THE WHITE HOUSE
TO THE CONGRESS OF THE UNITED STATES:

I am pleased to transmit for your early consideration and speedy enactment a legislative proposal entitled the "Cyberspace Electronic Security Act of 1999" (CESA). Also transmitted herewith is a section-by-section analysis.

There is little question that continuing advances in technology are changing forever the way in which people live, the way they communicate with each other, and the manner in which they work and conduct commerce. In just a few years, the Internet has shown the world a glimpse of what is attainable in the information age. As a result, the demand for more and better access to information and electronic commerce continues to grow -- among not just individuals and consumers, but also among financial, medical, and educational institutions, manufacturers and merchants, and State and local governments. This increased reliance on information and communications raises important privacy issues because Americans want assurance that their sensitive personal and business information is protected from unauthorized access as it resides on and traverses national and international communications networks. For Americans to trust this new electronic environment, and for the promise of electronic commerce and the global information infrastructure to be fully realized, information systems must provide methods to protect the data and communications of legitimate users. Encryption can address this need because encryption can be used to protect the confidentiality of both stored data and communications. Therefore, my Administration continues to support the development, adoption, and use of robust encryption by legitimate users.

At the same time, however, the same encryption products that help facilitate confidential communications between law-abiding citizens also pose a significant and undeniable public safety risk when used to facilitate and mask illegal and criminal activity. Although cryptography has many legitimate and important uses, it is also increasingly used as a means to promote criminal activity, such as drug trafficking, terrorism, white collar crime, and the distribution of child pornography.

The advent and eventual widespread use of encryption poses significant and heretofore unseen challenges to law enforcement and public safety. Under existing statutory and constitutional law, law enforcement is provided with different means to collect evidence of illegal activity in such forms as communications or stored data on computers. These means are rendered wholly insufficient when encryption is utilized to scramble the information in such a manner that law enforcement, acting pursuant to lawful authority, cannot decipher the evidence in a timely manner, if at all. In the context of law enforcement operations, time is of the essence and may mean the difference between success and catastrophic failure.

A sound and effective public policy must support the development and use of encryption for legitimate purposes but allow access to plaintext by law enforcement when encryption is utilized by criminals. This requires an approach that properly balances critical privacy interests with the need to preserve public safety. As is explained more fully in the sectional analysis that accompanies this proposed legislation, the CESA provides such a balance by simultaneously creating significant new privacy protections for lawful users of encryption, while assisting law enforcement's efforts to preserve existing and constitutionally supported means of responding to criminal activity.

The CESA establishes limitations on government use and disclosure of decryption keys obtained by court process and provides special protections for decryption keys stored with third party "recovery agents." CESA authorizes a recovery agent to disclose stored recovery information to the government, or to use stored recovery information on behalf of the government, in a narrow range of circumstances (e.g., pursuant to a search warrant or in accordance with a court order under the Act). In addition, CESA would authorize appropriations for the Technical Support Center in the Federal Bureau of Investigation, which will serve as a centralized technical resource for Federal, State, and local law enforcement in responding to the increasing use of encryption by criminals.

I look forward to working with the Congress on this important national issue.

WILLIAM J. CLINTON
THE WHITE HOUSE,

THE WHITE HOUSE
FACT SHEET
The Cyberspace Electronic Security Act of 1999

Today, the President is transmitting to the Congress a legislative proposal entitled the "Cyberspace Electronic Security Act of 1999" (CESA). This legislation would protect the growing use of encryption for the legitimate protection of privacy and confidentiality by businesses and individuals, while helping law enforcement obtain evidence to investigate and prosecute criminals despite their use of encryption to hide criminal activity.

Encryption is an important tool for protecting personal privacy and is essential for the expansion of electronic commerce. Yet, the advent and eventual widespread use of encryption poses significant challenges to law enforcement and public safety. Under existing law, investigators have a variety of legal tools to collect electronic evidence of illegal activity. These tools are rendered useless when encryption is used to scramble evidence so that law enforcement cannot decipher it in a timely manner, if at all. Timely action against terrorists, drug dealers, or kidnappers may require rapid access to electronic information that must not be thwarted by encryption.

CESA balances the needs of privacy and public safety. It establishes significant new protections for the privacy of persons who use encryption legally. The bill is technology neutral, and does not presuppose technology solutions. CESA also provides mechanisms to help maintain law enforcement's current ability to obtain useable evidence as encryption becomes more common. More specifically, CESA would:

Ensure that law enforcement maintains its ability to access decryption information stored with third parties, while protecting such information from inappropriate release. Law enforcement must inform a person whose key is obtained using court process, and must destroy the keys after their use is complete and when Federal records laws permit. Law enforcement may only use decryption keys obtained from a key recovery agent for an explicitly authorized purpose. A key recovery agent may not disclose or use a decryption key, nor disclose the identity of a customer, except under explicit and limited circumstances. Individuals remain completely free to use -- or not to use -- the services of a recovery agent.

Authorize $80 million over four years for the FBI's Technical Support Center, which will serve as a centralized technical resource for Federal, State, and local law enforcement in responding to the increasing use of encryption by criminals.

