Congress's New Encryption Bill Just Leaked, And It's As Bad As Experts Imagined
Congress once again ignores experts’ warnings with a bill that forces companies to create backdoors.
In the aftermath of Apple and the FBI's high-profile battle over an iPhone used by one of the San Bernardino shooting suspects, observers on Capitol Hill have been anxiously awaiting the arrival of a new Congressional bill that would force tech companies to provide assistance to police in accessing their customers' data, even if it means building software tools to circumvent their own security measures.
Now a leaked draft reportedly obtained by The Hill has provided our very first glimpse at that bill, which has been promised for months by Senators Dianne Feinstein (D-California) and Richard Burr (R-North Carolina). And despite multiple delays, it seems to be exactly as tone-deaf and poorly-considered as security and legal experts expected.
The legislation's nine-page discussion draft, which the senators tacitly acknowledged as a version of the final bill, seems to completely ignore the strongly-worded advice of experts during the San Bernardino fight. It would require companies faced with a court order to provide either the "information or data" requested by the government or "technical assistance as is necessary to obtain such information in an intelligible format or to achieve the purpose of the court order." The draft bill only vaguely defines this technical assistance, implying it would be up to the companies to decide how to comply, as long as the government gets what it's looking for.
In other words, the draft bill is an encryption-specific version of the All Writs Act, the controversial 1789 statute that the US government invoked to force Apple to build software capable of hacking into the San Bernardino shooter's iPhone.
"While the bill claims that it in no way is designed to force companies to redesign their products, this is a subtle hypocrisy," writes computer forensics and encryption expert Jonathan Zdziarski in a blog post. "The reality is that there is no possible way to comply with it without intentionally backdooring the encryption in every product that may be used in the United States."
Experts have repeatedly warned that forcing companies to help circumvent their own encryption would catastrophically weaken the security of average users, endanger US national security and economic competitiveness, and ultimately wouldn't thwart terrorists and other criminals, who would simply switch to foreign apps and devices that the law doesn't cover.
"This bill would not only be surrendering America's cybersecurity but also its tech economy, as foreign competitors would continue to offer—and bad guys would still be able to easily use!—more secure products and services," said Kevin Bankston, director of the New America Foundation's Open Technology Institute, in a statement emailed to Motherboard.
"The fact that this lose-lose proposal is coming from the leaders of our Senate's intelligence committee, when former heads of the NSA, DHS, the CIA and more are all saying that we are more secure with strong encryption than without it, would be embarrassing if it weren't so frightening."
The American Civil Liberties Union also released a statement condemning the draft bill.
"Instead of heeding the warnings of experts, the senators have written a bill that ignores economic, security, and technical reality," said Neema Singh Guliani, a legislative counsel for the ACLU.
It's worth emphasizing that this is a leaked discussion draft of the bill, and the final version introduced in Congress (if it isn't abandoned outright) could differ significantly. President Obama has refused to support the bill in its current form, Reuters reports.
"We're still working on finalizing a discussion draft and as a result can't comment on language in specific [versions] of the bill," Senators Feinstein and Burr said on Friday.
Which is probably for the best, because the current draft is such a mess of technical incompetence that it's unlikely to pass muster in Congress, privacy advocates say.
"I can say without exaggeration that this draft bill is the most ludicrous, dangerous, technically illiterate tech policy proposal of the 21st century so far," Bankston told Motherboard.