of encryption products. Section 3 of the bill would amend the Export Administration Act of 1979 in many ways. First, it would place all encryption products, except those specifically designed or modified for military use, under the jurisdiction of the Secretary of Commerce.

Second, it would provide that after a one-time, 15-day technical review by the Secretary, no export license may be required for generally available encryption software and hardware products, generally available products containing encryption, generally available products with encryption capabilities, technical assistance and data used to install or maintain generally available encryption products, products containing encryption, and products with encryption capabilities, and encryption products not used for confidentiality purposes.

Third, it would provide that after a one-time, 15-day technical review by the Secretary, the Secretary shall allow the export of custom-designed encryption products and custom-designed products with encryption capabilities if those products are permitted for use by banks or if comparable products are commercially available outside the U.S.

Fourth, it would provide that encryption products that do not require an export license as of the date of enactment of the bill would not require an export license on or after that date.

Finally, the bill provides that nothing in the bill would limit the authority of the President to prohibit the export of encryption products to terrorist nations or nations that have been determined to repeatedly support acts of international terrorism, or to impose an embargo on exports to and imports from a specific country. The bill would also allow the Secretary of Commerce to prohibit the export of specific encryption products to specific individuals or organizations in specific foreign countries, if the Secretary determines that there is substantial evidence that such products will be used for military or terrorist purposes.

See also, Sponsors' Summary.

Status. HR 850 was re-introduced on February 25, 1999. The House Courts and Intellectual Property Subcommittee approved it on March 4. The House Judiciciary Committee approved it on March 24. All other committees with jurisdiction have passed some version of HR 850.

Legislative History with Links to Related Materials.

S 798, the Promote Reliable On Line Transactions to Encourage Commerce and Trade (PROTECT) Act.

Sponsor. Sen. John McCain (R-AZ). Cosponsors. Conrad Burns (R-MT), Patrick Leahy (D-VT), Ron Wyden (R-OR), Spencer Abraham (R-MI), John Kerry (D-MA), Russ Feingold (D-WI).

Summary. S 798 IS is a 34 page bill covering use and export of encryption products. It contains strong guarantees of rights to use encryption domestically. It includes very similar language to HR 850 on domestic use. It also liberalizes export restraints, but not nearly as much as HR 850.

Table of Contents of the PROTECT Act

Sec. 1. Short Title.
Sec. 2. Purposes.
Sec. 3. Findings.
Sec. 4. Definitions.
Title I - Domestic Encryption Provisions.
Sec. 101. Development and Deployment of Encryption a Voluntary Private Sector Activity.
Sec. 102. Sale and Use of Encryption Lawful.
Sec. 103. Mandatory government access to plaintext prohibited.
Title II - Government Procurement.
Sec. 201. Policy.
Sec. 202. Federal Purchases of Encryption Products.
Title III - Advanced Encryption Standard.
Sec. 301. Deadline for Final Selection of Algorithm or Algorithms by NIST.
Sec. 302. Commerce Department Encryption Standards and Exports Authority Restricted.
Title IV - Improvement of Governmental Technological Capability.
Sec. 401. Information Technology Laboratory.
Sec. 402. Advisory Board on Computer System Security and Privacy.
Sec. 403. Authorization of Appropriations.
Title V - Export of Encryption Products.
Sec. 501. Commercial Encryption Products.
Sec. 502. Presidential Authority.
Sec. 503. Exportation of Encryption Products with not more than 64-bit Key Length.
Sec. 504. Exportability of Certain Encryption Products Under a License Exception.
Sec. 505. Exportability of Encryption Products Employing a Key Length Greater Than 64 Bits.
Sec. 506. Exportability of Encryption Products Employing AES or its Equivilent.
Sec. 507. Elimination of Reporting Requirements.

Status. This bill was introduced on April 14, 1999. The Senate Commerce Committee held a hearing on June 10, but no other action has been taken.

Legislative History with Links to Related Materials.

S 854, the Electronic Rights for the 21st Century Act.

Sponsor. Sen. Patrick Leahy (D-VT).

Summary. S 854 IS is a huge bill which deals with encryption, and a myriad of other privacy related topics. Title II of the bill covers encryption. This bill contains several provisions that are very similar to the SAFE Act, HR 850.

First, S 854 IS garuntees the right of Americans to use encryption: Sec. 201(a) provides:

"It shall be lawful for any person within the United States, and for any United States person in a foreign country, to use, develop, manufacture, sell, distribute, or import any encryption product, regardless of the encryption algorithm selected, encryption key length chosen, existence of key recovery or other plaintext access capability, or implementation or medium used."

