Skip to main content

Security Experts React Negatively To Burr-Feinstein Anti-Encryption Bill

Sen. Dianne Feinstein, CA

Senators Richard Burr from North Carolina and Dianne Feinstein from California, who are the Republican and Democratic leaders of the Senate Intelligence Committee, have been crafting an anti-encryption bill over the past few months. The bill recently came out in "discussion draft" form. Perhaps not unexpectedly, many security experts are reacting negatively to it.

Compelling Companies, Developers To Decrypt

The gist of the bill, called Compliance with Court Orders Act of 2016, requires “the provision of data in an intelligible format to a government pursuant to a court order, and for other purposes.” It’s not clear what the bill means by “other purposes” here, but it may refer to non-judicial orders, such as National Security Letters, which can be handed to companies by the FBI alone with no judicial oversight.

The bill refers to “covered entities,” which include device manufacturers, software manufacturers, wire or electronic communication service providers, providers of remote computing services, or “any person who provides a product or method to facilitate a communication or the processing or storage of data.”

The last part sounds as if the bill would affect open source developers, as well as companies such as Spideroak or Lastpass, which only store end-to-end encrypted data.

Contradictory Language

The bill contradicts itself somewhat as well, as it also contains language such as:

“Nothing in this act may be construed to authorize any government officer to require or prohibit any specific design or operating system to be adopted by any covered entity.”

Sen. Richard Burr, NC

This part may have been written to refer to a situation such as the one where the FBI intended to compel Apple to create a “GovtOS,” as the company called it. However, it also means that the government shouldn’t be able to ban end-to-end encrypted systems, even if that means the companies won’t be able to assist in decrypting them. The companies should be free to design whatever systems they wish, including end-to-end encrypted ones.

The problem is this is not as clear-cut as the language that says companies must provide the data in an intelligible form to authorities. In practice, the government would likely be successful most of the time in convincing companies and even judges to order the decryption of devices and communications. That’s because it’s likely that not all companies will posses the legal know-how or the willpower to fight the government over some murky language in the bill.

It’s likely that the language of the bill here would change by the time it reaches President Obama, so these confusions may be “fixed.” The President recently said that he wouldn't publicly endorse the bill, but he also didn’t say whether he would veto it or not. He doesn’t have a long record of vetoing bills, so if it passes the House and Senate with a strong majority (even below the 66% veto-proof majority), he would probably sign it.

To make things even more confusing, the bill doesn’t specify any penalties for companies that refuse to follow the orders, although it’s possible that the companies could still be held in contempt of the Court, so this may differ from one judge to another. What this shows is that the bill wasn’t very well-thought out so far, and if you believe the vast majority of security experts, nothing in the bill was.

Security Experts React

Security experts that have been following the “Crypto War II,” as they tend to call it, have come out strongly against the bill, warning about all the dangers to which it would expose Americans.

Matt Blaze, a cryptography and security professor at the University of Pennsylvania, participated in the first Crypto War when he spoke out against the government’s creation of the Clipper Chip. He recently wrote a paper called “Keys Under Doormats” where he talked about why encryption backdoors and master keys are bad. He now also summarized what the bill would mean for U.S. tech companies in a couple of tweets:

Jonathan Zdziarski, iOS forensics and security expert, wrote an entire blog post about why the bill is, as he called it, “a hodgepodge of technical ineptitude combined with pockets of contradiction.”

“Its broad wording allows the government to hold virtually anyone responsible for what a user might do with encryption. A good parallel to this would be holding a vehicle manufacturer responsible for a customer that drives into a crowd. Only it’s much worse: The proposed legislation would allow the tire manufacturer, as well as the scientists who invented the tires, to be held liable as well,” Zdziarski wrote.“Due to the backdooring of encryption that this legislation implies, American electronics will be dangerously unsafe compared to foreign versions of the same product. Diplomats, CEOs, scientists, researchers, politicians, and government employees are just a few of the people whose data will be targeted by foreign governments and hackers both while traveling, but also whenever they’re connected to a network,” he added.

This comment is interesting, because Senator Feinstein was the de facto champion of the “Cyber-Patriot Act” bill called CISA, and the reason she was for it was “cybersecurity.” Yet, the new bill she proposed seems to attack cybersecurity in the U.S. at its core. It’s not clear why the Senator, who was the Senate Intelligence Committee head until 2014, can’t see just how contradictory in their goals the two bills really are.

Matthew Green, cryptography professor at Johns Hopkins University, who recently released a paper on why iMessage’s encryption is fundamentally broken, also criticized the bill for its naivety and broadness:

Kevin Bankston, the Director of Open Technology Institute (OTI), also pointed out on Twitter that the bill could also affect even things it may not have intended to affect, such as forward secrecy in TLS encryption.

