Can Feds Compromise on Data Privacy?
As hawkish U.S. legislators seek to weaken encryption, a bill up for consideration welcomes private-sector interests to the table for a "dialogue." But is it a trap?
To the tech community and privacy advocates, U.S. Senator Richard Burr is a menace.
A damning April opinion piece on the Christian Science Monitor's Passcode website accuses the North Carolina Republican of actively being "so against overseeing U.S. intelligence agencies that he actively stops other senators from conducting due diligence on U.S. surveillance activities." The article's authors and others have accused Burr and fellow Senator Dianne Feinstein (D-Calif.) of intentionally obfuscating the domestic surveillance reach of the recently passed Cybersecurity Information Sharing Act while supporting restrictions on surveillance reporting requirements.
Burr's Anti-privacy Legislation
More recently, Burr, along with Senator John McCain (R-Ariz.), introduced a measure -- narrowly defeated on June 22 -- to attempt to increase federal law enforcement authority to conduct electronic surveillance over the currently protected electronic communications of private persons without the need for a warrant or other court order.
In April, Burr and Feinstein introduced perhaps their most bald-faced anti-privacy and anti-technology measure yet: the Compliance with Court Orders Act of 2016. Known colloquially as Burr-Feinstein, the bill -- if enacted into law -- would effectively ban non-backdoored encryption.
The bill's pathway to passage was forced back by ferocious objections from the technology sector and privacy-right lobbyists. Today, it lies dormant as both Burr and Feinstein -- once gung-ho over the legislation -- have walked back their enthusiasm and insisted that the bill presently has no timeline.
It is worth noting that this is a major presidential election year. Reportedly, Obama administration insiders have indicated that one reason for Burr-Feinstein's lackluster support was the reticence of otherwise hawkish politicians fearfully declining to take on the powerful tech industry with 34 U.S. Senate seats, the entire U.S. House of Representatives and the U.S. presidency at stake in November.
Digital Security Commission Act of 2016
There is an alternative to the Burr-Feinstein bill that some observers see as a more measured approach to encryption and other matters related to digital security and privacy. Introduced in February by Senator Mark Warner (D-Va.) and Representative Mike McCaul (R-Tex.), The Digital Security Commission Act of 2016 would establish a National Commission on Security and Technology Challenges -- more popularly known as the McCaul-Warner Commission -- to be comprised of 16 Congressionally appointed members from both the public sector and private sector (and one non-voting member appointed by the president).
The commission would make non-binding recommendations on encryption policy and related matters. The bill would also mandate a special Steering Committee within the Department of Commerce to issue reports and communications on these policy concerns.
"We want to maintain American innovation, but we also need to maintain American security. Encryption is part of the fabric of American security. We also need to have ways we can go after criminals and terrorists," said Warner at a recent event at the Bipartisan Policy Center. "There is no easy knee-jerk legislative response at this time."
Encryption and the Feds
Make no mistake that this legislation is geared toward regulating encryption in a way that is favorable to the federal government. Warner is a member of the Senate Intelligence Committee, while McCaul chairs the Homeland Security Committee -- and the bill is clearly geared toward getting Silicon Valley to cave on encryption issues that, to the minds of privacy activists like the EFF, have been long settled.
Consider this language from McCaul and Warner's proposed legislation:
"Despite years of dialogue between the technology sector, law enforcement, national security professionals, and others, no clear path forward has been developed that would benefit each of the critical security interests simultaneously[.]"
Although the bill would bring private technology-sector interests to the table (Apple CEO Tim Cook, for instance, has expressed a willingness to participate in this commission), it does so under the implicit, ever-hanging threat that if the tech community obstructs government interests too much, Burr-Feinstein -- or an even more encryption-hostile law -- may result. Hence, the goal of the law is clearly one of compromise -- pragmatically taking into account the inability to steamroll sweeping anti-encryption reforms like Burr-Feinstein in the current political environment.
Room for Compromise?
As to the issue of compromise, however, the question is one of who will do the most compromising. Those professionally concerned with data privacy and ICT-network integrity suspect that it will not be the data-hungry feds.
"McCaul-Warner is a complete fantasy," charged technology blogger Stephen Gallagher in a recent interview. "[T]he utopian ideal here is that everything is perfectly secure except -- and only -- when it's absolutely necessary for law enforcement to have access. I don't think anyone would disagree with that as an outcome if it was actually possible. Of course, it is not actually possible."
Gallagher argues that the "encryption cat is already out of the bag" and that, because strong encryption is already widely deployed in the private sector, there is -- from a practical, technological standpoint -- no practical compromise to be had that would not completely break encryption Burr-Feinstein style. Indeed, Gallagher goes on to clarify that the most typical "solution" to this type of impasse is a government-controlled skeleton key for all encryption.
Regardless of the exact mechanism that the public-sector members of the commission attempt to persuade or pressure the private-sector members to agree to and recommend, however, it will still necessarily and fundamentally involve a technological solution that ultimately renders encryption nearly meaningless.
"Essentially, the InfoSec community has been asked by the government if they would mind drinking a gallon of antifreeze. When they balked at this, the government proposed a conversation in which a group of interested parties would discuss exactly how much antifreeze they would be comfortable drinking," Gallagher analogized. "At the end of the day, the government is asking us to change the rules of math so it obeys the whims of the judiciary system."
Gallagher is not alone in these views on what a court order truly means to an IT organization. Ed Felten, a professor of computer science at Princeton University, opined in 2013 that "[a] court order is an insider attack from a purely technological standpoint" because of the way compliance with one works; it still necessarily involves an insider in the organization copying proprietary or otherwise private data and making it available to an outside party for purposes not intended by the organization when it collected or created the data.
(Ironically, Felten is now Deputy CTO for the U.S. government.)
Gallagher adds that although the government may be hoping that the tech community will cave enough to give hawks like Burr the political high ground, a more likely scenario is that the tech community will stand firm and nothing will really change -- essentially keeping the encryption and data-privacy wars on the level of a "gun control debate."
"I [am] opting to assume good intentions for the purposes of this discussion, [but anti-encryption legislative proposals are] trying to assign policy to math problems. There is simply no physical way to determine intent from a stream of encrypted bits," insisted Gallagher. "You cannot possibly know the content of a message without first decrypting it -- so you can't assign policy without already having broken the encryption."
Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate communications and data privacy consultant, writer, speaker and bridge player. Follow him on Twitter at @JoeStanganelli.
September 15, 2016
Hacks happen. But sometimes organizations seem to make themselves targets with behavior that is a bit too boastful, judgmental or egotistical.