The stated intention of these bills is unachievable. I don't mean technologically - key escrow is certainly possible. I mean as a practical matter, given the makeup of the commercial sector in the US. The capability to render plaintext to authorities on request is incompatible with how large companies handle information security.
That being the case, why is this bill still being pursued, given that it's a dead letter?
1. By continuing the kabuki dance, legislators and regulators may hope to spook companies like Apple into self-regulating, to avoid public regulation. Good luck with that.
2. Legislators might be doing this mostly for show.
3. Legislators might keep pushing the bill until all the meaningful bits have been planed off (an option compatible with (2)), and further might not realize that their resulting product is toothless.
NB: I am talking my book a little here, since I'm a party to several bets that meaningful crypto regulation in the US will never happen.
The budget figures surrounding these repeated, "whack-a-mole" efforts should be forcibly transparent to the public. And reported.
If the public could readily see how much of their tax dollars (and, as well, what percentage of public employees' schedules / work hours) were being poured into trying the same thing -- already just decided -- over and over again...
Well, it's the only thing I can think of. Make this self-serving, lobby-machine-service activity and expense as transparent as possible.
Preferably with criminal penalties for hiding it from public examination and accounting.
I found it interesting that intelligence and terrorism investigations would no longer be covered by the bill. You read that right - what seems like the primary justification is no longer covered. As the article's author says, it seems particularly odd given that the bill’s sponsors are, after all, members of their respective chambers’ intelligence committees:
A second change would eliminate section (B) under the bill’s definition of “court order,” which obligated recipients to comply with decryption orders issued for investigations related to “foreign intelligence, espionage, and terrorism.” The bill would then be strictly about law enforcement investigations into a variety of serious crimes, including federal drug crimes and their state equivalents.
The article author makes a few guesses about why that would be: 1) A concession in a recurring jurisdictional turf war with the judiciary committees; I understand turf wars and concessions; though I don't quite understand how this change fits that description, I'll take his word for it. 2) Intelligence agencies have opposed back doors; and 3) major tech companies are worried about a high volume of requests from intelligence agencies.
But what about this possibility: Intelligence agencies and/or tech companies don't want intelligence investigations to be codified and legalized, giving all parties laws that can be broken. Better to be in a legal gray area. (I don't know what already is codified or how much gray area there is.)
My take is that this law would force companies to structure their services in a way that made plaintext recoverable. And then intelligence agencies could continue to use National Security Letters and their special secret court to get the material they wanted. Or do their fancy hacking.
In other words, a side-effect of the law is to outlaw NSA-hard security design, and that's enough for them.
This is an interesting case. What if a law is passed that is impossible to comply with? For example, what happens if all CEOs are required to flap their arms and fly to the moon to sign something? How does that get overturned?
This is a line too far for me. I will not comply. I think we should all insist that we build systems where the encryption is open source, out of our control and we never have access to the keys.
It's time to get rid of passwords too. Start, step by step, getting users used to keys, and used to being responsible for them. IT won't happen overnight.
Doing this takes care of a whole lot of social engineering problems too where hackers could call your customer support reps and get access to an account via an out of band password reset.
It's not just about not trusting the government, it's about not trusting yourself. Your company could make mistakes procedurally, your employees can make mistakes via human weakness or trickery, and as a society we need the trust that comes with real security.
That being the case, why is this bill still being pursued, given that it's a dead letter?
1. By continuing the kabuki dance, legislators and regulators may hope to spook companies like Apple into self-regulating, to avoid public regulation. Good luck with that.
2. Legislators might be doing this mostly for show.
3. Legislators might keep pushing the bill until all the meaningful bits have been planed off (an option compatible with (2)), and further might not realize that their resulting product is toothless.
NB: I am talking my book a little here, since I'm a party to several bets that meaningful crypto regulation in the US will never happen.