Why Doesn't The Anti-Encryption Bill List Any Penalties?
We've already written a bit about the technologically ignorant bill from Senators Richard Burr and Dianne Feinstein that basically outlaws any encryption system that doesn't include backdoors for law enforcement. However, there are still some points in the bill that have left some folks scratching their heads. In particular, the lack of any penalty at all has some commenters wondering what the bill actually does. The bill says that it doesn't "require or prohibit any specific design or operating system," but at the same time it does require that anyone offering or supporting any kind of encryption be able to pass along unencrypted versions of the communication to law enforcement when presented with a legitimate court order or warrant (so not just a warrant, but any court order...). As Orin Kerr noted, the bill mandates assistance, rather than using the more typical requirement of "reasonable" assistance.
Instead, the bill is explicit that if you receive an order, you have to hand over the unencrypted data. The law specifically reads: "a covered entity that receives a court order from a government for information or data shall provide such information or data to such government in an intelligible format; or provide such technical assistance as is necessary to obtain such information or data in an intelligible format or to achieve the purpose of the court order." No best efforts. No reasonable assistance in the face of situations where that can't be done. The bill requires that you provide unencrypted data. Or else.
Or else... what? The bill includes absolutely nothing on the penalties for failing to comply. This has led some on Twitter (including a guy I've been discussing it with who deletes all his tweets after tweeting them or I'd post them here...) to argue that the bill actually promotes encryption, since if a company can't provide unencrypted data, then the law has no impact. That's not true, however. First of all, both Burr and Feinstein have been going on and on about demanding backdoors and whining about encryption for a long time. There's no way they wrote a bill that would support stronger encryption. Second, all of the rest of the language in the bill includes various statements like "shall provide" and other items that leave no wiggle room at all. Providing any kind of encryption without providing a backdoor for law enforcement would violate this law.
So... why the lack of penalties? There are a few theories floating around. (1) This is still a draft of the bill. Those penalties will be added in later, after everyone's fought over the rest of the bill. Leaving out the penalties at this stage lets Feinstein and Burr focus the fight. (2) The bill will allow courts to claim that any company not providing such unencrypted text is in contempt and issue increasingly large fines that make it practically impossible to be a business in the US without providing backdoors to encryption and basically demolishing everyone's security. Neither option is appealing.
This bill is bad in so many ways and no one's focusing on the punishment part because it's not even in the bill yet -- but make no mistake -- if this bill passes, there will be punishment (potentially severe punishment) for any company that wants to use actual encryption.