FYI.

This story is over 5 years old.

Tech

'Leaked' Burr-Feinstein Encryption Bill Is a Threat to American Privacy

Every service, person, human rights worker, protester, reporter, company—the list goes on—will be easier to spy on.
Senators Richard Burr and Dianne Feinstein. Photo: Tom Williams/CQ Roll Call

On Thursday, what appears to be a draft bill from Senators Richard Burr (R-North Carolina) and Dianne Feinstein (D-California) was uploaded by The Hill reporter Cory Bennett. The bill has not been confirmed as authentic, and even if it is authentic, may have changed since the version that was posted online. Regardless, it's worth critiquing the draft that was published, which aspires to kill end-to-end encryption in America—a move that, to lift a phrase from former NSA director Michael Hayden, only North Korean hackers could love.

Advertisement

Allow me to explain.

The bill, the "Compliance with Court Orders Act of 2016," requires that all companies providing any kind communications or data service be able to give information to the government in an "intelligible format." If the company made the data unintelligible, it must provide "technical assistance" to undo it. In case there is any question about the aim, the bill defines intelligible as "decrypted, deciphered, decoded, demodulated, or deobfuscated to its original form."

Instead of learning from the Department of Justice's ill-fated attempt to demonize services that rely on encryption to protect their customers and maintain user trust, these two Senators are doubling down. To make matters worse, Senators Burr and Feinstein chair the Senate Select Committee on Intelligence, which means they're the very people tasked with overseeing overreach by intelligence agencies. The White House, increasingly anti-encryption since the Apple-FBI flop, is reportedly deeply split on the proposal.

Simply put, this bill would flat-tire end-to-end encryption within America

If this bill were to pass, it would outlaw secure communications, which are heavily—and increasingly—dependent on end-to-end encryption. By definition, end-to-end encryption cannot be decrypted except by the credentials of the senders and receivers. This is how information that truly needs to be secure is protected, because it minimizes the ways highly sensitive information can be decrypted.

Advertisement

Simply put, this bill would flat-tire end-to-end encryption within America. Every service, person, human rights worker, protester, reporter, company—the list goes on—will be easier to spy on. It jams a crowbar into the gut of Americans' privacy and security. It sets the precedent that the Department of Justice sought in the Apple-FBI case. And by crippling encryption, it risks turning those compromised products into new funnels of information for the never-ending haystack of information. After all, finding vulnerabilities like these are gold mines for hackers, and many of the world's best work for American intelligence agencies. But, we're told, it will make us more secure overall.

But, in fact, the impact on American security is one of the biggest threats of this bill. The notion of a backdoor, or what Senators Burr and Feinstein euphemistically call "technical assistance," that can only be used by the government—whether law enforcement needs a warrant to do so or otherwise aside—has been unanimously rejected by every mathematician and cryptologist who studies it. That isn't an exaggeration. You can't have a backdoor that isn't a security vulnerability. And Congress knows that. This same fight happened in the 90s, during the Crypto Wars. It was literally the exact. Same. Argument. Loathe as I am to say it, even Michael Hayden, who oversaw the agency's rise to power and many, many disastrous decisions, agrees.

Advertisement

As far reaching as the effects of this bill would be on Americans' privacy and safety, its jurisdictional narrowness is yet another catastrophic flaw. At the risk of stating the obvious, this is a proposed American law. It does not control Russian companies, or the North Korean government. It is the modern equivalent of Congress passing a law that bans the development of intercontinental ballistic missiles. "Have fun with that," the rest of the world seems to say, while Senators Burr and Feinstein proclaim how much safer we are.

Even in draft form, this legislation is so short-sighted it calls into question the authors' ability to lead the Senate Select Committee on Intelligence, which, again, Senators Burr and Feinstein chair. Their positions are singularly powerful in their ability to ensure that intelligence collection is done effectively and legally. This bill is powerful evidence that they are not up for the job.

As egregious as the Compliance with Court Orders Act of 2016 is, it highlights yet again a decision Americans must make. Pew confirms that 30 percent of American adults have changed their online behavior since the Snowden leaks. Another study last month found that people who think mass surveillance is a lesser problem are actually more likely to self-censor their minority opinions. That means tens of millions of Americans: trying to hide their online activity, not reading something they would otherwise read, not saying something they would otherwise say, or not interacting with someone they would otherwise interact with—the definition of chilled speech. That number will get higher and higher as more information about the intelligence agencies comes out and as more people learn about it, and in particular as bills like this one pop up.

And then it will peak, and that number will drop. The percentage of people changing their behavior will decrease. That will be when Americans simply never expect to have digital privacy. That will be when we aren't progressing as a society because we've always acted like someone is watching us, watching our children, watching everything we do. Looking past all that, we're told, is necessary to fight the next drug dealer, the next terrorist, the next hacker, who, of course, doesn't listen to American law, doesn't sign up for compromised encryption, and doesn't need Senator Burr or Senator Feinstein's permission to attack us with the very security holes these people want to mandate.

May we never see that peak, and may Senator Burr and Senator Feinstein's ill-conceived bill never see the floor of the Senate.

UPDATE: This story has been updated to reflect the fact that Cory Bennett of The Hill was the one who published the alleged draft bill online.

Sean Vitka serves as counsel for Demand Progress and Fight for the Future and is a fellow with X-Lab.