A discussion draft version of a bill from the leaders of the Senate Intelligence Committee pressures technology companies to design their encryption so that they can provide government investigators with user data when presented with a warrant.
A version of the Compliance with Court Orders Act of 2016 mandates that U.S. technology companies must provide the government with “intelligible data” or “technical assistance” to access that unencrypted data when presented with a court order.
Although the bill from Sens. Richard Burr (R-N.C.), the committee’s chairman, and Dianne Feinstein (D-Calif.), its top Democrat, does not require companies to adopt “any specific design or operating system,” the legislation effectively makes it impossible for firms to implement unbreakable encryption in their products and still comply with the law.
The draft legislation does not currently include specific penalties a company would face for refusing to comply with a court order under this legislation. The bill is reportedly still undergoing review before a final version is introduced in Congress. On Thursday, Feinstein and Burr told reporters that they had sent the draft back to the White House for further review.
“It did get kicked over to the White House because I think the chief of staff wanted to brief the president on it,” Burr told The Hill.
In a joint statement emailed to the Daily Dot, Feinstein and Burr emphasized that the language of the bill is not yet finalized.
“We’re still working on finalizing a discussion draft and as a result can’t comment on language in specific versions of the bill,” Burr and Feinstein said. “However, the underlying goal is simple: When there’s a court order to render technical assistance to law enforcement or provide decrypted information, that court order is carried out. No individual or company is above the law. We’re still in the process of soliciting input from stakeholders and hope to have final language ready soon.”
Privacy advocates and technologists were quick to condemn the draft legislation, arguing that it would require companies to weaken their encryption to comply with the law.
“This bill is a clear threat to everyone’s privacy and security. Instead of heeding the warnings of experts, the senators have written a bill that ignores economic, security, and technical reality,” Neema Singh Guliani, legislative counsel with the American Civil Liberties Union, said in a statement. “It would force companies to deliberately weaken the security of their products by providing backdoors into the devices and services that everyone relies on. Senators Burr and Feinstein should abandon their efforts to create a government backdoor.”
Kevin Bankston, director of New America’s Open Technology Institute, condemned the draft bill as a threat to Americans’ security and privacy.
“This leaked draft of the upcoming Feinstein-Burr bill instructs every tech vendor in America to use either backdoored encryption or no encryption at all, even though practically every security expert in the country would tell you that means laying down our arms in the constant fight to secure our data against thieves, hackers, and spies,” Bankston said in an emailed statement to the Daily Dot.
Bankston also said that the legislation would result in “massive Internet censorship” because it would require “online platforms like Apple’s App Store and the Google Play Store [to] police their platforms to stop the distribution of secure apps.”
“Indeed,” Bankston added, “I can say without exaggeration that this draft bill is the most ludicrous, dangerous, technically illiterate tech policy proposal of the 21st century so far.”
Sen. Ron Wyden (D-Ore.), one of Congress’s most ardent supporters of privacy rights, agreed that the Feinstein-Burr legislation as written would require technology firms to build so-called “backdoors” for law-enforcement access.
“This legislation says a company can design what they want their backdoor to look like, but it would definitely require them to build a backdoor,” Wyden said in a statement emailed to the Daily Dot. “For the first time in America, companies who want to provide their customers with stronger security would not have that choice—they would be required to decide how to weaken their products to make you less safe.”
The legislation comes as Congress also considers legislation to establish a digital-security commission that would produce a report tackling, among other things, the encryption debate.
Both bills reflect the renewed interest in the topic sparked by a court battle between the Justice Department and Apple over the locked iPhone of one of the San Bernardino shooters.
Apple vigorously fought a court order compelling it to help the government unlock that phone by writing special code, arguing that it would set a dangerous precedent and lead to more intrusive demands—including court orders requiring it to weaken its encryption and spy on its customers. The government eventually dropped its demand when a third party presented it with an alternate method, and local police are now asking to use the tool to unlock other suspects’ devices.
Law-enforcement and intelligence officials have argued for years that tech companies should design their encryption so that they can always bypass it if investigators bring them a warrant. They say that criminals and terrorists are using encrypted devices and messaging apps to communicate beyond the reach of police and spies, and they warn that they are losing access to critical evidence as a result.
A series of terrorist attacks in Paris and San Bernardino, California, in 2015 revived the long-running “crypto wars” debate, which began in the 1990s when Congress passed a law requiring phone and Internet providers to ensure that their equipment was wiretap-friendly. Some senior officials, like FBI Director James Comey, now want to extend that requirement to hardware and software makers like Apple and Google.
Tech companies, security experts, and privacy advocates have strenuously objected to this push. They argue that strong encryption is fundamental to everyday life, from email applications to online banking portals. They point out that a backdoor designed for law enforcement can be discovered and exploited by bad actors, from foreign governments to rogue hackers. And they note that any attempt to mandate backdoors in the United States will only push criminals onto one of the many available foreign platforms.
“This bill would not only be surrendering America’s cybersecurity but also its tech economy, as foreign competitors would continue to offer—and bad guys would still be able to easily use!—more secure products and services,” Bankston said. “The fact that this lose-lose proposal is coming from the leaders of our Senate’s intelligence committee, when former heads of the NSA, DHS, the CIA and more are all saying that we are more secure with strong encryption than without it, would be embarrassing if it weren’t so frightening.”
It remains unclear whether the White House, which backed down from pursuing encryption legislation last October, will support Burr and Feinstein’s bill. The administration reviewed a draft of the bill, but a White House spokesman declined to say whether it would endorse the legislation.
Update 9:39am CT, April 8: Added statement from Burr and Feinstein.
Update 10:30am CT, April 8: Added statement from ACLU, Kevin Bankston.
Update 11:20am CT, April 8: Added statement from Wyden.
Additional reporting by Andrew Couts.
H/T The Hill