Why Doesn't The Anti-Encryption Bill List Any Penalties?
from the they'll-be-added-in-later dept
We’ve already written a bit about the technologically ignorant bill from Senators Richard Burr and Dianne Feinstein that basically outlaws any encryption system that doesn’t include backdoors for law enforcement. However, there are still some points in the bill that have left some folks scratching their heads. In particular, the lack of any penalty at all has some commenters wondering what the bill actually does. The bill says that it doesn’t “require or prohibit any specific design or operating system,” but at the same time it does require that anyone offering or supporting any kind of encryption be able to pass along unencrypted versions of the communication to law enforcement when presented with a legitimate court order or warrant (so not just a warrant…). As Orin Kerr noted, the bill mandates assistance, rather than using the more typical requirement of “reasonable” assistance.
Instead, the bill is explicit that if you receive an order, you have to hand over the unencrypted data. The law specifically reads: “a covered entity that receives a court order from a government for information or data shall provide such information or data to such government in an intelligible format; or provide such technical assistance as is necessary to obtain such information or data in an intelligible format or to achieve the purpose of the court order.” No best efforts. No reasonable assistance in the face of situations where that can’t be done. The bill requires that you provide unencrypted data. Or else.
Or else… what? The bill includes absolutely nothing on the penalties for failing to comply. This has led some on Twitter (including a guy I’ve been discussing it with who deletes all his tweets after tweeting them or I’d post them here…) to argue that the bill actually promotes encryption, since if a company can’t provide unencrypted data, then the law has no impact. That’s not true, however. First of all, both Burr and Feinstein have been going on and on about demanding backdoors and whining about encryption for a long time. There’s no way they wrote a bill that would support stronger encryption. Second, all of the rest of the language in the bill includes various statements like “shall provide” and other items that leave no wiggle room at all. Providing any kind of encryption without providing a backdoor for law enforcement would violate this law.
So… why the lack of penalties? There are a few theories floating around. (1) This is still a draft of the bill. Those penalties will be added in later, after everyone’s fought over the rest of the bill. Leaving out the penalties at this stage lets Feinstein and Burr focus the fight. (2) The bill will allow courts to claim that any company not providing such unencrypted text is in contempt and issue increasingly large fines that make it practically impossible to be a business in the US without providing backdoors to encryption and basically demolishing everyone’s security. Neither option is appealing.
This bill is bad in so many ways and no one’s focusing on the punishment part because it’s not even in the bill yet — but make no mistake — if this bill passes, there will be punishment (potentially severe punishment) for any company that wants to use actual encryption.
Filed Under: dianne feinstein, encryption, going dark, penalties, richard burr
Comments on “Why Doesn't The Anti-Encryption Bill List Any Penalties?”
Get the Police State first, then Capital punishment will work fine…you don’t need to include anything in the bill.
> …if this bill passes, there will be punishment (potentially severe punishment) for any company that wants to use actual encryption.
For any American company, operating in America.
Encryption and privacy will still be very much in demand in other countries. There would simply be American versions of products sold without it.
Apple and other American-based multinational companies would do this too. Otherwise Samsung, HTC and others will use it as a selling point against them elsewhere.
How to prevent Americans from using foreign-made phones and encryption apps is a problem for Burr and Feinstein to explain.
Re: Something must be done!
Companies in the US sell products or offer services with encryption, and criminals use it to avoid justice.
Something must be done!
In response, a law is passed such that any company selling products or offering services in the US that includes encryption is forced to deliberately cripple said encryption, causing a great many of them to shut down or shift elsewhere, leading to a hefty blow to the economy short-term and long.
Something has been done!
However, there’s still the problem with products and software created and sold outside the US which contains working encryption, and is shipped over or simply downloaded from any computer with a working connection to the internet, allowing criminals to continue to use encryption to protect their privacy and deeds.
Something must be done!
In response, a new law is passed that criminalizes second-hand sales of such products, and the mere possession of ‘unauthorized’ encryption software is now considered a crime.
Something has been done!
As a result any law abiding person or company in the US is forced to use deliberately weak encryption in their products and services, leading to an absolute explosion in crime related to electronic devices and digital information.
Something… has been done?
And meanwhile the theoretical targets of the anti-encryption laws, terrorists, criminals, and communists continue to completely ignore the law as they are known to do, and are the only ones with working encryption to protect their data and hide their activity.
… victory at last?
Re: Re: Something must be done!
Or, you know, companies can flee to friendlier countries and let the US implode under the weight of its own fear and legislative incompetence?
Then build a statue for Feinstein and Burr for actually managing to do what no terrorist could: destroy the whole country.
Re: Re: Something must be done!
You forgot pirates.
