April 11, 2016
Encryption bill draft muddled, imposing
A “discussion draft” of a long-anticipated encryption bill sponsored by Sen. Dianne Feinstein (D-Calif.) and Senate Intelligence Committee Chairman Richard Burr (R-N.C.) and meant to compel tech companies to comply with government requests to crack smart encrypted devices seized during investigations made its wayonline late last week and immediately drew fire from opponents who characterized it as imposing and an affront to both security and U.S. competitiveness.
“This leaked draft of the upcoming Feinstein-Burr bill instructs every tech vendor in America to use either backdoored encryption or no encryption at all, even though practically every security expert in the country would tell you that means laying down our arms in the constant fight to secure or data against thieves, hackers, and spies,” Kevin Bankston, director of New America’s Open Technology Institute, said in a statement sent to SCMagazine.com of the draft published by The Hill and which neither Feinstein and Burr had confirmed at press time as legit. “This bill would not only be surrendering America’s cybersecurity but also its tech economy, as foreign competitors would continue to offer—and bad guys would still be able to easily use!—more secure products and services.”
Bankston noted “the fact that this lose-lose proposal is coming from the leaders of our Senate’s intelligence committee, when former heads of the NSA, DHS, the CIA and more are all saying that we are more secure with strong encryption than without it, would be embarrassing if it weren’t so frightening.”
Early Thursday, reports had circulated that the White House, which had previously offered comment on a draft of the bill, was going to stay out of the fray even as Feinstein said a copy had been sent to Chief of Staff Denis McDonough. And some speculated release of a draft bill would be delayed until this week as the White House mulled it.
The effort to get encryption legislation on the books has taken on a considerable sense of urgency since the Federal Bureau of Investigation (FBI) a few months ago began pressuring Apple to unlock an iPhone 5c used by one of the San Bernardino shooters. Though the heated conflict had simmered down a bit after the FBI was successful in cracking the phone without Apple’s help, popular opinion held that the reprieve simply staved off an inevitable confrontation between government and tech companies. Industry experts like privacy lawyer Lisa Sotto, title managing partner in the New York office of Hunton & Williams, said true resolution begged for Congress to craft meaningful legislation to address encryption. But, after glimpsing the so-called discussion draft, most agreed that this bill isn’t it and could do more harm than good.
“This bill is a clear threat to everyone’s privacy and security. Instead of heeding the warnings of experts, the senators have written a bill that ignores economic, security, and technical reality,” Neema Singh Guliani, legislative counsel with the American Civil Liberties Union (ACLU), said in a statement sent to SCMagazine.com. “It would force companies to deliberately weaken the security of their products by providing backdoors into the devices and services that everyone relies on. Senators Burr and Feinstein should abandon their efforts to create a government backdoor.”
According to the draft legislation posted on The Hill’s Scribd site, the bill would require that “to uphold the rule of law and protect the security and interests of the United States, all persons receiving an authorized judicial order for information or data must provide, in a timely manner, responsive and intelligible information or data, or appropriate technical assistance to obtain such information or data.”
Industry execs said this is both vague and broad enough to scoop up individuals using the normal security functions on their smart devices and to confuse companies as to how they would comply with these legislative requirements.
Furthermore, “all covered entities,” which include license distributors of software “must provide responsive, intelligible information or data, or appropriate technical assistance to a government pursuant to a court order.”
At the same time, the bill said its language shouldn’t “be construed to authorize any government office to require or prohibit any specific design or operating system to be adopted by any covered entity.” The upshot? Government would require companies to provide technical assistance but won’t specify how they do it, sidestepping the explicit demand for backdoors.
As currently worded, the bill is not feasible, experts said. “This legislation places an unqualified demand on companies to decrypt their customers’ data upon receiving a court order from law enforcement. While companies should comply with lawful requests, it is simply not possible for a company to do so when the customer controls the only keys used to encrypt the data, Information Technology and Innovation Foundation (ITIF) Vice President Daniel Castro said in a statement emailed to SCMagazine.com. “For example, the popular messaging app WhatsApp, which provides end-to-end encryption on its platform, would not be able to comply with the legislation, unless it modified its system.”
That’s in direct conflict with the bill’s stated claim “that it is not authorizing the government to require or prohibit any specific design changes to software or hardware. In short, this bill sets up a legal paradox that would further muddy the waters about how and when the government can compel the private sector to assist in gaining access to private information.”
Dave Wagner, CEO of email encryption provider ZixCorp, said the bill, if passed, would confound attempts by companies to better secure data. “People and businesses are already challenged to protect data and prevent breaches, and legally mandated backdoors would eliminate a very necessary security measure,” Wagner said in a statement emailed to SCMagazine.com
While he acknowledged that“The encryption debate has become so heated because both the FBI and Apple want to protect people, but in different ways,” Wagner noted that “the truth is backdoors would be accessible to more than just the government” and would leave information vulnerable to unsavory elements. “We don’t need to help criminals and hackers steal our data,” he said.