|
|
|
|
|||||||||||||||||||
Did the Government give your telephone privacy rights away! The US Government Seeks To Get The Goods On YOU? EXECUTIVE OFFICE OF THE PRESIDENT Washington, D.C. 20503-0001 Thursday, August 5, 1999 LEGISLATIVE REFERRAL MEMORANDUM
In accordance with OMB Circular A-19, OMB requests the views of your agency on the above subject before advising on its relationship to the program of the President. Please advise us if this item will affect direct spending or receipts for purposes of the "Pay-As-You-Go" provisions of Title XIII of the Omnibus Budget Reconciliation Act of 3-990, COMENTS: This is a revised version of the draft bill that was circulated on June 29, 1999, with LRM JAW121. Justice has included a memo addressing the agency comments on the earlier draft bill. Please provide only policy level objections, if any, to the revised draft bill. If necessary, a meeting w1ll be scheduled to resolve any of the policy objections that are raised. DISTRIBUTION LIST AGENCIES:
Attached please find revised copies of the proposed Cyberspace Electronic Security Act (CESA), the accompanying section-by-section analysis, and letters of transmittal to the President of the Senate and Speaker of the House. Copies of each document are provided in both clean and redline/strikeout form, showing the changes made in response to agency comments that were made when CESA was circulated earlier. We believe we have addressed in substance the comments raised by the agencies. In particular, we have the following specific responses to the comments made: Department of Commerce. After reviewing the comments of the Department of Commerce, DOJ representatives met with Commerce representatives. During that meeting we explained in more detail the purposes and mechanisms of CESA. Most of the points raised by Commerce related to presentation rather than to substance, and, to address them, we have added a number of "whereas" clauses to the start of CESA, added additional text in the introduction to the section-by-section analysis, and completely rewritten the transmittal letters. In addition, at the suggestion of Commerce, we have: eliminated references to the use of encryption keys to authenticate or validate data, and to export controls on encryption, except to add exclusionary language where requested; added explanatory text to the section-by-section analysis to explain points of confusion where appropriate; limited the language in the bill concerning "trade secrets"; and deleted the limitation of liability for persons who report that decryption keys have been improperly disclosed. Department of Treasury. FinCEN raised three concerns about how CESA might be interpreted. We believe, however, that the language of CESA already addresses the concerns raised by FinCEN. That said, to address FinCEN's concerns and make the appropriate interpretations clear, we have added text to the section-by-section analysis on each of the points raised by FinCEN. ONDCP. We reviewed ONDCP's comments, but did not make the suggested changes, after consultation with DOD. ONDCP's comments focused on the application of CESA to military bases. And although ONDCP's concerns are valid, DOD preferred not to make the suggested changes. Because the concerns raised fall particularly within the expertise of DOD, we deferred to that agency. Privacy Counselor. We met several times with Peter Swire, and made most of the changes he suggested, including adding a provision protecting the privacy of customer information held by recovery agents. Mr. Swire is aware of the changes that were made and the few that were not made, and the reasons for each. Thank you for your assistance in this matter. We stand ready to assist you in whatever way may be needed in order to obtain clearance of this important draft legislative proposal. cc: Phil Reitinger, CRM/CCIPS
Dear Mr. Speaker: Enclosed for your review and consideration is a legislative proposal entitled the "Cyberspace Electronic Security Act of 1999" (CESA). A detailed section-by-section analysis follows the text of the proposal. An identical copy has been provided to the President of the United States Senate. There is little question that continuing advances in technology are changing forever the way in which people live, the way they communicate with each other, and the manner in which they work and conduct commerce. In just a few years, the Internet has shown the world a glimpse of what is attainable in the information age. As a result, the demand for more and better access to information and electronic commerce continues to grow - among not just individuals and consumers, but also among financial, medical and educational institutions, manufacturers and merchants, and state and local governments. This increased reliance on information and communications raises important privacy issues, because Americans want assurance that their sensitive personal and business data is protected from unauthorized access as it resides on and traverses national and international communications networks. For Americans to trust this new electronic environment, and for the promise of electronic commerce and the global information infrastructure to be fully realized, information systems must provide methods to protect the data and communications of legitimate users. Encryption can address this need, because encryption can be used to protect the confidentiality of both stored data and communications. Therefore, the Administration continues to support the development, adoption, and use of robust encryption by legitimate users. At the same time, however, the same encryption products that help facilitate confidential communications between law-abiding citizens also pose a significant and undeniable public safety risk when used to facilitate and mask illegal and criminal activity. While cryptography has many legitimate and important uses, it is also increasingly used as a means to promote criminal activity, such as drug trafficking, terrorism, white collar crime, and the distribution of child pornography. In brief, the advent and eventual widespread use of encryption poses significant and heretofore unseen challenges to law enforcement and public safety. While under existing law, both statutory and