Also, you forgot to add the part where the terrorists will use that weak encryption to their benefit.
As in, you know what an ITS is? That thing you got on cars to aid with your driving.
Imagine what an evil terrorist can do with access to what your car tells you, or even better, to the controls of your car…
Why would you need to send guys with AKs when you can always have some car hitting a gas truck at max speed in a crowded highway?
Re: Re: Something must be done!
When encryption is outlawed, only outlaws will have encryption. You’re no doubt familiar with the age-old version of this argument:
Cum catapultae proscriptae erunt tum soli proscripti catapultas habebunt. (When catapults are outlawed, only outlaws will have catapults.)
Re: Re: Re: Fun historical footnote.
Crossbows, which were much easier to use than bows and punched through all but the heaviest of armor were banned (allegedly only against Christians) by Pope Innocent II.
Military belligerents used them anyway, since not using them against those who did multiplied casualties. The approach most took was to use them and beg for forgiveness later (which was had when spoils were used to finance new churches).
So by the time we saw Arquebuses (hook gonnes, essentially hand cannons that had a handle), they fit right in.
Re: Re: Something must be done!
If you mean the US government when you say criminals and terrorists, then yeah, that seems to be their goal.
Re: Re:
> There would simply be American versions of products sold without it.
Well the first problem is the obvious, “we will no longer allow your stuff through customs.” It doesn’t matter if they can’t get the company directly, they’ll just prevent their products from entering the US.
It also won’t work for companies with any operations in America. If someone shows up with a foreign manufactured phone with encryption, the company would still be obligated to open it. Sure, they can’t go after the foreign operations, but they can easily go after the American division.
Re: Re: Re:
You might block bulk-importing of phones, but stopping visiting tourists and business people from bringing their phones with them probably won’t fly. One could also smuggle dozens of iPhones across the border, say, in a bale of marijuana.
Going after the American division of a company for information held by their overseas divisions is problematic. Techdirt has covered the case where a US magistrate judge ruled that Microsoft had to comply with a warrant asking for data held on servers in Dublin. (The Irish government has since disagreed, saying that the emails should be disclosed only on request to the Irish government.) It’s not settled yet, but imagine the uproar after a Microsoft loss, when foreign governments cite the case to demand information about Americans on US servers.
What happens when Apple US (with a government back door on US phones) is ordered to unlock an Irish phone, and is unable to do so because the Irish phones don’t have the back door?
Re: Re: Re: Re:
> You might block bulk-importing of phones, but stopping visiting tourists and business people from bringing their phones with them probably won’t fly. One could also smuggle dozens of iPhones across the border, say, in a bale of marijuana.
Yes, but we’re not talking about the existence of illegal phones, or the relative handful of tourists and business travelers. We’re talking about denying companies access to one of the largest phone markets in the world. That is how companies die. This isn’t about black markets or smuggling or installing your own encryption, it’s about major corporations. And it’s highly unlikely major multinational corporations are going to be able to smuggle their products into the US.
And really, “dozens of iPhones?” That’s an accounting error to Apple.
> What happens when Apple US (with a government back door on US phones) is ordered to unlock an Irish phone, and is unable to do so because the Irish phones don’t have the back door?
Then one of the most profitable segments of their business is going to be fined into oblivion until their shareholders demand they install backdoors, or they leave the US entirely. That is, if the US regulators will let them leave the US…
Re: Re:
Well, if Trump gets to be president then he’ll just (as he said) make all non-whites into slaves producing goods for use within the US itself. Because as Trump puts it, “they’re all criminals, rapists and thieves anyway”.
So Americans would be forced to use non-encrypted, unsecure “Trump-branded” phones, computers etc.
It’s such a terrible situation that if he IS elected, it’s actually possible that companies such as Microsoft, Apple and Google might relocate OUT of the US to protect their non-US customer base.
backdoor passwords...
Let’s kickstart an encryption that complies… the backdoor password for the gov will be “f*ck the gov” or “i am an asshat” and only usable on December 25th, 3199… ensuring that it will be totally useless by that time… but hey, it’s a backdoor and it will provide legible data…
Re: backdoor passwords...
No! It must be magical. So it has to include moon phases, planet alignment, leprechauns and dwarvish doors that appear in the solstice. Or something.
More tools for abuse by LEOs coming
“Gang signs” turned into an abusive weapon, to arrest potential gang members because they made a shape with their fingers or hands. “Did you see what he did with his hands?”
The new current. “I don’t know what he said. It must have been code. Get the handcuffs! All communication must be in plain English and legible to Law Enforcement!” “Was that a mumble, or code directed at a partner? Draw!”
