Senators Burr & Feinstein Write Ridiculous Ignorant Op-Ed To Go With Their Ridiculous Ignorant Bill

from the learn-something-people dept

Senators Richard Burr and Dianne Feinstein are not giving up that quickly on their ridiculous and technically ignorant plan to outlaw real encryption. The two have now penned an op-ed in the WSJ that lays out all the same talking points they’ve laid out before, without adding anything new. Instead, it just continues to make statements that show how incredibly ignorant they are. The piece is called Encryption Without Tears (and may be paywalled, though by now everyone knows how to get around that), which already doesn’t make any sense. What they’re pushing for is ending basic encryption, which will lead to many, many tears.

It starts out with their standard ridiculous line, pretending that because a company builds end-to-end encryption, it’s acting “above the law.”

In an increasingly digital world, strong encryption of devices is needed to prevent criminal misuse of data. But technological innovation must not mean placing individuals or companies above the law.

People have gone over this time and time again: this is not about anyone being “above the law.” It’s about whether or not companies can be forced to directly undermine the safety and security of their products (and the public). A paper shredder can destroy evidence. A paper shredder maker is not “above the law” when it decides not to build a system for piecing back together the shreds.

And speaking of “above the law” I still don’t see Feinstein or Burr commenting on the FBI/DOJ announcing that it will ignore a court order to reveal how it hacked into computers over Tor. That is being above the law. That involves a situation where a court has asked for information that the FBI absolutely has. The FBI is just saying “nope.” If Burr and Feinstein are really worried about being “above the law,” shouldn’t they worry about this situation?

Over the past year the two of us have explored the challenges associated with criminal and terrorist use of encrypted communications. Two examples illustrate why the status quo is unacceptable.

I love this. They give two examples that have been rolled out a bunch in the last few weeks. The attack in Garland, Texas, where the attackers supposedly exchanged some messages with potential ISIS people, and the case of Brittney Mills, who was tragically murdered, and whose case hasn’t been solved. Mills had her smartphone, but no one can get into it. Of course, it took nearly two years of fretting before law enforcement could dig up these two cases, and neither make a very strong argument for why we need to undermine all encryption.

It’s a simple fact that law enforcement never gets to have all of the evidence. In many, many, many criminal scenarios, that’s just the reality. People destroy evidence, or law enforcement doesn’t find it or law enforcement just doesn’t understand it. That’s not the end of the world. This is why we have police detectives, who are supposed to piece together whatever evidence they do have and build a picture for a case. Burr and Feinstein are acting like in the past, law enforcement immediately was handed all evidence. That’s never been the way it works. Yes, law enforcement doesn’t get access to some information. That’s how it works.

You don’t go and undermine the very basis of computer security just because law enforcement can’t find a few pieces of evidence.

Our draft bill wouldn?t impose a one-size-fits-all solution on all covered entities, which include device manufacturers, software developers and electronic-communications services. The proposal doesn?t define the technological solutions or tell businesses how to solve the problem.

This is also misleading. The bill requires an end to real encryption. That’s it. Real encryption means that only one person has the key. This is what Burr and Feinstein don’t seem to get. They seem to think it’s trivial to leave a key with Apple or whoever. But as basically every crypto expert has explained, it is not. Doing so creates a vulnerability… and worse, it’s a vulnerability that cannot be patched. That’s hellishly dangerous. Sure, the bill doesn’t tell them exactly how to do this, but it does make it clear: you cannot offer real encryption, you can only offer something that can be hacked. That’s a problem.

We want to provide businesses with full discretion to decide how best to design and build systems that maintain data security while at the same time complying with court orders.

We want to provide businesses with full discretion to decide how best to travel back in time, in order to prevent crimes.

Seriously: this is basically the same thing that Burr and Feinstein are saying here. They’re asking for something that’s impossible, and acting like it’s a routine suggestion. If they need to comply with these All Writs Act style orders, they cannot build systems that maintain data security. That’s a fact. It’s mind-boggling that Burr and Feinstein still can’t understand this.

Critics in the industry suggest that providing access to encrypted data will weaken their systems. But these same companies, for business purposes, already maintain and have access to vast amounts of encrypted personal information, such as credit-card numbers, bank-account information and purchase histories.

