Story: Compromise Encryption Bill Introduced in Senate, 5/14/98

New Encryption Bill Introduced in Senate

(May 14, 1998) Senators Leahy, Ashcroft, and Burns have introduced a "compromise" encryption bill, dubbed the "E-PRIVACY Act," which contains many of the same provisions as the "Pro CODE Act," but also some concessions to those who favor more law enforcement authority. The main opponent of pro-encryption legislation, the FBI, has not publicly commented on the bill.

Related Page: HTML Copy of E-PRIVACY Bill.

The bill is titled E-PRIVACY. It is an acronym for Encryption Protects the Rights of Individuals from Violation and Abuse in CYberspace.

Right to Use Encryption § 101(a) "... it shall be lawful for any person within the United States, and for any United States person in a foreign country, to use, develop, manufacture, sell, distribute, or import any encryption product, regardless of the encryption algorithm selected, encryption key length chosen, existence of key recovery or other plaintext access capability, or implementation or medium used."

"If anyone was looking for the compromise to resolve this difficult but important issue, this is it," said Sen. Conrad Burns (R-MT), who is Chairman of the Senate Subcommittee on Communications, and one of the leading proponents of encryption rights in the Congress. He is also the lead sponsor of S 377 -- the Pro CODE Act -- which has stalled in the Senate.

The twenty-two page bill would prevent the government from mandating key-recovery or key-escrow, guarantee the right of U.S. citizens to use whatever kind or strength of encryption software they choose, and relaxes current export controls on encryption technologies.

The bill would also create a NET Center, a new law enforcement entity at the Department of Justice, to study decryption, interception, and accessing of communications and stored data. The bill would also allow law enforcement access to decryption keys under existing wiretap authority, and allow law enforcement to obtain keys or third-party assistance for remotely stored data with a warrant or subpoena. It would also create a new federal crime of unlawful use of encryption.

Ban on Government Mandated Key Escrow § 101(b) "... no agency of the United States nor any State may require, compel, set standards for, condition any approval on, or condition the receipt of any benefit on, a requirement that a decryption key, access to a decryption key, key recovery information, or other plaintext access capability be (A) given to any other person, including any agency of the United States or a State, or any entity in the private sector; or (B) retained by any person using encryption."

The bill is described by its sponsors as "non-partisan" and a "compromise." Support for other pro-encryption bills has been non-partisan too, but failed to gain passage. Also, while industry and trade groups such as the Business Software Alliance and Americans for Computer Privacy have announced their support for the new bill, the administration has not.

The Federal Bureau of Investigation, which is the six hundred pound gorilla of the encryption issue, has not commented on the bill publicly. It has successfully sidetracked all legislative efforts that have not contained mandatory key escrow provisions.

Government Access to Encrypted Communications and Data

The E-PRIVACY Act provides that in a criminal investigation the government can compel a third party holding an encryption key, or otherwise capable of decrypting communications, to promptly provide decryption assistance, provided that the government first obtains a court order. (§ 2803(a).)

The Act also provides that the government can compel a third party to assist in decrypting stored data, provided that the government first obtains either a state or federal warrant, a subpoena, or the consent of the owner of the records. And in any case, the government would be required to serve a copy of the warrant or subpoena upon the owner of the records. (§ 2804.)

Criminalization of Unlawful Use of Encryption

Unlawful Use of Encryption § 2802 "Any person who, during the commission of a felony under Federal law, knowingly and willfully encrypts any incriminating communication or information relating to that felony, with the intent to conceal that communication or information for the purpose of avoiding detection by a law enforcement agency or prosecutor (1) in the case of a first offense under this section, shall be imprisoned not more than 5 years, fined under this title, or both ..."

The E-PRIVACY Act would create a new federal crime called unlawful use of encryption. This has drawn criticism from privacy groups who suggest that it would give prosecutors wide latitude to investigate where the only evidence of a crime is the use of encryption, and would create a disincentive to use encryption technology, thus leading to more computer crime.

The Center for Democracy and Technology wrote that "this provision in the legislation will send a mixed message to users and businesses -- that we want people to be free to use encryption but will be suspicious when it is used. ... [W]e submit that the better approach may be to rely on other provisions in the federal and state criminal codes (including sections relating to obstruction of justice or concealment) to address this problem if it arises." (Parentheses in original.)

NET Center

The Act also creates a new National Electronic Technologies Center (NET Center) in the Department of Justice, which would assist law enforcement at all levels with expertise in encryption technology. It is similar to the "Information Security Board" established in Pro-CODE Act.

Assistance of Other Federal Agencies § 2806(6) "Upon the request of the Director of the NET Center, the head of any department or agency of the Federal Government may, to assist the NET Center in carrying out its duties under this subsection (A) detail, on a reimbursable basis, any of the personnel of such department or agency to the NET Center; and (B) provide to the NET Center facilities, information, and other nonpersonnel resources."

It would serve as a center for federal, state, and local law enforcement authorities for information and assistance with decryption. It would facilitate the exchange of information, study encryption and develop methods to "facilitate the ability of law enforcement to gain efficient access to plaintext of communications and electronic information," and study interception and access techniques.

The NET Center provisions have raised concerns from privacy groups. In particular, § 2806(6) provides that other federal agencies may assist and work with the FBI. Since the other federal agencies involved in encryption are the National Security Agency and CIA, this allows the foreign intelligence agencies to become involved in domestic surveillance and law enforcement.

For example, the Center for Democracy and Technology has written that:

The NET Center proposal, if approved, would constitute a fundamental re-definition of the relationship between intelligence agencies and domestic law enforcement. Such an approach would ignore 50 years of experience and would pose a serious threat to the privacy and constitutional rights of Americans.

Other Resources

Related pages in this website.

Story: Americans for Computer Privacy Organizes, 3/5/98.
News Analysis: ACP Brings Together Strange Bedfellows, 3/16/98.
Story: Senate Holds Hearing on Encryption, 3/17/98.
Story: Democrats Write Clinton on Encryption, 4/6/98.
Story: Daley Condemns Encryption Policy, 4/16/98.
Story: Freeh Warns of Encryption Use, 4/23/98.

The following websites contain information about the E-PRIVACY Act and the encryption issue in general.