Why Doesn't The Anti-Encryption Bill List Any Penalties?

from the they'll-be-added-in-later dept

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community. Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis. While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

We've already written a bit about the technologically ignorant bill from Senators Richard Burr and Dianne Feinstein that basically outlaws any encryption system that doesn't include backdoors for law enforcement. However, there are still some points in the bill that have left some folks scratching their heads. In particular, the lack of any penalty at all has some commenters wondering what the bill actually does. The bill both says that it doesn't "require or prohibit any specific design or operating system," but at the same timethat anyone offering or supporting any kind of encryption be able to pass along unencrypted versions of the communication to law enforcement when presented with a legitimate court order or warrant (so not just a warrant...). As Orin Kerr noted, the bill mandates assistance , rather than using the more typical requirement of "reasonable" assistance.Instead, the bill is explicit that if you receive an order, you have to hand over the unencrypted data. The law specifically reads: "a covered entity that receives a court order from a government for information or datasuch information or data to such government in an intelligible format; or provide such technical assistance as is necessary to obtain such information or data in an intelligible format or to achieve the purpose of the court order." No best efforts. No reasonable assistance in the face of situations where that can't be done. The billthat you provide unencrypted data. Or else.Or else... what? The bill includeson the penalties for failing to comply. This has led some on Twitter (including a guy I've been discussing it with who deletes all his tweets after tweeting them or I'd post them here...) to argue that the bill actuallyencryption, since if a company can't provide unencrypted data, then the law has no impact. That's not true however. First of all, both Burr and Feinstein have been going on and on about demanding backdoors and whining about encryption for a long time. There's no way they wrote a bill that would support stronger encryption. Second, all of the rest of the language in the bill includes various statements like "shall provide" and other items that leave no wiggle room at all. Providing any kind of encryption without providing a backdoor for law enforcement would violate this law.So... why the lack of penalties? There are a few theories floating around. (1) This is still a draft of the bill. Those penalties will be added in later, after everyone's fought over the rest of the bill. Leaving out the penalties at this stage lets Feinstein and Burr focus the fight. (2) The bill will allow courts to claim that any company not providing such unencrypted text is in contempt and issue increasingly large fines that make it practically impossible to be a business in the US without providing backdoors to encryption and basically demolishing everyone's security. Neither option is appealing.This bill is bad in so many ways and no one's focusing on the punishment part because it's not even in the bill yet -- but make no mistake -- if this bill passes, there will be punishment (potentially severe punishment) for any company that wants to use actual encryption.

Filed Under: dianne feinstein, encryption, going dark, penalties, richard burr