As Apple battled the FBI for the last two months over the agency’s demands that Apple help crack its own encryption, both the tech community and law enforcement hoped that Congress would weigh in with some sort of compromise solution. Now Congress has spoken on crypto, and privacy advocates say its “solution” is the most extreme stance on encryption yet.
On Thursday evening, Senators Richard Burr and Diane Feinstein released the draft text of what they’ve called the “Compliance with Court Orders Act of 2016,” a nine-page piece of legislation that would require people to comply with any authorized court order for data. And if that data were “unintelligible,” the law demands that it be rendered “intelligible.” In other words, the bill would outlaw the sort of user-controlled encryption that’s in every modern iPhone, in all billion devices that run Whatsapp’s messaging service, and in dozens of other tech products. “This basically outlaws end-to-end encryption,” says Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology. “It’s effectively the most anti-crypto bill of all anti-crypto bills.”
It’s effectively the most anti-crypto bill of all anti-crypto bills. Technologist Joseph Lorenzo Hall
Kevin Bankston, the director of the New America Foundation’s Open Technology Institute, goes even further: “I gotta say in my nearly 20 years of work in tech policy this is easily the most ludicrous, dangerous, technically illiterate proposal I’ve ever seen,” he says.
The bill, Hall and Bankston point out, doesn’t specifically suggest any sort of backdoored encryption or other means to even attempt to balance privacy and encryption, and actually claims to not require any particular design limitations on products. Instead, it states only that communications firms must provide unencrypted data to law enforcement or the means for law enforcement to grab that data themselves. “To uphold the rule of law and protect the security and interests of the United States, all persons receiving an authorized judicial order for information or data must provide, in a timely manner, responsive and intelligible information or data, or appropriate technical assistance to obtain such information or data.”
Hall describes that as a “performance standard. You have to provide this stuff, and we’re not going to tell you how to do it,” he says. George Washington Law School professor Orin Kerr points out on Twitter that the text doesn’t even limit tech firms’ obligations to “reasonable assistance” but rather “assistance as is necessary,” a term that means the bill goes beyond current laws that the government has used to try to compel tech firms to help with data access such as the All Writs Act.
Even more extreme, the draft bill also includes the requirement that “license distributors” ensure all “products, services, applications or software” they distribute provide that same easy access for law enforcement. “Apple’s app store, Google’s play store, any platform for software applications somehow has to vet every app to ensure they have backdoored or little enough security to comply,” says Bankston. That means, he says, that this would “seem to also be a massive internet censorship bill.”
I could spend all night listing the various ways that Feinstein-Burr is flawed & dangerous. But let’s just say, “in every way possible.”
— matt blaze (@mattblaze) April 8, 2016
If Grandpa Simpson was a Senator who was afraid of and confused by encryption, I think he’d write something like the Feinstein/Burr bill.
— Kevin Bankston (@KevinBankston) April 8, 2016
It’s not hard to see why the White House declined to endorse Feinstein-Burr. They took a complex issue, arrived at the most naive solution.
— Matthew Green (@matthew_d_green) April 8, 2016
Burr and Feinstein’s bill disappoints its privacy critics in part because it seems to entirely ignore the points already made in a debate that’s raged for well over a year, and has its roots in the crytpo wars of the 1990s. Last summer, for instance, more than a dozen of the world’s top cryptographers published a paper warning of the dangers of weakening encryption on behalf of law enforcement. They cautioned that any backdoor created to give law enforcement access to encrypted communications would inevitably be used by sophisticated hackers and foreign cyberspies. And privacy advocates have also pointed out that any attempt to ban strong encryption in American products would only force people seeking law-enforcement-proof data protection to use encryption software created outside the U.S., of which there is plenty to choose from. Apple, in its lengthy, detailed arguments with the FBI in front of Congress and in legal filings, has called that weakening of Americans’ security a “unilateral disarmament” in its endless war with hackers to protect its users’ privacy.
More WIRED Encryption Coverage
Tom Mentzer, a spokesman for Senator Feinstein, told WIRED in an email that “qe’re still working on finalizing a discussion draft and as a result can’t comment on language in specific versions of the bill. However, the underlying goal is simple: when there’s a court order to render technical assistance to law enforcement or provide decrypted information, that court order is carried out. No individual or company is above the law. We’re still in the process of soliciting input from stakeholders and hope to have final language ready soon.” Senator Burr did not respond to our request for comment.
The Burr/Feinstein draft text may in fact be so bad for privacy that it’s good for privacy: Privacy advocates point out that it has almost zero likelihood of making it into law in its current form. The White House has already declined to publicly support the bill. And Adam Schiff, the top Democratic congressman on the House of Representatives’ intelligence committee, gave WIRED a similarly ambivalent comment on the upcoming legislation yesterday. “I don’t think Congress is anywhere near a consensus on the issue,” Schiff said, “given how difficult it was to legislate the relatively easy [Cyber Information Sharing Act], and this is comparatively far more difficult and consequential.”
Bankston puts it more simply. “The CCOA is DOA,” he says, coining an acronym for the draft bill. But he warns that privacy activists and tech firms should be careful nonetheless not to underestimate the threat it represents. “We have to take this seriously,” he says. “If this is the level of nuance and understanding with which are policymakers are viewing technical issues we’re in a profoundly worrisome place.”