One of the most anticipated pieces of cybersecurity legislation took a step forward late last week in the U.S. Congress, but most analysts have not been kind to the new measure.
The Hill newspaper published a discussion draft of the bill from Senator Richard Burr (R-NC) and Senator Dianne Feinstein (D-CA), who head the Senate Select Committee on Intelligence.
Discussion drafts are often short on detail, and this one is only nine pages long, but they provide valuable insights into the priorities of their authors and the key principles they seek to establish.
The bill would require “covered entities”, including digital device manufacturers, software manufacturers, electronic communication services ... or “any person who provides a product” to comply with court orders seeking access to “information or data in an intelligible format” or assistance necessary to obtain such data.
That could cover many thousands of individuals as well as private tech companies, and the data in question includes emails, texts, contacts or any other information stored and shared digitally, an expansive definition.
George Washington University Distinguished Research Professor in Computer Science Lance Hoffman, who founded the school's Cyberspace Security Policy and Research Institute, says, "It’s way too vague, there's too few safeguards, and I don't think there's any consequences enumerated if a covered entity doesn’t follow the law."
Hoffman says, "Worse though, is where it gets down to covered entities, well that could be anybody. It might even apply to any individual who happens to use an app that obscures data in any fashion."
Susan Hennessey, a Fellow in National Security in Governance Studies at the Brookings Institution, says the bill "creates a generalized obligation for...covered entities...to preserve some ability to access communications. That’s sort of the formalized back door that Silicon Valley has always warned about."
Ross Schulman, senior counsel with New America’s Open Technology Institute, says the bill mandates, "‘Thou shalt do this’, but doesn’t grapple with any of the difficult questions of how one actually goes about doing it."
But Hennessey says the bill "preserves the kind of flexibility that legislation around technology needs to preserve." She told VOA the bill is tethered to responding to court orders and is not a limitless mandate, but a clarification of Congress' expectations regarding encryption.
"This is in some respects what Apple and others have been calling for: a decision from Congress, not the FBI resorting to the All Writs Act. So Congress is saying: we have decided, and this is our expectation," Hennessey says.
Schulman tells VOA the authors of the bill "didn’t do a whole lot of hard work to think about the implications. It would make illegal whole swathes of the infrastructure that we’ve painstakingly put in place over the last 25 years to make the Internet a secure place to live and do business."
Hoffman adds, "There’s little doubt this bill would certainly inhibit innovation in the United States."
"What I would say to members of Congress is first, do no harm. Don’t mess up something that's given the U.S. great advantages and continues to do so. What you really need is a solid risk analysis: an examination of the web’s architecture, its functioning, and the consequences of any new regulatory action," Hoffman told VOA.
"If you change the Internet’s architecture, you might be able to build a stronger, more secure system, but it would be a lot less useful."
Hoffman says the debate is difficult because of the balance it seeks to create.
"You're trying to strike a balancing act. On the one hand, you don't want to kill the goose that lays the golden egg – namely Silicon Valley. On the other hand, you don't want to give bad guys tools they can use. The way computer architecture works today, if you’re creating a powerful tool for one party, everybody and their brother will get access to it; there’s no way to filter the bad guys out."
Schulman says the debate between "privacy versus national security" is shifting "to security versus security." The phones in our pockets are little computers with phone numbers, texts, email, contacts, calendar, he says, so security is now the security of our everyday lives and encryption protects those digital lives.
Schulman says the FBI’s argument about “going dark” is a bit disingenuous.
He says, "Yes, there are some criminals who are using encryption to hide their tracks. But the reality actually is that the FBI now has more data than they can possibly analyze. The worry isn’t criminals going dark; it’s law enforcement being blinded by the light."
Hennessey says the debate has become emotional without getting into specifics of the facts and the law underlying the issues.
"In the United States we determine the scope of privacy through the Fourth Amendment," she says, "and the Supreme Court has determined that we do have Fourth Amendment rights when it comes to our smartphones."
Hennessey says, "What we’re really faced with here is a moment when technology is exceeding what we have all collectively agreed is the appropriate scope of privacy."
"There can be criticism of the substance" of the bill, she says, "but it’s important to recognize this is the first attempt by Congress to clarify what their expectations are regarding encryption."
"Encryption is only one part of cybersecurity," Hoffman says, not the final answer to the issue because, "you'll always have bad guys doing bad things, and as long as there are computers, they’ll be there, too.
"You have to decide what you want, what price you're willing to pay, and what you're willing to give up, and we’re a long way from that."