COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
U.S. House of Representatives
Washington, DC 20515
July 13, 1994
MEMORANDUM
To: ALL INTERESTED PARTIES
From: Tony Clark
Professional Staff Member
Subject: Encryption Standards and Procedures Act
Attached for your review and comment is a staff discussion draft
of legislation to authorize the Administration to develop and issue,
by regulation, federal encryption standards for ensuring the privacy,
security, and authenticity of domestic and international electronic
communications in a way that preserves privacy rights and
maintains the government's authority and ability to conduct
electronic surveillance. The bill has been drafted as a means to
facilitate debate and resolve differences on the controversial
"Clipper Chip" encryption standard that the Administration formally
adopted in February.
The proposed legislation would allow the Administration to issue
voluntary encryption standards for public and private use, but only
under a rulemaking process where all stakeholders would have an
opportunity to influence the final program. With respect to policy, it
would permit wider use of encryption technology while reasserting
Fourth Amendment privacy rights and the government's authority to
conduct electronic surveillance. To ensure those rights are
preserved, the bill would impose new legal requirements on escrow
agents that may be part of an encryption standard established under
the legislation. It would also establish an R&D program at NIST to
develop next generation encryption technology, and would authorize
funding to implement the legislation.
I would welcome your views and comments on the draft bill. You
can reach me by phone at 202-225-9662 or by fax at 202-225-8057.
Attachment:
[STAFF DISCUSSION DRAFT]
July 12, 1994
103D CONGRESS H.R. ___________
2D SESSION
IN THE HOUSE OF REPRESENTATIVES
Mr. ______________ introduced the following bill; which was referred to
the Committee on ______________________
A BILL
To amend the National Institute of Standards and Technology Act to
provide for the establishment and management of voluntary encryption
standards to protect the privacy and security of electronic
information, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the "Encryption Standards
and Procedures Act of 1994".
SEC. 2. FINDINGS AND PURPOSES.
(a) FINDINGS.--The Congress finds the following:
(1) Advancements in communications and information technology and
the widespread use of that technology have enhanced the volume and value
of domestic and international communication of electronic information as
well as the ability to secure the privacy and authenticate the origin of
that information.
(2) The proliferation of communications and information technology
has made it increasingly difficult for the government to obtain and
interpret, in a timely manner, electronic information that is necessary
to provide for public safety and national security.
(3) The development of the Nation's information infrastructure and
the realization of the full benefits of that infrastructure require that
electronic information resident in, or communicated over, that
infrastructure is sufficiently secure, private, and authentic.
(4) Security, privacy, and authentication of electronic information
resident in, or communicated over, the Nation's information
infrastructure are enhanced with the use of encryption technology.
(5) The rights of individuals and other persons to security,
privacy, and protection in their communications and in the dissemination
and receipt of electronic information should be preserved and protected.
(6) The authority and ability of the government to obtain and
interpret, in a timely manner, electronic information necessary to
provide for public safety and national security should also be
preserved.
(7) There is a national need to develop, adopt, and use encryption
methods and procedures that advance the development of the Nation's
information infrastructure and that preserve the personal rights
referred to in paragraph (5) and the governmental authority and ability
referred to in paragraph (6).
(b) PURPOSES.--It is the purpose of this Act--
(1) to promote the development of the Nation's information
infrastructure consistent with public welfare and safety, national
security, and the privacy and protection of personal property;
(2) to encourage and facilitate the development, adoption, and use
of encryption standards and procedures that provide sufficient privacy,
protection, and authentication of electronic information and
that reasonably satisfy the needs of government to provide for public
safety and national security; and
(3) to establish federal policy governing the development,
adoption, and use of encryption standards and procedures and a federal
program to carry out that policy.
SEC. 3. ENCRYPTION STANDARDS AND PROCEDURES.
The National Institute of Standards and Technology
Act is amended--
(1) by redesignating section 31 as section 32;
and
(2) by inserting after section 30 the following new section 31:
"SEC. 31. ENCRYPTION STANDARDS AND PROCEDURES.
"(a) ESTABLISHMENT AND AUTHORITY.--The Secretary, acting through
the Director, shall establish an Encryption Standards and Procedures
Program to carry out this section. In carrying out this section, the
Secretary, acting through the Director, may (in addition to the
authority provided under section 2) conduct research and development on
encryption standards and procedures, make grants, and enter into
contracts, cooperative agreements, joint ventures, royalty arrangements,
and licensing agreements on such terms and conditions the Secretary
considers appropriate.
"(b) FEDERAL ENCRYPTION STANDARDS.--
"(1) IN GENERAL.--The Secretary, acting through the Director
and after providing notice to the public and an opportunity for comment,
may by regulation develop encryption standards as part of
the program established under subsection (a).
"(2) REQUIREMENTS.--Any encryption standard developed under
paragraph (1)--
"(A) shall seek to ensure and verify, to the maximum extent
practicable, the confidentiality, integrity, or authenticity of
electronic information;
"(B) shall advance the development of the Nation's information
infrastructure;
"(C) shall contribute to public safety and national security;
"(D) shall not diminish existing privacy rights of individuals and
other persons;
"(E) shall preserve the functional ability of the government to
interpret, in a timely manner, electronic information that has been
obtained pursuant to an electronic surveillance permitted by law;
"(F) may be implemented in software, firmware, hardware, or any
combination thereof; and
"(G) shall include a validation program to determine the extent to
which such standards have been implemented in conformance with the
requirements set forth in this paragraph.
"(3) PROCEDURES.--Standards developed
under paragraph (1) shall be developed in consultation with the
Attorney General, the Director of the Federal Bureau of Investigation,
the Director of the National Security Agency, and the heads of other
appropriate federal agencies. The Computer Systems and Privacy Advisory
Board established in section shall review any such standards before such
standards are issued and submit recommendations and advice regarding
such standards to the Secretary.
"(c) PERMITTED USE OF STANDARDS.--The federal
Government shall make available for public use any standard established
under subsection (b), except that nothing
in this Act may be construed to require such use by any
individual or other person.
"(d) ESCROW AGENTS.--
"(1) DESIGNATION.--If a key escrow encryption standard is
established under subsection (b), the President shall designate at least
2, but not more than 3, Federal agencies that satisfy the
qualifications referred to in paragraph (2) to act as key escrow agents
for that standard.
"(2) QUALIFICATIONS.--A key escrow agent designated under paragraph
(1) shall be a Federal agency that--
"(A) possesses the capability, competency, and resources to
administer the key escrow encryption standard, to safeguard sensitive
information related to it, and to carry out the responsibilities set
forth in paragraph (3) in a timely manner; and
"(B) is not a Federal agency that is authorized by law to
conduct electronic surveillance.
"(3) RESPONSIBILITIES.--A key escrow agent
designated under paragraph (1) shall, by regulation and in consultation
with the Secretary and any other key escrow agent designated under such
paragraph, establish procedures and take other appropriate steps--
"(A) to safeguard the confidentiality of keys or components
thereof held by the agent pursuant to this subsection;
"(B) to preserve the integrity of the key escrow encryption
standard established under subsection (b) for which the agent holds the
keys or components thereof;
"(C) to hold and manage the keys or components thereof consistent
with the requirements of this section and the encryption standard
established under subsection (b); and
"(D) to carry out the responsibilities set forth in this paragraph
in the most effective and efficient manner practicable.
"(4) AUTHORITY.--A key escrow agent designated under paragraph (1)
may enter into contracts, cooperative agreements, and joint ventures and
take other appropriate steps to carry out its responsibilities.
"(e) LIMITATIONS ON ACCESS AND USE.--
"(1) RELEASE OF KEY TO CERTAIN AGENCIES.--A key escrow agent designated
under subsection (d) may release a key or component thereof held by the
agent pursuant to that subsection only to a government agency,
instrumentality, or political subdivision thereof that is authorized by
law to conduct electronic surveillance and that is authorized to obtain
and use the key or component by court order or other provision of law.
An entity to whom a key or component thereof has been released under
this paragraph may use the key or component thereof only in the manner
and for the purpose and duration that is expressly provided for in the
court order or other provision of law authorizing such release and use.
"(2) LIMITATION ON USE BY PRIVATE PERSONS AND FOREIGN CITIZENS.--
"(A) IN GENERAL.--Except as provided in subparagraph (B), a person
(including a person not a citizen or permanent resident of the United
States) that is not an agency of the federal Government or a State or
local government shall not have access to or use keys associated with an
encryption standard established under subsection (b).
"(B) EXCEPTION.--A representative of a foreign government may have access
to and use a key associated with an encryption standard established
under subsection (b) only if the President determines that such access
and use is in the national security and foreign policy interests of the
United States. The President shall prescribe the manner and conditions
of any such access and use.
"(3) LIMIT ON USE BY GOVERNMENT AGENCIES.--A government agency,
instrumentality, or political subdivision thereof shall not have access
to or use a key or component thereof associated with an encryption
standard established under subsection (b) that is held by a key escrow
agent under subsection (d) unless such access or use is authorized by
this title, by court order, or by other law.
"(f) REVIEW AND REPORT.--
"(1) IN GENERAL.--Within 3 years after the date of the enactment of
this Act and at least once every 3 years thereafter, the Secretary shall
conduct a hearing on the record in which all interested parties shall
have an opportunity to comment on the extent to which encryption
standards, procedures, and requirements established under this section
have succeeded in fulfilling the purposes of this section and the manner
and extent to which such standards, procedures, and requirements can be
improved.
"(2) REPORT.--Upon completion of a hearing conducted under paragraph
(1), the Secretary shall submit to the Congress a report containing a
statement of the Secretary's findings pursuant to the hearing along with
recommendations and a plan for correcting any deficiencies in achieving
the purposes of this section that are identified as a result of the
hearing.
