Feinstein, Burr Draft Encryption Bill Would Require Tech Companies To Decrypt Messages Under Court Order
UPDATE: 6:50 p.m. EDT — More responses emerged Friday evening after a leak of a draft encryption bill by Sens. Dianne Feinstein, D-Calif., and Richard Burr, R-N.C.
Reuters reported Friday that Kevin Bankston, director of the Open Technology Institute, called the draft legislation the “most ludicrous, dangerous, technically illiterate tech policy proposal of the 21st century.”
Other critics included Sen. Ron Wyden, D-Ore. “For the first time in America, companies that want to protect their customers with stronger security will not have that choice,” Wyden said, according to Reuters. “They will be required by federal law per this statute to decide how to weaken their products to make Americans less safe.”
Also weighing in was Matt Blaze, a professor and computer security expert at the University of Pennsylvania, who tweeted numerous critiques, including:
If you suffer from low blood pressure, here’s the Feinstein-Burr key escrow bill: https://www.scribd.com/doc/307378123/Burr-Encryption-Bill-Discussion-Draft …
Burr and Feinstein stressed Friday that they were still working to finalize the bill.
“The underlying goal is simple: When there’s a court order to render technical assistance to law enforcement or provide decrypted information, that court order is carried out,” they said. “No individual or company is above the law.”
The first major piece of legislation of the post-San Bernardino era has been drafted, and it’s guaranteed to make no one in Silicon Valley happy.
The long-awaited draft encryption bill from Sens. Dianne Feinstein, D-Calif., and Richard Burr, R-N.C., ranking members of the Senate Intelligence Committee, leaked Thursday night and immediately set an extreme starting point for a battle over encryption that will rage across parties and between lobbyists representing law enforcement and the tech industry in the coming months. The draft bill, dubbed the “Compliance with Court Orders Act of 2016,” boils down the complex issue of encryption to nine pages.
The bottom line: Tech companies must comply with court orders to assist the government in obtaining information, period. Specifically, anyone receiving a judicial order for information or data “must provide, in a timely manner, responsive, intelligible information or data, or appropriate technical assistance to obtain such information or data.”
Further, that data must be provided in “intelligible format if such data has been made unintelligible by a feature, product or service owned, controlled, created or provided by the covered entity or by a third party on behalf of the covered entity.”
The bill is the first major piece of legislation to emerge after the San Bernardino attacks and the ensuing battle between Apple and the FBI over access to an iPhone 5C that was used by one of the attackers. The FBI subsequently dropped its case and said it had acquired technology that allowed it to break the password protection on that device. It has not yet said whether anything was found that will further the investigation.
The draft bill does specify that it does not allow the government to mandate design features in tech products, such as backdoors, only that companies must provide the information somehow. It does, however, prohibit features that would keep them from complying with a court order, such as the end-to-end encryption now used by Facebook’s WhatsApp, which means Facebook cannot provide the contents of messages, even if compelled to do so by a court.
“This basically outlaws end-to-end encryption,” Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology, told Wired. “It’s effectively the most anti-crypto bill of all anti-crypto bills.”
The Information Technology and Innovation Foundation, a think tank, attacked the bill for creating a legal paradox: It explicitly states it does not mandate design changes, yet, to comply, any company with encrypted products would have to make design changes. The organization said WhatsApp “would not be able to comply with the legislation, unless it modified its system.”
Silicon Valley was quick to respond that building backdoors into systems is ultimately unworkable and will make citizens vulnerable. “The truth is backdoors would be accessible to more than just the government. We don’t need to help criminals and hackers steal our data,” said Dave Wagner, CEO of email encryption provider ZixCorp.
Burr and Feinstein declined to comment further on the draft bill, saying they’re “still working on finalizing a discussion draft and as a result can’t comment on specific versions of the bill.”
“However, the underlying goal is simple: When there’s a court order to render technical assistance to law enforcement or provide decrypted information, that order is carried out. No individual or company is above the law,” the senators said in a statement.
To be sure, a draft bill is a starting point, and it could change a great deal before it gets to committee, let alone is put up for a vote. The White House has signaled this week it will not support the bill in its present form. But it does dovetail with the view of FBI Director James Comey, who told an audience at Kenyon College earlier this week that there must not be subpoena-proof areas of communication, and that an expectation of absolute privacy is unrealistic.
“There is no such thing as absolute privacy in America,” he said. “There is no place outside of reach of judicial authority. That is a bargain that we made with ourselves 240 years ago to achieve two things we all treasure: liberty and security.”
The Department of Justice declined to comment on the draft bill.
Manhattan District Attorney Cyrus R. Vance, who has been critical of Apple’s stance on locked iPhones, threw his support behind the Feinstein/Burr bill.
“For the past year and a half, Apple and other large technology companies have effectively decided who can and cannot access crucial evidence in criminal investigations,” he said in a statement. “In the absence of legislation to address the seismic impact of warrant-proof encryption on public safety, they have rendered themselves – not judges – gatekeepers of critical information necessary to solving crimes on behalf of victims across the nation.”