Happy Burr-Feinstein legislation day! Late last night the long-awaited text of the dynamic senatorial duo’s encryption legislation was leaked, and boy is it bad. Really bad.
The text, as drafted, states that
“a covered entity that receives a court order … shall be responsible only for providing data in an intelligible format if such data has been made unintelligible by a feature, product, or service owned, controlled, created, or provided, by the covered entity or by a third party on behalf of the covered entity.”
And then there’s this:
“A provider of remote computing service or electronic communication service to the public that distributes licenses for products, services, applications, or software of or by a covered entity shall ensure that any such products, services, applications, or software distributed by such person be capable of complying” [with the bill’s requirements.]
In other words, all your encrypted data belongs to the government.
This bill, as written, effectively outlaws the type of encryption currently used not only on our iPhones, but in online life as well. As I’ve discussed previously, even leaving aside the clear issues of privacy and civil liberties, the economic ramifications of a move to weaken encryption would have profoundly negative consequences.
Many questions still abound, however.
To begin, there’s no clear provision that deals with penalties. What would happen if a company refused, or was unable, to comply? The bill doesn’t say.
Intelligible data, as defined by the bill, includes information that has never been encrypted, as well as data that has been encrypted and then decrypted. In short, it covers it all. But encryption is not the only way to render data unintelligible, and it's not clear that the bill's provisions wouldn't also reach the willful destruction of data. Does that mean Snapchat, whose messages are deleted after they are viewed, would be in violation of the provision?
Additionally, there are major First Amendment concerns associated with the provision that mandates app stores serve as compliance enforcers. Do we really want app stores to serve the role of deputized encryption police?
The bill also requires that technical assistance be provided to the government in order to render any unintelligible data intelligible. So how are companies providing end-to-end encryption (E2E) for consumers supposed to comply? Well, the bill doesn't say. That means, all else considered, companies like Apple will necessarily need to retain the ability (keys) to access encrypted communications; and whatever form that retained access takes, it becomes a single high-value target for anyone besides the government who wants those keys. Where previously you, the consumer, were the arbiter of your personal device security, now the burden shifts back to companies. No more E2E for your iPhone. No more guarantee that SSL/TLS protects your purchases from Amazon. No more secure encryption at all.
But here’s the big kicker, and one that was only just brought to my attention by Morgan Reed, executive director of the App Association, during a telephone conversation we had right before this posting: nowhere in this draft legislative text does it state that anything more than a court order or warrant is required for providing unencrypted, intelligible data. This text doesn’t refer specifically to criminal cases, but rather “any order or warrant” (emphasis mine) issued by a court. Divorce proceedings, civil investigations, custody battles, civil suits—indeed, any and all civil proceedings are swept up in this legislation as well. That’s a problem. A big problem.
Everything about this text is concerning. As if the confusion of this bill wasn't enough to make you pull out your hair, earlier today White House Deputy Press Secretary Eric Schultz denied previous reports that the Administration would not support the Burr-Feinstein legislation. And while the President has repeatedly reiterated his support for strong encryption, if he were to support this legislation, the sincerity of those statements would be in question. While the text is only a discussion draft, it seems likely that whatever final version is released will be only marginally better. Here's hoping the senators rethink their approach.
With that, I’ll just leave a tweetstorm from the Cato Institute’s Julian Sanchez to wrap up my thoughts.