Burr-Feinstein Encryption Bill Rankles Tech Community - InformationWeek
IoT
IoT
Government // Cybersecurity
News
4/21/2016
01:05 PM
50%
50%

Burr-Feinstein Encryption Bill Rankles Tech Community

A coalition of tech groups called proposed encryption legislation "well-intentioned but ultimately unworkable," while an op-ed deemed it grounds for the dismissal of Senators Dianne Feinstein and Richard Burr, the bill's sponsors.

iPhone Encryption: 5 Ways It's Changed Over Time
iPhone Encryption: 5 Ways It's Changed Over Time
(Click image for larger view and slideshow.)

Prompted by Apple's refusal to create new software to unlock an encrypted iPhone for the FBI, US Sens. Richard Burr (R-NC) and Dianne Feinstein (D-CA.), chairman and vice chairman, respectively, of the Senate Select Committee on Intelligence, introduced draft legislation April 13 that's receiving pushback of its own.

The bill, titled the "Compliance with Court Orders Act of 2016," would ensure that "everyone must comply with court orders to protect America from criminals and terrorists."

A coalition of technology organizations posted an open letter to Burr and Feinstein April 19, expressing concern about what they call "well-intentioned but ultimately unworkable policies around encryption that would weaken the very defenses we need to protect us from people who want to cause economic and physical harm."

(Image: Heather Dillon/iStockphoto)

(Image: Heather Dillon/iStockphoto)

The organizations included Reform Government Surveillance (RGS), the Computer & Communications Industry Association, the Internet Infrastructure Coalition (I2C) and the Entertainment Software Association. These groups posted the letter to the RGS Tumblr site.

The Burr-Feinstein bill states that requested information must be provided in "intelligible" formats, i.e., "decrypted, deciphered, decoded, demodulated, or deobfuscated to its original form." In order to meet this requirement, wrote the organizations, they would need to make design decisions that would "create opportunities for exploitation by bad actors."

Further, such legislation would simply prompt such bad actors to use technologies made by companies outside of US jurisdiction, "in turn undermining the global competitiveness of the technology industry in the U.S. and resulting in more and more data being stored in other countries," the organizations wrote.

The letter concluded:

We support making sure that law enforcement has the legal authorities … it needs to solve crime, prevent terrorism, and protect the public. However, those things must be carefully balanced to preserve our customers' security and digital information.

Create a culture where technology advances truly empower your business. Attend the Leadership Track at Interop Las Vegas, May 2-6. Register now!

An opinion piece in the Christian Science Monitor April 19 was less careful in its language.

In their column, Sascha Meinrath, the director of X-Lab and the Palmer Chair in Telecommunication at Penn State University, and Sean Vitka, the counsel for Fight for the Future and a fellow with X-Lab, write that the bill is "evidence of a dangerous incompetence in congressional leadership that is undermining America's security."

Further, the pair believe it to be evidence that Burr and Feinstein should be stripped of their positions on the Senate Select Committee on Intelligence, or at least not reappointed.

"To put it plainly, this bill would, for example, empower the 11 members of the Augustine Band of Cahuilla Indians to demand that every corporation be able to decrypt all online information of any kind, on any American, and be delivered to that tribe," Meinrath and Vitka wrote.

They added, "If Burr-Feinstein passes, it guarantees that Americans will have worse encryption than the rest of the world."

Burr and Feinstein, announcing their bill, said the proposal had received the support of New York City Police Commissioner William Bratton, the FBI Agents Association, the National District Attorneys Association, and others.

"I've spent the better part of the last year exploring the challenges associated with criminal and terrorist use of encrypted communications," Burr wrote in an April 18 statement. "Our draft legislation requires entities to provide law enforcement with data in a readable format when served with a court order."

Reynaldo Tariche, president of the FBI Agents Association, wrote in an April 14 letter to Burr and Feinstein, "If your legislation becomes law, individuals and companies will enjoy the privacy protections that have been established and refined under our laws over the course of hundreds of years …"

The encryption conversation was also had by a US House Energy & Commerce Committee hearing April 19, where all parties were respectful and willing, but none could spot a useful middle ground.

Michelle Maisto is a writer, a reader, a plotter, a cook, and a thinker whose career has revolved around food and technology. She has been, among other things, the editor-in-chief of Mobile Enterprise Magazine, a reporter on consumer mobile products and wireless networks for ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Broadway0474
50%
50%
Broadway0474,
User Rank: Ninja
4/24/2016 | 5:00:15 PM
Re: What a shocker!
Heck, isn't Estonia more advanced in cyber security than the us? Little Estonia who needs to protect itself from its bigger malevolent neighbor. The real shame is that there more than enough talent to make the us tops on this space but in public and private --- but don't expect the two worlds to meet in the middle anytime soon now.
WSnorthwest
50%
50%
WSnorthwest,
User Rank: Apprentice
4/22/2016 | 4:29:42 PM
Re: What a shocker!
Exactly! You said what I did in my post, but more concisely. My added point is that the police don't even know technology to begin with, so of what value is their opinion on this? It is indeed them just saying "make my job easier" instead of focusing on the bigger and more important issues of how to properly secure data. I'd rather it be too secure and they have to do some legwork to catch criminals. I work with the police, and they have no concept of technology at all. If they want to make law enforcement more effective, quit shelling out billions of $ in grants to local law enforcement where they buy toys they don't know how to use, when what they need to do is an epic reorganizaiton of how law enforcefment functions. They are still stuck in the early 90s approach of buying whatever product each agency wants or even writing their own over and over again, so that data is not shared and manpower is wasted continually reinventing the wheel.

