A leaked draft of an encryption bill proposed by Senate Intelligence Committee leaders Sens. Dianne Feinstein and Richard Burr has been heavily criticized by experts for its technical flaws, contradictions, and potentially dangerous effects.
Several countries around the world have been trying to pass legislation that would force companies to place backdoors in their encryption products so that authorities can access encrypted data during investigations. However, many experts have warned that the task is not as easy as it sounds to a non-technical person, such as the politicians who propose this type of legislation.
Studies have also shown that backdoors would be ineffective given the large number of encryption products currently available. Some governments, such as the one in the Netherlands, appear to have understood that encryption backdoors could be used not only by law enforcement and intelligence agencies, but also by the “bad guys.”
However, Senators Feinstein and Burr have been working on a bill, called the “Compliance with Court Orders Act of 2016,” that would force companies to decrypt the data they handle when presented with a court order.
The leaked draft of the “Compliance with Court Orders Act of 2016” reads:
“A covered entity that receives a court order from a government for information or data shall — (A) provide such information or data to such government in an intelligible format; or (B) provide such technical assistance as is necessary to obtain such information or data in an intelligible format or to achieve the purpose of the court order.
A covered entity that receives a court order referred to in paragraph (1)(A) shall be responsible only for providing data in an intelligible format if such data has been made unintelligible by a feature, product or service owned, controlled, created or provided, by the covered entity or by a third party on behalf of the covered entity.”
The bill would require companies to ensure that the encryption systems they develop or ones provided by a third party for use in their products include backdoors that can be used to read encrypted information.
The draft bill, obtained by The Hill, has not been officially released and the senators say they are still working on finalizing a discussion draft. Reuters reported last week that the release of the draft legislation was close. The news agency also cited sources saying that the White House is declining to offer public support for the encryption bill, despite President Obama’s remarks that law enforcement agencies need the ability to access encrypted data.
Experts criticize the bill
Security and civil liberties experts have always opposed such encryption legislation, but now they have been offered a glimpse into what the U.S. government has been preparing.
“Despite being in a golden age of surveillance, the senators are pushing Congress to destroy fundamental aspects of computer security. We already use encryption every day to protect our devices from criminals, ensure the privacy of our communications, and protect routine online transactions. Forcing companies to undermine their products will stifle the very innovation that built the American tech industry. American innovators and companies will just lose out since foreign companies will still be offering these protections to their users,” the EFF’s Cindy Cohn said.
“We have no doubt that the Intelligence Committee will try to pass this draft out of committee behind closed doors and without any public input. That’s why we urge senators to oppose cosponsoring, or otherwise voting on advancing the measure,” Cohn added.
Cryptography expert Matthew Green said the bill is as “clueless and unworkable” as he expected it to be, noting that it proposes a “naive solution” to a complex issue.
“You don’t need to be a computer scientist or lawyer to see the most likely outcome of that law. Most firms will just avoid using encryption.” — Matthew Green (@matthew_d_green), April 8, 2016
Forensics specialist Jonathan Zdziarski said the bill is very dangerous and called it “a hodgepodge of technical ineptitude combined with pockets of contradiction.”
Zdziarski has been closely following the recent Apple-FBI case and even described some of the techniques that could have been used to hack the San Bernardino shooter’s iPhone. The expert pointed out that while the bill’s authors claim it’s not designed to force companies into changing their products, in reality, there is no way to comply without integrating backdoors into encryption products.
“The absurdity of this bill is beyond words. Due to the technical ineptitude of its authors, combined with a hunger for unconstitutional governmental powers, the end result is a very dangerous document that will weaken the security of America’s technology infrastructure,” Zdziarski noted. “This will affect everything from the iPhone you hold in your pocket to how data is transmitted over the Internet, allowing the government to effectively break all electronic commerce and Internet security.”

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.