------- Forwarded Message Follows -------
Date: Mon, 31 Mar 1997 06:40:13 -0800 (PST)
From: Phil Agre <pagre(a)weber.ucsd.edu>
To: rre(a)weber.ucsd.edu
Subject: key management infrastructure
Reply-to: rre-maintainers(a)weber.ucsd.edu
[I've enclosed the full text of draft legislation on key recovery that the
administration is circulating in Congress. You won't like it.]
_____________________________________________________________________
[From CDT.]
105th CONGRESS DRAFT 3/12/97
1st Session H.R. _________________
________________________________________
Mr. _________________ of _________________ introduced the following
bill; which was referred to the Committee on _____________________
A BILL
To enable the development of a key management infrastructure for
public-key-based encryption and attendant encryption products that will
assure that individuals and businesses can transmit and receive
information electronically with confidence in the information's
confidentiality, integrity, availability, and authenticity, and that
will promote timely lawful government access.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
TITLE I -- GENERAL PROVISIONS
SEC. 101. SHORT TITLE
This Act may be cited as the "Electronic Data Security Act of 1997".
SEC. 102. FINDINGS
The Congress finds the following:
(A) The development of the information superhighway is fundamentally
changing the way we interact. The nation's commerce is moving to
networking. Individuals, government entities, and other institutions
are communicating across common links.
(B) The Internet has provided our society with a glimpse of what is
possible in the information age, and the demand for information access
and electronic commerce is rapidly increasing. The demands are arising
from all elements of society, including banks, manufacturers, service
providers, state and local governments, and educational institutions.
(C) Today, business and social interactions occur through face-to-face
discussions, telephone communications, and written correspondence. Each
of these methods for interacting enables us to recognize the face, or
voice, or written signature of the person with whom we are dealing. It
is this recognition that permits us to trust the communication.
(D) In the information age, however, those personal attributes will be
replaced with digital equivalents upon which we will rely. Electronic
digital transmissions, through which many businesses and social
interactions will occur, inherently separate the communication from the
person, forsaking confidence once derived from a handshake or a signed
document.
(E) At the same time, society's increasing reliance on information
systems in this new environment exposes U.S. citizens, institutions, and
their information to unprecedented risks.
(F) In order for the global information infrastructure and electronic
commerce to achieve their potential, information systems must e imbued
with the attributes that overcome these risks and must provide trusted
methods to identify users.
(G) Cryptography can meet these needs. Cryptography can be used to
digitally sign communications ore electronic documents such that a
recipient can be confident that any message he or she received could
only have come from the apparent sender. Moreover, cryptography is an
important tool in protecting the confidentially of wire and electronic
communications and stored data. Thus,. there is a national need to
encourage the development, adoption, and use of cryptographic products
that are consistent with the foregoing considerations and are
appropriate for use both in domestic and export markets by the United
States Government.
(H) The lack of a key management infrastructure impedes the use
cryptography and, there fore, the potential of electronic commerce.
Users cannot encrypt messages without keys, therefore, they need a
secure and standardized mechanism for the generation of keys, storage of
keys, and transfer of keys between users. There is currently no
standardized mechanism for the generation of keys, storage of keys, and
transfer of keys between users. There is currently no standardized
method in the private sector to accomplish all of these tasks, thus
users must individually assume these burdens or forego the use of
cryptography.
(I) Industry must work with government to develop a public-key-based
key management infrastructure and attendant products that will ensure
participants can transmit, receive, and use information electronically
with confidence in the information's integrity, confidentiality,
authenticity, and origin, while also allowing timely lawful government
access.
(J) To this end, the government should issue appropriate public key
encryption standards for federal systems and encourage the development
of interoperable private sector standards for use across border.
However, the architecture(s) the government endorses in its standards
must permit the use of any encryption algorithm.
(K) To effectively serve the public, such a key management
infrastructure must be founded upon a system of trusted service
providers to ensure acceptable standards of security, reliability, and
interoperability.
(L) While cryptographic products and services are useful for protecting
information and its authenticity, such products also can be sued by
terrorists, organized crime syndicates, drug trafficking organizations,
and other dangerous and violent criminals to avoid detection and to hide
evidence of criminal activity, thereby jeopardizing effective law
enforcement, public safety, and national security.
(M) Any effective key management infrastructure must not hinder the
ability of government agencies, pursuant to lawful authority, to
decipher in a timely manner and obtain the plaintext of communications
and stored data.
SEC. 103. LAWFUL USE OF ENCRYPTION.
