Burr And Feinstein Release Their Anti-Encryption Bill... And It's More Ridiculous Than Expected
from the are-they-serious? dept
They've been threatening this for months now, but Senators Richard Burr and Dianne Feinstein have finally released a "discussion draft" of their legislation to require backdoors in any encryption... and it's even more ridiculous than originally expected. Yesterday, we noted that the White House had decided to neither endorse nor oppose the bill, raising at least some questions about whether or not it would actually be released. Previously, Feinstein had said she was waiting for the White House's approval -- but apparently she and Burr decided that a lack of opposition was enough.
The basics of the bill are exactly what you'd expect. It says that any "device manufacturer, software manufacturer, electronic communication service, remote computing service, provider of wire or electronic or any person who provides a product or method to facilitate communication or the processing or storage of data" must respond to legal orders demanding access to said information. First off, this actually covers a hell of a lot more than was originally expected. By my reading, anyone providing PGP email is breaking the law -- because it's not just about device encryption, but encryption of communications in transit as well. I wonder how they expect to put that genie back in the bottle.
But, let's dig into a few other bits of insanity in the bill. It starts out with an insane assertion, right upfront:
It is the sense of Congress that--
- no person or entity is above the law;
- economic growth, prosperity, security, stability, and liberty require adherence to the rule of law;
What an absurd way to start the bill. As we've discussed over and over again, despite FBI director James Comey's statements, no one is claiming to be "above the law" here. When they offer end-to-end encryption they're not "above the law," they're just building a system to which they don't have the key. That's like saying that the safe maker who doesn't keep copies of the keys to every safe they sell is above the law. But no one requires safemakers to keep copies of every key.
Next, the claim that economic growth, prosperity, security, stability and liberty somehow depend on all of this is ridiculous. The second this bill becomes law, the US loses a massive economic advantage. Basically all of our technology becomes suspect globally, and the entire cybersecurity industry moves offshore. It will devastate American businesses outside of the US. Burr and Feinstein are basically offering a bill that completely undermines the economic prosperity of the American tech industry. This is especially insane coming from Feinstein, given that she supposedly represents so many tech companies in California.
all providers of communications services and products (including software) should protect the privacy of United States persons through implementation of appropriate data security and still respect the rule of law and comply with all legal requirements and court orders;
And they do... when they can. But what this bill requires is for tech companies to undermine the basics of encryption to make everyone less safe. This is not about disrespecting the rule of law, but about building systems as secure as possible to protect people from malicious attacks. You know, the very kinds of attacks that Senators Burr and Feinstein kept screaming about just months ago when they were demanding a bogus cybersecurity (really: surveillance) bill get passed by Congress. And yet now they want to undermine the very core concept of cybersecurity in the US.
to uphold both the rule of law and protect the interests and security of the United States, all persons receiving an authorized judicial order for information or data must provide, in a timely manner, responsive, intelligible information or data, or appropriate technical assistance to obtain such information or data;
And if that's literally impossible, as is the case with strong encryption or end-to-end encryption?
Let's be clear, here. This bill makes effective cybersecurity illegal. Think about that for a second. This is insane.
Then there's this kicker:
Nothing in this Act may be construed to authorize any government officer to require or prohibit any specific design or operating system to be adopted by any covered entity.
Yeah, except for the entire bill which absolutely prohibits the kind of design that basically all security experts say you need to adequately protect data and communications.
There are lots of other issues as well. As Jonathan Zdziarski notes, the bill is so ridiculously drafted that it doesn't distinguish between encrypted data and deleted data. Thus, if someone deletes all their data, companies are still on the hook to magically get it back. It also requires that any information that is requested be delivered "in an intelligible format." But what if the information itself is not intelligible? What if, prior to encrypting the data through technological means, the people doing the communications used some sort of cypher or code themselves to further obfuscate the information?
