There is much I could write about this week: Intel’s rumored layoffs in Oregon just ahead of its quarterly earnings release, president Obama’s support of the FCC’s open cable box proposal, Motor Trend’s shameless attempt to design the putative Apple Car by committee (with the regrettable participation of an otherwise-serious Apple blog), or rumors of an Apple App Store reorganization (about time) and paid-search app promotion (what?). Exciting as these all are, we have a more pressing matter before us: The just-released draft of the Compliance with Court Orders Act of 2016, an anti-encryption bill co-authored by Senate Select Committee on Intelligence chairman Richard Burr (North Carolina Republican) and vice chairman Dianne Feinstein (California Democrat). The purpose of the proposed law is stated clearly up front: “To require the provision of data in an intelligible format to a government pursuant to a court order, and for other purposes. ”
In other words, all US companies shall be obligated to decrypt any and all communications when so ordered by a court. No exceptions.
Our government’s displeasure with cryptography isn’t new. Once upon a time, strong cryptography was deemed a munition, which meant it couldn’t be exported or even discussed openly. Programmers made their sentiments known by printing forbidden encryption code on t-shirts:
In 1995, Daniel Bernstein, then a Berkeley student, wanted to publish and discuss an encryption algorithm he called “Snuffle,” but the government shut him down [as always, edits and emphasis mine]:
The Arms Export Control Act and the International Traffic in Arms Regulations (the ITAR regulatory scheme) required Bernstein to submit his ideas about cryptography to the government for review, to register as an arms dealer, and to apply for and obtain from the government a license to publish his ideas. Failure to do so would result in severe civil and criminal penalties.
After almost nine years of legal wrangling, the Ninth Circuit Court of Appeals ruled that software source code is a form of speech that’s protected by the First Amendment and that the government’s regulations were unconstitutional. Marylin Patel, the presiding magistrate, invited Bernstein to come back to her court “if and when there is a concrete threat of enforcement.”
Today, the export restrictions have mostly been lifted (although they remain in force against “rogue” states — as if these states can’t avail themselves of the unbreakable cipher technology that’s freely available on the internet), but that hasn’t relieved our Solons of their obdurate ignorance of simple mathematical facts.
As I explained in the “Let’s Outlaw Math“ Monday Note, there’s a fundamental disparity between the ease and speed of multiplying very long numbers and the astronomically long and complicated task of finding the original factors. This natural disparity, which is the basis of modern encryption, doesn’t bend to the will of politicians, so the encryption bill wants to force the issue: They want every tech company that provides or uses encryption to keep the encryption keys in a safe, ready to be handed over upon order of the court. At the same time, the proposed law commands that these companies also protect their customers’ privacy:
[…] all providers of communications services and products (including software) should protect the privacy of United States persons through implementation of appropriate data security and still respect the rule of law and comply with all legal requirements and court orders.
This is dangerously delusional. You can’t protect privacy and security when you have all of these encryption keys floating around. Pretending otherwise shows ignorance, delusion, or dishonesty, and it ignores very recent history: Recall that the Office of Personal Management couldn’t protect the privacy of 18 million government employees. Even the hypersecretive NSA couldn’t keep some of its own secrets.
Furthermore, the bill does nothing to stop bad actors from using freely and openly available unbreakable cipher technology, nor can it prevent them from using clever ways, such as steganography, to make their communications invisible. (One US Attorney came up with a novel idea for fighting unbreakable encryption: Just ban the import of open source encryption. So ordered!)
The bill’s greatest danger, however, is its disregard for the dire consequences of putting US tech companies at a competitive disadvantage in world markets. How does a company export communication technology that contains a US government backdoor? Overseas customers will balk. One might be tempted to suggest a compromise: Just offer two versions, domestic and exportable, backdoored and unbreakable. Right… And how does cross-border use work?
The draft’s lofty but empty opening statement hints at the authors’ contempt for modern technology companies: “It is the sense of Congress that no person or entity is above the law.”
Is this a dig at companies (guess which ones) that refuse to help the FBI and other police organizations and, by doing so, place themselves “above the law?” Let’s examine the nonsense that “No one is above the law.” Diplomatic pouches are above the law; so are client-attorney communications. I have no doubt that some government agencies—Defense and Intelligence are the obvious examples—use unbreakable encryption when State interests require the highest degree of security, as well they should. What happens when a government official is dragged into court with a demand for “data in an intelligible format” and the communications can’t be decrypted?
Unsurprisingly, such an unrealistic, ignorant, and poorly thought-through piece of legislative saber rattling hasn’t found support from the White House. Even some congress members are distancing themselves from it:
Other members of Congress have condemned it, including Rep. Darrell Issa (R-Calif.) and Sen. Ron Wyden (D-Ore.), who has promised to filibuster the bill if it reaches the Senate floor.
This leaves us with one question: How did the bill even get here?
Given the recent horrible incidents on our soil and abroad, it’s easy to understand the impetus for the bill. But if it were to pass in a form that’s close to the draft, we’d still have the incidents, as well as a series of security accidents that would range from embarrassing to expensive, and on to tragic. Perhaps then we’d make peace with mathematics and move back to sane, unbreakable encryption.
Or perhaps this bill is just for show, aired in order for the Senate to look busy, stern, watchful—without any actual intent of getting it passed. According to the JustSecurity article quoted above, the authors haven’t tried to win the hearts and minds of the tech companies that the bill will affect:
Burr and Feinstein scheduled an April 13 staff briefing (not an actual hearing) about the ‘going dark’ issue with a lineup composed entirely of police and prosecutors. Not a single cryptographer or security expert, no one from civil society, no industry representatives for entities that would be subject to the bill.
The authors will get to say that they tried; Congress will get to say that it listened; the Executive branch will get to complain that Congress can’t get them the tools they need. This is modern politics: Winning by losing.
This post originally appeared at Monday Note.