An Encryption Bill From Two Senators Who Have No Idea How Math Works

Matt Muller (MattMuller.info)
Apr 8, 2016

Seriously, can we talk about this for a second?

This year, in 2016, Senators Richard Burr (R-NC) and Dianne Feinstein (D-CA) released a draft bill that would require companies to build encryption backdoors into the software and devices that they sell. In 1897, over a hundred years ago, an Indiana legislator proposed a bill that would have had the unintended consequence of legally declaring the value of Pi to be 3.2.

At the end of the day, encryption is math. You can’t regulate the outcomes of mathematical formulas and magically define them to work differently based on the “rule of law.”

A Selection of My Favorite Quotes From the Compliance With Court Orders Act of 2016

“It is the sense of the Congress that no person or entity is above the law…”

Yeah, no kidding. Whether accidentally or intentionally, this conflates someone’s willingness to comply with someone’s ability to comply. If some enterprising Congressperson wanted to ban dying, for example, I’d be more than willing to comply, but I’m not sure I’d have the ability to comply forever.

“A covered entity that receives a court order [to provide data] shall only be responsible for providing data in an intelligible format if such data has been made unintelligible by a feature, product, or service owned, controlled, created, or provided, by the covered entity or by a third party on behalf of the covered entity.”

Oh, that’s alright then. Let’s just leave an elephant-sized open source software loophole in the law. Example: I could use GPG to encrypt the files on my laptop instead of Apple’s FileVault (which would be covered under this law). I could use Cryptocat instead of iMessage. You get the idea.

Here’s why this matters: people who have a strong incentive to protect their activities with encryption will continue to have the means to do so, while the average American consumer gets screwed over by the lack of strong encryption in their day-to-day life.

“The term ‘technical assistance’… includes… delivering such information or data concurrently with its transmission”

In other words, the government should have the ability to intercept and decrypt communications in real-time. How could this possibly go wrong?

Hint: It Can Go Very Wrong.

We need look no further than the exploitation of existing so-called “lawful intercept systems” by intelligence agencies and hackers:

From security expert Bruce Schneier:

In order to comply with [US] government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access….

In Greece, between June 2004 and March 2005, someone wiretapped more than 100 cell phones belonging to members of the Greek government: the prime minister and the ministers of defense, foreign affairs and justice.

Ericsson built this wiretapping capability into Vodafone’s products and enabled it only for governments that requested it. Greece wasn’t one of those governments, but someone still unknown — A rival political party? Organized crime? Foreign intelligence? — figured out how to surreptitiously turn the feature on.

So yeah. Let Senators Feinstein and Burr know that you don’t appreciate their attempt to undermine your security. Let your Senator and Congressperson know, if you’re not a Feinstein or Burr constituent. And tell them that we don’t want Pi to equal 3.2.