"[(g) VIOLATIONS, ENFORCEMENT, AND PENALTIES.--
"[(1) CIVIL PENALTIES.--
"[(A) IN GENERAL.--The Attorney General may impose a civil penalty
against any individual or other person (including an officer or employee
of government) who commits any of the violations described in paragraph
(2). The amount of a civil penalty imposed under this paragraph may not
exceed $1,000 per day for each such violation.
"[(B) PROCEDURES FOR IMPOSITION OF CIVIL PENALTIES.--The Attorney General
shall establish standards and procedures governing the imposition of
civil penalties under subparagraph (A). The standards and procedures
shall provide for the imposition of a penalty only after the individual
or other person has been given an opportunity for a hearing on the
record in accordance with section 554 of title 5, United States Code.
"[(2) VIOLATIONS.--It shall be a violation of this section for--
"[(A) any individual or other person (except an officer
or employee of government authorized by this section to hold or use a
key or component thereof) to hold or use a key or component thereof
other than a key or component thereof that corresponds to a device which
is the property of that individual or person; or
"[(B) any officer or employee of government, including
a key escrow agent--
"[(i) to intentionally make available a
key or component thereof to any person
not authorized to have access to or use
such key or component thereof under this
section; or
"[(ii) to use a key or component
thereof in a manner or for a purpose not
authorized under this section.
"[(3) INJUNCTION.--The Attorney General may
enjoin any individual or other person (including an
officer or employee of government) from committing
a violation of this section. The district courts of the
United States shall have jurisdiction of any action brought by
the Attorney General under this paragraph.]
"(h) REGULATIONS.--Within one year after the date of the enactment of
this Act, the Secretary and each key escrow agent designated by the
President under subsection (d) shall, after notice to the public and
opportunity for comment, issue any regulations necessary to carry out
this section.
"(i) LIABILITY.--The United States shall not be liable for any loss
incurred by any individual or other person resulting from any compromise
or security breach of any encryption standard established under
subsection (b) or any violation of this section or any regulation or
procedure established by or under this section by--
"(1) any person who is not an official or employee of the
United States; or
"(2) any person who is an official of the United States,
unless such compromise, breach, or violation is willful.
"(j) SEVERABILITY.--If any provision of this section,
or the application thereof, to any person or circumstance, is held
invalid, the remainder of this section, and the application thereof, to
other persons or circumstances shall not be affected thereby.
"(k) DEFINITIONS.--For purposes of this section:
"(1) The term 'content', when used with respect to electronic
information, includes the substance, purport, or meaning of that
information.
"(2) The term 'electronic communications system' has the meaning
given such term in section 2510(14) of title 18, United States Code.
"(3) The term 'encryption' means a method--
"(A) to encipher and decipher the content
of electronic information to protect the privacy
and security of such information; or
"(B) to authenticate the origin of electronic information.
"(4) The term 'encryption standard' means a technical, management,
physical, or administrative standard or associated guideline or
procedure for conducting encryption, including key escrow encryption, to
ensure or verify the integrity, authenticity, or confidentiality of
electronic information that, regardless of application or purpose, is
stored, processed, transmitted, or otherwise communicated domestically
or internationally in any public or private electronic communications
system.
"(5) The term 'key escrow encryption' means an encryption method that
allows the government, pursuant to court order or other provision of
law, to decipher electronic information that has been encrypted with
that method by using a unique secret code or key that is, in whole or in
part, held by and obtained from a key escrow agent.
"(6) The term 'key escrow agent' means an entity designated by the
President under subsection (d) to hold and manage keys associated with
an encryption standard established under subsection (b).
"(7) The term 'key' means a unique secret code that enables a party
other than the sender, holder, or intended recipient of electronic
information to decipher such information that has been enciphered with a
corresponding encryption standard established under subsection (b).
"(8) The term 'electronic information' means
the content, source, or destination of any information in any
electronic form and in any medium which has not been specifically
authorized by a Federal statute or an Executive Order to be kept secret
in the interest of national defense or foreign policy and which is stored,
processed, transmitted or otherwise communicated, domestically or
internationally, in an electronic communications system, and
"(A) electronic communication within the meaning of section
2510(12) of title 18, United States Code; or
"(B) wire communication within the meaning of section 2510(1) of
such title.
"(9) The term 'government' means the Federal Government, a State or
political subdivision of a State, the District of Columbia, or a
commonwealth, territory, or possession of the United States.
"(l) AUTHORIZATION OF APPROPRIATIONS.--
"(1) IN GENERAL.--There is hereby authorized to be appropriated to
the Secretary, to carry out this section, $50,000,000 for fiscal years
1995 through 1997, to remain available until expended. Of the amount
authorized by this paragraph, $1,000,000 shall be available for the
National Research Council study on national cryptography policy
authorized under section 267 of the National Defense Authorization Act
for Fiscal Year 1994 (10 U.S.C. 421 note).
"(2) TRANSFER AUTHORITY.--The Secretary may transfer funds
appropriated pursuant to paragraph (1) to a key escrow agent other than
the Secretary in amounts sufficient to cover the cost of carrying out
the responsibilities of the agent under this section. Funds so
transferred shall remain available until expended.".