Senators Burr & Feinstein Look To Bring Back Bill To Outlaw Real Encryption

from the apparently-they-didn't-get-the-message dept

Back in May we noted that the ridiculous and terrible anti-encryption bill from Senators Richard Burr and Dianne Feinstein was dead in the water. The bill had all sorts of problems with incredibly broad and vague requirements, but the quick summary was that tech companies would have to figure out a way to backdoor all encryption, because if they received a warrant, they'd be required to decrypt any communication.

Rather than get the message that this was a really, really bad idea, it appears that Burr and Feinstein have just gone back to the drawing board, trying to recraft the bill. Julian Sanchez got his hands on one of a few prospective new drafts that are being floated around and has an analysis of the update. The draft that Sanchez has seen tries to fix some of the problems, but doesn't really fix the main problems of the bill. Sanchez sees four major changes in the draft:

(1) Narrower scope

The original discussion draft required a “covered entity” to render encrypted data “intelligible” to government agents bearing a court order if the data had been rendered unintelligible “by a feature, product, or service owned, controlled, created, or provided, by the covered entity or by a third party on behalf of the covered entity.” This revision would delete “owned,” “created,” and “provided”—so the primary mandate now applies only to a person or company that “controls” the encryption process.

(2) Limitation to law enforcement

A second change would eliminate section (B) under the bill’s definition of “court order,” which obligated recipients to comply with decryption orders issued for investigations related to “foreign intelligence, espionage, and terrorism.” The bill would then be strictly about law enforcement investigations into a variety of serious crimes, including federal drug crimes and their state equivalents.

(3) Exclusion of critical infrastructure

A new subsection in the definition of the “covered entities” to whom the bill applies would specifically exclude “critical infrastructure,” adopting the definition of that term from 42 USC §5195c.

(4) Limitation on “technical assistance” obligations

The phrase “reasonable efforts” would be added to the definition of the “technical assistance” recipients can be required to provide. The original draft’s obligation to provide whatever technical assistance is needed to isolate requested data, decrypt it, and deliver it to law enforcement would be replaced by an obligation to make “reasonable efforts” to do these things.

The first change seems like a big deal, but it also is hard to parse out and seems rather meaningless. Changing the requirement from covered entities to those who "control" the encryption? So what. That basically still means backdooring encryption, it just might mean going up a step or two in the ladder. Sanchez reads this as possibly being an attempt to effectively backdoor future types of encryption, less so than what we have today. I won't repeat his whole argument here -- go read it yourself -- but as he notes, this might be a way to calm people down to pass this bill:

If this interpretation of idea behind the proposed narrowing is right, it’s particularly politically canny. You declare you’re going to saddle every developer with a backdoor mandate, or break the mechanism everyone’s Web browser uses to make a secure connection, and you can expect a whole lot of pushback from both the tech community and the Internet citizenry. Tell people you’re going to mess with technology their security already depends upon—take away something they have now—and folks get upset. But, thanks to a well-known form of cognitive bias called “loss aversion,” they get a whole lot less upset if you prevent them from getting a benefit (here, a security improvement) most aren’t yet using. And that will be true even if, in the neverending cybersecurity arms race, it’s an improvement that’s going to be necessary over the long run even to preserve current levels of overall security against increasingly sophisticated attacks.

As for the other changes, saying that this can't be used for intelligence purposes, but just law enforcement, is also kind of meaningless. The intel community has actually been somewhat opposed to the Burr Feinstein bill anyway -- in part because they can already break into lots of encryption. And if this new backdoor is required, then they'll be able to break into more. The warrants are meaningless to the intel community for the most part, so this "limitation" is no limitation at all.

The final change about "reasonable efforts" is clearly an attempt to appease the tech companies that spoke out loudly against the bill. It's definitely better than the "you must decrypt" kind of language in the original, but it's hardly comforting. Remember, the FBI/DOJ insisted that what it was asking of Apple in the San Bernardino iPhone case was a perfectly "reasonable" effort as well.

Either way, this shouldn't be much of a surprise: the whole push to outlaw real encryption may have had a setback, but it is clearly far from dead.

Reader Comments

  • John David Galt (profile), 9 Sep 2016 @ 7:58pm

    When does DiFi come up for reelection? We've just GOT to agree on someone who can defeat her.

    • madasahatter (profile), 10 Sep 2016 @ 7:56am

      Re:

      Given she is from CA, I would think Silicon Valley could find and found someone to trash her in the primaries when she does come up for reelection.

      • Anonymous Coward, 12 Sep 2016 @ 6:07am

        Re: Re:

        Under the jungle primary system she could end up facing a Democrat in the general election. They only need to be the top 2 vote getters to get to the general election.

        A Democrat would stand a much better chance beating her than a Republican in the general election, but it would still be a tough fight.

    • Unanimous Cow Herd, 11 Sep 2016 @ 10:37pm

      Re:

      We've just GOT to agree on someone who can defeat her.

      Diebold?

    • JBDragon (profile), 12 Sep 2016 @ 7:30am

      Re:

      I know I've never voted for that criminal!!! Once you get a Democrat into office, it's pretty much impossible to get them out unless they die of old age. Which that may happen in this case also.

    • JBDragon (profile), 12 Sep 2016 @ 9:56am

      Re:

      Once you get a Democrat in office, it's almost impossible to get them out. I've never once voted for her. Who in the right mind would being the huge Criminal that she is, but in general, the only way to get rid of them is to die of old age. That old hag will be around forever.

  • Tom Mink (profile), 9 Sep 2016 @ 9:07pm

    Encryption control

    It would certainly be up to the courts to interpret (potentially badly) but the one ultimately in control of real encryption is the person with the password. Since compelling people to divulge passwords has generally been found to be unconstitutional, I don't know if this section really accomplishes anything other than more theater and potential litigation ammunition.

    • Padpaw (profile), 11 Sep 2016 @ 7:30am

      Re: Encryption control

      The US government seems to pride itself on ignoring people's constitutional rights for the last several decades. So that's next to no defense for the people.

  • David (profile), 9 Sep 2016 @ 10:20pm

    Easy to get around

    The whole thing is stupid. If I have something I want to hide, I would just use a version of the code written before the backdoor was added. If I'm using open source, I can modify the code so the backdoor won't work. This is harder if I'm using a closed system like a cell phone but it isn't impossible.

    • JBDragon (profile), 12 Sep 2016 @ 7:35am

      Re: Easy to get around

      There's enough 3rd party open encryption you can install onto phones with no backdoor and not a single thing the U.S. Government can do to change that. 2/3rd of the encryption software made is made outside of the U.S. It's that way because of the U.S. Government!!!

      Any backdoor the U.S. Government demands put in, also means other countries will want that same access and they would have to give it out. It's American citizens that end up being screwed as your phones are hacked inside China, if it does need to be hacked as the key to get into the phone gets passed around and around, I'm sure it'll leak at some point someplace.

  • Anonymous Coward, 9 Sep 2016 @ 10:45pm

    Garbage in, garbage out. This is the best we have to offer folks, how sad for us.

  • That One Guy (profile), 9 Sep 2016 @ 11:41pm

    'No' yesterday, 'No' today, and 'No' tomorrow

    Any bill that requires backdoors or broken encryption is one that should be voted against, if it's not killed off before it even reaches the point of a vote.

    It doesn't matter how 'good' the language is, you're still talking about a measure that will cause vastly more problems than it could ever solve by deliberately weakening security that millions rely on to keep their personal data safe, and for no other reason than the voyeurs couldn't be bothered to show the slightest bit of restraint and people and companies are taking steps to protect their privacy.

    Encryption is already difficult enough to manage, intentionally crippling it and/or keeping it from being truly secure is nothing less than intentionally putting millions of people at risk, and anyone who suggests doing so deserves to be called out for their incredibly hostile stance towards public safety and security.

  • peter, 10 Sep 2016 @ 1:39am

    definition is key (encryption...key...geddit?)

    Please define "controls". Is it the person/entity who makes the encryption software, the person/entity who distributes it, the person/entity who encrypts a message with it, the person/entity who transports the message or the person/entity who decrypts the message?

    Any lawyer could put up an argument to the court that any one of those people/entities in some way 'controls' the encryption process.

  • Anonymous Coward, 10 Sep 2016 @ 4:03am

    Play ball then we can talk

    Seems like a legislator who conspires with our enemies is a huge threat that should be prevented.

    When the legislators supporting encryption backdoors are willing to let the public decrypt and look through all their communications then we can have a conversation.

    If they have nothing to hide I'm sure they would have no problem with this request.

  • afn29129 (profile), 10 Sep 2016 @ 5:49am

    Being a hardliner

    There are issues where a person must be a hardliner, a fundamentalist, and this is one of those issues. Just say no to backdoored / broken crypto. Compromise isn't possible. Fixed legislative language? Clever legislative language? No it's actually deceitful legislative language.

