Privacy and Security

Senators Threaten to Eradicate Device and End-to-End Encryption

Senators Feinstein and Burr Circulating Proposal, Which Would Mandate Backdoors for All Forms of Encrypted Products and Services

The end of encryption as we know it is near if Senators Diane Feinstein and Richard Burr have their way. The two senators have been circulating proposed legislation, entitled the “Compliance with Court Orders Act of 2016.”

The proposal is not just bad for privacy; it is horrible. The senators claim, at least in the first few phrases of the proposal, that they merely want to force companies to comply with the law and court orders. But the text of the proposal reveals that their intent is not about forcing companies like Apple to comply with court orders. It is about forcing companies like Facebook, owner of WhatsApp, and Telegram to create backdoors for their services, which will weaken security, allowing both hackers and foreign governments easier access to devices and communications.

The proposal would require a device manufacturer, app developer, cloud computing company, and other service providers to provide law enforcement with copies of data or communications in decrypted format. This is despite the fact that companies like Facebook or Apple have no connection to terrorism or crimes being investigated. The only common thread is that bad actors chose to purchase a particular device or use a particular software service.

The Feinstein-Burr proposal would mandate backdoors for both encrypted devices and products that offer end-to-end encryption for electronic communications.

To comply with the Senators’ proposals, manufacturers of encrypted devices, such as the iPhone or Android phones, would have to modify operating systems, building in a way either they or law enforcement can access devices.

Similarly, to comply with the proposal, end-to-end encryption services such as WhatsApp and Telegram would have to create special code allowing them to access users’ messages. If the government demands copies of the messages, the app companies would be forced either to decrypt the messages or provide the government with the technical assistance needed to decrypt the messages.

Imagine if the same concepts were applied to manufacturers of other products. Take cars, for example. Drug runners use cars, hiding their products throughout vehicles. Applying the logic and consequences of the Feinstein-Burr proposal, the government could require automobile manufacturers to provide blueprints of all cars, identifying where drugs could be hidden. In the event the manufacturer failed to identify a location, or refused to provide the blueprints, the government could require the vehicle’s engineers to pull the car apart, locating all potential hiding locations for contraband.

The illustration can go a step further: Criminals discuss plans to commit crimes in cars. Applying the concepts of the Feinstein-Burr proposal, the government could mandate that automobile manufacturers install microphones in every car. If the government secures a warrant, or other court order, it could compel the manufacturer to turn the microphone on remotely. The government could also demand access to all microphones, with the promise that it will only use them with an appropriate order.

The Feinstein-Burr proposal would end encryption as we know it by demanding that companies, with no connection to terrorism or criminal activities, create backdoors for encrypted devices and encryption services. It threatens to significantly weaken cyber security for all Americans by providing hackers and foreign governments the resources needed to access personal and sensitive information.


In Depth: Privacy and Security

A market environment is essential for future success of the Internet. A consumer and private-sector-driven approach to privacy via self-regulation avoids undue regulatory burden that would threaten a thriving electronic marketplace. The Internet has flourished due in large part to the unregulated environment in which it has developed and grown.

+ Privacy and Security In Depth

Privacy and Security