PRIVACY

Senators Release “Backdoor” Anti-Encryption Bill

Last week, a leaked draft of the anti-encryption bill drew enormous criticism from the tech world

(Photo Illustration: R. A. Di Ieso)
Apr 08, 2016 at 12:46 PM ET

UPDATE: Feinstein and Burr have finally introduced their draft discussion bill, five days after a former version was leaked. The new version is almost identical.

“Today, terrorists and criminals are increasingly using encryption to foil law enforcement efforts,” Feinstein said in a statement accompanying the draft, adding that “if a court of law issues an order to render technical assistance or provide decrypted data, the company or individual would be required to do so.” Both senators pledged their support to “strong encryption,” despite wide industry consensus that secure encryption is incompatible with so-called backdoors.

In the statement, the senators said they “will now solicit input from the public and key stakeholders before formally introducing the bill into the Senate.” Neither’s office immediately responded to Vocativ’s question of who those stakeholders will be, or if they would specifically seek out Silicon Valley encryption experts.

This story was originally published on April 8, 2016.

A controversial, long-promised bill to keep American companies from providing truly encrypted communications hasn’t actually been introduced yet. But a working version of the bill, revealed late Thursday evening and apparently already abandoned in hopes of writing one with a better chance of becoming law, shed light on its authors’ intent—and enraged experts.

The bill is coauthored by senators Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.). Titled the Compliance with Court Orders Act of 2016, it seeks to force American companies, and perhaps international companies licensed in the United States, to turn over a suspect’s clear data when served with a warrant. That’s a problem when that data is protected with end-to-end encryption, like Apple iMessage or WhatsApp, meaning that by design, even that company doesn’t possess the keys to decrypt that data. This is a problem for some law enforcement proponents, like FBI director James Comey, who fear not being able to get total access to a suspect’s information.

Encryption experts, however, have long pushed back on that idea, stressing that end-to-end encryption is an absolute proposition, and that if companies build so-called “backdoors” to read encrypted communications, those are inherently exploitable by state-sponsored and individual hackers.

The White House, which as a matter of policy doesn’t comment on legislation until it’s formally introduced, reportedly balked at the draft. Feinstein said Thursday that she planned to continue working to make the bill something the White House might find more palatable.

Legal experts who specialize in technology and privacy, however, were willing to talk. “This draft bill contains so many problems and errors that it is difficult to imagine this becoming a bill that could achieve support in the U.S. Senate or anywhere else,” Nathan White, Senior Legislative Manager at Access Now, told Vocativ. “This bill is extraordinarily poorly thought-through and would be ineffective, destructive to U.S. business and an unconstitutional prior restraint on speech,” said Nate Cardozo, a senior staff attorney at the Electronic Frontier Foundation.

“This bill would not only be surrendering America’s cybersecurity but also its tech economy, as foreign competitors would continue to offer—and bad guys would still be able to easily use!—more secure products and services,” said Kevin Bankston, Director of New America’s Open Technology Institute. “I can say without exaggeration that this draft bill is the most ludicrous, dangerous, technically illiterate tech policy proposal of the 21st century so far.”

On Twitter, technologists and encryption experts similarly mocked and criticized the bill.

It wasn’t immediately clear who had leaked the bill. In a statement provided to Vocativ, the two senators stressed it was a work in progress. “We’re still working on finalizing a discussion draft and as a result can’t comment on language in specific versions of the bill,” they said. “However, the underlying goal is simple: when there’s a court order to render technical assistance to law enforcement or provide decrypted information, that court order is carried out. No individual or company is above the law.”

No matter how the language is altered in the next version of the bill, a requirement of backdoors would fundamentally undermine user privacy. “This legislation says a company can design what they want their back door to look like, but it would definitely require them to build a back door,” said Senator Ron Wyden (D-Oreg.), a longtime proponent of online civil liberties. “For the first time in America, companies who want to provide their customers with stronger security would not have that choice—they would be required to decide how to weaken their products to make you less safe.”