 

How about they show they can run their operations better before dictating to others?
WSnorthwest
50%
50%
WSnorthwest,
User Rank: Apprentice
4/22/2016 | 4:24:33 PM
Government can't even follow its own rules, but keep legislating more for others.
First of all, spending the "better part of a year" researching to write this bill is a joke. Congressmen don't do their own research, and they don't understand the technology and topics they are dealing with. They need to work with industry groups to write the legislation in the first place - not with government entities.

Secondly, getting an endorsement from NYC police or an association of FBI agents is ridiculous. I have worked for and supported the law enforcement community for the past 9 years, and what I"ve learned is this: they don't believe in security. They don't even follow their own requirements for data that are dicatated by law and by the FBI. Even when they do, they are only audited once every one to two years by state police, and onely once every three years by the FBI, whereas every publicly traded company is mandated by SarbOx to be audited by two different 3rd party entities every year - and to test their DR plans every year as well. Guess what? Law enforcement doesn't have to test DR plans at all. In other words, they are no better equipped to handle another New Orleans-like disaster than they were back then, but they want to dictate to the rest of the world how to do operations and security? They simply are not equipped for it.

Politics is government. Not technology, not business... They simply don't get it. They look at the U.S. like it can dictate so many things based on a land mass border instead of realizing the Internet and technology really have no borders, no walls, no guard at the gate by yourself. In the end, the government wants a key to your door, just like any other intruder, but they don't know how to keep that key safe for you at all, because they don't adequately protect their own doors.

As people have pointed out the obvious over and over: encryption technologies aren't magically created ONLY IN THE U.S. ! Some of the best crypto algorithms and tools are developed outside of the U.S. and are not subject to any of this silly legislation. We really need to get over our self-important behavior or be left behind!

If I was starting a tech company that dealt with security products and technologies, I wouldn't start it here. Maybe Costa Rica.
Banacek
50%
50%
Banacek,
User Rank: Ninja
4/22/2016 | 12:24:54 PM
Finally...
"If your legislation becomes law, individuals and companies will enjoy the privacy protections that have been established and refined under our laws over the course of hundreds of years ..."

Um, you mean we don't have those protections without this law?

And will this law prevent, say, the government from letting out all my personal information to hackers through their OPM incident? Or keep hackers and theives from filing false tax returns in other's names? Or help the citizens in the US in any way other than make them more susceptible to electronic crime against them, but that's made up for all the terrorist plots and criminal activities they will prevent?

BTW, the terrorists in the France shootings last year all used burner phones - this stuff wouldn't help at all. And where's the legislation to ban burner phones, anyway? Or free and anonymous wi-fi? Or even having an open-wifi router? Terrorists could be communicating on-line right now from McDonalds with no way to trace them! This needs to be stopped!
Banacek
50%
50%
Banacek,
User Rank: Ninja
4/22/2016 | 12:18:22 PM
Single-mindedness
"I've spent the better part of the last year exploring the challenges associated with criminal and terrorist use of encrypted communications,"

OK, but how much time have you spent exploring the challenges of keeping people's data safe from neer-do-wells, hackers, and other folks?

How much time did you spend researching and exploring the issues with the OPM breach and the escape of millions of peoples vital and most personal information, which can be used for all sorts of nefarious activities (the least of which is identity theft for monetary gain, the worst of which can be used to take over identities to get jobs or access to information they themselves should not have!).

And when your bill becomes law, and your constituents and US citizens become easier targets for hackers and their ilk to steal our information and use it to disrupt our lives, are you just going to stand there and tell us how it's OK, because the country is 'safer and more secure'?

 
Banacek
100%
0%
Banacek,
User Rank: Ninja
4/22/2016 | 12:11:21 PM
What a shocker!
"Burr and Feinstein, announcing their bill, said the proposal had received the support of New York City Police Commissioner William Bratton, the FBI Agents Association, the National District Attorneys Association, and others."

So, basically, the groups that are the only benefactors of this legislation support it? Wow, I'm shocked. Of course, they would support legislation that said "No encryption is allowed, period" because all it does is help them.

One wonders, however, if any of these organizations will be required to follow these laws too. That is, make sure all their data is easily decryptable when needed. Or would that be a security issue because it would make it easier for the bad guys to break into their devices and networks, so they need to be excluded?
rlee280
50%
50%
rlee280,
User Rank: Apprentice
4/22/2016 | 9:11:38 AM
How to make money without even thinking
How to fund your next campaign:

 

1. Find deep-pocketed companies

2. Propose legislation that the companies find outrageous and intrusive

3. Companies send lobbyists to counteract the legislation and money for your next campaign

4. Become new buddies with the deep-pocketed companies

5. Get re-elected easily with money from new friends

6. Lather, risne, repeat
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
Digital Transformation Myths & Truths
Transformation is on every IT organization's to-do list, but effectively transforming IT means a major shift in technology as well as business models and culture. In this IT Trend Report, we examine some of the misconceptions of digital transformation and look at steps you can take to succeed technically and culturally.
Video
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll