Surviving longer than any other bill to ease encryption export rules so far, the SAFE Act was approved by a key congressional committee today.
The House Judiciary Committee approved the bill after an 11th-hour move yesterday to scrap a provision that would have made the use of encryption "in furtherance of a crime" punishable by up to five years in prison. Opponents had said the condition could potentially make just about anyone who used encryption a criminal.
The SAFE law would also eliminate the Clinton administration's requirement to build so-called key recovery systems, which let law enforcement officials with court orders unscramble encrypted communications. Federal agencies say they need this ability because criminals can use encrypted data to help them commit crimes.
Rep. Bill Delahunt (D-Massachusetts) introduced the amendment to the bill, which was sponsored by Rep. Bob Goodlatte (R-Virginia).
The revision states that the punishable crime must be a felony. Further, the perpetrator must "knowingly and willfully encrypt incriminating information relating to that felony with the intent to conceal such information for the purpose of avoiding detection by law enforcement agencies or prosecution."
SAFE will now go before the International Relations Committee, the next step being a House vote. The bill also includes an amendment that requires the Justice Department to report instances in which encryption has hampered law enforcement methods on a yearly basis.
"It's very significant because this is the furthest that any encryption legislation to [lessen export regulations] has moved in Congress," David Sobel, staff counsel to Electronic Privacy Information Center, said today. "This process is far from over, however."
The Software Publishers Association, which represents companies who make encryption, applauded the bill's progress.
"If U.S. software companies are not allowed to freely compete in the growing market for Internet and electronic commerce products, then all U.S. businesses will suffer," said Lauren Hall, SPA chief technologist expert. "Export restrictions only serve to keep personal and corporate data vulnerable, threaten U.S. technical superiority, and undermine the competitiveness of U.S. software manufacturers."
The White House opposes the SAFE Act and Senate legislation known as the Pro-Code bill, which would also overturn federal limits on the export of strong encryption.
But SAFE has fared better with privacy advocates because Pro-Code would create an information security board made of federal agency members to review software security issues. The board is drawing fire because it would not have to comply with federal open-meeting laws.
"If the House passes SAFE and the Senate passes Pro-Code, there will have to be some reconciliation between the two bills," Sobel said.
The White House floated its own proposal in March that would create a voluntary "key management infrastructure" for domestic encryption. The bill has yet be sponsored, but an outline of a new bill by Sen. Bob Kerrey (D-Nebraska) seems similar.
Kerrey's effort would require universities and other online networks funded by the federal government to give up keys to their encryption data. It also allows for a "fast-track review" for encryption used in financial transaction software, but this provision was already granted by the government last week. (See related story.)