Line by line, how the US anti-encryption bill will kill our privacy, security

In the wake of the FBI's failed fight against Apple, Senators Richard Burr (R-NC) and Dianne Feinstein (D-CA) have introduced a draft bill that would effectively ban strong crypto. The bill would require tech and communications companies to allow law enforcement with a court order to decrypt their customers' data. Last week a …

Silver badge

Re: I don't see how this would be a problem for Apple

And when a court orders them to "render appropriate assistance to decrypt the device", they can send them complete and detailed documentation describing exactly how it was made.

Sounds reasonable.

8
0
Silver badge

Re: I don't see how this would be a problem for Apple

On its face, the draft law requires in Section 3a that a company that provides a device or encryption system "shall" perform certain actions under specified circumstances. How they provide for that (Section 3b) is up to them; the government cannot require a specific implementation (similar to the fact that they did not require a specific implementation in the recent California case). The imperative "shall" does not, on its face, allow for a "covered entity" such as Apple, for example, to evade this by implementing a security system in their product that they cannot, in fact, circumvent; the law, if enacted, will impose a requirement.

The draft does not provide any information about the consequences for a "covered entity" that either will not or cannot comply. I can imagine a fine, possibly quite large, for covered entities that refuse and possibly injunctions shutting down sales of non-compliant products which the covered entity has designed so that it cannot bypass the product security. That would be a sad outcome indeed.

The proposed law still is pretty rough, and does not cover things, such as fraud, money laundering, and other financial crimes that seem fairly obvious. There seems no very good reason, for example, to single out any particular type of crime for this treatment; it ought to be enough for a US or District Attorney to be able to convince a judge to issue a search warrant based on probable cause. (I expect that other types of court order, if included in an enacted version, would be thrown out on the basis of Riley v California, which found a warrant necessary for search of a cell phone, even incident to an arrest).

5
0
Silver badge

Re: I don't see how this would be a problem for Apple

Apple would not be "refusing" to comply, they would be unable to comply. It would be no different than the FBI trying to get Apple to break into a phone that had been damaged by fire, and Apple telling them "it has been destroyed too badly".

The law says the covered entity 'shall' provide certain things, but does not specify that they must design their products to be capable of providing those things. That's a whole different law, and Apple will already be at that point before this law can ever pass - Congress would never pass something so controversial during an election year, and by the time there is a lame duck session in November Apple will have already changed iOS 10 so they cannot comply.

2
0
Silver badge

@P. Lee - passcodes

Passcodes - i.e. 4-digit PINs - are definitely a problem, but you do not have to use them. iOS supports using passwords. You don't need too much entropy before brute force becomes utterly unwieldy - this isn't like password cracking where you can try a rainbow attack using a dictionary of billions of pre-encrypted passwords.

If your password was a single lowercase dictionary word you'd be vulnerable, but if you simply added a couple digits or punctuation marks to it, you'd have enough entropy to be safe as the solution space would be too large for a dictionary attack to be practical given the limitations of being able to enter them (even if you bypassed the delays for wrong passwords and the ten try limit).

1
0
Silver badge

Re: I don't see how this would be a problem for Apple

> They are going to make it so it is impossible to get at the data under any circumstances. ... if presented with an iPhone running iOS 10 that includes the changes that make it impossible for Apple to help, the FBI will get the court order and Apple will say "what you are asking is impossible".

And that's where this law kicks in, such a phone would be illegal - it would be illegal for Apple to make it (or import it), illegal to sell it, and if Apple ever turned round and said "impossible" then that's a complete admission that they broke this new law banning unbreakable crypto.

In fact, their current models would be illegal under this law - and that's the problem.

"Anything" with crypto where TPTB can't be given the decrypted data on demand is basically illegal. So Apple must water down their protection to render it insecure - and so must anyone else making or importing anything in the US.

As pointed out, this would render the USA "out of bounds" for pretty much anything technology related. The current "discussions" regarding Privacy Shield would be moot - it would be illegal to provide proper security of any data held in the US even if the government completely backed down and accepted the principle of privacy.

