A bill that would force companies to decrypt messages and unlock devices if ordered to do so by government court order, surfaced Friday and is rattling security and privacy advocates and IT business leaders. They contend the bill is misguided and will have a detrimental effect on civil liberties and business.
The issue came to head after a draft version of the bill, sponsored by Senate Intelligence Committee Chairman Richard Burr (R., N.C.) and Sen. Dianne Feinstein (D., Calif.), made its way to the internet late Thursday. Called Compliance with Court Orders Act, the bill turns the clock back to the stone ages in regards to digital privacy and security, according to critics.
“It’s crazy. I’m shocked that this bill has gone even gone this far,” said Kim Phan, an attorney with Ballard Spahr, a legal firm specializing in privacy and data security.
“This bill is so far outside the norm. It doesn’t have a chance of passing,” Phan said “Many companies are looking at end-to-end encryption as part of their compliance obligations. So this bill would directly goes against what companies have been moving toward when it comes to data security,” she said.
The nine-page draft bill would require an “entity” that receives a court order from the government to hand over “information or data” in an “intelligible format.” More controversial is a provision that the entity supply “such technical assistance as is necessary to obtain such information or data.”
“The draft reflects an ignorance of everyday computer security practices that safeguard your devices and information from criminals,” said Cindy Cohn, executive director of the Electronic Frontier Foundation in a statement. “Millions of Americans suffer the loss, theft, or compromise of intimate communications, trade secrets, and identities each year. We desperately need more security, not less.”
The draft Compliance with Court Orders Act surfaces just as the encryption debate seems to be reaching its apex. In the FBI’s battle with Apple, the Justice Department had demanded Apple’s assistance in unlocking an iPhone used by San Bernardino shooter Syed Farook. Weeks after the FBI and Apple battle was sidelined by a court order by the government to vacate its case, communications titan WhatsApp stirred the encryption pot introducing end-to-end encryption to its one billion users.
“This bill is a clear threat to everyone’s privacy and security. Instead of heeding the warnings of experts, the senators have written a bill that ignores economic, security, and technical reality,” wrote Neema Singh Guliani, legislative counsel with the American Civil Liberties Union in a statement. “It would force companies to deliberately weaken the security of their products by providing backdoors into the devices and services that everyone relies on.”
The Compliance with Court Orders Act (PDF) also requires companies to supply metadata of the messages along with the message itself. Metadata includes how a message was sent, routing information, addressing, signaling, switching processing, transmitting and other information, according to the draft bill.
The bill would cover device makers, software publishers, electronic communication services, remote computing services or anyone facilitating communication, processing or storing data.
“This basically outlaws end-to-end encryption,” said Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology in a public statement. “It’s effectively the most anti-crypto bill of all anti-crypto bills.”
The Information Technology Industry Council, a trade association representing dozens of high-tech companies such as Apple, EMC, IBM and Samsung, called the bill “misguided.”
“Our ability to constantly innovate and deploy strong security technology is key to protecting not just people’s privacy, but their security – including their physical security,” said Dean Garfield, ITI president and CEO in a prepared statement. “We must constantly innovate to stay at least one step ahead of those who would do us harm. This proposal would actually freeze in place the technology we need for protection, leaving all of us extraordinarily vulnerable.”
As Democrats and Republicans focus more on the November elections, issues such as encryption are not anticipated to picked up by either Congress or the Senate. However, that’s not to say the public debate on encryption won’t intensify. For its part, the White House has urged that law enforcement and tech companies work together to find common ground on this topic.
Last Thursday, President Barack Obama mentioned encryption in the context of the Supreme Court and his nominee Justice Merrick Garland. He said, privacy expectations have changed over the years. For consumers, “they also expect, though, that since their lives are all digitized, that the digital world is safe, which creates a contradictory demand on government — protect me from hackers, protect me from terrorists, protect me from et cetera, et cetera, et cetera, but I don’t want you to know any of your [sic] business and I don’t even want you to have the ability to investigate some of that business when it happens because there’s broader implications and we’re worried about Big Brother.”
He said, issues around encryption are the just the tip of the iceberg when it comes to figuring out privacy and security in the digital age.