Draft Bill Would Compel Decryption by Communications Companies

Would need to be able to bypass individual privacy protections
Author:
Publish date:
Capitol-Senate.JPG

A bipartisan pair of powerful senators wants to make sure communications companies help the government unlock encrypted information.

According to a draft of the legislation, Sens. Dianne Feinstein (D-Calif.) and Richard Burr (R-N.C.) plan to introduce a bill, the Compliance With Court Orders Act, that would make it clear that communications companies have to provided unencrypted versions of encrypted user information when ordered to by a court or help the government unencrypt it.

Burr and Feinstein are chair and vice chair, respectively, of the Senate Intelligence Committee.

That would only apply if the target of the order, or a third party on its behalf, had done the encrypting. If the communications company provides technical assistance in decoding the data, they would be compensated for reasonable and necessary costs.

The bill would not authorize the government to require or prohibit any time of operating system, which means the bill would not prevent encryption but it would require companies to be able to defeat their own encryption in order to be able to make the info available.

The bill follows the privacy vs. security tug-of-war between Apple and the FBI, and among privacy groups, stakeholders and government more broadly, over accessing the phone of one of the San Bernardino shooters. A cable source said they believed the bill would apply to cable companies, too.

The FBI got a court order compelling Apple to help it access the encrypted information, but Apple did not comply and fought the order. The FBI ultimately got the information without Apple's help, so the company did not wind up having to comply by default—the FCC withdrew the request that the court compel them.

"All providers of communications services and products (including software) should protect the privacy of United States persons through implementation of appropriate data security and still respect the rule of law and comply with all legal requirements and court orders," the legislation says.

It did not sit well with privacy advocates, who slammed the draft.

"This leaked draft of the upcoming Feinstein-Burr bill instructs every tech vendor in America to use either backdoored encryption or no encryption at all, even though practically every security expert in the country would tell you that means laying down our arms in the constant fight to secure or data against thieves, hackers, and spies," said Kevin Bankston, director of New America’s Open Technology Institute. "This bill would not only be surrendering America’s cybersecurity but also its tech economy, as foreign competitors would continue to offer—and bad guys would still be able to easily use!—more secure products and services. The fact that this lose-lose proposal is coming from the leaders of our Senate’s intelligence committee, when former heads of the NSA, DHS, the CIA and more are all saying that we are more secure with strong encryption than without it, would be embarrassing if it weren’t so frightening."

“This bill is a clear threat to everyone’s privacy and security," said Neema Singh Guliani, legislative counsel with the American Civil Liberties Union. "Instead of heeding the warnings of experts, the senators have written a bill that ignores economic, security, and technical reality. It would force companies to deliberately weaken the security of their products by providing backdoors into the devices and services that everyone relies on. Senators Burr and Feinstein should abandon their efforts to create a government backdoor.”

The Information Technology & Innovation Foundation said the bill would put communications companies in an untenable position.

"While companies should comply with lawful requests, it is simply not possible for a company to do so when the customer controls the only keys used to encrypt the data. For example, the popular messaging app WhatsApp, which provides end-to-end encryption on its platform, would not be able to comply with the legislation, unless it modified its system. Yet, the bill explicitly states that it is not authorizing the government to require or prohibit any specific design changes to software or hardware. In short, this bill sets up a legal paradox that would further muddy the waters about how and when the government can compel the private sector to assist in gaining access to private information."

“The leaked draft shows that the Compliance with Court Orders Act of 2016 would undermine any technology that helps secure people’s private communications," said Free Press Action Fund policy counsel Gaurav Laroia. "It’s a massive overreach by Senators Burr and Feinstein, who appear to have forgotten the rights guaranteed to Americans under the Constitution."

The senators took a hit as well from the group.

“Our right to communicate in private is being threatened by the very people Americans rely on for these protections. Burr and Feinstein lead the Senate Select Committee on Intelligence, which is supposed to defend the rights of everyday Americans and prevent overreach from the intelligence community.

“If this dangerous bill passes, it would outlaw not just end-to-end encrypted communications but also the tools that protect our information from criminals, hackers and foreign governments working to undermine the security of millions of people and businesses. Our right to privacy should extend beyond in-person conversations to include communications made via the internet and wireless networks. Encryption is the tool that makes this possible."

“This legislation could establish standards that force companies to eliminate security features that may be exploited by others who do not share law enforcement’s good intentions,” said Linda Moore, president of TechNet.  “The results are that common transactions will become easy prey for bad actors and that customers around the world could lose faith in the trustworthiness of American products and choose alternatives that don’t have the same vulnerabilities.”

Related