  • Anonymous Coward, 10 Sep 2016 @ 7:31am

    The bill is self defeating, unless the intent is to spy on the citizens, while telling terrorists and criminals to look elsewhere to protect their communications.

  • edinjapan (profile), 10 Sep 2016 @ 7:41am

    Something you've forgotten

    The US forces companies to add backdoors to their products. Companies that can, flip the US the bird and leave the US taking their business elsewhere.
    Poverty ensues.

    • madasahatter (profile), 10 Sep 2016 @ 7:59am

      Re: Something you've forgotten

      That is one of the major fears this type of stupidity causes. However, the local "Criminal Class" aka legislature is likely to come up with something equally as stupid.

  • John Q., 10 Sep 2016 @ 1:37pm

    Daily Flickers

    Da fix is in. It is just one big Dog & Pony show for the unwashed. think of a political The Truman Show. The clowns with guns are cutouts for entertainment only. Pass the popcorn and practice your Dodgeball skills.

  • Justme, 10 Sep 2016 @ 3:25pm

    Security Theater!

    If you extinguish the fire that warms a thousand souls, you will ignite a thousand fires.


    I know very little about encryption but this is my attempt using nothing but a shell script. I would be interested to see if someone can tell me what it says and how long it took them to decrypt it. [it's not a one time pad]



  • Justme, 10 Sep 2016 @ 3:26pm

    Oops..

    Sorry for the wrap around it looked fine in the preview.

  • Steve R. (profile), 10 Sep 2016 @ 4:30pm

    Financial Repercussions

    So what happens when the "backdoor" is hacked to our financial institutions, such as Discover Card?

    The pro-encryption crowd seems unable to comprehend that the "good" guys need encryption. Technology is a two edged sword. Need to take the "bad" along with the "good".

    • That One Guy (profile), 10 Sep 2016 @ 10:49pm

      Re: Financial Repercussions

      Oh you can be sure that important people and companies will be exempt from the requirements, as it would be too risky to deliberately sabotage their security, despite it being completely and utterly safe(promise!) to intentionally cripple the security the peo- I mean citizens use.

  • Anonymous Coward, 10 Sep 2016 @ 9:25pm

    These two don't even have the common courtesy to give you a reach around. I will be sponsoring a bill next month to outlaw senators Burr & Feinstein. Subversives like these are the reason I won't do business on line.

  • Avantare (profile), 10 Sep 2016 @ 10:20pm

    The tighter you squeeze...

    the more will slip through your fingers.

  • Anonymous Coward, 11 Sep 2016 @ 1:44am

    Need a bill to send that foreign agent back to Israel.

  • Roger Strong (profile), 11 Sep 2016 @ 8:06am

    What Happens Next.

    Right now the talk is of mandatory back doors for OS's. People can negate those with encryption in their apps. Apps from countries without mandatory back doors, if need be.

    Ban those with a new bill, and then what about programming tools? Functions for AES and other encryption standards are built right into the .NET framework. An amateur can implement them with no real understanding of how they work. (I know; I've done it.) Presumably frameworks for Mac and Linux have them too. It follows that these frameworks will get their own bill demanding back doors.

    The only thing this bill will do is force people and companies to other countries for OS's, apps and programming tools. Making Ted Cruz's grandstanding over ICANN's IANA seem even more silly.

  • Praedor, 11 Sep 2016 @ 9:03am

    Good luck with that

    Good luck "outlawing" GnuPG or PGP and similar. Impossible. Encryption, STRONG encryption, is here to stay.

    • That One Guy (profile), 11 Sep 2016 @ 1:14pm

      Re: Good luck with that

      Getting rid of encryption entirely simply isn't possible.

      Criminals/terrorists/communists will just ignore the law and use non-crippled encryption, tech-savvy people will do the same, the goal is to make the majority of people, who don't fit into those groups, vulnerable. To allow the 'Grab it all!' voyeurs to continue on, business as usual grabbing everything they can, and if they're really lucky maybe finding an actual criminal at some point in the process.

      That crippled encryption will result in a massive number of preventable crimes and violations of privacy is just a sacrifice the public(not the politicians of course) will have to make in order to protect the public's security and privacy.

  • Anonymous Coward, 11 Sep 2016 @ 2:18pm

    Put it in a way they can understand it

    The issue, as I see it, is that we have lawyers trying to dictate how tech works. This is like trying to pass a law to make Pi equal to 3 or that water runs uphill. Pass all the laws you want, it won't change de facto situations.

