Stanford CIS

Here’s What the Burr-Feinstein Anti-Crypto Bill Gets Wrong

By Riana Pfefferkorn on

The latest Crypto War is being fought on multiple fronts: behind closed doors, in the courts, and now in Congress. On April 13, Sens. Richard Burr (R-NC) and Dianne Feinstein (D-Calif.), leaders of the Senate Intelligence Committee, officially released a discussion draft of the anti-encryption bill they had been promising since last December. Called the Compliance with Court Orders Act of 2016 (CCOA), the result of four-plus months of work is a misguided, dangerous, and technologically tone-deaf piece of legislation that would create far more problems than it could possibly solve. This post will summarize the bill, then discuss some of the copious problems it poses.

What the Bill Says

What does the CCOA require? Upon receipt of a court order or warrant for “information or data” sought by a federal, state, local, or tribal government in specific types of investigations or prosecutions, the CCOA requires covered entities to give the government the information or data in an “intelligible” (i.e., unencrypted) format, or to provide any “necessary” technical assistance to render it intelligible. The CCOA only kicks in if the data is “unintelligible” (i.e., encrypted) due to “a feature, product, or service” that is “owned, controlled, created, or provided” by the entity (or by a third party on its behalf). The bill says that no government officer can dictate or prohibit specific design requirements to comply with the law.

Who is covered? “Covered entities” include device manufacturers, software manufacturers, providers of wire or electronic communications services (ECS) or remote computing services (RCS), and “any person who provides a product or method to facilitate a communication or the processing or storage of data.” If a covered entity licenses its products, services, applications, or software, any ECS or RCS provider that “distributes” the licenses must ensure they can comply with the law’s requirements.

What must be provided? “Information” is not defined, but “data” is defined to include the contents of communications, identifying information about communications and the parties to them (i.e., metadata), information stored remotely or on a device made by a covered entity, and information identifying a specific device. The bill also indicates that covered entities must provide “technical assistance” to “isolat[e]” the information or data, decrypt it (if it was encrypted by the covered entity or a third party acting on its behalf), and deliver the information or data as it’s transmitted or expeditiously (if it’s stored “by a covered entity or on a device”).

Which court orders qualify? The official discussion draft narrowed the very broad definition of “court order” contained in an earlier leaked draft to orders or warrants issued by a “court of competent jurisdiction” in investigations or prosecutions of certain enumerated types of offenses. Those include violent crimes, serious drug crimes, federal crimes against children, espionage, and terrorism, as well as their state-law equivalents.

Where the Bill Goes Wrong

In short, the bill prohibits covered entities from designing encryption and other security features so that encrypted data is accessible only to the user, and to neither law enforcement nor the entity itself. This is what I would call “effective encryption,” but law enforcement derisively calls “warrant-proof” encryption. If you’ve been following the encryption debate over the past year and a half, you’ll recognize instantly that this bill is not the innocuous public safety measure that its name implies or that its sponsors would have the public think.

They aren’t fooling anyone (or at least anyone who’s been paying attention). The White House has refused to endorse the bill. Other members of Congress have condemned it, including Rep. Darrell Issa (R-Calif.) and Sen. Ron Wyden (D-Ore.), who has promised to filibuster the bill if it reaches the Senate floor. Perhaps sensing an uphill battle ahead, Burr and Feinstein scheduled an April 13 staff briefing (not an actual hearing) about the “going dark” issue with a lineup composed entirely of police and prosecutors. Not a single cryptographer or security expert, no one from civil society, no industry representatives for entities that would be subject to the bill.

Read the full post at Just Security.