What would happen is that a good chunk of US technology business would be very quickly offshored. There'd be (sticking with Apple for a moment) a "US iPhone" and a "rest of world" iPhone - the RoW version would have security, the US one wouldn't, and the security software would have to be developed outside of the US. A bit like certain encryption tools had to be developed outside the US to avoid their "encryption is a weapon of mass destruction" laws.

Apple, Microsoft, IBM, Cisco, Juniper, and a long long list of US tech companies would very soon be deciding that the rest of the world was a more important market than the domestic US one !

10
0
Silver badge

Re: I don't see how this would be a problem for Apple

"In fact, their current models would be illegal under this law - and that's the problem."

Then the problem lies with Congress. The Constitution specifically forbids retroactive laws (Article I, Section 9). If an item exists legally, it cannot be made illegal after the fact.

0
0
Silver badge

Show me where

I have seen nothing in the text of the proposed law that makes it illegal to make, sell or import any sort of device based on government access. Only that tech companies have to help the government access them, but it is silent on what happens if the tech company is UNABLE to help.

0
0
Silver badge

Re: I don't see how this would be a problem for Apple

The question might well be whether Apple would be able to sell such equipment in the US. The draft law appears to require that they bypass, or help the government to bypass, security that they provide or have provided on their behalf by another party, given a constitutionally valid warrant or other court order, and maybe a lawful court order for assistance under the proposed act, to do so. One obvious solution to the "cannot bypass" claim would be a "cannot sell" injunction applicable to such equipment in the US.

I am not arguing that this would be good policy, or would not cause great uproar and discontent. However, it is not obviously inconsistent with anything in the Constitution. Moreover, if implemented subject to the same controls that Apple applies to iOS, it would not, in fact, pose any threat that does not now exist to users against whom the government does not obtain authority to breach privacy.

The draft act has numerous problems, but "cannot bypass my built in security" may not be the most serious of them.

0
0
Silver badge

Re: I don't see how this would be a problem for Apple

The prohibition of ex post facto laws probably would be effective exactly until they (for whatever value of "they") offer a new model or an update to the software or firmware of an existing model.

0
0
Silver badge

Re: I don't see how this would be a problem for Apple

There are a few other countries where law enforcement officials would be happy to be able to access data stored on smartphones (France, Belgium, and the UK come to mind rather quickly). It seems possible that these companies find few large markets in which to sell equipment that is immune to government authorized search.

Upvoted anyhow for clarity of analysis, although the bill, if enacted, is certain to differ from what we see now in draft.

0
0
Bronze badge

Re: I don't see how this would be a problem for Apple

If the data on the terrorist's phone was encrypted, there wouldn't be anything that Apple could have done to help the FBI. Damn media outlets don't understand the difference between an encrypted file and a password protected device.

If a "terrorist" wanted to keep data secure, they'd use a third party encryption program if Apple's built in encryption was compromised or thought to be.

0
0
FAIL

Unwanted consequences

I wonder whether these congresspeople ever think their ideas through to the end. If they insist on weakened encryption, this encryption will not only be broken by law enforcement, but by criminals ranging from individual to corporate.

Which would put a stop to most high-value technological development.

Think about it. Boeing and Airbus would know exactly what the other company is developing. The 787 came out before the A350 in part because of industrial espionage by Boeing; with no secure encryption available, this kind of thing would not be a single occurrence but a constant one. So both companies would stop doing any high-risk development out of fear that they invest the billions into R&D only for the other company to file the patents first. You may replace "Airbus" and "Boeing" with the names of any other high-tech duopoly you like, there are quite a few. Think space booster development and defense contractors.

The same goes for scientific progress. In the higher academic circles, he who publishes first gets the Nobel Prize, not necessarily he who did the actual work. So work would get slowed significantly, because top-notch scientists would be unable to use electronic media for communication for their work any longer, lest another team grab the laurels of years of work they didn't do themselves. It has happened before, many times, just so far through negligence letting papers lie around and not by default decreed by law.

Those are only the two most obvious considerations, but I somehow doubt the congresspeople (and the many other legislators the world over demanding encryption be banned outright!) ever thought things through even this far.

14
0
Silver badge

Re: Unwanted consequences

Airbus would be fine - they're European!

Boeing would be utterly screwed.

13
0
Silver badge

Re: Unwanted consequences

US Intelligence has previously been known to pass on Airbus's confidential information on big deals to Boeing. This is known in the EU. So turnabout is fair play, I guess. Even if it's self-inflicted on the US part.

