A much-anticipated Senate bill forcing tech companies to allow court-ordered police access to their customers’ data has been greeted with a chorus of complaint from security experts — who see the proposed law as a de facto ban on encryption.
The draft legislation, which is to be introduced by Sens. Richard Burr, R-N.C. and Dianne Feinstein, D-Calif., would compel companies that receive a warrant or other judicial order to give law enforcement all data they ask for in a timely manner and an ‘intelligible format.’ The law goes beyond communication devices, covering any company that makes communication software or provides licensing for such software — and compelling them to comply with court-ordered demands from law enforcement.
The draft law comes after a year-plus-long period of complaint from the FBI and other law enforcement agencies about the phenomenon they’ve dubbed “going dark” — the fear that criminals and terrorists will hide behind encryption to plan their offenses. The recent, inconclusive court showdown between Apple and the FBI over the contents of an iPhone belonging to the San Bernardino gunman renewed interest on Capitol Hill for a legislative response.
The draft does not specify any penalties for companies who refuse to comply with a court order.
Multiple reports say Burr and Feinstein’s office consider the document a draft, with a final version possibly changing before it is introduced to Congress. That did not stop various security and privacy groups from denouncing the bill, referring to it as “disastrous” and “ludicrous” in various releases.
“This bill would not only be surrendering America’s cybersecurity but also its tech economy, as foreign competitors would continue to offer—and bad guys would still be able to easily use!—more secure products and services,” Kevin Bankston, director of New America’s Open Technology Institute, said in a release. “The fact that this lose-lose proposal is coming from the leaders of our Senate’s intelligence committee, when former heads of the NSA, DHS, the CIA and more are all saying that we are more secure with strong encryption than without it, would be embarrassing if it weren’t so frightening.”
“This draft bill contains so many problems and errors it is difficult to imagine that it would be able to achieve support in the U.S. Senate or anywhere else,” said Nathan White, senior legislative manager at Access Now. “One can only hope that the reaction to this draft will spur the bill’s sponsors to learn how digital security actually works.”
Information Technology and Innovation Foundation Vice President Daniel Castro pointed out that if this bill is to become law, a number of services that offer end-to-end encryption would not be able to comply unless they modified their systems — despite the fact the bill doesn’t authorize governments to require design changes.
“While companies should comply with lawful requests, it is simply not possible for a company to do so when the customer controls the only keys used to encrypt the data,’ Castro said.
“In short, this bill sets up a legal paradox that would further muddy the waters about how and when the government can compel the private sector to assist in gaining access to private information.”
Earlier this week, the White House declined to weigh in on the proposed legislation. While President Barack Obama weighed both sides in comments made last month, White House Press Secretary Josh Earnest said he was “skeptical of Congress’ ability to handle such a complicated policy area.”
Read the full text of the draft bill here.