|
Draft of Promote Reliable On Line Transactions to
Encourage Commerce and Trade (PROTECT) Act.
Re: encryption.
Sponsor: Sen. John McCain (R-AZ).
Date introduced: April 14, 1999.
Source: Office of Sen. Conrad Burns (R-MT).
Editors Notes:
(1) Tech Law Journal created this document by scanning a paper copy of the bill, and
converting it into HTML.
(2) The draft used is file named "S:\WPSHR\LEGCNSL\XYWRITE\COMMS\ENCRYPT.2", and
dated "April 12, 1999 (4:26 p.m.)".
(2) The draft used lists four sponsors in print (McCain, Burns, Wyden, and Leahy), and two
in a handwritten insertion ("Abraham, Kerry").
Copyright 1999 Tech Law Journal. All rights reserved.
106TH CONGRESS
1ST SESSION |
S. _____ |
|
To promote electronic commerce by encouraging and facilitating the use of encryption in
interstate commerce consistent with the protection of national security, and for other
purposes.
IN THE SENATE OF THE UNITED STATES
APRIL ___, 1999
Mr. McCAIN (for himself, Mr. BURNS, Mr. Wyden and Mr. LEAHY) introduced the following
bill; which was read twice and referred to the Committee on ___________
A BILL
To promote electronic commerce by encouraging and facilitating the use of encryption in
interstate commerce consistent with the protection of national security, and for other
purposes.
Be it enacted by the Senate and House of Representatives of the United States of
America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the "Promote Reliable On Line Transactions to Encourage
Commerce and Trade (PROTECT) Act of 1999".
SEC. 2. PURPOSES.
The purposes of this Act are---
[begin page 2]
(1) to promote electronic growth foster electronic commerce;
(2) create consumer confidence in electronic commerce;
(3) meet the needs of businesses and individuals using electronic networks;
(4) prevent crime; and
(5) improve national security by facilitating the widespread use of encryption and
assisting the United States Government in developing the capability to respond to the
challenges posed by new technological developments.
SEC. 3. FINDINGS.
Congress Ends the following:
(1) The ability to digitize information makes carrying out tremendous amounts of
commerce and personal communication electronically possible.
(2) Miniaturization, distributed computing, and reduced transmission costs make
communication via electronic networks a reality.
(3) The explosive growth in the Internet and other computer networks reflects the
potential growth of electronic commerce and personal communication.
[begin page 3]
(4) The Internet and the global information infrastructure have the potential to
revolutionize the way individuals and businesses conduct business.
(5) The full potential of the Internet for the conduct of business cannot be realized
as long as it is an insecure medium in which confidential business information and
sensitive personal information remain at risk of unauthorized viewing, alteration, and
use.
(6) The United States' critical infrastructures increasingly rely on vulnerable
commercial information systems and electronic networks and represent a growing risk to
national security and public safety because the security and privacy of those systems and
networks is not assured.
(7) Encryption of information enables businesses and individuals to protect themselves,
their commercial information and networks, and the United States' critical infrastructures
against unauthorized viewing, alteration, and abuse ensuring the security,
confidentiality, authenticity, and integrity of information.
(8) American computer software and hardware, communications, and electronics businesses
are leading the world technology revolution, and the American [begin
page 4] information technology industry is a vital sector of the United States
economy. These businesses have developed in the commercial marketplace, and are prepared
to offer immediately to computer users worldwide, a variety of communications and computer
hardware and software that provide strong, robust, and easy-to-use encryption.
(9) Notwithstanding American preeminence in information technology, many foreign
companies currently manufacture products and services that are comparable in quality and
capabilities to United States products and frequently provide stronger encryption. These
foreign companies are competing fiercely with United States companies for sales not only
of the encryption product or service, but also for the ultimate product that uses the
encryption capability, including applications ranging from online banking to electronic
mail to banking.
(10) The leading survey of available encryption products reports that, as of December,
1997, there were 656 foreign encryption products (out of 1619 encryption products produced
worldwide) available from 474 vendors in 29 different foreign countries.
(11) To promote economic growth, foster electronic commerce, meet the needs of
businesses and [begin page 5] individuals using electronic
networks, prevent crime, and improve national security, Americans should be free to
continue using lawfully any encryption products and programs, and American companies
should be free to sell, license, or otherwise distribute such encryption products and
programs worldwide so long as national security is not put at risk.
