The Congressional Record is a unique source of public documentation. It started in 1873, documenting nearly all the major and minor policies being discussed and debated.
“THE SECURE PUBLIC NETWORKS ACT” mentioning the U.S. Dept. of Commerce was published in the Senate section on pages S4684-S4686 on May 19, 1997.
The publication is reproduced in full below:
THE SECURE PUBLIC NETWORKS ACT
Mr. KERREY. Mr. President, over the last several weeks, I have been meeting with colleagues about the need to aggressively pursue legislation to facilitate the creation of secure public networks for communication, commerce, education, research, telemedicine, and Government. There is an urgent need to enact legislation this year which can advance the creation of new networks and balance America's compelling interests in commerce and security.
Secure networks are critical for the protection of personal privacy and the promotion of commerce on the Internet and other interactive computer systems.
The Congress has been gridlocked for more than a year in a debate about the Nation's export policy for encryption software. I believe that meaningful compromise can be found on this issue which can clear the way for the consideration of broader legislation which fosters the creation of secure networks.
If we are successful, a powerhouse of economic activity and opportunity can be unleashed.
Senators Burns and Leahy as well as Congressman Goodlatte have introduced legislation which identifies a real problem with the current law on the export of encryption software. Thanks to their leadership, there is a growing consensus that reform is needed. In many ways, the introduction of their legislation has already motivated meaningful changes in the administration's policy on software exports. Yet, even with those changes, the underlying law needs to be changed and a broader agenda for secure networks needs to be adopted.
What must happen in a relatively quick fashion is an agreement on a bipartisan, bicameral process to enact secure network legislation which includes a solution to the encryption export riddle. Our goal should be to enact legislation which the President can sign by October 1, 1997.
The ability to use strong encryption is an important element in creating secure networks. Through encryption, messages are encoded and decoded. Encryption protects privacy and security. The American people need to know that their communications are safe and that the most private, confidential personal information can be confidentially communicated on computer networks.
Encryption however, poses some very serious problems for law enforcement and national security which cannot be ignored. The challenge is to promote the use of encryption in a manner that does not unduly compromise national security or public safety and does not unnecessarily burden industry.
What needs to be created is an electronic environment which gives users total confidence in the security of commercial transactions and personal communications. To do so, a largely private infrastructure must be developed to provide for authentication of messages, keys, and digital signatures and when necessary, the recovery of keys.
As the largest purchaser of computer software and hardware, the Federal Government can create important incentives to help the market swiftly respond to this need.
I see three big interests at stake--network commerce, network government, and network security. First, the need to facilitate commerce, both in advancing America's leading position as an exporter of software and in the promotion of commerce on the Internet, grows in importance every day. Second, there is the civic interest of Government. The American people should be able to have secure access to their Government, for the resolution of problems, the communication of ideas and access to services via electronic networks. Third, there is a security interest of law enforcement and national defense. Defensively, that interest is to protect citizens from foreign or criminal violations of privacy. Offensively, there needs to be a means fully consistent with our Constitution for discreet access to communications. That digital access should be no more or less expansive than exists in the nondigital world.
Mr. President, there needs to be a commitment to a process for resolving a host of issues. First and foremost what is needed is a commitment by the leadership of this Congress to work together in good faith to find a resolution that can be signed into law by the President.
I have proposed a discussion outline for compromise. If there can be agreement on principle and process, I am confident good faith negotiations between all interested parties can meet the ambitious goal of new legislation before the end of this session of Congress. This outline is meant to spark discussion and facilitate compromise on some very challenging issues. It is by no means etched in stone and I welcome suggestions for improvement and additions.
Mr. President, I ask that the text of the Secure Public Networks Act discussion outline be printed in the Record.
The material follows:
The Secure Public Network Act Discussion Points
Purpose
To encourage and facilitate the creation of secure public networks for communication, commerce, education, research, tele-medicine and government.
A. DOMESTIC USES OF ENCRYPTION
(1) Lawful Use of Encryption: Domestic use of encryption for any lawful purpose shall be permitted. No mandatory third party key escrow system for domestic encryption.
(2) Unlawful Use of Encryption: Penalty for the use of encryption technology in the furtherance of a crime--5 years or fine for 1st offense, and 10 years or fine for 2nd offense.
(3) Privacy Protection:
Penalties for:
(a) Unauthorized use of keys, authentication or identity;
(b) Unauthorized breaking of another's encryption codes;
(c) Theft of intellectual property on line through unauthorized interception of messages;
(d) Issuing key to unauthorized person;
(e) Impersonating another to obtain key;
(f) Knowingly issuing key in furtherance of criminal activity.
(4) Access to Encrypted Messages by U.S. Government Agencies: Access to encryption key by government entities only through properly executed court order (or certification under Foreign Intelligence Surveillance Act).
(5) Access to Encrypted Messages by Foreign Governments: Attorney General may seek a court order for a foreign government pursuant to treaty and U.S. law.
(6) Civil Recovery: Recovery against the USA when information is improperly obtained or released.
(7) Destruction of intercepted information: Once lawful use of intercepted information is complete, intercepted information shall be destroyed.