8
0
Silver badge

Re: Unwanted consequences

"I wonder whether these congresspeople ever think their ideas through to the end. If they insist on weakened encryption, this encryption will not only be broken by law enforcement, but by criminals ranging from individual to corporate."

That's not a problem in the minds of the bill's authors. The vendor just has to provide encryption that criminals can't break but they, the vendors, can. How they do that is the vendors' problem: "Nothing in this Act may be construed to authorize any government officer to require or prohibit any specific design ... to be adopted by any covered entity."

1
0
Silver badge

Re: Unwanted consequences

It's almost like they want to wipe out the US high tech sector...

... but life and some exposure to politics on the local level has taught me that human stupidity knows no bounds. It's either that, or they are North Korean sleeper agents. In any case, at least it would lower the rents in the SF area.

3
0
Bronze badge

Re: Unwanted consequences

"I wonder whether these congresspeople ever think their ideas through to the end. If they insist on weakened encryption, this encryption will not only be broken by law enforcement, but by criminals ranging from individual to corporate."

No. They think the keys will be safe in the hands of law enforcement, won't be abused, and won't be cracked independently by hackers or other governments.

After all, they're the good guys, right?

They really are that incredibly stupid and ignorant.

1
1
Silver badge

Re: Unwanted consequences

@stizzleswick

They do think these things through. Most anti-crime legislature in the US these days is geared toward non-criminals. Criminalizing constitutionally held rights all in the name of safety. Criminals don't give a rat's ass about the law, that's why they are criminals... The senators know this. The goal is to remove power of the populace to protect themselves from, and hold accountable the very elected officials that are supposed to be working for the people, not for themselves. Sadly, it is probably horribly and irreversibly corrupted. As a US citizen it sickens me to no end.

3
0
Silver badge

Re: Unwanted consequences

The proposed act, like the court order in the Farook iPhone case, does not require that the government have any keys at all, or even be able to use whatever a vendor devises to comply with the act. It requires that the vendor decrypt or assist the government to do so.

0
0
Facepalm

Re: Unwanted consequences

Weak encryption is no encryption. Will anyone buy anything online again? Will the banks bear all the losses as thieves access bank accounts?

0
0
Anonymous Coward

ORLY?

> "No entity or individual is above the law," said Feinstein

So obviously, the architects of the 2008 financial meltdown are mostly behind bars? The people responsible for fabricating evidence of WMDs in Iraq, and taking half of the western world to war; they had their comeuppance didn't they? And when the CIA realised they'd accidentally provided self-incriminating documents to a Senate Committee, then hacked the senate computers to remove said evidence, they were brought swift justice after Dianne Feinstein herself brought it to light?

33
0
Silver badge

Re: ORLY?

Feinstein's contact page uses HTTPS, I cynically point out...

https://www.feinstein.senate.gov/public/index.cfm/e-mail-me

11
0
Gold badge

Re: ORLY?

Interestingly, the use of encryption in https is not to hide anything, merely to prove that it really is you.

I'm sure it is well understood in these forums that a back-door would not only blow open secrets, it would make it impossible to trust anything. However, I see no wording in this bill about making it possible to impersonate others (perhaps, for the purposes of emptying their bank accounts).

Perhaps the best response to this bill is "Please publish your online banking details.". The idiots will wonder what you are talking about and deny that it is relevant, but if it becomes the stock response to all such requests, perhaps the more curious idiots (like, the ones voting in November) might make further enquiries and enlighten themselves.

7
0
Silver badge

Re: ORLY?

'Perhaps the best response to this bill is "Please publish your online banking details.". The idiots will wonder what you are talking about and deny that it is relevant'

And they'd be right. Because apart from being able to decrypt on demand for law officers the vendor would be required to protect the data from everyone else. The fact that these requirements are mutually impossible is beside the point as far as the authors are concerned.

3
0
Silver badge

Re: ORLY?

"Interestingly, the use of encryption in https is not to hide anything, merely to prove that it really is you"

Wait, what?

I agree that there are two uses for encryption keys and that one of those is to digitally sign data to prove it was written by you, but I'm not sure you understand https as it isn't implemented like that.

