10 Apr 2016 inSecurity
There’s fortunately been a lot of media coverage of a typically ham-fisted attempt to legislate technology:
- The Senate’s Draft Encryption Bill Is ‘Ludicrous, Dangerous, Technically Illiterate’ | WIRED
- Leak of Senate Encryption Bill Prompts Swift Backlash – Fortune
- Leak of Senate encryption bill prompts swift backlash | Reuters
- Senate’s Attempt at Encryption Bill Would Destroy the Very Idea of Cybersecurity – Hit & Run : Reason.com
For once, it’s not just been technology blogs: Fortune, Reuters, and USA Today are among those covering the legislative failure.
The fact that one of the cosponsors is one of my own Senators (Dianne Feinstein) makes this all the more painful for me. She claims to be a Democrat, but her legislative agenda has shown her to be more of right-wing police-state NSA-apologist than a California liberal. I’m sure it’s no coincidence that her husband has significant holdings in military complex corporations that benefit from her anti-American police-state tactics.
I should mention at this point that, in case it hasn’t been obvious, I’m not a lawyer. I had to consult a dictionary for some of the words in this bill (“ notwithstanding
” is a word that seems to only be used in legislation, and is very important here), but I think my interpretation of their intent is different from many of the blogs, based on the following language:
Nothing in this Act may be construed to authorize any government officer to require or prohibit any specific design or operating system to be adopted by any covered entity.
Now while the current text does seem to require a backdoor in any cryptography, I don’t think that was the intent
. I think the intent
was only to require the provider to turn over plaintext if they were capable of doing so under the current design. Unfortunately, it doesn’t seem they wrote it that way, as is typical when legislators who don’t know what they’re doing, don’t understand technology, and don’t get input try to legislate technology.
I completely agree that we need legislation regarding encryption and searches, but I take a little bit of a different spin from Senator Feinstein. We should have federal legislation prohibiting
lower levels from requiring backdoors, as is being tried in California. Law-abiding citizens shouldn’t have their security weakened (and there’s a general consensus among cryptographers that it’s impossible to create backdoors in cryptography without weakening the general security of the system) because of the fearmongering tactics of law enforcement.
Yes, if a service has access to plaintext and is served with a valid 4th ammendment warrant (not a NSL or a kangaroo court FISA order), I believe they should provide the plaintext. We’ve seen what happens with secret warrants and warrantless searches: both with the NSA scandal, but also with Hoover and McCarthy, the Stasi in Germany, and other over-powerful police services. The founders of this country were clearly aware of the risk when they stated:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
Weakening American-made crypto only weakens America. “Bad guys” will still have access to crypto without backdoors from other countries or from before any legislation, so any legislation to weaken cryptography will only serve to enable unconstitutional mass surveillance, weaken American’s rights, all without improving national security one iota.