The whole thing is a mess and provides much more evidence for the fact that Feinstein and Burr have absolutely no clue what they're talking about on this particular issue. Of course, there are lots of clueless people, but it's pretty disturbing that these two particularly clueless people happen to be the highest ranking members on the Senate Intelligence Committee. Perhaps, like some others, they should talk to actual intelligence community professionals, who have also been arguing that backdooring encryption is a bad idea and puts Americans at much greater risk of being victims of computer attacks.
Filed Under: backdoors, dianne feinstein, encryption, richard burr
Reader Comments
Response to: Anonymous Coward on Apr 8th, 2016 @ 8:59am
[ link to this | view in chronology ]
Intelligence Committee lacking Intelligence
[ link to this | view in chronology ]
Re: Intelligence Committee lacking Intelligence
[ link to this | view in chronology ]
Re: Re: Intelligence Committee lacking Intelligence
[ link to this | view in chronology ]
Re: Re: Intelligence Committee lacking Intelligence
[ link to this | view in chronology ]
Re: Re: Re: Intelligence Committee lacking Intelligence
[ link to this | view in chronology ]
Re: Re: Intelligence Committee lacking Intelligence
Yeah, ain't it beautiful?
[ link to this | view in chronology ]
Re: Re: Intelligence Committee lacking Intelligence
[ link to this | view in chronology ]
Re: Feinstein is clearly under the thumb of the TLAs.
[ link to this | view in chronology ]
Outlawing forward secrecy
[ link to this | view in chronology ]
What was the point of this part? It's like putting a comment in source code that completely contradicts what the source code actually does.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
we know it says it does this, but "trust us" it doesn't require or prohibit any specific designs, see we even said that out loud
[ link to this | view in chronology ]
Beyond Belief
The issue of encryption also raises "slippery slope" concerns. The argument is made that encryption has to be weak to facilitate law enforcement. By that train of logic, search warrants should be abolished as an impediment to "facilitating law enforcement".
I hope that those proposing a "back door" will finally give up based on logic. Unfortunately, I suspect that after a suitable waiting period, those proposing weak encryption will once again hysterically start beating the war drums and foaming at the mouth.
[ link to this | view in chronology ]
Re: Beyond Belief
I used "dropped" in the sense of "released." The bill hasn't been discarded -- it's been released. I changed the text in the post to clarify... sorry...
[ link to this | view in chronology ]
Re: Re: Beyond Belief
[ link to this | view in chronology ]
Except
“no person or entity is above the law;”
Unless you’re a member of the ruling class.
[ link to this | view in chronology ]
Oh, but it is
If this law or any like it pass, I will have a tremendous amount of disrespect for the rule of law.
(I am already maxed out on my disrespect for these specific lawmakers.)
[ link to this | view in chronology ]
Keys
Encryption Keys in use by our technology include numbers from one to infinity. We do not track which key goes to which device so we have instead given you all of the keys.
[ link to this | view in chronology ]
Re: Keys
It doesn't say they have to provide the keys. It says they have to provide the actual data. Completely removes any possibility of getting around it and making actually useful security.
[ link to this | view in chronology ]
Re: Re: Keys
"Sorry Senators Burr and Feinstein, but in order to properly facilitate access to decrypt the information in accordance with the Anti-Encryption Law that you put in place, your new passwords for all your current and future accounts shall be the following: 12345"
Malicious Compliance for the win.
If the little people are going down with the ship, make damn sure those responsible for hitting the iceberg go down with it too.
[ link to this | view in chronology ]
Re: Re: Keys
[ link to this | view in chronology ]
Re: Re: Re: Keys
[ link to this | view in chronology ]
Re: Re: Keys
We cannot decrypt the message, so our system will start emailing you every possible message that it could have been. This process will be complete in never.
[ link to this | view in chronology ]
Shakedown
[ link to this | view in chronology ]
Bicycle manufacturers must provide a way to facilitate a government request to read something that was sent by messenger?
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
"Above the law"
Whenever somebody trots out the old "no person or entity is above the law" argument outside of a superhero movie or a classroom, it is not to reinforce that everybody is equal.
