A discussion draft leaked online of the first legislation to tackle the heated encryption debate that has pit law enforcement agencies seeking access against privacy and consumer advocates lobbying to maintain strong security.
The leaning of the bill — put forward by Sens. Richard Burr, R-N.C., and Diane Feinstein, D-Calif. — is apparent in its short title: Compliance with Court Orders Act of 2016. Further, the first stipulation of the bill states, "No person or entity is above the law."
Discussion Draft: Compliance with Court Orders Act (h/t to Wired and Center for Democracy and Technology Chief Technologist Joseph Hall for the document)
At the same time, the text acknowledges the need for "appropriate data security," though it immediately reiterates that such measures must "still respect the rule of law and comply with all legal requirements and court orders."
Specifically, the bill requires any entity — a company or other producer or purveyor of encryption tools — to hand over information requested in a warrant or court order "in an intelligible format if such data has been made unintelligible by a feature, product or service owned, controlled, created or provided by the covered entity or by a third party."
The Burr-Feinstein bill is hardly the first encryption legislation to be put forward but it is the first major push since the "going dark" debate went into full gear in the high-profile fight between the FBI and Apple over an iPhone used by an alleged terrorist.
In such situations, the bill would also force companies to provide technical assistance accessing data on a device, even if that company doesn't have the means to do so readily at hand.
While privacy advocates would be expected to rail against this draft, technology groups are also coming out against what they perceive to be a blow to strong encryption.
"We are pleased that this legislation is only a draft because it requires more thinking and more work," said Dean Garfield, president and CEO of the Information Technology Industry Council (ITI). "We share Sens. Burr and Feinstein's commitment to protecting our country but unfortunately the proposed policy is misguided and will ultimately lead to increased insecurity rather than increased security … This proposal would actually freeze in place the technology we need for protection, leaving all of us extraordinarily vulnerable."
The text does mention that no part of the bill would restrict a person or company from creating or using strong encryption, just that there must be a means for law enforcement to gain access when required. Opponents say requiring such "backdoors" would give bad actors a way in, just like law enforcement.
White House spokesperson Eric Schultz said the administration has not taken a position on this specific bill yet, though President Barack Obama's "position on encryption is well-known."
"The president has said before that there's no scenario in which we don't want really strong encryption," Schultz said in an April 7 conversation with reporters. "Now, at the same time, we do understand we want to make sure that we don't allow terrorists a safe haven to operate in cyberspace. So that's why we will continue to engage with the private sector to discuss the national security and public safety challenges we face with the use of encryption."
As for the Burr-Feinstein bill, "I'm sure we will take a look at what they're proposing and be in touch," he said.
Aaron Boyd is an awarding-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.