Why Doesn't The Anti-Encryption Bill List Any Penalties?
from the they'll-be-added-in-later dept
We've already written a bit about the technologically ignorant bill from Senators Richard Burr and Dianne Feinstein that basically outlaws any encryption system that doesn't include backdoors for law enforcement. However, there are still some points in the bill that have left some folks scratching their heads. In particular, the lack of any penalty at all has some commenters wondering what the bill actually does. The bill both says that it doesn't "require or prohibit any specific design or operating system," but at the same time does require that anyone offering or supporting any kind of encryption be able to pass along unencrypted versions of the communication to law enforcement when presented with a legitimate court order or warrant (so not just a warrant...). As Orin Kerr noted, the bill mandates assistance, rather than using the more typical requirement of "reasonable" assistance.
Instead, the bill is explicit that if you receive an order, you have to hand over the unencrypted data. The law specifically reads: "a covered entity that receives a court order from a government for information or data shall provide such information or data to such government in an intelligible format; or provide such technical assistance as is necessary to obtain such information or data in an intelligible format or to achieve the purpose of the court order." No best efforts. No reasonable assistance in the face of situations where that can't be done. The bill requires that you provide unencrypted data. Or else.
Or else... what? The bill includes absolutely nothing on the penalties for failing to comply. This has led some on Twitter (including a guy I've been discussing it with who deletes all his tweets after tweeting them or I'd post them here...) to argue that the bill actually promotes encryption, since if a company can't provide unencrypted data, then the law has no impact. That's not true, however. First of all, both Burr and Feinstein have been going on and on about demanding backdoors and whining about encryption for a long time. There's no way they wrote a bill that would support stronger encryption. Second, all of the rest of the language in the bill includes various statements like "shall provide" and other items that leave no wiggle room at all. Providing any kind of encryption without providing a backdoor for law enforcement would violate this law.
So... why the lack of penalties? There are a few theories floating around. (1) This is still a draft of the bill. Those penalties will be added in later, after everyone's fought over the rest of the bill. Leaving out the penalties at this stage lets Feinstein and Burr focus the fight. (2) The bill will allow courts to claim that any company not providing such unencrypted text is in contempt and issue increasingly large fines that make it practically impossible to be a business in the US without providing backdoors to encryption and basically demolishing everyone's security. Neither option is appealing.
This bill is bad in so many ways and no one's focusing on the punishment part because it's not even in the bill yet -- but make no mistake -- if this bill passes, there will be punishment (potentially severe punishment) for any company that wants to use actual encryption.
Filed Under: dianne feinstein, encryption, going dark, penalties, richard burr
Reader Comments
For any American company, operating in America.
Encryption and privacy will still be very much in demand in other countries. There would simply be American versions of products sold without it.
Apple and other American-based multinational companies would do this too. Otherwise Samsung, HTC and others will use it as a selling point against them elsewhere.
How to prevent Americans from using foreign-made phones and encryption apps is a problem for Burr and Feinstein to explain.
[ link to this | view in chronology ]
Something must be done!
Something must be done!
In response, a law is passed such that any company selling products or offering services in the US that includes encryption is forced to deliberately cripple said encryption, causing a great many of them to shut down or shift elsewhere, leading to a hefty blow to the economy short-term and long.
Something has been done!
However, there's still the problem with products and software created and sold outside the US which contains working encryption, and is shipped over or simply downloaded from any computer with a working connection to the internet, allowing criminals to continue to use encryption to protect their privacy and deeds.
Something must be done!
In response, a new law is passed that criminalizes second-hand sales of such products, and the mere possession of 'unauthorized' encryption software is now considered a crime.
Something has been done!
As a result any law abiding person or company in the US is forced to use deliberately weak encryption in their products and services, leading to an absolute explosion in crime related to electronic devices and digital information.
Something... has been done?
And meanwhile the theoretical targets of the anti-encryption laws, terrorists, criminals, and communists continue to completely ignore the law as they are known to do, and are the only ones with working encryption to protect their data and hide their activity.
... victory at last?
[ link to this | view in chronology ]
Re: Something must be done!
Then build a statue for Feinstein and Burr for actually managing to do what no terrorist could: destroy the whole country.
[ link to this | view in chronology ]
Re: Something must be done!
Also, you forgot to add the part where the terrorists will use that weak encryption to their benefit.
As in, you know what an ITS is? That thing you got on cars to aid with your driving.
Imagine what an evil terrorist can do with access to what your car tells you, or even better, to the controls of your car...
Why would you need to send guys with AKs when you can always have some car hitting a gas truck at max speed in a crowded highway?
[ link to this | view in chronology ]
Re: Something must be done!
