Eimi Harris Society, Culture, and Security

Burr-Feinstein Draft Bill: A Study in Why the Anti-Encryption Approach Will Not Work

The Apple v. FBI case may have been resolved at the end of March when the FBI found a technical loophole into the iPhone without needing Apple’s assistance, but the encryption debate that it brought into the public’s eye is far from over. What was helpful about the Apple v. FBI case was that it forced representatives from both the US government and tech firms to discuss their concerns regarding encryption. When both sides presented their positions, there was a general agreement that there must be a balance between national security and privacy when it comes to access to encryption.

Despite that compromise, the balance was upset by the draft of the Burr-Feinstein encryption bill, which was leaked from the Senate Select Committee on Intelligence on Thursday April 7, 2016. The bill, if passed through Congress, would force technology companies to break into encrypted data when given a court order – a provision that has received serious backlash from both tech firms and other US lawmakers.

In response to the leak, the authors of the bill, Senate Committee on Intelligence Chairman Richard Burr and Vice Chairman Dianne Feinstein released an official draft bill, titled the “Compliance with Court Orders Act of 2016,” online a week later. The bill’s driving theme is that “no one is above the law.” To be fair, the goal of placing everybody under the same rules of law is one that should be merited by lawmakers; especially after the recent Panama Paper leaks, there is an expectation that no one individual is above the law. However, good intentions may not necessarily justify the means to achieving a goal.

While it does not place direct restrictions against the use of encryption, it mandates that entities covered by the bill (an extensive range of technology firms between product producers and service providers) must comply with court orders for data requested for law-enforcement purposes. If the data is encrypted, it must be “decrypted, deciphered, decoded, demodulated, or deobfuscated to its original form” before it complies with the court order.

The bill, even in draft form, has been vocally opposed by figures from both the tech community and a number of US legislators. Technology experts have pointed out a number of problems with the Burr-Feinstein proposal, particularly that the bill implicitly demands the end of encryption (the exact outcome that tech firms wanted to avoid).

As pointed out by the Information Technology Innovation Foundation, while the bill does not explicitly regulate how encryption is designed or employed, the requirement that encrypted data always be accessible completely undermines encryption in general. It means that companies that do not have “backdoors” in encryption have to build them, which many tech firms have already argued will weaken information security and make data more vulnerable to hackers. It essentially outlaws end-to-end encryption (which by nature cannot have backdoors), forcing applications such as WhatsApp and Apple products to revise and weaken their security structures to comply.

By weakening encryption, this legislation could undermine the US’ ability to have access to information even if both government security agencies and tech firms ever agree on a case that finds breaking encryption completely necessary. As Gary Shapiro, president of the Consumer Technology Association, suggested, if American tech firms comply with the the bill and weaken their encryption, consumers seeking full security and privacy can turn to foreign companies for fully encrypted tools. This takes any pertinent information further away from American jurisdiction.

With those possible consequences on the table, it is understandable that technology companies are arguing adamantly against Burr and Feinstein. Tech firms are not the only ones who do not support the bill. The White House has already indicated that it will probably not support the bill. US Senator Ron Wyden, as well as others, has promised to filibuster the bill to prevent it from passing in the Senate, arguing that “this legislation would effectively prohibit Americans from protecting themselves as much as possible. It would outlaw the strongest types of encryption and undermine the foundation of cybersecurity for millions of Americans.”

As much as Burr and Feinstein have individually acknowledged that encryption is important for the protection of US citizens’ data, this bill comes down to anti-encryption. Joseph Lorenzo Hall, chief technologist at the Centre for Democracy and Technology, even went as far as calling the Burr-Feinstein bill as “the most anti-crypto bill of all anti-crypto bills.” But anti-encryption bills are the last thing the encryption debate needs because it is more likely to turn tech firms and civil society on the defensive to protect privacy, rather than the cooperation needed to achieve a national security balance best for everyone.

Interestingly enough, there is another encryption-related bill in development in Congress right now. House Homeland Security Committee Chairman Michael McCaul and Senator Mark Warner are working on a proposal for a 16-person digital security commission that would include  representatives from tech firms, law enforcement and intelligence agencies, and civil liberties advocates. Even Apple has voiced support for a commission to further discussion on encryption.

It important to remember that where people are sensitive about their privacy, a hardline response against one of the most popular security measures is only going to lead to a backlash. There are alternatives to taking hardline stances in encryption, particularly cooperative discussions, and we should seriously consider taking that alternative before attacking encryption at the source.

Eimi Harris
Eimi Harris is a student working towards her undergraduate degree in International Relations and Economics at the University of Toronto. Her main focus in international affairs is cybersecurity, particularly diplomatic relations and normative development in the cybersphere. On the side, she enjoys watching films and is also working towards her Cinema Studies degree.