Last Thursday the United States Congress published the draft “Compliance with Court Orders Act of 2016” bill (full text available here), created by Senators Dianne Feinstein and Richard Burr. In line with similar draconian legislation recently passed in the UK and France, the draft bill will effectively ban end-to-end encryption.
As Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology, observed to Wired,
“It’s effectively the most anti-crypto bill of all anti-crypto bills.”
This sentiment was confirmed by Senator Ron Wyden, who told The Intercept that,
“This legislation says a company can design what they want their back door to look like, but it would definitely require them to build a back door. For the first time in America, companies who want to provide their customers with stronger security would not have that choice – they would be required to decide how to weaken their products to make you less safe.”
The bill, if passed, will require communications companies to provide law enforcement agencies with unencrypted data, or with the means for them to obtain it themselves,
“To uphold the rule of law and protect the security and interests of the United States, all persons receiving an authorized judicial order for information or data must provide, in a timely manner, responsive and intelligible information or data, or appropriate technical assistance to obtain such information or data.”
Key problems with the proposed law are:
- It goes far beyond the order to provide “reasonable assistance” that was issued to Apple using the All Writs Act in the recent San Bernardino iPhone court case, requiring instead “assistance as is necessary” to decrypt data. In other words, when issued with a court order to decrypt data, a tech company cannot say, “We can’t, because it’s impossible.”
- All providers of “communications products” are responsible for any third-party encrypted product they provide. This means that shops and online platforms such as Google Play and the Apple App Store will be made responsible for censoring encrypted apps.
In a statement made on behalf of Feinstein, a spokesman said that,
“We’re still working on finalizing a discussion draft and as a result can’t comment on language in specific versions of the bill. However, the underlying goal is simple: when there’s a court order to render technical assistance to law enforcement or provide decrypted information, that court order is carried out. No individual or company is above the law.”
Security experts have lined up to pour scorn on the proposed bill:
I could spend all night listing the various ways that Feinstein-Burr is flawed & dangerous. But let’s just say, “in every way possible.”
— matt blaze (@mattblaze) April 8, 2016
It’s not hard to see why the White House declined to endorse Feinstein-Burr. They took a complex issue, arrived at the most naive solution.
— Matthew Green (@matthew_d_green) April 8, 2016
If Grandpa Simpson was a Senator who was afraid of and confused by encryption, I think he’d write something like the Feinstein/Burr bill.
— Kevin Bankston (@KevinBankston) April 8, 2016
Burr-Feinstein may be the most insane thing I’ve ever seen seriously offered as a piece of legislation. It is “do magic” in legalese.
— Julian Sanchez (@normative) April 8, 2016
So what can we do to save encryption?
As Wired observes, the bill is so terrible that the backlash against it may actually strengthen the position of privacy advocates. The bill does not have the support of the White House, and its extravagant scope means that many feel it has no chance of becoming law in its current form.
I strongly encourage our readers (particularly those based in the US), however, to take immediate action to help ensure this appalling legislation never sees the light of day:
- Contact Senator Feinstein and Senator Burr to tell them what you think of their bill.
- Contact your own Congressional representative to demand to know what they are doing about it. If you are unsure who your two state senators and the representative in the House for your district are, the 4USXUS website will tell you.
- Sign the savecrypto.org petition. It is now 167 days since this petition hit the 10,000 signatures required to receive an official response from the president. To date the government has not responded, despite the petition now containing over 100,000 signatures.