Senators Dianne Feinstein and Richard Burr have released a discussion draft on providing technical assistance to law enforcement seeking to gain access to encrypted information pursuant to a court order. The draft has been available for a while, and the internet is littered with hot takes and reactions. Some segments of law enforcement are supportive, while the privacy community is almost uniformly appalled. In the interest of giving it a fair reading, let’s break down the important parts of the bill.
Duty to provide or assist
Section Three of the draft requires an entity presented with a court order compelling them to provide information or data to:
(A) provide such information or data to such government in an intelligible format; or
(B) provide such technical assistance as is necessary to obtain such information or data in an intelligible format or to achieve the purpose of the court order.
The scope of the data production requirement is instances where data “has been made unintelligible by a feature, product, or service owned, controlled, created, or provided, by the covered entity or by a third party on behalf of the covered entity.”
So, basically: “if your product or service has made the data we want unintelligible, give it to us or help us get it.”
There are a few ways companies could position themselves to be compliant with this draft in the event of a court order. One is to retain encryption keys, administrative passwords, etc. for all clients. Another is to build “backdoors” into systems, or purposeful weaknesses that can be exploited to gain access.
Neither compliance option is particularly appealing. A sales pitch on the security and privacy measures taken by your company that includes the caveat “we’re going to need copies of your encryption keys and administration passwords,” or “we promise the weakness we built into this system on purpose won’t be discovered,” is like expounding on the benefits of a screen door on a submarine. Neither inspires a supreme level of confidence.
What is “intelligible?”
Perhaps the most important defined term in the bill is “intelligible”, which is defined as:
(A) the information or data has never been encrypted, enciphered, encoded, modulated, or obfuscated; or
(B) the information or data has been encrypted, enciphered, encoded, modulated, or obfuscated and then decrypted, deciphered, decoded, demodulated, or deobfuscated to its original form.
Looking at the definition, we run into problems immediately.
Take for example the text you’re reading right now. It is stored and transmitted as an encoding of characters into bytes (UTF-8, most likely) and is (your feelings on my writing notwithstanding) by a dictionary definition intelligible. But because it has been encoded, it fails to meet the definition of intelligible in (A). To meet the definition in (B), it would have to be decoded “to its original form,” which on a plain reading means not just any readable form but the specific encoding in which it was originally created. So in order for what you’re reading right now to be “intelligible” under this draft, it would either have to be unencoded (enjoy the raw bits) or be returned in its original encoding (“sorry, you gave this to me in UTF-8, it was written in UTF-16.”)
This problem becomes more acute when discussing images. Images stored in common formats like .jpg or .png are compressed to save storage space and to make them practical to share over the internet. Compression is itself a form of encoding. PNG compression is lossless, so the original pixels can at least be recovered exactly. JPEG compression is lossy: detail is discarded when the file is written, so once an image has been saved as a JPEG there is basically no way to get it back to exactly its original form.
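To make the encoding point concrete, here is an added example (my own illustration, not code from the post or the draft). It shows three things: the same text produces different bytes under different character encodings and only decodes to the original if the right one is used; DEFLATE, the compression inside PNG, is an encoding but a lossless one; and a toy quantization step standing in for the lossy stage of a JPEG-style codec throws information away that no decoder can recover. The sample text and pixel values are constructed for the example, and `quantize` is a simplified stand-in for a real codec, not an actual JPEG implementation.

```python
import zlib

# Constructed sample input for this example (not taken from the draft or the post).
SAMPLE_TEXT = "Encrypted? No. Encoded? Yes: naïve café"
SAMPLE_PIXELS = [0, 3, 7, 100, 101, 250, 255]  # constructed 8-bit grayscale samples


def encode_text(text: str, encoding: str) -> bytes:
    """Turn a string into bytes. Every character set (UTF-8, UTF-16, Latin-1, ...)
    is an 'encoding' in the draft's sense, and the bytes differ per encoding."""
    return text.encode(encoding)


def decode_text(data: bytes, encoding: str) -> str:
    """Decode bytes back to a string with the named encoding. The result is the
    'original form' only if this is the encoding the bytes were produced with."""
    return data.decode(encoding, errors="replace")


def text_round_trips(text: str, encoding: str) -> bool:
    """Lossless: encode then decode with the same encoding returns the original."""
    return decode_text(encode_text(text, encoding), encoding) == text


def deflate_round_trips(data: bytes) -> bool:
    """DEFLATE (zlib) is the compression used inside PNG. It is an encoding,
    but a lossless one: decompressing yields the exact original bytes."""
    return zlib.decompress(zlib.compress(data, level=9)) == data


def quantize(samples: list[int], step: int) -> list[int]:
    """Toy stand-in for the quantization stage of a lossy codec such as JPEG:
    each sample is snapped down to a multiple of `step`. Inputs that differ by
    less than `step` collapse to the same output, so the input is not recoverable."""
    return [(s // step) * step for s in samples]


def lossy_round_trips(samples: list[int], step: int) -> bool:
    """A quantized signal can only be 'decoded' to the quantized values; it
    equals the original only if nothing was lost in the first place."""
    return quantize(samples, step) == samples


if __name__ == "__main__":
    for enc in ("utf-8", "utf-16", "latin-1"):
        raw = encode_text(SAMPLE_TEXT, enc)
        print(f"{enc:8} {len(raw):3d} bytes, round-trips: {text_round_trips(SAMPLE_TEXT, enc)}")
    # Decoding with the wrong codec produces something, but not the original text.
    wrong = decode_text(encode_text(SAMPLE_TEXT, "utf-16"), "latin-1")
    print("utf-16 bytes read as latin-1:", repr(wrong))
    print("DEFLATE round-trips:", deflate_round_trips(SAMPLE_TEXT.encode("utf-8")))
    print("8-bit samples:", SAMPLE_PIXELS)
    print("after JPEG-style quantization (step 8):", quantize(SAMPLE_PIXELS, 8))
    print("lossy round-trips:", lossy_round_trips(SAMPLE_PIXELS, 8))
```

Run it as a script to see the byte counts and the mangled string that results from reading UTF-16 bytes as Latin-1. The practical takeaway for anyone asked to produce data "in its original form" is that lossless encodings (character sets, PNG, gzip) can be undone exactly given the right codec, while anything that passed through a lossy stage cannot be undone at all.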
I could go on with other technical implications outside of encoding, but you have other things to do today.
This draft would have a major impact on how systems are designed, implemented, and deployed.
While the bill specifically states “nothing in this Act may be construed to authorize any government officer to require or prohibit any specific design or operating system to be adopted by any covered entity,” this is hollow comfort and is limited solely to actions taken under administrative authority or judicial authority. The draft itself places enormous limitations on design.
The bottom line is that a device manufacturer, software manufacturer, or a service provider that utilizes encryption would have to maintain a way to bypass or defeat the encryption in order to be compliant in the event of a court order. Further, the broad definition of “intelligible” makes true compliance all but unattainable.
It’s also worth mentioning that the enactment of this draft would likely be unwelcome news in Brussels in the midst of all the uncertainty surrounding the EU-US Privacy Shield.
It’s not clear that the draft is going anywhere fast, as industry groups in opposition are mobilizing, but this is certainly something to monitor.