since 1999

 

3 minutes estimated reading time.

U.S. Senate Bill Seeks to Ban Effective Encryption, Making Security Illegal

The anticipated Feinstein-Burr Compliance with Court Orders Act, an anti-security bill, would require the provision of data in an intelligible format to a government pursuant to a court order (scribd.com). A draft copy was uploaded by The Hill reporter Cory Bennett, though whether it has been submitted officially within the Senate is not yet clear (vice.com).

This bill essentially says you can not have any conversation or data exchange that the government can not access if it wants to. It is the legal culmination of what the FBI has been lobbying Congress for years. If Feinstein-Burr becomes law, it will be illegal to deploy strong encryption without key escrow maintained by each company. Cryptographers and computer scientists near-unanimously assert key backup systems are insecure at scale.

The first read of the bill is chilling. Strong cryptography within the United States would effectively be banned, preventing U.S. companies from building secure software. These companies would be mandated to provide real technical assistance. Unlike the best effort of today, they would be required to give plain-text data in its original format or risk penalties for violating the law.

Specifically, any U.S company would be required to maintain the ability, through unspecified means, to retrieve the plain-text from any data “made unintelligible by a feature, product, or service owned, controlled, created, or provided by the [company].” And the company would then be required to turn over such data in real-time “concurrently with its transmission” or “expeditiously, if stored by the [company] or on a device.”

This would appear to mean that any U.S. organization involved in the design and programming of software, the packing of the software, the creation of any device that runs such software, and any service provider who sells such device and software to connect to their network would all be required by law to decrypt your data on short notice and provide it real-time to the government.

This is far, far more insidious than going after unlocking an iPhone. If this becomes law, the mere existence of the means to be able to decrypt your data can be potentially exploited by any private party, not just the U.S. government. Unnecessary liabilities for data breaches will now be required for every company dealing with data digitally, no matter how private. This mandates the creation of back-doors without prescribing the exact nature of those back-doors.

Let that sink in.

Social media discussion

There is also a good discussion over on the Technology Subreddit (reddit.com).

Another good discussion was in the Hacker News comments section of the Hill article that broke this story Senate encryption bill draft mandates ‘technical assistance’ (news.ycombinator.com).