The Senate Intelligence Committee unveiled legislation this week that would require technology companies to give up your encrypted iPhone messages to law enforcement. The bill has some elements in common with similar legislation China adopted last year.
The Senate’s Compliance with Court Orders Act of 2016 wants to make technology companies like Apple comply with court orders and give “intelligible information or data, or appropriate technical assistance to obtain such information or data,” to law enforcement.
In other words, the bill says that communications companies could no longer provide consumers with end-to-end encryption that the providers themselves can’t break (even under court order). That means that they can’t offer actual end-to-end encryption.
So far, the bill has earned predictable condemnation from the technology community, whose reaction has run the spectrum from mockery to alarm. Kevin Bankston, who directs New America’s Open Technology Institute, described it to Wired as “easily the most ludicrous, dangerous, technically illiterate” proposal he had seen in 20 years. Reuters reports that the White House is hesitant.
Two law-enforcement associations are backing the measure. The National District Attorneys Association and the International Association of Chiefs of Police sent a letter to committee heads Thursday, thanking them for their efforts to rein in Apple and other communications companies run amok (by offering security features that make devices safer for consumers to the inconvenience of law enforcement).
“We saw recently in the San Bernardino case, Apple refused to comply with a valid, legally issued search warrant obtained by establishing probable cause before a judge. This unfortunate decision by Apple only serves to highlight the fact that Apple and other companies currently have the ability to unilaterally decide who has access to evidence that is essential to day to day investigations. Simply put, this allows for profit companies to determine what they believe is the appropriate balance between customer data security, versus the security of our communities,” the groups argue in the letter.
The proposed law resembles new Chinese rules that also demand companies help authorities access user data.
In 2014, a committee within the National People’s Congress was considering legislation that would have required technology companies to build encryption backdoors into systems and devices for the Chinese government to use as part of investigations into terrorism (though the definition of terrorism was fairly broad). The rule also would have mandated that companies store customer data on servers located in China.
U.S. Secretary of State John Kerry, U.S. Treasury Secretary Jacob Lew, and other U.S. officials objected to the legislation. The U.S. technology community also presented a united front on the issue, and the pleas worked. The legislation that passed at the end of last year removed the controversial parts about housing data onshore in China and forcing companies to share encryption keys with the government. But it did require them to offer “technical means of assistance” to law enforcement.
Chinese parliament law division head Li Shouwei told reporters that the law was “the same as what other major countries in the world do.”
The Compliance With Court Orders Act is not expected to pass. If it does, companies like Apple will face similar pressure from the U.S. and China, the technology industry’s number one target market for future sales. Smartphone penetration into the Chinese market is at about 50 percent.
If the legislation were to pass, consumers from Boston to Beijing could lose security features that protect data from hackers, and, yes, governments.
Robert Atkinson, president of the Information Technology and Innovation Foundation, or ITIF, a Washington think tank, says the two bills differ substantially in terms of intent.
“China’s legislation on encryption is in part designed to squelch free speech; ours is designed to help prevent crime and terror,” he said, but added “that’s not to say that the Senate bill is the right bill. It’s not.”
The reason? The bill overlooks the importance of “strong encryption to U.S. cybersecurity,” Atkinson argued, something that ITIF covers in a new report.