While the list of verbs includes "use, develop, manufacture, sell," and so forth, one verb is left out: export. Much of HR 850 IH deals with export of encryption products. S 854 IS is silent on export restraints.

S 854 IS also prohibits the federal government from mandating key escow or key recovery. (Sec. 201(b).) HR 850 IH also prohibits the states from doing this.

S 854 IS also contains a long section dealing with assistance to law enforcement.

Status. This bill was introduced on April 21, 1999. No action has been taken.

Legislative History with Links to Related Materials.

HR 2616, the Encryption for the National Interest Act.

Sponsor. Rep. Porter Goss (R-FL). Original Cosponsors. Julian Dixon (D-CA), Jerry Lewis (R-CA), Michael Castle (R-DE), Sherwood Boehlert (R-NY), Charles Bass (R-NH), Jim Gibbons (R-NV), Ray LaHood (R-IL), Heather Wilson (R-NM), Sanford Bishop (D-GA), Norman Sisisky (D-VA), Gary Condit (D-CA), Alcee Hasting (D-FL), Benjamin Gilman (R-NY), Mike Oxley (R-OH), Cliff Stearns (R-FL).

Summary. This is a bill which is sponsored by, and reflects the views of, Representatives who oppose efforts to liberalize encryption export restraints, and guarantee Americans encryption rights. It is vastly different from HR 850.

On its face, there is some language in the bill that encryption proponents would appreciate. For example, on the domestic use issue, Section 102 provides: "Except as otherwise provided by this Act or otherwise provided by law, it shall be lawful for any person within any State and for any United States person to use any encryption product, regardless of encryption algorithm selected, encryption bit length chosen, or implementation technique or medium used."

However, what is important is what is missing. There is no language providing that it is lawful to produce, transfer, or sell any encryption products. Nor is there any requirement that any government systems be interoperable with encryption products that lack key escrow, backdoor access, or some access to the plaintext of encrypted data.

Another aspect of the bill is that it lacks any express requirement that encryption products provide for key escrow or backdoor access. However, the bill leaves the government plenty of opportunity to assure that most encryption products actually used will provide for government access to the plaintext of encrypted data.

For example, Section 201 and Section 203 provide that the government may require government agencies and those who do business with the government to allow backdoor access. It provides: "The President may require as a condition of any contract by the Government with a private sector vendor that any encryption product used by the vendor in carrying out the provisions of the contract with the Government include features and functions that enable the timely decryption of encrypted data, including communications, or timely access to plaintext, by an authorized party without the knowledge or cooperation of the person using such encryption products or services."

Also, nothing in the bill prevents the government from using software products that are not interoperable with software products that lack government backdoor access. This enables government agencies to deprive people from interacting with the government online if they do not use software products that provide access to plaintext.

The argument that proponents of encryption rights have advanced at Congressional hearings on HR 850 and S 798 is this. Americans will eventually need to interact online with both the government and entities that do business with the government. If they cannot do so with software products that do not allow access to plaintext, they will choose products that allow access. These products will become the industry standard. And the government will have achieved its goal of getting backdoor access, without a bill that actually mandates it.

Moreover, much of the bill deals with procedures to be followed by the government to gain access to plaintext or decryption information. (A court order is required.) Of course, this presumes that Americans will be using encryption products that allow access to plaintext. That is, that the government will succeed in compelling the widespread use of products that allow backdoor access.

The bill also addresses at length encryption export restraints. It lacks the relief provided by HR 850, or even that contained in S 798.

Finally, civil rights groups will take exception to a provision in the bill criminalizing certain uses of encryption. The new Section 2801 makes it a crime for "Whoever knowingly uses encryption in furtherance of the commission of a criminal offense for which the person may be prosecuted in a district court of the United States".  The maximum penalty for the first offense is five years.

This is very broad. First, the furtherance offense can be any federal offense, no matter how minor. Administration officials who have testified before Congressional committees have repeatedly claimed that their concerns are terrorists, drug lords, and pedophiles. The bill does not limit its criminal sanctions to the use of encryption in connection with terrorism, drug dealing, or sex crimes.

Second, one need not be convicted of the furtherance offense (or even charged). Indeed, one need not even meet all of the elements of any other criminal offense. It need only be "in furtherance of the commission".

Status. This bill was introduced on July 27, 1999.

Legislative History with Links to Related Materials.

Tech Law Journal Stories, 1999