Draft Feinstein-Burr Anti-Encryption Bill Would Seriously Harm Security, Speech, and Innovation Online

BY CCIA Staff
April 8, 2016

Washington — A discussion draft of Senators Feinstein and Burr’s long-awaited encryption access bill was released late Thursday night. The “Compliance with Court Orders Act of 2016” purports to require that digital service providers produce “intelligible data” in response to government demands pursuant to a court order, or provide “technical assistance” to achieve that end.

This bill would threaten the Internet’s viability as a platform for expression and commerce. Its most basic requirements are anathema to ensuring continued security and privacy online, and would do little to aid law enforcement efforts.

Encryption undergirds almost all financial transactions and communications on the Internet and connected devices. Requiring that companies either: 1) only employ encryption with keys they hold in escrow in anticipation of a government request, or 2) otherwise develop tools to undermine existing security measures would be a grave risk to the safety of users of digital devices and services. Both those keys and designed vulnerabilities would be prized targets for any bad actors seeking to have easy access to the communications, personal data, or financial information of any people or entities relying on readily available encryption. Of course, given the bill’s limited domestic jurisdiction, bad actors would themselves have easy access to secure products without imposed vulnerabilities from competitors abroad.

Worse still, the draft legislation goes far beyond even those untenable and unproductive requirements. The unprecedented breadth of the bill’s definitions of, among other things, “covered entities” and “intelligible” data, would extend to any person or company that develops a product or app that might encrypt or even delete data. It would further impress those companies or individuals who license software or operate third-party app or software stores into policing the software and services they make available to ensure that they are compliant with the aforementioned broad “intelligible data” and “technical assistance” requirements in the bill. This content policing imposition runs counter to longstanding intermediary protections for providers of digital services.

The draft “Compliance with Court Orders Act” is a misguided attempt at addressing the suspect claim that encrypted devices and services hinder the work of law enforcement. Encryption is fundamental to almost all expressive and productive activity on the Internet—Congress should strive to promote its availability and use, rather than undermine it.