constitutional in nature, law enforcement is provided with different means to collect evidence of illegal activity - in the form of communications, stored data on computers, etc. - these means are rendered wholly insufficient when encryption is utilized to scramble the information in such a manner that law enforcement, acting pursuant to lawful authority, cannot decipher the evidence in a timely manner, if at all. In the context of law enforcement operations, for example, stopping a terrorist attack or seeking to recover a kidnaped child, time is of the essence and may mean the difference between success and catastrophic failure. While existing means of obtaining evidence would remain applicable in a fully-encrypted world, the failure to provide law enforcement with the necessary ability to obtain the plaintext or "readable" version of the evidence makes existing authorities useless. A sound and effective public policy must support the development and use of encryption for legitimate purposes but allow access to plaintext by law enforcement when encryption is utilized by criminals. This requires an approach which properly balances critical privacy interests with the need to preserve public safety. As is explained more fully below, CESA provides such a balance by simultaneously creating significant new privacy protections for lawful users of encryption, while allowing law enforcement to preserve existing and constitutionally supported means of responding to criminal activity. CESA first addresses the need for greater privacy protections for lawful users of encryption. Because the security of any encryption system depends on the security of the keys that can be used to decrypt data, clear procedures are needed to ensure that these keys are protected by "recovery agents" who are in the business of storing keys on behalf of others, as well as by law enforcement agencies that may obtain decryption keys pursuant to lawful authority in order to investigate criminal activity. Therefore, when a person stores a decryption key or other "recovery information" with a recovery agent, CESA creates significant new protections. It explicitly prohibits the recovery agent from disclosing such information or using it to decrypt data except under limited circumstances, such as with the consent of the person who stored the key or under a court order. The Act also regulates how government agencies must handle decryption keys they obtain (see below), and promotes privacy and security by prohibiting a recovery agent from selling or otherwise disclosing its customer lists to other parties. CESA also provides mechanisms to allow law enforcement to keep pace with technology and lawfully obtain, in certain specific and narrow instances, access to information which has been encrypted in furtherance of criminal activity. While decryption keys must be protected from improper disclosure, CESA recognizes that law enforcement agencies may need access to decryption keys during the course of investigations. The Act, therefore, authorizes a recovery agent to disclose "stored recovery information" - stored decryption keys - to the government, or to use stored recovery information on behalf of the government, in a narrow range of circumstances, for example, pursuant to a search warrant or in accordance with a court order under the Act. Such a court order must be based on a finding that, among other things, there is no constitutionally protected expectation of privacy in the plaintext of encrypted data or the privacy interest created by such expectation has been overcome by consent, warrant, order, or other authority. By incorporating these specific privacy protections, CESA reflects a careful and essential balancing of the interests of public safety and privacy. CESA recognizes that law enforcement personnel may need to obtain the plaintext of encrypted evidence when a decryption key for the data is not held by, or is not obtained from, a recovery agent. For example, a child pornographer may encrypt the illegal material he keeps on his computer, and may not store the key with a recovery agent, so that if law enforcement officers conduct a judicially authorized search, the most critical evidence - the child pornography itself - will be unreadable and unusable as evidence. The Act therefore sets forth procedures for a mechanism for government access to essential evidence - through a search warrant with the possibility of delayed notice. To obtain such a warrant, the government must meet the standards specified by the Constitution and the Federal Rules of Criminal Procedure, including establishing probable cause to the court. In addition, to delay notice, the government must prove that it has good cause to do so. Once lawfully obtained from the court, the search warrant may authorize, depending upon the circumstances of the criminal activity, the search and seizure of decryption keys or the installation of a recovery device that allows plaintext to be obtained even if attempts were made to protect it through encryption. However, when executing a warrant using these procedures, in order to protect privacy, the government must take care to minimize its intrusion into the privacy of the subject of the warrant. While CESA recognizes the need for law enforcement access to decryption keys, it also imposes limitations on the government's use and disclosure of decryption keys obtained through compulsory process. For example, the government is required to destroy the keys when their use is completed and after any statutory period for retention of records has expired. These limitations reflect CESA's balancing of the need for privacy against the need for law enforcement access in appropriate circumstances to decryption keys. Historically, our nation has sought the proper balance between protecting the rights of individuals and the need of law enforcement to protect public safety. Although the emerging technological advances of the current information revolution are, in many ways, unlike any before, the challenge of striking the proper balance remains the same. The Administration fully supports the development and use of encryption products in order to protect the confidentiality of the communications and data of law-abiding