Cum catapultae proscriptae erunt tum soli proscripti catapultas habebunt. (When catapults are outlawed, only outlaws will have catapults.)
[ link to this | view in chronology ]
Fun historical footnote.
Military belligerents used them anyway, since not using them against those who did multiplied casualties. The approach most was to use them and beg for forgiveness later (which was had when spoils were used to finance new churches).
So by the time we saw Arquebuses (hook gonnes, essentially hand cannons that had a handle), they fit right in.
[ link to this | view in chronology ]
Re: Something must be done!
[ link to this | view in chronology ]
Re:
Well the first problem is the obvious, "we will no longer allow your stuff through customs." It doesn't matter if they can't get the company directly, they'll just prevent their products from entering the US.
It also won't work for companies with any operations in America. If someone shows up with a foreign manufactured phone with encryption, the company would still be obligated to open it. Sure, they can't go after the foreign operations, but they can easily go after the American division.
[ link to this | view in chronology ]
Re: Re:
Going after the American division of a company for information held by their overseas divisions is problematic. Techdirt has covered the case where a US magistrate judge ruled that Microsoft had to comply with a warrant asking for data held on servers in Dublin. (The Irish government has since disagreed, saying that the emails should be disclosed only on request to the Irish government.) It's not settled yet, but imagine the uproar after a Microsoft loss, when foreign governments cite the case to demand information about Americans on US servers.
What happens when Apple US (with a government back door on US phones) is ordered to unlock an Irish phone, and is unable to do so because the Irish phones don't have the back door?
[ link to this | view in chronology ]
Re: Re: Re:
Yes, but we're not talking about the existence of illegal phones, or the relative handful of tourists and business travelers. We're talking about denying companies access to one of the largest phone markets in the world. That is how companies die. This isn't about black markets or smuggling or installing your own encryption, it's about major corporations. And it's highly unlikely major multinational corporations are going to be able to smuggle their products into the US.
And really, "dozens of iphones?" That's an accounting error to Apple.
What happens when Apple US (with a government back door on US phones) is ordered to unlock an Irish phone, and is unable to do so because the Irish phones don't have the back door?
Then one of the most profitable segments of their business is going to be fined into oblivion until their shareholders demand they install backdoors, or they leave the US entirely. That is, if the US regulators will let them leave the US...
[ link to this | view in chronology ]
Re:
So Americans would be forced to use non-encrypted unsecure "trump-branded" phones, computers etc.
It's such a terrible situation that if he IS elected, it's actually possible that companies such as Microsoft, Apple and Google might relocate OUT of the US to protect their non-US customer base.
[ link to this | view in chronology ]
backdoor passwords...
[ link to this | view in chronology ]
Re: backdoor passwords...
[ link to this | view in chronology ]
More tools for abuse by LEOs coming
The new current. "I don't know what he said. It must have been code. Get the handcuffs! All communication must be in plain English and legible to Law Enforcement!" "Was that a mumble, or code directed at a partner? Draw!"
Of course the tools are mostly abused on those in our society that are already mostly abused. Racist? applied to dark skin. Sexist? applied to limp wrists. Classist? applied to empty wallets and dirty pants.
New tools for the lowest in our society.
[ link to this | view in chronology ]
2nd choice
My guess also is that this is only the first draft of many, which will likely die with the session ending after the election cycle is complete. The only way any of this is likely to pass is by congress critters who have been voted out, and who want to strike back with impunity.
[ link to this | view in chronology ]
No specified penalties is a feature...
[ link to this | view in chronology ]
ISDS action?
[ link to this | view in chronology ]
The technological equivalent of the 18th amendment
Clearly they don't understand the social or economic ramifications of what they're saying. This law would massively increase barrier to entry for hundreds of burgeoning companies, and thousands more that don't yet exist.
This isn't about law enforcement. It is about discriminating against sophisticated technology and the people who use it. And while they probably don't think so, I imagine there were plenty of attendees at the Wannsee conference who didn't go there thinking it was about, what it ended up being about.
This isn't about encryption. We know that because they don't know enough about the technology for it to BE about encryption. In the absence of plausible negligence, we are left with what remains: fear and malice steeping in a cauldron of ignorance.
Congressmen: You are flea bitten and lame. Please retire to pasture. We are saddened at seeing you pull futilely in your traces.
[ link to this | view in chronology ]
That is how far off-based Dianne Feinstein is on this issue.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Curious wording or bad wording?
I thought court orders come from judges, not governments. Does this mean there will never be a legal court order from a government?
Otherwise: This allows any government to `shop' for information via a court order in the US and any corporation that wants to sell in the US is bound to oblige.
