Line by line, how the US anti-encryption bill will kill our privacy, security
El Reg takes latest Burr-Feinstein legislation apart
Analysis In the wake of the FBI's failed fight against Apple, Senators Richard Burr (R-NC) and Dianne Feinstein (D-CA) have introduced a draft bill that would effectively ban strong crypto.
The bill would require tech and communications companies to allow law enforcement with a court order to decrypt their customers' data. Last week a draft copy of the bill, dubbed the Compliance with Court Orders Act of 2016, was leaked, but the new version is even worse than the discussion draft.
The bill would apply to "device manufacturers, software manufacturers, electronic communication services, remote communication services, providers of wire or electronic communication services, providers of remote communication services, or any person who provides a product or method to facilitate a communication or to process or store data." That's a pretty wide net.
"No entity or individual is above the law," said Feinstein. "The bill we have drafted would simply provide that, if a court of law issues an order to render technical assistance or provide decrypted data, the company or individual would be required to do so.
"Today, terrorists and criminals are increasingly using encryption to foil law enforcement efforts, even in the face of a court order. We need strong encryption to protect personal data, but we also need to know when terrorists are plotting to kill Americans."
Not that it would stop terrorists – apart from the very, very stupid ones. This law would only apply to US companies or overseas firms with offices here, so anyone else who writes encryption software would still be able to sell their code online to the evil terrorists and their ilk.
"Encryption has proven to be one of our most effective tools to combat crime and is critical to keeping Americans safe and their private information secure," said Application Developers Alliance President and CEO Jake Ward.
"Efforts to undermine security – especially those compelling companies and developers to act against the best interests of their consumers – is short-sighted and will ultimately stifle the inventiveness and ingenuity that has made America the world's innovation leader. This is a trade-off that cannot be had."
Line by terrible line
Here at Vulture West we've gone through the legislation to see what exactly is in the bill. Here, for your delectation, are the worst bits:
All providers of communications services and products (including software) should protect the privacy of United States persons through implementation of appropriate data security and still respect the rule of law and comply with all legal requirements and court orders.
This is the crux of the issue. The senators want to have their cake – by requiring tech companies to protect their customers' data – and eat it too – by insisting that law enforcement can break the code.
According to the best minds in cryptography this simply can't be done – it's not a moral or legislative issue but a mathematical one. Once you introduce a flaw into an encryption system, it's impossible to stop others finding it, especially since you are mandating it is there by law and the prize is free access to all US data traffic, as evidenced in the Juniper case.
Burr and Feinstein don't specify how this police backdoor could be managed and still protect data. Instead they have just said: "Here's what we want – do it."
To uphold both the rule of law and protect the interests and security of the United States, all persons receiving an authorized judicial order for information or data must provide, in a timely manner, responsive, intelligible information or data, or appropriate technical assistance to obtain such information or data.
Covered entities must provide responsive, intelligible information or data, or appropriate technical assistance to a government pursuant to a court order.
With this clause, the onus is on companies to hand over the data, irrespective of what they might have promised customers in the past. There is no mention of what penalties could be brought against companies that aren't able to do this, or are perceived to be dragging their feet.
A covered entity that receives a court order from a government as described in paragraph (1) and furnishes technical assistance under subparagraph (B) of such paragraph pursuant to such order shall be compensated for such costs as are reasonably necessary and which have been directly incurred in providing such technical assistance or such data in an intelligible format.
On one level this is good news for technology companies, since they will be able to claim reasonable expenses for the direct costs of helping law enforcement.
But it ignores the indirect costs, and lawyers would have a field day with this clause. Apple, Google, Microsoft and others know they would be gutshot if this law came in, because who is going to want to buy insecure products that any US law enforcement agency can get into at will?
The iPhone would become as popular as a rattlesnake in a piñata, no business is going to entrust corporate secrets to a broken Microsoft encryption system, and Google can kiss goodbye to its cloud business.
Nothing in this Act may be construed to authorize any government officer to require or prohibit any specific design or operating system to be adopted by any covered entity.
This is an odd one, since that is entirely the bill's purpose. The government can't tell you how to build your products, just as long as it can do what it wants with them. It's enough to give Descartes a migraine.
A rocky road ahead
Before everyone panics, it's highly unlikely that the Compliance with Court Orders Act of 2016 will make it onto the statute books.
Over the last decade, technology firms have seriously stepped up their Washington lobbying spend as Congress has taken more of an interest in their affairs. Google, Microsoft and Facebook all have serious money in the game and dollars work wonders on Capitol Hill.
The White House has declined to support the bill and legislators are also lining up against the proposed legislation. Senator Ron Wyden (D-OR), a strong privacy proponent, has already issued a statement saying he will filibuster any attempt to enact this legislation, calling it a "dangerous proposal."
"This legislation would effectively prohibit Americans from protecting themselves as much as possible. It would outlaw the strongest types of encryption and undermine the foundation of cybersecurity for millions of Americans," Wyden said.
"This flawed bill would leave Americans more vulnerable to stalkers, identity thieves, foreign hackers and criminals. And yet it will not make us safer from terrorists or other threats. Bad actors will continue to have access to encryption, from hundreds of sources overseas. Furthermore, this bill will empower repressive regimes to enact similar laws and crack down on persecuted minorities around the world."
As for the American public's reaction, well that's less certain. The US populace are largely complete pussies when it comes to terrorism and have – time and again – shown themselves willing to abandon hard-fought-for liberties whenever the T word comes up.
Good sense may prevail in the Land of the FreeTM, but don't bet on it. ®