Criminal Penalties for Companies that Won't Help Decrypt? Not Yet—But Keep Watching
The stick has been suggested. Now where is the carrot?
The Wall Street Journal appeared to have a scoop yesterday evening: Senate Intelligence Committee Chair Richard Burr (R-N.C.) was drafting legislation that would actually institute criminal penalties against companies (like Apple) who resist or refuse orders to decipher encrypted messages on the tech devices they've created.
Given that Apple CEO Tim Cook is being very vocal about his company's refusal to compromise iPhone security to help the FBI crack the phone possessed by deceased San Bernardino terrorist Syed Farook, the gesture appeared to be a threatening escalation in the conflict.
But it turns out such legislation is not happening … yet. A spokesperson for the senator said he was looking at tightening the rules surrounding encryption but was "not considering criminal penalties in his draft proposals."
Burr is famously one of the anti-encryption politicians who simply doesn't even want to listen to debate about the potential dangers of forcing tech device companies to compromise their security at the demands of law enforcement and prosecutors. He wants to push forward with legislation without a proposed commission to explore the solutions, saying "I don't think a commission is necessarily the right thing when you know what the problem is. And we know what the problem is."
But Burr has absolutely no interest in engaging or even acknowledging the potential negative consequences of his solutions, and he makes it abundantly clear in a USA Today commentary. All he cares about is Apple doing what they're told and helping the government fight crime. He simply dismisses any complaints by saying that Apple isn't being forced to decrypt the phone itself or provide an actual back door, a semantic argument that ignores a discussion of the potential consequences of what Apple is actually being asked to do. Indeed, even after attempting to suggest this is an isolated case, Burr makes it abundantly clear that he and like-minded folks want Apple to do this on demand in order to help the government fight crime. Every time security is deliberately weakened like this, the risk is elevated that the mechanism for breaching phones will escape the control of those responsible and will end up in the hands of criminals, hackers, or autocratic governments. (If you want to learn more about the risks from the government weakening encryption—read here).
It's easy to suspect that the leaking of the possibility of criminal sanctions was the deliberate floating of the "stick" to punish stubbornness. Now that it's been presented, stay tuned for the carrot. Here's what consumers should be worried about: If the government forces Apple and Google and other tech companies to compromise their security, they'll also have to shield these companies from the consequences if (and when) this all goes sour. If the government makes Apple compromise its security, and then the mechanism for doing so gets out and Apple users are targeted for theft and fraud, the company would face tremendous liability. Say you have an iPhone. Apple creates a system to bypass your phone's security. Somebody uses that system to get into your phone data and get access to your credit card information, for example. Wouldn't you want to hold Apple legally responsible for knowingly compromising your security?
One likely solution: Shield Apple and other companies like it from legal liability for breaches. Keep consumers from suing them. The government would pretty much have to do this if it makes tech company cooperation mandatory. This was the "solution" in the Cybersecurity Act of 2015, included and passed in the recent budget omnibus. It encourages companies to share data about users and customers with government agencies for the goal of helping fight crime. But it also shields companies who participate from lawsuits over breaches as an incentive and a reward.
So as this fight spools out, definitely keep an eye out for that "compromise." I have doubts that companies like Google or Apple will deliberately accept it, given how important their users feel their security is (Burr is losing a USA Today poll that was embedded within his own commentary). But liability protection could be implemented in legislation regardless, and it will be consumers who will be screwed over, both by increased risk of fraud and the inability to turn to the courts to hold companies liable.