It shall be lawful for any person within any State of the United States,
the District of Columbia, the Commonwealth of Puerto Rico, and any
territory or possession of the United States, to use any encryption,
regardless of the encryption algorithm selected, encryption key length
chosen, or implementation technique or medium used, except as provided
in this Act or in any other law. Participation in the key management
infrastructure enabled by this Act is voluntary.
TITLE II -- REGISTRATION OF CERTIFICATE AUTHORITIES AND KEY
RECOVERY AGENTS
SEC. 201. REGISTRATION OF CERTIFICATE AUTHORITIES
The Secretary may register any suitable private sector entity,
government agency, or foreign government agency to act as a Certificate
Authority in the Secretary determines that the entity or agency meets
minimum standards, as specified in regulations promulgated by the
Secretary. for security, performance, and practices in order to
accomplish the duties of a Certificate Authority registered under this
Act. The Secretary may condition, modify or revoke such a registration
if the registered entity or agency has violated any provision of this
Act or any rule, regulation, or requirement prescribed by the Secretary
under this Act, or for any other reasons specified by the Secretary in
rule or regulation.
SEC. 202. REGISTRATION OF KEY RECOVERY AGENTS.
(A) Registration by the Secretary. The Secretary may register a
suitable private sector entity or government agency to act as a Key
Recovery Agent if the Secretary determines that the entity or agency
possesses the capability, competency, trustworthiness and resources to
safeguard sensitive information entrusted to it, to carry out the
responsibilities set forth in subsection (B) of this section, and to
comply with the Secretary's regulations.
(B) Responsibilities of Key Recovery Agents. A Key Recovery Agent
registered under subsection (A) of this section shall, consistent with
regulations issued by the Secretary, establish procedures and take other
appropriate steps --
(1) to ensure the confidentiality, integrity, availability and
timely release of recovery information held by the Key Recovery
Agent;
(2) to protect the confidentiality of the identity of the person
or persons for whom such Key Recovery Agent holds recovery
information;
(3) to protect the confidentiality of lawful requests for recovery
information and the identity of the individual or government agency
requesting recovery information and all information concerning such
individual's or agency's access to and sue of recovery information;
(4) to carry out the responsibilities set forth in this Act and
implementing regulations.
(C) Revocation of Key Recovery Agent Registration. The Secretary may
condition, modify, or revoke a Key Recovery Agent's registration if the
registered entity or agency has violated nay provision of this Act or
any rule, regulation, or requirement prescribed by the Secretary under
this Act, or for any other reasons specified by the Secretary in rule or
regulation.
SEC. 203. PUBLIC KEY CERTIFICATES FOR ENCRYPTION KEYS.
The Secretary or a Certificate Authority registered under this Act may
issue to a person a public key certificate that certifies a public key
that can be used for encryption only if the person:
(A) stores with a Key Recovery Agent registered by the Secretary
under this Act sufficiently information, as specified by the
Secretary in regulations, to allow lawful recovery of the plaintext
of that person's encrypted data and communications; or
(B) makes other arrangements, approved by the Secretary pursuant
to regulations acceptable to the Attorney General, that assure that
lawful recovery of the plaintext of encrypted data and
communications can be accomplished confidentially when necessary.
TITLE III -- RELEASE OF RECOVERY INFORMATION
BY KEY RECOVERY AGENTS
SEC. 301. CIRCUMSTANCES IN WHICH INFORMATION MAY BE RELEASED
A Key Recovery Agent, whether or not registered by the Secretary under
this Act, is prohibited from disclosing recovery information stored by a
persons unless the disclosure is --
(A) to that person, or an authorized agent thereof;
(B) with the consent of that person, including pursuant to a
contract entered into with that person;
(C) pursuant to a court order upon a showing of compelling need
for the information that cannot be accommodated by any other
means, if --
(1) the person who stored the information is given reasonable
notice, by the person seeking the disclosure of the court
proceeding relevant to the issuance of the court order; and
(2) the person who stored the information is afforded the
opportunity to appear in the court proceeding and contest the
claim of the person seeking the
disclosure;
(D) pursuant to a determination by a court of competent
jurisdiction that another person is lawfully entitled to hold such
recovery information, particularly including determinations arising
from legal proceedings associated with the death or dissolution of
any person; or
(E) as otherwise permitted by this Act or other law, particularly
including release of recovery information pursuant to section 302
of this Act.
SEC. 302. RELEASE OF RECOVERY INFORMATION TO GOVERNMENT AGENCIES.
