A draft of a US senate bill was leaked online today, which would compel providers of end-to-end encryption technology to be able to decrypt users' data if given a court order. The bill, called the 'Compliance with Court Orders Act of 2016' and sponsored by Sen. Richard Burr (R-NC) and Dianne Feinstein (D-CA), would effectively kill privacy features provided by applications and services like WhatsApp.
The bill seems to be aimed at companies like Apple, which recently had a court standoff with the FBI over an encrypted iPhone. While the FBI backed out of the case after a third party was able to defeat the phone's security, the legal precedent of requiring companies to be able to decrypt data when issued a court order was left on the table. This bill seems to be meant to take the fight out of the courts and bring it to Congress.
The bill is summarized as, "To require the provision of data in an intelligible format to a government pursuant to a court order, and for other purposes."
The law would require in section 3, subsection (a), paragraph (3) that any "covered entity" that receives a court order be "responsible only for providing data in an intelligible format if such data has been made unintelligible by a feature, product, or service owned, controlled, created, or provided by the covered entity or by a third party on behalf of the covered entity."
As if that's not shocking enough, subsections (b) and (c) appear to contradict each other. In subsection (b), the bill reads:
"Nothing in this Act may be construed to authorize any government officer to require or prohibit any specific design or operating system to be adopted by any covered entity."
Meanwhile, the very next subsection imposes a design requirement:
"A provider of remote computing service or electronic communication service to the public that distributes licenses for products, services, applications, or software of or by a covered entity shall ensure that any such products, service, applications, or software distributed by such person be capable of complying with subsection (a)."
If legalese isn't your thing, this bill basically says that the creators of any service must be able to decrypt any data in order to comply with a court order. On top of that, the software or service would have to be designed in such a way that the entity is able to comply with such an order.
Matthew Green, a professor who teaches cryptography at Johns Hopkins University, had a few thoughts on the issue:
"How secure can your encryption be when any court in the land, including Indian tribes, can send you a piece of paper asking to undo it?" -- Matthew Green, April 8, 2016
"I don't *think* Feinstein-Burr intended to make your TLS connections retrospectively tappable, but that's one reading." -- Matthew Green, April 8, 2016
What Green is saying in the second tweet is that any encrypted information sent over the internet—such as TLS-encrypted traffic between you and Gmail, your bank, Facebook, or Steam—could be affected by this law. Those services would be required to be able to make that encrypted traffic intelligible on demand.
"If this dangerous bill passes, it would outlaw not just end-to-end encrypted communications but also the tools that protect our information from criminals, hackers and foreign governments working to undermine the security of millions of people and businesses," said Gaurav Laroia, policy counsel at the Free Press Action Fund. "Our right to privacy should extend beyond in-person conversations to include communications made via the internet and wireless networks. Encryption is the tool that makes this possible."
The text of the draft bill is available online at cryptome.org.