A draft of a highly anticipated Senate encryption bill was leaked to The Hill late on Thursday night, sparking a swift backlash from technology and privacy groups even before the legislation has been introduced.
The bill is co-sponsored by Sens. Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.), the chairman and ranking Democrat on the Senate Intelligence Committee. Both senators are leading advocates for encryption “backdoors” that would allow law enforcement and intelligence agencies to read secure messages. Some government officials, led by FBI Director James Comey, say such access is needed because criminals and terrorists are increasingly using encryption to dodge surveillance as they plot crimes and attacks. But tech and privacy advocates say there’s nothing to prevent cybercriminals and hackers from exploiting the same backdoors.
The Burr-Feinstein bill would require companies to respond to court orders for data by providing decrypted information or giving the government “such technical assistance as is necessary to obtain such information or data in an intelligible format.” The bill covers virtually every company involved with providing secure internet services, from device manufacturers and the makers of encrypted chat apps to “any person who provides a product or method to facilitate a communication or the processing or storage of data.” The bill does not lay out the penalties for refusing to comply with such court orders, as Apple recently did when it rejected the FBI’s request to help unlock an iPhone belonging to one of the San Bernardino shooters. An Apple lawyer declined to comment on the bill during a conference call with reporters on Friday.
Cryptography experts and privacy advocates immediately and overwhelmingly condemned the bill. “I could spend all night listing the various ways that Feinstein-Burr is flawed & dangerous. But let’s just say, ‘in every way possible,’” wrote Matt Blaze, a prominent cryptographer and professor at the University of Pennsylvania, in a tweet late on Thursday night. Julian Sanchez, a privacy and technology expert at the libertarian Cato Institute, responded similarly:
Burr-Feinstein may be the most insane thing I’ve ever seen seriously offered as a piece of legislation. It is “do magic” in legalese.
— Julian Sanchez (@normative) April 8, 2016
Advocates charge that the bill’s broad language will act as a dragnet, making nearly every tech company that provides an encrypted service subject to decryption requests that smaller companies may be unable to handle. “It will force companies that have implemented the strongest security measures to backtrack in order to poke holes in their own systems, and will prevent others from developing those systems in the first place,” said Amie Stepanovich, the US policy director for the digital freedom advocacy group Access Now, in a statement.
Reuters reported on Thursday that the White House would not support the bill, in keeping with its pledge last year not to demand any laws mandating backdoors into encryption. But White House deputy press secretary Eric Schultz insisted the report was wrong and that the bill was still under review. “The idea that we’re going to withhold support for a bill that’s not introduced yet is inaccurate,” he told reporters aboard Air Force One.