No, what they are saying is something entirely different: I am the Law and you are my subject.
[ link to this | view in chronology ]
Re: "Above the law"
I am the Law and you are my suspect.
FTFY.
[ link to this | view in chronology ]
Outlaw strong encryption then only.....
section 1/1 file shortm~1.pgp
xbtoa5 78 shortm~1.pgp Begin
Vuojd:rXj)e'g)5"O6I'LqU7T45&QF
[ link to this | view in chronology ]
Two traitors
[ link to this | view in chronology ]
Part 1 is at odds with part 2, as has been stated, but let's take a closer look, shall we?
In regards to this bill, that means NO entity is above this law, that includes the FBI, Congress, The Pentagon, The White House, the CIA, NSA, etc. because they are entities, and they cannot be above the law.
I am sure that because of (1) that entities like China, Russia, Daesh, Al-Qaeda will take that with good will and NEVER EVER exploit those systems.
Bullshit, I am sure that Russia, China would LOVE to get their hands on NSA/CIA/Pentagon deep cover operatives/operations currently in the field or in planning. I am SURE Al-Qaeda and Daesh would LOVE to get into the FBI/NSA to see which of THEIR deep cover operatives are being monitored. I am *SURE* the Pentagon would LOVE to have AF1's schematics broadcasted to the world.
Not only is this bill counter to free speech, economic security, but it *WILL* put American lives and national security at risk. And before you go, "Oh, but WE, in Congress and the govt is not bound to this law." read again that the law specifically says "NO ENTITY", including the Entity of the US Govt. BY THE LETTER OF THE LAW.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Dogs are fairly harmless, politicians not so much
[ link to this | view in chronology ]
Re: Dogs are fairly harmless, politicians not so much
The problem is in this case, that these are idiots out of their league, but with power enough to be destructive.
It's the same problem as we have with many entrenched representatives who cannot be voted out of position (the GOP can't even create a candidate liberal enough to be palatable to California) so long as they're worse than Joffrey-Satan-Hitler, we won't vote Joffrey-Satan-Hitler in to replace them.
But seriously, I'd really like someone that's actually intelligent and actually means to run California not into the ground.
It's a pipe dream.
[ link to this | view in chronology ]
Re:
FTFY
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Sheep must not evolve armor, claws, or teeth
Her Majesty Lady Feinstein has decided that it's too dangerous for the peasants to have secrets, and so she insists that we must divulge everything at the whims of her knights in blue. The wording of this bill suggests that she considers peasant vulnerability and rule of law to be inseparable.
This sort of attitude is not at all inconsistent with California law. This state has some of the most restrictive gun laws in the country. After all, an armed peasant is a less vulnerable peasant. Regardless of which side of the gun debate you happen to be on, though, you can probably agree that Lady Feinstein's public pride in the fact of her own armed condition seems more than a little hypocritical. (Yes, Dianne Feinstein famously has a permit to carry deadly weapons.) But of course self defense is a god-given right of the nobility, isn't it?
We might excuse California if the restrictions stopped there; it's easy to imagine that few people really need to own or carry firearms today. But in the spirit of keeping peasants vulnerable, California has even declared bullet-resistant clothing illegal. That's right: apparently rule of law demands that peasants must be as vulnerable -- i.e. easy to kill -- as possible. Wear a bulletproof vest, go to jail.
So what's next, Your Majesty? Are you going to take a cue from that silly David Lynch version of "Dune" and decree that all of us must be fitted with openly accessible "heart plugs" that allow our lives to be taken with the flick of the wrist from your deputized thugs? Or at the very least, should we all be forced by law to carry wrist restraints, so that we can truss up ourselves in an instant when so ordered?
[ link to this | view in chronology ]
"Well on its way to becoming a feudal state"
But yes, ours is a feudal state under Hollywood and Google that wishes it were a liberal democracy, rather than a feudal state under Monsanto or Pfizer or Chevron or Ford that wishes it were a conservative republic.
