Draft encryption bill could spell the end of privacy and security as we know it
Apple's battle with the FBI has focused the attention of the technology community on encryption. But while just about all of the big players in the tech world backed Apple's refusal to create a backdoor for the FBI into iOS, Congress has a very different idea about how encryption and governmental access to data should be handled. This is perfectly demonstrated by a new bill.
The draft version of the Compliance with Court Orders Act of 2016 -- penned by Senators Dianne Feinstein and Richard Burr -- would essentially force all US companies to decrypt data they may have encrypted, or to provide backdoors when asked. It's a bill described variously as 'dangerous', 'encryption-weakening', and 'anti-security', and it starts off aggressively in stating that "no person or entity is above the law". In effect, it renders the encryption put in place by the likes of WhatsApp completely pointless as, if the bill is passed, companies would have to decrypt data on demand.
Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology, says that "it's effectively the most anti-crypto bill of all anti-crypto bills" and that it "basically outlaws end-to-end encryption". What is particularly concerning about the bill is that it would force companies to comply with data requests from any court in the country. The draft says:
Notwithstanding any other provision of law and except as provided in paragraph (2) a covered entity that receives a court order from a government for information or data shall --
(A) provide such information or data to such government in an intelligible format; or
(B) provide such technical assistance as is necessary to obtain such information or data in an intelligible format or to achieve the purpose of the court order.
The mention of encryption comes when the bill says:
A covered entity that receives a court order referred to in paragraph (1) (A) shall be responsible for providing data in an intelligible format if such data has been made unintelligible by a feature, product, or service owned, controlled, created, or provided, by the covered entity or by a third party on behalf of the covered entity.
In other words, if the government wants to gain access to data that is encrypted, the company responsible for the hardware or software must either decrypt the data and hand it over, or help with the decryption process. It renders encryption and security -- and, by extension, privacy -- pointless.
The Information Technology and Innovation Foundation (ITIF) argues that the government should be looking to strengthen, not weaken, cybersecurity, saying that "insisting that the government always have a means to decrypt private data would limit innovation in cybersecurity".
This legislation places an unqualified demand on companies to decrypt their customers’ data upon receiving a court order from law enforcement. While companies should comply with lawful requests, it is simply not possible for a company to do so when the customer controls the only keys used to encrypt the data. For example, the popular messaging app WhatsApp, which provides end-to-end encryption on its platform, would not be able to comply with the legislation, unless it modified its system. Yet, the bill explicitly states that it is not authorizing the government to require or prohibit any specific design changes to software or hardware. In short, this bill sets up a legal paradox that would further muddy the waters about how and when the government can compel the private sector to assist in gaining access to private information.
The draft bill is incredibly one-sided, leaving no wriggle room whatsoever for companies or individuals to appeal against data requests. In its current form, once data has been requested, it is as good as belonging to the government.
Amnesty International argues that encryption is a human rights issue:
In the digital age, access to and use of encryption is an enabler of the right to privacy. Because encryption can protect communications from spying, it can help people share their opinion with others without reprisals, access information on the web and organize with others against injustice. Encryption is therefore also an enabler of the rights to freedom of expression, information and opinion, and also has an impact on the rights to freedom of peaceful assembly, association and other human rights. Encryption is a particularly critical tool for human rights defenders, activists and journalists, all of whom rely on it with increasing frequency to protect their security and that of others against unlawful surveillance.
It's hard to argue with the human rights group's stance, and it's impossible to describe the draft bill as anything other than out of touch and unfit for purpose. It's a serious threat to personal security and privacy, and we can expect to see a huge backlash against it.