citizens. However, in so doing public policy must reflect the pressing and undeniable need to afford law enforcement the means to sustain the ability to collect evidence of criminal activity, even when encryption is utilized. Failure to adequately address this need provides criminals with a safe-haven not available before. CESA establishes new protections for individuals and limits the ability of government to obtain plaintext to specific circumstances, while at the same time providing law enforcement the ability, with a proper factual showing, to respond to criminals who utilize encryption. We believe that CESA strikes the appropriate balance in this regard and look forward to working with you and the Congress on this issue of significant national importance. The Office of Management and Budget has advised that there is no objection from the standpoint of the Administration's program to the presentation of this proposal and that its enactment would be in accord with the program of the President. Please let us know if we may be of additional assistance in connection with this or any other matter. Sincerely, Jon P. Jennings
To protect the privacy, security and safety of the people of the United States through support for the widespread use of encryption, protection of the security of cryptographic keys, and facilitation of access to the plaintext of data for legitimate law enforcement purposes. Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, TITLE I - GENERAL PROVISIONS SEC. 101. SHORT TITLE. This Act may be cited as the "Cyberspace Electronic Security Act of 1999". SEC. 102. FINDINGS. The Congress finds the following: (a) The development of the information superhighway is fundamentally changing the way we interact. The nation's commerce is moving to networking. Individuals, government entities, and other institutions are communicating across common links. (b) The Internet has provided our society with a glimpse of what is possible in the information age, and the demand for information access and electronic commerce is rapidly increasing. This demand is arising from all elements of society, including individuals, banks, manufacturers, online merchants, service providers, State and local governments, and educational institutions. (c) At the same time, society's increasing reliance on information systems in this new environment exposes U.S. citizens, institutions, and their information to unprecedented risks. (d) In order for the global information infrastructure and electronic commerce to achieve their potential, information systems must overcome these risks and must provide trusted methods to identify users and keep data and communications confidential. (e) Cryptography can meet these needs. In particular, cryptography, through the technique of encryption, is an important tool in protecting the confidentiality of wire and electronic communications and stored data. Thus, there is a national need to encourage the development, adoption, and use of cryptographic products that are consistent with the foregoing considerations and are appropriate for use by private parties and by the United States Government. (f) While encryption is an important tool for protecting the privacy of legitimate communications and stored data, it has also been used to facilitate and hide unlawful activity by terrorists, drug traffickers, child pornographers, and other criminals. (g) The advent and eventual widespread use of encryption poses significant and heretofore unseen challenges to law enforcement and public safety. While under existing law, both statutory and constitutional in nature, law enforcement is provided with different means to collect evidence of illegal activity - in the form of communications, stored data on computers, etc. - these means are rendered wholly insufficient when encryption is utilized to scramble the information in such a manner that law enforcement, acting pursuant to lawful authority, cannot decipher the evidence. (h) Technology does not presently exist that allows law
enforcement timely to decrypt such information. In the context of law enforcement
operations, for example, stopping a terrorist attack or seeking to recover a kidnaped
child, time is of the essence and may mean the difference between success and catastrophic
failure. While: existing means of obtaining evidence would remain applicable in a
fully-encrypted world, the failure to provide law enforcement with the necessary ability
to obtain the plaintext, or decrypted "readable" version, of the evidence makes (i) A sound and effective public policy must support the development and use of encryption for legitimate purposes but allow access to plaintext by law enforcement when encryption is utilized by criminals. Law enforcement entities have a critical need to decrypt communications and stored data that they are lawfully authorized to access in order to obtain the plaintext that is necessary to conduct investigations and prosecutions of such unlawful activity, and there is a compelling national interest in preserving law enforcement entities' ability to obtain such plaintext. Appropriate means must be available to fulfill these law enforcement objectives, consistent with existing legal authorities and constitutional principles, in order to protect public safety. This requires an approach which properly balances critical privacy interests with the need to preserve public safety. (j) While means to aid investigators' and prosecutors' efforts to obtain plaintext are needed, this Act is not intended to make it unlawful for any person to use encryption in the United States for otherwise lawful purposes, regardless of the encryption algorithm selected, key length chosen, or implementation technique or medium used. Similarly, this Act is not intended to require anyone to use third parties for storage of decryption keys, and this Act does not establish any regulatory regime for entities engaging in such an activity. Finally, this Act is not intended to affect export controls on cryptographic products. TITLE II - ACCESS TO AND USE OF STORED RECOVERY INFORMATION HELD BY RECOVERY AGENTS, ACCESS TO RECOVERY INFORMATION, AND PROTECTION OF CONFIDENTIAL INFORMATION SEC. 201. REDESIGNATION OF DEFINITIONAL SECTION. Section 2711 