@rietta
Last active April 8, 2016 15:57
The anticipated Feinstein-Burr Compliance with Court Orders Act, an anti-security bill, would require the provision of data in an intelligible format to a government pursuant to a court order (scribd.com). A draft copy has appeared online though whether it has been submitted officially within the Senate is not yet clear (vice.com).

This bill essentially says you cannot have any conversation or data exchange that the government cannot access if it wants to. It is the legal culmination of what the FBI has been lobbying Congress for over a period of years. If Feinstein-Burr becomes law, it will be illegal to deploy strong encryption without a key escrow maintained by each company. Cryptographers and computer scientists near-unanimously assert that key backup systems are insecure at scale.

The first read of the bill is chilling. Strong cryptography within the United States would effectively be banned, preventing U.S. companies from building secure software. These companies would be mandated to provide real technical assistance. Unlike the best effort of today, they would be required to hand over plain-text data in its original format or risk penalties for violating the law.

Specifically, any U.S. company would be required to maintain the ability, through unspecified means, to retrieve the plain text from any data "made unintelligible by a feature, product, or service owned, controlled, created, or provided by the [company]." The company would then be required to turn over such data in real time "concurrently with its transmission" or "expeditiously, if stored by the [company] or on a device."

This would appear to mean that any U.S. organization involved in the design and programming of software, the packaging of that software, the creation of any device that runs such software, and any service provider who sells such a device and software to connect to their network would all be required by law to decrypt your data on short notice and provide it in real time to the government.

This is far, far more insidious than going after the unlocking of an iPhone. If this becomes law, the mere existence of a means to decrypt your data can potentially be exploited by any private party, not just the U.S. government. Every company handling data digitally, no matter how private that data is, would be forced to take on unnecessary data-breach liability. This mandates the creation of back doors without prescribing the exact nature of those back doors.

Let that sink in.
