Senators Burr & Feinstein Look To Bring Back Bill To Outlaw Real Encryption
from the apparently-they-didn't-get-the-message dept
Back in May we noted that the ridiculous and terrible anti-encryption bill from Senators Richard Burr and Dianne Feinstein was dead in the water. The bill had all sorts of problems with incredibly broad and vague requirements, but the quick summary was that tech companies would have to figure out a way to backdoor all encryption, because if they received a warrant, they’d be required to decrypt any communication.
Rather than get the message that this was a really, really bad idea, it appears that Burr and Feinstein have just gone back to the drawing board, trying to recraft the bill. Julian Sanchez got his hands on one of a few prospective new drafts that are being floated around and has an analysis of the update. The draft that Sanchez has seen tries to fix some of the problems, but doesn’t really fix the main problems of the bill. As Sanchez points out he sees four major changes in the draft:
(1) Narrower scope
The original discussion draft required a ?covered entity? to render encrypted data ?intelligible? to government agents bearing a court order if the data had been rendered unintelligible ?by a feature, product, or service owned, controlled, created, or provided, by the covered entity or by a third party on behalf of the covered entity.? This revision would delete ?owned,? ?created,? and ?provided??so the primary mandate now applies only to a person or company that ?controls? the encryption process.
(2) Limitation to law enforcement
A second change would eliminate section (B) under the bill?s definition of ?court order,? which obligated recipients to comply with decryption orders issued for investigations related to ?foreign intelligence, espionage, and terrorism.? The bill would then be strictly about law enforcement investigations into a variety of serious crimes, including federal drug crimes and their state equivalents.
(3) Exclusion of critical infrastructure
A new subsection in the definition of the ?covered entities? to whom the bill applies would specifically exclude ?critical infrastructure,? adopting the definition of that term from 42 USC ?5195c.
(4) Limitation on ?technical assistance? obligations
The phrase ?reasonable efforts? would be added to the definition of the ?technical assistance? recipients can be required to provide. The original draft?s obligation to provide whatever technical assistance is needed to isolate requested data, decrypt it, and deliver it to law enforcement would be replaced by an obligation to make ?reasonable efforts? to do these things.
The first change seems like a big deal, but it also is hard to parse out and seems rather meaningless. Changing the requirement from covered entities to those who “control” the encryption? So what. That basically still means backdooring encryption, it just might mean going up a step or two in the ladder. Sanchez reads this as possibly being an attempt to effectively backdoor future types of encryption, less so than what we have today. I won’t repeat his whole argument here — go read it yourself — but as he notes, this might be a way to calm people down to pass this bill:
If this interpretation of idea behind the proposed narrowing is right, it?s particularly politically canny. You declare you?re going to saddle every developer with a backdoor mandate, or break the mechanism everyone?s Web browser uses to make a secure connection, and you can expect a whole lot of pushback from both the tech community and the Internet citizenry. Tell people you?re going to mess with technology their security already depends upon?take away something they have now?and folks get upset. But, thanks to a well-known form of cognitive bias called ?loss aversion,? they get a whole lot less upset if you prevent them from getting a benefit (here, a security improvement) most aren?t yet using. And that will be true even if, in the neverending cybersecurity arms race, it?s an improvement that?s going to be necessary over the long run even to preserve current levels of overall security against increasingly sophisticated attacks.
As for the other changes, saying that this can’t be used for intelligence purposes, but just law enforcement, is also kind of meaningless. The intel community has actually been somewhat opposed to the Burr Feinstein bill anyway — in part because they can already break into lots of encryption. And if this new backdoor is required, then they’ll be able to break into more. The warrants are meaningless to the intel community for the most part, so this “limitation” is no limitation at all.
The final change about “reasonable efforts” is clearly an attempt to appease the tech companies that spoke out loudly against the bill. It’s definitely better than the “you must decrypt” kind of language in the original, but it’s hardly comforting. Remember, the FBI/DOJ insisted that what it was asking of Apple in the San Bernardino iPhone case was a perfectly “reasonable” effort as well.
Either way, this shouldn’t be much of a surprise, but it’s clear that the whole push to outlaw real encryption may have had a setback, but is far from dead.