(Expect a lot of embassies and/or consulates to appear in West Texas, if this gets through).
[ link to this | view in chronology ]
Don't need them
We got National Security Letters, and penalties for those. And rendition, lots of rendition. And government contracts to take away.
We don't need no penalties, not in this law.
[ link to this | view in chronology ]
I'm glad they left it out
[ link to this | view in chronology ]
Senator Burr: 'Every situation is going to be different'
[ link to this | view in chronology ]
White House skepticism [was Re: Senator Burr: 'Every situation is going to be different']
[ link to this | view in chronology ]
Re: White House skepticism [was Re: Senator Burr: 'Every situation is going to be different']
[ link to this | view in chronology ]
Re: Senator Burr: 'Every situation is going to be different'
"Obviously, the bill's authors are going to have to address the situation of being UNABLE to comply with an order versus being UNWILLING to do so for two important reasons: (1) It's only common sense that nobody under the sun is going to "dumb-down" a state of the art security algorithm to accommodate law enforcement later (it's so painfully obvious that's what they're attempting to pull off here). To do so renders data vulnerable to theft and surveillance by any number of other third parties. And (2) a myriad of other perfectly valid technical difficulties that could easily stand in the way of successfully delivering intelligible data or fruitful assistance."
[ link to this | view in chronology ]
I wonder how long it will be and who will get the blame once this comes into being and things go totally shit-faced and someone gets into something, gains the info needed and really screws the USA? Could be interesting to see which of these two clowns back pedals the quickest!
[ link to this | view in chronology ]
Re:
In this case the government has learnt from the discussion, and is making the companies that provide the backdoors responsible for the security of those backdoors; so when the inevitable happens, it is not the government's responsibility or problem.
[ link to this | view in chronology ]
This proposed law is incomplete elsewhere as well
[ link to this | view in chronology ]
One stratagem:
Step two: When court demands the plaintext via AWA or court order or whatevs, deploy one PC to break the encrypted code via brute force.
Step three: Implement another computer for each separate instance up to a reasonable number (two, a dozen, a hundred, depending on the size of your business). After that future cases go onto a queue.
Step four: Upon request for progress reports declare We're still working on it. So far, we've tried X keys. Or Your case is on our queue. You have Y cases ahead of you.
Step five: Insist repeatedly and without perjury your business is doing all it can reasonably do, and that more or faster computers is not going to unlock the data fast enough for it to be relevant (e.g. in our lifetime).
[ link to this | view in chronology ]
Re: One stratagem:
The courts would not be amused by this. You build the wall and then try to point out it's too high to climb - at some point, the courts will order you to firmware update everyone's devices back to a level which can be climbed.
Your concept would be called "shooting yourself in the foot" except you would be both feet and perhaps a leg.
[ link to this | view in chronology ]
Re: Re: One stratagem:
Then they can open it all they want and encounter nothing, and it's going to be difficult to detect hidden data without getting a lot of false positives.
Tell me Whatever, how many people incarcerated innocently by the state do you find to be acceptable collateral damage for the alleged guarantee of your personal safety?
[ link to this | view in chronology ]
Addressing the issue
That is why this whole bill and train of thought is stupid.
[ link to this | view in chronology ]
Re: One stratagem:
this:---> http://www.motherjones.com/kevin-drum/2016/04/yet-another-feinstein-burr-bill-has-been-leaked
[ link to this | view in chronology ]
Re One Stratagem
[ link to this | view in chronology ]
Does DRM = encryption?
[ link to this | view in chronology ]
A lot of scientists are in danger; for law enforcement there is no "intelligible format" for string theory.
[ link to this | view in chronology ]
Draft Bill Official Release
“Intelligence Committee Leaders Release Discussion Draft of Encryption Legislation” (Press release), Apr 13, 2016
For those who weren't quite paying close attention, note that the purported discussion draft Techdirt discussed last Friday was a leaked copy. Following that leak, Senator Feinstein publicly refused to confirm the provenance of the leaked document.
So today the discussion draft is officially released.
(H/T Kevin Bankston)
[ link to this | view in chronology ]
Re: Draft Bill Official Release
“The Senate’s Draft Encryption Bill Is ‘Ludicrous, Dangerous, Technically Illiterate’ ”, by Andy Greenberg, Wired, April 8, 2016
I had recalled that it was Senator Feinstein who herself made some sort of statement using words close to ‘didn’t believe was consistent with the facts.’ But now I don't recall at all where that was reported.
Anyhow, now that the discussion draft has been officially released by Senator Burr's office, precise exactitude on this point probably doesn't matter that much anymore.
[ link to this | view in chronology ]