(12) The United States government should promote the use of the United States
encryption products and expedite its work with the industry to update the United States
Data Encryption Standard (DES).
(13) NIST has proposed requirements and established procedures for adopting a new,
stronger, private sector--developed Advanced Encryption Standard (AES).
(14) Similar to DES, it is anticipated that AES will become an international encryption
standard adopted by individuals and companies worldwide.
(15) NIST has requested candidate algorithms, evaluated candidate algorithms, and
encouraged public comment at each step of the process. NIST's open and public process for
developing and testing the new AES should be applauded and supported.
[begin page 6]
(16) Further demonstrating the worldwide availability, use, and sophistication of
encryption abroad, only 5 of the 15 AES candidate algorithms submitted to NIST for
evaluation that complied with all requirements and procedures for submission were proposed
by companies and individuals in the United States. The remaining 10 candidate algorithms
were proposed by individuals and companies from 11 different countries (Australia's
LOKI97; Belgium's RIJNDAEL; Canada's CAST-256 and DEAL; Costa Rica's FROG; France's
DFC; Germany's MAGENTA; Japan's E2; Korea's CRYPTON; and the United Kingdom, Israel, and
Norway's SERPENT algorithms).
(17) NIST's efforts to create the AES to replace DES are important to the development
of adequate global information security to a degree that Congress should explicitly
authorize and support NIST's efforts and establish a deadline of January 1, 2002, for
finalizing the new standard.
(18) Once NIST finalizes AES, the Federal Government should permit all United States
products meeting the new AES standards or its equivalent to be exported worldwide to
ensure global security and to permit United States companies to compete [begin page 7] effectively with their foreign competitors
consistent with the national security requirements of the United States.
(19) The United States Government has legitimate law enforcement and national security
objectives, which can be met by permitting American companies to compete globally, while
at the same time recognizing the challenges to law enforcement and national security posed
by quickly advancing technological developments and providing for research, development,
and adoption of new technology to respond to these challenges.
(20) As part of its efforts to fight crime with technology and ensure the safety of
commercial networks, the United States government should establish a mechanism for
facilitating communications with experts in information security industries, including
cryptographers, engineers, software publishers, and others involved in the design and
development of information security products and should ensure that such sums as necessary
are appropriated to ensure and enhance national security and law enforcement.
(21) The United Government also should expand and expedite its computer security
research activities [begin page 8] at NIST and the Federal
laboratories, work with industry to recommend priority activities at university research
facilities, and fund scholarships in information security.
SEC. 4. DEFINITIONS.
In this Act:
(1) COMPUTER HARDWARE.---The term "computer hardware" includes computer
systems, equipment, application-specific assemblies, smart cards, modules, integrated
circuits, printed circuit board assemblies, and devices that incorporate 1 or more
microprocessor-based central processing units that are capable of accepting, storing,
processing, or providing output of data.
(2) ENCRYPT AND ENCRYPTION.---The term "encrypt" and "encryption"
means the scrambling (and descrambling) of wire communications, electronic communications,
or electronically stored information, using mathematical formulas or algorithms to
preserve the confidentiality, integrity, or authenticity of, and prevent unauthorized
recipients from accessing or altering, such communications or information.
(3) ENCRYPTION PRODUCT.---The term "encryption product"---
[begin page 9]
(A) means computer hardware, computer software, or technology with encryption
capabilities; and
(B) includes any subsequent version of or update to an encryption product, if the
encryption capabilities are not changed.
(4) EXPORTABLE.---The term "exportable" means the ability to transfer, ship,
or transmit to foreign users.
(5) GENERALLY AVAILABLE OR GENERAL AVAILABILITY.---The terms "generally
available" or "general availability" mean---
(A) in the case of computer hardware or computer software (including encryption
products), computer' hardware, or computer software that is---
(i) distributed via the Internet;
(ii) widely offered for sale, license, or transfer (without regard to whether it is
offered for consideration), including over-the-counter retail sales, mail order
transactions, telephone order transactions, electronic distribution, or sale on approval;
(iii) preloaded on computer hardware that is widely available; or
[begin page 10]
(iv) assembled from computer hardware or computer software components that are
generally available;
(B) not designed, developed, or tailored by the manufacturer for specific purchasers,
except that the purchaser or user may---
(i) supply certain installation parameters needed by the computer hardware or computer
software to function properly with the computer system of the user or purchaser; or
(ii) select from among options contained in the computer hardware or computer software;
and (C) are available in more than 1 country through a means described in subparagraph
(A).
