Open Letter By Tech Industry Associations Calls The Burr-Feinstein Anti-Encryption Proposal 'Unworkable'

Several technology industry associations have sent a joint, open letter to U.S. Senators Richard Burr (R-NC) and Dianne Feinstein (D-Calif.) about proposed legislation the Senators drafted. The Compliance with Court Orders Act of 2016 (CCOA) would force companies to de-encrypt communications on demand for law enforcement agencies.

The industry associations described the proposed legislation as "unworkable" in that it would "create government mandated security vulnerabilities" in digital products and services. The letter stated in part:

"We write to express our deep concerns about well-intentioned but ultimately unworkable policies around encryption that would weaken the very defenses we need to protect us from people who want to cause economic and physical harm. We believe it is critical to the safety of the nation’s, and the world’s, information technology infrastructure for us all to avoid actions that will create government-mandated security vulnerabilities in our encryption systems... Any mandatory decryption requirement, such as that included in the discussion draft of the bill that you authored, will lead to unintended consequences. The effect of such a requirement will force companies to prioritize government access over other considerations, including digital security. As a result, when designing products or services, technology companies could be forced to make decisions that would create opportunities for exploitation by bad actors seeking to harm our customers... The bill would force those providing digital communication and storage to ensure that digital data can be obtained in “intelligible” form by the government, pursuant to a court order. This mandate would mean that when a company or user has decided to use some encryption technologies, those technologies will have to be built to allow some third party to potentially have access. This access could, in turn, be exploited by bad actors... such a technological mandate fails to account for the global nature of today’s technology. For example, no accessibility requirement can be limited to U.S. law enforcement; once it is required by the U.S., other governments will surely follow. In addition, the U.S. has no monopoly on these security measures. A law passed by Congress trying to restrict the use of data security measures will not prevent their use. It will only serve to push users to non-U.S. companies, in turn undermining the global competitiveness of the technology industry in the United States..."

Four groups signed the open letter: Reform Government Surveillance (RGS), the Computer & Communications Industry Association (CCIA), the Internet Infrastructure Coalition (I2C), and the Entertainment Software Association (ESA). RGS members include Apple, Dropbox, Facebook, Google, LinkedIn, Microsoft, Twitter, and others. CCIA members include Amazon, eBay, Google, Microsoft, Netflix, Pandora, PayPal, Samsung, Sprint, and others. I2C members include Amazon, Google, GoDaddy, HostGator, Verisign, and many more companies worldwide. ESA members include Activision, Disney Interactive Studios, EA, Konami, Nintendo, and others.

Privacy and security advocates itemized several problems with the CCOA. Some experts warn that the proposed legislation makes encryption illegal:

"... if the court orders you to provide the contents of a phone you made, a conversation on your messaging service, an account on your social network, or basically anything that has been made “unintelligible” using encryption, you are required by law to decrypt that information... the very foundation of encrypted communication is the deliberate and transparent impossibility of a third party listening in, service providers and manufacturers included. If it can be accessed, it isn’t encrypted. If it can’t be accessed, it isn’t legal..."

Earlier this month, Congressman Darrell Issa (R-CA), Chairman of the House Judiciary subcommittee responsible for the nation’s Internet policy, described the CCOA as:

“... about as flawed and technically-naive as a piece of legislation can get. Mandating that companies weaken our security to give government secret backdoor access into our devices would be a massive blow to Americans’ right to privacy and frankly would also be downright dangerous...”

The full text of the CCOA discussion draft is available at Senator Burr's website and here (Adobe PDF, 35k).

Comments

Chanson de Roland

The problem with both the CCOA and Open Letter to Chairman Burr and Vice-Chairman Feinstein Regarding Encryption (Open Letter) is that neither recognize the dilemma of the situation but are either, as is true of CCOA, all for unlocking and decryption (Unlocking), or, as is true for the Open Letter, are all for strong, if not unbreakable, locking and encryption (Locking) of our computing devices. But this ignores the dilemma. To wit: Locking, as advocated by the Open Letter, while offering the best protection for security and privacy, may so greatly impair law enforcement and/or intelligence gathering as to lead to disastrous, if not catastrophic, breach of national security, leading to a great loss of life and destruction of property and the resulting disruption of society, and quite likely a call for abandoning constitutional protections altogether in the mistaken belief that such extreme measures would prevent another such attack, and, of course, Locking would make ordinary law enforcement much less effective, perhaps leading to public corruption and resulting in society’s general decadence; while CCOA’s Unlocking would probably greatly reduce the risks of such harms, as described, supra, Unlocking may open the way for the transformation of the United States into a surveillance state, Eric Blair’s, a.k.a., George Orwell’s, Big Brother, leading to a despotic and fascist state, or, at least, it would create the immediate potential for such a Big-Brother state, and, at the very least, Unlocking would expose the intentionally created backdoors to criminals and others of nefarious intent; it would also result in other governments, some of which would be nasty despotic governments, demanding the same type of backdoors for their law enforcement and intelligence services.