[ link to this | view in chronology ]
Re: "Well on its way to becoming a feudal state"
[ link to this | view in chronology ]
What about postal letters?
[ link to this | view in chronology ]
Wrong analogy
No, it's like holding a paper manufacturer responsible for people burning letters after reading them.
Burning papers and mixing the ashes is what we did before digital communications. And they had a term for that: destruction of evidence. And it was still a bullshit charge as there was no clue as to what those papers really contained.
So now, we want to hold the paper manufacturers to blame for this huge problem (that really isn't) and force them to make fire-proof paper or pay massive fines.
Brilliant!
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Coverage
It would ban paper shredders, data storage places(paper or datacenters) from having fire suppression systems that could potentially damage documents/data.
If you offer a product or service that touches documents or data and have anything even remotely in your control (fire sprinklers) that can render the data unreadable you are on the hook to provide a clean copy to the government.
[ link to this | view in chronology ]
Software which allows plugins
[ link to this | view in chronology ]
https://gdmissionsystems.com/cyber/products/
As a long time Californian, I can never understand how in the world my fellow citizens continue to elect the likes of Boxer (or Dianne Feinstein either).
[ link to this | view in chronology ]
Re:
Selective enforcement.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
no person or entity is above the law;
economic growth, prosperity, security, stability, and liberty require adherence to the rule of law;
Why the hell aren't all laws started this way.
[ link to this | view in chronology ]
Re:
Run-time error '11':
Division by zero
[ link to this | view in chronology ]
Obama waffles
[ link to this | view in chronology ]
Re: Obama waffles
[ link to this | view in chronology ]
Re: Obama waffles
“Leak of Senate encryption bill prompts swift backlash”, by Dustin Volz and Mark Hosenball, Reuters, Apr 8, 2016
[ link to this | view in chronology ]
Re: Re: Obama waffles
[ link to this | view in chronology ]
Re: Re: Obama waffles
Yeah, nice attempt at a dodge on their part, but no, I'm not buying it. There has been plenty of time to become educated on the subject, and more than enough people in the field have spoken up saying how dangerous undermining encryption is that to claim to be 'undecided' at this point is just an attempt to avoid voicing an opinion counter to the evidence that's been presented.
I think the real 'problem' facing them is that they would really like to voice support for the bill, but they know the public backlash for doing so would likely be significant(and during election season at that), and so they're stuck pretending to have to 'consider the matter' and 'weigh the pros and cons'.
If by some disaster the bill does make it through and gets enough votes to pass I'm sure he will sign it, even as he pretends that he's only doing so because he has to, the lawmakers have spoken and he has no choice but to go along with the general consensus.
[ link to this | view in chronology ]
Re: Re: Re: Obama waffles
“Even in Silicon Valley, encryption battle yields more yawns than yelps”, by Bruce Newman, Mercury News, Apr 8, 2016
Perhaps even worse than overestimating the popular interest in the issue would be overestimating the level of popular opposition to something like Burr-Feinstein.
All too easy to get yourself in big room with a few thousand people mostly agreeing on something—and forget that a big room like that may not really be representative in a nation of 300 million and change.
[ link to this | view in chronology ]
Re: Re: Re: Obama waffles
If Congress is in session when it hits his desk he can do nothing and hope nobody notices.
[ link to this | view in chronology ]
Re: Re: Re: Re: Obama waffles
Either our President is a surveillance- / police-state- / national-security-maximalist, or the guy who has a gun to his head is.
We've not seen his opinion evolve until after it's clear the direction the votes are going.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Obama waffles
Toe-may-toe, toe-mah-toe.
[ link to this | view in chronology ]
Yup
[ link to this | view in chronology ]
Re: Yup
[ link to this | view in chronology ]
sorry
[ link to this | view in chronology ]
The inclusion of the above means, to me, that the requirement for providing the data or assistance with getting it applies only WHERE POSSIBLE, and does not mean systems or software must be dumbed down to provide for governmental wants later (no back-doors are required here). I admit I've only glossed over this so far, but am I misinterpreting anything here? If it does require back-doors, where exactly in the bill does it do so?
