Originally posted 1999
An introductory note by The Mental Militia:
The following lengthy article will take some time to read, as will pursuit of provided links to other web-pages. Why anyone would want to read through this article has to do with gaining access to the currently nationalized governmental attitude about you, your private office, your private home, and, particularly, your private “cyber-storage facilities”, should you make use of such. The short take on this legislation is most clearly obvious when we recall Klinton’s repeated efforts to cause the installation of the “Clipper Chip” in ALL computers, both personal and business.
This was reported on USA Today’s site on 8/20/99. It was taken from an original publication by the Washington Post.
Thirty days later, on 9/20/99, I found the page still up at this URL:
http://www.usatoday.com/life/cyber/tech/ctf905.htm
08/20/99- Updated 09:28 AM ET
Feds want authority to crack PCs
WASHINGTON (AP) – Law enforcers would have the authority to
secretly crack the security codes of crime suspects’ home and office
personal computers, under a Clinton administration plan reported Friday in
The Washington Post.
The Justice Department has drafted legislation that, if approved by
Congress, would allow federal agents to obtain search warrants from a
judge to enter private property, search through computers for passwords
and override encryption programs.
According to an Aug. 4 department memo that lays out the proposal,
encryption software for scrambling computer files “is increasingly used as a
means to facilitate criminal activity, such as drug trafficking, terrorism,
white-collar crime and the distribution of child pornography.”
Under the measure, investigators would obtain sealed search warrants
signed by a judge as a prelude to getting further court permission to
wiretap, extract information from computers or conduct further searches.
Privacy advocates have objected to the plan, dubbed the Cyberspace
Electronic Security Act by the Justice Department.
“They have taken the cyberspace issues and are using it as justification for
invading the home,” James Dempsey, an attorney for the Center for
Democracy and Technology, told the Post.
Peter Swire, the White House’s chief counselor for privacy, told the
newspaper the administration supports encryption as a way to provide
privacy for computer users.
“But it has to be implemented in a way that’s consistent with other values,
such as law enforcement,” Swire said. “In this whole issue we have to
strike the right balance.”
The administration has for years been seeking a law to require computer
makers to include a so-called Clipper Chip in their products that would
give police a “back door” into computers despite any encryption software
they may contain.
@@@@@@@@@@
WND article on feds trying again to get CESA through Congress…..
http://www.worldnetdaily.com/bluesky_metaksa/19990826_xctme_try_again_.shtml
@@@@@@@@@@
from a link off a link provided by jmaynen in May, 2000…..
http://www.cdt.org/crypto/CESA/
Cyberspace Electronic Security Act (CESA)
In August 1999, the Justice Department proposed an initial draft of the CESA bill that would have expanded law
enforcement authority by allowing federal agents armed with search warrants to secretly break into homes and offices to
obtain decryption keys or passwords or to implant “recovery devices” or otherwise modify computers to ensure that any
encrypted messages or files can be read by the government. Although these “secret search” provisions were later removed, CDT remains concerned that the current version of CESA does not require the more stringent showing of “probable cause” and notice of a seizure that the Fourth Amendment would demand of keys taken from a person’s own computer or data seized from one’s own house.
CESA Bill (officially Proposed in September 1999)
– White House Statement to Congress on CESA
http://www.cdt.org/crypto/CESA/adminstatement.shtml
for text of this link, see #1, below…
~
– White House Fact Sheet on CESA
see #2, below…..
– White House Analysis of CESA
– Text of The Cyberspace Electronic Security Act of 1999 (CESA)
see #3 below….
http://www.cdt.org/crypto/CESA/CESArevised.shtml
CDT Analysis
– Initial CDT Analysis of CESA
see #4 below….. http://www.cdt.org/crypto/CESA/cdtcesaanalysis.shtml
– CDT Policy Post 5.22 The Proposed CESA Bill and Government Access to Keys
Draft CESA Bill (circulated in June 1999 by the Justice Department)
– OMB Referral Memo
– Draft Transmittal Letter
– Draft Bill
sec. 2713 – Secret Searches (The Secret Searches provision was dropped by Sept 1999.)
see # 5 below….
http://www.cdt.org/crypto/CESA/draftCESAbill.shtml#secret
– DOJ Section by Section Analysis
see #6 below…..
http://www.cdt.org/crypto/CESA/CESAanalysis.shtml
DOJ Analysis of sec. 2713 – Secret Searches
– CDT Analysis of draft CESA bill
~~~~~~~~~~~~~~~~
#1…. from above, “White House Statement To Congress on CESA”…..
THE WHITE HOUSE
September 16, 1999
TO THE CONGRESS OF THE UNITED STATES:
I am pleased to transmit for your early consideration and speedy enactment a legislative proposal entitled the
“Cyberspace Electronic Security Act of 1999” (CESA). Also transmitted herewith is a section-by-section analysis.
There is little question that continuing advances in technology are changing forever the way in which people live, the
way they communicate with each other, and the manner in which they work and conduct commerce. In just a few
years, the Internet has shown the world a glimpse of what is attainable in the information age. As a result, the
demand for more and better access to information and electronic commerce continues to grow — among not just
individuals and consumers, but also among financial, medical, and educational institutions, manufacturers and
merchants, and state and local governments. This increased reliance on information and communications raises
important privacy issues, because Americans want assurance that their sensitive personal and business information is
protected from unauthorized access as it resides on and traverses national and international communications
networks. For Americans to trust this new electronic environment, and for the promise of electronic commerce and
the global information infrastructure to be fully realized, information systems must provide methods to protect the
data and communications of legitimate users. Encryption can address this need, because encryption can be used to
protect the confidentiality of both stored data and communications. Therefore, my Administration continues to
support the development, adoption, and use of robust encryption by legitimate users.
At the same time, however, the same encryption products that help facilitate confidential communications between
law-abiding citizens also pose a significant and undeniable public safety risk when used to facilitate and mask illegal
and criminal activity. Although cryptography has many legitimate and important uses, it is also increasingly used as a
means to promote criminal activity, such as drug trafficking, terrorism, white collar crime, and the distribution of child
pornography.
The advent and eventual widespread use of encryption poses significant and heretofore unseen challenges to law
enforcement and public safety. Under existing statutory and constitutional law, law enforcement is provided with
different means to collect evidence of illegal activity in such forms as communications or stored data on computers.
These means are rendered wholly insufficient when encryption is utilized to scramble the information in such a
manner that law enforcement, acting pursuant to lawful authority, cannot decipher the evidence in a timely manner, if
at all. In the context of law enforcement operations, time is of the essence and may mean the difference between
success and catastrophic failure.
A sound and effective public policy must support the development and use of encryption for legitimate purposes but
allow access to plaintext by law enforcement when encryption is utilized by criminals. This requires an approach that
properly balances critical privacy interests with the need to preserve public safety. As is explained more fully in the
sectional analysis that accompanies this proposed legislation, the CESA provides such a balance by simultaneously
creating significant new privacy protections for lawful users of encryption, while assisting law enforcement’s efforts to
preserve existing and constitutionally supported means of responding to criminal activity.
The CESA establishes limitations on government use and disclosure of decryption keys obtained by court process
and provides special protections for decryption keys stored with third party “recovery agents.” CESA authorizes a
recovery agent to disclose stored recovery information to the government, or to use stored recovery information on
behalf of the government, in a narrow range of circumstances (e.g., pursuant to a search warrant or in accordance
with a court order under the Act). In addition, CESA would authorize appropriations for the Technical Support
Center in the Federal Bureau of Investigation, which will serve as a centralized technical resource for Federal, State,
and local law enforcement in responding to the increasing use of encryption by criminals.
I look forward to working with the Congress on this important national issue.
THE WHITE HOUSE
~~~~~~~~
#2. White House Fact Sheet On CESA.
http://www.cdt.org/crypto/CESA/CESArevfactsheet2.shtml
THE WHITE HOUSE
Office of the Press Secretary
For Immediate Release September 16, 1999
FACT SHEET
The Cyberspace Electronic Security Act of 1999
Today, the President is transmitting to the Congress a legislative proposal entitled the “Cyberspace Electronic Security Act
of 1999” (CESA). This legislation would protect the growing use of encryption for the legitimate protection of privacy and
confidentiality by businesses and individuals, while helping law enforcement obtain evidence to investigate and prosecute
criminals despite their use of encryption to hide criminal activity.
Encryption is an important tool for protecting personal privacy and is essential for the expansion of electronic commerce.
Yet, the advent and eventual widespread use of encryption poses significant challenges to law enforcement and public
safety. Under existing law, investigators have a variety of legal tools to collect electronic evidence of illegal activity. These
tools are rendered useless when encryption is used to scramble evidence so that law enforcement cannot decipher it in a
timely manner, if at all. Timely action against terrorists, drug dealers, or kidnappers may require rapid access to electronic
information that must not be thwarted by encryption.
CESA balances the needs of privacy and public safety. It establishes significant new protections for the privacy of persons
who use encryption legally. The bill is technology neutral, and does not presuppose technology solutions. CESA also
provides mechanisms to help maintain law enforcement’s current ability to obtain useable evidence as encryption becomes
more common. More specifically, CESA would:
– Ensure that law enforcement maintains its ability to access decryption information stored with third parties, while
protecting such information from inappropriate release. Law enforcement must inform a person whose key is
obtained using court process, and must destroy the keys after their use is complete and when Federal records laws
permit. Law enforcement may only use decryption keys obtained from a key recovery agent for an explicitly
authorized purpose. A key recovery agent may not disclose or use a decryption key, nor disclose the identity of a
customer, except under explicit and limited circumstances. Individuals remain completely free to use — or not to use
— the services of a recovery agent.
– Authorize $80 million over four years for the FBI’s Technical Support Center, which will serve as a centralized
technical resource for Federal, State, and local law enforcement in responding to the increasing use of encryption by
criminals.
– Ensure that sensitive investigative techniques and industry trade secrets remain useful in current and future
investigations by protecting them from unnecessary disclosure in litigation or criminal trials involving encryption.
Orders protecting such techniques and trade secrets must be consistent with fully protecting defendants’ rights to a
fair trial under the Constitution’s Due Process clause and the Sixth Amendment. Protection of techniques requires a
judicial finding in accordance with specified criteria. Firms’ competitive and liability positions are protected when
lawfully assisting law enforcement through the sharing of trade secrets.
In contrast to an early draft version of the bill, the Administration’s legislation does not provide new authority for search
warrants for encryption keys without contemporaneous notice to the subject. The bill also does not regulate the domestic
development, use or sale of encryption. Americans will remain free to use any encryption system domestically.
~~~~~~~~~
#3……. Text of CESA
http://www.cdt.org/crypto/CESA/CESArevised.shtml
A BILL
To protect the privacy, security and safety of the people of the United States through support for the widespread use of
encryption, protection of the security of cryptographic keys, and facilitation of access to the plaintext of data for legitimate
law enforcement purposes.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
TITLE I–GENERAL PROVISIONS
SEC. 101. SHORT TITLE.
This Act may be cited as the “Cyberspace Electronic Security Act of 1999”.
SEC. 102. FINDINGS.
The Congress finds the following:
(a) The development of the information superhighway is fundamentally changing the way we interact. The nation’s
commerce is moving to networking. Individuals, government entities, and other institutions are communicating across common links.
