UPDATE: This bill is apparently worse than I thought.
The Register says that a petition calling for the bill to be withdrawn has gathered 43,000 signatures in less than 24 hours.
Other comments include that the bill is so poorly written that it would outlaw the NSA’s encryption, unless they add a backdoor to it.
Bruce Schneier says that the bill, as written, would also make lossy compression illegal – as is used in JPEG photos, MP4 movies and many web sites – since it is impossible to recreate the original photos or movies from the compressed data.
Even deleting files on web sites, phones and computers would be illegal, as it would not be possible to recover the deleted data.
Suffice it to say, this bill has more than a few problems.
A draft of the Burr – Feinstein bill was published last night by The Hill. The Wired headline called it “Ludicrous, Dangerous, Technically Illiterate”. Glad Wired is not letting us know how they really feel.
Joseph Lorenzo, chief technologist at the Center for Democracy and Technology, said, “This basically outlaws end-to-end encryption.” He added, “It’s effectively the most anti-crypto bill of all anti-crypto bills.”
Before I elaborate on the bill, let me explain my headline.
U.S. software and hardware vendors sell tens of billions of dollars of product outside the United States. If a non-U.S. customer knows that a Microsoft or Cisco product, say, will have a back door in it that allows an unknown number of people (likely including the Russians and Chinese) to listen in on their conversations, do you think they would buy the U.S. product or a product from another country that does not have those backdoors in it?
I think the answer is pretty clear – many businesses would choose to buy non U.S. products. The sound you hear is money and jobs draining out of the U.S. economy.
Assuming this horrific piece of legislation actually gets through Congress and is signed by the President, which is far from certain, what would likely happen is that those same U.S. companies would open subsidiaries in friendly countries – say Germany, which has been adamantly against crypto backdoors – and the jobs and revenue would move from the U.S. to the German economy. Companies are certainly not going to just give up and cede that market to foreign businesses.
And, of course, hackers and terrorists will get their software and hardware from those same countries, so unless those terrorists are really stupid, we won’t be able to get into their encrypted documents and messages anyway. So what we will have done is destroyed a very important business segment for the U.S. economy, driven jobs out of the U.S. and not really done anything to reduce the risk of terrorism, except from stupid terrorists – which are a pretty low risk anyway.
What the bill does – and it is mercifully short – is say that, in the event of a court order, unintelligible data must be made intelligible. I guess that might outlaw most bills passed by Congress.
It does not say how that should occur; it says that communications firms must make unencrypted data available to law enforcement. In fact, the bill goes further than the All Writs Act by saying that firms must provide “assistance as is necessary”.
Further, it says that license distributors must ensure that all applications, services, products or software they distribute provide the same easy access for law enforcement.
Exactly how Google and Apple, as just two distributors of software, could actually test that the millions of applications distributed on their platforms comply with this law is unclear.
On top of all these problems, there is a huge compliance problem. A recent survey of encryption products found that the majority of products were manufactured outside the United States. Exactly how these two Senators propose to force non U.S. companies to comply with a law that they are not interested in complying with is unclear.
Next, there is the issue of open source. That is software that is not “sold” or even “licensed”. It is just distributed. If this software does not comply with the law, there is no company to go after. The Free Software Foundation could be a co-sponsor of this bill, because it could certainly be a boon for free and open source software.
Then there is the issue of hackers. Does anyone really think that hackers won’t find those back doors?
Finally, it attempts to outlaw math. Since all of the main encryption algorithms are public, it would be RELATIVELY easy for software developers to roll their own encryption. Would these products be bug free? Not likely. Could they be more private than some commercial software? Yes, likely.
This bill has a long way to go before it becomes law. For example, Sen. Ron Wyden has vowed to filibuster the bill if it makes it to committee.
Historically, the tech industry has been effective at getting people’s attention when it comes to these issues and it may do so in this case. It certainly would require many software and hardware manufacturers in the United States and any international manufacturer that wants to legally sell in the United States to modify their software.
I think, if they do, they should be required to put a warning on the product, similar to the Surgeon General’s warning on tobacco products:
This product has been made intentionally non-secure in order to comply with U.S. government law. Use of this product may be hazardous to your privacy.
I guess you can tell which side of the argument I am on.
Information for this post came from Wired.