(6) KEY.---The term "key" means the variable information used in a
mathematical formula, code, or algorithm, or any component thereof, used to decrypt wire
communications, electronic communications, or electronically stored information, that has
been encrypted.
(7) LICENSE EXCEPTION.---The term "license exception" means an authorization
by the Bureau of [begin page 11] Export Administration of the
Department of Commerce that allows the export or re-export, under stated conditions, of
items subject to the Export Administration Regulations that otherwise would require a
license.
(8) NIST.---The term "NIST" means the National Institute of Standards and
Technology in the Department of Commerce.
(9) ON-LINE MERCHANT.---The -term "on-line merchant" means either a person or
a company or other entity engaged in commerce that, as part of its business, uses
electronic means to conduct commercial transactions in goods (including, but not limited
to, software and all other forms of digital content) or services, whether delivered in
tangible or electronic form.
(10) PERSON.---The term "person" has the meaning given the term in section
2510(1) of title1, United States Code.
(11) PUBLICLY AVAILABLE OR PUBLIC AVAILABILITY.---The terms "publicly
available" or "public availability" mean---
(A) information that is generally accessible to the interested public in any form; or
[begin page 12]
(B) technology and software that are already published or will be published, arise
during, or result from fundamental research, are educational, or are included in certain
patent applications.
(12) RECOVERABLE PRODUCT.---The term "recoverable product" means an
encryption product that---
(A) incorporates an operator-controlled management interface enabling real-time access
to specified network traffic prior to encryption, or after decryption, at a designated
access point under the control of the network owner or operator (utilizing a protocol such
as IPSec);
(B) permits access to data prior to encryption, or after decryption, at a server under
the control of a network owner or operator (utilizing a protocol such as SSL, TLS, or
Kerberos);
(C) includes a key or data recovery system which, when activated, enables a system
administrator or user to recover plaintext or keys to decrypt data transmitted or stored
in encrypted form; or
[begin page 13]
(D) offers the system administrator or end-user the capability to create a duplicate
key (or keys) for archival and other purposes.
(13) SECRETARY.---The term Secretary" means the Secretary of Commerce.
(14) STATE.---The term "State" means any State of the United States and
includes the District of Columbia and any commonwealth, territory, or possessions of the
United States.
(15) STRATEGIC PARTNERS.---The term "strategic partners" means 2 or more
entities that---
(A) have a business need to share the proprietary information of 1 or more United
States companies; and
(B) are contractually bound to one another; or
(C) have an established pattern on continuing or recurring contractual relations.
(16) TECHNICAL ASSISTANCE.---The term "technical assistance" includes
assistance such as instructions, skills training, working knowledge, and consulting
services, and may involve transfer of technical data.
(17) TECHNICAL DATA.---The term "technical data" may include data such as
blueprints, plans, [begin page 14] diagrams, models,
formulae, tables, engineering designs and specifications, manuals, and instructions
written or recorded on other media or devices such as disk, tape, or read-only memories.
(18) TECHNICAL REVIEW.---The term "technical review" means a review by the
Secretary of an encryption product, based on information about a product's encryption
capabilities supplied by the manufacturer, that an encryption product works as
represented.
(19) UNITED STATES PERSON.---The term "United States person" means any---
(A) United States citizen; or
(B) legal entity that---
(i) is organized under the laws of the United States, or any States, the District of
Columbia, or any commonwealth, territory, or possession of the United States; and
(ii) has its principal place of business in the United States.
(20) UNITED STATES SUBSIDIARY.---The term "United States subsidiary" means---
(A) a foreign branch of a United States company; or
[begin page 15]
(B) a foreign subsidiary or entity of a United States entity in which---
(i) a United States company or entity beneficially owns or controls (whether directly
or indirectly) 25 percent or more of the voting securities of the foreign subsidiary or
entity, if no other person owns or controls (whether directly or indirectly) an equal or
larger percentage;
(ii) the foreign subsidiary or entity is operated by a United States company or entity
pursuant to the provisions of an exclusive management contract;
(iii) the majority of the members of the Board of Directors of the foreign subsidiary
or entity also are members of the comparable governing body of the United States company
or entity;
(iv) a United States company or entity has the authority to appoint the majority of the
members of the Board of Directors of the foreign subsidiary; or
(v) a United States company or entity has the authority to appoint the Chief Operating [begin page 16] officer of the foreign subsidiary or entity.
