Burr-Feinstein Bill Shows Congress Misunderstands Encryption, Internet Says
Criminals and terrorists would still be able to use encrypted apps built by foreign companies.
The two U.S. senators with the most power to collect and analyze American intelligence don’t seem to understand encryption.
That’s the reaction from the international cybersecurity community and internet policy analysts on both sides of the aisle after a leaked draft of possible legislation that would reduce already weak protection on Americans’ communication data surfaced.
The tech industry has spent months waiting nervously for Democratic senator Dianne Feinstein and Republican senator Richard Burr to unveil a bill meant to give U.S. law enforcement agencies the ability to decipher encrypted messages sent via WhatsApp, iMessage, and other services. That day finally came late last week, when an unofficial version of the bill (dubbed the Compliance With Court Orders Act of 2016) was published by The Hill. The reaction was as immediate as it was fierce, with the director of the Open Technology Institute telling Wired, “this is easily the most ludicrous, dangerous, technically illiterate proposal I’ve ever seen.”
The bill demands that the communication companies Americans use everyday maintain the ability to provide “intelligible” data to U.S. police. Lawmakers say that’s a legitimate bid to identify terrorists before they launch an attack, though they usually forget to mention that this kind of measure would require internet companies to purposely implement weak security on the world’s most popular communication services.
Currently, Apple, Facebook (which owns WhatsApp), and other companies employ end-to-end encryption, which is meant to ensure that only a sender and intended recipient are able to view a message. End-to-end encryption scrambles messages to ensure they can’t be read if intercepted when they’re in transit or stored on a company’s server. That scrambling process has become so advanced that Apple and WhatsApp say they can’t decipher user’s messages, even if they’re served with a judge’s orders.
But it’s not just chat companies. “Intelligible” data could also mean retaining deleted emails or forcing companies to intentionally build products with security measures that enable government investigators to poke around whenever they want (known as “backdoors”). The legislation draft also fails to address security researchers’ longstanding warning that any backdoor that’s made available to the FBI can also be stolen from the FBI by, say, the Chinese government, which would then have a portal into American communications.
“Every service, person, human rights worker, protester, reporter, and company will be easier to spy on,����� Sean Vitka, legal counsel at the privacy organization Demand Progress, said in a statement Friday. “Even as this bill undermines every Americans’ privacy and safety, its jurisdictional narrowness is yet another catastrophic flaw. It does not control Russian products, or the North Korean government. Senators Burr and Feinstein are asking America to cripples its defensive information abilities.”
Feinstein, Burr, FBI Director James Comey, and the rest of the national security establishment have for years warned that terrorists, hackers, and other foreign adversaries use end-to-end encryption to hide their communications from public view. After ISIS killed 130 people in Paris last year anonymous public officials told CNN the attackers had WhatsApp and Telegram, another encrypted app, on their phones, which were recovered from the scene. But so far there’s almost no evidence to back up those claims, and a New York Times report last month indicated the perpetrators primarily used disposable burner phones to coordinate the attack, not end-to-end encryption.
The debate gets even more contentious when it becomes clear that investigators probably don’t need access to those encrypted messages, anyway. The FBI and NSA still have access to user metadata (including WhatsApp metadata), giving them the numbers dialed, conversation duration, common associates, and other information that’s sensitive enough for them to piece together a person’s life and tendencies. In fact, the government trusts metadata collection enough to launch drone strikes against targets that have been under surveillance.
Or, as former CIA and NSA chief Michael Hayden once put it, “We kill people based on metadata.”