pogonici - Fotolia

Burr-Feinstein draft bill fuels encryption debate

The encryption debate continues with release of the official draft of Burr-Feinstein 'Compliance with Court Orders Act of 2016' mandating court order compliance.

This week the encryption debate continued with Sens. Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.) releasing their first official draft of their long-awaited encryption bill, titled Compliance with Court Orders Act of 2016. The next step, according to the statement released by both senators, is to "solicit input from the public and key stakeholders before formally introducing the bill."

Earlier versions of the bill have been circulating more or less publicly for some weeks, though an unofficial copy of the bill was published last week, which is quite similar to the draft released this week.

"Providers of communications services and products should protect United States persons' privacy with strong data security while still complying with court orders and other legal requirements," was the keystone message from the draft, which mandates that "covered entities" -- hardware, software and services providers whose products facilitate data communication or storage -- "must provide responsive, intelligible information or data, or appropriate technical assistance to a government pursuant to a court order."

"I have long believed that data is too insecure, and feel strongly that consumers have a right to seek solutions that protect their information -- which involves strong encryption," Burr said. "I do not believe, however, that those solutions should be above the law."

"No entity or individual is above the law," Feinstein said. "The bill we have drafted would simply provide that, if a court of law issues an order to render technical assistance or provide decrypted data, the company or individual would be required to do so. Today, terrorists and criminals are increasingly using encryption to foil law enforcement efforts, even in the face of a court order. We need strong encryption to protect personal data, but we also need to know when terrorists are plotting to kill Americans."

The draft bill provides for payment of reasonable expenses incurred by companies in the course of responding to court orders. As in the previous versions of the draft, penalties were not specified but the newly released draft specifies that orders or warrants by courts be limited to crimes that result in or threaten death or serious injury; foreign intelligence, espionage or terrorism; crimes against minors; serious violent felonies and serious drug crimes -- in both Federal and state cases.

While the White House has not publicly weighed in on the encryption debate in support or opposition of the legislation after reviewing the draft, it was reported to have provided some feedback earlier this month, according to Reuters. And despite wide reports of the lack of support from the Obama administration, officials insisted this week that no decisions had been made to support or oppose the bill, according to The Hill.

Critics remain unconvinced

Despite inclusion of a clause that states: "Nothing in this Act may be construed to authorize any government officer to require or prohibit any specific design or operating system to be adopted by any covered entity," critics pointed to the inconsistency that in order to comply with the law, backdoors would be required to be installed by all hardware, software and services providers whose products depend on encryption.

And there were many critics, including Matt Blaze, associate professor of computer and information science at the University of Pennsylvania, and author of the paper that sank the U.S. government's Clipper Chip key escrow proposal in 1994, who noted that the draft lacks security considerations:

Senator Ron Wyden (D-Ore.), who promised to oppose the bill and to filibuster it if it reached the Senate floor, tweeted:

"The encryption debate is about having more security or having less security," Wyden said about the draft in a statement issued by his office. "This legislation would effectively outlaw Americans from protecting themselves. It would ban the strongest types of encryption and undermine the foundation of cybersecurity for millions of Americans. This flawed bill would leave Americans more vulnerable to stalkers, identity thieves, foreign hackers and criminals. And yet it will not make us safer from terrorists or other threats. Bad actors will continue to have access to encryption, from hundreds of sources overseas. Furthermore, this bill will empower repressive regimes to enact similar laws and crack down on persecuted minorities around the world."

"Legal mandates to weaken encryption, such as the proposed Burr-Feinstein bill, are dangerous and troubling. At a time when consumers, companies, and governments seek stronger cybersecurity and privacy protections, this draft bill pursues the opposite goal," said Harley Geiger, director of public policy at security firm Rapid7 in Boston. The bill, as it stands, would mandate that technology services and products be "inherently insecure" and "surveillance-ready," according to Geiger, "putting the privacy of end users at grave risk and ceding a competitive business advantage to other countries that allow more secure products."

"Not only is the Burr-Feinstein draft unlikely to keep strong encryption out of the hands of well-resourced criminals and terrorists, it fundamentally undermines organizations' ability to protect their trade secrets and customer data from malicious attackers."

In other news

  • The fallout continues from the battle between Apple and the FBI over the San Bernardino shooter's work iPhone this week. First, the FBI's solution for unlocking the iPhone was reportedly purchased from "professional hackers," unnamed sources told The Washington Post this week -- not from Israeli mobile forensic software provider Cellebrite, as had previously been reported, also by unnamed sources. Because they paid a "one-time fee" to the group, the FBI may not know what flaw was exploited and thus be unable to report that flaw to Apple. Meanwhile, with that iPhone unlocked, the FBI so far has been mum on what it contained -- although this week CBS News, quoting a "law enforcement source" reported (on Twitter) that "so far nothing of real significance" had been found on the iPhone unlocked by the FBI.
  • With little fanfare, Juniper Networks announced last week that it had "completed the process of updating ScreenOS, by implementing the same random number generation technology currently employed across our broad portfolio of Junos OS products, and by removing the DUAL_EC_DRBG and the ANSI X9.31 PRNG." The updates are available as part of the ScreenOS 6.3.0r22 software release. The move is in response to reports from last year that a backdoor found in Juniper's firewalls was made possible because it used DUAL_EC, a cryptographic algorithm for random number generation that had reportedly been purposely weakened by the National Security Agency.
  • The number of zero-day vulnerabilities discovered more than doubled in 2015, to 54 from 24 in 2014, Symantec reported this week in its 2016 "Internet Security Threat Report." Threats continue to multiply and expand, as Symantec also reported more than 430 million new, unique, pieces of malware in 2015, up 36% from 2014. The number of personal records reported to have been compromised in 2015 rose by 29%, to 429 million, but Symantec also found that the number of companies "choosing not to report the number of records lost increased by 85%," so the actual number of records lost may be well over half a billion.
  • Dell's cyber security unit SecureWorks said that it expected to raise as much as $157.5 million in an upcoming IPO, Reuters reported this week. SecureWorks could be valued at up to $1.42 billion in the IPO. Dell acquired SecureWorks for $612 million in 2011, and is currently in the middle of a planned acquisition of EMC.

Next Steps

Read about why, with metadata, the FBI has no need to worry about "going dark."

Learn more about how to weigh public safety costs against the benefits of end-to-end encryption.

Find out why EU data protection rules will have widespread effects.

Dig Deeper on Information security laws, investigations and ethics