TITLE I---DOMESTIC ENCRYPTION PROVISIONS
SEC. 101. DEVELOPMENT AND DEPLOYMENT OF ENCRYPTION A
VOLUNTARY PRIVATE SECTOR ACTIVITY.
(a) STATEMENT OF POLICY.---The use, development, manufacture, sale, distribution, and
importation of encryption products, standards, and services for purposes of assuring the
confidentiality, authenticity, or integrity of electronic information shall be voluntary
and market driven.
(b) LIMITATION ON REGULATION.---Neither the Federal Government nor a State may
establish any conditions, ties, or links between encryption products, standards, and
services used for confidentiality, and those used for authenticity or integrity purposes.
SEC. 102. SALE AND USE OF ENCRYPTION LAWFUL.
Except as otherwise provided by this Act, it is lawful for any person within any State,
and for any United States person in a foreign country, to develop, manufacture, sell,
distribute, import, or use any encryption product, regardless of the encryption algorithm
selected, encryption length chosen, existence of key recovery, or [begin
page 17] other plaintext access capability, or implementation or medium used.
SEC. 103. MANDATORY GOVERNMENT ACCESS TO PLAINTEXT
PROHIBITED.
(a) IN GENERAL.---No department, agency, or instrumentality of the United States or of
any State may---
(1) require that;
(2) set standards for;
(3) condition any approval on;
(4) create incentives for; or
(5) tie any benefit to, a requirement that, a decryption key, access to a key, key
recovery information, or any other plaintext access capability be---
(A) required to be built into computers hardware or software for any purpose;
(B) given to any other person (including a department, agency, or instrumentality of
the United States or an entity in the private sector that may be certified or approved by
the United States or a State); or
(C) retained by the owner or user of an encryption key or any other person, other than
for encryption products for the use of the [begin page 18] United
States Government or a State government.
(b) EXISTING ACCESS PROTECTED.---Subsection (a) does not affect the authority of any
investigative or law enforcement officer, or any member of the intelligence community (as
defined in section 3 of the National Security Act of 1947 (50 U.S.C. 401a)), acting under
any law in effect on the date of enactment of this Act, to gain access to encrypted
communications or information.
TITLE II---GOVERNMENT PROCUREMENT
SEC. 201. POLICY.
It is the policy of the United States---
(1) to permit the public to interact with government through commercial networks and
infrastructure; and
(2) to protect the privacy and security of any electronic communication from, or stored
information obtained from, the public.
SEC. 202. FEDERAL PURCHASES OF ENCRYPTION PRODUCTS.
(a) IN GENERAL.---Any department, agency, or instrumentality of the United States may
purchase encryption products for use by officers and employees of [begin
page 19] the United States to the extent and in the manner authorized by law.
(b) INTEROPERABILITY REQUIRED.---No department, agency, or instrumentality of the
United States, nor any department, agency, or political subdivision of a State, may
purchase an encryption product for its use unless the product will interoperate with other
commercially-available encryption products, including products without a decryption key,
access to a key, key recovery information, or any other plaintext access capability.
(c) CITIZENS NOT REQUIRED TO PURCHASE SPECIFIED PRODUCT.---No department, agency, or
instrumentality of the United States, nor any department, agency, or political subdivision
of a State, may require any person in the private sector to use any particular encryption
product or methodology, including products with a decryption key, access to a key, key
recovery information, or any other plaintext access capability, to communicate with, or
transact business with, the government.
[begin page 20]
TITLE III---ADVANCED ENCRYPTION
STANDARD
SEC. 301. DEADLINE FOR FINAL SELECTION OF ALGORITHM OR
ALGORITHMS BY NIST.
(a) AES PROCESS.---The NIST shall continue and complete the AES process initiated on
January 2, 1997, including---
(1) establishing performance requirements,
(2) setting procedures for submitting, testing, evaluating, and judging proposals; and
(3) finally selecting one or more new private sector-developed encryption algorithms.
(b) DEAD DEADLINE.---Notwithstanding subsection (a), NIST shall make a final selection
of one or more new private sector-developed encryption algorithms by January 1, 2002.
