Privacy and Encryption Protection Act Exposed
The Privacy and Encryption Protection Act is a draft model policy considered by ALEC's Communications and Technology Task Force at the 2016 States and Nation Policy Summit in December, 2016. (Accessed October 27, 2016).
ALEC Bill Text
Summary
The proliferation of encryption technologies that protect Americans’ private electronic information against hackers, criminals, and government surveillance presents new challenges for legitimate law enforcement investigations. This model act aims to provide some clarity for the courts, law enforcement, and consumers by stating that a warrant is required prior to the search of encrypted private information.
SECTION 1. {Title}
This Act may be cited as the Electronic Data Defense Act.
SECTION 2. {Purpose}
The purpose of this Act is to clarify requirements for searches of Encrypted Private Information.
SECTION 3. {Definitions}
(A) As used in this subchapter, unless the context otherwise indicates, the following terms have the following meanings.
- 1. Adverse Result. “Adverse Result” means:
  - a. Immediate danger of death or serious physical injury;
  - b. Flight from prosecution;
  - c. Destruction of or tampering with evidence;
  - d. Intimidation of a potential witness; or
  - e. Substantially jeopardizes an investigation.
- 2. Computer. “Computer” means an electronic, magnetic, optical, electrochemical, or other high-speed data processing device that performs logical, arithmetic, or memory functions by the manipulations of electronic or magnetic impulses and includes all input, output, processing, storage, or communication facilities that are connected or related to the device.
- 3. Computer System. “Computer system” means any combination of a computer or computer network with the documentation, computer software, or physical facilities supporting the computer or computer network.
- 4. Decryption, Decrypt and Decrypted. “Decryption,” “decrypt,” or “decrypted” means the decoding of encrypted communications or information, whether by use of a decryption key or by breaking an encryption formula or algorithm, or the interference with a person’s use of an encryption service that causes information or communications to be stored or transmitted without encryption.
- 5. Decryption Key. “Decryption key” means the variable information used in or produced by a mathematical formula, code, or algorithm, or any component thereof, including an initiating passcode, used to encrypt or decrypt communications or information.
- 6. Domestic Entity. “Domestic Entity” has the meaning assigned by the state business organizations code.
- 7. Electronic Communication. “Electronic Communication” means any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system, but does not include—
  - a. any wire or oral communication;
  - b. any communication made through a tone-only paging device;
  - c. any communication from a tracking device (as defined in section 3117 of this title); or
  - d. electronic funds transfer information stored by a financial institution in a communications system used for the electronic storage and transfer of funds.
- 8. Electronic Communication Service. “Electronic Communication Service” means a service that provides to users the ability to send or receive Wire or Electronic Communications, as defined in 18 U.S.C. § 2510(15).
- 9. Encrypted Private Information. “Encrypted Private Information” means encrypted data, documents, wire or electronic communications, or other information stored on a computer or computer system, whether in the possession of the owner or a provider of an Encryption Service, Electronic Communications Service, or Remote Computing Service, and which has not been exposed to the general public.
- 10. Encryption, Encrypt or Encrypted. “Encryption,” “Encrypt” or “encrypted” means the encoding of data, documents, wire or electronic communications, or other information, using mathematical formulas or algorithms in order to preserve the confidentiality, integrity, or authenticity of, and prevent unauthorized access to, such information.
- 11. Encryption Service. “Encryption Service” means a computing service, computer device, computer software, or technology with encryption capabilities, and includes any subsequent version of or update to an Encryption Service.
- 12. Government Entity. “Government Entity” means a department or agency of the United States or any State or political subdivision thereof.
- 13. Remote Computing Service. “Remote Computing Service” means, as defined in 18 U.S.C. § 2711(2), the provision to the public of computer storage or processing services by means of an electronic communications system, as defined in 18 U.S.C. § 2510(14).
- 14. Wire Communication. “Wire Communication” means any aural transfer made in whole or in part through the use of facilities for the transmission of communications by the aid of wire, cable, or other like connection between the point of origin and the point of reception (including the use of such connection in a switching station) furnished or operated by any person engaged in providing or operating such facilities for the transmission of interstate or foreign communications or communications affecting interstate or foreign commerce.
SECTION 4. {Warrant required prior to Decryption of Electronic Private Information or compelled disclosure of Decryption Key}
(A) Except as provided in this subchapter or another provision of law, a Government Entity may not compel disclosure of a Decryption Key from a person or a provider of an Encryption Service without a valid search warrant, based upon probable cause, issued by a duly authorized judge or justice using state warrant procedures.
