
Intelligence Committee Leaders Release Discussion Draft of Encryption Bill - david90
http://www.feinstein.senate.gov/public/index.cfm/press-releases?ID=EA927EA1-E098-4E62-8E61-DF55CBAC1649
======
mangeletti
Government is trying to make it illegal for one person to keep secrets and
whisper them into another's ear.

We can argue all day about how the law doesn't prevent criminals from using
technologies (it doesn't, which makes the law idiotic, from a logic
perspective), but that's not the important part.

The important part is that this group of folks we're calling Government is
trying to prevent us from being allowed to have secrets and whisper to each
other.

Government is not as stupid as we'd like to think. Government doesn't believe
that "terrorists" will stop using encryption. These laws are not for
"terrorists". They're for us. Take away somebody's ability to keep secrets,
and you've gained a pretty good advantage over their position[1].

This is about only one thing: leverage; and leverage is power.

1\.
[https://en.wikipedia.org/wiki/Enigma_machine#Breaking_Enigma](https://en.wikipedia.org/wiki/Enigma_machine#Breaking_Enigma)

~~~
rayiner
> Government is trying to make it illegal for one person to keep secrets and
> whisper them into another's ear.

That is already the case. If you whisper a secret into my ear, the government
can subpoena me and force me to tell a court what you said. They can force you
to tell a court what you said so long as it's not incriminating to you, and
even then they can do it if they give you immunity.

We can debate about what the law _should be_, but for the last several
hundred years, the law has not really contemplated people keeping secrets from
the Government. "Privacy" as it has been understood to date means protection
from the government fishing for evidence without probable cause, not an
absolute right to keep secrets.

Pervasive, unbreakable encryption is a game-changer that requires rethinking
the existing framework. We're not just talking about not being able to get
data from a terrorist's phone. We're talking about the bread-and-butter of
many sorts of criminal prosecutions being opaque to the government. Good luck
convicting someone on insider trading when all the relevant communications are
opaque to the government.

I happen to think that the benefits of encryption outweigh the challenges to
law enforcement. But it's disingenuous to pretend that the government is trying
to "take away" a right to "keep secrets" that you already had. Our whole legal
system is built on being able to get whatever evidence is relevant wherever it
may be found, with extremely narrow exceptions.

~~~
JoeAltmaier
With a subpoena or warrant, yes. But not pervasively.

And while we're at it, why is the existing state of affairs not good enough?
Why the attempts to subvert the message pipe? After all, the govt can still
compel people to talk, and it's people receiving those secret messages.

The reason is, to my cynical mind, that they're interested in avoiding the
work of warrants etc. They'd like to sidestep privacy entirely, and just
record everything in the pipe. Not entirely cynical; it's exactly what they've
done with the tools they already have.

In my mind there's an enormous gulf between subpoenas of a person for
information, and the ability to get that information secretly and
continuously.

~~~
rayiner
You make a good point, which is that if companies have to weaken their
encryption in order to be able to comply with this law, that opens up the
possibility for easier surveillance without a warrant. I think that's a huge
concern, because in my opinion the 4th amendment only provides limited
protections to bits travelling over third-party pipes on the Internet, so
effective end-to-end encryption is essential for privacy.

That being said, the ostensible purpose of this bill is to govern what happens
in response to a valid court order.

------
callcallcall
Instead of complaining into the echo chamber of comments, here are some things
you can do to fight back:

Donate to the EFF:
[https://supporters.eff.org/donate/button](https://supporters.eff.org/donate/button)

Call your Reps: [http://TryVoices.com](http://TryVoices.com)

Petition the President: [https://savecrypto.org/](https://savecrypto.org/)

~~~
vox_mollis
I am gobsmacked by the tenor of comments here. At what point will HN posters
finally realize that participation in the democratic process does precisely
nothing against naked power?

~~~
callcallcall
In 2014 Americans made over a million public comments to the FCC in support of
net neutrality. The FCC sided in favor of net neutrality. [1]

In 2011 Americans made over 8 million phone calls to their representatives in
opposition to SOPA/PIPA. The bills were defeated. [2]

[1] [http://techcrunch.com/2014/08/05/inside-the-fccs-1-1-million-net-neutrality-comments/](http://techcrunch.com/2014/08/05/inside-the-fccs-1-1-million-net-neutrality-comments/)

[2] [http://www.sopastrike.com/numbers](http://www.sopastrike.com/numbers)

~~~
verusfossa
And then CISA, arguably worse than SOPA, passes both houses in 2015 tucked in
a budget bill.

[0] [http://www.theverge.com/2015/12/18/10582446/congress-passes-cisa-surveillance-cybersecurity](http://www.theverge.com/2015/12/18/10582446/congress-passes-cisa-surveillance-cybersecurity)

~~~
djejjehje
Not to mention more restrictions to come via the various secret international
trade pacts being made.

People must understand this, to disagree is to be disingenuous on the face of
mountains of evidence. The American people have zero say on policy, the laws
the government wants the government will get, it may take a few more years but
it will happen.

The system cannot be reformed, its very core is corrupt, those who disagree
are for the status quo of the police state and they are our enemy and the
enemy of justice.

------
tbrake
> "Today, terrorists and criminals are increasingly using encryption to foil
> law enforcement efforts, even in the face of a court order."

How can you utter that sentence and simultaneously not understand why your
bill is effectively worthless for its stated purpose?

~~~
bjt2n3904
When encryption is outlawed, only outlaws will have encryption.

~~~
ythl
When guns are outlawed, only outlaws will have guns.

~~~
chx
When guns are outlawed, only lawmen and outlaws will have guns. Good. That's
the state of affairs in every developed country except one and it's
demonstrably better in every way.

~~~
abfan1127
except for all of these demonstrable ways:
[http://www.amazon.com/More-Guns-Less-Crime-Understanding/dp/0226493660](http://www.amazon.com/More-Guns-Less-Crime-Understanding/dp/0226493660)

~~~
loup-vaillant
(Dunno what's in the book)

I hear hand guns in particular are quite accident prone. Even if there's less
_crime_, we might still have more _deaths_.

~~~
abfan1127
I'd check your sources. Hand Guns are no more accident prone than long guns.

~~~
Retric
Not if you adjust for usage. On average people use Long guns more than hand
guns.

------
bcg1
Yikes, "license distributors" are covered entities:

"c) LICENSE DISTRIBUTORS. - A provider of remote computing service or
electronic communication service to the public that distributes licenses for
products, services, applications, or software of or by a covered entity shall
ensure that any such products, services, applications, or software distributed
by such person be capable of complying with subsection (a)."

I suspect it would be practically impossible for FOSS projects to comply, and
everyone who creates or distributes free and open source software that is
capable of encrypting anything would fall under this definition. Also I don't
see any provision for existing software... if this bill passes, are we just
supposed to stop distributing software on Day 1 until it can be rewritten to
make it possible to comply?

This bill is astonishingly stupid, even when compared to the unusually high
level of stupidity of federal legislators.

------
tptacek
I'm getting pretty deep into bets on Twitter AGAINST this bill having a chance
of passing. My logic is simple: this bill outlaws all sorts of things huge
corporations use to protect their networks. No big company I've ever done
security work for has ever been OK with crypto keys being escrowed by vendors;
in fact, we were often instructed to look for exactly those kinds of features
as disqualifiers for products.

I do not believe this Congress will succeed in passing a bill that would
require Bank of America to escrow keys with IBM and Symantec.

~~~
Veratyr
If it passes, what are the chances of it being struck down as a first
amendment violation?

~~~
CoryG89
The first amendment does not guarantee the right to privacy. Most Americans
would be surprised to know that the Constitution does not guarantee privacy at
all.

The closest you get is the 4th amendment which only protects against
unreasonable search and seizure (without a warrant).

Some argue that the 3rd amendment implies a right to privacy and was the
intent of the amendment, but alas it only protects against being forced to
house soldiers.

Disclaimer: IANAL

~~~
tptacek
The 1A argument is that code is a form of expressive speech, and that laws
that limit what kind of speech you can make are in effect prior restraints.

------
coroutines
Feinstein is just the worst.

She is the equivalent of Mitch McConnell for the Democrats.

She fully understands exactly what she's proposing and she's the biggest
hypocrite for it.

~~~
numbsafari
I don't know enough about California politics, how is it that Feinstein is
able to be a proponent of these crazy ideas and somehow get elected in the
home state of Silicon Valley and many of the companies who will be ruined by
these proposals?

~~~
cuckcuckspruce
Because Harvey Milk and George Moscone are dead - she wasn't killed by Dan
White[1].

[1]
[https://en.wikipedia.org/wiki/Moscone%E2%80%93Milk_assassina...](https://en.wikipedia.org/wiki/Moscone%E2%80%93Milk_assassinations)

(Edit: What I'm trying to say is that she was the person that found Harvey
Milk shot and was one of the people that police asked to identify the bodies
of both Milk and Moscone. Certainly being that close to the aftermath of
violence changes a person.)

~~~
coldpie
Wow, I had no idea Feinstein was so close to the assassinations. That's
traumatic. I wonder if those events led to her positions on defense and
privacy which are so uncharacteristic of the rest of her party.

~~~
NoGravitas
Her positions on defense and privacy are actually pretty representative of the
establishment wing of her party. The Democratic party has some pretty severe
divisions in it, and has for years.

~~~
coldpie
That's a fair point. Obama is in the anti-encryption camp too, after all.

------
onetwotree
So I work for a company that sells a security related appliance. We sell to
mid to large sized enterprise customers.

We made the decision to go with an appliance over hosted services because this
way if we get hacked, our customers don't.

Part of our product is a secure secret store, and of course we use encryption
for many other purposes. Our customers use our software (or standard tools) to
generate their own key material to encrypt their secrets.

Very importantly, we can't help the government, or anyone else, get access to
our customers' secrets. We can't reasonably be asked to backdoor the software,
because many of our customers do code reviews and audits on it before buying.

Can someone help me understand how this law would affect my company and others
like it, our customers, and their users?

------
ewindisch
What this does and doesn't do:

This bill effectively makes it illegal for US companies and persons to build
or use secure enclaves / TPMs and to publish cryptosystems without either
including backdoors or retaining and storing keys. It also implies that
companies would need to store keys indefinitely, otherwise they would not be
able to decrypt data, as no time limitations are set on the capability of
accessing data.

This would not make SSH or TLS illegal or require users to hand over keys. It
could mean that if a US person or corporation contributed to an SSH or TLS
library, they could be expected to provide a backdoor mechanism to the
government. (EDIT: would not require to hand over keys en masse, or in any way
above and beyond current statutes)

Interestingly, this bill covers vendors and presumably US persons that
"provide a product or method". You'll still be able to legally use foreign-
developed tools. The US would have grounds to ask those foreign agents to
decrypt data, but would have limited means of enforcement.

~~~
spdustin
Respectfully, I disagree WRT SSH/TLS

Section 2 (4) spells it out: communication service and software providers.
That's the maker of every app on your phone, the phone manufacturer, your
phone company, email provider, retailer (they're communicating your data to
their data warehouses).

The summary clearly says "software manufacturers" (aside: manufacture
software? _facepalm_ ), "providers of wire...electronic...[or] remote
communications services, or any person that provides a product or method to
facilitate a communication or to process or store data" are all "covered
entities" and that they're responsible when they or "another party on their
behalf" have made data unintelligible.

The bill, in section 3 (c) includes "license distributors", e.g. the App Store
and Google Play.

Now that I've typed all that out, and please pardon the profanity, but:

What. The. Actual. Fuck.

"No one is above the law", except clearly the legislators and enforcers
themselves. "Protect ... Privacy with strong data security", which doesn't
exist with the sort of recovery mechanism the bill would require.

If the data is made intelligible again by a party other than the person who
uttered it and their intended recipient, it has, by definition, been breached.
You've been pwned. Game over. Full stop. You've lost control of your data.

(Edit: clarity)

~~~
ewindisch
It would cover your use of SSH/TLS for providing a service, but they can
already subpoena those keys under existing law, so it's of limited relevance
in a conversation about what this bill introduces.

What changes here is that if you deployed SSH/TLS using a HSM (Hardware
security module), you'd need to be prepared to provide a plaintext stream upon
a court order. Obviously, the alternative is to choose the non-HSM route which
is, and has always been, vulnerable to subpoena.

I would say the HSM example is likely the government's understanding of the
law as it exists today anyway. This is a matter of codifying and clarifying
that position.

All of the above-such systems are such where the vendor or operator already
controls the means and mechanisms for encryption and decryption. These are
already vulnerable to subpoena.

The serious changes in this bill are around building systems where only the
end-user can control access to their data.

~~~
cesarb
> What changes here is that if you deployed SSH/TLS using a HSM (Hardware
> security module), you'd need to be prepared to provide a plaintext stream
> upon a court order. Obviously, the alternative is to choose the non-HSM
> route which is, and has always been, vulnerable to subpoena.

Forgive me if I'm wrong, but doesn't SSH always use a Diffie-Hellman key
agreement, where the keys are destroyed after their use? No subpoena has the
power to recover keys destroyed in the past, even if no HSM had been used. The
same applies to modern TLS using DHE or ECDHE suites, and AFAIK the current
TLS 1.3 proposal allows only these suites.

They might be able to subpoena the authentication keys, but these are useless
to recover the ephemeral keys of past connections (except from older TLS
cipher suites which didn't use DHE/ECDHE), and even for future connections
they would have to be used with an active attack.
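
The point above about destroyed Diffie-Hellman keys, as an added example that is not part of the original thread: a recorded session is replayed against a later-disclosed long-term key, once with the server reusing that key for key exchange and once with a fresh key per session. The toy group, the XOR stand-in cipher, the Schnorr-style signature and every function name are assumptions made for illustration; the static mode uses a long-term Diffie-Hellman key as a stand-in for the older non-DHE suites.

```python
import hashlib
import hmac
import secrets

# Toy group chosen for this example only: P = 2**255 - 19 is prime, G = 2.
# Real protocols use standardized groups or elliptic curves.
P = 2**255 - 19
G = 2


def to_bytes(n):
    return n.to_bytes(32, "big")


def keypair():
    """Return (private, public) where public = G^private mod P."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def session_keys(my_priv, peer_pub):
    """Derive (encryption key, MAC key) from the Diffie-Hellman shared secret."""
    digest = hashlib.sha512(to_bytes(pow(peer_pub, my_priv, P))).digest()
    return digest[:32], digest[32:]


def xor_stream(key, data):
    """Stand-in cipher: XOR with a SHAKE-256 keystream (encrypts and decrypts)."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def _challenge(r, msg):
    return int.from_bytes(hashlib.sha256(to_bytes(r) + msg).digest(), "big")


def sign(priv, msg):
    """Schnorr-style signature: the long-term key used for authentication only."""
    k = secrets.randbelow(P - 3) + 2
    r = pow(G, k, P)
    return r, (k + _challenge(r, msg) * priv) % (P - 1)


def verify(pub, msg, sig):
    r, s = sig
    return pow(G, s, P) == (r * pow(pub, _challenge(r, msg), P)) % P


def handshake(server_long_term, ephemeral, message):
    """Run one session; return only what a passive recorder on the wire sees."""
    lt_priv, lt_pub = server_long_term
    client_priv, client_pub = keypair()
    if ephemeral:
        # Fresh key-exchange key per session; the long-term key only signs it.
        srv_priv, srv_pub = keypair()
        sig = sign(lt_priv, to_bytes(srv_pub))
        if not verify(lt_pub, to_bytes(srv_pub), sig):
            raise ValueError("server key exchange not authenticated")
    else:
        # Static mode: the long-term key is itself the key-exchange key.
        srv_priv, srv_pub, sig = lt_priv, lt_pub, None
    enc_key, mac_key = session_keys(client_priv, srv_pub)      # client side
    if (enc_key, mac_key) != session_keys(srv_priv, client_pub):  # server side
        raise ValueError("key agreement failed")
    ciphertext = xor_stream(enc_key, message)
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    # client_priv and (in ephemeral mode) srv_priv are dropped on return.
    return {"client_pub": client_pub, "server_pub": srv_pub, "sig": sig,
            "ciphertext": ciphertext, "tag": tag}


def recover_with_long_term_key(lt_priv, transcript):
    """What the recorded transcript plus the disclosed long-term key yields."""
    enc_key, mac_key = session_keys(lt_priv, transcript["client_pub"])
    expected = hmac.new(mac_key, transcript["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, transcript["tag"]):
        return None  # derived keys do not match the session: nothing recovered
    return xor_stream(enc_key, transcript["ciphertext"])


if __name__ == "__main__":
    long_term = keypair()
    msg = b"constructed sample message"
    for mode in (False, True):
        recorded = handshake(long_term, mode, msg)
        result = recover_with_long_term_key(long_term[0], recorded)
        print("ephemeral" if mode else "static", "->", result)
```
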

~~~
ewindisch
I hadn't considered DH, but if this bill would be used as basis for a court
order to decrypt data obtained via a wiretap, then yes, it would be
problematic for PFS cryptosystems. :(

------
studentrob
Voices [1] is a free app that lets you call, email, or tweet representatives
from your phone

It's free and I have no affiliation. I just saw it on r/apple's monthly
appreciation thread [2]

Representatives _do_ care about your calls. They get reports on them every day

[1] [http://tryvoices.com/](http://tryvoices.com/)

[2]
[https://www.reddit.com/r/apple/comments/4d71kg/monthly_appre...](https://www.reddit.com/r/apple/comments/4d71kg/monthly_appreciation_thread_for_april_2016/)

------
tobbyb
There is something inherently despotic about framing seeking basic
accountability as questioning the legitimacy of government.

Security has always been the first resort of tinpots and despots for self
seeking behavior. Only those ignorant of history or too distracted with
material gain and hubris will fall for it. There always has to be a balance
because ultimately everyone is safe in a cage. But that's not what we mean by
free democratic societies.

Spying on everyone gives some individuals a sense of power and the logical
response to that must be to prosecute them in open courts so their regressive
mindsets can be exposed for the sickness they perpetuate. Privacy is much more
important and valuable than making day to day law enforcement and governance
easier.

Now back to the real world if there was any serious interest in dealing with
terrorism Saudi Arabia would have been tackled 30 years ago rather than let
them fund and spread Wahhabi ideology globally and the latest round of terror.
Yet even today they are the USA and UK's closest allies in the middle east
while Iraq, Libya, Syria and Iran who have nothing to do with global terror
campaigns are casually destroyed with millions dead and millions in disarray
making a complete mockery of the world we live in and the humanity we claim
for ourselves.

There is no legitimate argument for a surveillance society other than coming
from ignorance of history or narrow self interest. It's high time this country
makes an example of those emboldened enough to advocate it and reiterate its
commitment to its fundamental values.

------
p01926
They're really hitting the "nobody should be above the law" talking point
hard. How fortunate for us — it sounds good but doesn't survive even casual
scrutiny. Crypto might interfere with investigations, but that is very
different from being above the law. There are huge numbers of cases where some
perp used encryption and was still brought to justice.

The best analogy I can think of is the document shredder. As a society we
accept that individuals can protect their personal privacy and safety even if
this occasionally frustrates law enforcement investigations. Shredder
manufacturers aren't forced to limit how good a job they do to potentially aid
LE as this would do more harm than good. And, after all, if you banned
shredders, criminals would still be able to just burn their incriminating
papers.

~~~
Kenji
Banning the shredders is not a solution, you're right. The correct thing to do
would be to legally require every shredder producer to include a little
scanner right above the blades. This scanner would then take a copy and
wirelessly send it back to a server, where it gets stored for 3 months. If
there is no internet connection, the shredder must refuse to work. Living the
dream!

------
mtgx
> _The bill establishes that: No one is above the law._

Yes - except diplomats, journalists, doctors, as well as conversations between
people in person are all "warrant-proof", and therefore "above the law" as
Feinstein calls it.

As Zdziarski also says in his post below [1], the 4th amendment doesn't
_grant_ the U.S. government anything. It tries to restrict the U.S. government
from overreach. It says only upon probable cause can the government request
personal information, but it doesn't say the government MUST get that
information and in a format that's intelligible as well.

But when the U.S. government has started interpreting the Constitution however
it gives it more power, even saying that your "emails" can be obtained without
a warrant because they've been "opened" [2], or when it believes that spying
on millions of people at once is "relevant" to a _specific_ investigation
(3-hop spying) then it's no surprise that they also believe the 4th amendment
gives it the power to require the data in an intelligible format.

> _No new collection authorities. The bill does not create any new collection
> authorities for the government to obtain communications. The bill simply
> requires covered entities to ensure that the government’s lawfully-obtained
> evidence is readable—so that law enforcement can solve crimes and protect
> our communities from criminal and terrorist activities._

Well, that's a lie. Until now, only "covered entities" under CALEA could be
forced to facilitate spying. Now everyone else can be forced as well,
including open source developers. I'd say that's quite an expansion of its
"collection abilities", no?

[1] -
[http://www.zdziarski.com/blog/?p=5912](http://www.zdziarski.com/blog/?p=5912)

[2] - [https://www.eff.org/deeplinks/2016/04/eff-supports-rep-goodlattes-managers-amendment-email-privacy-act-hr-699](https://www.eff.org/deeplinks/2016/04/eff-supports-rep-goodlattes-managers-amendment-email-privacy-act-hr-699)

~~~
FussyZeus
Don't forget the politicians. Remember, we're all equal, just some of us are
more equal than others.

------
noobie
This is hilariously absurd.

So let's say Microsoft provides me with a computer.

I go make some cool encryption program on the computer. Now I can use the
computer to encrypt data.

One court order later and Microsoft is now required to decrypt the data I
encrypted using their computer.

All Microsoft did was provide a programmable computer. Now they must do the
impossible. This bill is ungodly horrible.

~~~
ewindisch
This is not true. The bill would only apply to encryption mechanisms provided
by Microsoft or a third-party application installed by Microsoft as part of
the operating system.

Interestingly, this bill covers vendors and presumably US persons that
"provide a product or method". You'll still be able to legally use foreign-
developed tools. The US would have grounds to ask those foreign agents to
decrypt data, but would have limited means of enforcement.

~~~
spdustin
It covers anything that's been licensed into the software, which would include
encryption libraries. It covers _hard drive manufacturers_ (provides a product
or method to facilitate a communication or the processing or storage of
data).

Communication, by their definition btw, includes electronic and ORAL
communication. As others have mentioned, it literally covers whispering if
someone or something amplifies or transmits your whisper thus facilitating a
communication.

~~~
ewindisch
Absolutely, but the bill does nothing to prevent users from installing
hardware or software that has been built without a backdoor. You will still be
able to use Veracrypt, if you'd like, without backdoors. I do not see in this
bill provisions which prevent vendors building equipment that can run
arbitrary code, use arbitrary devices, or arbitrary mechanisms. (However, I'll
look again)

The assumption of liability is on vendors. Vendors are expected to sell you
broken goods. Developers of VeraCrypt in the above example would be expected
to provide a backdoor. If they're foreign, then it will be largely
unenforceable, although those developers will likely face difficulties
visiting the USA.

Where users are restricted is wherein they become vendors or providers of
software or services. Running a Tor server may require being prepared to
provide keys or offer a backdoor, for instance. I think the bill as written
could have trouble with distributing VM and container images as well, although
a case may be made that they are not operating as "software manufacturers" and
are simply distributors, with the liabilities reaching back to Canonical,
RedHat, Microsoft, etc.

------
ipsin
The plain-spoken language of the bill is irritating, because it hides how much
assistance it provides to the existing surveillance machinery.

For example, it doesn't exempt the FISA court, as far as I can tell, and seems
to embrace that use.

I'm having a little trouble with the paradoxes... "Nothing in this Act may be
construed to authorize any government officer to require or prohibit any
specific design". Is this a fig leaf? If you design a system that makes it
impossible for you to comply with the act, you're still required to comply,
right?

I pray this can't pass in my country.

~~~
iNate2000
I think the part about requiring a design means: we won't require what method
you use, just get us the data.

------
mattherman
If you disagree with the contents of this bill, EFF supplies a helpful form
for emailing your representatives to express those feelings.

[https://act.eff.org/action/tell-congress-stop-the-burr-feinstein-backdoor-proposal](https://act.eff.org/action/tell-congress-stop-the-burr-feinstein-backdoor-proposal)

~~~
akerro
They don't care about your emails...

~~~
NoGravitas
They care very little about your emails. They care slightly more about your
phone calls and snail mails, and still slightly more about your office visits.
Each increment is tiny, but enough of them add up.

------
srj
Secure communication between terrorists is impossible to stop if they show any
inclination to do so. This will only impact normal people using major online
services.

Right off the top of my head a few ways terrorists would thwart this:

\- Use end-to-end encryption that's easy to overlay on an existing medium
(e.g. PGP).

\- Create or use an app that doesn't comply with this law and use that for
communication. At least on android all you need to do is allow 'Unknown
sources' and you can install apps outside of the play store.

\- Use something other than text. Go in an online game and spell something out on the wall.

By repeatedly trying to start this "conversation" it really seems the
politicians don't want to accept that it's impossible to prevent encryption at
the long tail of users (where the terrorists would be). Instead they're going
to stick their heads in the sand. It could be a deliberate attempt to gather
session keys for the intelligence services to do their bulk harvesting, but
what it definitely won't do is stop terrorism.

------
phkahler
How can they not see the contradiction? "We want your data to be secure, but
we also want US to be able to see it." Technology and math in particular
doesn't know who is who, and equations don't behave differently because
someone writes a law. Seriously, RSA is just M' = M^E mod N. You can publish
your public key in the newspaper and have people send you encrypted messages
on a postcard and nobody - even the government - can decrypt it without your
private key. A law can't change that, although forcing back doors into OSes
will eventually lead people to using end-to-end encryption more.

------
vermontdevil
Key for me is to identify certain dangerous provisions that have a high chance
of sneaking through and becoming law.

I'm sure the senators involved put in as much outrageous stuff knowing it'll
be watered down. This with the hopes a few key provisions are not watered
down.

That's why, in my opinion, bills like these should not be put up for
discussions, amendments, and vote. I fear the worst though.

------
roldie
I wish Congresspeople were held to the same standard as the rest of us. This
kind of lack of understanding of technology (intentional or not) is evidence
of gross incompetence. Feinstein/Burr should be expelled. We all would be fired
if we demonstrated this lack of ability

------
rwhitman
How is it that lobbies from oil, guns, banks, telecom have historically been
so powerful in passing legislation through Washington, yet the software
industry is still so completely limp at protecting its political interests?

I feel like politicians see tech as an easy target to walk all over to rally
the technophobe base, and with good reason - there's really no consequences
for doing so.

Why is a company like Apple, at a time when it has a historic stockpile of cash,
trying to duke out political battles by writing open letters to the press and
appealing for public support to uphold basic security practices when other
industries manage to bend political will in their favor to do truly greedy
things at the public's expense on a regular basis?

------
TazeTSchnitzel
From reading the draft, it doesn't seem to say what happens if it is not
technically possible (or practical, anyway) for the entity being ordered to
comply.

Will they simply be held in contempt of court until they finish brute forcing
an encryption key at the heat death of the Universe?

------
zmanian
Silicon Valley needs to make its voice heard here and to do that they
need to pull back donations not just to Feinstein but to the Democratic Party
until this disaster is withdrawn

~~~
studentrob
Good idea, here are her most recent top contributors [1]

[1]
[http://www.opensecrets.org/politicians/contrib.php?cid=n0000...](http://www.opensecrets.org/politicians/contrib.php?cid=n00007364&cycle=2016)

~~~
natch
Wow, the University of California is a top donor, and her husband is the
chairman of the UC regents? I smell conflict of interest.

------
idipous
What this bill says pretty much is that all US entities are not allowed to use
secure encryption methods and practices. They can offer encryption but at the
same time the implementation should be flawed in such a way that it can be
reversed via a "backdoor" or a vulnerability.

That is the essence of the bill in my opinion and nothing else.

------
andrewmutz
I genuinely don't understand what the bill would do. This section seems to
place no restrictions on the design of devices:

(b) DESIGN LIMITATIONS.—Nothing in this Act may be construed to authorize any
government officer to require or prohibit any specific design or operating
system to be adopted by any covered entity.

If the bill says the government cannot place restrictions on the design of
devices, but the bill says providers have to do things they can't do with
existing designs (e.g. Whatsapp end to end crypto) what does this bill
actually do?

~~~
spdustin
It says, in plain language, "we can't tell you which lock to use, just that
you must have the master key in case we need it."

~~~
andrewmutz
Interesting, I read it differently. I read it as being internally
inconsistent.

From my perspective it says "you need to hand over the plaintext if law
enforcement asks for it," which would imply that a master key of some sort
needs to exist.

But then it also says that nothing in this act can be construed to require a
specific design. But requiring a master key to exist would be requiring a
specific design.

The proposed law sounds internally inconsistent to me.

------
konceptz
>>or any person who provides a product or method to facilitate a communication
or to process or store data.

So any crypto researcher, in the USA, must be able to also defeat their own 2
channel crypto?

Also, since government compensation is listed, how does that work with
intractable cryptanalysis of said work?

------
zmanian
Technically literate folks need to treat encryption regulation the way gun
enthusiasts treat gun control. This must become utterly politically toxic to
get involved with.

------
sklivvz1971
This bill is a joke, right? Right? Anyone?

This would ironically only jeopardize the safety of law-abiding Americans and
lawful American interests. It would be utterly useless for anything else,
including terrorism, espionage, criminality and foreign interests.

------
Quanticles
As far as I can tell, this is a win for encryption. It says that device
manufacturers need to help law enforcement break into a device, but they do
not need to create any backdoors. If Apple/Google/etc make it impossible for
them to break into their own devices, then there is nothing that they can do.
As long as they are not required to include backdoors then encryption wins.

------
ipsin
Any odds-makers want to speculate on the odds of this going all the way?

It seems like this could be an anchoring tactic -- now that we've seen the
intelligence and law-enforcement wish-list, we should supposedly be happy with
any other "compromise" bill that's not quite as apocalyptic.

------
FussyZeus
Politicians legislating for technology is the best real life example of the
blind leading the deaf I've ever seen. We should add a constitutional
amendment that requires the voting representatives understand the topic for
which they're voting in order to have their votes count.

------
hathym
I believe that if someone hacked into the senate systems and exposed some
secret data, maybe they would change their mind about this law?

~~~
tshtf
Like this?

[http://www.washingtontimes.com/news/2014/jul/31/cia-admits-i...](http://www.washingtontimes.com/news/2014/jul/31/cia-admits-improperly-hacking-senate-computers-sea/?page=all)

------
peterwwillis
I would actually be okay with this if I had any faith whatsoever that court
orders would be issued based on significant evidence that a crime was planning
to be committed or had been committed. But as we've seen over the past 5
years, secret orders are given with gags based on practically zero evidence
and gather up the data on an unlimited number of people, for effectively no
purpose.

We can't trust the Government to properly issue court orders anymore, so it
would be irresponsible for the People to give them any more power than they've
abused already.

------
joesmo
This makes the FBI's requests to Apple look like child's play. I cannot
possibly see how our tech economy can survive once all these backdoors are in
the hands of criminals (other than the US govt) and enemy states. Feinstein is
especially known for her extreme stupidity but killing one of the last
prosperous industries in America (tech), this is just simply too much. At
least we'll know who to blame when no one wants to buy US tech anymore.

------
xupybd
"Certain communication service providers that distribute licenses for a
covered entity’s products and services also must ensure that these products
and services are capable of providing information or data in an intelligible
format."

I'm having trouble understanding the meaning of that, but is it saying if you
provide a means of encrypting customers data you must be able to access it
unencrypted?

~~~
iNate2000
I think it's saying that the app store will be prohibited from distributing
unbreakable encryption.

------
giaour
I'm not a lawyer, but it seems like complying with this law would preclude
compliance with HIPAA, ISO 9001, various NSA-IAD directives, etcetera.
Compliance with standards like those is often written into government
contracts and sometimes required by statute or policy.

If this law passed in its current form, wouldn't entire industries have to
choose which laws to break when storing data?

~~~
zbjornson
I was wondering about this, but the data can remain encrypted and compliant as
long as it's ultimately accessible by court order. I then assume the existing
laws regarding courts accessing private health data apply.

~~~
giaour
There's no stipulation that data needs to be decryptable by the party holding
it, is there? If the law passes in its current form, we'll probably see a slew
of client-side encryption and secure multiparty computation offerings from
providers.

------
irixusr
Another brick in the wall.

What are we going to do about it? Maybe Wikipedia or Google will deface their
own websites, and the bill will die only to resurrect shortly after.

A better solution would be for the millions of tech workers to unite and vote
GOP just to send a message that we don't automatically vote for anyone or any
party.

If California's vote is locked for a certain party, then it is taken for
granted.

~~~
bobwaycott
Voting for GOP candidates isn't going to change anything.

~~~
logfromblammo
Better to start up a new party with a clever nerd name--like Bitwise Party, or
Breakpoint Party, or similar--and run its own candidates. Then automate the
hell out of political party organization. Make running for office as easy as
registering a new domain name.

But that will probably never happen, because forming and operating a political
party is too much like joining a union with its own PAC. And also, third
parties don't count for much in the US.

------
arnonejoe
How would this be enforceable with e to e encryption? The defendant could
simply claim the private key has been lost. Then what??

~~~
venomsnake
It has nothing to do with defendants. They already have the fifth.

It is about the service provider.

------
nxzero
Easily see criminals stealing non-criminal systems, user-accounts etc. - and
sending encrypted data from them.

Basically, hackers just offer plausible deniability as a service, ransom
evidence that you weren't the party sending the data, setup human targets,
etc.

To submit a bill like this shows a complete disregard for how it will function
in the wild.

------
irixusr
Think of every demographic in the US that politicians whore themselves to. The
most successful ones are not always large. But they vote as a block, in high
numbers, and are not overly faithful to any party.

Tech workers should support senators like Wyden or R. Paul and take steps to
really knock down Feinsteins or Burrs.

------
sbov
I'm always conflicted with this.

On one end, I feel like security is hard enough that we don't need to go
weakening it, in any way, to allow the government to be able to (with a lawful
warrant) read the data. I feel like the citizens of the US are overall more
secure with end to end encryption that no-one can backdoor.

On the other end, security is hard and we fail in so many other obvious,
exploitable ways. Even with mandating that e.g. Apple be able to decrypt the
contents of any iPhone it does not actually reduce our security in a
meaningful way because there's so many other ways we routinely fail at
security.

------
justinlardinois
Does this actually expand current law? The government already has the ability
to subpoena customer data, including encryption keys.

> The government cannot require or prohibit any specific design or operating
> system for any covered entity to use in complying with a court order.

This seems to specifically exclude one of the main concerns of the whole
Apple/FBI thing.

I also don't see anything explicitly requiring back doors or security
loopholes.

If a customer's data is encrypted and the service doesn't have the keys, I'm
not sure how this bill would help.

Of course, if it really doesn't change anything, I see that as a reason to
_not_ pass the bill.

~~~
studentrob
> Does this actually expand current law?

Of course they're trying to change something. But, the bill contradicts
itself. It was written by people who don't understand technology.

It's an attempt by the authors to outline goals without stating how to achieve
those goals.

They would be hard pressed to find a technologist who would support it.

------
elcct
So this is going to go level above War of Drugs in terms of US retardness.

------
tombert
Maybe I'm a bit confused; if this bill were to pass, would this make SSH
illegal? How about geli on FreeBSD? Am I going to be required to hand over my
encryption keys on my server?

------
tzaman
A not so rhetorical question: If a bill like this passes, would it make sense
for the privacy-aware companies to move completely overseas (like, to UK)
where these laws do not apply?

~~~
SXX
No idea about corporations, but for persons the UK has already had an awful law
regarding encryption since 2007. They may put you in jail for up to two years
for simply not providing decryption keys if there is a court order.

------
nxzero
For anyone that thinks either the government, or for that matter the general
public, doesn't understand the intent of the bill, you are wrong.

Government clearly understands what is going on and has every reason to
support laws like this.

What may not be clear is that, in my opinion, the average person understands what
is going on, but is afraid. Understanding this fear, and how to counter it is
the key, not figuring out how to help people understand how the bill would
function in the real world.

------
digitalneal
Good time to try to push a bill like this thru. News is too obsessed with
Trump to try to dive into a critical thinking issue.

------
LinuxBender
Apologies, this will be an unpopular opinion.

If encryption is deemed illegal for whatever reason, then perhaps start
creating new things that legally don't fall under the category of encryption,
but accomplish the same thing.

There are countless creative, imaginative and intelligent people on this site.
PR teams, please let folks brainstorm first.

~~~
Veratyr
I'm more of the feeling that if the US outlaws encryption, business should
move elsewhere. Many electronic services could operate just fine without a
physical US presence.

------
zxv
The bill may allow the government to force a software vendor to perform work
without any agreement regarding costs. It allows the government to decide
"reasonably necessary costs".

Once any work has begun, the government can force (subpoena) the vendor to
testify regarding results, without any payment whatsoever.

------
tempodox
There was never any serious privacy in the U.S. but if that bill would pass
even the fig leaves would vanish.

------
artursapek
Would this outlaw PGP?

~~~
allemagne
It would outlaw Google and Microsoft from using PGP when designing mail apps.

------
hellbanner
This is requiring tech companies to provide decrypted data, yes.

I want a private key that is only creatable by N separate individuals, who
will only release their part of the key when they can ascertain I am not under
coercion. Is there a system that does this?

~~~
NoGravitas
Do you mean something like [Shamir's Secret Sharing][0]?

[0]:
[https://en.wikipedia.org/wiki/Shamir's_Secret_Sharing](https://en.wikipedia.org/wiki/Shamir's_Secret_Sharing)

~~~
hellbanner
Thank you, reading up on this! Any modern clients you use for this?

------
RIMR
Passing a law against strong encryption will totally prevent terrorists from
using it to conceal their communications. I mean, how are they going to
encrypt their data if it's illegal to do so? /s

------
ferongr
What's the probability of this bill actually becoming law?

~~~
mtgx
I think activism against it will matter a great deal. It should be close to
SOPA-levels or even greater to be _sure_ we can stop it.

That said, as it is, I think things are like this:

\- House majority will not support it, unless it's _dramatically_ watered down
(The House has been quite privacy-friendly/anti-backdoors lately). However,
that could still be bad news for us, if say they only demand large companies
to never use end-to-end encryption for any of their products, and to only make
local disk encryption optional on smartphones (but no backdoor). Apple would
have to sell iPhones unencrypted, Whatsapp would have to go back to Hangouts-
style encryption, and Google will never implement its End-to-End tool for
Gmail. You can forget about research for homomorphic encryption for healthcare
or other services (which I think Microsoft, for one, is doing right now).

\- Senate majority will likely support it _as is_.

Edit: Senator Ron Wyden promises to filibuster it, so we have that going for
us as well, although I'm not sure if this can guarantee it's dead. I think he
threatened a filibuster with the USA Freedom Act as well, but didn't go
through with it at the last moment, when they compromised on something else (I
may not be remembering this exactly):

[https://www.wyden.senate.gov/news/press-releases/wyden-state...](https://www.wyden.senate.gov/news/press-releases/wyden-statement-on-burr-feinstein-anti-encryption-bill)

\- Obama wants to look "neutral" right now, but I don't think he is. I think
he wants the Senate version passed as well. But he would probably accept a
watered down version as well.

Bottom line, if we want to stop it completely, as we did for SOPA, then we
need to organize, and we need companies to do what they did for SOPA, too, and
alert the public about it en masse.

~~~
studentrob
Yeah I don't think Obama is neutral. He says the same thing as this bill. He
says he "supports strong encryption", and says criminals should not be able to
hide their digital communications from government.

They still do not understand that it's not possible to force criminals to use
government-approved encryption software. Criminals can write their own
encryption.

The sooner we voice up and vote out those who support such unreasonable laws,
the sooner we can progress as a society towards finding the right ways to keep
each other safe.

Does anyone know if there is a list of representatives showing their positions
on this bill?

~~~
gr3yh47
>They still do not understand that it's not possible to force criminals to use
government-approved encryption software.

I think in this instance this is a case of you assuming ignorance where malice
is far more likely. Looking at the comprehensive mass surveillance of, well,
everyone (by the NSA et al), I think the point here is to further the goal of
population control i.e. they don't care about criminals who would write their
own, they just want always-on access to everyone.

~~~
studentrob
> I think in this instance this is a case of you assuming ignorance where
> malice is far more likely

I doubt it because (1) this would involve a wide-ranging conspiracy, and (2)
they won't achieve their goal. If they were informed, they would know they
will fail. As it is, Obama, Comey, etc will go down in history as asking
technologists to perform magic. Nothing about this law helps them catch
terrorists, and it hurts the US government's relationship with technologists
going forward.

> they don't care about criminals who would write their own, they just want
> always-on access to everyone

That will not happen without a fight from companies like Apple. Ultimately,
this just brings more awareness to users. It is not hard for companies to
convince their users that backdoors for government make their data less
secure. Tim Cook already took the first step.

More likely, I think, is technologists view government as lying about
everything. We are iconoclasts seeking to break down cultural conservatisms.
Also, we generalize too easily. We see government being disingenuous about one
thing and assume they're dishonest about everything.

Ultimately, it doesn't matter if certain members of government are lying or
not. We should be educating the public and our representatives about the fact
that we can't force criminals to use government-mandated encryption.

------
elcct
Speaking foreign language counts as use of encryption?

~~~
kirushik
Does hog latin qualify as encryption? ROT-13? Dictionary replacement?
XOR?

------
SeanDav
All I can say is George Orwell was a clairvoyant genius. Right now it looks
like his only mistake was he did not go far enough.

------
modscensor11
Just a reminder that trying to discuss these matters on HN is a bad idea as
the moderators routinely bury any anti government sentiments and articles, ban
accounts and IPs which are critical of the government and allow government
sock puppets to control the conversation.

Then the mods' only defense is to say trust them and none of this is true, but
ample evidence exists to the contrary.

American government is corrupt and HN Moderation policy is to abide and abet
that corruption.

~~~
allemagne
I have yet to see a pro-government take on this issue in HN.

------
hawleyal
Dianne Feinstein doesn't understand the law.

------
prirun
I think policy makers do not understand how easy encryption is to use. I'm
sending this letter to help them understand a little better why this bill
makes no sense and will not prevent criminals nor terrorists from hiding data
if they want to.

Dear Senator,

I am writing today to explain how a draft bill, the Compliance with Court
Orders Act of 2017, will affect me.

For the last 7 years I have been developing a data backup program, HashBackup.
HashBackup allows people to securely backup their computer data to cloud
storage, without worrying about the storage company or one of its employees
accessing confidential data through the use of strong encryption.

There are many reasons for maintaining strict confidentiality:

\- financial records
\- medical records
\- company trade secrets
\- top secret intelligence
\- general privacy protection
\- and yes, committing crimes

The purpose of this bill as I understand it is to compel any person or company
who provides software or devices that can create unintelligible (encrypted)
data, to assist the government in producing the original, unencrypted data,
with a court order.

The critical piece of information to have in order to produce the original
data is the encryption key. Without that, no one in the world can produce the
original data, whether they wrote the software or not. So this bill's ultimate
purpose is to compel individuals and companies selling encryption products to
use subversive technical means to obtain encryption keys from its customers,
presumably without the customers' knowledge.

My backup program, HashBackup, creates keys on each customer's computer. The
customer is responsible for their key, just like the lock on their front door.
Similar to a lock manufacturer, I do not know or have access to any customers'
encryption keys. If the customer loses their key, they lose their backup, and
there is nothing I can do to help them recover it.

If my customer uses HashBackup to store their data at Amazon or Google, and
the government decides they want that data, I am the one who will get a court
order to provide it since I wrote the software that encrypted it. The only way
I could possibly comply with the order is to install special "backdoor" code
in HashBackup that relayed the customer's key to the government. If customers
realize that their encrypted backup data is not really secure and private, I
will be out of business.

Our government presents this issue as a way for law enforcement to prosecute
crime and prevent terrorism. But as we all know, criminals and terrorists do
not obey laws; the laws end up only affecting the law-abiding. If this law is
passed, criminals will be unaffected, as they can easily encrypt their own
data and hide their keys.

Some people may believe that encryption is a complex technology that only big
companies like Apple can use. It is not. Encryption is a simple technology
that anyone can use. It doesn't require any special computer skills, training,
or equipment. Criminals and terrorists will continue to use simple encryption
after this law is passed.

To show how easy it is to encrypt and decrypt messages, here are two very
simple programs to encrypt and decrypt messages. These are written in the
Python computer language, but similarly simple programs can be written in most
modern computer languages.

The first example program encrypts a message. The lines beginning with # are
comments to explain what the program is doing:

    
    
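      import binascii
      import os
    
      # AES here is assumed to be the PyCryptodome implementation
      # (pip install pycryptodome); the bare "import AES" does not resolve
      from Crypto.Cipher import AES
    
      # create a key and display it
      key = os.urandom(16)
      print('Key:', binascii.hexlify(key).decode())
    
      # here's the message to protect;
      # add spaces until it is a multiple of 16 letters
      message = b'this is a secret'
    
      # encrypt and display the same message 3 times
      for i in range(3):
          # a fresh random iv makes each encryption of the same message differ
          iv = os.urandom(16)
          encrypted = AES.new(key, AES.MODE_CBC, iv).encrypt(message)
          print('Encrypted message:', binascii.hexlify(iv + encrypted).decode())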
    
    

The next example program decrypts an encrypted message and displays the
original secret message:

    
    
      import binascii
      import sys
    
      # AES here is assumed to be the PyCryptodome implementation
      # (pip install pycryptodome); the bare "import AES" does not resolve
      from Crypto.Cipher import AES
    
      # get the key and encrypted message
      key = binascii.unhexlify(sys.argv[1])
      encrypted = binascii.unhexlify(sys.argv[2])
    
      # separate the iv
      iv = encrypted[:16]
      encrypted = encrypted[16:]
    
      # decrypt and display the original message
      print('Original message:', AES.new(key, AES.MODE_CBC, iv).decrypt(encrypted).decode())
    
    

Now we show the encryption program creating 3 completely different encryptions
of the same secret message, all using the same key:

    
    
      [jim@mb ~]$ py easy1.py
      Key: 9cba06caad965229457652b3ae760595
      Encrypted message: 4c77810f6f39946a2e525b2ef0e2fe6ed70201d22bb263734dd3aebbbf11af0d
      Encrypted message: d262cca8d9da4aa01c36be5dcf2809d212348438752ffea491a13dacd2999ba9
      Encrypted message: 0749d160d9e751a67bb908ba8df7800a177e53ea03fad3694bbeab54cd680469
    
    

Here is the decryption program changing all 3 encrypted messages back to the
original message:

    
    
      [jim@mb ~]$ py easy2.py 9cba06caad965229457652b3ae760595 4c77810f6f39946a2e525b2ef0e2fe6ed70201d22bb263734dd3aebbbf11af0d
      Original message: this is a secret
    
      [jim@mb ~]$ py easy2.py 9cba06caad965229457652b3ae760595 d262cca8d9da4aa01c36be5dcf2809d212348438752ffea491a13dacd2999ba9
      Original message: this is a secret
    
      [jim@mb ~]$ py easy2.py 9cba06caad965229457652b3ae760595 0749d160d9e751a67bb908ba8df7800a177e53ea03fad3694bbeab54cd680469
      Original message: this is a secret
    
    

An interesting fact you may not realize: one key can be used to encrypt the
same message in many different ways. These simple programs above can encrypt
the same message, using the same key,
340,282,366,920,938,463,463,374,607,431,768,211,456 different ways.

No matter what laws our government passes, criminals will not obey them. If a
criminal wants to keep something secret using technology, it is not hard: all
they have to do is privately share a key with someone, then send encrypted
messages like the above.

An important point is that these encrypted messages can be sent over ANY
communication medium. Whether the government has access to them or not, they
cannot be decoded without the key. Criminals can encrypt GPS coordinates and
times for example, send them as a simple text message, and neither the
government, Apple, nor anyone else would be able to see the original message.

I have no problem with law enforcement doing an authorized search to obtain a
suspected criminal's encryption key(s) FROM THE SUSPECT. But as a producer of
software, I should not be compelled to violate my customers' trust by stealing
their key without their knowledge. Then I become the criminal.

Please do not pass this bill. It will not affect criminals or terrorists -
just the rest of us law-abiding citizens.

Thank you, Jim Wilcoxson

~~~
maxerickson
I haven't done it yet but I've contemplated sending a letter along the lines
of:

Dear Senator,

The draft bill, the Compliance with Court Orders Act of 2017, fails to take
into account the necessity of convenient, effective encryption for protecting
things like online commerce and it fails to account for how easy it is to
access encryption technology that is not compliant with the bill. An example
of readily available software that does not comply with the requirements of
the bill is "Pretty Good Privacy" often referred to as PGP. This software is
widely used and available outside of US jurisdiction.

Many well qualified technologists are speaking out against the bill. Their
reservations and the apparent lack of input from the broader technology
industry is very worrying.

I consider support for a bill with these issues disqualifying and will vote as
such in all future elections.

Thank you,

Max Erickson

------
antillean
It feels like everyone would be better served if the tech community admitted
the legitimacy of the government's (and many, MANY people's) security concerns
and stopped pretending that the right to privacy always trumps the right to
security of the person. (All occurrences of the string "secur" in that EFF
letter[1], for instance, are in reference to data and computer systems. Not
one is in [direct] reference to people.) Or, if we don't go that far, we need
to at least realise the need for political communities to have serious
discussions about how to reconcile those two rights without jeopardising
either of them.

The tech community's solutions WAY too often feel like they're motivated only
by libertarian concerns for freedom which, while extremely important, are not
exhaustively fundamental or final to -- and certainly do not settle the
question for -- non-libertarians.

1\. [https://act.eff.org/action/tell-congress-stop-the-burr-feins...](https://act.eff.org/action/tell-congress-stop-the-burr-feinstein-backdoor-proposal)

~~~
whatnotests
Government serves its people.

Period.

We are not serfs, we are not subjects.

Without the trust of its people, a government is not legitimate, has no
"right" to look at its people's behavior, is simply afraid of losing power.

If instead of spying, governments focused on increasing overall goodwill there
could be trust, not suspicion, on both sides of this encryption line.

~~~
antillean
There's a lot of trust of the government here[1] and in general[2] -- though,
as that Gallup link shows, it MASSIVELY depends on which arm of the government
you're talking about.

Again, not many people live in or around the libertarian bubble. And there are
lots of intelligent people who avoid it for very, very good reasons.

\-----

1\. [http://www.theatlantic.com/national/archive/2016/02/apple-fb...](http://www.theatlantic.com/national/archive/2016/02/apple-fbi-polls/470736/)

2\. [http://www.gallup.com/poll/1597/confidence-institutions.aspx](http://www.gallup.com/poll/1597/confidence-institutions.aspx)

