Burr And Feinstein Release Their Anti-Encryption Bill... And It's More Ridiculous Than Expected

from the are-they-serious? dept

They've been threatening this for months now, but Senators Richard Burr and Dianne Feinstein have finally released a "discussion draft" of their legislation to require backdoors in any encryption... and it's even more ridiculous than originally expected. Yesterday, we noted that the White House had decided to neither endorse nor oppose the bill, raising at least some questions about whether or not it would actually be released. Previously, Feinstein had said she was waiting for the White House's approval -- but apparently she and Burr decided that a lack of opposition was enough.

The basics of the bill are exactly what you'd expect. It says that any "device manufacturer, software manufacturer, electronic communication service, remote computing service, provider of wire or electronic or any person who provides a product or method to facilitate communication or the processing or storage of data" must respond to legal orders demanding access to said information. First off, this actuallythan was originally expected. By my reading, anyone providing PGP email is breaking the law -- because it's not just about device encryption, but encryption of communications in transit as well. I wonder how they expect to put that genie back in the bottle.

But, let's dig into a few other bits of insanity in the bill. It starts out with an insane assertion, right upfront:

"It is the sense of Congress that-- no person or entity is above the law; economic growth, prosperity, security, stability, and liberty require adherence to the rule of law;"

What an absurd way to start the bill. As we've discussed over and over again, despite FBI director James Comey's statements, no one is claiming to be "above the law" here. When they offer end-to-end encryption they're not "above the law," they're just building a system to which they don't have the key. That's like saying that the safe maker who doesn't keep copies of the keys to every safe they sell is above the law. But no one requires safemakers to keep copies of every key.

Next, the claim that economic growth, prosperity, security, stability and liberty somehow depend on all of this is ridiculous. The second this bill becomes law, the US loses aeconomic advantage. Basically all of our technology becomes suspect globally, and the entire cybersecurity industry moves off shore. It willAmerican businesses outside of the US. Burr and Feinstein are basically offering a bill that completely undermines the economic prosperity of the American tech industry. This is especially insane coming from Feinstein, given that she supposedly represents so many tech companies in California.

"all providers of communications services and products (including software) should protect the privacy of United States persons through implementation of appropriate data security and still respect the rule of law and comply with all legal requirements and court orders;"

And they do.... But what this bill requires is for tech companies to undermine the basics of encryption to make everyone less safe. This is not about disrespecting the rule of law, but about building systems as secure as possible to protect people from malicious attacks. You know, the very kinds of attacks that Senators Burr and Feinstein kept screaming about just months ago when they were demanding a bogus cybersecurity (really: surveillance) bill get passed by Congress. And yet now they want to undermine the very core concept of cybersecurity in the US.

"to uphold both the rule of law and protect the interests and security of the United States, all persons receiving an authorized judicial order for information or data must provide, in a timely manner, responsive, intelligible information or data, or appropriate technical assistance to obtain such information or data;"

And if that's literally impossible, as is the case with strong encryption or end-to-end encryption?

Let's be clear, here.. Think about that for a second. This is insane.

Then there's this kicker:

"Nothing in this Act may be construed to authorize any government officer to require or prohibit any specific design or operating system to be adopted by any covered entity."

Yeah, except forwhich absolutely prohibits the kind of design that basically all security experts say you need to adequately protect data and communications.

There are lots of other issues as well. As Jonathan Zdziarski notes, the bill is so ridiculously drafted that it doesn't distinguish between encrypted data and deleted data. Thus, if someone deletes all their data, companies are still on the hook to magically get it back. It also requires that any information that is requested be delivered "in an intelligible format." But what if the information itself is not intelligible? What if, prior to encrypting the data through technological means, the people doing the communications used some sort of cypher or code themselves to further obfuscate the information?

The whole thing is a mess and provides much more evidence for the fact that Feinstein and Burr have absolutely no clue what they're talking about on this particular issue. Of course, there are lots of clueless people, but it's pretty disturbing that these two particularly clueless people happen to be the highest ranking members on the Senate Intelligence Committee. Perhaps, like some others, they should talk to actual intelligence community professionals, who have also been arguing that backdooring encryption is a bad idea and puts Americans at much greater risk of being victims of computer attacks.

Filed Under: backdoors, dianne feinstein, encryption, richard burr