Argh. This paragraph shows that whatever poor staffer Burr and Feinstein assigned to write this drivel doesn’t understand even the first thing about what he or she is talking about. Storing encrypted passwords, credit card info, bank account info, etc. is a totally different thing. Those are encrypted to keep them safe, and part of the reason they’re encrypted is so that even those companies cannot reveal them. This point is making the opposite point of what Burr and Feinstein think. Companies encrypt passwords and credit card info and the like so that they’re not storing the plaintext info, and there’s no easy way for anyone to get that info. This protects user data, and the companies cannot actually provide the plaintext. They’re comparing hashes. That’s what keeps it safe.

If we received a court order demanding our users’ passwords, we couldn’t provide them. Because they’re encrypted. We don’t know our users’ passwords and can’t give them to you. When someone logs in to our website, we can compare a hash of their password to our hashed version and then if they match, we let them in. But we don’t know what their password is. So this is a terrible example that actually goes against what Burr and Feinstein are saying. Those encrypted stores of information would be illegal under this bill!

We are not asking companies to provide law enforcement with unfettered access to encrypted data. We aren?t even asking companies to tell the government how they gain access to this encrypted data. All we are doing is asking companies to find a way to keep their data secure while also cooperating with law enforcement in terrorism and criminal investigations.

Again, that last line is impossible. They’re asking the impossible — and in the process, making everyone less safe. The only way to provide such info to law enforcement is to no longer keep the data truly secure. And the big concern is not unfettered access for law enforcement, but rather whatever this backdoor means for those with malicious intent, who will be very, very, very focused on finding these vulnerabilities and exploiting them.

President Obama said earlier this year, ?You cannot take an absolutist view on this.? We agree?and believe that strong data security and compliance with the justice system don?t have to be mutually exclusive.

Because you don’t know what you’re talking about.

American technology companies have done some amazing things that are the envy of the world. We think that finding a way to achieve both goals simultaneously is not beyond their capabilities.

So, in the end, despite basically every cryptography expert telling them this is impossible, Burr and Feinstein come back with “NERD HARDER, NERDS!”

Filed Under: , , , , , ,
Companies: apple

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Senators Burr & Feinstein Write Ridiculous Ignorant Op-Ed To Go With Their Ridiculous Ignorant Bill”

Subscribe: RSS Leave a comment
Mason Wheeler (profile) says:

Hashing is not encryption

Just a minor nitpick: a hash is not encryption, by definition. Encryption is something that can be decrypted back to the original plaintext if you have the key. With a hash, there is no key and no way to restore the original plaintext–which is why you use hashing, rather than encryption, to store passwords.

Mason Wheeler (profile) says:

Re: Re: Hashing is not encryption

No, it’s not encrypted data. The essential characteristic of encrypted data is that it can be decrypted. Hashed data can’t be un-hashed back to the original data, because it throws away information.

As for where I heard it, it’s common knowledge among people who work in this area. Simply Googling “difference between hashing and encryption” turns up plenty of useful references.

Anonymous Coward says:

If people are allowed to meet in private and hold conversations that are not recorded, they should also be allowed to use strong encryption. There is little difference between the two as far as the investigation of crime is concerned, except that with encryption a record of who is talking to who is available.
Banning strong encryption is the same as banning private conversations.

That One Guy (profile) says:

Re: Re:

And walls, curtains, locations which are not wired up for recording, speaking in code or even just in languages that the listener isn’t familiar with…

The specific that they are throwing fits about at the moment is encryption, but the general idea that they are so opposed to seems to be privacy itself, the idea that someone may say or write or receive something and that information might not available for those in authority to listen to or read.

Ryunosuke (profile) says:

If we received a court order demanding our users’ passwords, we couldn’t provide them. Because they’re encrypted.

This is the VERY same reason MMO’s/other services say regularly “If you receive an email requesting your password for verification, it is a scam” that hits every so often/regularly, it’s BECAUSE they CANNOT verify it themselves, and this has been going on since the mid-90’s.

so… ya… those who drafted and wrote this up have absolutely NO idea how the internet works.

That One Guy (profile) says:


On the one hand, ‘Politician harder, you could balance the country’s budget if you actually wanted to and tried’ would make for a fitting rebuttal, on the other hand I’m not sure if anyone could keep a straight face saying the other half, the ‘American politicians have done some amazing things that are the envy of the world’ bit.

Uriel-238 (profile) says:

Re: The stupidity

Considering this optimistically, Burr and Feinstein have just revealed their own technological incompetence, trying to insist on using logic that is eye-rollingly archaic, cliche and long debunked.

Hopefully it will soon go the way of Evolution is only a theory.