(8) Illegal Disclosure: Violation of law to disclose recovery of information or execution of order.
B. GOVERNMENT PROCUREMENT
(1) Policy: It is the policy of the U.S. Government to create secure networks which permit public to interact with government through networks which protect privacy, intellectual property and personal security of network users.
(2) Government Purchases of Software: All encryption software purchased by the U.S. Government for use in secure government networks shall be software based on a system of key recovery.
(3) Software Purchased With Federal Funds: All encryption software purchased with federal funds shall be software based on a system of key recovery.
(4) U.S. Government Networks: All networks established by the U.S. Government which use encryption shall use encryption based on a system of key recovery.
(5) Networks Established With Federal Funds: All encrypted networks established with the use of federal funds shall use encryption based on a system of key recovery.
(6) Product Labels: Products may be labeled to inform user such product is authorized for sale or use in transactions with the U.S. Government.
(7) No Private Mandate: No federal mandate of private sector encryption standards other than for use in federal computer systems, networks or systems created with federal funds.
C. EXPORT OF ENCRYPTION
(1) Department of Commerce: The Department of Commerce shall be the lead agency on encryption software exports and have sole duty to issue export licenses on commercial encryption products and technologies.
(2) General License: Exports of encryption software up to *
* * and software with encryption capabilities up to * * * shall be subject to a general license (license exception) provided, the product, or software being exported:
(a) Is otherwise qualified for export;
(b) Is otherwise legal;
(c) Does not violate U.S. law;
(d) Does not violate the intellectual property rights of another; and
(e) The recipient individual is otherwise qualified to receive such product or software.
The President may by executive order increase permissible encryption strength which is exportable under general license
(license exception).
(3) General License (license exception)--Unlimited Strength: Exports of encryption software with unlimited strength permitted under general license (license exception) provided there is a qualified key recovery system or trusted third party system for encryption product.
(4) Fast Track Review: Fast Track consideration of licenses for certain institutions:
(a) Banks;
(b) Financial Institutions; and
(c) Health Care Providers
(5) Prohibited Exports: Export shall be prohibited when Secretary of Commerce finds significant evidence that product for export would be used in acts against the national security, public safety, integrity of transportation, communications, financial institutions or other essential systems of interstate commerce; diverted to a military, terrorist or criminal use, or re-exported w/o US authorization.
(6) License Review: In evaluating requests for export licenses for products with encryption capabilities, (in strengths above the level described in (C)(2)), the following factors shall be among those considered by the Secretary:
(a) Whether a product is generally available and is designed for installation without alteration by purchaser;
(b) Whether the product is generally available in the country to which the product would be exported; and
(c) Whether products offering comparable security and level of encryption is available in the country to which the product would be exported.
Licenses will be granted at the Secretary's discretion.
D. VOLUNTARY REGISTRATION SYSTEM
(1) Certificate Authorities: Secretary may establish procedures to register certificate authorities. Certificate authorities shall verify use of public keys and digital signatures.
(2) Agent Registry: Secretary may establish procedures to register key recovery agents.
(3) Public Key Certificates: Secretary or Certificate Authority may issue public key certificates.
(4) Voluntary System: Use of key management system is voluntary.
(5) Incentive to Use Voluntary System: Use of registered key management system shall be treated as evidence of due diligence and reasonable care in any civil or criminal proceeding.
E. LIABILITY LIMITATIONS
(1) Compliance with request: No liability for disclosing recovery information to government agency with properly executed order;
(2) Compliance defense: No liability for complying with Act.
(3) Good Faith Defense: Good faith reliance on court order is a complete defense.
F. INTERNATIONAL AGREEMENTS
The President shall conduct negotiations with other countries for the purpose of mutual recognition of Key Recovery and Certificate Authorities registered in USA.
G. CIVIL PENALTIES
(1) Civil Penalties: In addition to criminal penalties, Secretary shall establish civil penalties for violations of this act.
(2) Injunctive Relief: Attorney General may bring action to enjoin violations of act and enforce recovery of civil penalties.
(3) Jurisdiction: Original Jurisdiction of Federal District Courts for actions under this section.
H. RESEARCH
(1) Information Security Board: The Information Security Board shall be established to make recommendations to President and Congress on measures to establish secure networks, protect intellectual property on computer networks; promote exports of software, protect national security and public safety.
(2) Coordination: Coordination between federal, state and local law enforcement shall be encouraged.
(3) Network Research: Secure network research shall be encouraged.
(4) Annual Report: The NTIA in consultation with other federal agencies shall issue an annual report on secure network developments. The report shall review available information and report to the Congress and the President on developments in encryption, authentication, identification and security on communications networks and make policy recommendations to the President and Congress.
I. PRESIDENTIAL POWER
The President may waive provisions of this Act with a finding of danger to national security, public safety, economic security, or public interest. President must report waiver to Congress in classified or unclassified form w/I 30 days of Presidential action.
J. MISC
(1) Severability.
(2) Interpretation: Will not affect intelligence activities outside USA; and will not weaken intellectual property protection.
(3) Definitions.
(4) Dates of regulations.
(5) Authority for fees.
____________________