(A) A Key Recovery Agent, whether or not registered by the Secretary
under this Act, shall disclose recovery information stored by a person:
(1) to a government agency acting pursuant to a duly authorized
warrant or court order, a subpoena authorized by Federal or State
statute or rule, a certification issued by the Attorney General
under the Foreign Intelligence Surveillance Act, or other lawful
authority that allows access to recovery information by such
agency; or
(2) to a law enforcement or national security government agency
upon receipt of written authorization in a form to be specified by
the Attorney General/
(B) The Attorney General shall issue regulations governing the use of
written authorizations to require release of recovery information to law
enforcement and national security government agencies. Those
regulations shall permit the use of written authorizations only when the
government agency is lawfully entitled to determine the plaintext of
wire or electronic communications or of electronic information and will
use the recovery information for that purpose, to test products in the
agency+s possession, to prove facts in legal proceedings, or to comply
with a request from a duly authorized agency or a foreign government.
SEC. 303. USE AND DESTRUCTION OF RECOVERY INFORMATION RELEASE TO A
GOVERNMENT AGENCY.
A government agency to which recovery information has been release in
response to a written authorization issued under section 302()A)(2) or
the Act, by a Key Recovery Agent registered under this Act, may use the
recovery information only to determine the plaintext of any wire or
electronic communication or of any stored electronic information that
the agency lawfully acquires or intercepts, to test cryptographic
products in the agency+s possession, to prove facts in legal
proceedings, or to comply with the request of a duly authorized agency
of a foreign government. Once such lawful use is completed, the
government agency shall destroy the recovery information in its
possession and shall make a record documenting such destruction. The
government agency shall not use the recovery information to determine
that plaintext of any wire or electronic communication or of any stored
electronic information unless it has lawful authority to do so apart
from the Act.
SEC. 304. CONFIDENTIALITY OF RELEASE OF RECOVERY INFORMATION.
A Key Recovery Agent or other person shall not disclose to any person,
except as authorized by this Act or regulations promulgated thereunder
or except as ordered by a federal court of competent jurisdiction, the
facts or circumstances of any release of recovery information pursuant
to section 302(A)(2) of the Act or requests therefor.
TITLE IV -- LIABILITY
SEC. 401. CIVIL ENFORCEMENT
(A) Enforcement by the Secretary. The Secretary may, when appropriate
in fulfilling his or her duties under this Act or the regulations
promulgated thereunder, make investigations, obtain information, take
sworn testimony, and require reports or the keeping of records by, and
make inspection of the books, records, and other writings, premises or
property of registered entities.
(B) Civil Penalties. Any person who violates section 403 of this Act
shall be subject to a civil penalty in an amount assessed by a court in
a civil action.
(1) The amount of the civil penalty may not exceed $10,000 per
violation, unless the violation was willful, or was committed by a
Key Recovery Agent or a Certificate Authority not registered under
this Act. In determining the amount of the penalty the court shall
consider the risk of harm to law enforcement, public safety, and
national security the risk of harm to affected persons, the gross
receipts of the charged party, the judgment of the Attorney General
concerning the appropriate penalty, and the willfulness of the
violation.
(2) a civil action to recover such a civil penalty may be
commenced by the Attorney General.
(3) A civil action under this subsection may not be commenced
later than 5 years after the cause of the action accrues.
(C) Injunctions. The attorney General may bring an action to enjoin
any person from committing any violation of any provision of the Act or
regulations promulgated thereunder.
(D) Jurisdiction. The district courts of the Untied States shall have
original jurisdictions over any actions brought by the Attorney General
under this section.
SEC. 402. CIVIL CAUSE OF ACTION AGAINST THE UNITED STATES GOVERNMENT.
(A) Cause of Action. Except as otherwise provided in this Act, any
person whose recovery information is knowingly obtained without lawful
authority by an agent of the United States Government from a registered
Key Recovery Agent, or, if obtained by an agent of the United States
Government with lawful authority from a registered Key Recovery Agent,
is knowingly used or disclosed without lawful authority, may, in a civil
action, recover from the United States Government the actual damages
suffered by the plaintiff, and reasonable attorney+s fee and other
litigation costs reasonably incurred.
(B) Limitations. a civil action under this section may not be
commenced later than two years after the date upon which the claimant
first discovered or had a reasonable opportunity to discover the
violation.
SEC. 403. CRIMINAL ACTS.
It shall be unlawful for any person --
(A) if a Certificate Authority registered under this Act,
intentionally to issue a public key certificate in violation of
section 203 of this Act;
(B) intentionally to disclose recovery information in violation of
this Act;
(C) intentionally to obtain or use recovery information without
lawful authority, or, having received such information with lawful
authority, intentionally to exceed such authority for the purpose
of decrypting data or communications;
(D) if a Key Recovery Agent, or officer, employee, or agent
thereof, intentionally to disclose the facts or circumstances of
any release of recovery information or requests therefor in
violation of this Act;
(E) intentionally to issue a public key certificate under this
Act, or to fail to revoke such a certificate, knowing that the
person from whom the certificate is issued does not meet the
requirements of this Act or the regulations promulgated thereunder;
(F) intentionally to apply for or obtain a public key certificate
under this Act, knowing that the person to be identified in the
public key certificate does not meet the requirements of this Act
or the Regulations promulgated thereunder; or
(G) knowingly to issue a public key certificate in furtherance of
the commission of a criminal offense which may be prosecuted in a
court of competent jurisdiction.
Any person who violates this section shall be fined under title 18,
United States Code, or imprisoned not more than five years, or both.
SEC. 404. USE OF ENCRYPTION IN FURTHERANCE OF CRIME.
(A) Whoever knowingly encrypts data or communications in furtherance
of the commission of a criminal offense for which the person may be
prosecuted in a court of competent jurisdiction shall, in addition to
any penalties for the underlying criminal offense, be fined under title
18, United States Code, or imprisoned not more than five years, or both.
(B) It is an affirmative defense to a prosecution under this section
that the defendant stored sufficient information to decrypt the data or
communications with a Key Recovery Agent registered under Act if that
information is reasonable available to the government. The defendant
bears the burden of persuasion on this issue.
(C) The United States Sentencing Commission shall, pursuant to its
authority under section 9944(p) of title 28, United States Code, amend
the sentencing guidelines to ensure that any person convicted of a
violation of subsection (A) of this section is imprisoned for not less
than 6 months, and if convicted of other offenses at the same time, has
the offense level increased by at least three levels.
SEC. 405. NO CAUSE OF ACTION FOR COMPLYING WITH GOVERNMENT REQUESTS.
No civil or criminal liability under this Act or any other law shall
attach to ant Key Recovery Agent, its officers, employees, agents, or
any other persons specified by the Secretary in regulations, for
disclosing recovery information or providing other assistance to a
government agency in accordance with the terms of a court order,
warrant, subpoena, certification, written authorization or other legal
authority.
SEC. 406. COMPLIANCE DEFENSE.
Compliance with this Act and the regulations promulgated thereunder is a
complete defense, for Certificate Authorities registered under this Act
and Key Recovery Agents registered under this Act, to any noncontractual
civil action for damages based upon activities regulated by this Act.
SEC. 407. GOOD FAITH DEFENSE.
A good faith reliance on a court warrant or order subpoena, legislative
authorization, statutory authorization, a certification, a written
authorization, or other legal authority for access to recovery
information under this Act or its implementing regulations is a complete
defense to any civil or criminal action brought under this Act.
SEC. 408. FEDERAL GOVERNMENT LIABILITY.
Except as provided otherwise in this Act, the United States shall not be
liable for any loss incurred by any individual or entity resulting from
any violation of this Act or the failure to exercise reasonable care in
the performance of any duties under any regulation or procedure
established by or under this Act, nor resulting from any action by any
person who is not an official or employee of the United States.
TITLE V -- OTHER KEY RECOVERY PROVISIONS
SEC. 501. LABELING OF ENCRYPTION PRODUCTS.
(A) Any person engaged in manufacturing, importing, packaging,
distributing or labeling of encryption products for purposes of sale or
distribution in the United States shall package and label them so as to
inform the user whether the products use Key Recovery Agents registered
under this Act for storage of recovery information, and whether such
products are authorized for use in transactions with the United States
Government, as specified in regulations promulgated by the Secretary.
(B) The provisions contained in subsection (A) shall not apply to
persons engaged in business as wholesale or retail distributors of
encryption products to users except to the extent such persons are (1)
engaged in packaging or labeling of such products for sale to users, or
(2) prescribe or specify by any means the manner in which such products
are package or labeled.
SEC. 502. CONTRACTS, COOPERATIVE AGREEMENTS, JOINT VENTURES AND OTHER
TRANSACTIONS.
