Critics on Friday slammed the leaked draft of a bill from Senators Richard Burr and Dianne Feinstein that would outlaw unbreakable encryption, calling the bill “dangerous” in its entirety and a vehicle of “massive Internet censorship.”
The draft bill, per the text circulating on Friday, invokes the rule of law to require “covered entities” to “provide responsive, intelligible information or data, or appropriate technical assistance to a government pursuant to a court order.”
But while this requirement is troublesome in and of itself, it’s the scope and vagueness of the bill that really present a shock.
The covered entities cited in the bill refer not just to device manufacturers, but also software manufacturers, electronic communication services, remote computing services, providers of wire or electronic communication services, providers of remote computing services or “any person who provides a product or method to facilitate a communication or the processing or storage of data.”
Yeesh.
The bill says those entities will only be responsible for providing data if the requested information has been “made unintelligible by a feature, product or service owned, controlled, created, or provided, by the covered entity or by a third party on behalf of the covered entity.”
But don’t worry, guys. The bill says it shouldn’t be interpreted to “require or prohibit any specific design or operating system to be adopted by any covered authority”… right before the part where it states providers “shall ensure that any such products, services, applications, or software distributed by any such person be capable of complying with (the requirement to provide data upon request).”
The bill comes in the context of a growing battle between technology companies and government and law enforcement over the merits of encryption. The issue was most recently highlighted in a high-profile spat between the FBI and Apple over access to the contents of an iPhone 5c used by one of the San Bernardino shooters, but is continually being echoed in smaller, local battles across the country.
New America’s Open Technology Institute director Kevin Bankston on Friday blasted the bill as both a threat to cyber security and an order tantamount to Internet censorship. Bankston said the legislation would require the use of “either backdoored encryption or no encryption at all,” and would essentially force companies like Apple and Google to “police their platforms to stop the distribution of secure apps.”
“Practically every security expert in the country would tell you that means laying down our arms in the constant fight to secure our data against thieves, hackers, and spies,” Bankston said. “This bill would not only be surrendering America’s cybersecurity but also its tech economy, as foreign competitors would continue to offer—and bad guys would still be able to easily use!—more secure products and services. The fact that this lose-lose proposal is coming from the leaders of our Senate’s intelligence committee, when former heads of the NSA, DHS, the CIA and more are all saying that we are more secure with strong encryption than without it, would be embarrassing if it weren’t so frightening.”
That sentiment was seconded by Johns Hopkins University cryptology professor Matthew Green.
“Well, the Feinstein-Burr bill is pretty much as clueless and unworkable as I expected it would be,” Green tweeted. “How secure can your encryption be when any court in the land, including Indian tribes, can send you a piece of paper asking to undo it?”
Digital forensics and security specialist Jonathan Zdziarski called the bill “a hodgepodge of technical ineptitude combined with pockets of contradiction.”
“The absurdity of this bill is beyond words,” Zdziarski wrote in a blog post. “Due to the technical ineptitude of its authors, combined with a hunger for unconstitutional governmental powers, the end result is a very dangerous document that will weaken the security of America’s technology infrastructure. This will affect everything from the iPhone you hold in your pocket to how data is transmitted over the Internet, allowing the government to effectively break all electronic commerce and Internet security.”
But there is still hope.
The White House has reportedly declined to publicly support the legislation and the draft bill has already provoked backlash from Feinstein and Burr’s colleagues in the Senate, including Senator Ron Wyden of Oregon.
“For the first time in America, companies who want to provide their customers with stronger security would not have that choice – they would be required to decide how to weaken their products to make you less safe,” Wyden said in a statement.
Despite the recent passage of similar anti-encryption legislation in France’s lower house of Parliament, Recon Analytics’ Roger Entner on Friday said the draft U.S. bill is “dead in the water” and stands “no chance” of making it through Congress.
Let’s hope he’s right.