Forward secrecy, which is essentially a short-term private key rotation for site traffic encryption, began gaining ground after the Snowden revelations, when big companies used it as protection against government hacking. State-sponsored hackers could eventually break into big companies’ servers and get their encryption keys, which is why it was important to rotate the keys as often as possible.

OTI also released an official statement saying that the bill could enable censorship of secure apps on the web and on mobile platforms as well:

"Not only does this bill undermine our security, it is also a massive Internet censorship bill, demanding that online platforms like Apple’s App Store and the Google Play Store police their platforms to stop the distribution of secure apps. Of course, just as the bill fails to explain how security engineers are supposed to keep our data secure while also making it completely available to the government on request, it also offers no clue as to how online providers are supposed to comprehensively audit and censor every app on the Internet," the statement said.

The Compliance with Court Orders Act of 2016 bill is only a draft so far, but it seems the two co-sponsors, Senators Richard Burr and Dianne Feinstein, haven’t asked too many cryptographers for their opinion on this. The bill may still change after seeing the criticism of many security experts, but its very existence and the idea of compelled decryption on which it is based probably means that the Senators aren’t going to like what they hear from the experts, either.

While the two Senators are trying to pass this anti-encryption bill in the Senate, California (Feinstein's own state) is trying to pass its own state-level anti-encryption bill, as well. The EFF has issued a call to action against it.

Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu. 

Follow us on FacebookGoogle+, RSS, Twitter and YouTube.

  • jimmysmitty
    SO two people who have no idea how invaluable encryption is, nor do they probably even understand what it is really used for call for it to not be used?

    Gotta love politics. People making decisions on things they have no real understanding of.
    Reply
  • harrkev
    Gotta love politics. People making decisions on things they have no real understanding of.

    Isn't this how it works all the time?
    Reply
  • DeadlyDays
    official reads negative article on *insert here" ; official writes bill against it based on poorly written negative article

    How a law is conceived
    Reply
  • jeremy2020
    SO two people who have no idea how invaluable encryption is, nor do they probably even understand what it is really used for call for it to not be used?

    Gotta love politics. People making decisions on things they have no real understanding of.

    How invaluable encryption is? They don't *what* encryption is...what the internet is...what a computer is..
    Reply
  • Jay E
    Feinstein is one of the most ridiculous politicians ever. If you think this is bad. You should see her on gun control.
    Reply
  • tamalero
    SO two people who have no idea how invaluable encryption is, nor do they probably even understand what it is really used for call for it to not be used?

    Gotta love politics. People making decisions on things they have no real understanding of.
    I actually why old hags who have absolutely no knowledge of technology.. are the ones drafting these kind of bills.
    Kinda reminds me of how males who have absolutely no experience in pregnancy or being a woman.. are the ones doing anti women legislation to control women bodies.
    Reply
  • Martell1977
    Feinstein probably thinks "encryption" is a cause for "global warming".

    Saddens me that I live in a state that would elect and reelect such a freak...
    Reply
  • Jr_tolls1
    Diane was born before computers existed, She will kick the bucket soon.
    Reply
  • Virtual_Singularity
    17788131 said:
    SO two people who have no idea how invaluable encryption is, nor do they probably even understand what it is really used for call for it to not be used?

    Gotta love politics. People making decisions on things they have no real understanding of.

    Tragically, they needn't know the least about what they're sponsoring or voting on. It's not their ideas or the will or interests of the people they promote. When it comes to bills like this one, they take their direction from those who quietly lobby on behalf of the moneyed interests which constitute the powers that be.

    Feinstien, Burr, McConnel, McCain, and many others of the senate repubs (dems too) will likely end up co-sponsoring and/or voting for this anti-constitutional abomination. Same as they did when they voted for TPP. The names above are few among many in the senate who are living, breathing examples of what Cicero meant by his quote on treason made so long ago. Same goes for many reps as well, on both sides of the aisle.

    Some may think this bill has a snowball's chance in hell of passing. Many Britons likely thought the same, and yet the sweeping legislation there depriving UK citizens/businesses of any semblance of privacy continues to proceed unabated. The same could happen here in the US. Those who'd like to say they at least did their part to oppose this bill should phone your senators and reps and impress upon them why it or any similar bill in the future should not be passed.
    Reply
  • gggplaya
    Diane was born before computers existed, She will kick the bucket soon.

    I hate feinstein, she's an old hypocritical crow that knows nothing about technology, yet somehow ends up on these committees. She's sponsored other bills without actually knowing how the objects she's against even operate. She's always trying to make a name for herself.
    Reply