Senators Burr & Feinstein Look To Bring Back Bill To Outlaw Real Encryption
from the apparently-they-didn't-get-the-message dept
Back in May we noted that the ridiculous and terrible anti-encryption bill from Senators Richard Burr and Dianne Feinstein was dead in the water. The bill had all sorts of problems with incredibly broad and vague requirements, but the quick summary was that tech companies would have to figure out a way to backdoor all encryption, because if they received a warrant, they'd be required to decrypt any communication.
Rather than get the message that this was a really, really bad idea, it appears that Burr and Feinstein have just gone back to the drawing board, trying to recraft the bill. Julian Sanchez got his hands on one of a few prospective new drafts that are being floated around and has an analysis of the update. The draft that Sanchez has seen tries to fix some of the problems, but doesn't really fix the main problems of the bill. As Sanchez points out, he sees four major changes in the draft:
(1) Narrower scope
The original discussion draft required a “covered entity” to render encrypted data “intelligible” to government agents bearing a court order if the data had been rendered unintelligible “by a feature, product, or service owned, controlled, created, or provided, by the covered entity or by a third party on behalf of the covered entity.” This revision would delete “owned,” “created,” and “provided”—so the primary mandate now applies only to a person or company that “controls” the encryption process.
(2) Limitation to law enforcement
A second change would eliminate section (B) under the bill’s definition of “court order,” which obligated recipients to comply with decryption orders issued for investigations related to “foreign intelligence, espionage, and terrorism.” The bill would then be strictly about law enforcement investigations into a variety of serious crimes, including federal drug crimes and their state equivalents.
(3) Exclusion of critical infrastructure
A new subsection in the definition of the “covered entities” to whom the bill applies would specifically exclude “critical infrastructure,” adopting the definition of that term from 42 USC §5195c.
(4) Limitation on “technical assistance” obligations
The phrase “reasonable efforts” would be added to the definition of the “technical assistance” recipients can be required to provide. The original draft’s obligation to provide whatever technical assistance is needed to isolate requested data, decrypt it, and deliver it to law enforcement would be replaced by an obligation to make “reasonable efforts” to do these things.
The first change seems like a big deal, but it also is hard to parse out and seems rather meaningless. Changing the requirement from covered entities to those who "control" the encryption? So what. That basically still means backdooring encryption, it just might mean going up a step or two in the ladder. Sanchez reads this as possibly being an attempt to effectively backdoor future types of encryption, less so than what we have today. I won't repeat his whole argument here -- go read it yourself -- but as he notes, this might be a way to calm people down to pass this bill:
If this interpretation of the idea behind the proposed narrowing is right, it’s particularly politically canny. You declare you’re going to saddle every developer with a backdoor mandate, or break the mechanism everyone’s Web browser uses to make a secure connection, and you can expect a whole lot of pushback from both the tech community and the Internet citizenry. Tell people you’re going to mess with technology their security already depends upon—take away something they have now—and folks get upset. But, thanks to a well-known form of cognitive bias called “loss aversion,” they get a whole lot less upset if you prevent them from getting a benefit (here, a security improvement) most aren’t yet using. And that will be true even if, in the neverending cybersecurity arms race, it’s an improvement that’s going to be necessary over the long run even to preserve current levels of overall security against increasingly sophisticated attacks.
As for the other changes, saying that this can't be used for intelligence purposes, but just law enforcement, is also kind of meaningless. The intel community has actually been somewhat opposed to the Burr-Feinstein bill anyway -- in part because they can already break into lots of encryption. And if this new backdoor is required, then they'll be able to break into more. The warrants are meaningless to the intel community for the most part, so this "limitation" is no limitation at all.
The final change about "reasonable efforts" is clearly an attempt to appease the tech companies that spoke out loudly against the bill. It's definitely better than the "you must decrypt" kind of language in the original, but it's hardly comforting. Remember, the FBI/DOJ insisted that what it was asking of Apple in the San Bernardino iPhone case was a perfectly "reasonable" effort as well.
Either way, this shouldn't be much of a surprise: the whole push to outlaw real encryption may have had a setback, but it's clearly far from dead.
Filed Under: dianne feinstein, encryption, going dark, richard burr
Reader Comments
Encryption control
Easy to get around
'No' yesterday, 'No' today, and 'No' tomorrow
It doesn't matter how 'good' the language is, you're still talking about a measure that will cause vastly more problems than it could ever solve by deliberately weakening security that millions rely on to keep their personal data safe, and for no other reason than the voyeurs couldn't be bothered to show the slightest bit of restraint and people and companies are taking steps to protect their privacy.
