Encryption and The Rule of Law
The Burr-Feinstein draft legislation is proposed to resounding opposition from everyone outside law enforcement, especially the tech community it would impact. Not only ill-conceived and heavy-handed, it is poorly drafted by an author who clearly has no understanding of the technical issues this would miserably complicate to no good end.
I want to focus on how this bill is philosophically misbegotten, quite apart from the absurdity and futility of attempting to mandate backdoor access to any strong encryption. Set aside the inherent contradiction of making something secure with exceptions; how it harms only law-abiding citizens while criminals are free to circumvent it easily; all the additional technical complexity, cost, and overhead of attempting to comply with such measures; and how it will hurt business as a disservice to customers. Here I just want to focus on the intention.
The bill makes its case from the premise that “no person or entity is above the law”. It’s remarkable that this needed to be stated as the Sense of Congress, but the set of things they agree on is quite limited. Then, in an epic leap of logic, it insists that upholding the rule of law requires that court orders must be immune to encryption. That is, this law would force the recent Apple-vs.-FBI confrontation to a conclusion by requiring submission to the government.
First, we already have CALEA (Communications Assistance for Law Enforcement Act) giving law enforcement certain rights to wiretap. Since the attempt to slip this kind of backdoor requirement into that act failed, this bill is an apparent attempt to backdoor CALEA itself to get that power another way.
Given the power to wiretap, what more do they want?
It’s difficult, but I think I have a glimpse of what goes on in the thinking of someone who believes that the use of encryption necessarily puts one “above the law.” This is a highly paranoid and fearful mindset that thinks anyone choosing to use encryption must have something to hide. Seeing themselves and their agents as the indisputable good guys, they not only want to know all hidden secrets, they believe they are entitled to them.
Think about what this means. So far as we know, conversations in a private home or in a public park, for instance, are not subject to law enforcement orders. Are people having a private chat on a park bench “above the law”?
Wiretaps disclose conversations, time, and phone numbers. Decryption of someone’s phone tells you a whole lot more: for heavy smartphone users, it’s a big chunk of their life. Not only calls and messages, but also email, location history, calendar, browsing, passwords, social media, contacts, photos, e-books, music, videos, and more are all in our smartphones.
For many people, hiding cameras and bugs in their homes would get you less than you can get from their phone. So if we allow this, why not the other?
Why must we surrender this much privacy for “rule of law”?
The Panama Papers paint a very clear picture of all the holes in the international financial system that facilitate money laundering, tax evasion, and more. Laws and regulations that allow shell companies and other accounting tricks to obscure funds quite clearly make all kinds of illegal activity possible. True accountability, so that funds used to perpetrate a crime could be traced, would vastly boost law enforcement across the board, but that’s not their priority.
Nor is law enforcement pushing for more stringent control of firearms, which seem to be a much more significant factor in maintaining the rule of law. For example, the United States did not even provide information to the 2015 UN study on firearms trafficking.
Investigation of money flows and weapons seems to be a lower priority for law enforcement than making the personal lives of citizens an open book.
Lawyers should not attempt writing software requirements.
The core obligation this bill would mandate is in Section 3:
(A) provide information or data to such government in an intelligible format; or (B) provide such technical assistance as is necessary to obtain such information or data in an intelligible format or to achieve the purpose of such court order
Misbegotten as this bill is, they have provided a helpful loophole here. Since iPhone encryption uses 256-bit AES encryption, Apple simply should have offered assistance by trying each of the possible 115,792,089,237,316,195,423,570,985,008,687,907,853,269,984,665,640,564,039,457,584,007,913,129,639,936 keys. (For comparison, that is very roughly the estimated number of atoms in the universe.) The bill helpfully provides for compensation, which in this case would be quite expensive, even by federal budget standards. Of course this is a complete waste of time, and hopefully that would be obvious enough that the attempt would be unnecessary.
The bill explicitly does not impose limitations on design, so the only way to crack any well-built encryption would be such a brute-force attempt.
So why are they focused on our phones?
Smartphones are so useful that, it seems, we can hardly live without them anymore, and we carry them everywhere we go. Smartphones with a government-sanctioned backdoor are the modern Panopticon: a means of being observed potentially, yet you never know if in fact you are being observed or not. The Panopticon was proposed by Jeremy Bentham as “a new mode of obtaining power of mind over mind”, and modern technology has made it cheap, ubiquitous, and able to work in real time. This explanation actually makes sense: the only one I’ve found that does.
UPDATE 2016/05/27: According to Reuters, Burr-Feinstein likely will not be introduced this year.