Of course the tools are mostly abused on those in our society that are already mostly abused. Racist? applied to dark skin. Sexist? applied to limp wrists. Classist? applied to empty wallets and dirty pants.
New tools for the lowest in our society.
2nd choice
I actually think your second option is the right one: Without specific penalties, it would pretty much be a contempt style situation. The implication here of course is that not only could the companies be in contempt, but individuals from the company could also find themselves in the soup.
My guess also is that this is only the first draft of many, which will likely die with the session ending after the election cycle is complete. The only way any of this is likely to pass is by congress critters who have been voted out, and who want to strike back with impunity.
No specified penalties is a feature...
The lack of penalties would leave a gap in the law that clearly can be covered by the All Writs Act allowing the DOJ to ask a judge to assess whatever penalty they want regardless of how harsh and inappropriate it may be.
ISDS action?
I wonder if a company like Samsung could argue that such a law is a non-tariff barrier to selling their cellphones in the USA and then initiate an ISDS case against the US government (post TPP adoption, naturally).
The technological equivalent of the 18th amendment
In ten years high end crypto is going to be in EVERYTHING. These guys are essentially trying to ban responsible network engineering. And that is before we even bring up how this affects FOSS.
Clearly they don’t understand the social or economic ramifications of what they’re saying. This law would massively increase the barrier to entry for hundreds of burgeoning companies, and thousands more that don’t yet exist.
This isn’t about law enforcement. It is about discriminating against sophisticated technology and the people who use it. And while they probably don’t think so, I imagine there were plenty of attendees at the Wannsee conference who didn’t go there thinking it was about what it ended up being about.
This isn’t about encryption. We know that because they don’t know enough about the technology for it to BE about encryption. In the absence of plausible negligence, we are left with what remains: fear and malice steeping in a cauldron of ignorance.
Congressmen: You are flea bitten and lame. Please retire to pasture. We are saddened at seeing you pull futilely in your traces.
If Trump got the nomination and vowed to veto any encryption bill that made it to his desk, I would vote for him.
That is how far off-base Dianne Feinstein is on this issue.
Re: Re:
Thank god his current stance is anti-encryption then. That said, he has flip-flopped a lot.
Curious wording or bad wording?
Quote: “a court order from a government“.
I thought court orders come from judges, not governments. Does this mean there will never be a legal court order from a government?
Otherwise: This allows any government to ‘shop’ for information via a court order in the US and any corporation that wants to sell in the US is bound to oblige.
(Expect a lot of embassies and/or consulates to appear in West Texas, if this gets through).
Don't need them
Penalties? We don’t need no stinking penalties.
We got National Security Letters, and penalties for those. And rendition, lots of rendition. And government contracts to take away.
We don’t need no penalties, not in this law.
I'm glad they left it out
If they included the penalties, then a lot of the debate would shift away from the principles involved and toward the severity of punishment.
Senator Burr: 'Every situation is going to be different'
“Intel chair: Encryption bill won’t specify noncompliance penalties”, by Julian Hattem, The Hill, Apr 12, 2016
Re: White House skepticism [was Senator Burr: 'Every situation is going to be different']
Another article today from The Hill expands on White House spokesman Josh Earnest’s remarks. Katie Bo Williams’ story situates the White House spokesman’s latest statement as a continuation of his position in March. (“White House doubts ‘constructive’ encryption legislation can pass”, Apr 12, 2016)
Re: Re: White House skepticism [was Senator Burr: 'Every situation is going to be different']
Press Briefing by Press Secretary Josh Earnest, The White House, Apr 12, 2016
Scanning quickly through the transcript of today’s White House press briefing, it looks like the question which begins with the partial extract blockquoted here, the press secretary’s response to this question, and the immediate followup question and response, are the only Q&As addressing the “encryption” topic at this briefing.
Re: Senator Burr: 'Every situation is going to be different'
As somebody at The Hill commented:
“Obviously, the bill’s authors are going to have to address the situation of being UNABLE to comply with an order versus being UNWILLING to do so for two important reasons: (1) It’s only common sense that nobody under the sun is going to “dumb-down” a state of the art security algorithm to accommodate law enforcement later (it’s so painfully obvious that’s what they’re attempting to pull off here). To do so renders data vulnerable to theft and surveillance by any number of other third parties. And (2) a myriad of other perfectly valid technical difficulties that could easily stand in the way of successfully delivering intelligible data or fruitful assistance.”
Another example of a new law trying to be brought in by people who don’t know what the hell they are talking about, but want to make out to the public that they are doing SOMETHING that is for the good of all! Had the government not got on such a high horse in the first place, expecting to get everything from everyone, while giving absolutely nothing out, this ridiculous situation wouldn’t exist.