SEC. 302. COMMERCE DEPARTMENT ENCRYPTION STANDARDS AND
EXPORTS AUTHORITY RESTRICTED.
(a) REGULATORY AUTHORITY.---Except as otherwise provided in this Act, the Secretary of
Commerce may not promulgate or enforce any regulation, adopt any standard, or carry out
any policy that establishes an encryption standard for use by businesses or other entities
other than [begin page 21] for computer systems operated by a
department, agency, or other entity of the United States government.
(b) EXPORT AUTHORITY.---Except as otherwise provided in this Act, the Secretary of
Commerce may not promulgate or enforce any regulation, adopt any standard, or carry out
any policy relating to encryption that has the effect of imposing government-designed
encryption standards on the private sector by restricting the export of encryption
products.
TITLE IV---IMPROVEMENT OF
GOVERNMENTAL TECHNOLOGICAL CAPABILITY
SEC. 401. INFORMATION TECHNOLOGY LABORATORY.
Section 20(b) of the National Institute or Standards and Technology Act (15 U.S.C.
278g-3(b)) is amended---
(1) by striking "and" at the end of paragraph (4);
(2) by striking "policy.'' in paragraph (5) and inserting "policy;"; and
(3) by adding at the end thereof the following:
"(6) to obtain information regarding the most current information security
hardware, software, telecommunications, and other electronic capabilities;
[begin page 22]
"(7) to research and develop new and emerging techniques and technologies to
facilitate lawful access to communications and electronic information;
"(8) to research and develop methods to detect and prevent unwanted intrusions
into commercial computer networks, particularly those interconnected with computer systems
of the United States government;
(9) to provide assistance in responding to information security threats and
vulnerabilities at the request of other departments, agencies, and instrumentalities of
the United States and State governments; and
"(10) to facilitate the development and adoption of the best information security
practices by departments, agencies, and instrumentalities of the United States, the
States, and the private sector.".
SEC. 402. ADVISORY BOARD ON COMPUTER SYSTEM SECURITY AND
PRIVACY.
Section 21(b) of the National Institute of Standards and Technology Act (15 U.S.C.
278g-4(b)) is amended---
(1) by redesignating paragraphs (2) and (3) as paragraphs (4) and (5), respectively;
and
(2) by inserting after paragraph (1) the following:
[begin page 23]
"(2) to provide a forum for communication and coordination between industry and
the Federal Government regarding information security issues;
"(3) to foster the aggregation and dissemination of general, nonproprietary, and
non-confidential developments in important information security technologies, including
encryption, by regularly reporting that information to appropriate Federal agencies to
keep law enforcement and national security agencies abreast of emerging technologies so
they are able effectively to meet their responsibilities;".
SEC. 403. AUTHORIZATION OF APPROPRIATIONS.
There are authorized to be appropriated to such departments and agencies as may be
appropriate such sums as may be necessary to ensure that United States law enforcement
agencies and agencies responsible for national security are able to complete any missions
or goals authorized in law regardless of technological advancements in encryption and
digital technology.
TITLE V---EXPORT OF ENCRYPTION
PRODUCTS.
SEC. 501. COMMERCIAL ENCRYPTION PRODUCTS.
(a) IN GENERAL.---This title applies to all encryption products, without regard to the
encryption algorithm selected, encryption key chosen, exclusion of plaintext access [begin page 24] capability, or implementation or medium used,
except those encryption products specifically designed or modified for military use
(including command, control, and intelligence applications).
(b) AUTHORITY OF SECRETARY OF COMMERCE.---Subject to the other provisions of this
title, and notwithstanding any other provision of law, the Secretary of Commerce has
exclusive authority to control the exportation of encryption products described in
subsection (a). In exercising that authority, the Secretary shall consult with the
Secretary of State and the Secretary of Defense.
SEC. 502. PRESIDENTIAL AUTHORITY.
(a) TERRORIST AND EMBARGO CONTROLS.---Nothing in this Act limits the authority of the
President under---
(1) the Trading with the Enemy Act (50 U.S.C. App. 1 et seq.); or
(2) the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.), but
only to the extent that the authority of that Act is not exercised to extend controls
imposed under the Export Administration Act of 1979 (50 U.S.C. 2401 et seq.)---
(A) to prohibit the export of encryption products to any country, corporation, or other
entity that has been determined to---
[begin page 25]
(i) provide support for acts of terrorism; or
(ii) pose an immediate threat to national security; or
(B) to impose an embargo on exports to, or imports from, a specific country,
corporation, or entity.
