The Burr-Feinstein Crypto Bill Would Gut Our Cybersecurity

Publication Type: Other Writing
Publication Date: April 26, 2016

In the name of saving cybersecurity, a new bill before Congress would kill cybersecurity. On April 13, Senators Richard Burr (R-NC) and Dianne Feinstein (D-CA) released an official draft of their long-awaited anti-encryption bill. The sponsors of the “Compliance with Court Orders Act of 2016” (CCOA) call it an innocuous law-and-order measure to ensure that American companies comply with court orders. In truth, it is a technologically tone-deaf and downright dangerous piece of legislation.

The CCOA would apply to device manufacturers, software and app makers, social media companies, cloud storage providers, and many others. When the government obtains a court order or warrant while investigating serious crimes or terrorism, covered entities must either provide the requested information in “intelligible” (that is, unencrypted) form or give law enforcement all technical assistance necessary to render it intelligible. In short, the CCOA requires that covered entities guarantee that law enforcement can access and understand their users’ information.

However appealing this might sound, it is actually an attack on security, something the public needs more of, not less. Strong security, including encryption, is critical for e-commerce, banking, national security, privacy, freedom of expression, protecting intellectual property, and the U.S. tech sector’s global competitiveness. As cryptography experts have repeatedly and consistently explained for over two decades (since the last time the U.S. government threatened strong encryption in the 1990s), we cannot make a “golden key” that only “good guys” with a court order can use to “unlock” encrypted information. Any built-in means for accessing encrypted data can, and will, be used by the bad guys too. That’s why the experts are against it. Yet the Burr-Feinstein bill perpetuates the “golden key” fantasy. In the pursuit of that impossible goal, the bill would effectively ban cornerstone security concepts such as end-to-end encryption, which makes communications readable only by the sender and intended recipient, and perfect forward secrecy, which protects previous encrypted communications even if an encryption key or password is compromised in the future.
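The two properties named above, as an added illustration that is not part of the original article: a toy model of a forward-secret session placed beside the same session with a “golden key” escrow attached. The Diffie-Hellman group, the SHA-256 counter-mode XOR cipher, the sample message and every function name are hypothetical constructions for this example, not code from any real protocol, and the group is far too small for real use.

```python
"""Toy model of forward secrecy versus a "golden key" escrow.

Added illustration, not code from the article. Uses a small Diffie-Hellman
group and a SHA-256 counter-mode XOR "cipher" so that it runs with the
standard library only; none of it is fit for real use.
"""
import hashlib
import os

P = 2**127 - 1   # toy prime modulus (far too small for real Diffie-Hellman)
G = 5            # toy generator


def dh_keypair():
    """Return (private exponent, public value) in the toy group."""
    priv = int.from_bytes(os.urandom(16), "big") % (P - 2) + 1
    return priv, pow(G, priv, P)


def kdf(*secrets):
    """Hash one or more shared secrets into a 32-byte key."""
    material = b"".join(s.to_bytes(16, "big") for s in secrets)
    return hashlib.sha256(b"toy-kdf|" + material).digest()


def xor_stream(key, data):
    """Toy stream cipher: XOR with a SHA-256 counter keystream (symmetric)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def run_session(plaintext, alice_lt_priv, bob_lt_priv, escrow_pub=None):
    """One session between Alice and Bob. Returns only what goes on the wire.

    The session key mixes a static-static DH (so the long-term keys are
    involved) with an ephemeral-ephemeral DH. The ephemeral private values
    exist only inside this function and are discarded when it returns; that
    discarding is what gives forward secrecy.
    """
    a_lt_pub, b_lt_pub = pow(G, alice_lt_priv, P), pow(G, bob_lt_priv, P)
    a_eph_priv, a_eph_pub = dh_keypair()
    b_eph_priv, b_eph_pub = dh_keypair()
    ss = pow(b_lt_pub, alice_lt_priv, P)   # Alice's view; Bob computes the same
    ee = pow(b_eph_pub, a_eph_priv, P)
    assert ss == pow(a_lt_pub, bob_lt_priv, P)
    assert ee == pow(a_eph_pub, b_eph_priv, P)
    session_key = kdf(ss, ee)
    transcript = {"a_eph_pub": a_eph_pub, "b_eph_pub": b_eph_pub,
                  "ct": xor_stream(session_key, plaintext)}
    if escrow_pub is not None:
        # "Golden key" variant: wrap the session key to the escrow public key
        # and ship the wrapper alongside the ciphertext.
        w_priv, w_pub = dh_keypair()
        wrap_key = kdf(pow(escrow_pub, w_priv, P))
        transcript["wrap_pub"] = w_pub
        transcript["wrapped_key"] = xor_stream(wrap_key, session_key)
    return transcript


def retro_decrypt_with_long_term_keys(transcript, alice_lt_priv, bob_lt_priv):
    """Attacker later seizes BOTH long-term private keys plus the archived
    transcript. The static-static secret is computable; the ephemeral one is
    not (it was never stored), so the best key available is the wrong one."""
    ss = pow(pow(G, bob_lt_priv, P), alice_lt_priv, P)
    return xor_stream(kdf(ss), transcript["ct"])


def retro_decrypt_with_escrow_key(transcript, escrow_priv):
    """Whoever holds the escrow private key unwraps the session key from the
    archived transcript and reads the message, however old it is."""
    wrap_key = kdf(pow(transcript["wrap_pub"], escrow_priv, P))
    session_key = xor_stream(wrap_key, transcript["wrapped_key"])
    return xor_stream(session_key, transcript["ct"])


def demo():
    """Run both designs on a constructed sample message and report which
    archived transcript a later key compromise can open."""
    msg = b"meet at 9, bring the files"   # constructed sample message
    alice_lt, _ = dh_keypair()
    bob_lt, _ = dh_keypair()
    escrow_priv, escrow_pub = dh_keypair()
    plain = run_session(msg, alice_lt, bob_lt)
    escrowed = run_session(msg, alice_lt, bob_lt, escrow_pub)
    return {
        "forward_secret_opened": retro_decrypt_with_long_term_keys(plain, alice_lt, bob_lt) == msg,
        "escrowed_opened": retro_decrypt_with_escrow_key(escrowed, escrow_priv) == msg,
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the forward-secret transcript stays unreadable even to someone who later seizes both parties' long-term private keys, because the session key also depended on ephemeral values that no longer exist anywhere. The escrowed transcript falls to whoever holds the escrow key, which is the “golden key” the bill presupposes and also the single key every attacker would target. A real protocol would additionally sign the ephemeral values with the long-term keys to prevent impersonation; that step is omitted here.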

The CCOA is a misguided reaction to law enforcement’s alarmist and unsupported claims that criminal activity is “going dark” due to encryption. Contrary to those claims, this is actually a “golden age for surveillance” where more information about people than ever before is available to law enforcement from smartphones, social networks, cloud storage providers, and text-messaging and email services. Given the plethora of information available to investigators, not to mention eyewitnesses, informants, and video surveillance, taking the risk of making communications information less secure is foolhardy. The CCOA would ban American entities from providing their customers the best data protection they possibly can. You’d think Congress would find better encryption desirable, given Washington’s embarrassing record of security snafus at federal agencies including the Office of Personnel Management, the IRS, and even the FBI, not to mention breaches at Sony or the multiple hospitals that have been subject to ransomware demands.

The punchline to this joke of a bill: The CCOA won’t keep the bad guys from hiding their activities. Even FBI Director James Comey has admitted that sophisticated criminals and terrorists will continue to use encryption that’s impervious to law enforcement, no matter what law the U.S. passes. Reports by security expert Bruce Schneier and New America’s Open Technology Institute found hundreds of effective encryption offerings that are readily available from open-source projects and entities outside the U.S., beyond the CCOA’s jurisdiction. Plus, there are already millions of existing devices, apps, and software programs that employ encryption designs the CCOA seeks to ban. Burr and Feinstein cannot hope to reach all of them.

The only good news about the Burr-Feinstein bill is that it has been given poor odds of passing. The White House has refused to endorse it, and other members of Congress including Rep. Darrell Issa (R-CA) and Sen. Ron Wyden (D-OR) have roundly condemned it. So has Reform Government Surveillance, a coalition of Internet companies. While the April 13 draft is clearly not finished, there is no amount of work that could fix it. Sens. Burr and Feinstein should finally start listening to what the experts have been saying for two decades: There is no golden key.

Cross-posted from Stanford Law School