The anti-nerd sentiment within our civic sectors is conspicuous, though I don’t know if that’s from 70s era academy culture or more general anti-intellectualism, which reoccurs whenever political discourse within a society gets too demagogy-esque. (e.g. Genocide more scapegoat minorities!) People don’t like the more deliberate folk going Um…that doesn’t sound like a very good idea.

Really they just want us brainy types to shut up and make them some better, faster, boomier nukes so they can blow each other to kingdom come.

Uriel-238 (profile) says:

Re: Banks are a big user of encryption

You think too small.

All business require encryption for their accountancy, not just banks. Then there’s company data and company secrets all of which can be problematic in the hands of rivals.

Your local corner store needs encryption for money management. Anything bigger needs a lot of encryption for data security.

Bergman (profile) says:

Re: Banks are a big user of encryption

It would require that banks — or more likely, the company they buy their security systems from — to have a well known security flaw in their systems that completely bypasses all security measures.

The hardest part of building absolutely anything is knowing if it is possible or not. Building a hacking tool to break through security you know nothing about, not even whether it has any exploitable weaknesses, is really damned hard outside of a Hollywood action movie — hard enough to be a daunting task even for the NSA. But if you know a flaw exists? It WILL be found, and probably not by the good guys (assuming government == good guys, they wouldn’t even go looking, they already have a key).

For such a key to be useful, it would need to be a master key — unlocking not just one lock, but all the locks the company makes. So once the bad guys crack into the system, it’s game over for everyone using that system.

Last time I checked, the federal government didn’t make its own encryption that it uses for national security purposes in house that often — this bill, as written, would mandate security flaws in those systems as well.

Dave Cortright says:

Might as well apply this template to other areas too

Doctors are not above the law. When a witness dies, valuable information is irretrievably lost. So we propose a bill that requires doctors to comply with court orders to bring these witnesses back from the dead so they can be questioned. We aren’t mandating how this is accomplished, only that they comply with our demands.

jilocasin (profile) says:

Quantum encryption will save them.

While it’s true that classical encryption won’t let them have a system that’s both completely secure and allows law enforcement to get at the unencrypted contents, there is such a system:

Quantum Encryption

Just like Schrödinger’s cat, the data will be both encrypted and plaintext at the same time.

If presented with the owner’s key or law enforcement’s warrant the quantum encryption wave function will collapse into plaintext. For everyone else (especially the bad guys) the wave function will collapse into a state of encrypted data.

So, Senators Richard Burr and Dianne Feinstein are right. As soon as we get our brightest minds to develop this special blend of mathematics, quantum physics, and computer science everyone will be both safe and private.

[ /sarc ]

Bergman (profile) says:

Criminal Court Evidence Standards

“This is why we have police detectives, who are supposed to piece together whatever evidence they do have and build a picture for a case. Burr and Feinstein are acting like in the past, law enforcement immediately was handed all evidence. That’s never been the way it works.”

This is one reason why courts operate on the evidence standard of ‘beyond a reasonable doubt’ — prosecutors CANNOT prove guilt to the ‘without doubt’ standard because they’ve never had that amount of proof before.

And yet, they have rarely had problems convicting people, even when those people were later exonerated of the charges.

If the government requires that they be allowed to know all of the information, we the people must require that they must present evidence beyond any doubt to get a conviction in court — after all, in the current privacy-rich environment, any competent prosecutor can get a grand jury to indict a ham sandwich. What will they be able to do when privacy no longer exists?

When they are able to meet the goal of ‘beyond any doubt’ evidence due to how much information they are able to gather on anyone they choose, then if the person is truly guilty, they really ought to be able to do it in order to convict that person.

Anonymous Coward says:

When you’re dealing with _discrete_ mathematics, not being absolute is … not just being wrong, it’s being wrong in the most ostentatious way.

If you don’t want absolutes, then go play with differential calculus. _That’s_ the kind of math that deals with fuzzy things.

Of course, we could always be stupidly wrong in the most ostentatious way about both sides of math–just add a rider to define “pi” equal to “4”.

SteveMB (profile) says:

Critics in the industry suggest that providing access to encrypted data will weaken their systems. But these same companies, for business purposes, already maintain and have access to vast amounts of encrypted personal information, such as credit-card numbers, bank-account information and purchase histories.

This “people let Google have personal information, so it’s okay for the government to get people’s personal information” argument is not only idiotic, it is offensive. It is precisely equivalent to “that stuck-up bitch has no business complaining that I pinched her butt when she goes out in public dressed like that”.

383bigblock (profile) says:

Let's get started

I’m actually in the tech industry and find the claims and merits miss Feinstein has put out to be worthwhile and should definitely get traction in Congress.

I believe we should first start with the Banking industry. I can’t think of a better place to start implementing a mandatory back door to encryption. We all know terrorists and pedofiles need and use money. That’s a no-brainer we should move on the financial districts immediately.

Also, I want the encryption key to Feinsteins phone because I’m sure that bitch has nothing to hide, no back room deals or quid pro quo relationships in play.

Bergman (profile) says:

Re: Re: Let's get started

…except that in the incident you alluded to, he didn’t do anything of the sort.

He bought a small game hunting rifle that had purely cosmetic features that made it resemble a military rifle. A rifle that is illegal to use on human-size animals because it is so unlikely to kill them that using it on them constitutes animal cruelty.

If purely cosmetic looks can turn a weak hunting rifle into a high performance military weapon, then you really ought to be able to win a NASCAR race on your bicycle by covering it with sponsor stickers.

That One Guy (profile) says:

"Now I'm not an expert, or even have any knowledge in the field but..."

American technology companies have done some amazing things that are the envy of the world. We think that finding a way to achieve both goals simultaneously is not beyond their capabilities.

‘Meanwhile Burr and Feinstien were heard insisting that mathematicians can make two plus two equal five if they just tried harder, doctors could make people immortal if they just put their backs into it, and architects could make gravity defying housing if they just cared enough to attempt to do so.

Experts in the fields listed were unavailable for comment, having face-palmed so hard as to knock themselves unconscious, with the mathematician suffering a broken nose.’

freedomfan (profile) says:

Feinstein and Burr embarrass themselves with proposals like this. “We want strong security, but with an on-demand backdoor. We generously won’t specify how it has to be done.” Because it can’t be done, you idiots!

It’s hard to determine where their arrogance stops and their ignorance begins. Though, I suppose, the mistake is in thinking there are boundaries to either…

BTW, since any propose law will punish failure to provide the backdoor but not punish insufficiently strong security, you can guess where the compromises will come, if this nightmare passes.

Anonymous Coward says:

One of the major unspoken issues here is that especially Feinstein believes she is above the law. The very charge she levels at industries trying to keep customer’s faith in their products and services so they will buy them.

This was demonstrated when she was pushing to make drones a legal way to spy on the public. One protest group flew a drone to the window of her personal residence. Suddenly she could get to the news fast enough to protest her personal privacy being invaded. Good for the peons but not good for the overlords was the basic theme.

Another came up with the issue of Congress critters themselves being subject to having their phone calls monitored and I strongly suspect this was the driving reason behind why the House passed the newest email protection bill is to prevent these same security agencies from having a carte blanc to spying without any checks whatever on who they do it to without a warrant. It just so happened in the process of preventing the spying on their own personal uses that the public benefited.

On the whole each and every time this sort of thing is attempted to be justified it is because they are attempting to throw the Constitution out the window and want a convenient way around it.

Now if Feinstein, Burr, and the rest of the Intelligence Oversight Committee, were actually doing their jobs, I don’t think I’d have much trouble with their recommendations. So far it just looks like the usual, which is both parties are corrupt. Face it, spying on the average public has nothing to do with terrorism or even law enforcement. It has everything to do with the fear they’ve already went too far and want an early warning system in place to catch potential grass roots protesters that can and eventually will object to their methods.

As it is these spying agencies already have an information overload and can’t do the job they are claiming they are to do. It is only after the fact, when they have names, places, and methods of contact that they can find the perpetrators. It’s never before, only after the fact. It helped not at all in Boston, nor in Paris, despite both countries being able to spy. Encryption breaking won’t help either. The smart ones will just communicate face to face.

Bergman (profile) says:

Re: Re:

A further example of Feinstein’s hypocrisy is that for many years she held one of the seldom-seen California concealed gun permits.

Yes, the woman who insists that guns have no legitimate use, that they exist solely to commit murders and are useless for any other purpose owned and carried a gun for self defense purposes.

When called on it, she got rid of it. But it’s worth noting that her security detail IS still armed with items that are useless for defending people and can only be used to murder innocents. Or at least, that’s what she claims about them regularly anyway.

freedomfan (profile) says:

BTW, the Senators cluelessness about encryption is clear to many of us here because we have a basic understanding of the topic (or, at least, we are willing to listen to those who do). The terrible thing is that, what we spot here is the tip of the ignorance iceberg. If we were informed about other topic areas that come before legislatures and we watched the proceedings, it would quickly become clear that politicians are often similarly clueless about almost every topic where they propose bills, pontificate, and vote. My background is in engineering and when I listen to most legislators discuss a topic where I actually know what’s going on, I get the same sinking feeling I do when hearing these two clowns discuss encryption. I have friends with degrees in economics who almost can’t stand to watch congressional testimony on economic issues because the level of misunderstanding on display is so terrible. Same for medical doctors. Etc.

