The “discussion draft” for the Compliance with Court Orders Act of 2016 was officially released on Senator Feinstein’s Senate page, without many changes, other than some more specific language about the types of court orders that can demand decryption. Senator Ron Wyden promised to filibuster the bill soon after the draft was published.
No Significant Change
When the leaked draft came out last week, many security and cryptography experts responded negatively to it. They warned that the bill would force anyone, including open source developers, to either stop using encryption completely, or make it so weak that malicious hackers could threaten the security of all services and products.
The main change from the previously leaked draft is that now not just any court order can compel decryption of the data, but only a court order in cases involving “serious crimes,” such as those involving serious bodily harm, child exploitation, terrorism, espionage (which could likely be used against whistleblowers, too), violent felonies, or other “serious drug crimes.”
From the perspective of how this affects the state of encryption in services, this change is insignificant. If the law is enacted as currently described, companies would still have to either be able to decrypt everything their services or products encrypt, or, if the burden of doing that is too great, they might just stop using encryption altogether. Companies can’t just use “encryption for serious crimes” and “encryption for less serious crimes,” because there’s no clearly defined way to make that distinction.
“Above The Law”
The two Senators made the argument that the bill must pass because “nobody is above the law,” an argument similar to one the FBI has been making about “warrant-proof” devices. However, they neglected to mention that there are already things that are warrant-proof, and therefore “above the law,” as the Senators call it.
Jonathan Zdziarski, famed mobile forensics expert, noted in a recent post that there are already other things that are protected against judicial warrants, such as journalist sources and documents, physician-patient records, attorney records, and diplomatic pouches, just to name a few examples. At some point in the past, the U.S. government determined that these things should be “above the law,” because the net benefit of keeping them protected at all costs is much greater than that of allowing government access to them.
If journalists can’t have their documents and sources’ names taken away from them even with a judge’s order, then people can have a freer society protected against government as well as judicial abuse.
In the same way, one could make the argument that strong encryption is a net benefit to society, and should also be warrant-proof, if the entities dealing with sensitive data decide that such encryption would best protect that data against cybercriminals.
More Security Or Less Security?
Senator Ron Wyden, also a member of the Senate Intelligence Committee, promised to filibuster the bill.
“The encryption debate is about having more security or having less security. This legislation would effectively outlaw Americans from protecting themselves. It would ban the strongest types of encryption and undermine the foundation of cybersecurity for millions of Americans,” Wyden noted on his Senate page.
“This flawed bill would leave Americans more vulnerable to stalkers, identity thieves, foreign hackers and criminals. And yet it will not make us safer from terrorists or other threats. Bad actors will continue to have access to encryption, from hundreds of sources overseas. Furthermore, this bill will empower repressive regimes to enact similar laws and crack down on persecuted minorities around the world,” Wyden added.
He also asked the American public to organize and protest against this bill while at the same time he would try to stop it in Committee, or filibuster it on the Senate floor.
Wyden also reminded everyone that his Secure Data Act would ban any government backdoors or mandates to weaken encryption, implying that people should call their representatives and urge them to support it in Congress.
California’s Smartphone Decryption Bill Fails To Pass
While Senator Feinstein was working on this federal decryption bill, her own state was also trying to pass a similar bill that would have forced smartphone makers to add backdoors to their phones to be able to decrypt them on demand.
However, the bill didn’t even get a vote, as the members of the Assembly Committee on Privacy and Consumer Protection worried that the bill “would undermine data security and impose a logistically untenable requirement on California companies.”
It seems the California legislature realized that such anti-encryption bills would not only make security worse, but could also hurt companies economically due to the burden imposed on them.
California wasn't the only state to try to pass such a bill. New York is still discussing an almost identical bill, so it's now up to New York's legislature and its citizens to decide if this bill should pass.
Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu.