Senators Burr & Feinstein Look To Bring Back Bill To Outlaw Real Encryption
from the apparently-they-didn't-get-the-message dept
Back in May we noted that the ridiculous and terrible anti-encryption bill from Senators Richard Burr and Dianne Feinstein was dead in the water. The bill had all sorts of problems with incredibly broad and vague requirements, but the quick summary was that tech companies would have to figure out a way to backdoor all encryption, because if they received a warrant, they’d be required to decrypt any communication.
Rather than get the message that this was a really, really bad idea, it appears that Burr and Feinstein have just gone back to the drawing board, trying to recraft the bill. Julian Sanchez got his hands on one of a few prospective new drafts that are being floated around and has an analysis of the update. The draft that Sanchez has seen tries to fix some of the problems, but doesn’t really fix the main problems of the bill. As Sanchez points out he sees four major changes in the draft:
(1) Narrower scope
The original discussion draft required a ?covered entity? to render encrypted data ?intelligible? to government agents bearing a court order if the data had been rendered unintelligible ?by a feature, product, or service owned, controlled, created, or provided, by the covered entity or by a third party on behalf of the covered entity.? This revision would delete ?owned,? ?created,? and ?provided??so the primary mandate now applies only to a person or company that ?controls? the encryption process.
(2) Limitation to law enforcement
A second change would eliminate section (B) under the bill?s definition of ?court order,? which obligated recipients to comply with decryption orders issued for investigations related to ?foreign intelligence, espionage, and terrorism.? The bill would then be strictly about law enforcement investigations into a variety of serious crimes, including federal drug crimes and their state equivalents.
(3) Exclusion of critical infrastructure
A new subsection in the definition of the ?covered entities? to whom the bill applies would specifically exclude ?critical infrastructure,? adopting the definition of that term from 42 USC ?5195c.
(4) Limitation on ?technical assistance? obligations
The phrase ?reasonable efforts? would be added to the definition of the ?technical assistance? recipients can be required to provide. The original draft?s obligation to provide whatever technical assistance is needed to isolate requested data, decrypt it, and deliver it to law enforcement would be replaced by an obligation to make ?reasonable efforts? to do these things.
The first change seems like a big deal, but it also is hard to parse out and seems rather meaningless. Changing the requirement from covered entities to those who “control” the encryption? So what. That basically still means backdooring encryption, it just might mean going up a step or two in the ladder. Sanchez reads this as possibly being an attempt to effectively backdoor future types of encryption, less so than what we have today. I won’t repeat his whole argument here — go read it yourself — but as he notes, this might be a way to calm people down to pass this bill:
If this interpretation of idea behind the proposed narrowing is right, it?s particularly politically canny. You declare you?re going to saddle every developer with a backdoor mandate, or break the mechanism everyone?s Web browser uses to make a secure connection, and you can expect a whole lot of pushback from both the tech community and the Internet citizenry. Tell people you?re going to mess with technology their security already depends upon?take away something they have now?and folks get upset. But, thanks to a well-known form of cognitive bias called ?loss aversion,? they get a whole lot less upset if you prevent them from getting a benefit (here, a security improvement) most aren?t yet using. And that will be true even if, in the neverending cybersecurity arms race, it?s an improvement that?s going to be necessary over the long run even to preserve current levels of overall security against increasingly sophisticated attacks.
As for the other changes, saying that this can’t be used for intelligence purposes, but just law enforcement, is also kind of meaningless. The intel community has actually been somewhat opposed to the Burr Feinstein bill anyway — in part because they can already break into lots of encryption. And if this new backdoor is required, then they’ll be able to break into more. The warrants are meaningless to the intel community for the most part, so this “limitation” is no limitation at all.
The final change about “reasonable efforts” is clearly an attempt to appease the tech companies that spoke out loudly against the bill. It’s definitely better than the “you must decrypt” kind of language in the original, but it’s hardly comforting. Remember, the FBI/DOJ insisted that what it was asking of Apple in the San Bernardino iPhone case was a perfectly “reasonable” effort as well.
Either way, this shouldn’t be much of a surprise, but it’s clear that the whole push to outlaw real encryption may have had a setback, but is far from dead.
Filed Under: dianne feinstein, encryption, going dark, richard burr
Comments on “Senators Burr & Feinstein Look To Bring Back Bill To Outlaw Real Encryption”
When does DiFi come up for reelection? We’ve just GOT to agree on someone who can defeat her.
Re: Re:
Given she is from CA, I would think Silicon Valley could find and found someone to trash her in the primaries when she does come up for reelection.
Re: Re: Re:
Under the jungle primary system she could end up facing a Democrat in the general election. They only need to be the top 2 vote getters to get to the general election.
A democrat would stand a much better chance beating her then a republican in the general election, but it would still be a tough fight.
Re: Re:
Diebold?
Re: Re:
I know I’ve never voted for that criminal!!! Once you get a Democrat into office, it’s pretty much impossible to get them out unless they die of old age. Which that may happen in this case also.
