
Tech Experts Condemn Proposed Law Targeting Apple, Secure Messaging

"Burr-Feinstein may be the most insane thing I've ever seen seriously offered as a piece of legislation. It is 'do magic' in legalese."

Technologists and policy experts wasted little time bashing soon-to-be-released encryption legislation, a draft of which was published online late Thursday night.

The full text of the Feinstein-Burr encryption backdoor bill is here and it's just as infuriating as you'd expect: https://t.co/4xU5g6xXL3

The preliminary version of the bill aims to resolve what the FBI and the Justice Department have deemed the "going dark" crisis by restricting the types of robust encryption that companies like Apple, Google, and WhatsApp offer to their customers.

Senators Dianne Feinstein and Richard Burr told BuzzFeed News they are still seeking input on the final bill, which will be released soon, and declined to comment on the draft. But in a joint statement they said, "the underlying goal is simple."

"When there's a court order to render technical assistance to law enforcement or provide decrypted information, that court order is carried out. No individual or company is above the law."

So roughly speaking, if you handle communications data and provide encryption, you have to be able to undo that encryption on demand.

The "Compliance with Court Orders Act of 2016" would require any American messaging app or device manufacturer to hand over plain-text communications in response to a judge's order.

The legislation does not propose how companies might work around their own encryption in order to give readable messages to law enforcement; it states only that they must do so.

Burr-Feinstein may be the most insane thing I've ever seen seriously offered as a piece of legislation. It is "do magic" in legalese.

A draft of the proposal states that "a covered entity that receives a court order from a government for information or data shall provide such information or data in an intelligible format."

In the instance that companies can't defeat their own security features, they must "provide such technical assistance as is necessary to obtain such information or data in an intelligible format or to achieve the purpose of the court order."

For businesses that provide the type of strong encryption where only intended recipients can read a message (and where the company itself does not have access to the secure communications) the bill poses an unprecedented challenge. The bill's critics — many of whom have rejected the proposal as unworkable and wrongheaded — say that seems to be precisely the point.

"Let's be really clear: The Feinstein/Burr bill outlaws the technologies that keep your data most secure, and/or require backdoors into them," wrote Kevin Bankston, the director of New America's Open Technology Institute.

"I could spend all night listing the various ways that Feinstein-Burr is flawed and dangerous. But let's just say, 'in every way possible,'" wrote Matt Blaze, a computer science professor at the University of Pennsylvania, who also played a key role in the Clinton-era policy debates around encryption.

For years, law enforcement officials have been warning policymakers of the potential challenges posed by widespread encryption. When speaking to Congress and to the public, FBI Director James Comey has shared his concerns over terrorists and criminals being able to conspire without fear of government eavesdropping.

Comey has been a vocal advocate for altering the types of encryption American companies offer, favoring older security protocols that allow firms to decrypt or recover the data of their customers. However, he has been careful to say that he does not wish to dictate the design specifications for communication services.

"The government doesn't want a backdoor," Comey said in a recent congressional hearing. "The government hopes to get to a place where if a judge issues an order, the company figures out how to supply that information to the judge, and figures out on its own what would be the best way to do that. The government shouldn't be telling people how to operate their systems."

While Feinstein and Burr can count Comey as an ally, along with the Justice Department and state and local police departments, Washington's appetite for controversial encryption legislation in an election year remains uncertain.

What's more, several lawmakers in both parties and in both chambers in Congress have recently committed to studying the encryption debate further, before forming any new, reactionary policies. Beyond that, some members have pledged to oppose any encryption-weakening legislation, including Senator Ron Wyden and Rep. Ted Lieu.

"This legislation says a company can design what they want their back door to look like, but it would definitely require them to build a back door," Sen. Wyden told BuzzFeed News in a statement. "For the first time in America, companies who want to provide their customers with stronger security would not have that choice — they would be required to decide how to weaken their products to make you less safe."

Proponents of robust consumer encryption argue that the technology is vital to national security and to protecting the public from hackers, identity thieves, and sophisticated cyberattacks. Any effort to restrict the security products offered by U.S. companies would also jeopardize their business prospects, they say, as foreign firms would be free to offer superior encryption.

Privacy-minded lawmakers and cryptologists have also emphasized that such proposals would encourage criminals to seek secure messaging from foreign providers, leaving U.S. law enforcement with fewer leads and the American public with more vulnerable technology.

The appearance of the draft legislation comes after a high-profile legal battle between Apple and the FBI. Following the recovery of a locked iPhone used by the man behind the San Bernardino terrorist attack, the U.S. government urged a federal judge to force Apple to design new security-suppressing software that would help FBI technicians access the phone's encrypted data.

The Justice Department eventually called off the legal dispute after the FBI found a way into the device. But the larger battle over encryption and special access for law enforcement remains unresolved. Disagreement over the bill and the legal obligations of technology companies to assist with government surveillance may very well intensify the debate.

Hamza Shaban is a technology policy reporter for BuzzFeed News and is based in Washington, DC.

Contact Hamza Shaban at Hamza.Shaban@buzzfeed.com.
