Sens. Richard Burr (R., N.C.), chairman of the Senate Intelligence Committee, and Dianne Feinstein (D., Calif.), vice chairman of the committee, today released a discussion draft of legislation that would require communications service providers and communications device and software makers to comply with court orders for information or data in connection with the investigation of specified “serious crimes.”
The bill—the Compliance with Court Orders Act of 2016—was positioned by the senators as a catalyst for discussion on the issue of communications encryption technologies. They said they would “now solicit input from the public and key stakeholders before formally introducing the bill.” Sen. Burr said he endorsed the use of encryption technologies by service providers and device makers, but added, “I do not believe, however, that those solutions should be above the law.
“I am hopeful that this draft will start a meaningful and inclusive debate on the role of encryption and its place within the rule of law,” he said. “Based on initial feedback, I am confident that the discussion has begun. We remain eager to sit down and discuss a way forward with all who are willing to engage constructively on this critically important and challenging issue.”
“No entity or individual is above the law,” said Sen. Feinstein in a statement. “The bill we have drafted would simply provide that, if a court of law issues an order to render technical assistance or provide decrypted data, the company or individual would be required to do so. Today, terrorists and criminals are increasingly using encryption to foil law enforcement efforts, even in the face of a court order. We need strong encryption to protect personal data, but we also need to know when terrorists are plotting to kill Americans.”
According to the language of the discussion draft, the bill would express the “sense of Congress” on a number of fronts, including that “no person or entity is above the law”; that all communications service providers and device and software makers should “protect the privacy of United States persons through implementation of appropriate data security and still respect the rule of law and comply with all legal requirements and court orders”; and that providers ”must provide responsive, intelligible information or data, or appropriate technical assistance to a government pursuant to a court order.”
According to the draft’s text, entities covered by the bill would have to provide intelligible data to the government only for data that the covered entity had encrypted on its own; covered entities would be reimbursed for “reasonable costs” in complying with an order; and the government would not require or prohibit the use of any operating systems by covered entities.
Sens. Burr and Feinstein said the bill would not create any “new collection authorities for the government to obtain communications.” The language of the bill includes an extensive description of “communications identifying information,” often referred to as communications metadata, that the bill says does not meet the definition of “contents of communications.”
Last week, an earlier version of the discussion draft drew strong opposition from a range of interest groups that questioned whether it would create backdoors in communications and device security, and even whether its aims were accomplishable given the nature of encryption technologies (TRDaily, April 8).
Some interest group reaction to the draft ran in a similar vein. Jack Ward, president at the Application Developers Alliance, said in a statement that the bill “would compel developers, device manufacturers, communications providers, and others to provide technical assistance to law enforcement to deliberately weaken data security measures like encryption.”
He continued, “Data is either encrypted or it is not, and the technical assistance that this legislation mandates is not feasible nor is it in the country’s best interest. Despite the Act’s Design Limitation provision, these requirements would compel companies and developers to create a specific design or operating system with inherent security flaws. Encryption has proven to be one of our most effective tools to combat crime and is critical to keeping Americans safe and their private information secure. Efforts to undermine security—especially those compelling companies and developers to act against the best interests of their consumers—is short-sighted and will ultimately stifle the inventiveness and ingenuity that has made America the world’s innovation leader. This is a trade-off that cannot be had.” – John Curran, john.curran@wolterskluwer.com