The first proposed US federal encryption legislation has been released, and had it been established law earlier this year Apple would have had to provide the help the FBI asked for in accessing encrypted data on the iPhone used by a terrorist in San Bernardino.
The draft published by Sen. Richard Burr of North Carolina and Sen. Dianne Feinstein of California calls for encryption vendors and others to obey court orders that command them to deliver intelligible versions of encrypted data or to provide technical assistance to make it intelligible.
That’s exactly what the FBI was asking for earlier this year with a judge’s order to disarm the anti-brute-force mechanism on the terrorist’s iPhone. In the absence of a law as specific as the Burr-Feinstein draft, Apple appealed, saying it shouldn’t be forced to create new technology to break the security of its own products.
The FBI dropped the matter when it got a third party to break into the phone, so there was no court ruling on Apple’s argument.
On the one hand the Burr-Feinstein proposal prohibits government officials from requiring or prohibiting any specific design or operating system. On the other it requires that vendors and service providers covered by the law make sure products and services they license can make encrypted communications intelligible.
That doesn’t explicitly require encryption backdoors, but the only known way to reliably decrypt data and communications is to have a backdoor.
If required by a court order, vendors would have to isolate the requested data, make it intelligible, and do so either real-time as it is transmitted, or in the case of stored data, it would have to be decrypted expeditiously.
Vendors and service providers are only responsible for complying with the law if it is their product or service that rendered the requested data unintelligible in the first place. So an ISP couldn’t be held responsible for decrypting communications that cross its network unless they provided the encryption. They wouldn’t be responsible for traffic that was encrypted by the endpoints in the communication.
The proposal says that any entity that provides services or products that could be affected by the court orders must make their products and services able to comply. So if a service provider offered an encryption service powered by a third party’s software, they would have to make sure there was a means for decrypting whatever the software encrypted.
The draft specifies that the law would be applied only to certain crimes including those involving threat of or actual death or serious bodily harm; terrorism and espionage; federal crimes against minors; serious violent felonies; and serious federal drug crimes. It would also cover state crimes that are equivalent to those federal crimes mentioned.
The requirements would apply to device manufacturers, electronic communication or remote computing service providers, and anyone who “provides a product or method to facilitate a communication or the processing or storage of data.”
The proposal doesn’t touch on what the penalties are for failing to comply with the law.
Vendors that provide technical assistance would be paid for reasonable costs incurred in providing that assistance.