US Senators release official draft of encryption legislation

If it were already a law, Apple would have been on the hook to break the terrorist’s iPhone

The first proposed US federal encryption legislation has been released, and had it been established law earlier this year Apple would have had to provide the help the FBI asked for in accessing encrypted data on the iPhone used by a terrorist in San Bernardino.

The draft published by Sen. Richard Burr of North Carolina and Sen. Dianne Feinstein of California calls for encryption vendors and others to obey court orders that command them to deliver intelligible versions of encrypted data or to provide technical assistance to make it intelligible.

That’s exactly what the FBI was asking for earlier this year with a judge’s order to disarm the anti-brute-force mechanism on the terrorist’s iPhone. In the absence of a law as specific as the Burr-Feinstein draft, Apple appealed, saying it shouldn’t be forced to create new technology to break the security of its own products.

The FBI dropped the matter when it got a third party to break into the phone, so there was no court ruling on Apple’s argument.

On the one hand the Burr-Feinstein proposal prohibits government officials from requiring or prohibiting any specific design or operating system. On the other it requires that vendors and service providers covered by the law make sure products and services they license can make encrypted communications intelligible.

That doesn’t explicitly require encryption backdoors, but the only known way to reliably decrypt data and communications is to have a backdoor.

If required by a court order, vendors would have to isolate the requested data and make it intelligible, either in real time as it is transmitted or, in the case of stored data, by decrypting it expeditiously.

Vendors and service providers are only responsible for complying with the law if it is their product or service that rendered the requested data unintelligible in the first place. So an ISP couldn’t be held responsible for decrypting communications that cross its network unless it provided the encryption; it wouldn’t be responsible for traffic that was encrypted by the endpoints in the communication.

The proposal says that any entity that provides services or products that could be affected by the court orders must make their products and services able to comply. So if a service provider offered an encryption service powered by a third party’s software, it would have to make sure there was a means of decrypting whatever the software encrypted.

The draft specifies that the law would be applied only to certain crimes including those involving threat of or actual death or serious bodily harm; terrorism and espionage; federal crimes against minors; serious violent felonies; and serious federal drug crimes. It would also cover state crimes that are equivalent to those federal crimes mentioned.

The requirements would apply to device manufacturers, electronic communication or remote computing service providers, and anyone who “provides a product or method to facilitate a communication or the processing or storage of data.”

The proposal doesn’t touch on what the penalties are for failing to comply with the law.

Vendors that provide technical assistance would be paid for reasonable costs incurred in providing that assistance.

Stories by Tim Greene