A Federal agency approved as a Key Recovery Agent under this Act may
enter into contracts, cooperative agreements, joint ventures and other
transactions and take other appropriate steps to carry out its
responsibilities.
SEC 503. NEGOTIATION WITH OTHER COUNTRIES.
The President shall conduct negotiations with other countries, on a
bilateral or multilateral basis, for the purpose of seeking and
concluding mutual recognition arrangements for Key Recovery Agents and
Certificate Authorities registered by the United States and other
countries.
TITLE VI -- MISCELLANEOUS PROVISIONS
SEC. 601. REGULATION AND FEES.
(A) Within one hundred and eighty days after the date of the enactment
of this Act, the Secretary shall, in coordination with the Secretary of
State, Secretary of Defense, and Attorney General, after notice to the
public and opportunity for comment, issue any regulations necessary to
carry out this Act.
(B) The Secretary may delay the date for compliance with the
regulations issued for up to one year if the Secretary determines that
the delay is necessary to allow for compliance with the regulations.
(C) The Secretary may charge such fees as are appropriate I order to
accomplish his or her duties under this Act.
SEC. 602. INTERPRETATION.
Nothing contained in this Title shall be deemed to preempt or otherwise
affect the applications of the Arms Export Control Act (22 U.S.C. 2751
et sec.) or any regulations promulgated thereunder. (Language
concerning the Export Administration Act and/or IEEPA is under
development.)
SEC. 603. SEVERABILITY.
If any provision of this Act, or the application thereof, to any person
or circumstance, is held invalid, the remainder of this Act, and the
application thereof, to other persons or circumstances shall not be
affected thereby.
SEC. 604. AUTHORIZATION OF APPROPRIATIONS.
[This section is reserved pending discussions to develop language that
is consistent with the President+s budget.]
SEC. 605. DEFINITIONS.
For purposes of this Act:
(1) The term "person" means any individual, corporation, company,
association, firm, partnership, society, or joint stock company.
(2) The term "Secretary" means the Secretary of Commerce of the
United States or his or her designee.
(3) The term "Secretary of State: means the Secretary of State of
the United States or his or her designee.
(4) The term "Secretary of Defense" means the Secretary of Defense
of the United States or his or her designee.
(5) The term "Attorney General" means the Attorney General of the
United States or his or her designee.
(6) The term "encryption" means the transformation of data
(including communications) in order to hide its information content. To
"encrypt" is to perform encryption.
(7) The term "decryption" means the retransformation of data
(including communications) that has been encrypted into the data+s
original form.
(8) The term "plaintext" refers to data (including communications)
that has not been encrypted, or if encrypted, has been decrypted.
(9) The term "ciphertext" refers to data (including
communications) that has been encrypted.
(10) the term "key" means a parameter, or a component thereof,
used with an algorithm to validate, authenticate, encrypt or decrypt a
message.
(11) The term "public key" means for cryptographic systems that
use different keys for encryption and decryption, the key that is
intended to be publicly known.
(12) The term "public key certificate" means information about a
public key and its user, particularly including information that
identifies that public key with its user, which has been digitally
signed by the person issuing the public key certificate, using a private
key of the issuer.
(13) The term "Certificate Authority" means a person trusted by
one or more persons to create and assign public key certificates.
(14) The term "Key Recovery Agent" means a person trusted by one
or more persons to hold and maintain sufficient information to allow
access to the data or communications of the person or persons for whom
that information is held, and who holds and maintains that information
as a business or governmental practice, whether or not for profit.
(15) The term "recovery information" means keys or other
information provided to a Key Recovery Agent by a person, that can be
used to decrypt that person+s data and communications.
(16) The term "electronic information" includes but is not
limited to voice communications, texts, messages, recordings, images or
documents, in any electronic, electromagnetic, photoelectronic,
photooptical, or digitally encoded computerreadable form.
(17) The term "electronic communication" has the meaning given
such term in section 2510 (12) of title 18, United States Code.
(18) The term "wire communications" has the meaning given such
term in section 2510(1) of title 18, United States Code.
(19) The term "government" means the government of the United
States and any agency or instrumentality thereof, a State or political
subdivision of a State, the District of Columbia, or commonwealth,
territory, or possession of the United States.
(20) The term "cryptographic product" means any product
(including, but not limited to, hardware, firmware, or software, or some
combination thereof), that is designed, adapted, or configured to use a
cryptographic algorithm to protect or assure the integrity,
confidentiality and/or authenticity of information.
(21) The term "encryption product" means a cryptographic product
that can be used to encrypt or decrypt data.
