Back in May we noted that the ridiculous and terrible anti-encryption bill from Senators Richard Burr and Dianne Feinstein was dead in the water. The bill had all sorts of problems with incredibly broad and vague requirements, but the quick summary was that tech companies would have to figure out a way to backdoor all encryption, because if they received a warrant, they’d be required to decrypt any communication.
Feinstein did not get the message from the last setback. She remains hellbent on criminalizing encryption, and a new draft of the bill has already been leaked. It appears Burr and Feinstein have made four major amendments to the bill.
(1) Narrower scope
The original discussion draft required a “covered entity” to render encrypted data “intelligible” to government agents bearing a court order if the data had been rendered unintelligible “by a feature, product, or service owned, controlled, created, or provided, by the covered entity or by a third party on behalf of the covered entity.” This revision would delete “owned,” “created,” and “provided”—so the primary mandate now applies only to a person or company that “controls” the encryption process.
(2) Limitation to law enforcement
A second change would eliminate section (B) under the bill’s definition of “court order,” which obligated recipients to comply with decryption orders issued for investigations related to “foreign intelligence, espionage, and terrorism.” The bill would then be strictly about law enforcement investigations into a variety of serious crimes, including federal drug crimes and their state equivalents.
(3) Exclusion of critical infrastructure
A new subsection in the definition of the “covered entities” to whom the bill applies would specifically exclude “critical infrastructure,” adopting the definition of that term from 42 USC §5195c.
(4) Limitation on “technical assistance” obligations
The phrase “reasonable efforts” would be added to the definition of the “technical assistance” recipients can be required to provide. The original draft’s obligation to provide whatever technical assistance is needed to isolate requested data, decrypt it, and deliver it to law enforcement would be replaced by an obligation to make “reasonable efforts” to do these things.
Section 4, subsection 12, would read:
(12) TECHNICAL ASSISTANCE.— The term “technical assistance”, with respect to a covered entity that receives a court order pursuant to a provision of law for information or data described in section 3(a)(1), includes reasonable efforts to—
(A) isolate such information or data;
(B) render such information or data in an intelligible format if the information or data has been made unintelligible by a feature, product, or service controlled by the covered entity or by a third party on behalf of the covered entity; and
(C) delivering such information or data—
(i) concurrently with its transmission; or
(ii) expeditiously, if stored by the covered entity or on a device.
The final change about “reasonable efforts” is clearly an attempt to appease the tech companies that spoke out loudly against the bill. It’s definitely better than the “you must decrypt” kind of language in the original, but it’s hardly comforting. Remember, the FBI/DOJ insisted that what it was asking of Apple in the San Bernardino iPhone case was a perfectly “reasonable” effort as well.
The bill attempts to make it illegal to secure your own personal data on your own personal computer, in your own y, even if you are not interacting with any other computers or networks. Essentially this bill hopes to abolish privacy once and for all.
Dozens of nonprofit organizations, companies, and academics sent a joint letter on Monday urging President Obama to take a strong stance against backdoors and oppose legislation that would undermine security.
It is beyond dispute that this bill would threaten the safety of billions of internet users, including journalists, activists, and ordinary people exercising their right to free expression, as well as critical infrastructure systems and government databases. However, it would likely do very little to assist in investigations of crime or terrorism, since those who engage in illegal activities will have access to other means to protect their own devices and communications.