The certificate exchange and verification process is to create an encryption key for the data flow between you and the web server. Anyone else looking at that data stream wouldn't know what it contained unless they had the key.

Unless I've totally misunderstood your point :/

6
0
Silver badge

Let's blow past all the ethical reasons why this is ridiculous and even past the reasons why weakening encryption is dangerous.

Instead, let's just focus on the practical, logistical implications for the existing technology companies who would be covered by this.

There are thousands of pieces of existing software, currently running on all manner of hardware, that would need to become compliant with this legislation. All that software would need to be re-written and re-deployed.

That's not quick and it's not free. So, while companies may be compensated (by the tax payer) for the effort required to hand over the data for each request, who pays for them to re-write their software? To delay product launches? Arranging for updating of existing devices? User communication? Support?

And that's before we talk about interoperability and communication between heterogeneous systems - something that's sort of important in the modern, connected world.

How can you have software from different vendors across different hardware communicating without standards? And what standards can exist when each vendor is charged with coming up with their own solution?

So yes, the privacy and security issues are HUGE but even at the simplest level, this legislation is insane.

14
0

In the Land of the Free..

... you can have a gun, but you're not allowed to keep secrets.

17
2
Silver badge

Re: In the Land of the Free..

You are allowed now to keep whatever secrets you wish by default. The government (either federal or state) can get authorization from a judge to access those secrets by obtaining a warrant based on "probable cause, supported by Oath or affirmation." That is included in the Constitution's fourth amendment. The proposed law may be unworkable and it may be bad policy, but nothing in it affects legal rights of citizens or of non-citizens legally present in the US.

3
0
Facepalm

Re: In the Land of the Free..

It's more absurd than that. The politicotards don't get the fact that encryption is just maths, and it's piss easy to roll your own.

So they want to try to ban (or, at least, render ineffective) something that anyone can make for themselves. An act that will also have little effect on the safety of American (or any other) citizens.

Yet fail to do anything to control guns, which most people are incapable of making themselves and which kill over 10,000 Americans every year.

7
0
Silver badge

Re: In the Land of the Free..

You are aware that the guns are incapable of firing themselves?

I just want to be sure you grasp that basic fact...

1
4
(Written by Reg staff)

Re: Re: In the Land of the Free..

Ridiculous. Everyone knows guns themselves murder millions daily while their terrified owners cower in fear, meekly bombing up fresh magazines lest their property turn against them.

8
0
FAIL

Re: In the Land of the Free..

"You are aware that encryption algorithms are incapable of finding terrorist material themselves, eh?"

You are aware that encryption algorithms are incapable of finding terrorist material themselves, eh?

0
0
Silver badge

Re: In the Land of the Free..

"You are aware that the guns are incapable of firing themselves?"

So why does the term "spontaneous discharge" exist, then?

0
0

You have all been bamboozled.

This bill will never become law and they know it. It is really meant to force every rich tech company to open their wallets, not their encryption. This bill will have tech running so scared that they will pour mountains of cash through their lobbyists into congress critters' pockets. Congress, on its part, will equivocate, right up to the final vote, squeezing every last penny they can out of the Googles, Microsofts, Facebooks, etc. of America, before finally, at the last moment, allowing themselves to be convinced that this is a bad bill, then claiming they felt that all along. Everybody will then breathe a deep sigh of relief, and Congress will stash all that windfall cash.

10
0
Anonymous Coward

Re: You have all been bamboozled.

I agree. We're at the point where tech companies are globalised. They don't need government anymore and they chose where to pay tax and how much. Tech companies also command more respect, authority and credibility amongst the population as compared to government institutions and politicians. The recent support for Apple (vs FBI) is evidence of that.

The old way of politics where the Military & Industrial complex pours money into lobbyists and politicians is over.

The ban on encryption is a last ditch attempt at showing tech companies who's boss (or who wants to stay boss).

In recent years technology has had a bigger (positive) impact on my life than politics. It is almost as if politicians are intentionally boring people to death, so they can get on unhindered, with whatever it is they do.

I find the efforts of Elon Musk more inspirational than any politician in the last few decades.

2
0
Silver badge

Re: You have all been bamboozled.

So, basically it's a protection racket?