Of course, it’s unreasonable to expect someone, especially a politician, to understand the intricate details of every issue. Nevertheless, we are supposed to trust them to get up to speed on the issues in front of them and to have staff who can provide them with sound advice when the issue is beyond their grasp. But, it’s clear they haven’t done either. How could these Senators, with the resources at their disposal, have never asked someone competent whether what they are proposing is technologically and practically realistic? Do they just not care?

Politicians often have a “magic faerie dust” view of the way legislation interacts with the world. They think that writing a law somehow rewrites reality, making the stated intent of the law happen and, if necessary, making the impossible possible. On the flip side of the coin, when some system works well, they assume it must be because good legislation made it happen.

Richard (profile) says:

Re: Re:

I have friends with degrees in economics who almost can’t stand to watch congressional testimony on economic issues because the level of misunderstanding on display is so terrible.

Actually this is the worst one. Politicians only occasionally interact with the other disciplines but they are involved with economics all the time. In fact they are pretty much in charge in the economic sphere in a way that they aren’t elsewhere.

btr1701 (profile) says:


This bill is worse than useless for many reasons, not the least of which is that it only applies to entities in the US. A software developer in Belize or Madagascar will still be able to write a messaging app without legal restriction or repercussion that offers end-to-end encryption, put it up on the web, and anyone in the US can download it and use it, and boom– the FBI and the cops are right back to where they started, not being able to decrypt the evidence.

And just on a more philosophical level, it find it offensive that the government in a supposedly free society is essentially announcing as a matter of fundamental policy that one citizen has no right to communicate with another citizen in any manner that is un-eavesdropable (yes, I made up a word there) by government surveillors.

freakanatcha (profile) says:

Senators Burr & Feinstein encription liability?

Question for any lawyer out there: If the govt requires a company to place a backdoor in its product, and the product gets hacked through the backdoor, is the company liable or will the govt have to indemnify the company?

Also, will the company even be able to get insurance against a hack?

Bergman (profile) says:

Re: Senators Burr & Feinstein encription liability?

Under current law, the company would be completely liable.

Unless Burr & Feinstein write some sort of liability shield into their bill, any company that complies with it would likely be out of business shortly after the black hats crack the backdoor. They’d go bankrupt trying to defend against all the lawsuits.

That One Guy (profile) says:

Re: Re: Government: "It's their fault, take it up with them. " Company: "No, it's their fault, take it up with them."

If companies were required to introduce security vulnerabilities, and when those vulnerabilities were found and exploited I imagine that any companies sued due to it would be very quick to point out that they didn’t want to have the vulnerability in place, they had to have it, which put the blame on the government. The government would turn around and so that no no, they just said that the vulnerability had to be there, they didn’t say it had to be vulnerable to bad people, so the company was at fault.

They’d continue pointing fingers, wasting time and stalling trying to blame the other person, and any potential lawsuit would go nowhere as a result.

That One Guy (profile) says:

Re: "Experts claim that 2+2 will always equal 4, but let's not take an absolutist view of the matter..."

Which would be funny if it weren’t so dangerous. On security you can and you should take an ‘absolutist view’ on it, because deliberately flawed security is not only bad, in a very real sense it’s worse than no security at all as it provides a false sense of security, and people will take risks they otherwise wouldn’t thinking that they’re safe when they’re not.

As such there is no ‘middle ground’, no ‘compromise’ available, those that are calling for deliberately installing or requiring security flaws are wrong and demanding the impossible, while those that are calling for strong security without deliberately created flaws are right and understand what can and can not be done.

Anonymous Coward says:

It is patently obvious – even to Feinstein (and the congressional hearings with Apple and the FBI) – that encryption software is widely available from outside the US. Susan Landau even testified before congress that it would be impossible to block the importation of foreign-made encryption software.

Thus this bill isn’t intended to block the actual use of crypto by “bad people”, most of which aren’t even in American jurisdiction.

Who will this bill actually affect? US businesses and US citizens. As the mythical “terrorists” cannot be the target, why is Feinstein trying to undermine domestic business and ruin our ability to export modern technology?

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...