(b) The Internet has provided our society with a glimpse of what is possible in the information age, and the demand
for information access and electronic commerce is rapidly increasing. This demand is arising from all elements of
society, including individuals, banks, manufacturers, online merchants, service providers, State and local
governments, and educational institutions.
(c) At the same time, society’s increasing reliance on information systems in this new environment exposes U.S.
citizens, institutions, and their information to unprecedented risks.
(d) In order for the global information infrastructure and electronic commerce to achieve their potential, information
systems must overcome these risks and must provide trusted methods to identify users and keep data and
communications confidential.
(e) Cryptography can meet these needs. In particular, cryptography, through the technique of encryption, is an
important tool in protecting the confidentiality of wire and electronic communications and stored data. Thus, there is
a national need to encourage the development, adoption, and use of cryptographic products that are consistent with
the foregoing considerations and are appropriate for use by private parties and by the United States Government.
(f) While encryption is an important tool for protecting the privacy of legitimate communications and stored data, it
has also been used to facilitate and hide unlawful activity by terrorists, drug traffickers, child pornographers, and
other criminals.
(g) The advent and eventual widespread use of encryption poses significant and heretofore unseen challenges to law
enforcement and public safety. While under existing law, both statutory and constitutional in nature, law enforcement
is provided with different means to collect evidence of illegal activity – in the form of communications, stored data on
computers, etc. – these means are rendered wholly insufficient when encryption is utilized to scramble the
information in such a manner that law enforcement, acting pursuant to lawful authority, cannot decipher the evidence.
(h) Technology does not presently exist that allows law enforcement timely to decrypt such information. In the
context of law enforcement operations, for example, stopping a terrorist attack or seeking to recover a kidnaped
child, time is of the essence and may mean the difference between success and catastrophic failure. While existing
means of obtaining evidence would remain applicable in a fully-encrypted world, the failure to provide law
enforcement with the necessary ability to obtain the plaintext, or decrypted “readable” version, of the evidence
makes existing authorities useless.
(i) A sound and effective public policy must support the development and use of encryption for legitimate purposes
but allow access to plaintext by law enforcement when encryption is utilized by criminals. Law enforcement entities
have a critical need to decrypt communications and stored data that they are lawfully authorized to access in order to
obtain the plaintext that is necessary to conduct investigations and prosecutions of such unlawful activity, and there is
a compelling national interest in preserving law enforcement entities’ ability to obtain such plaintext. Appropriate
means must be available to fulfill these law enforcement objectives, consistent with existing legal authorities and
constitutional principles, in order to protect public safety. This requires an approach which properly balances critical
privacy interests with the need to preserve public safety.
(j) While means to aid investigators’ and prosecutors’ efforts to obtain plaintext are needed, this Act is not intended
to make it unlawful for any person to use encryption in the United States for otherwise lawful purposes, regardless of
the encryption algorithm selected, key length chosen, or implementation technique or medium used. Similarly, this
Act is not intended to require anyone to use third parties for storage of decryption keys, and this Act does not
establish any regulatory regime for entities engaging in such an activity. Finally, this Act is not intended to affect
export controls on cryptographic products.
TITLE II–ACCESS TO AND USE OF STORED RECOVERY INFORMATION HELD BY RECOVERY
AGENTS, ACCESS TO RECOVERY INFORMATION, PROTECTION OF CONFIDENTIAL
INFORMATION, AND FBI TECHNICAL SUPPORT
SEC. 201. REDESIGNATION OF DEFINITIONAL SECTION.
Section 2711 of title 18, United States Code, is redesignated as section 2718.
SEC. 202. AMENDMENTS TO SECTIONS 2703 AND 2707 OF TITLE 18.
(a) Subsection 2703(d) of title 18, United States Code, is amended by striking “described in section 3127(2)(A)
and”.
(b) Section 2707 of title 18, United States Code, is amended–
(1) in subsection (a) by striking “section 2703(e)” and inserting “sections 2703(e) and 2715”; and
(2) in subsection (e)
(i) by redesignating paragraphs (2) and (3) as paragraphs (3) and (4), respectively;
(ii) inserting after paragraph (1) the following:
“(2) a request of a governmental entity under section 2703(f) of this chapter;” and
(iii) in redesignated paragraph (e)(3), striking “section 2518(7)” and inserting “sections 2518(7) or
2712(a)(4)”.
SEC. 203. AMENDMENTS OF CHAPTER 121 OF TITLE 18, UNITED STATES CODE, RELATED TO
RECOVERY INFORMATION.
Chapter 121 of title 18, United States Code, is amended by adding the following after section 2710:
“§ 2711. Disclosure or use of stored recovery information and customer information by recovery agents;
notification of storage location
“(a) Prohibitions and requirements.–
“(1) Except as provided in subsections (b) and (d), a recovery agent shall not–
“(A) disclose stored recovery information;
“(B) use stored recovery information to decrypt data or communications; or
“(C) disclose any other information or record that identifies a person or entity for whom the recovery
agent holds or has held stored recovery information.
“(2) No person or entity shall knowingly obtain stored recovery information from a recovery agent knowing or
having reason to know he has no lawful authority to do so.
“(3) A recovery agent shall inform any person or entity who stores recovery information with the recovery
agent of the location or locations where the recovery information is stored.
“(b) Authorizations for disclosure or use.–
(1) Recovery information.–A recovery agent may disclose stored recovery information, or use stored
recovery information to decrypt data or communications, only–
“(A) in the case of disclosure to or use on behalf of any person or entity, including a governmental
entity–
“(i) with the consent of the person or entity who stored such recovery information, or the agent
of such person or entity; or
“(ii) pursuant to an order of a court of competent jurisdiction, if such court has found that another
person or entity is legally entitled pursuant to generally applicable law to receive, possess, or use
such recovery information and has, if practicable, provided the person or entity who has stored
the recovery information with an opportunity to be heard; or
“(B) in the case of disclosure to or use on behalf of a governmental entity, as specified in section 2712
of this title.
“(2) Customer information.–A recovery agent may disclose information or a record, other than stored
recovery information, that identifies a person or entity for whom the recovery agent holds or has held stored
recovery information only–
“(A) with the consent of the person or entity who stored such recovery information, or the agent of
such person or entity;
“(B) if the disclosure is necessarily incident to the rendition of the service provided to the person or
entity who has stored such recovery information, or to the protection of the rights or property of the
recovery agent;
“(C) pursuant to an order of a court of competent jurisdiction based upon a showing of compelling
need for the information, if such court has, if practicable, provided the person or entity who has stored
such recovery information with an opportunity to be heard; or
“(D) to a governmental entity pursuant to a warrant issued pursuant to the Federal Rules of Criminal
Procedure or equivalent State warrant, a court order, or a federal or State subpoena; provided,
however, that notice to the person or entity who stored such recovery information is not required under
this subparagraph, and, furthermore, that a court of competent jurisdiction may for good cause order
that the recovery agent not disclose the government request for 90 days, which period may be
extended upon further showings of good cause.
“(c) Confidentiality.– Except as otherwise provided by law, or by order of a court of competent jurisdiction, a
recovery agent who is requested or ordered to disclose stored recovery information to, or to use stored recovery
information on behalf of, a governmental entity pursuant to paragraph (b)(1) above shall not reveal to any person or
entity the fact that the governmental entity has requested or received stored recovery information from, or has
required the use of stored recovery information by, the recovery agent, and shall not disclose to any other person or
entity any decrypted data or communications that are provided to the governmental entity.
“(d) Exclusions.–Nothing in this section or section 2712 of this title shall be construed to prohibit a recovery agent
from:
“(1) except as provided in subsection (c), using or disclosing plaintext in its possession, custody, or control;
“(2) using or disclosing recovery information that is not stored recovery information held by it under the
circumstances described in section 2718(7); or
“(3) using stored recovery information in its possession, custody, or control to decrypt data or
communications in its possession, custody, or control, if applicable statutes, regulations, or other legal
authorities otherwise require the recovery agent to provide such data or communications to a governmental
entity in plaintext or other form which can be readily understood by the governmental entity.
“(e) Criminal sanctions.–Whoever knowingly violates or attempts to violate subsection (a) or subsection (c) of this
section shall be fined under this title, or imprisoned for not more than one year, or both.
“§ 2712. Requirements for governmental access to, use of, and disclosure of stored recovery information
“(a) Compelled disclosure and use of stored recovery information in the possession of recovery
agents.–A governmental entity may require a recovery agent to disclose stored recovery information to the
governmental entity, or to use stored recovery information to decrypt data or communications–
“(1) pursuant to a warrant issued pursuant to the Federal Rules of Criminal Procedure or an equivalent State
warrant, or an order issued under section 2518 of this title;
“(2) pursuant to any process under federal or State law to compel disclosure that is permitted by section
2711(b)(1)(A)(i);
“(3) pursuant to a court order issued under subsection (b); or
“(4) when an investigative or law enforcement officer, specially designated by the Attorney General, the
Deputy Attorney General, the Associate Attorney General, any Assistant Attorney General, any acting
Assistant Attorney General, or any Deputy Assistant Attorney General, or by the principal prosecuting
attorney of any State or subdivision thereof acting pursuant to a statute of that State, reasonably determines
that–
“(A) an emergency situation exists that involves–
“(i) immediate danger of death or serious physical injury to any person,
“(ii) conspiratorial activities threatening the national security interest, or
“(iii) conspiratorial activities characteristic of organized crime or terrorism, requiring that
recovery information be obtained or used before an order authorizing the same can, with due
diligence, be obtained; and
“(B) there are grounds upon which an order could be entered under this section to authorize such
disclosure by a recovery agent of stored recovery information, or the decryption of data or
communications by a recovery agent using stored recovery information;
but an order under this section must be sought within forty-eight hours after the stored recovery
information has been released or the decryption has occurred. In the event no order is requested within
that time or the request for an order is denied, the governmental entity shall not further use or disclose
the recovery information received or plaintext recovered, shall seal such information or plaintext under
the direction of a court of competent jurisdiction, and shall serve notice as provided for in subsection
(c) of this section;
A federal governmental entity may require a recovery agent to disclose stored recovery information to
it or another federal governmental entity, or to use stored recovery information to decrypt data or
communications, under paragraphs (1), (2), (3), or (4) for the benefit of a foreign government, pursuant
to a request of a foreign government under applicable legislation, treaties, or other international
agreements.
“(b) Requirements for court order for disclosure or use of stored recovery information by a recovery
agent.–A court order requiring a recovery agent to disclose stored recovery information to a governmental entity or
to use stored recovery information to decrypt data or communications on behalf of a governmental entity shall be
issued by a court of competent jurisdiction upon a finding, based on specific and articulable facts, that–
“(1) the use of the stored recovery information is reasonably necessary to allow access to the plaintext of data
or communications;
“(2) such access is otherwise lawful;
“(3) the governmental entity will seek such access within a reasonable time; and
“(4) there is no constitutionally protected expectation of privacy in such plaintext, or the privacy interest
created by such expectation has been overcome by consent, warrant, order, or other authority.
An order under this section directing the disclosure of stored recovery information shall be limited to the extent
practicable to directing the disclosure of only that stored recovery information that is necessary to allow access to
the plaintext of the relevant data and communications.
“(c) Notice.– Within 90 days after receiving stored recovery information or decrypted data or communications from
a recovery agent, the governmental entity shall notify the person or entity, if known, who stored the recovery
information that stored recovery information was disclosed or used by the recovery agent, and such notice shall state
the date on which the stored recovery information or decrypted data and communications were disclosed. On the
government’s ex parte showing of good cause, the giving of notice may be postponed by a court of competent
jurisdiction. Notice under this section shall be provided by personal service, or by delivery by registered or
first-class mail.
“(d) Cost reimbursement.–A governmental entity obtaining stored recovery information from a recovery agent or
directing a recovery agent to decrypt the data or communications pursuant to subsection (b) shall pay to the
recovery agent a fee for reimbursement for such costs as are reasonably necessary and which have been directly
incurred in providing such information or decrypting such data and communications. The amount of the fee shall be
as mutually agreed by the governmental entity and the recovery agent, or, in the absence of agreement, shall be as
determined by the court which issued the order pursuant to subsection (b).
“§ 2713. Use, disclosure, and destruction of recovery information obtained by a governmental entity by
compulsory process.
“(a) Limitations on use.–
“(1) Authorized use in orders under section 2712.–Any order, warrant, or determination under section
2712 of this title granting a governmental entity access to stored recovery information, or authorizing a
recovery agent to decrypt data or communications on behalf of a governmental entity, shall, either in its text or
in a separate document that is served only on the governmental entity, specify the categories of data and
communications that may be decrypted using such stored recovery information. Unless otherwise specified in
a further order of a court of competent jurisdiction, such stored recovery information shall be used to decrypt
data and communications only as specified in the order, warrant, or other determination.
“(2) Limitations on use in other circumstances.–Unless otherwise specified in an order of a court of
competent jurisdiction, a governmental entity that has obtained recovery information by compulsory process
other than under section 2712 of this title may use such recovery information to decrypt data or
communications only in connection with the matter for which the recovery information was obtained and
related matters, and only if the decryption is appropriate to the proper performance of the official functions of
the governmental entity.
“(b) Limitations on disclosure and subsequent use.–Unless otherwise specified in an order of a court of
competent jurisdiction, a governmental entity that has obtained recovery information by compulsory process
may knowingly disclose recovery information only to the extent that such disclosure is in connection with the
matter for which the recovery information was obtained and any related matters, and only if the disclosure is
appropriate to the proper performance of the official functions of the governmental entity making the
disclosure. Unless otherwise specified in an order of a court of competent jurisdiction, any person or entity
receiving a disclosure under this section shall not further disclose the recovery information, and shall be
subject to the limitations on the use of the recovery information imposed by subsection (a).
“(c) Destruction of recovery information.—Unless otherwise specified in an order of a court of
competent jurisdiction, once the authorized use of recovery information obtained by compulsory process, and
all investigations, trials, and appeals related to that use are completed, after the time period for filing a request
for post-conviction relief has expired, and after any statutory period for retention of records has expired, a
governmental entity, a recovery agent assisting a governmental entity, or other person or entity who has
received a disclosure under this section, shall destroy such recovery information in its possession and the
governmental entity shall make a record documenting the destruction of such recovery information that is in its
possession and shall maintain that record for at least 10 years.
“§ 2714. Notice of access to recovery information held by third parties and obtained by a governmental entity
A governmental entity that has knowingly obtained recovery information by compulsory process other than under section
2712 of this title, shall, if such recovery information is held by the compelled party on behalf of another person or entity,
notify such person or entity, if known, that the recovery information was obtained. Such notice shall be provided within 90
days of the date on which the government obtains the recovery information, and shall state the date on which the recovery
information was disclosed. On the government’s ex parte showing of good cause, the giving of notice may be postponed by
a court of competent jurisdiction. Notice under this section shall be provided by personal service, or by delivery by
registered or first-class mail.
“§ 2715. No cause of action against a provider or recovery agent for compliance with legal demands
“No cause of action shall lie in any court against any provider of wire or electronic communications service or recovery
agent, its officers, employees, agents, or other specified persons for providing information, facilities, or assistance in
accordance with the terms of a court order, emergency request, warrant, or other process under sections 2711 or 2712 of
this title, or against any person or entity for disclosing information to a governmental entity to assist it in obtaining lawful
access to data and communications protected by encryption or other security techniques or devices unless the disclosure is
otherwise prohibited by this chapter.
“§ 2716. Protection of confidential information
“(a) Confidentiality of access techniques.–In any civil or criminal case where a party seeks (1) to discover or
introduce plaintext that had been encrypted or protected by other security techniques or devices, and which plaintext
had been obtained by or for a governmental entity using government methods of access to such protected
information, or (2) to discover or introduce evidence or information concerning government methods of access to
such protected information, if such evidence or information is sought or obtained from a governmental entity or a
past or present agent thereof, an attorney for the government (as that term is defined in the Federal Rules of Criminal
Procedure), whether or not the government is a party, may file an application requesting that the court enter an order
pursuant to subsection (b) protecting the confidentiality of the technique or mechanism that provided access to that
evidence or information.
“(b) Confidentiality orders.–If the court finds that disclosure of a technique or mechanism used by a
governmental entity to obtain access to information protected by encryption or other security techniques or devices,
or of a trade secret relating to such technique or mechanism–
“(1) is likely to:
“(A) jeopardize an on-going investigation;
“(B) compromise the technique or mechanism for the purposes of future investigations;
“(C) result in physical injury to any individual; or
“(D) seriously jeopardize public health and safety; or
“(2) could reasonably be expected to affect the national security;
then the court shall enter such orders and take such other action as may be necessary and appropriate to preserve
the confidentiality of the technique used by the governmental entity or the trade secret, consistent with constitutional
principles. A confidentiality order under this subsection entered in a civil or criminal case may direct the use of
special procedures, as appropriate, relating to the admissibility of evidence obtained through such technique used by
a governmental entity. An interlocutory appeal by the United States shall lie from a decision or order of a district
court with respect to a request for an order under this subsection.
“(c) Nondisclosure of trade secrets.–Notwithstanding any other provision of law, trade secrets (as that term is
defined in section 1839 of this title) disclosed to a governmental entity pursuant to section 2518 of this title, or
otherwise disclosed to a governmental entity to assist it in obtaining access to information protected by encryption or
other security techniques or devices, shall not be disclosed by any governmental entity unless such disclosure is to
another governmental entity, is necessary to implement such methods of access, is with the consent of the person or
entity that owns the trade secret, is ordered by a court of competent jurisdiction pursuant to a request of the
disclosing governmental entity, or is required to be disclosed to a defendant in a criminal case after giving an attorney
for the government an opportunity to seek an order pursuant to subsection (b).
“(d) Interaction with the Classified Information Procedures Act.–Nothing in this section shall be deemed to
affect the Classified Information Procedures Act, Pub. L. 96-456, 94 Stat. 2025 (1980), or as hereafter amended.
“§ 2717. Foreign intelligence information
“Sections 2711, 2712, 2713, and 2714 of this title shall not apply to the acquisition by the United States of foreign
intelligence information as defined in section 101(e) of the Foreign Intelligence Surveillance Act of 1978 or otherwise affect
any lawfully authorized intelligence activity of an officer, agent or employee of the United States, or a person acting
pursuant to a contract with the United States.”.
SEC. 204. DEFINITIONS.
Section 2718 of title 18, United States Code, as redesignated by section 201 of this Act, is amended –
(a) in paragraph (1), by striking “and”;
(b) in paragraph (2), by striking the period and inserting a semicolon; and
(c) by adding at the end the following:
“(3) the term ‘encryption’ means the electronic transformation of data (including communications) in order to
obscure or hide their content;
“(4) the term ‘decryption’ means the electronic retransformation of data (including communications) that have
been encrypted into the data’s form prior to encryption;
“(5) the term ‘plaintext’ means decrypted or unencrypted data (including communications);
“(6) the term ‘recovery information’ means a parameter that can be used with an algorithm, or other data or
object, that can be used to decrypt data or communications;
“(7) the term ‘stored recovery information’ means recovery information held by a recovery agent on behalf of
a person or entity who is not an officer, agent, or employee of the recovery agent acting in that capacity,
which information–
“(a) can be used to decrypt the data or communications of that person or entity;
“(b) remains the exclusive property of that person or entity, and must be returned to such person or
entity by the recovery agent on that person or entity’s demand; and
“(c) except as provided otherwise by this chapter, can be disclosed or used in any manner by the
recovery agent only with the consent of that person or entity or such person or entity’s agent;
“(8) the term ‘recovery agent’ means a person or entity who provides recovery information storage services in
the United States to the public, or is a person or entity, other than an individual, who provides recovery
information storage services in the United States to more than one other person or entity as a business
practice, and includes any officer, employee, or agent thereof;
“(9) the term ‘governmental entity’ includes the Government of the United States and any agency or
instrumentality thereof, and any State as defined in section 2510(3) of this title, and any agency,
instrumentality, or political subdivision thereof;
“(10) the term ‘court of competent jurisdiction’ has the meaning assigned by section 3127 of this title, and
includes any federal court within that definition, without geographic limitation.”.
SEC. 205. TECHNICAL AMENDMENTS
(a) Chapter title.–The title of chapter 121 of title 18, United States Code, is amended by adding “AND
RECOVERY INFORMATION ACCESS” to the end thereof.
(b) Chapter analysis.–The chapter analysis for chapter 121 of title 18, United States Code, is amended by
striking the last item and inserting the following:
“2711. Disclosure or use of stored recovery information and customer information by recovery agents;
notification of storage location.
“2712. Requirements for governmental access to, use of, and disclosure of stored recovery information.
“2713. Use, disclosure, and destruction of recovery information obtained by a governmental entity by
compulsory process.
“2714. Notice of access to recovery information held by third parties and obtained by a governmental entity.
“2715. No cause of action against a provider or recovery agent for compliance with legal demands.
“2716. Protection of confidential information.
“2717. Foreign intelligence information.
“2718. Definitions for chapter.”.
(c) Part analysis.–The part analysis for Part I of title 18, United States Code, is amended by inserting “and
recovery information access” after “access” in the item for chapter 121.
SEC. 206. CONFORMING AMENDMENT
Section 227(a)(2) of the Victims of Child Abuse Act of 1990 (42 U.S.C. 13032(a)(2)) is amended by striking “2711” and
inserting “2718”.
SEC. 207. FBI TECHNICAL SUPPORT
There are authorized to be appropriated for the Technical Support Center in the Federal Bureau of Investigation,
established pursuant to section 811(a)(1) of the Antiterrorism and Effective Death Penalty Act of 1996 (Public Law
104-132)–
(1) $25,000,000 for fiscal year 2000 for building and personnel costs;
(2) $20,000,000 for fiscal year 2001 for personnel and equipment costs;
(3) $20,000,000 for fiscal year 2002; and
(4) $15,000,000 for fiscal year 2003.
TITLE III–INTERCEPTION OF INFORMATION
SEC. 301. MODIFICATION OF SECTION 2516 OF TITLE 18, UNITED STATES CODE, TO PERMIT
INTERCEPTION OF INFORMATION IN CERTAIN CASES.
Section 2516(1)(c) of title 18, United States Code, is amended by inserting “, a felony violation of section 1030 (relating to
computer fraud and abuse)” after “section 1341 (relating to mail fraud)”.
TITLE IV– MISCELLANEOUS PROVISIONS
SEC. 401. DIRECTIVES TO THE SENTENCING COMMISSION.