0
0

This bill ensures that there can never be a safe harbour for EU data on any US server.

When this bill passes, the US ceases to be a part of the internet - no one will allow any of their data to ever reside in the US. I suspect many US citizens will insist their data go offshore as well.

We will have Data Havens popping up in small countries around the world - they will allow strong encryption and deny all access to the data. Data Havens will soon have a value beyond that of Tax Havens. Small islands will have to install nuclear reactors to power the server farms.

This may also mean owning an enigma machine will be illegal.

Science fiction writers are going to have a field day with this.

12
0
Silver badge

Science fiction writers are going to have a field day with this.

FTFY.

4
0
Silver badge

Data havens

They will also have to build up a nuclear deterrent. Just in case.

EDIT

OMG, I could see a business opportunity in this. For North Korea.

0
0
Silver badge
Devil

How to get a supercomputer, paid for by the USA Gov...

"shall be compensated for such costs as are reasonably necessary"

I see an opportunity...

1. Build popular app with strong encryption

2. Wait for USA Gov. to demand decryption

3. Ask for $$$ to buy f**ing big supercomputer...

4. "No, we don't have an answer yet, call again in 10 billion years..."

"and which have been directly incurred"

Damn, past tense, it's like they were anticipating this...

7
0
Silver badge

Re: How to get a supercomputer, paid for by the USA Gov...

Buy it online, submit invoice to US Gov.

If they don't pay inside the DLR time limit then return supercomputer to supplier...

0
0
Silver badge

Business opportunity

"No man's life, liberty, or property are safe while the legislature is in session." Mark Twain

Never were truer words spoken. Particularly in this case. I think we should set up legislation in a country that guarantees the availability of strong encryption and ensures that there are no backdoors. If we can couple that with low company taxes I am sure that a lot of high tech companies will want to set up there.

12
0

Re: Business opportunity

Elon Musk was mentioned earlier.

I doubt it was his plan, but who is better-placed to set up a data-haven outside all existing legislatures? On Mars, maybe?

1
1
Silver badge

Re: Business opportunity

"On Mars, maybe?"

Don't fancy your latency ...

1
0
Silver badge

I fired off a Nasty-Gram to Feinstein

I fired off a Nasty-Gram to my senator, Feinstein. I avoided profanity. It wasn't easy.

https://www.feinstein.senate.gov/public/index.cfm/e-mail-me

that's where ANYONE can send a Nasty-Gram. It helps if you live in Cali-fornicate-you, but ANYONE can say whatever they want.

It also helps if you give REAL contact information.

I'm sure there's a SIMILAR contact form for the other senator, the 'Establishment' RINO.

stoopid gummint.

9
0
Silver badge

Re: I fired off a Nasty-Gram to Feinstein

Kudos to you for doing the one thing that is really necessary in this case : showing your politician that his aides and yes-men are out of touch with his political base.

Because nothing sends a politician scurrying the other way like the perspective of losing votes. Remember Minister Hacker ? "You're not asking me to make a courageous decision, are you ?"

Make sure that hack knows the decision is courageous.

5
0

Re: I fired off a Nasty-Gram to Feinstein

Shouldn't we be firing off nicely supportive missives, encouraging him in his efforts to bankrupt the USA within the decade and to make the EU the best place in the world for businesses old and new?

1
0
Bronze badge

Re: I fired off a Nasty-Gram to Feinstein

Her. Dianne. https://en.m.wikipedia.org/wiki/Dianne_Feinstein

Not that I expect everybody in the world to know our politicians. The US citizenry are notorious in our own ignorance of global politics. Or culture. Or language. Or geography. I... may be slightly less parochial than most, but I'm guilty of it as well.

0
0
Anonymous Coward

Para 12(C)(i) is a good one

Providing technical assistance by delivering such information or data - concurrently with its transmission would require the OS used to encrypt a communication to provide a live feed, if requested.

Telemetry, telemetry, telemetry - now we know what Windows 10 is for.

5
0
Silver badge
Black Helicopters

Re: Para 12(C)(i) is a good one

Windows 10 allows MS to log in if you don't lower the diagnostic data level from full.

MS are practically complying with this bill already. Almost uncanny.

6
0


Biting the hand that feeds IT © 1998–2017