Several technology industry associations have sent a joint, open letter to U.S. Senators Richard Burr (R-NC) and Dianne Feinstein (D-Calif.) about proposed legislation the Senators drafted. The Compliance with Court Orders Act of 2016 (CCOA) would force companies to decrypt communications on demand for law enforcement agencies.
The industry associations described the proposed legislation as "unworkable" in that it would "create government mandated security vulnerabilities" in digital products and services. The letter stated in part:
"We write to express our deep concerns about well-intentioned but ultimately unworkable policies around encryption that would weaken the very defenses we need to protect us from people who want to cause economic and physical harm. We believe it is critical to the safety of the nation’s, and the world’s, information technology infrastructure for us all to avoid actions that will create government-mandated security vulnerabilities in our encryption systems... Any mandatory decryption requirement, such as that included in the discussion draft of the bill that you authored, will lead to unintended consequences. The effect of such a requirement will force companies to prioritize government access over other considerations, including digital security. As a result, when designing products or services, technology companies could be forced to make decisions that would create opportunities for exploitation by bad actors seeking to harm our customers... The bill would force those providing digital communication and storage to ensure that digital data can be obtained in “intelligible” form by the government, pursuant to a court order. This mandate would mean that when a company or user has decided to use some encryption technologies, those technologies will have to be built to allow some third party to potentially have access. This access could, in turn, be exploited by bad actors... such a technological mandate fails to account for the global nature of today’s technology. For example, no accessibility requirement can be limited to U.S. law enforcement; once it is required by the U.S., other governments will surely follow. In addition, the U.S. has no monopoly on these security measures. A law passed by Congress trying to restrict the use of data security measures will not prevent their use. It will only serve to push users to non-U.S. companies, in turn undermining the global competitiveness of the technology industry in the United States..."
Four groups signed the open letter: Reform Government Surveillance (RGS), the Computer & Communications Industry Association (CCIA), the Internet Infrastructure Coalition (I2C), and the Entertainment Software Association (ESA). RGS members include Apple, Dropbox, Facebook, Google, LinkedIn, Microsoft, Twitter, and others. CCIA members include Amazon, eBay, Google, Microsoft, Netflix, Pandora, PayPal, Samsung, Sprint, and others. I2C members include Amazon, Google, GoDaddy, HostGator, Verisign, and many more companies worldwide. ESA members include Activision, Disney Interactive Studios, EA, Konami, Nintendo, and others.
Privacy and security advocates itemized several problems with the CCOA. Some experts warn that the proposed legislation makes encryption illegal:
"... if the court orders you to provide the contents of a phone you made, a conversation on your messaging service, an account on your social network, or basically anything that has been made “unintelligible” using encryption, you are required by law to decrypt that information... the very foundation of encrypted communication is the deliberate and transparent impossibility of a third party listening in, service providers and manufacturers included. If it can be accessed, it isn’t encrypted. If it can’t be accessed, it isn’t legal..."
Earlier this month, Congressman Darrell Issa (R-CA), Chairman of the House Judiciary subcommittee responsible for the nation’s Internet policy, described the CCOA as:
“... about as flawed and technically-naive as a piece of legislation can get. Mandating that companies weaken our security to give government secret backdoor access into our devices would be a massive blow to Americans’ right to privacy and frankly would also be downright dangerous...”