(a) Amendment of sentencing guidelines.–Pursuant to its authority under section 994(p) of title 28, United
States Code, the United States Sentencing Commission shall review the federal sentencing guidelines and, if
appropriate, shall promulgate guidelines or policy statements or amend existing guidelines or policy statements to–
(1) ensure that the guidelines provide sufficiently stringent penalties to deter and punish persons who
knowingly use encryption in connection with the commission or concealment of criminal acts sentenced under
the guidelines;
(2) provide appropriate penalties for persons who violate this Act; and
(3) address any other factor the Commission considers appropriate in connection with this Act.
(b) Emergency authority.–The Commission may promulgate the guidelines or amendments provided for under this
section in accordance with the procedures set forth in section 21(a) of the Sentencing Act of 1987, as though the
authority under that Act had not expired.
SEC. 402. PROCUREMENT.
Notwithstanding any other provision of law, if the head of a federal law enforcement agency determines that disclosure of
agency needs pertaining to procurement of sensitive equipment, goods, or services associated with access to the plaintext
of data and communications, might reasonably jeopardize an ongoing or future investigation or the use of such equipment,
goods, or services by the agency, then the agency head may limit the number of sources from which the agency solicits bids or proposals, but should use best efforts to solicit bids from at least two sources, and the agency is not required to
advertise the solicitation of such equipment, goods, or services.
SEC. 403. PERSONNEL EXCHANGE PROGRAMS
Section 3371(4) of title 5, United States Code, is amended–
(a) by striking “or” at the end of subparagraph (C);
(b) by striking the period at the end of subparagraph (D) and inserting “; or” and
(c) by adding at the end the following new subparagraph:
“(E) a provider of wire, electronic communications or data encryption or related services, or a recovery agent,
or any other entity, for the limited purpose of carrying out the duties and furthering the purposes set forth in
the Cyberspace Electronic Security Act of 1999.”.
SEC. 404. SEVERABILITY.
If any provision of this Act, or the application thereof, to any person or circumstance, is held invalid, the remainder of this
Act, and the application thereof, to other persons or circumstances shall not be affected thereby.
~~~~~~~~~~~~~~~~~~~~~~~~
#4…..CDT (Center for Democracy and Technology) Initial Analysis of CESA
http://www.cdt.org/crypto/CESA/cdtcesaanalysis.shtml
text ….
September 23, 1999
Initial CDT Analysis of the Clinton Administration’s Proposed Cyberspace
Electronic Security Act (CESA): Standards for Government Access to
Decryption Keys
As part of its package of encryption policy reforms announced on September 16, the Clinton Administration is transmitting
to Congress draft legislation entitled the Cyberspace Electronic Security Act (“CESA”). The proposal raises important
issues concerning the application of Fourth Amendment search and seizure standards to the digital age. However, critical
details of the draft are ambiguous or objectionable:
The standard proposed by the Administration for government access to decryption keys falls far short of Fourth Amendment privacy protections.
A provision for foreign governments to access passwords and keys of US citizens or foreigners using US recovery agents raises a host of questions.
Another provision allowing courts to cast a cloak of secrecy over government decryption methods and product vulnerabilities raises due process concerns, implicating the Sixth Amendment right of defendants to cross-examine government witnesses.
Finally, by narrowly focusing only on access to keys and passwords, the legislation fails to address the much larger question of privacy for documents and information stored in the emerging networked environment.
The proposal does not include the highly objectionable secret search provision previously circulated within the Administration.
Summary
This is our initial analysis of the proposed access provisions. We conclude that CESA does not set adequate privacy
standards. The difficult issues it raises require hearings and deliberate consideration. The basic laws governing privacy in
cyberspace have not been updated since 1986 — well before the full emergence of the Internet. Last year, CDT convened
a consultation with civil liberties groups, industry, and government officials to begin exploring privacy standards for
decryption keys and networked information. CDT will be working to learn more about CESA and to promote through the
Digital Privacy and Security Working Group a dialogue among policymakers and all interested parties aimed at developing
a consensus on better privacy protections.
CESA has four primary components, which would —
prohibit “recovery agents” (those who hold keys, passwords or other decryption information for others under a confidentiality arrangement) from disclosing recovery information without a court order;
establish standards for courts to issue orders for government access to escrowed keys or passwords;
authorize courts to issue protective orders to block disclosure of trade secrets and government information about decryption techniques;
authorize funds for the FBI Tech Center, to assist the FBI in building up a decryption capability.
CESA would establish a statutory standard for law enforcement access to decryption information held by third parties:
courts would issue orders compelling disclosure of decryption information —
“upon a finding, based on specific and articulable facts, that — (1) the use of the stored recovery information is
reasonably necessary to allow access to the plaintext of data or communications .. and (4) there is no
constitutionally protected expectation of privacy in such plaintext, or the privacy interest created by such
expectation has been overcome by consent, warrant, order, or other authority.”
The draft also would prohibit immediate notice to the person whose decryption information is being given to the
government.
This standard falls far short of the standard in the Constitution for government access to keys held by encryption users —
probable cause to believe that a crime is being committed and notice at the time of the seizure. The CESA standard is not
found in any other statute. It was apparently created solely for CESA. The section by section analysis of the Justice
Department does not cite any judicial precedent for it. It requires a magistrate or trial court judge, based on the
unchallenged presentation of the government, to determine whether there is a “constitutionally” protected privacy interest in
certain plaintext. This means that any statutory privacy interest in the plaintext is irrelevant.
Background
Technological starting points: (1) A major technological trend today is the movement of information out of people’s
homes and onto networks. While most computerized information used to be stored locally on disks and hard-drives, the
Internet offers considerable incentives to store information on networks, so that it can be accessed remotely from any
location. (2) Communications that travel over networks and information stored on networks are technologically vulnerable
unless protected by encryption. (3) For some applications, particularly those involving stored data, encryption users will
place their keys or other decryption information in the hands of third parties so they can recover their encrypted data if they lose or forget their key (or password).
Legal starting point: These technological trends give rise to difficult questions under the Fourth Amendment. Information
stored on a computer in your home or office is entitled to full Fourth Amendment protection: in order to seize it, the
government needs a warrant issued by a judge on a finding of probable cause served on you at the time of the search. But if you store information with a third party, do you retain a Fourth Amendment protection in it? The courts have held in a
number of situations that if you give information to a third party, you lose constitutional privacy rights in it. Therefore,
people have absolutely no constitutionally protected privacy interest in their bank records in the hands of banks; their
medical records in the hands of HMOs, pharmacies and insurance companies; their book store purchases; their credit card records, etc.
With the rise of networking, this problem is exacerbated. Do people have a constitutionally protected privacy interest in
their calendars stored on Yahoo? In their data on remote servers they do not own or control? In passwords or decryption
keys stored with third party recovery agents? At best, the answer is unclear.
In the past, when the privacy status of communications and information created by emerging technologies was unclear,
Congress acted to create statutory privacy rights. Most notable is the Electronic Communications Privacy Act of 1986
(ECPA), which established probable cause requirements for access to e-mail and cellular phone conversations.
Analysis of the CESA Access Standard
As people begin to use key recovery and engage the services of key recovery agents, do escrowed keys lose the probable cause and notice protections of the Fourth Amendment? CDT has argued that keys even in the hands of third parties are so sensitive and will play such a vital role in the still emerging world of cyberspace that they should be protected by the Fourth Amendment. No court has considered the issue. The Justice Department’s analysis of CESA clearly states, “there is no constitutionally protected expectation of privacy in recovery information held by a third party but not under a confidentiality arrangement.” Thus, in the Justice Department’s view, key recovery agents, in the absence of a contractual confidentiality agreement, could voluntarily disclose keys to the government, and even with such an agreement, the government might be able to compel disclosure of a key with a mere grand jury or administrative subpoena issued without judicial approval and without notice to the person who created the key.
CESA seeks to moot the constitutional question by creating a narrow statutory privacy right in escrowed keys, while
simultaneously providing a mechanism for the government to get those keys.
But the protections in CESA fall short of the privacy standard established by the Fourth Amendment. CESA requires
disclosure of keys to government agents with a court order, when needed to decrypt information where there is no
“constitutionally protected expectation of privacy” in the underlying plaintext. This is a new formulation, with no track
record. Many privacy protections stem from laws passed by Congress and not from the Constitution directly. Under this
provision, keys could be readily accessible for sensitive encrypted information stored with third parties such as financial
records, medical records, or in fact any encrypted data stored on a network server or with an ISP. It is not even clear that there is a constitutionally protected expectation of privacy in email. (There is a certain circularity to privacy law. The
Constitution honors “reasonable expectations of privacy.” Does the statutory right of privacy in email established by ECPA before the courts could rule on its constitutional status give rise to a reasonable expectation of privacy such that it is now “constitutionally protected?”)
Probable cause lacking: CESA does not require the more stringent showing of “probable cause” that the Fourth
Amendment would demand of keys taken from a person’s own computer or data seized from one’s own house. Instead,
CESA relies on a bootstrapping exercise: the authority to seize the key depends on a finding of no constitutional privacy
interest in the plaintext. Normally, when the government executes a warrant and learns there is something else it wants in
another location, it must go back to the judge and obtain a second warrant for that second location. Under CESA,
obtaining of a warrant for seizure of information in the hands of one party would serve as the basis for the seizure of
different information in the hands of a different party. This is not what the Fourth Amendment would require. Why not
adhere to the standards of the Fourth Amendment and get a second warrant to seize the keys?
Notice: Under the Fourth Amendment, when the government wants to seize something from you, it must not only obtain a
warrant from a judge based on a finding of probable cause, it also must serve the warrant on you at the time of the seizure, giving you the opportunity to protect your interests. CESA prohibits the contemporaneous notice required in a normal search, and allows even after-the-fact notice to be delayed indefinitely.
In the case of stored records, there is no justification for delayed notice. If the government seizes stored records and finds
they have been encrypted, it can serve notice on the encryption user at the same time that keys are seized from a recovery
agent, with no ill effect on its investigation.
In the case of communications, the government would want to delay notice in order to be able to continue to intercept and
decrypt communications surreptitiously. But it is not clear that there will be very many situations where individuals escrow
keys for their communications.
Foreign access: CESA also provides that a federal government entity may require a recovery agent to disclose stored
recovery information “for the benefit of a foreign government, pursuant to a request of a foreign government under
applicable legislation, treaties, or other international agreements.” This one sentence masks a host of issues. How will the
US government respond when a government like China’s seeks the keys of human rights activists? Or when France seeks
the keys of US corporations doing business in France, claiming that the keys are necessary for a tax evasion investigation?
Emergency access: CESA also has an emergency access provision, under which the Attorney General or other senior
Justice Department officials can designate any federal law enforcement officer (park police, poultry inspector, building
guard) to make the determination that there is an emergency and to demand a key from a recovery agent. The emergency
language is similar to language in the wiretap law, but the justification for it here is hard to understand. The emergency
procedures in the wiretap law are themselves outdated, having been enacted in 1968, before there were fax machines,
pagers, cell phones and email, which make it always possible to find a federal judge on duty and able to review and
approve a search warrant application. It should be noted that in 1997 the Federal Rules of Criminal Procedure were
amended to allow for telephonic submission of search warrant applications and affidavits in emergency situations, with
procedures for the contemporaneous recording of the oral testimony supporting probable cause. Fed. R. Crim. P.
41(c)(2). This keeps judges in the process and seems to be a far more appropriate model for emergency authority under a CESA.