And I believe that any government that adopted CCOA-like law would be transformed into a despotic state, for such power, the power to spy on virtually everyone’s most intimate, personal information, would be a temptation too great to resist and would ultimately and inexorably lead to despotism and fascism of either a Right or Left wing government.

And let’s not forget the severe damage that a unilateral U.S. CCOA would do to the business prospects of U.S. tech firms, though the idea of major nations collaborating on a CCOA treaty sends chills down my spine, as Big Brother would then be created in every nation with the Internet and/or a cell network.

That is the dilemma, and neither CCOA nor the Open Letter present a solution to it. I am not sure that there is a solution to it. But if there is a solution, I think that it will be found in Americans being true and steadfast in protecting and defending the rights manifest and mandated by our U.S. Constitution, balanced against the best means for maintaining our constitutional rights, while defending against the risks that we face, measured by their probability of occurrence. Neither CCOA nor the Open Letter do that. And we must also accept, as has always been true, that the price of our liberty may well entail and almost certainly will cost some of our blood and treasure, but we have always been willing to pay that cost, for ours is the land of the free and the home of the brave.

George

I, too, am not sure that there is a solution to balance competing interests.

Encryption is like social media. It's out there and available. You can't take it away. Consumers and businesses use it. People want effective encryption = end-to-end and under the user's control. Consider this ironic example:

Facebook's Tor Website Has Over One Million Users
http://www.theinquirer.net/inquirer/news/2455868/facebooks-tor-website-has-over-one-million-users

Now, if I can only get the folks at Typepad.com to enable https everywhere.

George
Editor
http://ivebeenmugged.typepad.com

Chanson de Roland

Let me elaborate on the principles that should guide and control a solution to the dilemma of Locking vs. Unlocking. We start with the principle that we shall preserve all of our constitutional rights, privileges, and immunities as a reasonable reading of the U.S. Constitution would understand and give effect to them, for that is the ground on which the United States and her people stand. Then we look at the threats that we face and their respective likelihood of occurrence, and what are the best means available for dealing with those threats, while maintaining our constitutional rights. And by best, I mean those methods that will least burden our rights, while providing for our security, so that the methods which place the greatest, yet always constitutionally acceptable under the circumstances, burden on our rights are reserved for the most serious threats, while lesser threats won't be permitted to hinder our rights in any way, such that, for example, ordinary law enforcement won't be permitted to hinder our rights in any way. In this way, the degree of permitted burden on our rights will be proportional to the threat as measured by its likelihood of occurrence multiplied by the magnitude of its harm, but with the burden on our rights always being cabined within the bounds of what is permitted by the U.S. Constitution. Even so, even with the wisest and best balance and matching of threat to the means for most effectively and appropriately dealing with it, being faithful to our constitution and being steadfast in honoring it can not be had without some risks of loss of our blood and treasure.

Now, of course the foregoing process will be dynamic, will depend upon the circumstances, and will require the constant application of the best or at least the wise and honest judgement of our leaders, our law makers, and particularly our judges. But the only alternative is to abandon our constitution and trust that the misery and enormities of despotism will be less than the misery of the threats of terror and the decadence of crime, which is a proposition that both history and wise judgment have proved to be false time and time again.

My second point is to note the utter hypocrisy of nearly all the signatories to the Open Letter, for each of them routinely breaches our privacy in a massive, pervasive, and relentless way to make their profits. The only exception may be Apple, but all of the rest, particularly the titans of social media and search, such as Google and Facebook, constantly violate our privacy far more frequently, far more pervasively, far more effectively, and far more intimately than anything that even the most despotic government has ever done. Indeed, governments took their early lesson and still lag behind their masters in e-commerce, social media, entertainment, and search when it comes to breaching our privacy by probing our computer devices with impunity to collect, use, and trade in our personal data. For them to sign the Open Letter critical of the government should have caused their faces to glow brightly with the heat and light of shame and hypocrisy. For I say this: If government had access to what the likes of Google and Facebook know about us, it would have little occasion to resort to the warrants and the All Writs Act to discover the information about us that it seeks.

So Senators Burr and Feinstein could step back and concede that the Open Letter’s arguments are well taken, but demur that they will hold their ground until the titans of the tech industry lead by example by restoring to all of us our rights to privacy and our rights to property in our personal information, for if the Open Letter is well taken for governments, it is at least as well taken for the tech industry, and government will take its lead once again from the tech industry, waiving its power, to the extent that such a power is constitutional, to require their assistance in executing valid search warrants, as they, the firms of the tech industry, do not collect, use, and/or trade in our personal information, except by permission of a fairly and freely negotiated license from each user who authored that information through his acts on a network and the computers connected to it. What is good for the government is good for Google, Amazon, and Facebook and their ilk.