[ link to this | view in chronology ]
Re:
If English is not your first language, then you should consider indicating particular words that you're having trouble translating into your native language.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
Sorry assed, that is.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
The very next provision after the one you quoted.
"A provider ... shall ensure that any such products, services, applications or software ... be capable of complying."
At best, the two provisions contradict each other. More accurately, the one you quoted is a weak attempt to deny that they are doing exactly what they are doing: mandating how software and devices must be designed. It's providing some tiny, meaningless leeway.
Basically the part you quoted is saying "You can give us a master key, or a separate entrance, or a hidden recording device, or an infrared camera, or a doorman with orders to let us in - it's totally up to you!"
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
Nor does it prohibit.
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
“Entrenchment of Ordinary Legislation: A Reply to Professors Posner and Vermeule”, by John C. Roberts and Erwin Chemerinsky, California Law Review, 2003, p.1783 (p.11 in PDF): (Hyperlink added. Note that footnote 34, while citing 287 U.S. 315, 318, appears to get the year of the case wrong. Google shows this case as 1932.)
“The will of a particular Congress … does not impose itself upon those to follow in succeeding years.”
So why would a court care that a later legislative enactment sub silentio amends an earlier act?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
The argument would be that this bill does NOT do that. Am I not explaining this clearly?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re:
I think that motivation is a necessary predicate for any worthwhile argument: Contrariwise, if it doesn't matter, then it just doesn't matter…
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re:
Are you saying it's perfectly fine for this bill to conflict with CALEA, and that means CALEA is effectively amended? Maybe I misunderstood you.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
If the current, 114th Congress duly enacts a new law, then we get a new law. Tell me why it wouldn't just be that simple—especially in any question regarding interpretation and construction of the new statute?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
As for your question, ask the AC who thought it would be a problem.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Those 2 have proven they are traitors through and through.
[ link to this | view in chronology ]
I wonder how this is going to affect open source.
Can this be enforced?
Is this going to do anything but vector consumer dollars outside the US?
[ link to this | view in chronology ]
Open trolling?
Because that's not really a surprise.
[ link to this | view in chronology ]
Re: Open trolling?
[ link to this | view in chronology ]
Re: Re: Open trolling?
[ link to this | view in chronology ]
When?
[ link to this | view in chronology ]
Typical Dem move
Since when has the Democratic party ever been concerned about the economy or America's prosperity?
[ link to this | view in chronology ]
"concerned about the economy or America's prosperity"
The problem with partisan thinking is that both sides are generally corporatist and protectionist and representatives need to be in order to get those sweet, sweet campaign contributions.
Our government is now intrinsically corrupt, and only serves the monied interests. It's actually worse than Feudalism in a way since there is no acknowledgement of the value of the general population (as laborers, soldiers and consumers), so most of them are shortsighted enough to regard us shlubs as filth to be socially cleansed.
[ link to this | view in chronology ]
Burr-Feinstein bill
This should mean that I can encrypt my data with the confidence that it can only be read by me, someone I give the encryption key to, or someone who has a court order to read it. Of course, the provider has to be trustworthy, as my bank is now!
[ link to this | view in chronology ]
Re: Burr-Feinstein bill
Not just trustworthy, but secure. Criminal organizations and foreign nations would be trying to break in and steal the information needed to make use of the pointers you describe. And eventually one or more of them would probably succeed.
[ link to this | view in chronology ]
Re: Re: Burr-Feinstein bill
Criminal organizations can probably break any encryption if they think there's enough money to be gained. We live in a world where everything has some risk. The goal is to reduce the risk while attaining other goals as well.
[ link to this | view in chronology ]
Re: Re: Re: Burr-Feinstein bill
[ link to this | view in chronology ]
expel them
If they want to propose utterly idiotic legislation there is plenty of room in the House of Representatives.
[ link to this | view in chronology ]