Re: Re:
Once you get a Democrat in office, it’s almost impossible to get them out. I’v never once voted for her. Who in the right mind would being the huge Criminal that she is, but in general, the only way to get rid of them is to die of old age. That old hag will be around forever.
Encryption control
It would certainly be up a courts to interpret (potentially badly) but the one ultimately in control of real encryption is the person with the password. Since compelling people to divulge passwords has generally been found to be unconstitutional, I don’t know if this section really accomplishes anything other than more theater and potential litigation ammunition
Re: Encryption control
the US government seems to pride itself on ignoring people’s constitutional rights for the last several decades. So that’s next to no defense for the people.
Easy to get around
The whole thing is stupid. If I have something I want to hide, I would just use a version of the code written before the backdoor was added. If I’m using open source, I can modify the code so the backdoor won’t work. This is harder if I’m using a closed system like a cell phone but it isn’t impossible.
Re: Easy to get around
There’s enough 3rd party open encryption you can install onto phones with no backdoor and not a single thing the U.S. Government can do to change that. 2/3rd of the encryption software made is made outside of the U.S. It’s that way because of the U.S. Government!!!
Any backdoor the U.S. Government demands put in, also means other countries will want that same access and they would have to give it out. It’s American citizen’s that end up being screwed as your phones are hacked inside China, if it does need to be hacked ass the key to get into the phone gets passed around and around, I’m sure it’ll leak at some point someplace.
Garbage in, garbage out. This is the best we have to offer folks, how sad for us.
Re: Re:
nonsense. It’s the best ISRAEL has to offer.
'No' yesterday, 'No' today, and 'No' tomorrow
Any bill that requires backdoors or broken encryption is one that should be voted against, if it’s not killed off before it even reaches the point of a vote.
It doesn’t matter how ‘good’ the language is, you’re still talking about a measure that will cause vastly more problems than could ever solve by deliberately weakening security that millions rely on to keep their personal data safe, and for no other reason than the voyeurs couldn’t be bothered to show the slightest bit of restraint and people and companies are taking steps to protect their privacy.
Encryption is already difficult enough to manage, intentionally crippling it and/or keeping it from being truly secure is nothing less than intentionally putting millions of people at risk, and anyone who suggests doing so deserves to be called out for their incredibly hostile stance towards public safety and security.
definition is key (encryption...key...geddit?)
Please define “controls”. Is the person/entity who makes the encryption software, the person/entity who distributes it, the person/entity who uses encrypts a message with it, the person/entity who transports the message or the person entity who decrypts the message.
Any lawyer could put up an argument to the court that any one of those people/entities in some way ‘controls’ the encryption process.
Play ball then we can talk
Seems like a legislator who conspires with our enemies is a huge threat that should be prevented.
When the legislators supporting encryption backdoors are willing to let the public decrypt and look through all their communications then we can have a conversation.
If they have nothing to hide I’m sure they would have no problem with this request.
Being a hardliner
There are issue where a person must be a hardliner, a fundamentalist, and this one of those issue. Just say no to backdoored / broken crypto. Compromise isn’t possible. Fixed legislative language? Clever legislative language? No it’s actually deceitful legislative language.
The bill is self defeating, unless the intent is to spy on the citizens, while telling terrorists and criminals to look else where to protect their communications.
Something you've forgotten
The US forces companies to add backdoors to their products. Companies that can, flip the US the bird and leave the US taking their business elsewhere.
Poverty ensues.
Re: Something you've forgotten
That is one of the major fears this type of stupidity causes. However, the local “Criminal Class” aka legislature is likely to come up with something equally as stupid.
Daily Flickers
Da fix is in. It is just one big Dog & Pony show for the unwashed. think of a political The Truman Show. The clowns with guns are cutouts for entertainment only. Pass the popcorn and practice your Dodgeball skills.
Security Theater!
If you extinguish the fire that warms a thousand souls, you will ignite a thousand fires.
I know very little about encryption but this is my attempt using nothing but a shell script. I would be interested to see if someone can tell me what it say’s and how long it took them to decrypt it. [it’s not a one time pad]
Opps..
Sorry for the wrap around it looked fine in the preview.
Financial Repercussions
So what happens when the “backdoor” is hacked to our financial institutions, such as Discover Card?
The pro-encryption crowd seems unable to comprehend that the “good” guys need encryption. Technology is a two edged sword. Need to take the “bad” along with the “good”.
Re: Financial Repercussions
Oh you can be sure that important people and companies will be exempt from the requirements, as it would be too risky to deliberately sabotage their security, despite it being completely and utterly safe(promise!) to intentionally cripple the security the peo- I mean citizens use.
These two don’t even have the common courtesy to give you a reach around. I will be sponsoring a bill next month to outlaw senators Burr & Feinstein. Subversives like these are the reason I won’t do business on line.
The tighter you squeeze...
the more will slip through your fingers.
Need a bill to send that foreign agent back to Israel.
What Happens Next.
Right now the talk is of mandatory back doors for OS’s. People can negate those with encryption in their apps. Apps from countries without mandatory back doors, if need be.
Ban those with a new bill, and then what about programming tools? Functions for AES and other encryption standards are built right into the .NET framework. An amateur can implement them with no real understanding of how they work. (I know; I’ve done it.) Presumably frameworks for Mac and Linux have them too. It follows that these frameworks will get their own bill demanding back doors.
The only thing this bill will do is force people and companies to other countries for OS’s, apps and programming tools. Making Ted Cruz’s grandstanding over ICANN’s IANA seem even more silly.
Good luck with that
Good luck “outlawing” Gnugp or PGP and similar. Impossible. Encryption, STRONG encryption, is here to stay.
Re: Good luck with that
Getting rid of encryption entirely simply isn’t possible.
Criminals/terrorists/communists will just ignore the law and use non-crippled encryption, tech savy people will do the same, the goal is to make the majority of people, who don’t fit into those groups, vulnerable. To allow the ‘Grab it all!’ voyeurs to continue on, business as usual grabbing everything they can, and if they’re really lucky maybe finding an actual criminal at some point in the process.
That crippled encryption will result in a massive number of preventable crimes and violations of privacy is just a sacrifice the public(not the politicians of course) will have to make in order to protect the public’s security and privacy.
Put it in a way they can understand it
The issue, as I see it, is that we have lawyers trying to dictate how tech works. This is like trying to pass a law to make Pi equal to 3 or that water runs uphill. Pass all the laws you want, it won’t change de facto situations.
So, the way I would phrase it is “Trying to backdoor encryption is like trying to unring a bell. It’s just not possible.”
A “reasonable efforts” is a great loophole for tech companies. They can make “reasonable efforts” with a super-computer to decrypt a properly encrypted email or hard drive….it just make take a couple THOUSAND YEARS.
Reasonable Effort?
Apple to FBI:
“Sure, we could break the encryption on that message. It’ll be a brute-force attack, take 18 months and it’ll be $6.3Billion dollars in Amazon AWS fees for the compute power. Where should we send the bill?”
FBI: “This is a really important case, this person’s been leaking that the director spits his chewing gum on the sidewalk rather than into bins! We can cover that, send the bill to our head office. We’ll indicate the 150 text messages we want decrypted.”
Apple: “150? The quote we gave was for ONE message decryption.”
Re: Reasonable Effort?
Keep in mind the DOJ argued that forcing Apple to create a modified OS to bypass their own encryption was a ‘reasonable request’, so depending on who gets to decide what is and is not ‘reasonable’ all sorts of demands could get the greenlight. If the FISA ‘court’ got the job for example pretty much anything would be considered ‘reasonable’ to demand from a company, because that lot simply doesn’t have the ability to say ‘no’ on anything of substance.
These two are long overdue for a long rest!
Isn’t it about time these two morons were put ‘out to pasture’??? They’re becoming an embarrassment to rest of the folks up on the ‘hill’!
These two are long overdue for a long rest!
Isn’t it about time these two morons were put ‘out to pasture’??? They’re becoming an embarrassment to the rest of the folks up on the ‘hill’!
Thank you, Senator Burr!
2016 is truly the worst of the elections that I have seen in my lifetime, and our candidate choices embarrass me as a US citizen. There is one exception, however, with respect to my state senator. I am a North Carolina resident, which means that Senator Burr will be on my voting ticket. The only vote that really excites and energizes me this year is voting for whoever has the best chance of sending Burr home. I haven’t heard or looked to see who is running against him, yet, but that doesn’t matter. To fail to see how weakening encryption weakens our national security is to demonstrate a lack of the reasoning skills that should be minimal when making national decisions. I feel much better rolling the dice on an unknown than continuing with such mental incompetence.
i hope this passes
i hope this passes then the usa can get hacked so much you all will realize what kind of idiots you really have running your nation….
just think someone gave me all the fbi honey pots so i can easily get proper proxies ….and guess what boneheaded federal idiots….it wont be me doing nothing cause im not the only one that knows….
FREE TRADE RIGHT….lol
you want capitalism you get it my dearies!!!!!
It would be great if that old hag would just fucking die already.
"Critical Infrastructure"
How about the technology businesses, that if foreign investments and usage dries up, will kill the US technology industry? Isn’t that ‘critical infrastructure’?
Outlaw Real Encryption?!?!
Two issues.
1) How does one mandate “WORLD WIDE” encryption back doors?
Answer, one doesn’t! Won’t happen! Someone will always have a real encryption algorithm up and working. It/they may not be available in the USA, but overseas, open market, open access!
2) When the encryption is broken, and one knows the hacker/cracker crews will put in many sleepless knights to break it, who pays for the thousands of users millions if not billions of dollars needed to be spent on some new “back door” encryption?
I know it will NOT be the original programmer, NOR her company. The GOV. who mandated it now has to pay and big time for the new version and the dissemination of same.
Know-Nothing Nitwits and You!
Senators Burr & Feinstein Look To Bring Back Bill To Outlaw Real Encryption
Lets just Outlaw Burr, Feinstein and all of the other know-nothing-nitwits infesting congress while they preen themselves in front of the cameras and pretend to be serious people.
These idiots are dangerous.