The tension between the FBI and Apple may have subsided, but that doesn’t mean Washington is no longer focusing on encrypted communications. A pair of senators is circulating a draft bill that would require communications providers to maintain a method of giving law enforcement agencies cleartext communications, a requirement that could effectively prevent the use of strong end-to-end encryption.
The bill is sponsored by Sen. Dianne Feinstein and Sen. Richard Burr and says that while communications providers have a responsibility to protect their users’ data with “appropriate data security”, they are not above the law and must “comply with all legal requirements and court orders.” The bill, which reads like a direct response to the Apple-FBI conflict, includes language that would make it necessary for communications providers and software vendors to have the ability to give plaintext data to law enforcement.
“To uphold both the rule of law and protect the interest and security of the United States, all persons receiving an authorized judicial order for information or data must provide, in a timely manner, responsive, intelligible information or data, or appropriate technical assistance to obtain such information or data,” the bill says.
The discussion in Washington and technical circles on the use of encryption and what rights law enforcement has to pressure vendors and providers to turn over encrypted data has shown no signs of abating in the wake of the resolution of the Apple case. Security experts say that the language in the Feinstein-Burr bill will only add fuel to the fire.
“It’s not hard to see why the White House declined to endorse Feinstein-Burr. They took a complex issue, arrived at the most naive solution,” cryptographer Matthew Green of Johns Hopkins University said on Twitter.
“You don’t need to be a computer scientist or lawyer to see the most likely outcome of that law. Most firms will just avoid using encryption.”
Handing over plaintext data is much easier and cheaper if it’s never encrypted to begin with, and that could be the choice facing providers and vendors if such a bill passed. Many of the larger Internet companies have spent the last few years encrypting many of their core services. Google, Yahoo, and other providers have made encrypted email and Web traffic the standard, while Apple and Google have moved to encrypt their mobile phones as well.
The draft bill doesn’t propose any specific penalties for companies that don’t comply, and it also says that the bill shouldn’t be read as preventing companies from using specific technologies.
“Nothing in this Act may be construed to authorize any government officer to require or prohibit any specific design or operating system to be adopted by any covered entity,” the bill, known as the “Compliance with Court Orders Act of 2016”, says.