A draft copy of a US law to criminalize strong encryption, thought to be authored by Senators Richard Burr (R-NC) and Dianne Feinstein (D-CA), has been leaked online. And the internet is losing its shit.
"We're still working on finalizing a discussion draft and as a result can't comment on language in specific versions of the bill," the pair said in a joint statement to The Register.
We note that the proposed legislation hasn't been formally published yet: the document is still being hammered out by the Senate intelligence select committee, which Burr chairs and of which Feinstein is vice-chair. Curiously, the leaked copy has no one's name on it, and no one wants to admit they wrote it.
"The underlying goal is simple," the senators continued, "when there's a court order to render technical assistance to law enforcement or provide decrypted information, that court order is carried out. No individual or company is above the law. We're still in the process of soliciting input from stakeholders and hope to have final language ready soon."
The draft legislation, first leaked to Washington DC insider blog The Hill, is named the Compliance with Court Orders Act of 2016, and would require anyone who makes or programs a communications product in the US to provide law enforcement with any data they request in an "intelligible format," when presented with a court order.
The bill stems from Apple's refusal to help the FBI break into the San Bernardino shooter's iPhone, but goes well beyond that case. The bill would require companies to either build a backdoor into their encryption systems or use an encryption method that can be broken by a third party.
The bill's text has the authors' names redacted, and it begins by noting that "no person or entity is above the law." It also notes that "economic growth, prosperity, security, stability, and liberty require adherence to the rule of law," just in case anyone needed reminding.
The response to the leaked draft from the tech industry is understandably irate. The industry fought and won this fight in the 1990s during the first crypto wars, and it is now having to go over the same ground again on encryption.
"The absurdity of this bill is beyond words," wrote computer forensics expert and police trainer Jonathan Ździarski.
"Due to the technical ineptitude of its authors, combined with a hunger for unconstitutional governmental powers, the end result is a very dangerous document that will weaken the security of America's technology infrastructure."
Which is a good reason why the authors haven't put their name to it. El Reg suspects the draft is a trial balloon leaked deliberately by someone within or close to the committee to gauge reactions before amendments. Burr and Feinstein have both been touting the legislation around Washington, and yesterday sources in the White House said the executive branch wasn't going to support the legislation, and it won't be alone.
"This legislation says a company can design what they want their back door to look like, but it would definitely require them to build a back door," said Senator Ron Wyden (D-OR).
"For the first time in America, companies who want to provide their customers with stronger security would not have that choice – they would be required to decide how to weaken their products to make you less safe."
For one thing, it will kill end-to-end encryption.
"Well, the Feinstein-Burr bill is pretty much as clueless and unworkable as I expected it would be." — Matthew Green (@matthew_d_green), April 8, 2016
If the bill is the work of Burr and Feinstein, it's a little worrying, as they are the chairman and vice-chair of the Senate Intelligence committee, which is supposed to oversee US law enforcement. But they do have form in the area.
Last year the dunderheaded duo coauthored the "Requiring Reporting of Online Terrorist Activity Act," which would require social media companies to monitor all comments for anything related to terrorism. That bill is currently going nowhere and it's likely this one will do the same. ®