    So, the way I would phrase it is "Trying to backdoor encryption is like trying to unring a bell. It's just not possible."

  • Stosh, 11 Sep 2016 @ 10:04pm

    A "reasonable efforts" is a great loophole for tech companies. They can make "reasonable efforts" with a super-computer to decrypt a properly encrypted email or hard drive....it just may take a couple THOUSAND YEARS.

  • Eldakka (profile), 12 Sep 2016 @ 2:47am

    Reasonable Effort?

    Apple to FBI:

    "Sure, we could break the encryption on that message. It'll be a brute-force attack, take 18 months and it'll be $6.3Billion dollars in Amazon AWS fees for the compute power. Where should we send the bill?"

    FBI: "This is a really important case, this person's been leaking that the director spits his chewing gum on the sidewalk rather than into bins! We can cover that, send the bill to our head office. We'll indicate the 150 text messages we want decrypted."

    Apple: "150? The quote we gave was for ONE message decryption."

    • That One Guy (profile), 12 Sep 2016 @ 3:52pm

      Re: Reasonable Effort?

      Keep in mind the DOJ argued that forcing Apple to create a modified OS to bypass their own encryption was a 'reasonable request', so depending on who gets to decide what is and is not 'reasonable' all sorts of demands could get the greenlight. If the FISA 'court' got the job for example pretty much anything would be considered 'reasonable' to demand from a company, because that lot simply doesn't have the ability to say 'no' on anything of substance.

  • leehb9 (profile), 12 Sep 2016 @ 4:15am

    These two are long overdue for a long rest!

    Isn't it about time these two morons were put 'out to pasture'??? They're becoming an embarrassment to rest of the folks up on the 'hill'!

  • leehb9 (profile), 12 Sep 2016 @ 4:17am

    These two are long overdue for a long rest!

    Isn't it about time these two morons were put 'out to pasture'??? They're becoming an embarrassment to the rest of the folks up on the 'hill'!

  • mcinsand, 12 Sep 2016 @ 4:42am

    Thank you, Senator Burr!

    2016 is truly the worst of the elections that I have seen in my lifetime, and our candidate choices embarrass me as a US citizen. There is one exception, however, with respect to my state senator. I am a North Carolina resident, which means that Senator Burr will be on my voting ticket. The only vote that really excites and energizes me this year is voting for whoever has the best chance of sending Burr home. I haven't heard or looked to see who is running against him, yet, but that doesn't matter. To fail to see how weakening encryption weakens our national security is to demonstrate a lack of the reasoning skills that should be minimal when making national decisions. I feel much better rolling the dice on an unknown than continuing with such mental incompetence.

  • hack the planet er USA, 12 Sep 2016 @ 6:08am

    i hope this passes

    i hope this passes then the usa can get hacked so much you all will realize what kind of idiots you really have running your nation....

    just think someone gave me all the fbi honey pots so i can easily get proper proxies ....and guess what boneheaded federal idiots....it wont be me doing nothing cause im not the only one that knows....

    FREE TRADE RIGHT....lol
    you want capitalism you get it my dearies!!!!!

  • Anonymous Coward, 12 Sep 2016 @ 8:36am

    It would be great if that old hag would just fucking die already.

  • David, 12 Sep 2016 @ 9:14am

    "Critical Infrastructure"

    How about the technology businesses, that if foreign investments and usage dries up, will kill the US technology industry? Isn't that 'critical infrastructure'?

  • John (profile), 12 Sep 2016 @ 1:08pm

    Outlaw Real Encryption?!?!

    Two issues.
    1) How does one mandate "WORLD WIDE" encryption back doors?
    Answer, one doesn't! Won't happen! Someone will always have a real encryption algorithm up and working. It/they may not be available in the USA, but overseas, open market, open access!
    2) When the encryption is broken, and one knows the hacker/cracker crews will put in many sleepless nights to break it, who pays for the thousands of users millions if not billions of dollars needed to be spent on some new "back door" encryption?
    I know it will NOT be the original programmer, NOR her company. The GOV. who mandated it now has to pay and big time for the new version and the dissemination of same.

  • Personanongrata, 12 Sep 2016 @ 3:25pm

    Know-Nothing Nitwits and You!

    Senators Burr & Feinstein Look To Bring Back Bill To Outlaw Real Encryption

    Let's just Outlaw Burr, Feinstein and all of the other know-nothing-nitwits infesting congress while they preen themselves in front of the cameras and pretend to be serious people.

    These idiots are dangerous.