of title 18, United States Code, is redesignated as section 2719. SEC. 202. AMENDMENTS TO SECTIONS 2703 AND 2707 OF TITLE 18. (a) Subsection 2703(d) of title 18, United States Code, is amended by striking "described in section 3127(2)(A) and". (b) Section 2707 of title 18, United States Code, is amended-- (1) in subsection (a) by striking "section 2703(e)" and inserting "sections 2703(e) and 2716"; and (2) in subsection (e) (i) by redesignating paragraphs (2) and (3) as paragraphs (3) and (4), respectively; (ii) inserting after paragraph (1) the following: "(2) a request of a governmental entity under section 2703(f) of this chapter;" and (iii) in redesignated paragraph (e)(3), striking "section 2518(7)" and inserting "sections 2518(7) or 2712(a)(4)". SEC. 203. AMENDMENTS OF CHAPTER 121 OF TITLE 18, UNITED STATES CODE, RELATED TO RECOVERY INFORMATION. Chapter 121 of title 18, United States Code, is amended by adding the following after section 2710: "§ 2711. Disclosure or use of stored recovery information and customer information by recovery agents; notification of storage location
"(a) Prohibitions and requirements.- "(1) Except as provided in subsections (b) and (d), a recovery agent shall not-- "(A) disclose stored recovery information; "(B) use stored recovery information to decrypt data or communications; or "(C) disclose any other information or record that identifies a person or entity for whom the recovery agent holds or has held stored recovery information. "(2) No person or entity shall knowingly obtain stored recovery information from a recovery agent knowing or having reason to know he has no lawful authority to do so. "(3) A recovery agent shall inform any person or entity who stores recovery information with the recovery agent of the location or locations where the recovery information is stored. " "(b) Authorizations for disclosure or use.- (1) Recovery information.-A recovery agent may disclose stored
recovery "(A) in the case of disclosure to or use on behalf of any person or entity, including a governmental entity- "(i) with the consent of the person or entity who stored such recovery information, or the agent of such person or entity; or "(ii) pursuant to an order of a court of competent
jurisdiction, if "(B) in the case of disclosure to or use on behalf of a governmental entity, as specified in section 2712 of this title. "(2) Customer information. -- A recovery agent may disclose information or a record, other than stored recovery information, that identifies a person or entity for whom the recovery agent holds or has held stored recovery information only- "(A) with the consent of the person or entity who stored such recovery information, or the agent of such person or entity; "(B) if the disclosure is necessarily incident to the rendition of the service provided to the person or entity who has stored such recovery information, or to the protection of the rights or property of the recovery agent; "(C) pursuant to an order of a court of competent jurisdiction based upon a showing of compelling need for the information, if such court has, if practicable, provided the person or entity who has stored such recovery information with an opportunity to be heard; or "(D) to a governmental entity pursuant to a warrant issued pursuant to the Federal Rules of Criminal Procedure or equivalent State warrant, a court order, or a federal or State subpoena; provided, however, that notice to the person or entity who stored such recovery information is not required under this subparagraph, and, furthermore, that a court of competent jurisdiction may for good cause order that the recovery agent not disclose the government request for 90 days, which period maybe extended upon further showings of good cause. "(c) Confidentiality -- Except as otherwise provided by law, or by order of a court of competent jurisdiction, a recovery agent who is requested or ordered to disclose stored recovery information to, or to use stored recovery information on behalf of, a governmental entity pursuant to paragraph (b)(1) above shall not reveal to any person or entity the fact that the governmental entity has requested or received stored recovery information from, or has required the use of stored recovery information by, the recovery agent, and shall not disclose to any other person or entity any decrypted data or communications that are provided to the governmental entity. "(d) Exclusions.-Nothing in this section or section 2712 of this title shall be construed to prohibit a recovery agent from: "(1) except as provided in subsection (c), using or disclosing plaintext in its possession, custody, or control; "(2) using or disclosing recovery information that is not stored recovery information held by it under the circumstances described in section 2719(7); or "(3) using stored recovery information in its possession, custody, or control to decrypt data or communications in its possession, custody, or control, if applicable statutes, regulations, or other legal authorities otherwise require the recovery agent to provide such data or communications to a governmental entity in plaintext or other form which can be readily understood by the governmental entity. "(e) Criminal sanctions. - Whoever knowingly violates or attempts to violate subsection (a) or subsection (c) of this section shall be fined under this title, or imprisoned for not more than one year, or both. "§ 2712. Requirements for governmental access to, use of, and disclosure of stored recovery information
"(a) Compelled disclosure and use of stored recovery information in the possession of recovery agents.-A governmental entity may require a recovery agent to disclose stored recovery information to the governmental entity, or to use stored recovery information to decrypt data or communications- "(1) pursuant to a warrant issued pursuant to the Federal Rules of Criminal Procedure or an equivalent State warrant, or an order issued under section 2518 of this title; "(2) pursuant to any process under federal or State law to compel disclosure that is permitted by section 2711 (b)(1)(A)(i); "(3) pursuant to a court order issued under subsection (b); or "(4) when an investigative or law enforcement officer, specially designated by the Attorney General, the Deputy Attorney General, the Associate Attorney General, any Assistant Attorney General, any acting Assistant Attorney General, or any Deputy Assistant Attorney General, or by the principal prosecuting attorney of any State or subdivision thereof acting pursuant to a statute of that State, reasonably determines that-" "(A) an emergency situation exists that involves- "(i) immediate danger of death or serious physical injury to any person, "(ii) conspiratorial activities threatening the national security interest, or "(iii) conspiratorial activities characteristic of organized crime or terrorism, requiring that recovery information be obtained or used before an order authorizing the same can, with due diligence, be obtained; and "(B) there are grounds upon which an order could be entered under this section to authorize such disclosure by a recovery agent of stored recovery information, or the decryption of data or communications by a recovery agent using stored recovery information; but an order under this section must be sought within forty-eight hours after the stored recovery information has been released or the decryption has occurred. In the event no order is requested within that time or the request for an order is denied, the governmental entity shall not further use or disclose the recovery information received or plaintext recovered, shall seal such information or plaintext under the direction of a court of competent jurisdiction, and shall serve notice as provided for in subsection (c) of this section; A federal governmental entity may require a recovery agent to disclose stored recovery information to it or another federal governmental entity, or to use stored recovery information to decrypt data or communications, under paragraphs (1), (2), (3), or (4) for the benefit of a foreign government, pursuant to a request of a foreign government under applicable legislation, treaties, or other international agreements. "(b) Requirements for court order for disclosure or use of stored recovery information by a recovery agent.-A court order requiring a recovery agent to disclose stored recovery information to a governmental entity or to use stored recovery information to decrypt data or communications on behalf of a governmental entity shall be issued by a court of competent jurisdiction upon a finding, based on specific and articulable facts, that- "(1) the use of the stored recovery information is reasonably necessary to allow access to the plaintext of data or communications; "(2) such access is otherwise lawful; "(3) the governmental entity will seek such access within a reasonable time; and "(4) there is no constitutionally protected expectation of privacy in such plaintext, or the privacy interest created by such expectation has been overcome by consent, warrant order, or other authority. An order under this section directing the disclosure of stored recovery information shall be limited to the extent practicable to directing the disclosure of only that stored recovery information that is necessary to allow access to the plaintext of the relevant data and communications. "(c) Notice.- Within 90 days after receiving stored recovery information or decrypted data or communications from a recovery agent, the governmental entity shall notify the person or entity, if known, who stored the recovery information that stored recovery information was disclosed or used by the recovery agent, and such notice shall state the date on which the stored recovery information or decrypted data and communications were disclosed. On the government's ex parte showing of good cause, the giving of notice may be postponed by a court of competent jurisdiction. Notice under this section shall be provided by personal service, or by delivery by registered or first-class mail. "(d) Cost reimbursement.-A governmental entity obtaining stored recovery information from a recovery agent or directing a recovery agent to decrypt the data or communications pursuant to subsection (b) shall pay to the recovery agent a fee for reimbursement for such costs as are reasonably necessary and which have been directly incurred in providing such information or decrypting such data and communications. The amount of the fee shall be as mutually agreed by the governmental entity and the recovery agent, or, in the absence of agreement, shall be as determined by the court which issued the order pursuant to subsection (b). "§ 2713.- Obtaining recovery information or plaintext by other means
"(a) In general.-- A federal governmental entity may seek a warrant, issued pursuant to the Federal Rules of Criminal Procedure, to search for and obtain recovery information or other information necessary to obtain access to the plaintext of data or communications, or to install and use a recovery device; provided, however, that nothing herein shall be construed to limit the application of chapter 119 of this title. "(b) Notice.-- Upon an ex parte showing of good cause the court issuing the warrant may postpone the notice required by Rule 41 (d) of the Federal Rules of Criminal Procedure for 30 days. Upon additional ex parte showings of good cause, the serving of notice may be further postponed. Upon expiration of any court orders postponing notice, the governmental entity shall provide notice to the person or entity subject to the search or recovery device by personal service, or by delivery by registered or first-class mail, and shall file a copy of such notice with the court. In the case of a recovery device, such notice shall include the period of time during which the recovery device was in use and whether the recovery device was successfully disabled. "(c) Assistance.-Upon the request of the applicant, a warrant issued under subsection (a) of this section shall direct that a provider of wire or electronic communication service, landlord, custodian or other person shall furnish the governmental entity forthwith all information, facilities; and technical assistance necessary to accomplish the successful execution of the warrant unobtrusively and with a minimum of interference with the services accorded to the persons affected by the search or installation of a recovery device. Any person providing facilities or assistance shall be compensated therefor by the applicant for reasonable expenses directly incurred in providing the facilities or assistance. The amount of the fee shall be as mutually agreed by the governmental entity and the person providing the facilities or assistance, or, in the absence of agreement, shall be as determined by the court which issued the warrant. "(d) Nondisclosure..