Senators Burr & Feinstein Look To Bring Back Bill To Outlaw Real Encryption

from the apparently-they-didn't-get-the-message dept

Back in May we noted that the ridiculous and terrible anti-encryption bill from Senators Richard Burr and Dianne Feinstein was dead in the water. The bill had all sorts of problems with incredibly broad and vague requirements, but the quick summary was that tech companies would have to figure out a way to backdoor all encryption: if they received a court order, they’d be required to decrypt any communication, whatever the design of the system.

Rather than get the message that this was a really, really bad idea, Burr and Feinstein appear to have simply gone back to the drawing board to recraft the bill. Julian Sanchez got his hands on one of several prospective new drafts being floated around and has posted an analysis of the update. The draft Sanchez has seen tries to fix some of the problems, but it does not touch the bill’s central flaw: a mandate to decrypt on demand is a mandate to build in a backdoor. Sanchez sees four major changes in the draft:

(1) Narrower scope

The original discussion draft required a “covered entity” to render encrypted data “intelligible” to government agents bearing a court order if the data had been rendered unintelligible “by a feature, product, or service owned, controlled, created, or provided, by the covered entity or by a third party on behalf of the covered entity.” This revision would delete “owned,” “created,” and “provided,” so the primary mandate now applies only to a person or company that “controls” the encryption process.

(2) Limitation to law enforcement

A second change would eliminate section (B) under the bill’s definition of “court order,” which obligated recipients to comply with decryption orders issued for investigations related to “foreign intelligence, espionage, and terrorism.” The bill would then be strictly about law enforcement investigations into a variety of serious crimes, including federal drug crimes and their state equivalents.

(3) Exclusion of critical infrastructure

A new subsection in the definition of the “covered entities” to whom the bill applies would specifically exclude “critical infrastructure,” adopting the definition of that term from 42 USC §5195c.

(4) Limitation on “technical assistance” obligations

The phrase “reasonable efforts” would be added to the definition of the “technical assistance” recipients can be required to provide. The original draft’s obligation to provide whatever technical assistance is needed to isolate requested data, decrypt it, and deliver it to law enforcement would be replaced by an obligation to make “reasonable efforts” to do these things.

The first change seems like a big deal, but it is hard to parse and looks rather meaningless. Changing the requirement from covered entities to those who “control” the encryption? So what. That still means backdooring encryption; it just moves the mandate a step or two up the ladder, onto whoever operates the encryption process rather than whoever wrote or shipped the software. Sanchez reads this as possibly an attempt to block security improvements most people aren’t yet using, rather than the encryption already deployed today. I won’t repeat his whole argument here (go read it yourself), but as he notes, this may be a way to calm people down enough to pass the bill:

If this interpretation of the idea behind the proposed narrowing is right, it’s particularly politically canny. You declare you’re going to saddle every developer with a backdoor mandate, or break the mechanism everyone’s Web browser uses to make a secure connection, and you can expect a whole lot of pushback from both the tech community and the Internet citizenry. Tell people you’re going to mess with technology their security already depends upon, take away something they have now, and folks get upset. But, thanks to a well-known form of cognitive bias called “loss aversion,” they get a whole lot less upset if you prevent them from getting a benefit (here, a security improvement) most aren’t yet using. And that will be true even if, in the neverending cybersecurity arms race, it’s an improvement that’s going to be necessary over the long run even to preserve current levels of overall security against increasingly sophisticated attacks.

As for the other changes, saying this can be used only for law enforcement and not for intelligence purposes is also close to meaningless. The intelligence community has been somewhat opposed to the Burr-Feinstein bill anyway, in part because it can already break into plenty of encryption, and any mandated backdoor would only widen that access. Warrants are largely irrelevant to how the intelligence community operates, so this “limitation” limits nothing.

The final change, the “reasonable efforts” language, is clearly an attempt to appease the tech companies that spoke out loudly against the bill. It is definitely better than the “you must decrypt” language of the original, but it is hardly comforting. Remember, the FBI and DOJ insisted that what they were asking of Apple in the San Bernardino iPhone case, writing a modified OS to bypass the device’s own security, was a perfectly “reasonable” effort too. Whoever gets to define “reasonable” decides how much of a backdoor this still is.

None of this should come as much of a surprise. The push to outlaw real encryption has had a setback, but it is far from dead.


Comments on “Senators Burr & Feinstein Look To Bring Back Bill To Outlaw Real Encryption”

Tom Mink (profile) says:

Encryption control

It would certainly be up to the courts to interpret (potentially badly), but the one ultimately in control of real encryption is the person with the password. Since compelling people to divulge passwords has generally been found to be unconstitutional, I don’t know if this section really accomplishes anything other than more theater and potential litigation ammunition.

JBDragon (profile) says:

Re: Easy to get around

There’s enough third-party open encryption you can install onto phones with no backdoor, and not a single thing the U.S. Government can do to change that. Two-thirds of the encryption software made is made outside of the U.S. It’s that way because of the U.S. Government!!!

Any backdoor the U.S. Government demands be put in also means other countries will want that same access, and they would have to give it out. It’s American citizens who end up being screwed when their phones are hacked inside China. If a phone does need to be hacked, the key to get into it gets passed around and around, and I’m sure it’ll leak at some point someplace.

That One Guy (profile) says:

'No' yesterday, 'No' today, and 'No' tomorrow

Any bill that requires backdoors or broken encryption is one that should be voted against, if it’s not killed off before it even reaches the point of a vote.

It doesn’t matter how ‘good’ the language is, you’re still talking about a measure that will cause vastly more problems than it could ever solve by deliberately weakening security that millions rely on to keep their personal data safe, and for no other reason than that the voyeurs couldn’t be bothered to show the slightest bit of restraint while people and companies are taking steps to protect their privacy.

Encryption is already difficult enough to manage, intentionally crippling it and/or keeping it from being truly secure is nothing less than intentionally putting millions of people at risk, and anyone who suggests doing so deserves to be called out for their incredibly hostile stance towards public safety and security.

peter says:

definition is key (encryption...key...geddit?)

Please define “controls”. Is it the person/entity who makes the encryption software, the person/entity who distributes it, the person/entity who encrypts a message with it, the person/entity who transports the message, or the person/entity who decrypts the message?

Any lawyer could put up an argument to the court that any one of those people/entities in some way ‘controls’ the encryption process.

Anonymous Coward says:

Play ball then we can talk

Seems like a legislator who conspires with our enemies is a huge threat that should be prevented.

When the legislators supporting encryption backdoors are willing to let the public decrypt and look through all their communications then we can have a conversation.

If they have nothing to hide I’m sure they would have no problem with this request.

Justme says:

Security Theater!

If you extinguish the fire that warms a thousand souls, you will ignite a thousand fires.

I know very little about encryption, but this is my attempt using nothing but a shell script. I would be interested to see if someone can tell me what it says and how long it took them to decrypt it. [It’s not a one-time pad.]

# b9a8207db0cde67f982303b7f6d330b88bb04af4bf2bfb3af165648d3c1fdfac
snabeuoxg gticlvdtt acpnvoanv brtrkypxu qscfbvzzm xhqndipcv brgniojeh
fpoigonyh tcerxbpil ushfscbml ouabqclkx htjbrwmfi hmbppnroo hdawlciyr
sgynsnabe umrnwpsgs bbmaoeyix gsbmzxvrj scfxttvai ezogmolgs nqcpjrzab
zactzrono menqdjhgd yfkbpstfu rdaqlfspk nymvixvjr gxudozicw frqgthdil
tjzhvfsyz srxchdymw pqdxbbjsf waxznsqox gtieclwrh nypdtzrgq fxabluamu
ghypjvtsc fanwamypo mucykujtv brfmfwbil iomscdted wvuiyzfgs neprwrqgh
gdweuivzs nsndbrqcf nqeepwltb gzapquafk fnqwxtljj mwxyivhbh myfpclpui
pcmqcucmj vvscxkfmo mjrpjcgyk dhtlsidvl ucyjprzrf tqehpwbtq uiudtnqdb
muipklpje tyrsgynet rwofdvely wejbskabj uisksaqda tkujfkxxk vptmzrgqf
xgmieplew rkkhttbuz tvtrmyphd dlcgiyzsg shcdrwcli osiewetrj iabqmxmsn
ubrbmujjf cemivpzhg szeiffsnd velywejbx xnvprznkf nqwxezrcl orhlfudts
qoyowaiik ljkgkypzv atiohsvon yrrjufkye jvwscbaca aiuuokkcq kuttvjrxx
fmvmjmpzg ogxddilul yptebqkif gaiiayvrh xeaxxnvpb mtngditot ykypaqcsc
fgxyqognv gmieplvoh ndzdltcfh cwonyrrjm yphpdzsgu kfbrwiuuo kkcqkddel
urwmfihqu iajynqdda wwefbsxiv wlwzngiec kqdhnybgz apquafkfn qwxtljjmw
xyivhbmbn gmoxhaipc lrrhhyzwt tiohsvony rrjufkotk tvurxwaus iedqemmze
tbvrstesz lbqjifzsu pfkrnwefb szavquifn snmrntkmj fyosnbzdg tqdhndoug
kxnfvasbl uttnohomg ajeczvrgn yddtuqozn vseybljcg kqpjpastf azwaqlufm
knykxhtjb rwmfihrzr wyhaprdsg sxb

Roger Strong (profile) says:

What Happens Next.

Right now the talk is of mandatory back doors for OS’s. People can negate those with encryption in their apps. Apps from countries without mandatory back doors, if need be.

Ban those with a new bill, and then what about programming tools? Functions for AES and other encryption standards are built right into the .NET framework. An amateur can implement them with no real understanding of how they work. (I know; I’ve done it.) Presumably frameworks for Mac and Linux have them too. It follows that these frameworks will get their own bill demanding back doors.

The only thing this bill will do is force people and companies to other countries for OS’s, apps and programming tools. Making Ted Cruz’s grandstanding over ICANN’s IANA seem even more silly.
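To illustrate the point made in the comment above, that authenticated encryption is a standard-library call away in any modern framework, here is an added example that is not part of the original post or the commenter’s code. It uses Go’s standard library instead of .NET (the verifier runs Go; the .NET equivalent lives in `System.Security.Cryptography`). It shows the part that matters for the "who controls the encryption process" debate: whoever holds the key can open the message, and anyone else, including the vendor who wrote the library, gets only an authentication failure, even if they alter a single byte. The function names and the sample message are my own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Seal encrypts plaintext under a 16-, 24- or 32-byte key with AES-GCM and
// returns nonce || ciphertext || tag. The nonce comes from crypto/rand; a
// nonce reused under the same key breaks GCM, so never derive it from the
// message or a counter you cannot guarantee is unique.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to dst; passing the nonce as dst
	// gives the nonce-prefixed layout that Open expects.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. It fails, revealing nothing about the plaintext, when
// the key is wrong or any byte of nonce, ciphertext or tag was altered.
func Open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed message too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// NewKey returns a fresh random 256-bit key. Whoever holds it is the only
// party able to Open messages sealed under it; there is no second key.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample message, not data from the original page.
	sealed, err := Seal(key, []byte("meet at the usual place"))
	if err != nil {
		panic(err)
	}
	if pt, err := Open(key, sealed); err == nil {
		fmt.Printf("right key:  %q\n", pt)
	}
	other, _ := NewKey()
	if _, err := Open(other, sealed); err != nil {
		fmt.Println("wrong key: ", err)
	}
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the tag
	if _, err := Open(key, sealed); err != nil {
		fmt.Println("tampered:  ", err)
	}
}
```

Nothing in this code is hard to write, which is the commenter’s point: a mandate aimed at "whoever controls the encryption process" ends up aimed at every developer who calls a standard-library primitive, or at the standard library itself.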

That One Guy (profile) says:

Re: Good luck with that

Getting rid of encryption entirely simply isn’t possible.

Criminals/terrorists/communists will just ignore the law and use non-crippled encryption, and tech-savvy people will do the same. The goal is to make the majority of people, who don’t fit into those groups, vulnerable, to allow the ‘Grab it all!’ voyeurs to continue on, business as usual, grabbing everything they can, and if they’re really lucky maybe finding an actual criminal at some point in the process.

That crippled encryption will result in a massive number of preventable crimes and violations of privacy is just a sacrifice the public (not the politicians, of course) will have to make in order to protect the public’s security and privacy.

Anonymous Coward says:

Put it in a way they can understand it

The issue, as I see it, is that we have lawyers trying to dictate how tech works. This is like trying to pass a law to make Pi equal to 3 or that water runs uphill. Pass all the laws you want, it won’t change de facto situations.

So, the way I would phrase it is “Trying to backdoor encryption is like trying to unring a bell. It’s just not possible.”

Eldakka (profile) says:

Reasonable Effort?

Apple to FBI:

“Sure, we could break the encryption on that message. It’ll be a brute-force attack, take 18 months, and cost $6.3 billion in Amazon AWS fees for the compute power. Where should we send the bill?”

FBI: “This is a really important case, this person’s been leaking that the director spits his chewing gum on the sidewalk rather than into bins! We can cover that, send the bill to our head office. We’ll indicate the 150 text messages we want decrypted.”

Apple: “150? The quote we gave was for ONE message decryption.”

That One Guy (profile) says:

Re: Reasonable Effort?

Keep in mind the DOJ argued that forcing Apple to create a modified OS to bypass their own encryption was a ‘reasonable request’, so depending on who gets to decide what is and is not ‘reasonable’ all sorts of demands could get the greenlight. If the FISA ‘court’ got the job for example pretty much anything would be considered ‘reasonable’ to demand from a company, because that lot simply doesn’t have the ability to say ‘no’ on anything of substance.

mcinsand (profile) says:

Thank you, Senator Burr!

2016 is truly the worst of the elections that I have seen in my lifetime, and our candidate choices embarrass me as a US citizen. There is one exception, however, with respect to my state senator. I am a North Carolina resident, which means that Senator Burr will be on my voting ticket. The only vote that really excites and energizes me this year is voting for whoever has the best chance of sending Burr home. I haven’t heard or looked to see who is running against him, yet, but that doesn’t matter. To fail to see how weakening encryption weakens our national security is to demonstrate a lack of the reasoning skills that should be minimal when making national decisions. I feel much better rolling the dice on an unknown than continuing with such mental incompetence.

hack the planet er USA says:

i hope this passes

I hope this passes; then the USA can get hacked so much you all will realize what kind of idiots you really have running your nation….

Just think: someone gave me all the FBI honey pots so I can easily get proper proxies… and guess what, boneheaded federal idiots… it won’t be me doing anything, because I’m not the only one that knows….

You want capitalism, you get it, my dearies!!!!!

John (profile) says:

Outlaw Real Encryption?!?!

Two issues.
1) How does one mandate “WORLD WIDE” encryption back doors?
Answer: one doesn’t! Won’t happen! Someone will always have a real encryption algorithm up and working. It/they may not be available in the USA, but overseas: open market, open access!
2) When the encryption is broken, and one knows the hacker/cracker crews will put in many sleepless nights to break it, who pays the millions if not billions of dollars that thousands of users will need to spend on some new “back door” encryption?
I know it will NOT be the original programmer, NOR her company. The GOV. who mandated it now has to pay, and big time, for the new version and the dissemination of same.
