In my last column I said I’d talk more about passwords, but unfortunately I have to postpone that discussion in the interest of covering current events.
On April 7, Senate Intelligence Committee Chairman Richard Burr (R-NC) and Vice Chair Dianne Feinstein (D-CA) published a draft bill, the Compliance with Court Orders Act (CCOA). Opening with “no person or entity is above the law,” the act proceeds to define a law that would essentially make encryption illegal in the United States.
There’s a lot to criticize, but I’ll reprint the most relevant section:
“A covered entity that receives a court order from a government for information or data shall— (A) provide such information or data to such government in an intelligible format; or (B) provide such technical assistance as is necessary to obtain such information or data in an intelligible format or to achieve the purpose of the court order.”
In plain terms: Companies are required to decrypt data upon receiving a court order. This is counter to the purpose of encryption, which is to ensure that only intended recipients can decipher a message.
The only way for a company to be able to comply with 100% of requests is to purposely introduce flaws in the encryption they use, whether it’s for credit card transactions, securing messages, or protecting against theft. We do not expect safe manufacturers to keep copies of all keys and combinations. If holes in encryption are produced for law enforcement, they can also be exploited by criminals or other governments.
The bill also has numerous jurisdiction issues. The matters addressed by the bill should fall under either the Judiciary or Commerce committee, rather than Intelligence.
The CCOA would also give every court jurisdiction over companies elsewhere in the US. Service providers based anywhere in the US would be forced to comply with orders from any court regarding the encrypted communications of anyone, anywhere. A Texas state court could order a California-based company to decrypt a conversation between a person in New York City and another in Atlanta.
The tech sector’s response has been overwhelmingly negative. The Open Technology Institute’s director, Kevin Bankston, describes the bill as “easily the most ludicrous, dangerous, technically illiterate proposal I’ve ever seen [in my nearly 20 years of work in tech policy].”
Fortunately, politicians are balking as well. The White House has declined to support the bill. Meanwhile, it is being denounced by congressmen on both sides of the aisle. Darrell Issa (R-CA) calls the bill “about as flawed and technically-naive as a piece of legislation can get.” House Intelligence Committee member Adam Schiff (D-CA) simply declared “The CCOA is DOA.”
When legislation goes against the overwhelming consensus of experts in academia and the private sector, it should be an indication that something is wrong. While CCOA is unlikely to pass, it serves as a reminder that many of America’s leaders know nothing about the technology that they seek to regulate.