-A warrant issued under subsection (a) shall direct that-- "(1) it be sealed until otherwise ordered by the court; and "(2) any person who has been ordered by the court to provide assistance to a governmental entity not disclose the existence of any search or recovery device, the existence of the investigation, any recovery information, data, communications, or other information obtained through the investigation, or any techniques or devices used by the governmental entity, to any other person, unless and until ordered otherwise by the court. "(e) Minimization.-A warrant issued pursuant to subsection (a) of this section shall be executed in such a manner so as to minimize the obtaining of information other than the recovery information, other information, or plaintext sought, and to minimize to the greatest extent feasible the possibility that unauthorized persons might obtain access to recovery information or the plaintext of data and communications. Any challenges to the government's compliance with this provision shall be determined by a court in accordance with section 2717 of this title. "(f) Termination of recovery devices.-To the extent practicable, if the system affected by a recovery device remains in use, a governmental entity shall disable any recovery device after its use is completed, shall make a record documenting such disabling, and shall return the system to its previous condition. "(g) State law unaffected.-Nothing in this section shall be construed to prevent the adoption of analogous procedures under State law. "(h) Reports concerning warrants under this section.- "(1) For the 3 years following the enactment of this Act, with respect to each application for a warrant with delayed notice under subsection (b), within 30 days after the notice required by subsection (b) is filed with a court or the application for delayed notice under this section is denied, the issuing or denying judge shall report to the Administrative Office of the United States Courts- "(A) the fact that a warrant was applied for; "(B) the fact that notice was delayed or was not; "(C) the total period for which notice was delayed, and, in the case of a recovery device, the period of time during which the recovery device was in use and whether the recovery device was successfully disabled; "(D) the offense specified in the application or warrant; and "(E) the name of the governmental entity making the application. "(2) In April of each year the Director of the Administrative Office of the United States Courts shall transmit to the Congress a summary and analysis of the data required to be filed with the Administrative Office by paragraph (h)(1). The Director of the Administrative Office of the United States Courts is authorized to issue binding regulations dealing with the content and form of the reports required to be filed by paragraph (h)(1). "§ 2714. Use, disclosure, and destruction of recovery information obtained by a governmental entity by compulsory process.
"(a) Limitations on use.- (1) Authorized use in orders under sections 2712 and 2713. Any order, warrant, or determination under section 2712 or 2713 of this title granting a governmental entity access to recovery information or stored recovery information, or authorizing a recovery agent to decrypt data or communications on behalf of a governmental entity, shall, either in its text or in a separate document that is served only on the governmental entity, specify the categories of data and communications that may be decrypted using such recovery information. Unless otherwise specified in a further order of a court of competent jurisdiction, such recovery information shall be used to decrypt data and communications only as specified in the order, warrant, or other determination. "(2) Limitations on use in other circumstances.-Unless otherwise specified in an order of a court of competent jurisdiction, a governmental entity that has obtained recovery information by compulsory process other than under sections 2712 and 2713 of this title may use such recovery information to decrypt data or communications only in connection with the matter for which the recovery information was obtained and related matters, and only if the decryption is appropriate to the proper performance of the official functions of the governmental entity. "(b) Limitations on disclosure and subsequent use.-Unless otherwise specified in an order of a court of competent jurisdiction, a governmental entity that has obtained recovery information by compulsory process may knowingly disclose recovery information only to the extent that such disclosure is in connection with the matter for which the recovery information was obtained and any related matters, and only if the disclosure is appropriate to the proper performance of the official functions of the governmental entity making the disclosure. Unless otherwise specified in an order of a court of competent jurisdiction, any person or entity receiving a disclosure under this section shall not further disclose the recovery information, and shall be subject to the limitations on the use of the recovery information imposed by subsection (a). "(c) Destruction of recovery information.