(b) SPECIAL DENIALS FOR SPECIFIC REASONS. The Secretary of Commerce shall prohibit the
exportation of particular encryption products to an individual or organization in a
foreign country identified by the Secretary if the Secretary determines that there is
substantial evidence that the encryption products may be used or modified for military or
terrorist use, including acts against the national security of, public safety of, or the
integrity of the transportation, communications, or other essential systems of interstate
commerce in, the United States.
(c) OTHER EXPORT CONTROLS.---An encryption product is subject to any export control
imposed on that product for any reason other than the existence of encryption capability.
Nothing in this title alters the Secretary of Commerce's ability to control exports of
products for reasons other than encryption.
[begin page 26]
SEC. 503. EXPORTATION OF ENCRYPTION PRODUCTS WITH NOT MORE
THAN 64--BIT KEY LENGTH.
An encryption product that utilizes a key length or 64 bits or less, may be exported
without an export license or an export license exception, and without any other
restriction (other than a restriction imposed under this title).
SEC. 504. EXPORTABILITY OF CERTAIN ENCRYPTION PRODUCTS UNDER
A LICENSE EXCEPTION.
(a) LICENSE EXCEPTIONS.---Except as otherwise provided under this title, the export or
re-export of the following products shall be exportable under license exception:
(1) Recoverable products.
(2) Encryption products to legitimate and responsible entities or organizations and
their strategic partners, including---
(A) firms whose shares are publicly traded in global markets;
(B) firms subject to a governmental regulatory scheme;
(C) United States subsidiaries or affiliates of United States corporations;
(D) firms or organizations that are required by law to maintain plaintext records of
communications or otherwise maintain such [begin page 27]
records as part of their normal business practice;
(E) firms or organizations that are audited annually under widely accepted accounting
principles;
(F) strategic partners of United States companies; and
(G) on-line merchants who use encryption products to support electronic commerce,
including protecting commercial transactions as well as non-public information exchange
necessary to support such transactions.
(3) Encryption products sold or licensed to foreign governments that are members of the
North Atlantic Treaty Organization, Organization for Economic Cooperation and Development,
and Association of Southeast Asian Nations.
(4) Any computer hardware or computer software that does not itself provide encryption
capabilities, but that incorporates or employs in any form interface mechanisms for
interaction with other computer hardware and computer software, including encryption
products.
(5) Any technical assistance or technical data associated with the installation and
maintenance of [begin page 28] encryption products, or
products incorporating, enabling or employing encryption products, if such products are
exportable under this title.
(b) LICENSE EXCEPTION PROCESSING PERIOD INCLUDING ONE-TIME TECHNICAL
REVIEW.---Encryption products and related computer services shall be made eligible for a
license exception after a one-time technical review. Exporters' requests for license
exceptions, including the one-time technical review, must be processed within 15 working
days from receipt of a request. If the exporter is not contacted within this 15-day
processing period, the exporter's request for a license exception will be deemed granted,
and the exporter may export the encryption products or related computer services under the
license exception.
SEC. 505. EXPORTABILITY OF ENCRYPTION PRODUCTS EMPLOYING A
KEY LENGTH GREATER THAN 64 BITS.
(a) EXPORT RELIEF FOR ENCRYPTION PRODUCTS. Encryption products, or products that
incorporate or employ in any form, implementation, or medium an encryption product, are
exportable under a license exception if---
[begin page 29]
(1) the Secretary determines that the product or service is exportable under the Export
Administration Act of 1979 (50 U.S.C. 2401 et seq.); or
(2) the Encryption Export Advisory Board described in subsection (b) determines, and
the Secretary agrees, that the product or service is
(A) generally available;
(B) publicly available; or
(C) an encryption product utilizing the same or greater key length or otherwise
providing comparable security is, or will be within the next 12 months generally or widely
available outside the United States from a foreign supplier.
