
Burr-Feinstein draft bill fuels encryption debate

The encryption debate continues with the release of the official draft of the Burr-Feinstein 'Compliance with Court Orders Act of 2016,' which would require companies to comply with court orders for decrypted data or technical assistance.

This week the encryption debate continued with Sens. Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.) releasing their first official draft of their long-awaited encryption bill, titled Compliance with Court Orders Act of 2016. The next step, according to the statement released by both senators, is to "solicit input from the public and key stakeholders before formally introducing the bill."

Earlier versions of the bill had been circulating more or less publicly for some weeks, and an unofficial copy published last week is quite similar to the draft released this week.

"Providers of communications services and products should protect United States persons' privacy with strong data security while still complying with court orders and other legal requirements," was the keystone message from the draft, which mandates that "covered entities" -- hardware, software and services providers whose products facilitate data communication or storage -- "must provide responsive, intelligible information or data, or appropriate technical assistance to a government pursuant to a court order."

"I have long believed that data is too insecure, and feel strongly that consumers have a right to seek solutions that protect their information -- which involves strong encryption," Burr said. "I do not believe, however, that those solutions should be above the law."

"No entity or individual is above the law," Feinstein said. "The bill we have drafted would simply provide that, if a court of law issues an order to render technical assistance or provide decrypted data, the company or individual would be required to do so. Today, terrorists and criminals are increasingly using encryption to foil law enforcement efforts, even in the face of a court order. We need strong encryption to protect personal data, but we also need to know when terrorists are plotting to kill Americans."

The draft bill provides for payment of reasonable expenses incurred by companies in the course of responding to court orders. As in previous versions, the draft does not specify penalties for non-compliance, but the newly released draft does limit qualifying court orders or warrants to crimes that result in or threaten death or serious injury; foreign intelligence, espionage or terrorism; crimes against minors; serious violent felonies; and serious drug crimes, in both federal and state cases.

While the White House has not publicly weighed in for or against the legislation after reviewing the draft, it was reported to have provided some feedback earlier this month, according to Reuters. And despite wide reports of a lack of support from the Obama administration, officials insisted this week that no decision had been made to support or oppose the bill, according to The Hill.

Critics remain unconvinced

Despite inclusion of a clause that states: "Nothing in this Act may be construed to authorize any government officer to require or prohibit any specific design or operating system to be adopted by any covered entity," critics pointed to the inconsistency: to comply with the law, every hardware, software and services provider whose products depend on encryption would effectively have to build a backdoor into those products, since a provider cannot hand over "intelligible" data it has no means of decrypting.

And there were many critics, including Matt Blaze, associate professor of computer and information science at the University of Pennsylvania and author of the 1994 paper that exposed the protocol failure in the U.S. government's Clipper chip key escrow scheme, who noted that the draft lacks any security considerations.

Senator Ron Wyden (D-Ore.), who promised to oppose the bill and to filibuster it if it reached the Senate floor, tweeted his opposition and issued a longer statement through his office:

"The encryption debate is about having more security or having less security," Wyden said about the draft in a statement issued by his office. "This legislation would effectively outlaw Americans from protecting themselves. It would ban the strongest types of encryption and undermine the foundation of cybersecurity for millions of Americans. This flawed bill would leave Americans more vulnerable to stalkers, identity thieves, foreign hackers and criminals. And yet it will not make us safer from terrorists or other threats. Bad actors will continue to have access to encryption, from hundreds of sources overseas. Furthermore, this bill will empower repressive regimes to enact similar laws and crack down on persecuted minorities around the world."

"Legal mandates to weaken encryption, such as the proposed Burr-Feinstein bill, are dangerous and troubling. At a time when consumers, companies, and governments seek stronger cybersecurity and privacy protections, this draft bill pursues the opposite goal," said Harley Geiger, director of public policy at security firm Rapid7 in Boston. The bill, as it stands, would mandate that technology services and products be "inherently insecure" and "surveillance-ready," according to Geiger, "putting the privacy of end users at grave risk and ceding a competitive business advantage to other countries that allow more secure products."

"Not only is the Burr-Feinstein draft unlikely to keep strong encryption out of the hands of well-resourced criminals and terrorists, it fundamentally undermines organizations' ability to protect their trade secrets and customer data from malicious attackers."

In other news

  • The fallout continues from the battle between Apple and the FBI over the San Bernardino shooter's work iPhone this week. First, the FBI's method for unlocking the iPhone was reportedly purchased from "professional hackers," unnamed sources told The Washington Post this week -- not from Israeli mobile forensic software provider Cellebrite, as had previously been reported, also by unnamed sources. Because the FBI paid the group a "one-time fee" for the unlocking method, it may not know what flaw was exploited and so may be unable to report that flaw to Apple. Meanwhile, with that iPhone unlocked, the FBI so far has been mum on what it contained -- although this week CBS News, quoting a "law enforcement source," reported on Twitter that "so far nothing of real significance" had been found on the device.
  • With little fanfare, Juniper Networks announced last week that it had "completed the process of updating ScreenOS, by implementing the same random number generation technology currently employed across our broad portfolio of Junos OS products, and by removing the DUAL_EC_DRBG and the ANSI X9.31 PRNG." The updates are available as part of the ScreenOS 6.3.0r22 software release. The move responds to reports last year that a backdoor found in Juniper's firewalls was made possible because ScreenOS used Dual_EC_DRBG, a random number generator that had reportedly been deliberately weakened by the National Security Agency: whoever knows the hidden relationship between the generator's two curve points can recover its internal state from a short run of output.
  • The number of zero-day vulnerabilities discovered more than doubled in 2015, to 54 from 24 in 2014, Symantec reported this week in its 2016 "Internet Security Threat Report." Threats continue to multiply and expand, as Symantec also reported more than 430 million new, unique pieces of malware in 2015, up 36% from 2014. The number of personal records reported to have been compromised in 2015 rose by 29%, to 429 million, but Symantec also found that the number of companies "choosing not to report the number of records lost increased by 85%," so the actual number of records lost may be well over half a billion.
  • Dell's cybersecurity unit SecureWorks said that it expected to raise as much as $157.5 million in an upcoming IPO, Reuters reported this week. SecureWorks could be valued at up to $1.42 billion in the IPO. Dell acquired SecureWorks for $612 million in 2011, and is currently in the middle of a planned acquisition of EMC.
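The Juniper item above turns on a property of Dual_EC_DRBG that is easy to miss in the news coverage: the generator's output is the x-coordinate of r*Q, and its next state is the x-coordinate of r*P, so anyone who knows a scalar d with P = d*Q can lift one output block back to a curve point, multiply by d, and obtain the next state. The following is an added example written for this article, not Juniper's ScreenOS code or NIST's specification. It builds a toy curve over the prime field F_1019 (parameters and the trapdoor D = 7 are invented here), runs two blocks of a Dual EC-style generator, and lets the trapdoor holder predict the second block from the first. Real Dual EC uses P-256 and truncates 16 bits of each output x-coordinate, so an attacker works through about 2^16 candidate points per block; the toy emits the whole x-coordinate, leaving only the sign of y unknown, and that ambiguity turns out not to matter.

```python
# Toy Dual_EC_DRBG with a trapdoor: whoever knows d with P = d*Q recovers the
# internal state from a single output block. Added example for this article,
# not Juniper's ScreenOS code or the NIST specification; the curve, the
# trapdoor D = 7 and the seed are made up. Real Dual EC runs on P-256 and
# drops 16 bits of each output x-coordinate, so the attacker tries ~2^16
# candidate points per block; here the full x is emitted and only the sign
# of y is unknown.

P_MOD = 1019   # field prime; 1019 % 4 == 3 makes modular sqrt a single pow()
A = 2          # curve y^2 = x^3 + A*x + B over F_p; B is chosen below

def legendre(v):
    """1 for a nonzero square mod P_MOD, P_MOD-1 for a non-square, 0 for 0."""
    return pow(v, (P_MOD - 1) // 2, P_MOD)

def sqrt_mod(v):
    """Square root of a quadratic residue v; valid because P_MOD % 4 == 3."""
    return pow(v, (P_MOD + 1) // 4, P_MOD)

def is_prime(n):
    return n > 1 and all(n % i for i in range(2, int(n ** 0.5) + 1))

def curve_order(b):
    """Naive point count: infinity plus the y solutions for every x."""
    n = 1
    for x in range(P_MOD):
        rhs = (x ** 3 + A * x + b) % P_MOD
        n += 1 if rhs == 0 else (2 if legendre(rhs) == 1 else 0)
    return n

def pick_prime_order_curve():
    """Smallest B giving a non-singular curve of prime order, so every point
    generates the whole group and no scalar falls into a small subgroup."""
    for b in range(1, P_MOD):
        if (4 * A ** 3 + 27 * b * b) % P_MOD == 0:
            continue   # singular cubic, not a group
        n = curve_order(b)
        if is_prime(n):
            return b, n
    raise RuntimeError("no prime-order curve for this A")

B, ORDER = pick_prime_order_curve()

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None   # P + (-P); also covers doubling a point with y == 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    result, addend = None, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result

def find_point():
    """First x whose right-hand side is a square; any point generates the group."""
    for x in range(1, P_MOD):
        rhs = (x ** 3 + A * x + B) % P_MOD
        if legendre(rhs) == 1:
            return (x, sqrt_mod(rhs))
    raise RuntimeError("curve has no points")

def xcoord(pt):
    if pt is None:
        raise ValueError("toy curve hit the point at infinity; use another seed")
    return pt[0]

Q = find_point()
D = 7                 # the trapdoor (assumed): whoever chose Q knows P = D*Q
P_POINT = mul(D, Q)

def dual_ec_step(s):
    """One Dual EC block: r = x(s*P); new state x(r*P); output x(r*Q)."""
    r = xcoord(mul(s, P_POINT))
    return xcoord(mul(r, P_POINT)), xcoord(mul(r, Q))

def attacker_predict(out, d):
    """Recover the next state from one output block: lift out to R = r*Q, then
    x(d*R) = x(r*(d*Q)) = x(r*P), which is the state. The sign of y is unknown
    but irrelevant since x(d*R) == x(d*(-R))."""
    y = sqrt_mod((out ** 3 + A * out + B) % P_MOD)
    s_next = xcoord(mul(d, (out, y)))
    return s_next, dual_ec_step(s_next)[1]

def demo(start_seed=12345):
    """Two blocks from the generator; the trapdoor holder sees only the first
    and predicts the second. Skips rare toy seeds that land on infinity."""
    for seed in range(start_seed, start_seed + 50):
        try:
            s1, out1 = dual_ec_step(seed)
            _, out2 = dual_ec_step(s1)
            s_rec, predicted = attacker_predict(out1, D)
        except ValueError:
            continue
        return {"true_state": s1, "recovered_state": s_rec,
                "actual": out2, "predicted": predicted}
    raise RuntimeError("no usable seed found")

print(demo())
```

Running the block prints a dictionary in which `recovered_state` equals `true_state` and `predicted` equals `actual`: one output block was enough for the trapdoor holder to take over the generator. The defense is not a different scalar but a different Q: if Q is generated verifiably at random (or the algorithm is dropped altogether, as Juniper did), nobody holds d, and the lift-and-multiply step in `attacker_predict` has nothing to work with.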

Next Steps

Read about why, with metadata, the FBI has no need to worry about "going dark."

Learn more about how to weigh public safety costs against the benefits of end-to-end encryption.

Find out why EU data protection rules will have widespread effects.


Join the conversation

7 comments


How can law enforcement agencies adapt to a world where strong encryption is the standard, short of legislating backdoors?
I used to have a very secure garage where all my old records were stored. You know stuff like programs, tax returns, sketches of new ideas, plans for a startup business.... Then I lost the key and no one had a copy. We finally forced the door open, but by then a tiny spark must have set the room ablaze.

If only I'd had some other way to get to my data I'd be a zillionaire today. 
It's always a delicate topic. Granted, we want to keep prying eyes out. The issue becomes, if there is encryption and password protection on our data, what happens if the key master decides to hold it for ransom or leaves the company with no key to their own data. I think there has to be a safeguard of some sort to make the data retrievable.
This is a highly-slippery slope. I'm pretty sure that once the big government spy door is open, we'll regret it. We may not fully understand the ramifications just yet, or even for decades to come, but I'm confident we will regret it. Remember - government grows out of control because we consent to it. Nothing more, nothing less. It's on us.
Yes, government is the big bully on the block, stealing your lunch just because there is little we can do to stop them. If we surveyed the general population on everything the government wanted, I would be very surprised if they could get anything done. We don't get to vote on changes or policies. They just set the rules without asking us and make us follow them blindly. They also change the rules and laws as they see fit to suit their needs.
I suspect law enforcement actors believe being able to scan all communications would let them prevent crimes and apprehend criminals, automatically.

But even if law abiding citizens are willing to submit all their data for scanning, criminals will avoid it.
Tiresome, after a while. No matter what the verbiage, an all-knowing, all-encompassing big brother overseeing and either authorizing or prohibiting every facet of life seems closer than ever. From food to information to self defense to personal standards on marriage we planned on teaching our children - there is no longer any subject for which bb isn't overlord.