CESA vs Chairman Goss’ language: In matters of detail, there are significant differences between CESA and the access
language drafted by the House Intelligence Committee chairman Porter J. Goss.
The Goss amendment covers access to both plaintext and decryption information, while CESA covers only the latter. (As the Justice Department’s analysis of CESA explains, “CESA is not intended to affect the standards for government access to plaintext.”)
The Goss bill does not specify the burden of proof that the government must meet: it simply requires a “factual basis” for the government’s assertion of relevance. CESA uses the phrase “specific and articulable facts,” which is a very low threshold.
The standard in the Goss amendment is “relevance” to an ongoing investigation, relevance being the lowest standard for compelling disclosure of information, while CESA does not even require relevance. CESA merely says that there must be “no constitutionally protected expectation of privacy” or the expectation must be overcome by some means.
The Goss amendment did not specify to whom a plaintext access order would be directed; CESA makes it clear that orders for decryption information are directed only to recovery agents.
What about the underlying data? CESA recognizes that keys stored with third parties are entitled to statutory privacy
protection. But if keys in the hands of third parties are not constitutionally protected, what about the substance of one’s
files? The technological trends toward hand-held computers with Internet access and other mobile devices that access the
data stored on networks mean that information may come more and more to be stored in configurations not protected by
the Fourth Amendment. (The Supreme Court’s statement that the Fourth Amendment “protects people, not places” clashes with its rulings that judge whether privacy expectations are “reasonable” based on where, with whom and how information is stored and accessed.) CESA does not address the privacy standards applicable to information stored on networks. A true Cyberspace Electronic Security Act would establish strong privacy protections for information stored on networks. (So far, the only statutory protection accorded networked information is under the obscure “remote computing” provision of 18 USC 2703(b), adopted in 1986, before the World Wide Web existed, which provides less than the full Fourth Amendment protections.)
Conclusion
The challenge raised by CESA is to draft government access standards that map the privacy protections of the Fourth
Amendment onto the emerging networked environment. Technology is exploding the home – personal data is moving out of the desk drawer and off of the desktop computer and out onto the Internet. It is not the end of the privacy debate to say that this technological change takes information outside the protection of the Fourth Amendment. To stop there would leave the Fourth Amendment protections available in the home when increasingly information is not stored there anymore. Rather, it is necessary to adopt legislative protections that give to information on networks the same level of Fourth Amendment privacy protections that it would have in the home. CESA falls well short of that goal.
For more information, contact: Jim Dempsey
Senior staff counsel
(202) 637-9800
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#5 ….. Secret Searches (section 2713, which was dropped from bill in Sept. of 1999.)
http://www.cdt.org/crypto/CESA/draftCESAbill.shtml#secret
text…..
“§ 2713.- Obtaining recovery information or plaintext by other means
“(a) In general.– A federal governmental entity may seek a warrant, issued pursuant to the Federal Rules of Criminal
Procedure, to search for and obtain recovery information or other information necessary to obtain access to the
plaintext of data or communications, or to install and use a recovery device; provided, however, that nothing herein
shall be construed to limit the application of chapter 119 of this title.
“(b) Notice.– Upon an ex parte showing of good cause the court issuing the warrant may postpone the notice
required by Rule 41 (d) of the Federal Rules of Criminal Procedure for 30 days. Upon additional ex parte showings
of good cause, the serving of notice may be further postponed. Upon expiration of any court orders postponing
notice, the governmental entity shall provide notice to the person or entity subject to the search or recovery device
by personal service, or by delivery by registered or first-class mail, and shall file a copy of such notice with the court.
In the case of a recovery device, such notice shall include the period of time during which the recovery device was in
use and whether the recovery device was successfully disabled.
“(c) Assistance.-Upon the request of the applicant, a warrant issued under subsection (a) of this section shall direct
that a provider of wire or electronic communication service, landlord, custodian or other person shall furnish the
governmental entity forthwith all information, facilities, and technical assistance necessary to accomplish the
successful execution of the warrant unobtrusively and with a minimum of interference with the services accorded to
the persons affected by the search or installation of a recovery device. Any person providing facilities or assistance
shall be compensated therefor by the applicant for reasonable expenses directly incurred in providing the facilities or
assistance. The amount of the fee shall be as mutually agreed by the governmental entity and the person providing the
facilities or assistance, or, in the absence of agreement, shall be as determined by the court which issued the warrant.
“(d) Nondisclosure.-A warrant issued under subsection (a) shall direct that–
“(1) it be sealed until otherwise ordered by the court; and
“(2) any person who has been ordered by the court to provide assistance to a governmental entity not
disclose the existence of any search or recovery device, the existence of the investigation, any recovery
information, data, communications, or other information obtained through the investigation, or any techniques
or devices used by the governmental entity, to any other person, unless and until ordered otherwise by the
court.
“(e) Minimization.-A warrant issued pursuant to subsection (a) of this section shall be executed in such a manner so
as to minimize the obtaining of information other than the recovery information, other information, or plaintext sought,
and to minimize to the greatest extent feasible the possibility that unauthorized persons might obtain access to
recovery information or the plaintext of data and communications. Any challenges to the government’s compliance
with this provision shall be determined by a court in accordance with section 2717 of this title.
“(f) Termination of recovery devices.-To the extent practicable, if the system affected by a recovery device remains
in use, a governmental entity shall disable any recovery device after its use is completed, shall make a record
documenting such disabling, and shall return the system to its previous condition.
“(g) State law unaffected.-Nothing in this section shall be construed to prevent the adoption of analogous procedures
under State law.
“(h) Reports concerning warrants under this section.-
“(1) For the 3 years following the enactment of this Act, with respect to each application for a warrant with
delayed notice under subsection (b), within 30 days after the notice required by subsection (b) is filed with a
court or the application for delayed notice under this section is denied, the issuing or denying judge shall
report to the Administrative Office of the United States Courts-
“(A) the fact that a warrant was applied for;
“(B) the fact that notice was delayed or was not;
“(C) the total period for which notice was delayed, and, in the case of a recovery device, the period of
time during which the recovery device was in use and whether the recovery device was successfully
disabled;
“(D) the offense specified in the application or warrant; and
“(E) the name of the governmental entity making the application.
“(2) In April of each year the Director of the Administrative Office of the United States Courts shall transmit
to the Congress a summary and analysis of the data required to be filed with the Administrative Office by
paragraph (h)(1). The Director of the Administrative Office of the United States Courts is authorized to issue
binding regulations dealing with the content and form of the reports required to be filed by paragraph (h)(1).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#6 …… DOJ Section by Section Analysis
http://www.cdt.org/crypto/CESA/CESAanalysis.shtml
text….
Cyberspace Electronic Security Act
August 4, 1999
DOJ Section by Section analysis
THE CYBERSPACE ELECTRONIC SECURITY ACT OF 1999
The Cyberspace Electronic Security Act of 1999 (CESA) updates law enforcement and privacy rules for our emerging
world of widespread cryptography, which is a tool to protect the confidentiality of wire and electronic communications and stored data. Cryptography has many legitimate and important uses. It also is increasingly used as a means to facilitate
criminal activity, such as drug trafficking, terrorism, white collar crime, and the distribution of child pornography. The Act
responds to both the legitimate and unlawful uses of cryptography, building a legal infrastructure for these emerging issues.
CESA recognizes that the use of cryptography for legitimate purposes should be protected. Currently there are no federal
statutory protections for the privacy of decryption keys per se. CESA would create such protections, limiting in many cases the disclosure of decryption keys to both public and private entities. In particular, CESA recognizes the role of “recovery agents” in today’s information age. Recovery agents provide storage services for keys that can be used to decrypt data and communications. Such storage services play an important role in protecting encrypted data because of the possibility, for example, that a person who encrypts data will lose the decryption key and later need it to decrypt the data, or that such person’s heirs will require a decryption key for legitimate purposes. When a person stores a decryption key or other recovery information with a recovery agent, the Act creates new protections. It prohibits the recovery agent from disclosing such information or using it to decrypt data except under limited circumstances, such as with the consent of the person who stored the key or under a court order. The Act also promotes privacy and security by prohibiting a recovery agent from selling or otherwise disclosing its customer lists to other parties.
While decryption keys must be protected from improper disclosure, CESA recognizes the need for government access to
keys for legitimate law enforcement purposes. The Act, therefore, authorizes a recovery agent to disclose stored recovery
information to the government, or to use stored recovery information on behalf of the government, in a narrow range of
circumstances, for example, pursuant to a search warrant or in accordance with a court order under the Act. Such a court
order must be based on a finding that, among other things, there is no constitutionally protected expectation of privacy in
the plaintext of encrypted data or that the privacy interest created by such expectation has been overcome by consent,
warrant, order, or other authority. Thus, CESA reflects a careful balancing of the interests of public safety and privacy.
Currently, in the absence of statutory protections for the privacy of stored recovery information, the government may be
able to obtain stored recovery information from a recovery agent with, for example, a grand jury subpoena. CESA makes
clear that the government may not seek stored recovery information from a recovery agent through such a mechanism,
standing alone.
CESA also recognizes that law enforcement personnel may need the plaintext of encrypted data when a decryption key for the data is not held by, or is not obtained from, a recovery agent. In the pre-encryption world, this problem did not arise. Today, when law enforcement personnel obtain written materials, they can normally read them. In the future, as encryption becomes more widespread, “written” materials may often not be readable without a decryption key, and, when the key is not stored with a recovery agent, the government will need another way to obtain decryption keys. The Act therefore sets forth procedures for a mechanism for government access to decryption keys or plaintext through a search warrant with the possibility of delayed notice. The search warrant may authorize the search and seizure of decryption keys and other recovery information or the alteration of hardware or software that allows plaintext to be obtained even if attempts were made to protect it through encryption. In addition, CESA recognizes the need to keep government techniques for obtaining access to recovery information confidential. It provides for the issuance of court orders to protect confidentiality under specified circumstances (such as upon a finding that disclosure is likely to compromise a technique for purposes of future investigations or to result in injury to any person) and requires such orders to be consistent with constitutional principles.
While CESA reflects the need for law enforcement access to recovery information, it also provides limitations on the use
and disclosure of such information obtained through compulsory process. For example, CESA requires that a court order
authorizing government access to recovery information specify the categories of data and communications that may be
decrypted using the recovery information. In addition, CESA requires the eventual destruction of recovery information
obtained through compulsory process. The limitations on the use and disclosure of recovery information obtained through
compulsory process and the requirement for the destruction of such information reflect CESA’s balancing of the need for
privacy against the need for law enforcement access in appropriate circumstances to such information.
Section 201
Section 201 of CESA redesignates the definitional provision of chapter 121 of title 18, United States Code, which
concerns stored wire and electronic communications and transactional records access. Currently, the definitional provision
is in section 2711 but would be expanded and redesignated as section 2719 by CESA.
Section 202
Section 202 amends section 2703(d) of title 18, United States Code, which concerns government access to the contents
of electronic communications held by an electronic communications service or a remote computing service and to
subscriber information and related records held by such entities. Currently, under section 2703(d) a court order for
disclosure may be issued by a federal district court (including a magistrate of such court) or a federal court of appeals.
Under the amendment such an order could be issued by any “court of competent jurisdiction.” Section 2719 defines this
term to include both a court of general criminal jurisdiction of a State authorized by state law to enter orders authorizing the use of a pen register or trap and trace device and also a federal court in the categories specified under current law, without geographic limitation. Thus, the amendment provides that a State court can issue an order under section 2703(d), and it clarifies that any federal court may issue an order under that section, not just a federal court in the district of the entity served with the order.
Section 202 of CESA also amends section 2707 of title 18, United States Code, concerning civil actions for persons
aggrieved by a violation of chapter 121 of that title. First, this amendment makes a conforming change to recognize the
exception to civil liability provided in proposed section 2716, discussed below. It also amends subsection (e) of section
2707 to add two new bases for a defense to civil or criminal liability. The first is a good faith reliance on a request of a
governmental entity under section 2703(f) for a provider of wire or electronic communication services or a remote
computing service to preserve records and other evidence in its possession pending the issuance of a court order or other
process. The second is a good faith reliance on an emergency request under proposed section 2712(a)(4) for the
disclosure to a governmental entity by a recovery agent of stored recovery information or the use of it to decrypt data or
communications (discussed below in the analysis of proposed section 2712). This amendment is parallel to the existing
defense in section 2707(e) based on a good faith reliance on an emergency request under the wiretap statute, 18 U.S.C.
§2518(7). While requests under section 2703(f) or proposed section 2712(a)(4) are already included in the good faith
defense because each provides a “statutory authorization” under section 2707(e)(1), this amendment makes the existence
of such defense clear.
Section 203
Section 203 adds a number of new provisions to chapter 121 of title 18, United States Code, to address decryption keys
and other recovery information.
Proposed 18 U.S.C. § 2711
New section 2711 in title 18 addresses the disclosure or use of stored recovery information, such as decryption keys that
can be used to decrypt data or communications, and notification of storage location. This proposed section prohibits a
recovery agent [ 1 ] from disclosing decryption keys and other stored recovery information, [ 2 ] from using such
information to decrypt data or communications, and from disclosing any other information or record that identifies a person or entity for whom the recovery agent holds or has held stored recovery information, except as specifically provided.
Proposed section 2711 also prohibits a person from knowingly obtaining stored recovery information from a recovery
agent if the person knows or has reason to know he or she has no lawful authority to do so. In addition, this
section requires a recovery agent to inform any person who stores recovery information with that agent of the location or
locations where the recovery information is stored, i.e., the country and/or state in which the recovery information is stored,
but not the actual physical address.
The confidentiality of decryption keys stored with recovery agents is increasingly important as the use of encryption grows. The public must have confidence that storage is safe, much the same as the public must have confidence in the protection provided to papers stored in a safe deposit box at a bank. However, in limited circumstances third parties must be able to obtain access to decryption keys. Thus, proposed section 2711 (b)(1)(A)(ii) authorizes the disclosure or use of stored recovery information by a recovery agent in the case of a person who is determined by a court to be legally entitled under generally applicable law to receive, possess, or use stored recovery information (e.g., an heir who is determined by a court to be legally entitled to obtain a decedent’s stored recovery information). In addition, a recovery agent may disclose or use stored recovery information with the consent of the person who stored the recovery information or that person’s agent. Both of these permitted disclosures or uses apply when the disclosure is to, or use is on behalf of, any person or entity, including a governmental entity. Proposed section 2711(b)(1)(B) also authorizes disclosure or use in the case of a governmental entity pursuant to a search warrant or other means set forth in proposed section 2712, discussed below.
It is important to note that a governmental entity need not seek access to recovery information under section 2712, but can also seek access based on the consent or “generally applicable law” provisions of section 2711 (b)(1)(A). “Generally
applicable law” is intended to include any law that generally covers ownership, control, or use of property or information,
such as contract, agency, property, and estate laws, but does not include laws specifically addressing ownership, control,
or use of recovery information only, or laws that support access to information in criminal investigations only. Therefore, the “generally applicable law” provision would not allow a State to pass a law lowering standards of access below those set by new section 2712.
It is also important to recognize that the definition of “recovery agent” in proposed section 2719 includes officers,
employees and agents of the recovery agent. A disclosure to such persons is not prohibited by the Act, for example, as
might occur incidentally in testing the security of the recovery agent’s systems, because there is no disclosure to a person
other than the recovery agent.
As noted above, section 2711, in order to protect privacy and to restrict the ability of criminals to target particular recovery agents, also limits the disclosure by a recovery agent of other information about those persons who store “stored recovery information” with the recovery agent. Section 2711 (b)(2) allows a recovery agent to disclose information or a record, other than stored recovery information, that identifies a person or entity for whom the recovery agent holds or has held stored recovery information, only with consent, as is necessarily incident to the rendition of the service provided to that person or entity or to the protection of the rights or property of the recovery agent, in response to a court order based on compelling need and after notice to the person who stored the recovery information and an opportunity for him to be heard, or to the government in response to a warrant, a court order, or a subpoena. No notice is required to the subscriber when providing such information to the government, and any notice can be delayed upon a showing of good cause.
Proposed section 2711 includes a confidentiality provision in subsection (c) that prohibits a recovery agent from disclosing the fact that a governmental entity has required a recovery agent to disclose or use stored recovery information. It also prohibits a recovery agent from disclosing to any other person any decrypted data or communications provided to the governmental entity. Without such a prohibition investigations that utilize stored recovery information obtained by the
government under CESA could be jeopardized when the person who stored a decryption key with a recovery agent learns of the disclosure to the government and re-encrypts using a new key or takes other action intended to thwart the
government’s efforts.
Proposed section 2711 (d) provides exclusions. First, it clarifies that nothing in section 2711 or 2712 prohibits a recovery
agent from using or disclosing plaintext in its possession, custody, or control (except as provided in subsection (c)). This is
self-evident-CESA is not intended to affect the standards for government access to plaintext in the hands of a person
receiving appropriate process. In this regard, it is also appropriate to note that CESA does not prohibit or limit the ability of a person to respond to an authorized demand for plaintext information if such person has custody or control of the plaintext information, but maintains that same information in encrypted form. Thus, if an entity (which could be a recovery agent, or not) encrypted its own records and stored the recovery information with a recovery agent, CESA would not restrict the ability of the government to subpoena those records in plaintext form from the first entity – the one who owned the records – because the government would only be demanding the production of plaintext information from the custodian of that information. In other words, CESA does not require an enhanced legal showing for the government to obtain records from the owner of the records, even if that entity happens to be a recovery agent.
Section 2711 (d) also clarifies that nothing in proposed section 2711 or 2712 prohibits a recovery agent from using or
disclosing recovery information that is not “stored recovery information” held by it under the circumstances described in the definition of this term in proposed section 2719(7). The distinction between “recovery information” and “stored recovery information” is important. As provided in proposed section 2719, the former is merely a key or other data or object that can be used to decrypt data or communications. Stored recovery information differs in two particulars. It must be: 1) held by a recovery agent on behalf of someone else, and 2) stored under a confidentiality arrangement.
Each of the above elements must be present for recovery information to qualify for the enhanced protections of stored
recovery information. This is so because no new restrictions are necessary regarding a person’s disclosure or use of his or
her own recovery information, including when the government seeks it from the user, since the Fourth and Fifth
Amendments to the Constitution provide protections applicable to a person’s own recovery information in his or her
possession. Moreover, there is no constitutionally protected expectation of privacy in recovery information held by a third
party but not under a confidentiality arrangement. For example, if a person gives his or her recovery information to another with no limitations on its use, then the former has no reasonable expectation that the recovery information will be protected from further disclosure. In addition, if a person stores plaintext with a third party, such as an electronic communications service, who on its own initiative encrypts the information to protect it, the person who stores the plaintext has no enhanced expectation of privacy unless the electronic communications service agrees that it will decrypt the information only as instructed by the person who stored the plaintext. For these reasons, “stored recovery information,” as defined in proposed section 2719, requires confidentiality. It remains the exclusive property of the person who arranged for its storage with a recovery agent and, except as provided by CESA, may be disclosed or used by the recovery agent only with the consent of that person or that person’s agent.
It should be noted that while the distinction between “recovery information” and “stored recovery information” is important
with respect to the prohibition against disclosure or use by recovery agents, including disclosure to government entities, other aspects of CESA do not make such a distinction and protect “recovery information” that is not “stored recovery information” in other ways. For example, CESA includes notification requirements for both recovery information and stored recovery information when obtained by a governmental entity by compulsory process from a third party who holds it on behalf of another, as explained below. (See discussion of proposed sections 2712(c) and 2715.)
Proposed section 2711 (d)(3) specifically addresses “stored recovery information” and clarifies another exception to
prohibited disclosure. It states that nothing in section 2711 or 2712 prohibits a recovery agent from using stored recovery
information to decrypt data or communications if applicable statutes, regulations, or other legal authorities otherwise require the recovery agent to provide such data or communications to a governmental entity in plaintext or similar form. For example, CESA is not intended to limit any disclosure requirements of the Bank Secrecy Act and other laws that require institutions to disclose records to the government or to maintain records for government inspection. Proposed section 2711 (d)(3) is important in order to clarify that institutions required by law to disclose or maintain records for government inspection may not evade those obligations by encrypting the records.
Proposed section 2711 (e) would establish criminal penalties, with a one-year maximum prison term, for violations of the
disclosure prohibitions of section 2711.
Proposed 18 U.S.C. § 2712
Section 203 of CESA also creates a new section 2712 in title 18, United States Code, which sets forth special
requirements for governmental access to stored recovery information. This section provides protections for persons who
store recovery information with a recovery agent since the section limits the means of governmental access to such
information. [ 3 ] Existing means of government access to stored recovery information will no longer apply unless they are
authorized. For example, a governmental entity will not be able in a criminal investigation to compel disclosure of stored
recovery information from a recovery agent through a grand jury subpoena, unless disclosure is permitted by section 2711
(b)(1)(A)(i), which requires the consent of the person or entity who stored the recovery information.
It is important to note that new section 2712 reaches only the disclosure or use of “stored recovery information” (discussed above in connection with proposed section 2711 (d)). Just as CESA does not prohibit the use or disclosure either of recovery information that is not “stored recovery information” or of plaintext that is in the recovery
CESA recognizes that in certain circumstances the privacy interest of a person who has stored a decryption key with a
recovery agent must give way to the public interest in effective law enforcement. Proposed section 2712 allows a
governmental entity to require a recovery agent to disclose stored recovery information or to decrypt data or
communications using stored recovery information, but section 2712 authorizes compelling such disclosure or decryption
through four mechanisms only: (1) pursuant to a search warrant or wiretap order; (2) under federal or State process to
compel disclosure that is permitted by section 2711 (b)(1)(A)(i), which requires the consent of the person or entity who
stored the recovery information; (3) in accordance with a court order under proposed section 2712(b); or (4) pursuant to a determination by a qualifying law enforcement officer that a specified type of emergency situation exists.
The first and fourth mechanisms for governmental access to stored recovery information are set forth in proposed section
2712(a)(1) and (4) and are straightforward. The first is through a warrant under the Federal Rules of Criminal Procedure
or an equivalent State warrant or through a wiretap order under section 2518 of title 18, United States Code. The fourth
mechanism, the emergency authority provision, is modeled after a similar provision of the wiretap statute, 18 U.S.C. §
2518(7), and a similar provision of the pen register/trap and trace statute, 18 U.S.C. § 3125. The proposed provision
recognizes that an emergency situation may arise in which there is insufficient time to obtain a court order for the disclosure of stored recovery information or decryption by a recovery agent, for example, where there is immediate danger of death or serious physical injury to any person. However, disclosure is carefully restricted: the emergency basis may be determined only by a law enforcement officer specifically listed in the proposed amendment, there must be grounds upon which a court order under section 2712 could be entered, and such an order must be sought within 48 hours after the stored recovery information has been released or decryption has occurred.
The second and third approaches for governmental access to stored recovery information or decryption of data or
communications, as outlined in proposed section 2712(a)(2) and (3), reflect a careful balancing of the interests of public
safety and privacy. Currently there are no federal statutory protections for the privacy of stored recovery information per
se. Thus, for example, a grand jury subpoena may provide a mechanism for law enforcement personnel to obtain such
information from a recovery agent, without any independent basis for disclosure. CESA creates privacy protections in this
regard that do not exist under current law. Under proposed section 2712(a)(2) a grand jury or other subpoena only
provides a mechanism for a governmental entity to require a recovery agent to disclose or use stored recovery information
in the limited circumstances in which disclosure is permitted by section 2711 (b)(1)(A)(i), which requires the consent of the person or entity who stored the information, or such person’s or entity’s agent. In an unusual case a recovery agent may refuse to disclose stored recovery information to a governmental entity even though the person who stored the information has consented to disclosure. In such a case CESA authorizes the use of a subpoena or other process under federal or State law to compel disclosure of stored recovery information or the use of stored recovery information to decrypt data or communications. Thus, CESA strictly limits the use of subpoenas with respect to stored recovery information.
Not only does the restricted use of a subpoena under CESA reflect a careful balancing of privacy and public safety
interests, so does the court-order approach to governmental access to stored recovery information set forth in proposed
section 2712(a)(3). It authorizes a governmental entity to require a recovery agent to disclose stored recovery information
or to use stored recovery information to decrypt data or communications pursuant to a court order that meets the
requirements of section 2712(b). This provision sets forth four criteria for a court order: (1) the use of the stored recovery
information is reasonably necessary to allow access to the plaintext of data or communications; (2) access is otherwise
lawful; (3) the governmental entity will seek access within a reasonable time; and (4) there is no constitutionally protected
expectation of privacy in the plaintext, or the privacy interest created by the expectation has been overcome by consent,
warrant, order, or other authority. A court must issue an order under section 2712(b) if it finds, based on “specific and
articulable facts,” that the above criteria are satisfied.
It is important to recognize that the key requested must, under section 2712(b)(1), be “reasonably necessary” to allow
access to the plaintext of the relevant data and communications. To make clear that this authorization must be limited to the extent possible to the information which is actually necessary to obtain the relevant plaintext, section 2712(b) also provides that an order under that section directing the disclosure of stored recovery information shall be limited to the extent practicable to directing the disclosure of only that stored recovery information that is necessary to allow access to the plaintext of the relevant data and communications.
The third criterion of section 2712(b) (proposed section 2712(b)(3))-that the governmental entity will seek access to the
plaintext within a reasonable time-is a protection designed to eliminate the possibility that governmental entities could obtain decryption keys under CESA’s court-order provision and warehouse them for future use with respect to encrypted data, including data other than that for which the key was obtained. The fourth court-order criterion outlined above (proposed section 2712(b)(4), that there must be no constitutionally protected expectation of privacy in the plaintext the governmental entity is seeking through use of a key or through decryption by the recovery agent, or that the privacy interest created by such expectation has been overcome) is necessary to assure that the governmental entity’s use of a stored decryption key, or a recovery agent’s disclosure of plaintext obtained by using a stored key, would pass constitutional muster. In other words, the government may request a key under this provision only if it may use the key to decrypt the encrypted information, without violating a person’s constitutionally protected expectation of privacy. The requirement would likely be met, for example, where the governmental entity had obtained a search warrant that applies to the plaintext itself and later sought a court order for disclosure of the stored key. Under this theory the use of the key to obtain plaintext is authorized by the search warrant for plaintext.
Another feature of proposed section 2712 is the notice requirement in subsection (c). Within 90 days after receiving stored recovery information or decrypted data from a recovery agent, the governmental entity must notify the person, if known, who stored the recovery information that stored recovery information was disclosed or used by the recovery agent. Delay in notice is permitted for good cause.
Proposed section 2712(d) provides for cost reimbursement to the recovery agent of costs that are reasonably necessary
and directly incurred in providing stored recovery information or decrypting data or communications. However, this section is applicable only when the government proceeds under section 2712(b), requiring by order that a recovery agent provide stored recovery information (which must be the decryption key of another person or entity) or use such information to decrypt data and communications. Because of the definition of “stored recovery information,” which requires that the information disclosed or used (the decryption key) be of another, and as made clear by the exclusions of section 2711 (d), no person may obtain reimbursement under this section for production of its own recovery information or for decrypting its own records, even if that person happens to be a recovery agent. In each case, no order under section 2712(b) is required.
Proposed section 2712 also contains a provision aimed at assistance to foreign governments. The last paragraph of subsection (a) clarifies that a federal governmental entity, on behalf of and for the benefit of a foreign government, may require a recovery agent to disclose stored recovery information to it or another federal governmental entity, or to use stored recovery information to decrypt data or communications, pursuant to one of the mechanisms set forth in this subsection (warrant, subpoena or other process under limited circumstances, court order, or emergency determination) and pursuant to a request of the foreign government under applicable legislation, treaties, or other international agreements. For example, under this provision a foreign government could request the assistance of the federal government, which could then seek a court order to require a recovery agent to disclose stored recovery information to the federal entity or to use stored recovery information to decrypt data that would ultimately benefit the foreign government.
The foreign government’s request for assistance to the federal government need not be limited to a formal request under a
mutual legal assistance treaty but may be any request made by a foreign government consistent with applicable legislation,
treaties, or other international agreements. For example, the United States has entered into and the Senate has ratified many mutual legal assistance treaties under which the United States gives and receives legal assistance to and from foreign
sovereigns. Foreign sovereigns also may seek assistance under an older letters rogatory regime that is supported by statute (see below), or under other international agreements not ratified by the Senate, including executive agreements between corresponding executive authorities in the United States and a foreign state. Such executive agreements are limited in scope by Congress’ grant of authority to the relevant agency. Long-standing United States law governs the execution of any such request and effectively protects individual civil liberties.
Specifically, a well-established body of law and the relevant federal statute governing the execution of all foreign assistance requests bar the compelled production of anything “in violation of any legally applicable privilege.” 28 U.S.C. § 1782 (emphasis added). Moreover, the mutual legal assistance treaties ratified by the Senate (which have the force of law) explicitly refer to the obligation of the United States to protect the legal and constitutional rights of United States’ persons. Other international agreements similarly include such “essential interests” clauses. The United States has assisted, and will continue to assist, other sovereigns while simultaneously guarding civil liberties.
For example, a foreign sovereign may not share the United States’ essential interest in free speech under the First
Amendment, and, for example, may seek to investigate constitutionally protected activity. In such a case, whether the
request is made under a treaty or other international agreement, the United States asserts its essential interest in the
protection of speech and refuses to provide the assistance sought.
The foreign government provision is needed because the ability of the United States to assist foreign governments in
appropriate cases puts the United States in the best position to seek and obtain assistance that it will need to pursue its own critical investigations and interests: The nature of international commerce and crime is such that encrypted data containing information important to a domestic interest, such as a United States criminal prosecution, may be decrypted with a key held in another country. Obtaining that key may be critical to the United States prosecution. Further, the United States has an independent interest in assisting foreign authorities in enforcing their criminal laws and other enforcement schemes. For example, German investigators may be unable to uncover crimes by a computer hacker in Germany if that hacker has encrypted his or her communications and stored the key with a recovery agent in the United States. Assistance to foreign officials in such a case is important so that international borders do not impose insuperable burdens on criminal investigations.
While proposed section 2712(a) specifies its applicability in the context of assistance to a foreign government, this
provision is not intended to limit the applicability of other provisions of law upon which the federal government relies in
assisting foreign governments to obtain other types of information (i.e., information other than that addressed by proposed
section 2712) or in providing other types of law enforcement support to foreign governments. That is, the absence of such
provisions in other statutes does not imply that the United States lacks authority to use those provisions to assist foreign
governments. Proposed section 2712(a) merely clarifies that recovery agents may be required to disclose stored recovery
information or to decrypt data or communications when a federal governmental entity seeks such information for the benefit of a foreign government. By providing explicitly for foreign government assistance, the United States ensures that it will not become a data haven for those who would circumvent their national laws by storing recovery information in the United States.
Proposed 18 U.S.C. § 2713
Section 203 of CESA establishes another mechanism for obtaining recovery information, namely, through proposed section 2713 of title 18, United States Code. This section provides that a governmental entity may seek a warrant under the Federal Rules of Criminal Procedure to search for and obtain recovery information or other information necessary to obtain access to the plaintext of data or communications, or to install and use a recovery device. A recovery device, as defined in proposed section 2719, is any enabling or modification of any part of a computer or other system, including hardware or software, that allows plaintext to be obtained even if attempts are made to protect it through encryption or other security techniques or devices. This section also allows searches for other information necessary to obtain access to the plaintext of data or communications because access control devices such as passwords can also limit the ability of the government to obtain access to data, and searches under section 2713 may be necessary to obtain access to plaintext despite use of such measures.
A search warrant authorizing a governmental entity to search for and obtain recovery information or to install a recovery
device is especially important in situations in which the person who has used encryption has not stored a key with a
recovery agent. In such cases the only way to obtain needed information in plaintext form may be through a search of the
user’s computer for recovery information or an alteration of a user’s hardware or software that allows plaintext to be
obtained. For example, a distributor of child pornography may send encrypted images to members of a child pornography
ring who possess the key needed to decrypt these images. It is unlikely that the offenders would have stored the key with a recovery agent. Thus, the only means for law enforcement to obtain evidence of the transmission of child pornography may be through the execution of a warrant authorizing alteration of software.
Proposed section 2713 clarifies the power of a court to issue a warrant authorizing a federal governmental entity to search
for and obtain recovery information or other information necessary to obtain access to plaintext, or to install and use a
recovery device, without contemporaneous notice. Proposed section 2713 also establishes additional procedures needed
for the execution of such a warrant.
First, proposed section 2713 provides for delayed notice if approved by the court upon an ex parte showing of good
cause. Delayed notice will often be necessary to assure that a warrant can be executed without being thwarted by the
person affected. For example, in a case involving surreptitious action by law enforcement to install a recovery device,
notice at the time of the installation would cause the owner of the affected computer to attempt to disable the device or
simply to use another computer, making any attempt to search the affected computer ineffective. Proposed section 2713
also establishes authority for the warrant to direct landlords and others to assist the government in executing the warrant,
with compensation for expenses directly incurred in such assistance. The assistance provision is similar to a provision in the wiretap statute, 18 U.S.C. § 2518(4). Proposed section 2713 also provides for the sealing of a warrant issued under this
provision and the prohibition of the disclosure of information surrounding the existence of the search or modification and of information obtained through the investigation. In addition, proposed section 2713 mandates minimization of the impact of the intrusion and provides for disabling the recovery device after its use is completed. Finally, proposed section 2713
specifies that nothing in the section shall be construed to prevent the adoption of analogous procedures under State law.