-Unless otherwise specified in an order of a court of competent jurisdiction, once the authorized use of recovery information obtained by compulsory process, and all investigations, trials, and appeals related to that use are completed, after the time period for filing a request for post-conviction relief has expired, and after any statutory period for retention of records has expired, a governmental entity, a recovery agent assisting a governmental entity, or other person or entity who has received a disclosure under this section, shall destroy such recovery jnformation in its possession and the governmental entity shall make a record documenting the destruction of such recovery information that is in its possession and shall maintain that record for at least 10 years. "§ 2715. Notice of access to recovery information held by third parties and obtained by a governmental entity A governmental entity that has knowingly obtained recovery information by compulsory process other than under sections 2712 and 2713 of this title, shall, if such recovery information is held by the compelled party on behalf of another person or, entity, notify such person or entity, if known, that the recovery information was obtained. Such notice shall be provided within days of the date on which the government obtains the recovery information, and shall state the date on which the recovery information was disclosed. On the government's ex parte showing of good cause, the giving of notice may be postponed by a court of competent jurisdiction. Notice under this section shall be provided by personal service, or by delivery by registered or first-class mail. "§ 2716. No cause of action against a provider or recovery agent for compliance with legal demands "No cause of action shall lie in any court against any provider of wire or electronic communications service or recovery agent, its officers, employees, agents, or other specified persons for providing information, facilities, or assistance in accordance with the terms of a court order, emergency request, warrant, or other process under sections 2711, 2712 or 2713 of this title, or against any person or entity for disclosing information to a governmental entity to assist it in obtaining lawful access to data and communications protected by encryption or other security techniques or devices, unless the disclosure is otherwise prohibited by this chapter. "§ 2717. Protection of confidential information "(a) Confidentiality of access techniques.-In any civil or criminal case where a party seeks (1) to discover or introduce plaintext that had been encrypted or protected by other security techniques or devices, and which plaintext had been obtained using government methods of access to such protected information, or (2) to discover or introduce evidence or information concerning government methods of access to such protected information, an attorney for the government (as that term is defined in the Federal Rules of Criminal Procedure), whether or not the government is a party, may file, ex parte and in camera, an application requesting that the court enter an order pursuant to subsection (b) protecting the confidentiality of the technique or mechanism that provided access to that evidence or information. "(b) Confidentiality orders. -If the court finds that disclosure of a technique or mechanism used by a governmental. entity to obtain access to information protected by encryption or other security techniques or devices- "(1) is likely to: "(A) jeopardize an on-going investigation "(B) compromise the technique or mechanism for the purposes of future investigations; "(C) result in injury to any person; or "(D) jeopardize public health and safety; or "(2) could reasonably be expected to affect the national security; then the court shall enter such orders and take such other action as may be necessary and appropriate to preserve the confidentiality of the technique used by the governmental entity, consistent with constitutional principles. A confidentiality order under this subsection entered in a civil or criminal case may direct the use of special procedures, as appropriate, relating to the admissibility of evidence obtained through such technique used by a governmental entity. An interlocutory appeal by the United States shall lie from a decision or order of a district court with respect to a request for an order under this subsection. "(c) Nondisclosure of trade secrets.-Notwithstanding any other provision of law, trade secrets (as that term is defined in section 1839 of this title) disclosed to the government pursuant to section 2518 or 2713 of this title, or otherwise disclosed to a governmental entity to assist it in obtaining access to information protected by encryption or other security techniques or devices, shall not be disclosed by any governmental entity unless such disclosure is to another governmental entity, is necessary to implement such methods of access, is with the consent of the person or entity that owns the trade secret, or is ordered by a court of competent jurisdiction pursuant to a request of that governmental entity. "(d) Interaction with the Classified Information Procedures Act.-Nothing in this section shall be deemed to affect the Classified Information Procedures Act, Pub. L. 96-456, 94 Stat. 2025 (1980), or as hereafter amended. "§ 2718. Foreign intelligence information "Sections 2711, 2712, 2713, 2714, and 2715 of this title shall not apply to the acquisition by the United States of foreign intelligence information as defined in section 101(e) of the Foreign Intelligence Surveillance Act of 1978 or otherwise affect any lawfully authorized intelligence activity of an officer, agent or employee of the United States, or a person acting pursuant to a contract with the United States.". SEC. 204. DEFINITIONS. Section 2719 of title 18, United States Code, as redesignated by section 201 of this Act, is amended
(a) in paragraph (1), by striking "and"; (b) in paragraph (2), by striking the period and inserting a semicolon; and (c) by adding at the end the following: "(3) the term 'encryption' means the electronic transformation of data (including communications) in order to obscure or hide their content; "(4) the term 'decryption' means the electronic retransformation of data (including communications) that have been encrypted into the data's form prior to encryption; "(5) the term 'plaintext' means decrypted or unencrypted data (including communications); "(6) the term 'recovery information' means a parameter that can. be used with an algorithm, or other data or object, that can be used to decrypt data or communications; "(7) the term 'stored recovery information' means recovery information held by a recovery agent on behalf of a person or entity who is not an officer, agent, or employee of the recovery agent acting in that capacity, which information-- "(a) can be used to decrypt