We’ve got our first proper look at an attempt by US senators to legislate against encryption.
Senators Dianne Feinstein and Richard Burr, both of whom sit on the Senate Intelligence Committee, are introducing a bill intended to tackle the rising use of strong encryption technology that cannot be decrypted by anyone without the correct key — including law enforcement and the companies responsible for creating it.
Burr, a Republican, is the chair of the Senate Intelligence Committee. Feinstein, a Democrat, is the vice-chair.
A discussion draft of the bill began circulating on Thursday. (Scroll down for the full draft.)
Key points include:
- It forces tech companies to decrypt encrypted data when presented with a court order — or to provide any technical assistance required to decrypt it.
- It doesn’t provide any technical guidance on how companies can or should achieve this.
- Companies will be offered compensation for any assistance they are forced to provide.
The Feinstein-Burr efforts received a blow earlier this week when Reuters reported that the White House will not be endorsing it. President Obama has previously spoken out against the alleged dangers of encryption, warning against an “absolutist stance on privacy” and asserting people are “fetishizing our phones above every other value, and that can’t be the right answer.”
However, his administration will not be publicly supporting — or opposing — the bill.
The bill comes after a high-profile battle between Apple and the FBI over law enforcement access to smartphones, hinging on an encrypted iPhone linked to one of the shooters at the San Bernardino massacre. The FBI tried to compel Apple to develop software to help it unlock the device, but Apple resisted, arguing that creating the software would be dangerous and make all users less safe.
The FBI ultimately backed out of the fight after an unnamed third party was able to hack into the iPhone for it.
This retreat left important questions in the encryption debate unanswered — including whether the courts can compel tech companies to decrypt encrypted data, or to develop tools to enable access to it. The Burr-Feinstein bill is an attempt to provide clarity and a clear legal mandate for law enforcement to demand access to data that they believe is necessary for investigations.
The bill would require companies that receive court orders from the government to “provide such information to such government in an intelligible format; or provide such technical assistance as is necessary to obtain such information or data in an intelligible format to achieve the purpose of the court order.”
In plain English, that means companies — upon receipt of a court order — would be compelled to decrypt encrypted data, or develop the technological tools required to do so.
If passed, it would be a fundamental challenge to the kind of strong end-to-end encryption that has proliferated in consumer products in recent years. The entire point of the tech is that it can’t be decrypted by anyone without the correct key or password, a measure proponents assert is necessary for protecting users’ security and privacy.
Apple, Google, WhatsApp and others would all have to weaken their security measures, or be prepared to develop tools on demand to break into their own users’ devices and data.
Orin Kerr, a law professor at George Washington University, pointed out on Twitter that the bill’s forced decryption “doesn’t require only reasonable assistance: It’s ‘assistance as is necessary’ to decrypt.”
In other words, the bill makes no allowance for the technical burden compliance would impose on companies whose products are not already designed to allow interception and decryption. When the FBI was trying to force Apple to build software to help it unlock an iPhone using the All Writs Act, some argued that what the FBI was demanding went far beyond “reasonable assistance” and would place an undue burden on the company.
Under the Feinstein-Burr bill, companies would not have this defence.
The draft provides no technical guidance on how companies should build products to comply, and claims that it is not trying to mandate how companies design their products: “Nothing in this Act may be construed to authorize any government officer to require or prohibit any specific design or operating system to be adopted by any covered entity.”
And companies will receive “compensation” for any technical assistance they are compelled to provide.
Predictably, the draft has been received badly by some in the security community. Security researcher Matt Blaze was among the critics, and Kevin Bankston, director at the Open Tech Institute, said: “Silicon Valley should be embarrassed by its Senator’s anti-encryption bill, which would undermine security, innovation, & the tech economy.”
Johns Hopkins cryptography professor Matthew Green tweeted that “it’s not hard to see why the White House declined to endorse Feinstein-Burr. They took a complex issue, arrived at the most naive solution.”
Journalist and policy analyst Julian Sanchez attacked the bill’s lack of technical detail on implementation, writing on Twitter: “They spent months, maybe years on this, & the best they could come up with was ‘love will find a way’?? This is embarrassing. Or should be.”
Here’s the full discussion draft: