Wednesday, April 13, 2016

4 Things You Need To Know About New Bill Requiring Weak Encryption On Devices

A week after it was first reported that Senators Dianne Feinstein (CA) and Richard Burr (NC) were prepping a bipartisan bill that would compel tech companies to build their devices and software with weakened encryption or built-in backdoors for law enforcement, the actual bill has been introduced. Here’s what you need to know about why consumer and privacy advocates are concerned.

The Compliance with Court Orders Act of 2016 [PDF] states that “to uphold both the rule of law and protect the interests and security of the United States, all persons receiving an authorized judicial order for information or data must provide, in a timely manner, responsive, intelligible information or data, or appropriate technical assistance to obtain such information or data.”

What does that mean exactly, and what are the implications?

1. It’s An Attempt To Update & Strengthen A 227-Year-Old Law

Way back in 1789, Congress passed the All Writs Act, which allows a judge to compel a person or group to assist in the enforcement of a court order — but only if that assistance is both necessary and “agreeable to the usages and principles of law.”

Law enforcement has long used the All Writs Act to nudge private businesses to aid in an investigation. In fact, the government has used this law more than 60 times in recent years to compel Apple and Google to help with unlocking smartphones and other tasks.

And since the companies had easy ways to comply with these court orders, they did.

But in 2014, both Apple and Google updated their mobile device operating systems so that not even the makers of the software had a way around the encryption. Thus, when a newer iPhone or Android device is locked, only the user can unlock it without having to reset it and lose the stored data.

This is what caused the recent very public spat between Apple and the FBI, which was trying to unlock an iPhone that had belonged to one of the terrorists who killed 14 people on Dec. 2, 2015 in San Bernardino, CA.

Apple has no built-in work-around for its own encryption, but the FBI used the All Writs Act to try to compel them to figure out a way to do so. Apple argued that the relatively ancient law doesn’t require companies to go to such lengths and that this would just be the thin edge of the wedge, setting a precedent whereby Apple would — as additional court-ordered demands for assistance pile up — either need to permanently weaken its encryption or constantly be trying to poke holes in the walls its own employees built.

The bill from Feinstein and Burr would, if passed, make Apple’s argument moot. The company would have no choice — comply with the court order in a timely manner or violate the law.

2. Unbreakable Encryption Could Be Against The Law

The language of the proposed bill makes it clear that if the company’s encryption is the reason that the sought-after data is unintelligible, then it’s the company’s responsibility to make it intelligible.

Thus, if a company were to make an unbreakable form of encryption — or one that it lacks the ability to break — they would not be able to comply with the law.

This means that tech companies have no incentive — and may even be dis-incentivized — to create world-class encryption.

“This legislation would effectively prohibit Americans from protecting themselves as much as possible,” says Sen. Ron Wyden (OR). “It would outlaw the strongest types of encryption and undermine the foundation of cybersecurity for millions of Americans.”

3. Tech Companies Would Be Forced To Release Poorly Secured Products

While the proposed legislation says that it is not forcing companies to adopt “any specific design or operating system,” it ultimately has the effect of requiring that tech companies include a backdoor to their encryption so it can be decrypted whenever a court order pops up.

Sens. Burr and Feinstein say they believe that data encryption is important, but critics of the bill point out that encryption with a backdoor is like a submarine with a leaky window.

“Data is either encrypted or it is not, and the technical assistance that this legislation mandates is not feasible nor is it in the country’s best interest,” says Jake Ward, CEO of the Application Developers Alliance. “Despite the Act’s Design Limitation provision, these requirements would compel companies and developers to create a specific design or operating system with inherent security flaws.”

4. Weak Encryption Puts All Our Information At Risk

While much of the discussion regarding encryption has centered on criminals and terrorists, with some proponents of backdoors wondering what everyday law-abiding citizens are so eager to keep private, giving hackers a built-in entry point puts us all at risk.

A hacker might not be able to crack the encryption on an online retailer’s credit card database, but if he knows that an employee at that retailer has a hackable phone, that could be the beginning of a path leading to yet another big data breach. One of the largest breaches in history — the 2013 holiday shopping season attack on Target — was achieved by attacking the retailer through one of its air-conditioning vendors.

In a letter sent earlier this week to President Obama, dozens of privacy advocates — including the Electronic Frontier Foundation, the PEN American Center, and the American Library Association — argue that government-mandated weakened encryption would hurt many and provide few, if any, benefits.

“It is beyond dispute that this bill would threaten the safety of billions of internet users, including journalists, activists, and ordinary people exercising their right to free expression, as well as critical infrastructure systems and government databases,” reads the letter. “However, it would likely do very little to assist in investigations of crime or terrorism, since those who engage in illegal activities will have access to other means to protect their own devices and communications.”

Sen. Wyden echoes that sentiment, saying, “This flawed bill would leave Americans more vulnerable to stalkers, identity thieves, foreign hackers and criminals. And yet it will not make us safer from terrorists or other threats. Bad actors will continue to have access to encryption, from hundreds of sources overseas.”

Congressman Jerry McNerney (CA) argues that, far from helping the government fight crime and terrorism, requiring backdoors could encourage that sort of activity.

“Such a mandate, if enforced, could introduce vulnerabilities into our national security, making it easier for criminals, terrorists, and other bad actors to gain access to secure information,” says the congressman. “Our national security would be best served by an expert-level policy debate on how to ensure that law enforcement has access to necessary information without weakening our security or individual liberties.”


by Chris Morran via Consumerist
