Burr And Feinstein Release Their Anti-Encryption Bill… And It's More Ridiculous Than Expected

from the are-they-serious? dept

They’ve been threatening this for months now, but Senators Richard Burr and Dianne Feinstein have finally released a “discussion draft” of their legislation to require backdoors in any encryption… and it’s even more ridiculous than originally expected. Yesterday, we noted that the White House had decided to neither endorse nor oppose the bill, raising at least some questions about whether or not it would actually be released. Previously, Feinstein had said she was waiting for the White House’s approval — but apparently she and Burr decided that a lack of opposition was enough.

The basics of the bill are exactly what you’d expect. It says that any “device manufacturer, software manufacturer, electronic communication service, remote computing service, provider of wire or electronic or any person who provides a product or method to facilitate communication or the processing or storage of data” must respond to legal orders demanding access to said information. First off, this actually covers a hell of a lot more than was originally expected. By my reading, anyone providing PGP email is breaking the law — because it’s not just about device encryption, but encryption of communications in transit as well. I wonder how they expect to put that genie back in the bottle.

But let’s dig into a few other bits of insanity in the bill. It starts out with an insane assertion, right up front:

It is the sense of Congress that–

  1. no person or entity is above the law;
  2. economic growth, prosperity, security, stability, and liberty require adherence to the rule of law;

What an absurd way to start the bill. As we’ve discussed over and over again, despite FBI director James Comey’s statements, no one is claiming to be “above the law” here. When they offer end-to-end encryption they’re not “above the law,” they’re just building a system to which they don’t have the key. That’s like saying that the safe maker who doesn’t keep copies of the keys to every safe they sell is above the law. But no one requires safemakers to keep copies of every key.

Next, the claim that economic growth, prosperity, security, stability and liberty somehow depend on all of this is ridiculous. The second this bill becomes law, the US loses a massive economic advantage. Basically all of our technology becomes suspect globally, and the entire cybersecurity industry moves off shore. It will devastate American businesses outside of the US. Burr and Feinstein are basically offering a bill that completely undermines the economic prosperity of the American tech industry. This is especially insane coming from Feinstein, given that she supposedly represents so many tech companies in California.

all providers of communications services and products (including software) should protect the privacy of United States persons through implementation of appropriate data security and still respect the rule of law and comply with all legal requirements and court orders;

And they do… when they can. But what this bill requires is for tech companies to undermine the basics of encryption to make everyone less safe. This is not about disrespecting the rule of law, but about building systems as secure as possible to protect people from malicious attacks. You know, the very kinds of attacks that Senators Burr and Feinstein kept screaming about just months ago when they were demanding a bogus cybersecurity (really: surveillance) bill get passed by Congress. And yet now they want to undermine the very core concept of cybersecurity in the US.

to uphold both the rule of law and protect the interests and security of the United States, all persons receiving an authorized judicial order for information or data must provide, in a timely manner, responsive, intelligible information or data, or appropriate technical assistance to obtain such information or data;

And if that’s literally impossible, as is the case with strong encryption or end-to-end encryption?

Let’s be clear, here. This bill makes effective cybersecurity illegal. Think about that for a second. This is insane.

Then there’s this kicker:

Nothing in this Act may be construed to authorize any government officer to require or prohibit any specific design or operating system to be adopted by any covered entity.

Yeah, except for the entire bill which absolutely prohibits the kind of design that basically all security experts say you need to adequately protect data and communications.

There are lots of other issues as well. As Jonathan Zdziarski notes, the bill is so ridiculously drafted that it doesn’t distinguish between encrypted data and deleted data. Thus, if someone deletes all their data, companies are still on the hook to magically get it back. It also requires that any information that is requested be delivered “in an intelligible format.” But what if the information itself is not intelligible? What if, prior to encrypting the data through technological means, the people doing the communications used some sort of cypher or code themselves to further obfuscate the information?

The whole thing is a mess and provides much more evidence for the fact that Feinstein and Burr have absolutely no clue what they’re talking about on this particular issue. Of course, there are lots of clueless people, but it’s pretty disturbing that these two particularly clueless people happen to be the highest ranking members on the Senate Intelligence Committee. Perhaps, like some others, they should talk to actual intelligence community professionals, who have also been arguing that backdooring encryption is a bad idea and puts Americans at much greater risk of being victims of computer attacks.


Comments on “Burr And Feinstein Release Their Anti-Encryption Bill… And It's More Ridiculous Than Expected”

113 Comments
Anonymous Coward says:

“Nothing in this Act may be construed to authorize any government officer to require or prohibit any specific design or operating system to be adopted by any covered entity. “

What was the point of this part? It’s like putting a comment in source code that completely contradicts what the source code actually does.

That One Guy (profile) says:

Re: Re:

A distraction for the stupid and the ‘news’ groups basically. By putting that in there they can try to dodge any criticism aimed at the bill by pointing to that line and saying ‘No, but see, we’re not requiring any changes or prohibiting any from being implemented’, and ‘conveniently’ leave out that the bill absolutely does impose restrictions and requirements.

Steve R. (profile) says:

Beyond Belief

Thankfully, the proposal has been dropped. What continues to amaze me is that the positive legitimate uses of encryption are purposely ignored by those proposing a so-called “back door”.

The issue of encryption also raises “slippery slope” concerns. The argument is made that encryption has to be weak to facilitate law enforcement. By that train of logic, search warrants should be abolished as an impediment to “facilitating law enforcement”.

I hope that those proposing a “back door” will finally give up based on logic. Unfortunately, I suspect that after a suitable waiting period, those proposing weak encryption will once again hysterically start beating the war drums and foaming at the mouth.

DogBreath says:

Re: Re: Keys

The ideal response to the bill if it passes is to make the key so easy to remember it can be used across all hardware and platforms, and watch the system eat itself including those idiots in power.

“Sorry Senators Burr and Feinstein, but in order to properly facilitate access to decrypt the information in accordance with the Anti-Encryption Law that you put in place, your new passwords for all your current and future accounts shall be the following: 12345”

Malicious Compliance for the win.

If the little people are going down with the ship, make damn sure those responsible for hitting the iceberg go down with it too.

Michael (profile) says:

device manufacturer, software manufacturer, electronic communication service, remote computing service, provider of wire or electronic or any person who provides a product or method to facilitate communication or the processing or storage of data

Bicycle manufacturers must provide a way to facilitate a government request to read something that was sent by messenger?

Anonymous Coward says:

"Above the law"

No, no you missed the point.

Whenever somebody trots out the old “no person or entity is above the law” argument outside of a superhero movie or a classroom, it is not to reinforce that everybody is equal.

No, what they are saying is something entirely different: I am the Law and you are my subject.

Anonymous Coward says:

It seems to me that automatic bank machines communicate. I sure hope they use encrypted communications. The same for personal banking over the web. So this law requires “backdoors” for such banking, making bank robbery so much easier and cheaper (as no firearms and/or masks, getaway cars and so on will be required). But at least it will reduce the likelihood of modern bank robbers killing or injuring bystanders and bank employees.

Ryunosuke (profile) says:

this bill is counter-intuitive and counterproductive.

Part 1 is at odds with part 2, as has been stated, but let’s take a closer look, shall we?

1) no person or entity is above the law.

In regards to this bill, that means NO entity is above this law, that includes the FBI, Congress, The Pentagon, The White House, the CIA, NSA, etc. because they are entities, and they cannot be above the law.

2) economic growth, prosperity, security, stability, and liberty require adherence to the rule of law;

I am sure that because of (1) that entities like China, Russia, Daesh, Al-Qaeda will take that with good will and NEVER EVER exploit those systems.

Bullshit, I am sure that Russia, China would LOVE to get their hands on NSA/CIA/Pentagon deep cover operatives/operations currently in the field or in planning. I am SURE Al-Qaeda and Daesh would LOVE to get into the FBI/NSA to see which of THEIR deep cover operatives are being monitored. I am *SURE* the Pentagon would LOVE to have AF1’s schematics broadcasted to the world.

Not only is this bill counter to free speech, economic security, but it *WILL* put American lives and national security at risk. And before you go, “Oh, but WE, in Congress and the govt is not bound to this law.” read again that the law specifically says “NO ENTITY”, including the Entity of the US Govt. BY THE LETTER OF THE LAW.

Anonymous Coward says:

Re: Re:

I quite agree – the ‘no entity is above the law’ would mean that all the federal ‘Except us’ language in various other laws doesn’t apply. Should (horrors) this abomination be passed, then I can only suggest that Lal, Shimpy, NSA, the Navy, et al be named as co-defendants to any suit brought under this. After all, as RSA, TOR, etc fail to provide backdoors in the algorithms employed – right?

Uriel-238 (profile) says:

Re: Re: Dogs are fairly harmless, politicians not so much

Dogs might have a hard time destroying the world with a supercollider, but they’ll wreck your day if you’re a lamb grazing on the field.

The problem is in this case, that these are idiots out of their league, but with power enough to be destructive.

It’s the same problem as we have with many entrenched representatives who cannot be voted out of position (the GOP can’t even create a candidate liberal enough to be palatable to California) so long as they’re worse than Joffrey-Satan-Hitler, we won’t vote Joffrey-Satan-Hitler in to replace them.

But seriously, I’d really like someone that’s actually intelligent and actually means to run California not into the ground.

It’s a pipe dream.

bshock says:

Sheep must not evolve armor, claws, or teeth

California — home of the embarrassing Ms. Feinstein — is an odd place. Far from being a Liberal paradise, it’s actually well on its way to becoming a feudal state, where the wealthy lords and ladies control the land, while peasants pay rent for the privilege of furthering the fortunes of their landlords. (Anybody who lives in the Bay Area knows exactly what I’m talking about.)

Her Majesty Lady Feinstein has decided that it’s too dangerous for the peasants to have secrets, and so she insists that we must divulge everything at the whims of her knights in blue. The wording of this bill suggests that she considers peasant vulnerability and rule of law to be inseparable.

This sort of attitude is not at all inconsistent with California law. This state has some of the most restrictive gun laws in the country. After all, an armed peasant is a less vulnerable peasant. Regardless of which side of the gun debate you happen to be on, though, you can probably agree that Lady Feinstein’s public pride in the fact of her own armed condition seems more than a little hypocritical. (Yes, Dianne Feinstein famously has a permit to carry deadly weapons.) But of course self defense is a god-given right of the nobility, isn’t it?

We might excuse California if the restrictions stopped there; it’s easy to imagine that few people really need to own or carry firearms today. But in the spirit of keeping peasants vulnerable, California has even declared bullet-resistant clothing illegal. That’s right: apparently rule of law demands that peasants must be as vulnerable — i.e. easy to kill — as possible. Wear a bulletproof vest, go to jail.

So what’s next, Your Majesty? Are you going to take a cue from that silly David Lynch version of “Dune” and decree that all of us must be fitted with openly accessible “heart plugs” that allow our lives to be taken with the flick of the wrist from your deputized thugs? Or at the very least, should we all be forced by law to carry wrist restraints, so that we can truss up ourselves in an instant when so ordered?

Uriel-238 (profile) says:

Re: "Well on its way to becoming a feudal state"

The same is true of every state in the US. Ours is and has been for decades a corporate oligarchy in which the voters are disenfranchised unless they can rally tens of millions.

But yes, ours is a feudal state under Hollywood and Google that wishes it were a liberal democracy, rather than a feudal state under Monsanto or Pfizer or Chevron or Ford that wishes it were a conservative republic.

Anonmylous says:

Wrong analogy

“That’s like saying that the safe maker who doesn’t keep copies of the keys to every safe they sell is above the law.”

No, it’s like holding a paper manufacturer responsible for people burning letters after reading them.

Burning papers and mixing the ashes is what we did before digital communications. And they had a term for that: destruction of evidence. And it was still a bullshit charge as there was no clue as to what those papers really contained.

So now, we want to hold the paper manufacturers to blame for this huge problem (that really isn’t) and force them to make fire-proof paper or pay massive fines.

Brilliant!

Nick B (profile) says:

Coverage

The bill covers a ridiculous scope.

It would ban paper shredders, data storage places (paper or datacenters) from having fire suppression systems that could potentially damage documents/data.

If you offer a product or service that touches documents or data and have anything even remotely in your control (fire sprinklers) that can render the data unreadable you are on the hook to provide a clean copy to the government.

Anonymous Coward says:

This bill is hilarious. I can’t wait until someone sues General Dynamics (or the like) over the products they produce and SELL TO THE US GOVERNMENT.

https://gdmissionsystems.com/cyber/products/

As a long time Californian, I can never understand how in the world my fellow citizens continue to elect the likes of Boxer (or Dianne Feinstein either).

Anonymous Coward says:

Obama waffles

Yesterday, we noted that the White House had decided to neither endorse nor oppose the bill

Notwithstanding yesterday’s Reuters report discussed in the previous Techdirt article, in a competing story from yesterday, The Hill’s Cory Bennett reports that deputy White House press secretary Eric Schultz says the President hasn’t reached any decision. (“Encryption bill sent back to White House for Obama review”)

 . . . After the administration reviewed an initial draft and offered edits in March, several people with knowledge of the discussions said this week that officials had chosen to publicly stay out of the heated debate.

The White House shot down those reports on Thursday.

“I am sure we will take a look at what they are proposing and be in touch,” White House deputy press secretary Eric Schultz told reporters aboard Air Force One. “The idea that we’re going to withhold support for a bill that’s not introduced yet is inaccurate.”

Burr said he was hearing the same thing from the administration.

“A decision has not been made,” he told reporters.

This is at least a different spin than the Reuters story, and offers the highlighted statement from the White House deputy press secretary. (Contrast with the Reuters story, which says: “A White House spokesman declined to comment on the pending legislation, but referred to White House press secretary Josh Earnest’s statements on encryption legislation.”)

Anonymous Coward says:

Re: Obama waffles

Yesterday’s Reuters report was bylined Mark Hosenball and Dustin Volz. In a story dated today (Friday) they update us with further information on the White House response to Burr-Feinstein.

“Leak of Senate encryption bill prompts swift backlash”, by Dustin Volz and Mark Hosenball, Reuters, Apr 8, 2016

President Obama is expected to be personally briefed by White House chief of staff Denis McDonough on the proposal on Monday, sources said.

But the administration remains deeply divided over encryption and views it as too controversial to offer public support or opposition for the bill as it is currently written, according to sources.

A White House spokesman told reporters Thursday the administration had not decided whether to support the measure, as it is still in a draft stage.

That One Guy (profile) says:

Re: Re: Obama waffles

But the administration remains deeply divided over encryption and views it as too controversial to offer public support or opposition for the bill as it is currently written, according to sources.

Yeah, nice attempt at a dodge on their part, but no, I’m not buying it. There has been plenty of time to become educated on the subject, and more than enough people in the field have spoken up saying how dangerous undermining encryption is that to claim to be ‘undecided’ at this point is just an attempt to avoid voicing an opinion counter to the evidence that’s been presented.

I think the real ‘problem’ facing them is that they would really like to voice support for the bill, but they know the public backlash for doing so would likely be significant (and during election season at that), and so they’re stuck pretending to have to ‘consider the matter’ and ‘weigh the pros and cons’.

If by some disaster the bill does make it through and gets enough votes to pass I’m sure he will sign it, even as he pretends that he’s only doing so because he has to, the lawmakers have spoken and he has no choice but to go along with the general consensus.

Anonymous Coward says:

Re: Re: Re: Obama waffles

the public backlash for doing so would likely be significant (and during election season at that)

Don’t overestimate the level of popular concern about the issue.

“Even in Silicon Valley, encryption battle yields more yawns than yelps”, by Bruce Newman, Mercury News, Apr 8, 2016

With Congress poised to consider draft legislation that would give the FBI — or any law enforcement agency with a court-ordered warrant — the right to examine everyone’s encrypted data, the other back-door-kicking shoe appears ready to drop.

But even as the two sides square off in the ongoing struggle between security and privacy, Brent Fried — a UC Berkeley junior who was rushing into the International House Cafe to study for midterms this week — pulled out his iPhone’s earbuds and shrugged.

“I don’t understand why it’s such a huge deal,” he said. “It hasn’t been much of an issue for me.”

Perhaps even worse than overestimating the popular interest in the issue would be overestimating the level of popular opposition to something like Burr-Feinstein.

All too easy to get yourself in a big room with a few thousand people mostly agreeing on something—and forget that a big room like that may not really be representative in a nation of 300 million and change.

nasch (profile) says:

Re: Re: Re: Obama waffles

If by some disaster the bill does make it through and gets enough votes to pass I’m sure he will sign it, even as he pretends that he’s only doing so because he has to, the lawmakers have spoken and he has no choice but to go along with the general consensus.

If Congress is in session when it hits his desk he can do nothing and hope nobody notices.

Anonymous Coward says:

“(b) DESIGN LIMITATIONS.—Nothing in this Act may be construed to authorize any government officer to require or prohibit any specific design or operating system to be adopted by any covered entity.”

The inclusion of the above means, to me, that the requirement for providing the data or assistance with getting it applies only WHERE POSSIBLE, and does not mean systems or software must be dumbed down to provide for governmental wants later (no back-doors are required here). I admit I’ve only glossed over this so far, but am I misinterpreting anything here? If it does require back-doors, where exactly in the bill does it do so?

Anonymous Coward says:

Re: Re:

I admit I’ve only glossed over this so far, but am I misinterpreting anything here?

Yes. It does indeed appear you are misinterpreting the bill. Try reading it a little bit more slowly and carefully.

If English is not your first language, then you should consider indicating particular words that you’re having trouble translating into your native language.

Anonymous Coward says:

Re: Re:

The whole thing is ridiculous and very poorly written and even (hypothetically) if there isn’t something stating that there needs to be backdoors in there the government, law enforcement and the courts can very easily interpret it to mean that they will indeed have to have backdoors.

Leigh Beadon (profile) says:

Re: Re:

If it does require back-doors, where exactly in the bill does it do so?

The very next provision after the one you quoted.

“A provider … shall ensure that any such products, services, applications or software … be capable of complying.”

At best, the two provisions contradict each other. More accurately, the one you quoted is a weak attempt to deny that they are doing exactly what they are doing: mandating how software and devices must be designed. It’s providing some tiny, meaningless leeway.

Basically the part you quoted is saying “You can give us a master key, or a separate entrance, or a hidden recording device, or an infrared camera, or a doorman with orders to let us in – it’s totally up to you!”

Anonymous Coward says:

Re: Re: Re:

Thank you for laying that out clearly (and politely). So if I’m reading you correctly, you’re saying those two parts, taken together, require a back-door of some sort, but not of any particular sort. However, if I’m not mistaken, a court of law must also take into consideration “Notwithstanding any other provision of law”, in which, right off the bat, it conflicts with CALEA: “(1) Design of features and systems configurations. This subchapter does not authorize any law enforcement agency or office (a) to require any specific design of equipment, facilities, services, features, or system configurations to be adopted by any provider of a wire or electronic communication service, any manufacturer of telecommunications equipment, or any provider of telecommunications support services; (b) to prohibit the adoption of any equipment, facility, service, or feature by any provider of a wire or electronic communication service, any manufacturer of telecommunications equipment, or any provider of telecommunications support services.” I can’t see the bill passing with such an immediate glaring conflict with existing law. Of course, I could be mistaken, but it just looks like they’re trying to project the illusion of doing something without actually doing anything (usually called grandstanding when so close to an election).

Anonymous Coward says:

Re: Re: Re:2 Re:

Which is why I said, “require a back-door of some sort, but not of any particular sort”. And why I subsequently brought up CALEA, which doesn’t authorize law enforcement to make a “per se” requirement, which is exactly what is happening when someone legislates against specific circumstances (inability to comply) that can only be avoided by the inclusion of a back door, seeing as the end result is the same as requiring one to begin with. Feinstein thinks she’s being slick, but Homie don’t play that shit, etc.

Anonymous Coward says:

Re: Re: Re:4 Re:

Whether a court would buy that argument is unknown at this time.

Why would a court care?

“Entrenchment of Ordinary Legislation: A Reply to Professors Posner and Vermeule”, by John C. Roberts and Erwin Chemerinsky, California Law Review, 2003, p.1783 (p.11 in PDF):

The Court applies this principle with equal force to the U.S. Congress. In Reichelderfer v. Quinn, the Court stated flatly that one Congress cannot impose its will on its successors.

(Hyperlink added. Note that footnote 34, while citing 287 U.S. 315, 318, appears to get the year of the case wrong. Google shows this case as 1932.)

The will of a particular Congress … does not impose itself upon those to follow in succeeding years.

So why would a court care that a later legislative enactment sub silentio amends an earlier act?

Anonymous Coward says:

Re: Re: Re:6 Re:

The argument would be that this bill does NOT do that. Am I not explaining this clearly?

You’re not explaining why it would matter whether it does or doesn’t.

I think that motivation is a necessary predicate for any worthwhile argument: Contrariwise, if it doesn’t matter, then it just doesn’t matter…

Anonymous Coward says:

Re: Re: Re:8 Re:

Are you saying it’s perfectly fine for this bill to conflict with CALEA, and that means CALEA is effectively amended?

CALEA was enacted by the 103rd Congress, and was signed by President Clinton in 1994.

If the current, 114th Congress duly enacts a new law, then we get a new law. Tell me why it wouldn’t just be that simple—especially in any question regarding interpretation and construction of the new statute?

Anonymous Coward says:

Re: Re: Re:10 Re:

I asked a yes or no question, you could just answer it…

Oh c’mon nasch. You’ve been hanging around here long enough to know the stock-off-the-shelf answer to any kind of question like that would usually be—

“Well, it depends.”

In this specific context, though, I’d continue to say that the question itself depends on whether its answer makes any kind of meaningful difference.

Uriel-238 (profile) says:

Re: "concerned about the economy or America's prosperity"

The GOP has? Ever? Reaganomics? Trickle-Down Theory? Opening the door for lobbyists? War-profiteering?

The problem with partisan thinking is that both sides are generally corporatist and protectionist and representatives need to be in order to get those sweet, sweet campaign contributions.

Our government is now intrinsically corrupt, and only serves the monied interests. It’s actually worse than Feudalism in a way since there is no acknowledgement of the value of the general population (as laborers, soldiers and consumers), so most of them are shortsighted enough to regard us shlubs as filth to be socially cleansed.

topfatcat says:

Burr-Feinstein bill

Suppose an encryption mechanism signed everything it encrypts with a unique pointer (unique to that data). That pointer only has meaning to the provider of the encryption mechanism. It is a pointer to the encryption key used to encrypt that data. The pointer is useless to anyone but the provider. When faced with a court order the provider may use the pointer to provide the required encryption key.
This should mean that I can encrypt my data with the confidence that it can only be read by me, someone I give the encryption key to, or someone who has a court order to read it. Of course, the provider has to be trustworthy, as my bank is now!

nasch (profile) says:

Re: Burr-Feinstein bill

Of course, the provider has to be trustworthy, as my bank is now!

Not just trustworthy, but secure. Criminal organizations and foreign nations would be trying to break in and steal the information needed to make use of the pointers you describe. And eventually one or more of them would probably succeed.

topfatcat says:

Re: Re: Burr-Feinstein bill

“trustworthy” would obviously include “secure”.
Criminal organizations can probably break any encryption if they think there’s enough money to be gained. We live in a world where everything has some risk. The goal is to reduce the risk while attaining other goals as well.
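
The "pointer" scheme proposed in this sub-thread is key escrow, and the sketch below (an added example, not part of the original comments or of any real product) shows both the court-order path topfatcat describes and the exposure nasch raises: whoever holds a copy of the provider's pointer table can read every envelope. `EscrowProvider` and the other names are hypothetical, and the cipher is a standard-library stand-in for a real AEAD.

```python
import hashlib
import hmac
import secrets

# Toy authenticated cipher built from the standard library so the example runs
# offline. It stands in for a real AEAD such as AES-GCM; do not reuse it.


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one data key."""
    return hashlib.sha256(label + key).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt then MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; raises ValueError on the wrong key."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified ciphertext")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


class EscrowProvider:
    """Hypothetical provider implementing the pointer scheme from the comment."""

    def __init__(self):
        self._escrow = {}  # pointer -> data key: the table everything depends on

    def encrypt(self, plaintext: bytes):
        """Return (envelope, key). The envelope carries only the opaque pointer."""
        key = secrets.token_bytes(32)
        pointer = secrets.token_hex(16)  # random, reveals nothing about the key
        self._escrow[pointer] = key
        return {"pointer": pointer, "blob": seal(key, plaintext)}, key

    def key_for_order(self, pointer: str) -> bytes:
        """Court-order path: resolve a pointer to the key that opens the data."""
        return self._escrow[pointer]


def pointer_alone_opens(envelope) -> bool:
    """The pointer by itself is not key material, as the comment intends."""
    try:
        unseal(bytes.fromhex(envelope["pointer"]), envelope["blob"])
        return True
    except ValueError:
        return False


def read_with_table(table, envelopes):
    """Blast radius: any copy of the pointer table opens every envelope."""
    return [unseal(table[e["pointer"]], e["blob"]) for e in envelopes]


if __name__ == "__main__":
    provider = EscrowProvider()
    # Constructed sample data for two unrelated users.
    env_a, _ = provider.encrypt(b"alice: quarterly ledger")
    env_b, _ = provider.encrypt(b"bob: private notes")
    print("pointer alone opens data:", pointer_alone_opens(env_a))
    print("with order:", unseal(provider.key_for_order(env_a["pointer"]), env_a["blob"]))
    print("with copied table:", read_with_table(dict(provider._escrow), [env_a, env_b]))
```

The security of every user's data reduces to the confidentiality of one table, which has to stay online and queryable for the provider to answer orders at all.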