the data or communications of that person or entity; "(b) remains the exclusive property of that person or entity, and must be returned to such person or entity by the recovery agent on that person or entity's demand; and "(c) except as provided otherwise by this chapter, can be disclosed or used in any manner by the recovery agent only with the consent of that person or entity or such person or entity's agent; "(8) the term 'recovery device' means any enabling or modification of any part of a computer or other system, including hardware and software, that allows plaintext to be obtained even if attempts are made to protect it through encryption or other security techniques or devices; "(9) the term 'recovery agent' means a person or entity who provides recovery information storage services in the United to the public, or is a person or entity, other than an individual, who provides recovery information storage services in the United States to more than one other person or entity as a business practice, and includes any officer, employee, or agent thereof, "(10) The term 'governmental entity' includes the Government of the United States and any agency or instrumentality thereof, and any State as defined in section 2510(3) of this title, and any agency, instrumentality, or political subdivision thereof; "(11) the term 'certificate authority' means a person or entity trusted by one or more persons or entities to certify that a key is associated with a particular person or persons, an entity or several entities, or another identifier such as a pseudonym; and "(12) the term 'court of competent jurisdiction' has the meaning assigned by section 3127 of this title, and includes any federal court within that definition, without geographic limitation.". SEC. 205. TECHNICAL AMENDMENTS (a) Chapter title.-- The title of chapter 121 of title 18, United States Code, is amended by adding "AND RECOVERY INFORMATION ACCESS" to the end thereof. (b) Chapter analysis.-- The chapter analysis for chapter 121 of title 18, United States Code, is amended by striking the last item and inserting the following: "2711. Disclosure or use of stored recovery information and customer information by recovery agents; notification of storage location. "2712. Requirements for governmental access to, use of, and disclosure of stored recovery information. "2713. Obtaining recovery information or plaintext by other means. "2714. Use, disclosure, and destruction of recovery information obtained by a governmental entity by compulsory process. "2715. Notice of access to recovery information held by third parties and obtained by a governmental entity. "2716. No cause of action-against a provider or recovery agent for compliance with legal demands. "2717. Protection of confidential information. "2718. Foreign intelligence information. "2719. Definitions for chapter.". (c) Part analysis.-The part analysis for Part I of title 18, United States Code, is amended by inserting "and recovery information access" after "access" in the item for chapter 121. SEC. 206. CONFORMING AMENDMENT Section 227(a)(2) of the Victims of Child Abuse Act of 1990 (42 U.S.C. 13032(a)(2)) is amended by striking "2711 " and inserting "2719". TITLE III-INTERCEPTION OF INFORMATION SEC. 301. MODIFICATION OF SECTIGN 2516 OF TITLE 18, UNITED STATES CODE, TO PERMIT INTERCEPTION OF INFORMATION IN CERTAIN CASES. Section 2516(l)(c) of title 18, United States Code, is amended by inserting ", a felony violation of section 1030 (relating to computer fraud and abuse)" after "section 1341 (relating to mail fraud)". TITLE IV- MISCELLANEOUS PROVISIONS SEC. 401. DIRECTIVES TO THE SENTENCING COMMISSION. (a) Amendment of sentencing guidelines.-- Pursuant to its authority under section 994(p) of title 28, United States Code, the United States Sentencing Commission shall review the federal sentencing guidelines and, if appropriate, shall promulgate guidelines or policy statements or amend existing guidelines or policy statements to-- (1) ensure that the guidelines provide sufficiently stringent penalties to deter and punish persons who knowingly use encryption in connection with the commission or concealment of criminal acts sentenced under the guidelines; (2) provide appropriate penalties for persons who violate this Act; and (3) address any other factor the Commission considers appropriate in connection with this Act. (b) Emergency authority -- The Commission may promulgate the guidelines, or amendments provided for under this section in accordance with the procedures set forth in section 21 (a) of the Sentencing Act of 1987, as though the authority under that Act had not. expired. SEC. 402. PROCUREMENT. Notwithstanding any other provision of law, if the head of a federal law enforcement agency determines that disclosure of agency needs pertaining to procurement of sensitive equipment, goods, or services associated with access to the plaintext of data and communications, might reasonably jeopardize an ongoing or future investigation or the use of such equipment, goods, or services by the agency, then the agency head may limit the number of sources from which the agency solicits bids or proposals, but should use best efforts to solicit bids from at least two sources, and the agency is not required to advertise the solicitation of such equipment, goods, or services. SEC. 403. PERSONNEL EXCHANGE PROGRAMS Section 3371(4) of title 5, United States Code, is amended--
"(a) by striking "of" at the end of subparagraph (C); (b) by striking the period at the end of subparagraph (D) and inserting "; or" and (c) by adding at the end the following new subparagraph: "(E) a provider of wire, electronic communications or data encryption or related services, or a recovery agent, or any other entity, for the limited purpose of carrying out the duties and furthering the purposes set forth in the Cyberspace Electronic Security Act of 1999.". SEC. 404. SEVERABILITY. If any provision of this Act, or the application thereof, to any person or circumstance, is held invalid, the remainder of this Act, and the application thereof, to other persons or circumstances shall not be affected thereby.
You may copy and distribute. Did the Government gave your telephone privacy rights away! |
|
|
|
|
