Encryption

Senate's Attempt at Encryption Bill Would Destroy the Very Idea of Cybersecurity

It wouldn't make a 'back door'-it would make a gigantic crater.

|

Probably thinks an encryption "back door" is an actual physical object.
U.S. Senate Photo

The Senate Intelligence Committee's draft legislation to require tech companies assist federal authorities in bypassing the security of their products and software could have well been titled the "Shut Up and Do What You're Damn Well Told, Nerdlinger, Act of 2016."

Actually, it very nearly is. The short title for legislation drafted by Senate surveillance worshippers Dianne Feinstein (D-Calif.) and Richard Burr (R-N.C.) is the "Compliance with Court Orders Act of 2016." That's remarkably blunt for a bill title, but as with much legislation, it still manages to conceal what it really means.

The good news is that it's really easy to explain what this encryption bill does. That's also—oddly enough—the bad news. The bill is a scant nine pages long, most of which is taken up with definitions. The meat of it declares that a tech or communications company covered by the law must, when given a court order to provide them information of data, "provide such information or data to such government in an intelligible format; or provide such technical assistance as is necessary to obtain such information or data in an intelligible format or to achieve the purpose of the court order" if this information has been "made unintelligible" by security features or encryption by either the company or a third party on behalf of the company.

The court fight between FBI and Apple over whether Apple should be required to assist the government in breaking the passcode of San Bernardino terrorist Syed Farook's work iPhone brought to the forefront a significant debate over the importance of encryption to cybersecurity and protecting everybody's data and communications from crooks and predatory or authoritarian governments. This draft bill does not engage in this debate in any way, shape, or form. Similarly, it does not acknowledge the development of end-to-end encryption, like WhatsApp recently implemented, nor does it consider the possibility of the development of encryption methods designed so that the company itself cannot bypass them.

Instead the bill treats an encrypted device or program like it's a stuck pickle jar, and the government is doing the equivalent of handing it over to an older brother while muttering, "Here, open this for me." The bill doesn't say what would happen if the company is actually unable to comply. It doesn't present any criminal penalties, but presumably a judge could find companies in contempt. I imagine that this law could potentially put us right back into the situation between Apple and the FBI, where they would have to convince the judge that they couldn't or shouldn't have to do what's asked of them, and it would be up to the judge to make the determination.

It's just a terrible, poorly thought out law that shows, as I have mentioned before, that Feinstein, Burr and similarly situated government representatives that support his kind of legislation are not listening or (more likely) simply don't care about the potential threats to the average American's data security. Eric Geller at the Daily Dot worries this bill would essentially mean that companies cannot "implement unbreakable encryption in their products and still comply with the law."

Read the draft of the bill here. The text is not yet finalized and may see further changes. As I noted yesterday, the White House is allegedly not supporting this version of the law. It's no wonder. Though, as I warned yesterday, the Obama administration likes to secretly massage these laws into a fashion that better suits the executive branch's needs. It doesn't necessarily mean the administration is a big protector of our right to privacy and secure data.