For a nation that was founded on the idea that every member of society should be guaranteed the opportunity for “life, liberty, and the pursuit of happiness,” our government’s recent actions certainly lead to the belief that these are long since forgotten. Government policies have made a drastic move to being merely reactive to a specific set of circumstances. It is as if the most common comment heard on Capitol Hill is, “This is new. I don’t entirely understand it. So let’s build a regulation around it that I do understand so that it isn’t so scary anymore.” The prime example of this is the Compliance with Court Orders Act of 2016 to come out of the Senate Intelligence Committee.
In response to the recent situation where Apple refused to provide the FBI an encryption key that would allow the FBI unlimited attempts to unlock an iPhone without the data being erased, these Senators felt that law enforcement needed better legislative support than the over-100-year-old All Writs Act to compel a company to provide aid to law enforcement in order to access information not readily available. The reason for this is that the All Writs Act wasn’t written with any concept of what the world would be today. At the time, they were considering things like opening a personal safe to gain access to whatever materials or physical information was contained therein so that they could protect, prosecute, or otherwise act on behalf of the United States government. The All Writs Act, though, never accounted for the idea that the single “key” someone is compelled to use could be a piece of data that unlocks millions of devices across the planet.
The bill that was leaked in draft and then later released has no better description than utter incompetence. The definitions, the understanding, and the language demonstrate a complete lack of comprehension on how modern technology actually works.
The Act requiring data in an intelligible format reads,
“A covered entity…shall be responsible only for providing data in an intelligible format if such data has been made unintelligible by a feature, product, or service owned, controlled, created, or provided, by the covered entity or by a third party on behalf of the covered entity.”
The Act later goes on to address License Distributors,
“A provider of remote computer service or electronic communication service to the public that distributes licenses for products, services, applications or software of or by a covered entity shall ensure that any such products, services, applications, or software distributed by such person be capable of complying….”
Quite possibly the most dangerous language, though, is how those rules are applied to their definition of intelligible data,
“(A) [t]he information or data has never been encrypted, enciphered, encoded, modulated, or obfuscated; or (B) the information or data has been encrypted, enciphered, encoded, modulated, or obfuscated and then decrypted, deciphered, decoded, demodulated, or deobfuscated to its original form.”
Those statements, taken collectively, form language that is so broad it actually encompasses all data that’s transmitted from point to point in any way. Did you compile your data in a zip file and send that with password protection? Then it applies. Did you compress that video signal to transmit it point-to-point to another device? Then it applies. There is no such thing as transmitted data that isn’t encoded.
So who can be compelled to provide information in this case?
“Covered entity means a device manufacturer, a software manufacturer, an electronic communication service, a remote computing service, a provider of wire or electronic communication service, a provider of a remote computing service, or any person who provides a product or method to facilitate a communication or the processing or storage of data.”
The word “provider” in that sentence is extremely vague. Who is the provider of a unified communications solution? Is it the manufacturer? Is it the technology integrator? Who will be responsible for taking action once the court order compelling somebody to provide access to the information being transmitted is made?
What’s being proposed here is that if a court, the government, or even an Indian Tribe wishes to access information that might be locked on a device behind an encryption key, then the manufacturer of that device or key must provide the information or aid the compelling party in the unlocking of the information.
Let’s apply that same language to go beyond personal devices and look at business communications.
The next-to-last statement in the Act states that the compelled party is also responsible for “delivering such information or data – (i) concurrently with its transmission; or (ii) expeditiously, if stored by a covered entity or on a device.” Yes, you read that right. Based on the definitions of what the Senate is saying is required in this Act, compelled individuals or companies are not only required to provide the information quickly, but also responsible for eavesdropping and providing the data as it is being transmitted. It’s difficult to believe that any technology provider or creator could be compelled by legislative action to actually spy on their customers.
We are at a major breaking point in the way that technology integrates into our lives. With all the smart devices and sensors located in our devices, the concept of true privacy is becoming a myth. That device in your pocket is reporting back to someone; even if it’s only when certain applications or services are accessed, it’s still happening. Encrypting that data is the only form of privacy that we still have. Consumers and corporations are entirely reliant on the developers to provide that and make sure the information is kept secure. This bill would negate all of that.
This is an example of a complete lack of understanding. Our policy makers have reached the point where they no longer understand aspects of the world over which they are governing. Rather than ask for help in public forums, rather than seek the advice of the experts as to what can be done, and rather than govern with the intent to not only create a better world for today but also for tomorrow, we get proposed legislation like this that holds no account for what it actually takes to make technology do all the things that it has been built to do.
With the election coming up in the fall, this is just one of the dozens of issues that face the voting citizens of the United States. It might be at the back of your mind that encryption and the protection of your data aren’t part of your daily life, but that couldn’t be more wrong. Every single day that you access the Internet from your computer or phone, your data is being made readily available. This bill opens that data up not only to hackers by weakening encryption but also to a government that is reacting with paranoia. Yes, there is a noble story to keep the country safe from attacks, but are you willing to give up your individual rights and privacies to achieve that?
To keep this bill from being passed, contact your congressional representative and tell them to protect encryption and your privacy.