It is becoming increasingly clear that Senators Dianne Feinstein and Richard Burr, co-chairs of the US Senate Intelligence Committee, don't have the slightest clue about how encryption works. Good thing they're currently pushing disastrous legislation that would force tech companies to decrypt things for law enforcement! Today Feinstein and Burr co-authored an op-ed in the Wall Street Journal entitled "Encryption Without Tears", and wow, it is bad. They have yet again demonstrated a failure to grasp even the most basic principles of technology.
Let's walk through it:
"In response to these cases, we are circulating a proposal in the Senate to ensure that technology does not undermine the justice system.
"The draft proposal requires a person or a company -- when served with a court order -- to provide law enforcement with information (in readable form) or appropriate technical assistance that is responsive to the judicial request. This will enable law enforcement to conduct investigations using the communications involved in criminal and terrorist activities."
Sounds simple enough, right? All these tech companies have to do is turn over encrypted data in readable form! This is foolishness. Companies simply don't have access to the readable form of encrypted user data. That's the whole point! They can't help law enforcement even if they want to. What the senators are proposing would force companies to engineer backdoor access to their encryption algorithms, undermining the core principle of what allows encryption to protect you from hackers and criminals.
Feinstein and Burr's bill is not based in any technical reality. Companies like Apple, Microsoft and Google would have to entirely re-engineer how they encrypt user data, leaving it vulnerable to attackers in the process. No encryption expert has identified a way to allow law enforcement access to encrypted communications without also jeopardising the security of the everyday user.
The op-ed also cites sad stories in which law enforcement was unable to gain access to the communications of a terrorist and a murdered pregnant woman. Nobody denies that in some cases, encryption may be a hindrance to law enforcement. But what Feinstein and Burr seem to be conveniently forgetting is the amount of crime prevented by secure, backdoor-free encryption. Remember, law enforcement was able to solve crimes before our iPhones encrypted our pictures and text messages.
"Our draft bill wouldn't impose a one-size-fits-all solution on all covered entities, which include device manufacturers, software developers and electronic-communications services. The proposal doesn't define the technological solutions or tell businesses how to solve the problem. It provides compensation for reasonable costs that businesses may incur when complying with a court order."
This is some really devious doublespeak. There is absolutely no doubt that this bill would require any tech company that encrypts the data of its users to entirely re-engineer how it secures said data or run the risk of potentially ruinous fines. While the bill doesn't explicitly tell companies to build a backdoor into their encryption, it leaves them no other option.
"We want to provide businesses with full discretion to decide how best to design and build systems that maintain data security while at the same time complying with court orders."
Again, this makes no sense. This bill would jeopardise the security of all encrypted data. Feinstein and Burr can employ whatever mental gymnastics they want to justify their bill, but there is no escaping this technical reality.
"Critics in the industry suggest that providing access to encrypted data will weaken their systems."
Good point. They're right!
"But these same companies, for business purposes, already maintain and have access to vast amounts of encrypted personal information, such as credit-card numbers, bank-account information and purchase histories."
What? Earlier in the op-ed, Feinstein and Burr weren't asking for credit-card numbers and purchase histories -- they were lamenting the fact that law enforcement doesn't have access to encrypted communications. They specifically cite "109 messages" from a shooter in Garland, Texas that investigators can't access.
"All we are doing is asking companies to find a way to keep their data secure while also cooperating with law enforcement in terrorism and criminal investigations."
The implication that technology companies don't cooperate with law enforcement when it comes to terrorist investigations is flatly dishonest. Major tech companies routinely provide investigators with technical assistance as well as any data they have the ability to access.
Feinstein and Burr have yet again displayed total incompetence about how encryption works at a very basic level. They show a complete disregard for how vital encryption is when it comes to protecting our data and everything we do online. Aren't you glad they're in charge?