A draft version of a bill on encryption sponsored by Senators Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.) has made its way to the internet, and it’s exactly as bad a proposed law as everyone worried it would be. The suspiciously (but mercifully) brief Compliance with Court Orders Act, as it stands in draft form, is the technological equivalent of requiring all pigs to fly.
“No person or entity is above the law,” it begins, pompously. Appropriate security should be employed in maintaining “the privacy of United States persons,” but companies must also comply with the law.
Fair enough. But what’s the law, exactly?
A covered entity that receives a court order from a government for information or data shall— (A) provide such information or data to such government in an intelligible format; or (B) provide such technical assistance as is necessary to obtain such information or data in an intelligible format or to achieve the purpose of the court order.
In other words, if the court orders you to provide the contents of a phone you made, a conversation on your messaging service, an account on your social network, or basically anything that has been made “unintelligible” using encryption, you are required by law to decrypt that information.
Of course, you may as well write a law requiring all animals to speak, or all stones to bleed: the very foundation of encrypted communication is the deliberate and transparent impossibility of a third party listening in, service providers and manufacturers included. If it can be accessed, it isn’t encrypted. If it can’t be accessed, it isn’t legal. The Venn diagram here is pretty simple.
The only way for an “entity” to comply with CCOA would be to compromise their encryption scheme with a back door or flaw. If they are unable to make any requested data “intelligible,” they would be in violation of this law, and any encrypted service or product worth its salt (and hash) is that way by design.
I don’t envy the difficulties law enforcement suffers in getting at critical information locked away on a phone or laptop. But it is absurd to legislate the impossible. Secrets used to be written on paper; that paper would be burned. No one tried to pass a law requiring people to unburn things.
With luck, CCOA will be laughed off the floor in Washington, but let’s try not to rely on luck.
Update: At least one Representative is taking the draft bill to task. The always outspoken Darrell Issa (R-Calif.) issued a statement calling CCOA “about as flawed and technically-naive as a piece of legislation can get.”
“This legislation would effectively prohibit any company who wants to improve the security of its products from doing so because government’s ability to access our personal and private information is more important than innovation.”
Representative Issa has weighed in on the encryption debate before, criticizing the Justice Department for its heavy-handed tactics.