Encryption is already difficult enough to manage, intentionally crippling it and/or keeping it from being truly secure is nothing less than intentionally putting millions of people at risk, and anyone who suggests doing so deserves to be called out for their incredibly hostile stance towards public safety and security.
definition is key (encryption...key...geddit?)
Any lawyer could put up an argument to the court that any one of those people/entities in some way 'controls' the encryption process.
Play ball then we can talk
When the legislators supporting encryption backdoors are willing to let the public decrypt and look through all their communications then we can have a conversation.
If they have nothing to hide I'm sure they would have no problem with this request.
Being a hardliner
Something you've forgotten
Poverty ensues.
Re:
Re: Something you've forgotten
Daily Flickers
Security Theater!
I know very little about encryption but this is my attempt using nothing but a shell script. I would be interested to see if someone can tell me what it says and how long it took them to decrypt it. [it's not a one time pad]
Oops..
Financial Repercussions
The pro-encryption crowd seems unable to comprehend that the "good" guys need encryption. Technology is a two edged sword. Need to take the "bad" along with the "good".
The tighter you squeeze...
Re: Financial Repercussions
Re:
Re: Encryption control
What Happens Next.
Ban those with a new bill, and then what about programming tools? Functions for AES and other encryption standards are built right into the .NET framework. An amateur can implement them with no real understanding of how they work. (I know; I've done it.) Presumably frameworks for Mac and Linux have them too. It follows that these frameworks will get their own bill demanding back doors.
The only thing this bill will do is force people and companies to other countries for OS's, apps and programming tools. Making Ted Cruz's grandstanding over ICANN's IANA seem even more silly.
Good luck with that
Re: Good luck with that
Criminals/terrorists/communists will just ignore the law and use non-crippled encryption, tech savvy people will do the same, the goal is to make the majority of people, who don't fit into those groups, vulnerable. To allow the 'Grab it all!' voyeurs to continue on, business as usual grabbing everything they can, and if they're really lucky maybe finding an actual criminal at some point in the process.
That crippled encryption will result in a massive number of preventable crimes and violations of privacy is just a sacrifice the public (not the politicians of course) will have to make in order to protect the public's security and privacy.
Put it in a way they can understand it
So, the way I would phrase it is "Trying to backdoor encryption is like trying to unring a bell. It's just not possible."
Re:
Diebold?
Reasonable Effort?
"Sure, we could break the encryption on that message. It'll be a brute-force attack, take 18 months and it'll be $6.3Billion dollars in Amazon AWS fees for the compute power. Where should we send the bill?"
FBI: "This is a really important case, this person's been leaking that the director spits his chewing gum on the sidewalk rather than into bins! We can cover that, send the bill to our head office. We'll indicate the 150 text messages we want decrypted."
Apple: "150? The quote we gave was for ONE message decryption."
These two are long overdue for a long rest!
Thank you, Senator Burr!
Re: Re:
A Democrat would stand a much better chance beating her than a Republican in the general election, but it would still be a tough fight.
i hope this passes
just think someone gave me all the FBI honey pots so I can easily get proper proxies ....and guess what boneheaded federal idiots....it won't be me doing nothing cause I'm not the only one that knows....
FREE TRADE RIGHT....lol
you want capitalism you get it my dearies!!!!!
Re:
Re: Easy to get around
Any backdoor the U.S. Government demands put in, also means other countries will want that same access and they would have to give it out. It's American citizens that end up being screwed as your phones are hacked inside China, if it does need to be hacked, as the key to get into the phone gets passed around and around, I'm sure it'll leak at some point someplace.
"Critical Infrastructure"
Re:
Outlaw Real Encryption?!?!
1) How does one mandate "WORLD WIDE" encryption back doors?
Answer, one doesn't! Won't happen! Someone will always have a real encryption algorithm up and working. It/they may not be available in the USA, but overseas, open market, open access!
2) When the encryption is broken, and one knows the hacker/cracker crews will put in many sleepless nights to break it, who pays for the thousands of users millions if not billions of dollars needed to be spent on some new "back door" encryption?
I know it will NOT be the original programmer, NOR her company. The GOV. who mandated it now has to pay and big time for the new version and the dissemination of same.
Know-Nothing Nitwits and You!
Let's just outlaw Burr, Feinstein and all of the other know-nothing-nitwits infesting Congress while they preen themselves in front of the cameras and pretend to be serious people.
These idiots are dangerous.
Re: Reasonable Effort?