Earlier in the year, we finally got a look at a draft of Feinstein and Burr’s anti-encryption bill. The bill would require any company which provides encryption to be able to unencrypt it if served with a court order. This would require companies to put in backdoors in order to comply. Soon after the draft was revealed, the bill was widely declared dead due to a lack of support within congress. Julian Sanchez, posting at Just Security, reveals that Feinstein and Burr are still working on the bill. Sanchez was able to get access to a more recent draft thanks to an inside source, and he identifies four changes in the bill. The changes to the bill seem to narrow the scope, which will perhaps make it easier to convince legislators to vote in favor of the bill.
In the old draft, a “covered entity” must decrypt data if the encryption was implemented “by a feature, product, or service owned, controlled, created, or provided, by the covered entity or by a third party on behalf of the covered entity.” The revision removes the words “owned,” “created,” and “provided.” This means the law is only aimed at companies which “control” the encryption process.
Sanchez has some speculation as to what this change means. He suggests that encryption systems which are based on a user-generated key are not under the “control” of the entities which made the hardware or software. He believes this bill is targeted primarily at companies like Apple which are working on combining strong encryption with cloud services, so users can access their data across multiple devices while still keeping them private. He argues that such encryption is under the control of the cloud providers.
He believes this change is “politically canny” if his interpretation is correct. It may not draw as much criticism if most forms of encryption commonly in use are not affected, but it would weaken the security of encryption systems which may become more popular in the future. He does admit his analysis may be incorrect, and courts may interpret “control” more broadly than he has.
The second change limits the decryption requirements to investigations by law enforcement. A section was completely removed which authorized decryption orders during investigations relating to “foreign intelligence, espionage, and terrorism.” Sanchez considers this change odd, since the sponsors of the bill are part of the intelligence committee. He speculates about some behind the scenes political considerations which may have led to the change but it’s not entirely clear what the reason for this alteration is.
The third change is in the section which defines “covered entities” which must decrypt data if served with a court order. Critical infrastructure is specifically excluded from being a covered entity. This change may have been brought about by some security expert who convinced Burr and Feinstein that backdoors are a threat to national security, and this change will at least keep critical infrastructure secure. Sanchez expects that this could be a major loophole in the law, since telecommunications systems are typically considered critical infrastructure by the federal government.
The final change seemingly gives an out to companies who are unable to circumvent encryption measures they implemented. In the old draft, “covered entities” had to provide technical assistance to law enforcement to decrypt data. However, this version only requires them to provide “reasonable efforts” to decrypt the data. Courts will have to decide what constitutes “reasonable efforts” but the change does seem to weaken bill to some extent.
Another thing of note is what has stayed the same. In the old draft, digital stores like Google Play would have been required to police their platforms and make sure all the apps are in compliance with this law. According to Sanchez, that section of the law seems to be the same in this newer draft.