(B) Except as provided in this subchapter or another provision of law, a Government Entity may not Decrypt, by technological means, a person’s Encrypted Private Information, whether in the possession of the person, a provider of an Encryption Service, Electronic Communications Service or a Remote Computing Service, or other third party without a valid search warrant, based upon probable cause, issued by a duly authorized judge or justice using state warrant procedures.
(C) A warrant issued under this subchapter may be served only on an Encryption Service provider, Electronic Communications Service provider or a Remote Computing Service provider that is a Domestic Entity or a company or entity otherwise doing business in this state under a contract or terms of service agreement with a resident of this state, if any part of that contract or agreement is to be performed in this state, the service provider shall produce all information sought regardless of where the information is held and within the period allowed for under the state’s criminal code provisions for compliance with the warrant.
(D) A judge or justice may issue a search warrant under this subchapter for Encrypted Private Information, regardless of whether the Encrypted Private Information is held at a location in this state or at a location in another state.
SECTION 5. {Notice}
(A) Notice must be given to the person whose Encrypted Private Information was obtained, searched or Decrypted by a Government Entity.
(B) Timing and content of notice. Unless delayed notice is ordered under subsection C, the Government Entity shall provide notice to the person within three days of obtaining, searching or decrypting the Encrypted Private Information. The notice must be made by service or delivered by registered or first-class mail, e-mail or any other means reasonably calculated to be effective as specified by the court issuing the warrant. The notice must contain the following information:
- 1. The nature of the law enforcement inquiry, with reasonable specificity;
- 2. The specific Encrypted Private Information of the person that was obtained, searched or decrypted by the Government Entity and the date(s) on which such actions occurred;
- 3. If Encrypted Private Information or a Decryption Key was obtained from a provider of an Encryption Service, Electronic Communications Service or a Remote Computing Service, the identity of the provider from whom the information was obtained; and
- 4. Whether the notification was delayed pursuant to subsection C and, if so, the court that granted the delay and the reasons for granting the delay.
(C) Delay of notification. A Government Entity acting under section 4 may include in the application for a warrant a request for an order to delay the notification required under this section for a period not to exceed 90 days. The court shall issue the order if the court determines that there is reason to believe that notification may have an Adverse Result. Upon expiration of the period of delay granted under this subsection and any extension granted under subsection E, the Government Entity shall provide the person a copy of the warrant together with a notice pursuant to subsections A and B.
(D) Preclusion of notice. A Government Entity acting under section 4 may include in its application for a warrant a request for an order directing a provider of an Encryption Service, Electronic Communications Service or a Remote Computing Service to which a warrant is directed not to notify any other person of the existence of the warrant for a period of not more than 90 days. The court shall issue the order if the court determines that there is reason to believe that notification of the existence of the warrant may have an Adverse Result. Absent an order to delay notification or upon expiration of the period of delay, a provider of an Encryption Service, Electronic Communications Service or a Remote Computing Service to which a warrant is directed may provide notice to any other person.
(E) Extension. The court, upon application, may grant one or more extensions of orders granted under subsection C or D for up to an additional 90 days.
SECTION 6. {Preservation}
(A) A provider of an Encryption Service, Electronic Communications Service or a Remote Computing Service, upon the written request of a Government Entity, shall take all necessary steps to preserve Encrypted Private Information in its possession pending the issuance of a warrant.
(B) Period of retention. Except as provided below, Encrypted Private Information referred to in paragraph (1) shall be retained for a period of 90 days, which shall be extended for an additional 90-day period upon a renewed request by the Government Entity.
(C) Limitations. A preservation request under this subsection shall not require the provider to collect and store additional records on an ongoing basis after the initial preservation is complete. No Government Entity shall make a preservation request under this subsection with respect to any individual customer account more than twice in any 90-day period. Only the requesting Government Entity shall be entitled to receive the records preserved pursuant to a given request.
(D) Good-faith certification; release from obligation.
- 1. Any preservation request under this subsection shall include a statement that there are sufficient facts to establish probable cause that the records to be preserved constitute evidence of a criminal offense and that the requestor has a present intention to obtain a warrant for those records within the 90-day preservation period.
- 2. Upon determining that a need for the records (or any portion thereof) no longer exists, the requestor shall within 7 days thereafter rescind the preservation request in writing. Upon receiving such a notification, a provider shall be immediately relieved of the obligation to continue preservation of the specified records.
(E) Exclusivity. With the exception of 18 U.S.C. § 2703(f), the procedures in this subsection shall be the exclusive means by which a governmental entity may request that a provider of an Encryption Service, Electronic Communications Service or a Remote Computing Service preserve records and other evidence in its possession pending the issuance of a warrant.
SECTION 7. {Conditions of use of information}
(A) Use of Encrypted Private Information obtained in violation of this subchapter not admissible. Except as proof of a violation of this subchapter, information obtained in violation of this subchapter is not admissible as evidence in a criminal, civil, administrative or other proceeding.
(B) Conditions of use of Encrypted Private Information in proceeding. Encrypted Private Information obtained pursuant to this subchapter or evidence derived from that information may be received in evidence or otherwise disclosed in a trial, hearing or other proceeding only if each party, before the trial, hearing or proceeding, has been furnished with a copy of the warrant and accompanying application under which the information was obtained pursuant to the state code of criminal procedure.
(C) Exception. The requirement under subsection B may be waived if a judge makes a finding that it was not possible to provide a party with the warrant and accompanying application prior to a trial, hearing or proceeding and that the party will not be prejudiced by the delay in receiving the information.
SECTION 8. {Action against a corporation}
(A) No cause of action shall lie in any court of this state against any provider of an Encryption Service, Electronic Communications Service or a Remote Computing Service, or its officers, employees, agents or other specified persons for providing information, facilities or assistance in accordance with the terms of a warrant under this subchapter or with a good faith reliance on a warrant.
SECTION 9. {Evidentiary Admissibility}
(A) An original or certified copy of Encrypted Private Information produced pursuant to a warrant in accordance with this Act shall be self-authenticating and admissible into evidence as provided in Fed. R. Evid. 902(11) and 803(6).
SECTION 10. {Reimbursement}
(A) Payment. Except as otherwise provided by law, a Government Entity obtaining Encrypted Private Information or a Decryption Key under this Act shall pay to the person or entity assembling or providing such information a fee for reimbursement for costs as are reasonably necessary and which have been directly incurred in searching for, assembling, reproducing, or otherwise providing such information. Such reimbursable costs shall include any costs due to necessary disruption of normal operations of any Encryption Service, Electronic Communications Service or Remote Computing Service in which such information may be stored.
(B) Amount. The amount of the fee provided by subsection (a) shall be as initially determined by the person or entity providing the information. If the Government Entity does not agree to such fee, the Government Entity may apply for a redetermination of the fee to the court which issued the warrant for production of such information (or the court before which a criminal prosecution relating to such information would be brought, if no warrant was issued for production of the information). If the fees initially determined by the person or entity providing the information are upheld by the court, the person or entity providing the information shall be entitled, in addition to the fees initially determined, to recover its costs and reasonable attorney’s fees resulting from the Government Entity’s contest of its fees.
SECTION 11. {Reasonable Expectations of Privacy in Encrypted Private Information}
(A) Any person that uses an Encryption Service to protect the privacy or confidentiality of that person’s private communications or information shall maintain a reasonable expectation of privacy in such Encrypted Private Information, notwithstanding any attempts by a third party to decrypt the information or otherwise interfere with the person’s encryption service without authorization.
SECTION 12. {Presumption of Lawful Use of Encryption}
(A) A person’s use of Encryption or an Encryption Service shall be presumed a lawful and legitimate means of protecting the person’s privacy and no negative legal inferences may be drawn from such use. Encryption shall not constitute per se evidence of wrongdoing or guilt in any criminal, civil, administrative or other legal proceeding.
(B) This presumption may be overcome only on a showing of clear and convincing evidence that the person using Encryption has otherwise engaged in wrongdoing, unlawful, or harmful acts involving an Encryption Service.
SECTION 13. {Limitations}
(A) The repeal or amendment by this Act of any law, whether temporary or permanent or civil or criminal, does not affect pending actions, rights, duties, or liabilities founded thereon, or alter, discharge, release or extinguish any penalty, forfeiture, or liability incurred under the repealed or amended law, unless the repealed or amended provision shall so expressly provide. After the effective date of this Act, all laws repealed or amended by this Act must be taken and treated as remaining in full force and effect for the purpose of sustaining any pending or vested right, civil action, special proceeding, criminal prosecution, or appeal existing as of the effective date of this Act, and for the enforcement of rights, duties, penalties, forfeitures, and liabilities as they stood under the repealed or amended laws.
SECTION 14. {Effective Date}
(A) This Act takes effect upon approval by the Governor.
SECTION 15. {Severability Clause}
(A) Should any part of this Act be rendered or declared unconstitutional by a court of competent jurisdiction of the State, such invalidation of such part or portion of this Act should not invalidate the remaining portions thereof, and they shall remain in full force and effect.
SECTION 16. {Repealer Clause}
(A) The following laws are hereby repealed: