Burr And Feinstein Release Their Anti-Encryption Bill... And It's More Ridiculous Than Expected

from the are-they-serious? dept

They've been threatening this for months now, but Senators Richard Burr and Dianne Feinstein have finally released a "discussion draft" of their legislation to require backdoors in any encryption... and it's even more ridiculous than originally expected. Yesterday, we noted that the White House had decided to neither endorse nor oppose the bill, raising at least some questions about whether or not it would actually be released. Previously, Feinstein had said she was waiting for the White House's approval -- but apparently she and Burr decided that a lack of opposition was enough.

The basics of the bill are exactly what you'd expect. It says that any "device manufacturer, software manufacturer, electronic communication service, remote computing service, provider of wire or electronic or any person who provides a product or method to facilitate communication or the processing or storage of data" must respond to legal orders demanding access to said information. First off, this actually covers a hell of a lot more than was originally expected. By my reading, anyone providing PGP email is breaking the law -- because it's not just about device encryption, but encryption of communications in transit as well. I wonder how they expect to put that genie back in the bottle.

But, let's dig into a few other bits of insanity in the bill. It starts out with an insane assertion, right upfront:

It is the sense of Congress that--
  1. no person or entity is above the law;
  2. economic growth, prosperity, security, stability, and liberty require adherence to the rule of law;

What an absurd way to start the bill. As we've discussed over and over again, despite FBI director James Comey's statements, no one is claiming to be "above the law" here. When they offer end-to-end encryption they're not "above the law," they're just building a system to which they don't have the key. That's like saying that the safe maker who doesn't keep copies of the keys to every safe they sell is above the law. But no one requires safemakers to keep copies of every key.

Next, the claim that economic growth, prosperity, security, stability and liberty somehow depend on all of this is ridiculous. The second this bill becomes law, the US loses a massive economic advantage. Basically all of our technology becomes suspect globally, and the entire cybersecurity industry moves offshore. It will devastate American businesses outside of the US. Burr and Feinstein are basically offering a bill that completely undermines the economic prosperity of the American tech industry. This is especially insane coming from Feinstein, given that she supposedly represents so many tech companies in California.

"all providers of communications services and products (including software) should protect the privacy of United States persons through implementation of appropriate data security and still respect the rule of law and comply with all legal requirements and court orders;"

And they do... when they can. But what this bill requires is for tech companies to undermine the basics of encryption to make everyone less safe. This is not about disrespecting the rule of law, but about building systems as secure as possible to protect people from malicious attacks. You know, the very kinds of attacks that Senators Burr and Feinstein kept screaming about just months ago when they were demanding a bogus cybersecurity (really: surveillance) bill get passed by Congress. And yet now they want to undermine the very core concept of cybersecurity in the US.

"to uphold both the rule of law and protect the interests and security of the United States, all persons receiving an authorized judicial order for information or data must provide, in a timely manner, responsive, intelligible information or data, or appropriate technical assistance to obtain such information or data;"

And if that's literally impossible, as is the case with strong encryption or end-to-end encryption?

Let's be clear, here. This bill makes effective cybersecurity illegal. Think about that for a second. This is insane.

Then there's this kicker:

"Nothing in this Act may be construed to authorize any government officer to require or prohibit any specific design or operating system to be adopted by any covered entity."

Yeah, except for the entire bill which absolutely prohibits the kind of design that basically all security experts say you need to adequately protect data and communications.

There are lots of other issues as well. As Jonathan Zdziarski notes, the bill is so ridiculously drafted that it doesn't distinguish between encrypted data and deleted data. Thus, if someone deletes all their data, companies are still on the hook to magically get it back. It also requires that any information that is requested be delivered "in an intelligible format." But what if the information itself is not intelligible? What if, prior to encrypting the data through technological means, the people doing the communications used some sort of cypher or code themselves to further obfuscate the information?

The whole thing is a mess and provides much more evidence for the fact that Feinstein and Burr have absolutely no clue what they're talking about on this particular issue. Of course, there are lots of clueless people, but it's pretty disturbing that these two particularly clueless people happen to be the highest ranking members on the Senate Intelligence Committee. Perhaps, like some others, they should talk to actual intelligence community professionals, who have also been arguing that backdooring encryption is a bad idea and puts Americans at much greater risk of being victims of computer attacks.

Reader Comments

    Anonymous Coward, 8 Apr 2016 @ 12:53pm

    Obama waffles

    Yesterday, we noted that the White House had decided to neither endorse nor oppose the bill
    Notwithstanding yesterday's Reuters report discussed in the previous Techdirt article, in a competing story from yesterday, The Hill's Cory Bennett reports that deputy White House press secretary Eric Schultz says the President hasn't reached any decision. (“Encryption bill sent back to White House for Obama review”)
     . . . After the administration reviewed an initial draft and offered edits in March, several people with knowledge of the discussions said this week that officials had chosen to publicly stay out of the heated debate.

    The White House shot down those reports on Thursday.

    “I am sure we will take a look at what they are proposing and be in touch,” White House deputy press secretary Eric Schultz told reporters aboard Air Force One. “The idea that we’re going to withhold support for a bill that’s not introduced yet is inaccurate.”

    Burr said he was hearing the same thing from the administration.

    “A decision has not been made,” he told reporters.
    This is at least a different spin than the Reuters story, and offers the highlighted statement from the White House deputy press secretary. (Contrast with the Reuters story, which says: “A White House spokesman declined to comment on the pending legislation, but referred to White House press secretary Josh Earnest's statements on encryption legislation.”)