(b) BOARD DETERMINATION OF EXPORTABILITY.---
(1) ENCRYPTION EXPORT ADVISORY BOARD.---There is hereby established an Encryption
Export Advisory Board comprised of---
(A) a Chairman, who shall be the Under Secretary of Commerce for Export Administration;
(B) 7 individuals appointed by the President, as follows---
(i) 1 representative from the National Security Agency;
[begin page 30]
(ii) 1 representative from the Central Intelligence Agency;
(iii) 1 representative from the Office of the President; and
(iv) 4 representatives from the private sector who have expertise in the development,
operation, or marketing of information technology products; and
(C) 4 representatives from the private sector who have expertise in the development,
operation, or marketing of information technology products appointed by the Congress, as
follows---
(i) 1 representative appointed by the Majority Leader of the Senate;
(ii) 1 representative appointed by the Minority Leader of the Senate;
(iii) 1 representative appointed by the Speaker of the House of Representatives; and
(iv) 1 representative appointed by the Minority Leader of the House of Representatives.
(2) PURPOSE.---The Board shall evaluate and make recommendations by majority vote
within 30 [begin page 31] days with respect to general
availability, public availability, or foreign availability whenever an application for a
license exception based on general availability, public availability, or foreign
availability has been submitted to the Secretary.
(3) MEETINGS.---The Board shall meet at the call of the Under Secretary upon a request
for a determination, but at least every 30 days if a request is pending. The Federal
Advisory Committee Act (5 U.S.C. App.) does not apply to the Board or to meetings held by
the Board under this subsection.
(4) ACTION BY THE SECRETARY.---The Board shall make recommendations to the Secretary.
The Secretary shall specifically approve or disapprove of each finding of availability
within 30 days of receiving the recommendation and shall notify the Board and publish the
finding in the Federal Register. The Secretary shall explain in detail the reasons for any
disapproval, including why and how continued controls will be effective in achieving their
purpose and the amount of lost sales and loss in market share of United States encryption
products.
(5) JUDICIAL REVIEW.---Notwithstanding any other provision of law, a decision by the
Secretary disapproving of a Board finding of availability shall [begin
page 32] be subject to judicial review under the Administrative Procedure Act (5
U.S.C. 551 et seq.).
(6) PRESIDENTIAL OVERRIDE.---The Board shall report to the President within 30 days
after each meeting. The President may override any Board determination of exportability
and control the export and re-export of specified encryption products to specific
countries or individuals if he determines that such exports or re-exports would harm
United States national security, including United States capabilities in fighting drug
trafficking, terrorism, or espionage. If the President overrides a Board determination of
exportability and decides to control the export or re-export of any encryption product,
the President must inform the Board and Congress and detail the reasons for such controls
within 30 days of the determination. The action of the president under this paragraph is
not subject to judicial review.
(c) RELY ON DETERMINATION OF BOARD.---The manufacturer or exporter of an encryption
product or a product incorporating or employing an encryption product may rely upon the
Board's determination that the product is generally available or publicly available or if
a comparable foreign encryption product is available, and shall
[begin page 33] not be held liable or responsible or subject to sanctions for any
export of such products under the license exception.
(d) LICENSE EXCEPTION PROCESSING PERIOD INCLUDING ONE-TIME TECHNICAL
REVIEW.---Encryption products and related computer services shall be made eligible for a
license exception after a one-time technical review. Exporters' requests for license
exceptions, including the one-time technical review, must be processed within 15 working
days from receipt of a request. If the exporter is not contacted within this 15---day
processing period, the exporter's request for a license exception will be deemed granted,
and the exporter may export the encryption products or related computer services under the
license exception.
(e) GRANDFATHERING OF PRIOR DETERMINATIONS.---Any determination by the Secretary prior
to enactment of this Act that an encryption product with greater than a 64-bit key length,
or product incorporating or employing such an encryption product, and related services, is
eligible for export and re-export either without a license or under a license, a license
exception, or an encryption licensing arrangement will remain in effect after passage of
this Act.
[begin page 34]
SEC. 506. EXPORTABILITY OF ENCRYPTION PRODUCTS EMPLOYING AES
OR ITS EQUIVALENT.
Upon adoption of the AES, but not later than January 1, 2002, the Secretary may no
longer impose United States encryption export controls on encryption products if the
encryption algorithm and key length employed were incorporated in the AES, or have an
equivalent strength, and such product shall be exportable without the need for an export
license or license exception, and without restrictions other than those permitted under
this Act.
SEC. 507. ELIMINATION OF REPORTING REQUIREMENTS.
The Secretary may not impose any reporting requirements on any encryption product not
subject to United States export controls or exported under a license exception.
| 
