Read America's insane draft crypto-borking law that no one's willing to admit they wrote

Understandable – it's more stupid than expected


A draft copy of a US law to criminalize strong encryption, thought to be authored by Senators Richard Burr (R-NC) and Dianne Feinstein (D-CA), has been leaked online. And the internet is losing its shit.

"We're still working on finalizing a discussion draft and as a result can't comment on language in specific versions of the bill," the pair said in a joint statement to The Register.

We note that the proposed legislation hasn't been formally published yet: the document is still being hammered out by the Senate intelligence select committee, which Burr chairs and of which Feinstein is vice-chair. Curiously, the leaked copy has no one's name on it, and no one wants to admit they wrote it.

"The underlying goal is simple," the senators continued, "when there's a court order to render technical assistance to law enforcement or provide decrypted information, that court order is carried out. No individual or company is above the law. We're still in the process of soliciting input from stakeholders and hope to have final language ready soon."

The draft legislation, first leaked to Washington DC insider blog The Hill, is named the Compliance with Court Orders Act of 2016, and would require anyone who makes or programs a communications product in the US to provide law enforcement with any data they request in an "intelligible format," when presented with a court order.

The bill stems from Apple's refusal to help the FBI break into the San Bernardino shooter's iPhone, but goes well beyond that case. The bill would require companies to either build a backdoor into their encryption systems or use an encryption method that can be broken by a third party.

The bill's text has the authors' names redacted, and it begins by noting that "no person or entity is above the law." It also notes that "economic growth, prosperity, security, stability, and liberty require adherence to the rule of law," just in case anyone needed reminding.

The response to the leaked draft from the tech industry is understandably irate. The industry fought and won this fight in the 1990s during the first crypto wars, and it is now being made to go over the same ground again.

"The absurdity of this bill is beyond words," wrote computer forensics expert and police trainer Jonathan Zdziarski.

"Due to the technical ineptitude of its authors, combined with a hunger for unconstitutional governmental powers, the end result is a very dangerous document that will weaken the security of America's technology infrastructure."

Which is a good reason why the authors haven't put their names to it. El Reg suspects the draft is a trial balloon leaked deliberately by someone within or close to the committee to gauge reactions before amendments. Burr and Feinstein have both been touting the legislation around Washington, and yesterday sources in the White House said the executive branch wasn't going to support the legislation, and it won't be alone.

"This legislation says a company can design what they want their back door to look like, but it would definitely require them to build a back door," said Senator Ron Wyden (D-OR).

"For the first time in America, companies who want to provide their customers with stronger security would not have that choice – they would be required to decide how to weaken their products to make you less safe."

For one thing, it will kill end-to-end encryption.

If the bill is the work of Burr and Feinstein, it's a little worrying, as they are the chairman and vice-chair of the Senate Intelligence committee, which is supposed to oversee US law enforcement. But they do have form in the area.

Last year the dunderheaded duo coauthored the "Requiring Reporting of Online Terrorist Activity Act," which would require social media companies to monitor all comments for anything related to terrorism. That bill is currently going nowhere, and it's likely this one will do the same. ®

Biting the hand that feeds IT © 1998–2022