Establishing Digital Trust: Don't Sacrifice Security for Convenience
Proposed anti-encryption legislation known as "Burr-Feinstein," filed in the wake of Apple's legal showdown with the FBI, had such alarmingly broad business ramifications that apparently common sense prevailed. According to a Reuters report, sources in Congress say the bill had trouble gaining support and will probably not be introduced this year.
Ever since Apple's refusal to assist the FBI in unlocking an iPhone used by one of the San Bernardino shooters -- and the subsequent legal battles -- encryption has been on the minds of law enforcement and national security hawks.
U.S. Senators Richard Burr (R–N.C.) and Dianne Feinstein (D–Calif.) in April introduced legislation known as the Compliance with Court Orders Act of 2016 as a legislative response to Apple's legal victory against the FBI in refusing to unlock a terrorist's iPhone. The Burr-Feinstein bill was roundly and frequently denounced across the tech sector as aiming to make U.S. data less secure than any other data elsewhere in the world.
Concerns over privacy and civil libertarianism aside, the Big Brother-ish legislation presented big economic and business problems for enterprise IT.
Ever since NSA whistleblower Edward Snowden's leaks of documents demonstrating the depth and breadth of widespread domestic surveillance by the NSA and other government agencies, U.S. cloud companies and other service providers have faced costs of dozens of billions of dollars. The costs include lost foreign business (especially in the case of organizations in privacy-sensitive regions like the EU) and, in some cases, the funding needed to build additional data centers overseas to -- presumably -- be safe from the reach of the NSA.
'Worse Encryption than the Rest of the World'
"If Burr-Feinstein passes, it guarantees that Americans will have worse encryption than the rest of the world," wrote X-Lab's Sascha Meinrath and Sean Vitka in an opinion piece for CSM Passcode -- going on to note that, historically, anti-encryption national policy has led to such prolific vulnerabilities as the FREAK attack, reported to leave 36 percent of all HTTPS sites susceptible to interception and encryption-weakening. "This bill would make us all less safe by requiring that our data be stored in ways that dramatically increase its susceptibility to malicious hackers, identity thieves and other malfeasance," they wrote.
Why was Burr-Feinstein so bad?
Here are four reasons why -- along with some basics that you need to know about Burr-Feinstein and related policy proposals, and how future proposals could impact your business.
Pundits like Meinrath and Vitka are right. Burr-Feinstein would -- de facto -- outlaw secure encryption for any technology company, telecom carrier, service provider or other person or entity who gets a covered court order. By extension, this means that users of U.S.-based services and products subject to and in compliance with this law cannot trust any of their data or transmissions to be private.
To clarify the point: Burr-Feinstein outlines that any covered party who receives a covered court order (see below for what these terms mean) must provide the requested information "in an intelligible format" (or otherwise provide "technical assistance" to the government to accomplish this goal) "if such data has been made unintelligible by a feature, product or service owned, controlled, created or provided, by the covered entity or by a third party on behalf of the covered entity."
With the legalese stripped away: if Burr-Feinstein became law, an organization that builds encryption or other security measures it is itself unable to break (for instance, to protect data against insider attacks) might doom itself to being in violation of the law should it ever receive a covered court order.
Who Is a Covered Party?
Those directly subject to Burr-Feinstein are beneath a large umbrella indeed. To be clear, the proposed bill expressly states that a "covered party" includes:
- Device manufacturers
- Software manufacturers
- Electronic communication services
- Remote computing services
- Providers of these services
- People "who provide a product or method to facilitate a communication or the processing or storage of data" -- whether that communication be oral, electronic or via wire
Under a separate section of this proposed law, Burr-Feinstein even extends its reach to license distributors, such as retail outlets and independent software vendors (ISVs), charging them with the cost and burden of ensuring that what they sell is capable of Burr-Feinstein compliance.
Unclear Penalties for Violating Burr-Feinstein
The Burr-Feinstein bill includes no provision for penalties for failure to comply -- it is unclear whether such failure would be deemed criminal or civil, and the bill gives zero indication of the extent of any penalties. While Reuters has disputed that criminal penalties are on the table, that question would only be resolved by the House passing its own version of the bill and by whatever the president ultimately winds up signing -- if such legislation ever makes it to the Oval Office.
Burr-Feinstein's Wide Reach
Burr-Feinstein, however, goes further than seeking a balance between security interests for cases of terrorism, child exploitation and even murder plots -- seeking to break encryption for mere street crimes as well. Section 4(D) of the bill explicitly notes that the court orders the bill covers go beyond those narrow boundaries to cover any "serious violent felony" defined by 18 U.S.C. § 3559.
Extrapolating from § 3559 to put this in layman's terms, Burr-Feinstein would compel technology companies and service providers to break their own encryption and other security measures for court orders in cases of such relatively minor crimes as arson, carjacking, extortion and even simple firearms use or possession when associated with a drug-related crime.
Patriotism vs. Data Privacy
According to the Reuters report, neither the CIA nor the NSA got on board with the bill. It was also unpopular in the House of Representatives and failed to gain traction among Senate colleagues of Burr and Feinstein. While both senators promised to try to drum up more support for the bill, it appears dead for now.
The takeaway for this proposed bill and other such legislation: Eschew the notion that it is only about getting companies to fulfill some patriotic duty. Like it or not, Burr-Feinstein is about enhancing police powers at the expense of privacy and economic interests -- your users' privacy and your IT organization's economic interests.
Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate-communications and data-privacy consultant, writer, speaker and bridge player. Follow him on Twitter at @JoeStanganelli.
(Disclaimer: This article is provided for informational, educational and/or entertainment purposes only. Neither this nor other articles here constitute legal advice or the creation, implication or confirmation of an attorney-client relationship. For actual legal advice, personally consult with an attorney licensed to practice in your jurisdiction.)