I wonder how long it will be and who will get the blame once this comes into being and things go totally shit-faced and someone gets into something, gains the info needed and really screws the USA? Could be interesting to see which of these two clowns back-pedals the quickest!
Re: Re:
In this case the government has learnt from the discussion, and is making the companies that provide the backdoors responsible for the security of those backdoors; so when the inevitable happens, it is not the government’s responsibility or problem.
That is why it’s so important to publicly demand the inclusion of “where possible” in the bill. Far from just an “out” that would allow for the usage of state of the art uncrackable encryption (e.g. perfect forward secrecy, etc.,), but even when back doors ARE utilized, other things could go technically wrong that would stand in the way of delivering intelligible data whether directly, or through assistance.
They are anti-encryption because they want to catch whistle-blowers and journalists.
This proposed law is incomplete elsewhere as well
It doesn’t cover the possession and use of quality encryption. That is, cryptography software that is installed by the user. If a telecomm provider detects any data-streams it can’t decrypt, there would also need to be a reporting provision. But that can be dealt with in bill version 2.0.
One stratagem:
Step one: Implement practically impenetrable encryption.
Step two: When court demands the plaintext via AWA or court order or whatevs, deploy one PC to break the encrypted code via brute force.
Step three: Implement another computer for each separate instance up to a reasonable number (two, a dozen, a hundred, depending on the size of your business). After that future cases go onto a queue.
Step four: Upon request for progress reports declare “We’re still working on it. So far, we’ve tried X keys.” Or “Your case is on our queue. You have Y cases ahead of you.”
Step five: Insist repeatedly and without perjury your business is doing all it can reasonably do, and that more or faster computers is not going to unlock the data fast enough for it to be relevant (e.g. in our lifetime).
Re: One stratagem:
“Step five: Insist repeatedly and without perjury your business is doing all it can reasonably do, and that more or faster computers is not going to unlock the data fast enough for it to be relevant (e.g. in our lifetime).”
The courts would not be amused by this. You build the wall and then try to point out it’s too high to climb – at some point, the courts will order you to firmware update everyone’s devices back to a level which can be climbed.
Your concept would be called “shooting yourself in the foot” except you would be both feet and perhaps a leg.
Re: Re: One stratagem:
Well, Whatever, there’s always the stratagem of last resort, using encryption with plausible deniability that makes your data indistinguishable (from the outside) from garbage data in unused data sectors.
Then they can open it all they want and encounter nothing, and it’s going to be difficult to detect hidden data without getting a lot of false positives.
Tell me, Whatever, how many people incarcerated innocently by the state do you find to be acceptable collateral damage for the alleged guarantee of your personal safety?
Re: Re: Addressing the issue
Remember that any wall low enough to be climbed by agents of this state can also be climbed by agents of ISIL and China, and countless hackers and criminals.
That is why this whole bill and train of thought is stupid.
Re: One stratagem:
Of course, the bill contains: “…must provide, in a timely manner…”, which is also, I suppose, the inspiration for this: http://www.motherjones.com/kevin-drum/2016/04/yet-another-feinstein-burr-bill-has-been-leaked
Re: One Stratagem
Aside from the obvious folly of assuming total global US hegemony over encryption products of all sorts (just saying it is like reading Hunter Thompson out loud) there is the interesting point implied by Uriel-238 that only encryption which appears to be encryption can be unencrypted on demand. Automated book cyphers could be problematic for the feds and a consideration of Shannon’s Mathematical Theory of Communication might cast up other useful paradigms.
Does DRM = encryption?
So would this law require a backdoor in every DRM-implementation?
> “such information or data to such government in an intelligible format”
A lot of scientists are in danger; for law enforcement there is no “intelligible format” for string theory.
Draft Bill Official Release
From Senator Burr’s official Senate website:
“Intelligence Committee Leaders Release Discussion Draft of Encryption Legislation” (Press release), Apr 13, 2016
For those who weren’t quite paying close attention, note that the purported discussion draft Techdirt discussed last Friday was a leaked copy. Following that leak, Senator Feinstein publicly refused to confirm the provenance of the leaked document.
So today the discussion draft is officially released.
(H/T Kevin Bankston)
Re: Draft Bill Official Release
Hmmm… I may be misremembering the exact news coverage on this point.
“The Senate’s Draft Encryption Bill Is ‘Ludicrous, Dangerous, Technically Illiterate’ ”, by Andy Greenberg, Wired, April 8, 2016
I had recalled that it was Senator Feinstein who herself made some sort of statement using words close to ‘didn’t believe was consistent with the facts.’ But now I don’t recall at all where that was reported.
Anyhow, now that the discussion draft has been officially released by Senator Burr’s office, precise exactitude on this point probably doesn’t matter that much anymore.