Leaked Senate encryption bill called 'ludicrous, dangerous' by security experts
A proposed U.S. Senate draft bill that would give courts the authority to compel tech companies to comply with law enforcement requests for encrypted data leaked online Thursday night, and by Friday security experts and civil rights advocates were dismantling the policy, calling it ill-informed and potentially dangerous.
The proposed bill, authored by U.S. Senate Intelligence Committee Chairman Sen. Richard Burr (R-NC) and Vice Chair Sen. Dianne Feinstein (D-CA), has been circulating amongst key members of Congress for the past two weeks in a bid to build support prior to a vote. According to people familiar with the matter, the version that leaked online is current, Reuters reports.
As described by Open Technology Institute Director Kevin Bankston, the draft bill is the "most ludicrous, dangerous, technically illiterate tech policy proposal of the 21st century."
While not in its final form, the legislation's language appears to offer judges authority to force tech companies like Apple to hand encrypted data over to law enforcement agencies, even if that means breaking into their own devices.
In particular, tech companies furnished with data request warrants would have to deliver said data in "an intelligible format" or provide "technical assistance" to agencies seeking access to passcode protected information. As reported in March, the bill does not stipulate specific penalties for noncompliance, nor does it suggest methods or means by which compelled companies must provide access.
Following last night's leak, Burr and Feinstein issued a joint statement attempting to explain their bill and why it is necessary.
"The underlying goal is simple: when there's a court order to render technical assistance to law enforcement or provide decrypted information, that court order is carried out," the statement reads. "No individual or company is above the law."
Reuters cites a source as saying President Obama is scheduled to be briefed on the bill by White House chief of staff Denis McDonough next Monday. However, a report on Thursday said the administration is split on the issue, suggesting the White House is unlikely to support the proposal, at least not publicly.
The bill is being floated in direct response to growing concern that law enforcement agencies, unable to break increasingly sophisticated consumer-level encryption protocols, lack judicial instruments to force compliance in evidence gathering operations. Speaking to the issue was the recent court kerfuffle between the FBI and Apple.
Apple in February was ordered by a federal court to assist the FBI in gaining access to an iPhone tied to San Bernardino terror suspect Syed Rizwan Farook. A day before federal prosecutors were scheduled to meet Apple lawyers in the case's first evidentiary hearing, the government withdrew its motion to compel citing an outside party who demonstrated an eleventh hour passcode workaround. With a working exploit, the FBI's case was rendered moot.
Since then, the FBI has promised to assist in multiple ongoing investigations involving locked iPhones, though whether or not the agency plans to apply its new data access technique is unknown. As it stands, the vulnerability can only be leveraged on older handsets. FBI Director James Comey this week confirmed the exploit does not work on hardware above an iPhone 5c, and the agency is already running into problems with newer devices.
Earlier today, the U.S. Justice Department said it plans to continue a long-running Brooklyn court case compelling Apple's assistance in accessing a target iPhone 5s running iOS 7. As in San Bernardino, the company is resisting the All Writs Act order.
Comments
You know how they plant evidence on you?
This is 10x worse. Anyone they wanna lock up, they can with ease. Either for political reasons or just for laughs.
They want Apple to find a way to decrypt the encrypted (destroyed) data for them and give them either an encryption key, access to the key (as in unlocking a passcode or password on a phone) or decrypted data they can read.
On the less funny side, these are exactly examples why trust in government and all institutions around is fading away. Some things simply won't be remedied by saying "oops" and "we're so sorry that this sensitive information has leaked"/"we were not knowing about the full consequences of our proposition".
To be clear: I do not claim politicians and officials must be flawless, they are human after all. However, my perception is that more and more they don't care about hiding incompetence, or hidden agendas, or whatever keeps them from performing in the people's best interest.
This is not one of those "if you're not doing anything wrong, then you've got nothing to worry about" situations. It's more like, political adversaries could hack each other, nations could steal state secrets of other nations, companies could steal R&D from each other, politicians' personal lives could be hacked, etc.
Bad guys will just use other means to plot & scheme their nefarious deeds. Ordinary citizens will be vulnerable to these bad guys. But, ironically, it's the powerful people and institutions who are under the greatest threat from "backdoored" personal devices.
But it makes no sense to make them decrypt it, or to force them to make products with weaker security. It's just not what they do, or should have to do. Perhaps weapons manufacturers should be forced to decrypt the handset data, or manufacturers of fertilizer and hydrogen peroxide, or whatever else they're using to make bombs these days. And maybe shoe manufacturers (since we all know how dangerous shoes can be in the wrong...hands). And of course drug dealers. Or they could all take turns, since they're all somehow connected to the bad things happening in the world these days. And why should the government have to do this if they can force a private company to do it?