Rietta: Web Apps Where Security Matters
You are reading The Rietta Blog, a publication about the web since 2005.

U.S. Senate Bill Seeks to Ban Effective Encryption, Making Security Illegal


The anticipated Feinstein-Burr Compliance with Court Orders Act, an anti-security bill, would require the provision of data in an intelligible format to a government pursuant to a court order (scribd.com). A draft copy was uploaded by The Hill reporter Cory Bennett, though whether it has been submitted officially within the Senate is not yet clear (vice.com).

This bill essentially says you can not have any conversation or data exchange that the government can not access if it wants to. It is the legal culmination of what the FBI has been lobbying Congress for years. If Feinstein-Burr becomes law, it will be illegal to deploy strong encryption without key escrow maintained by each company. Cryptographers and computer scientists near-unanimously assert key backup systems are insecure at scale.

The first read of the bill is chilling. Strong cryptography within the United States would effectively be banned, preventing U.S. companies from building secure software. These companies would be mandated to provide real technical assistance. Unlike the best effort of today, they would be required to give plain-text data in its original format or risk penalties for violating the law.

Specifically, any U.S company would be required to maintain the ability, through unspecified means, to retrieve the plain-text from any data “made unintelligible by a feature, product, or service owned, controlled, created, or provided by the [company].” And the company would then be required to turn over such data in real-time “concurrently with its transmission” or “expeditiously, if stored by the [company] or on a device.”

This would appear to mean that any U.S. organization involved in the design and programming of software, the packing of the software, the creation of any device that runs such software, and any service provider who sells such device and software to connect to their network would all be required by law to decrypt your data on short notice and provide it real-time to the government.

This is far, far more insidious than going after unlocking an iPhone. If this becomes law, the mere existence of the means to be able to decrypt your data can be potentially exploited by any private party, not just the U.S. government. Unnecessary liabilities for data breaches will now be required for every company dealing with data digitally, no matter how private. This mandates the creation of back-doors without prescribing the exact nature of those back-doors.

Let that sink in.

Social media discussion

There is also a good discussion over on the Technology Subreddit (reddit.com).

Another good discussion was in the Hacker News comments section of the Hill article that broke this story Senate encryption bill draft mandates ‘technical assistance’ (news.ycombinator.com).

About Frank Rietta

Frank Rietta's photo

Frank Rietta is a web application security consultant, software developer, author, and speaker. He is a computer scientist with a Masters in Information Security from the College of Computing at the Georgia Institute of Technology. He teaches about security topics and is a contributor to the security chapter of the 7th edition of the "Fundamentals of Database Systems" textbook published by Addison-Wesley.