It should be noted that proposed section 2713 does not amend the requirements for or scope of an interception order
under existing section 2518 of title 18, United States Code. When the government seeks to perform a covert entry or to
take other action in aid of an authorized interception under section 2518, the government retains its existing authority to do so pursuant to an appropriate order of a court. Similarly, nothing in proposed section 2713 permits the government to
perform an interception within the parameters of chapter 119 without complying with the provisions of that chapter.
Although proposed section 2713 does not expressly address assistance to a foreign government, a federal governmental
entity may seek a warrant under this provision in order to assist a foreign government.
In addition, section 2713(h) requires reporting for the first three years it is in operation regarding the number and type of
warrants requested under the delayed notice provision of section 2713. For each application for a warrant with delayed
notice under section 2713, within 30 days after the notice required by section 2713(b) is filed with the court or the
application for delayed notice under section 2713 is denied, the issuing or denying judge shall report to the Administrative
Office of the United States Courts a number of facts concerning the application and warrant. In April of each year the
Director of the Administrative Office of the United States Courts shall transmit to the Congress a summary and analysis of
the data required to be filed.
Proposed 18 U.S.C. § 2714
Proposed section 2714 provides limitations on the use and disclosure of recovery information obtained by a governmental
entity by compulsory process and also requires destruction of such information. The protections established by this
provision are broad in scope and apply to recovery information obtained from a recovery agent, as well as to recovery
information obtained from other sources. Thus, proposed section 2714 has broader scope than section 2712, which only
addresses government access to stored recovery information (which, by definition, is held by a recovery agent).
The breadth of subsection (a) is reflected in its two paragraphs. Paragraph (1) limits the use of recovery information
obtained by a governmental entity from a recovery agent under proposed section 2712 or through a recovery device or
other search under proposed section 2713 in accordance with the order or warrant so issued, which must specify the
categories of data and communications that may be decrypted. A further court order would be necessary for any additional uses. Paragraph (2) addresses recovery information obtained by a governmental entity through compulsory process other than under sections 2712 and 2713. It authorizes the use of such information only in connection with the matter for which the recovery information was obtained and related matters, and only if the decryption is appropriate to the proper performance of the official functions of the governmental entity. Thus, for example, a governmental entity that uses a grand jury subpoena to obtain recovery information from a person who is not a recovery agent would be limited by subsection (a)(2) in its use of the recovery information obtained. A court of competent jurisdiction may permit further uses.
Subsection (b) of proposed section 2714 imposes limitations on the disclosure and subsequent use of recovery information obtained by a governmental entity through compulsory process. This provision applies to recovery information obtained from a recovery agent under proposed section 2712, to recovery information obtained through a delayed notice warrant under proposed section 2713, and to recovery information obtained through any other compulsory process, such as a grand jury subpoena issued to a third party key-holder who is not a recovery agent. Subsection (b) allows disclosure of recovery information obtained by the governmental entity only to the extent such disclosure is in connection with the matter for which the recovery information was obtained and any related matters, and only if the disclosure is appropriate to the proper performance of the official functions of the disclosing governmental entity. Further use by the receiving entity is governed by the limitations in subsection (a), and further disclosure by the receiving entity is also prohibited. As in
subsection (a), subsection (b) allows exceptions in accordance with an order of a court of competent jurisdiction.
Subsection (c) of proposed section 2714 concerns the destruction of recovery information. The scope of information to
which it applies is as broad as that to which subsection (b) applies. Subsection (c) requires the destruction of recovery
information obtained by compulsory process at a time specified by this provision and applies to a governmental entity, a
recovery agent assisting a governmental entity, and any other person or entity that has received disclosure under section
2714. Any exception to these requirements must be authorized by an order of a court of competent jurisdiction.
Proposed 18 U.S.C. § 2715
Proposed section 2715 requires notice of access to recovery information held by third parties and knowingly obtained by a governmental entity by compulsory process, other than under proposed sections 2712 or 2713, which contain their own
notice provisions. For example, under section 2715 a governmental entity would be required to notify a person who had
asked a friend to hold a decryption key on the former’s behalf if the governmental entity had knowingly obtained the key by compulsory process, such as through a grand jury subpoena. Thus, whether a person chooses a recovery agent or a friend to hold a decryption key on his or her behalf, notice must be provided to such person of the government’s access to the key. The notice must be provided within 90 days of the date on which the government obtains the key, unless the date is postponed by a court of competent jurisdiction on a showing of good cause.
Proposed 18 U.S.C. § 2716
Another amendment contained in section 203 of CESA is the addition of proposed section 2716 to title 18, United States
Code. This section would ban a cause of action against a provider of wire or electronic communications service or
recovery agent and others for providing information, facilities, or assistance in accordance with the terms of a court order,
emergency request, grand jury subpoena, warrant, or other process under proposed sections 2711, 2712 or 2713, or for
disclosing information to a governmental entity to assist it in obtaining lawful access to information protected by encryption
or other security techniques or devices, unless the disclosure is otherwise prohibited by chapter 121, as amended. This
provision serves as an exception to the cause of action provided for in 18 U.S.C. § 2707 (amended by section 202 of
CESA) and in effect parallels section 2703(e) of current law, which places a similar ban on a cause of action against a
provider of wire or electronic communication service for specified actions that accord with Chapter 121 of title 18, which is amended by CESA. The second part of this provision is necessary to protect those entities that assist governmental entities in obtaining access to plaintext, particularly by sharing trade secret information pursuant to proposed section 2717, from litigation based on actions they take in the interests of public safety.
Proposed 18 U.S.C. § 2717
Section 203 of CESA also contains a provision designed to protect, in appropriate circumstances, against disclosure in
court proceedings of government methods of access to information protected by encryption or other security techniques or devices. Proposed section 2717(a) of title 18, United States Code, would allow an attorney for the government to file, ex parte and in camera, an application requesting the court to enter an order protecting the confidentiality of a technique that provided access to such information. Section 2717(b) authorizes the court to enter such an order if the court finds that disclosure is likely to jeopardize an ongoing investigation, compromise the technique for the purposes of future
investigations, result in injury to any person, or jeopardize public health and safety, or if the court finds that disclosure could reasonably be expected to affect the national security. As the proposed statute makes clear, any such order must be consistent with constitutional requirements and limitations. Proposed section 2717(b) specifically provides that a
confidentiality order under this section may direct the use of special procedures, as appropriate, relating to the admissibility of evidence obtained through an access technique that the government seeks to protect from disclosure. Thus, for example, a court can devise procedures that guard a defendant’s Sixth Amendment right to the confrontation of witnesses while also preserving the confidentiality of the government’s access techniques.
Section 2717 applies to any civil or criminal case, whether or not the government is a party. In addition, although proposed section 2717(a) authorizes that such a request be filed by an “attorney for the government” as that term is defined in the Federal Rules of Criminal Procedure (see Rule 54), which generally limits the term to federal prosecutors, the court order under subsection (b) may protect the confidentiality of access techniques used by any “governmental entity.” This term includes State and local governments under proposed section 2719. Thus, for example, access techniques used by a State investigator and later disclosed to federal investigators for purposes of federal prosecution will be eligible for a court order of protection.
Proposed section 2717 also generally prohibits the government from disclosing trade secrets disclosed to it to assist it in obtaining access to information protected by encryption. This section provides exceptions where disclosure is to another governmental entity, is necessary to implement methods of access, is with the consent of the person or entity that owns the trade secret, or is ordered by a court of competent jurisdiction. Section 2717 also provides that it shall not be deemed to affect the Classified Information Procedures Act.
Proposed 18 U.S.C. § 2718
The next provision in section 203 of CESA is proposed section 2718 of title 18, United States Code, which addresses
foreign intelligence information. It provides that sections 2711 through 2715 shall not apply to the acquisition by the United States of foreign intelligence information as defined in section 101(e) of the Foreign Intelligence Surveillance Act of 1978, or otherwise affect any lawfully authorized intelligence activity of an officer, agent, or employee of the United States, or a person acting pursuant to a contract with the United States. For example, under existing authorities, such as the Foreign Intelligence Surveillance Act, 50 U.S.C. § 1801 et seq., the government is authorized to engage in electronic surveillance for the purpose of collecting foreign intelligence and foreign counterintelligence information. These authorities permit the government to direct others to provide technical cooperation that the government deems necessary to obtain the plaintext of communications and data. Section 2718 makes clear that the government’s existing authority to secure such cooperation for the purpose of collecting foreign intelligence and counterintelligence information is in no way impaired, burdened, or otherwise restricted by any provision of CESA. Appropriate restrictions on the use of information derived from and related to such intelligence and counterintelligence investigations are already implemented under existing authorities.
Section 204
Proposed 18 U.S.C. § 2719
Section 204 of CESA contains definitions for Chapter 121 of title 18, United States Code. The definitions currently in this chapter, 18 U.S.C. § 2711, would be retained as new section 2719(1) and (2), and many new definitions would be added. The distinction between “recovery information” and “stored recovery information” is discussed in the analysis of proposed section 2711(d).
Sections 205 and 206
Sections 205 and 206 provide technical and conforming amendments.
Section 301
Section 301 would amend section 2516(1)(c) to add felony violations of 18 U.S.C. § 1030, relating to computer fraud and abuse, to the list of offenses for which an order to intercept wire or oral communications may be sought. This amendment is needed because violations of section 1030 are sufficiently similar to and as serious as the other specified predicate offenses, e.g., violations of 18 U.S.C. § 1029. In addition, in order to obtain access to decryption keys used by persons engaged in computer intrusions, who are among those criminals most likely to use encryption to hide criminal activity, the government may find it necessary to intercept wire or oral communications.
such a change.
Section 402
Section 402 of CESA permits the head of a federal law enforcement agency to limit the number of sources from which it
solicits bids or proposals if he or she determines that disclosure of agency needs pertaining to the procurement of sensitive
equipment, goods, or services associated with obtaining plaintext might reasonably jeopardize an ongoing or future
investigation or the use of such equipment, goods, or services by the agency.
Section 403
Section 403 amends section 3371 of title 5, United States Code, to provide for personnel exchange programs between
industry and the federal government to further the purposes of CESA.
Section 404
Section 404 of CESA concerns severability and provides that if any provision of the Act is held invalid, the remainder of
the Act shall not be affected.
Footnotes
[1] A “recovery agent” is defined in proposed section 2719 as a person who provides recovery information storage
services in the United States to the public, or as a person, other than an individual, who provides recovery information
storage services in the United States to more than one other person as a business practice. Thus, it includes both entities
that provide storage services to the public and, for example, a trusted company that stores recovery information as a
business practice for more than one other company with which the former does business, but that does not provide such
storage services to the public at large.
[2] “Recovery information” is defined in proposed section 2719 to mean a parameter that can be used with an algorithm, or other data or object, that can be used to decrypt data or communications, and “stored recovery information” is defined to mean recovery information held in a confidentiality arrangement as described in proposed section 2719, by a recovery agent on behalf of a person who is not an officer, agent, or employee of the recovery agent acting in that capacity.
[3] Of course, a governmental entity may still proceed under proposed section 2711(b)(1)(A) if the requirements of that provision are met.
agent’s possession, custody, or control, CESA does not present any obstacles to a governmental entity’s obtaining such
information. Further, section 2712 does not restrict the government’s access to recovery information held by someone who
is not a recovery agent, such as a neighbor or friend who holds another person’s decryption key for safekeeping. A
governmental entity may use existing means to obtain such plaintext or recovery information.