Late on Friday in the US there was an online leak of a draft version of a US Senate bill known as the Feinstein-Burr bill or, to give it its full title, the Compliance with Court Orders Act of 2016. The bill would allow judges to order technology companies to provide a version of encrypted data in an intelligible format.
The bill dances around the rights of privacy by saying: “the providers of communications services and products (including software) should protect the privacy of United States persons through implementation of appropriate data security and still respect the rule of law and comply with all legal requirements and court orders.” In other words privacy matters until the government wants access to your data.
The US is not the only government going down this line. The current Draft Investigatory Powers Bill going through the UK courts is heading in the same direction. Both countries now see personal and corporate encryption as a threat to military, commercial and judicial intelligence gathering and are making similar noises on how to block or severely limit its effectiveness.
What does intelligible mean?
In the section on definitions the bill defines intelligible as:
- The information or data has never been encrypted, enciphered, encoded, modulated, or obfuscated; or
- The information or data has been encrypted, enciphered, encoded, modulated, or obfuscated and then decrypted, deciphered, decoded, demodulated or deobfuscated to its original form
In short, the bill wants technology companies to deliver information in clear, via the courts, to whomever the courts deems should have access to the data. This latter is interesting because the bill stops short of defining who can request such information. For example it doesn’t say that the data is only available to government agencies such as military, intelligence, FBI, CIA and law enforcement. This means that anyone involved in a court case would be able to ask a judge to order technology companies to decrypt corporate or personal data.
App stores and cloud stores in the cross hairs
It is not just technology companies that have to comply with this act. Section 3 places a requirement on License Distributors saying: “A provider of remote computing service or electronic communication service to the public that distributes licenses for products, services, applications, or software of or by a covered entity shall ensure that any such products, services, applications, or software distributed by such person be capable of complying.”
In other words any app store or cloud provider would have to ensure that any product it offered to customers, where the data was encrypted, could result in the vendor agreeing to decrypt the data. This is a serious and onerous risk for License Distributors especially when they are dealing with companies who are not based inside the US. The US Justice Department came under fire for its use of extraterritoriality when it tried to force Microsoft to hand over data held in Dublin. Here is seems to be looking to make private companies do that same job for it.
The bill is stuffed full of contradictions. For example it states: “Nothing in this Act may be construed to authorize any government officer to require or prohibit any specific design or operating system to be adopted by any covered entity.” It then puts in place a series of options that would, for example, ban end-to-end encryption.
Similarly the requirement for License Distributors to vet applications could reasonably lead to the US government beginning to publish a list of banned applications where vendors won’t weaken encryption. Such a list would pressure companies to drop support and sales for those products.
The bill also places the onus on vendors to ensure protection of privacy and data which is reasonable but then wants that privacy to be circumvented as and when the courts deem appropriate. Having then required them to provide a way to access the data the bill provides no protection whatsoever from class action lawsuits. This could mean that even if the bill is passed into law it could be struck down as forcing companies to fail in their obligations to protect customer data, something which is enshrined in other legislation.
Conflict with other countries and regions
There is little doubt that the provisions in this bill will raise further tensions between the EU and the US. The recent debacle over safe harbor and the replacement agreement which contains only limited additional protection already shows a widening gap between privacy between these two trading blocs. This is not helped by the current secrecy in Europe around the Transatlantic Trade and Investment Partnership which is believed to offer secret courts to US companies where issues such as data privacy are raised.
With the GDPR coming into force soon will the EU be willing to accept that hackers stole personal data because the backdoor used to steal the data was required by the US government? Will the EU support its own technology companies by defending them if they are charged by the US for supplying software to US companies and refusing to decrypt data? There will be a lot of small security start-ups that will want the same protection from Europe as Israel, for example, gives to its security start-ups.
A windfall for cybercriminals and state sponsored hackers
For cybercriminals and state sponsored hacking teams both this bill and its counterpart in the UK will seem like an unexpected windfall. If there is a way for the vendor to decrypt data then it follows that they will be able to find and use it. The emergence of cloud computing is already beginning to take its toll on security protocols and encryption algorithms.
For many years browsers used SHA-1 to protect messages even after it was shown that given enough resources it could be breached. In June all the major browsers will drop support for SHA-1 as the cost of developing a successful practical attack against it has dropped from $700,000 three years ago to between $75,000 and $120,000 today. This has been achieved as the result of cloud computing and it is reasonable to assume that a similar approach is already being undertaken to find holes in many software products today.
Will this law as it currently stands make it on to the US Stature Book? It’s a good question. This is an election year so there is plenty of scope for its authors to do deals with other members of both the US Senate and the US House of Representatives to push it through. The worrying thing for many is that in its current form it is seriously flawed and needs significant thought to improve it.
For those in charge of corporate security there is a clear message here. Your reliance on encryption to protect everything is being undermined by governments. The question is where do you now store your data and how do you protect it from those who are supposed to protect you?