Summary of S 909
written by the Library of Congress

Secure Public Networks Act

Title I: Domestic Uses of Encryption - Makes it lawful to use any encryption, except as otherwise provided by this Act or by law. Defines "encryption" as the electronic transformation of data (including communications) in order to hide its information content.

(Sec. 102) Prohibits the Federal Government or a State from requiring the escrow of an encryption key with a third party in the case of a key used solely to encrypt communications between private persons within the United States.

(Sec. 103) Makes the participation of private persons in the key management infrastructure enabled by this Act voluntary.

(Sec. 104) Establishes criminal penalties for specified knowing acts related to encryption, decryption, breaking of encryption codes, interception of intellectual property, impersonation, issuance of keys, and disclosure of information.

(Sec. 106) Requires key recovery agents (agents entrusted by other persons to hold information to allow access to data or communications of such persons) to disclose recovery information (a key or other information used to decrypt data or communications) to government entities requesting such information for specified lawful purposes. Sets forth subpoena procedures for entities seeking such disclosures.

(Sec. 107) Authorizes civil recovery of damages and litigation costs by persons affected by unlawful disclosures or use of recovery information by the U.S. Government.

(Sec. 108) Sets forth procedures for the use and handling of decrypted and recovery information obtained by government entities. Prohibits such entities from using recovery information obtained under this Act to determine the plaintext of wire or electronic communications or of stored electronic information unless granted lawful authority to do so under other provisions of law.

(Sec. 110) Prohibits disclosures of the facts or circumstances of releases of recovery information except under order of a Federal court.

Title II: Government Procurement - Requires the following to be based on a qualified system of key recovery: (1) encryption products procured by the U.S. Government or purchased with Federal funds for use in secure government or public networks; and (2) communications networks established by the U.S. Government or with Federal funds that use encryption products.

(Sec. 207) Prohibits the U.S. Government from mandating the use of encryption standards for the private sector other than for use with U.S. Government computer systems or networks or those created using Federal funds.

Title III: Export of Encryption - Grants the Secretary of Commerce jurisdiction over the export of commercial encryption products and the sole duty to issue export licenses on such products.

(Sec. 302) Sets forth license exceptions for the exports of specified encryption products.

(Sec. 303) Authorizes the President to increase the encryption strength for products permitted to be exported.

(Sec. 306) Prohibits exports if the Secretary finds that a product would be: (1) used in acts against the national security, public safety, transportation systems, communications networks, or essential systems of interstate commerce; (2) diverted to a military, terrorist, or criminal use; or (3) re-exported without authorization.

(Sec. 308) Establishes criminal penalties for specified violations of this title.

Title IV: Voluntary Registration System - Authorizes the Secretary to register any person or government or foreign government agency as a certificate authority if such person or agency meets required standards under this Act.

Authorizes registered certificate authorities to issue public key certificates which may be used for encryption or to verify the identity of a person engaged in encrypted communications.

(Sec. 403) Authorizes the Secretary to register persons or government entities as key recovery agents, subject to certain requirements.

Permits the Secretary to condition or revoke certificate or key recovery registrations for violations of this Act.

(Sec. 405) Sets forth conditions under which: (1) a person may receive a public key certificate for encryption issued by the Secretary or a certificate authority; and (2) a key recovery agent may disclose recovery information.

(Sec. 407) Establishes criminal penalties for specified violations of this title.

Title V: Liability Limitations - Sets forth: (1) limitations on liability for key recovery agents and the United States under this Act; and (2) complete defenses to actions brought under this Act.

Title VI: International Agreements - Requires the President to: (1) conduct negotiations with other countries for mutual recognition of key recovery agents and certificate authorities and to safeguard privacy and prevent commercial espionage; (2) consider a country's refusal to negotiate such agreements when considering U.S. participation in any cooperation or assistance program with such country; and (3) report to the Congress if negotiations are not complete by the end of 1999.

Title VII: General Authority and Civil Penalties - Sets forth authorities of the Secretary to obtain information and impose civil penalties under this Act.

Title VIII: Research and Monitoring - Directs the President to establish an Information Security Board to make recommendations to ensure the security of networks, protection of intellectual property and privacy, the national security, and the promotion of U.S. software exports.

(Sec. 804) Requires the National Telecommunications and Information Administration to report annually to the Congress and the President on developments in the creation of secure public networks.

(Sec. 805) Provides for evaluations by the National Performance Review and the Department of Education with respect to secure public networks.

Title IX: Waiver Authority - Authorizes the President to waive provisions of this Act based on national security interests.

Title X: Miscellaneous Provisions - Authorizes appropriations.