Ensure that sensitive investigative techniques and industry trade secrets remain useful in current and future investigations by protecting them from unnecessary disclosure in litigation or criminal trials involving encryption. Orders protecting such techniques and trade secrets must be consistent with fully protecting defendants' rights to a fair trial under the Constitution's Due Process clause and the Sixth Amendment. Protection of techniques requires a judicial finding in accordance with specified criteria. Firms' competitive and liability positions are protected when lawfully assisting law enforcement through the sharing of trade secrets.

In contrast to an early draft version of the bill, the Administration's legislation does not provide new authority for search warrants for encryption keys without contemporaneous notice to the subject. The bill also does not regulate the domestic development, use or sale of encryption. Americans will remain free to use any encryption system domestically.

THE WHITE HOUSE
FACT SHEET
Administration Updates Encryption Export Policy

Today, the Clinton Administration announced a new approach to encryption policy that includes updates and simplifies export controls. The major components of this update are as follows:

Global exports to individuals, commercial firms or other non-governmental entities

Any encryption commodity or software of any key length can now be exported under a license exception (i.e., without a license) after a technical review, to commercial firms and other non-government end users in any country except for the seven state supporters of terrorism. Exports previously allowed only for a company's internal use can now be used for communication with other firms, supply chains and customers. Additionally, telecommunication and Internet service providers may use any encryption commodity or software to provide services to commercial firms and non-government end users. Previous liberalizations for banks, financial institutions and other approved sectors are subsumed under this Update. Exports to governments can be approved under a license.

Global exports of retail products

Retail encryption commodities and software of any key length may be exported under a license exception (i.e., without a license) after a technical review, to any recipient in any country except to the seven state supporters of terrorism. Retail encryption commodities and software are those products which do not require substantial support for installation and use and which are sold in tangible form through independent retail outlets, or products in tangible or intangible form, which have been specifically designed for individual consumer use. There is no restriction on the use of these products. Additionally, telecommunication and Internet service providers may use retail encryption commodities and software to provide services to any recipient.

Implementation of the December 1998 Wassenaar Arrangement Revisions

Last year, the Wassenaar Arrangement (33 countries which have common controls on exports, including encryption) made a number of changes to modernize multilateral encryption controls. As part of this update, the U.S. will allow exports without a license of 56 bits DES and equivalent products, including toolkits and chips, to all users and destinations (except the seven state supporters of terrorism) after a technical review. Encryption commodities and software with key lengths of 64-bits or less which meet the mass market requirements of Wassenaar's new cryptographic note will also be eligible for export without a license after a technical review.

U.S. Subsidiaries

Foreign nationals working in the United States no longer need an export license to work for U.S. firms on encryption. This extends the policy adopted in last year's update, which allowed foreign nationals to work for foreign subsidiaries of U.S. firms under a license exception (i.e., without a license).

Export Reporting

Post-export reporting will now be required for any export to a non-U.S. entity of any product above 64 bits. Reporting helps ensure compliance with our regulations and allows us to reduce licensing requirements. The reporting requirements will be streamlined to reflect business models and practices, and will be based on what companies normally collect. We intend to consult with industry on how best to implement this part of the update.

THE WHITE HOUSE
STATEMENT BY THE PRESS SECRETARY
Administration Announces New Approach to Encryption

One year ago today, Vice President Gore announced updates to the Administration's encryption policy to serve the full range of national interests: promoting electronic commerce, supporting law enforcement and national security, and protecting privacy. The announcement permitted the export of strong encryption to protect sensitive information in the financial, health, medical, and electronic commerce sectors. It also included support for the continued ability of the nation's law enforcement community to access, under strictly defined legal procedures, the plain text of criminally related communications and stored information. At that time the Administration committed to reviewing its policy in one year.

Today, the Administration announces the results of that review, conducted in consultation with industry and privacy groups and the Congress. The strategy announced today continues to maintain the balance among privacy, commercial interests, public safety and national security. This approach is comprised of three elements -- information security and privacy, a new framework for export controls, and updated tools for law enforcement.

First, the strategy recognizes that sensitive electronic information -- government, commercial, and privacy information -- requires strong protection from unauthorized and unlawful access if the great promise of the electronic age is to be realized. Second, it protects vital national security interests through an updated framework for encryption export controls that also recognizes growing demands in the global marketplace for strong encryption products. Finally, it is designed to assure that, as strong encryption proliferates, law enforcement remains able to protect America and Americans in the physical world and in cyberspace.

With respect to encryption export controls, the strategy announced today rests on three principles: a one-time technical review of encryption products in advance of sale, a streamlined post-export reporting system, and a process that permits the government to review the exports of strong encryption to foreign government and military organizations and to nations of concern. Consistent with these principles, the government will significantly update and simplify export controls on encryption.

The updated guidelines will allow U.S. companies new opportunities to sell their products to most end users in global markets. Under this policy:

The Administration intends to codify this new policy in export regulations by December 15, 1999, following consultations on the details with affected stakeholders.

In support of public safety, the President is today transmitting to the Congress legislation that seeks to assure that law enforcement has the legal tools, personnel, and equipment necessary to investigate crime in an encrypted world. Specifically, the Cyberspace Electronic Security Act of 1999 would:

In contrast to an early draft version of the bill, the Administration's legislation does not provide new authorities for search warrants for encryption keys without contemporaneous notice to the subject. The bill does not regulate the domestic development, use and sale of encryption. Americans will remain free to use any encryption system domestically.

The Administration looks forward to continuing to work with the Congress, industry, and privacy and law enforcement communities to ensure a balanced approach to this issue.