A Senate bill that critics say effectively mandates dangerous “backdoors” in commercial encryption has officially been released, five days after a leaked draft drew widespread condemnation from technologists and privacy activists.
The Compliance with Court Orders Act of 2016, co-sponsored by Senate Intelligence Committee chairman Richard Burr (R-N.C.) and ranking member Dianne Feinstein (D-Calif.), requires tech companies to respond to court orders demanding user data by either providing that data in an “intelligible” format or rendering any “technical assistance” necessary to read the data.
As a practical matter, this would force tech companies to design encryption that they can bypass when served with a warrant for user data, essentially outlawing unbreakable, “end-to-end” encryption.
Civil-liberties advocates and Silicon Valley trade groups slammed the bill after a draft version leaked last Friday. The final version is essentially the same, with the only change being a list of crimes that can trigger the bill’s requirements once a warrant for data is issued.
“To clarify, it's an explanation of the applicable crimes for warrants triggering this requirement to assist.” — Eric Geller (@ericgeller), April 13, 2016
“That’s a welcome but relatively meaningless change since companies will still need to be able to comply with whatever of those orders come their way, and distributors won’t be able to license software that can’t comply,” Kevin Bankston, director of New America’s Open Technology Institute, told the Daily Dot via Twitter DM, “so [the] impact of the bill is still pretty much the same: be prepared to decrypt anything and everything.”
Jake Ward, president and CEO of the Application Developers Alliance, said in a statement that “the technical assistance that this legislation mandates is not feasible nor is it in the country’s best interest.”
Bankston said via DM that it was “extremely disappointing to see the senators failing to try to substantially improve the bill even after it was universally panned by security experts, privacy advocates, and the tech industry.”
Sen. Ron Wyden (D-Ore.), one of the upper chamber’s leading privacy advocates, promised to filibuster the bill, which he said would “effectively prohibit Americans from protecting themselves as much as possible.”
“This flawed bill would leave Americans more vulnerable to stalkers, identity thieves, foreign hackers and criminals,” Wyden said in a statement. “And yet it will not make us safer from terrorists or other threats. Bad actors will continue to have access to encryption, from hundreds of sources overseas.”
Burr and Feinstein’s bill marks the latest shift in a decades-long encryption debate.
Senior law-enforcement and intelligence officials have warned for years that unbreakable encryption protects criminals and terrorists and stymies investigations, but Congress and the public generally ignored those warnings until the 2015 terrorist attacks in Paris and San Bernardino, California, raised the specter of homegrown extremism in Western countries.
The San Bernardino attack, and the government’s inability to access the iPhone of one of the shooters, led to a month-long standoff between the Justice Department and Apple that turned encryption into a major news story and accentuated the divide between the law-enforcement and technology communities.
In response to the rising fear of terrorism at home, officials like FBI Director James Comey—who has been warning about the problem he calls “going dark” for nearly two years—intensified their lobbying for legislation to address the use of strong encryption. The White House considered ways to achieve this goal but ultimately backed down from supporting a legislative approach and instead urged Silicon Valley to cooperate voluntarily.
As Comey and other officials agitated against unbreakable encryption, tech firms, security experts, and civil-liberties groups warned that the integrity of cryptographic code is paramount in modern society, and they urged lawmakers not to mandate backdoors.
Opponents of backdoors cited three major concerns: backdoors can be discovered and exploited by increasingly sophisticated hackers; a U.S. backdoor requirement would push people, including terrorists, onto unregulatable foreign platforms; and undermining American encryption would hurt U.S. companies’ economic standing and public image.
Burr acknowledged in a statement that strong encryption was important to protecting Americans’ data but said he did not accept that “those solutions should be above the law.”
Feinstein, too, nodded at encryption’s benefits but emphasized that catching terrorists should be the top priority.
“Today, terrorists and criminals are increasingly using encryption to foil law enforcement efforts, even in the face of a court order,” she said in a statement. “We need strong encryption to protect personal data, but we also need to know when terrorists are plotting to kill Americans.”
The White House reviewed the bill after Feinstein presented a copy to Denis McDonough, President Obama’s chief of staff. A Burr spokeswoman declined to comment on any suggestions the administration made.
Update 1:09pm CT, April 13: Added Kevin Bankston comments.
Update 2:14pm CT, April 13: Added comments from Ron Wyden and the Application Developers Alliance.