Text File | 1994-10-28 | 21KB | 318 lines
103d CONGRESS H. R. 5199 As Introduced in the House
Note: This document is the unofficial version of a Bill or Resolution.
The printed Bill and Resolution produced by the Government Printing
Office is the only official version.
VERSION As Introduced in the House
CONGRESS 103d CONGRESS
2d Session
BILL H. R. 5199
TITLE To amend the National Institute of Standards and Technology Act to
provide for the establishment and management of voluntary
encryption standards to protect the privacy and security of
electronic information, and for other purposes.
--------------------
IN THE HOUSE OF REPRESENTATIVES
OCTOBER 6, 1994
Mr. Brown of California introduced the following bill; which was
referred to the Committee on Science, Space, and Technology
--------------------
TEXT A BILL
To amend the National Institute of Standards and Technology Act to
provide for the establishment and management of voluntary
encryption standards to protect the privacy and security of
electronic information, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the `Encryption Standards and Procedures
Act of 1994`.
SEC. 2. FINDINGS AND PURPOSES.
(a) Findings . - The Congress finds the following:
(1) Advancements in communications and information technology
and the widespread use of that technology have enhanced the
volume and value of domestic and international communication of
electronic information as well as the ability to preserve the
confidentiality, protect the privacy, and authenticate the
origin, of that information.
(2) The proliferation of communications and information
technology has made it increasingly difficult for the
government to obtain and decipher, in a timely manner and as
provided by law, electronic information that is necessary to
provide for public safety and national security.
(3) The development of the Nation`s information
infrastructure and the realization of the full benefits of that
infrastructure require that electronic information resident in,
or communicated over, that infrastructure is secure,
confidential, and authentic.
(4) Security, privacy, and authentication of electronic
information resident in, or communicated over, the Nation`s
information infrastructure are enhanced with the use of
encryption technology.
(5) The rights of individuals and other persons to security,
privacy, and protection in their communications and in the
dissemination and receipt of electronic information should be
preserved and protected.
(6) The authority and ability of the government to obtain and
decipher, in a timely manner and as provided by law, electronic
information necessary to provide for public safety and national
security should also be preserved.
(7) There is a national need to develop, adopt, and use
encryption methods and procedures that advance the development
of the Nation`s information infrastructure and that preserve
the personal rights referred to in paragraph (5) and the
governmental authority and ability referred to in paragraph
(6), as provided by law.
(b) Purposes . - It is the purpose of this Act -
(1) to promote the development of the Nation`s information
infrastructure consistent with public welfare and safety,
national security, and the privacy and protection of personal
property;
(2) to encourage and facilitate the development, adoption,
and use of encryption standards and procedures that provide
sufficient privacy, protection, and authentication of
electronic information and that reasonably satisfy the needs of
government to provide for public safety and national security;
and
(3) to establish Federal policy governing the development,
adoption, and use of encryption standards and procedures and a
Federal program to carry out that policy.
SEC. 3. ENCRYPTION STANDARDS AND PROCEDURES.
(a) Computer System Security and Privacy Advisory Board. -
(1) Requirement of privacy expertise . - Section 21(a)(2) of
the National Institute of Standards and Technology Act (15 U.S.C.
278g-4(a)(2)) is amended by inserting `(including computer systems
privacy)` after `related disciplines`.
(2) Expanded functions . - Section 21(b) of such Act (15
U.S.C. 278g-4(b)) is amended -
(A) by striking `and` at the end of paragraph (2);
(B) by striking the period at the end of paragraph (3)
and inserting `; and`; and
(C) by adding after paragraph (3) the following new
paragraph:
`(4) to advise the Institute and the Congress on privacy
issues pertaining to electronic information and on encryption
standards developed under section 31(b).`.
(b) Standards and Procedures . - The National Institute of
Standards and Technology Act is further amended -
(1) by redesignating section 31 as section 32; and
(2) by inserting after section 30 the following new section
31:
`SEC. 31. ENCRYPTION STANDARDS AND PROCEDURES.
`(a) Establishment and Authority . - The Secretary, acting
through the Director, shall establish an Encryption Standards and
Procedures Program to carry out this section. In carrying out this
section, the Secretary, acting through the Director, may (in
addition to the authority provided under section 2) conduct
research and development on encryption standards and procedures,
make grants, and enter into contracts, cooperative agreements,
joint ventures, royalty arrangements, and licensing agreements on
such terms and conditions the Secretary considers appropriate.
