A collection of tech-sector trade groups lowered the boom on a discussion draft of legislation released last week by Sens. Richard Burr (R., N.C.), chairman of the Senate Intelligence Committee, and Dianne Feinstein (D., Calif.), vice chairman of the committee, that would require communications service providers and communications device and software makers to comply with court orders for information or data in connection with the investigation of specified “serious crimes.”
In an April 19 letter to the senators, the trade groups said they had “deep concerns about well-intentioned but ultimately unworkable policies around encryption that would weaken the very defenses we need to protect us from people who want to cause economic and physical harm. We believe it is critical to the safety of the nation’s, and the world’s, information technology infrastructure for us all to avoid actions that will create government-mandated security vulnerabilities in our encryption systems.”
“Any mandatory decryption requirement, such as that included in the discussion draft of the bill that you authored, will lead to unintended consequences,” said the Entertainment Software Association, the Internet Infrastructure Coalition, the Computer and Communications Industry Association, and Reform Government Surveillance.
“The effect of such a requirement will force companies to prioritize government access over other considerations, including digital security. As a result, when designing products or services, technology companies could be forced to make decisions that would create opportunities for exploitation by bad actors seeking to harm our customers and whom we all want to stop. The bill would force those providing digital communication and storage to ensure that digital data can be obtained in ‘intelligible’ form by the government, pursuant to a court order. This mandate would mean that when a company or user has decided to use some encryption technologies, those technologies will have to be built to allow some third party to potentially have access. This access could, in turn, be exploited by bad actors.”
“It is also important to remember that such a technological mandate fails to account for the global nature of today’s technology. For example, no accessibility requirement can be limited to U.S. law enforcement; once it is required by the U.S., other governments will surely follow. In addition, the U.S. has no monopoly on these security measures. A law passed by Congress trying to restrict the use of data security measures will not prevent their use. It will only serve to push users to non-U.S. companies, in turn undermining the global competitiveness of the technology industry in the U.S. and resulting in more and more data being stored in other countries.”
The groups said, “We are ready and willing to engage in dialogue about how to strike that balance, but remain concerned about efforts to prioritize one type of security over all others in a way that leads to unintended, negative consequences for the safety of our networks and our customers.” – John Curran, john.curran@wolterskluwer.com
Courtesy TRDaily