Congress’s Latest Attempt to Criminalize Encryption-Fact Sheet & Conclusions
The tug of war with your privacy. High stakes, election year, and a power play by law enforcement.
In response to the whole affair, however, Senators Dianne Feinstein (D-CA) and Richard Burr (R-NC) are currently working on a bill to make sure law enforcement can get what they need without having to beg. The Feinstein-Burr bill would, if passed, force tech companies to comply with court orders to turn over data, even if that data is encrypted or if the company can’t actually access it. A preliminary version of the so-called “Compliance With Court Orders Act of 2016” was released last Friday. This version isn’t necessarily final, but it’s already pretty terrible. Unless major changes are made, this bill is dangerous to anyone who values their security.
What This Bill Would Do
According to the draft released on Friday, any time a tech company is provided with a court order for information, they must be capable of complying with it. Either by having access to the data itself, or by helping the government find a way to get access to the data. In other words, a company can’t say “That’s impossible” and call it a day. A tech company faced with such an order would have two options:
- Turn over the information directly. If a company has data on their servers relevant to the court order, they would be required to hand it over to law enforcement. It must be “in an intelligible format.” This means the company must have the ability to translate encrypted data to a readable format. That would require tech companies who offer encryption to either hold the keys to decrypt the data themselves, making their customers data more vulnerable, or worse, only use encryption that the company itself could break, making the encryption effectively worthless.
- Help law enforcement get access to the information. If a company doesn’t have the data stored somewhere, it would have to provide “technical assistance as is necessary” in order to help the government get access to the data. In other words, tech companies would be forced to throw their weight into investigative forensics until the government decided the job was done. Notably, there is no limitation in this bill on just how much effort the government can demand from a company. There is, however, a provision stated they will be “compensated” for any costs incurred by providing technical assistance.