`(b) Federal Encryption Standards . -
`(1) In general . - The Secretary, acting through the
Director and after providing notice to the public and an
opportunity for comment, may by regulation develop encryption
standards as part of the program established under subsection (a).
`(2) Requirements . - Any encryption standard developed
under paragraph (1) -
`(A) shall, to the maximum extent practicable, provide
for the confidentiality, integrity, or authenticity of
electronic information;
`(B) shall advance the development, and enhance the
security, of the Nation`s information infrastructure;
`(C) shall contribute to public safety and national
security;
`(D) shall not diminish existing privacy rights of
individuals and other persons;
`(E) shall preserve the functional ability of the
government to decipher, in a timely manner, electronic
information that has been obtained pursuant to an
electronic surveillance permitted by law;
`(F) may be implemented in software, firmware, hardware,
or any combination thereof; and
`(G) shall include a validation program to determine the
extent to which such standards have been implemented in
conformance with the requirements set forth in this
paragraph.
`(3) Consultation . - Standards developed under paragraph
(1) shall be developed in consultation with the heads of other
appropriate Federal agencies.
`(c) Permitted Use of Standards . - The Federal Government shall
make available for public use any standard established under
subsection (b), except that nothing in this Act may be construed to
require such use by any individual or other person.
`(d) Escrow Agents . -
`(1) Designation . - If a key escrow encryption standard is
established under subsection (b), the President shall designate at
least 2 Federal agencies that satisfy the qualifications referred
to in paragraph (2) to act as key escrow agents for that standard.
`(2) Qualifications . - A key escrow agent designated under
paragraph (1) shall be a Federal agency that -
`(A) possesses the capability, competency, and resources
to administer the key escrow encryption standard, to
safeguard sensitive information related to it, and to carry
out the responsibilities set forth in paragraph (3) in a
timely manner; and
`(B) is not a Federal agency that is authorized by law to
conduct electronic surveillance.
`(3) Responsibilities . - A key escrow agent designated
under paragraph (1) shall, by regulation and in consultation with
the Secretary and any other key escrow agent designated under such
paragraph, establish procedures and take other appropriate steps -
`(A) to safeguard the confidentiality, integrity, and
availability of keys or components thereof held by the
agent pursuant to this subsection;
`(B) to preserve the integrity of any key escrow
encryption standard established under subsection (b) for
which the agent holds the keys or components thereof;
`(C) to hold and manage the keys or components thereof
consistent with the requirements of this section and the
encryption standard established under subsection (b); and
`(D) to carry out the responsibilities set forth in this
paragraph in the most effective and efficient manner
practicable.
`(4) Authority . - A key escrow agent designated under
paragraph (1) may enter into contracts, cooperative agreements, and
joint ventures and take other appropriate steps to carry out its
responsibilities.
`(e) Limitations on Access and Use . -
`(1) Release of key to certain agencies . - A key escrow
agent designated under subsection (d) may release a key or
component thereof held by the agent pursuant to that subsection
only to a Federal agency that is authorized by law to conduct
electronic surveillance and that is authorized to obtain and use
the key or component by court order or other provision of law. An
entity to whom a key or component thereof has been released under
this paragraph may use the key or component thereof only in the
manner and for the purpose and duration that is expressly provided
for in the court order or other provision of law authorizing such
release and use.
`(2) Limitation on use by private persons and foreign
citizens . -
`(A) In general . - Except as provided in subparagraph
(B), a person (including a person not a citizen or permanent
resident of the United States) that is not an agency of the Federal
Government or a State or local government shall not have access to
or use keys associated with an encryption standard established
under subsection (b).
`(B) Exception . - A representative of a foreign
government may have access to and use a key associated with an
encryption standard established under subsection (b) only if the
President determines that such access and use is in the national
security and foreign policy interests of the United States. The
President shall prescribe the manner and conditions of any such
access and use.
`(3) Limit on use by government agencies . - A government
agency, instrumentality, or political subdivision thereof shall not
have access to or use a key or component thereof associated with an
encryption standard established under subsection (b) that is held
by a key escrow agent under subsection (d) unless such access or
use is authorized by this section, by court order, or by other law.
`(f) Review and Report . -
`(1) In general . - Within 2 years after the date of the
enactment of this Act and at least once every 2 years thereafter,
the Secretary shall conduct a hearing on the record in which all
interested parties shall have an opportunity to comment on the
extent to which encryption standards, procedures, and requirements
established under this section have succeeded in fulfilling the
purposes of this section and the manner and extent to which such
standards, procedures, and requirements can be improved.
`(2) Report . - Upon completion of a hearing conducted under
paragraph (1), the Secretary shall submit to the Congress a report
containing a statement of the Secretary`s findings pursuant to the
hearing along with recommendations and a plan for correcting any
deficiencies or abuses in achieving the purposes of this section
that are identified as a result of the hearing.
`(g) Regulations . - Within one year after the date of the
enactment of this Act, the Secretary and each key escrow agent
designated by the President under subsection (d) shall, after
notice to the public and opportunity for comment, issue any
regulations necessary to carry out this section.
`(h) Liability . - The United States shall not be liable for any
loss incurred by any individual or other person resulting from any
compromise or security breach of any encryption standard
established under subsection (b) or any violation of this section
or any regulation or procedure established by or under this section
by -
`(1) any person who is not an official or employee of the
United States; or
`(2) any person who is an official or employee of the United
States, unless such compromise, breach, or violation is
willful.
`(i) Severability . - If any provision of this section, or the
application thereof, to any person or circumstance, is held
invalid, the remainder of this section, and the application
thereof, to other persons or circumstances shall not be affected
thereby.
`(j) Definitions . - For purposes of this section:
`(1) The term `content`, when used with respect to electronic
information, includes the substance, purport, or meaning of
that information.
`(2) The term `electronic communications system` has the
meaning given such term in section 2510(14) of title 18, United
States Code.
`(3) The term `encryption` means a method -
`(A) to encipher and decipher the content of electronic
information to protect the privacy and security of such
information; or
`(B) to verify the integrity, or authenticate the origin,
of electronic information.
`(4) The term `encryption standard` means a technical,
management, physical, or administrative standard or associated
guideline or procedure for conducting encryption, including key
escrow encryption, to ensure or verify the integrity,
authenticity, or confidentiality of electronic information
that, regardless of application or purpose, is stored,
processed, transmitted, or otherwise communicated domestically
or internationally in any public or private electronic
communications system.
`(5) The term `key escrow encryption` means an encryption
method that allows the government, pursuant to court order or
other provision of law, to decipher electronic information that
has been encrypted with that method by using a unique secret
code or key that is, in whole or in part, held by and obtained
from a key escrow agent.
`(6) The term `key escrow agent` means an entity designated
by the President under subsection (d) to hold and manage keys
associated with an encryption standard established under
subsection (b).
`(7) The term `key` means a unique secret code or character
string that enables a party other than the sender, holder, or
intended recipient of electronic information to decipher such
information that has been enciphered with a corresponding
encryption standard established under subsection (b) only with
such code or string.
`(8) The term `electronic information` means the content,
source, or destination of any information in any electronic
form and in any medium which has not been specifically
authorized by a Federal statute or an Executive Order to be
kept secret in the interest of national defense or foreign
policy and which is stored, processed, transmitted or otherwise
communicated, domestically or internationally, in an electronic
communications system, and
`(A) electronic communication within the meaning of
section 2510(12) of title 18, United States Code; or
`(B) wire communication within the meaning of section
2510(1) of such title.
`(9) The term `government` means the Federal Government, a
State or political subdivision of a State, the District of
Columbia, or a commonwealth, territory, or possession of the
United States.
`(k) Authorization of Appropriations . -
`(1) In general . - From amounts otherwise authorized to be
appropriated to the Secretary of Commerce for fiscal years 1995
through 1997 to carry out the programs of the Institute, the amount
of $50,000,000 shall be available for such fiscal years to carry
out this section. Such amount shall remain available until
expended. Of such amount, $1,000,000 shall be available for the
National Research Council study on national cryptography policy
authorized under section 267 of the National Defense Authorization
Act for Fiscal Year 1994 (10 U.S.C. 421 note).
`(2) Transfer authority . - The Secretary may transfer funds
appropriated pursuant to paragraph (1) to a key escrow agent other
than the Secretary in amounts sufficient to cover the cost of
carrying out the responsibilities of the agent under this section.
Funds so transferred shall remain available until expended.`.