Wolverton: Feinstein’s response to Apple-FBI dispute bad for privacy, security

We knew that Sen. Dianne Feinstein was cooking up a bill with North Carolina Sen. Richard Burr in response to Apple’s dispute with the FBI over the San Bernardino iPhone.

We knew that the bill was going to target companies like Apple that refused to help the government unscramble encrypted data. And we suspected, given Feinstein’s past history of being unconcerned about anyone’s privacy other than her own, that the bill was going to be pretty bad for the privacy of everyday citizens and the security of tech products.

How bad? Well, we now know.

The bill would require companies, in response to a court order, to decrypt data stored on devices they make, apps they design or online services they offer. It would compel them to provide to governments whatever technical assistance “is necessary” to unscramble the data.

Perhaps worst of all, the bill would essentially require Apple, Google and other operators of application stores to ensure that the data sent through the apps sold in their stores can all be unscrambled as well.

Needless to say, consumer, privacy and tech industry advocates trashed the bill.

“I could spend all night listing the various ways that Feinstein-Burr is flawed & dangerous,” Matt Blaze, a cryptography researcher and computer science professor at the University of Pennsylvania, said on Twitter. “But let’s just say, ‘in every way possible.’”

The draft legislation is a “massive overreach,” Gaurav Laroia, policy counsel at Free Press Action Fund, a consumer advocacy group, said in a statement, adding that it would essentially outlaw so-called end-to-end encryption of data and undermine the security of online transmissions.

The two senators behind the bill “appear to have forgotten the rights guaranteed to Americans under the Constitution,” Laroia said. “This bill would subvert encryption and violate the privacy rights we hold dear.”

The bill explicitly states that it wouldn’t prohibit or require any particular feature or operating system. But by requiring companies to be able to unscramble the data stored in their apps, services and phones, the bill is essentially doing just that, said Daniel Castro, vice president at the Information Technology and Innovation Foundation, a think tank backed by the tech industry group. Companies can’t design products with the strongest security possible while at the same time constructing them so that the data stored on or sent through the products can be decrypted.

“In short, this bill sets up a legal paradox,” Castro said.

Representatives of the two senators behind the bill did not immediately respond to my requests for comment. But in a statement on behalf of both senators sent to Wired, Feinstein spokesman Tom Mentzer said the bill was still being finalized and the senators were continuing to solicit “input from stakeholders.”

We “can’t comment on language in specific versions of the bill,” Mentzer said in the statement. “However, the underlying goal is simple: when there’s a court order to render technical assistance to law enforcement or provide decrypted information, that court order is carried out. No individual or company is above the law.”

But as written, the bill would undermine much of the way consumers use technology today. It could potentially bar U.S. browser makers like Google and Microsoft from allowing their software to encrypt Web pages when they transmit them, because those companies don’t have the keys to decrypt the pages. The technology used to encrypt the transmission of Web pages has long been used to protect users’ online banking sessions, and many Web sites have been employing the technology to protect visitors from having other data compromised or from being attacked by spoof sites.

The bill could also bar U.S. companies from completely deleting users’ data or allowing users to do so themselves, said Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology, a consumer advocacy group. A provision in the draft legislation would require companies to “deobfuscate” data to “its original form,” he noted, which could be interpreted to mean that companies would have to be able to reconstruct data that’s been trashed. That violates some of the principles that privacy and security advocates have been trying to instill, such as the notion that companies should delete any data they don’t need to hold on to and that, to truly protect consumers’ personal information, deleted information needs to be made unrecoverable.

The bill is “insane,” he said. “It’s madness.”

The Feinstein-Burr legislation comes in the wake of the fight between Apple and the FBI over the iPhone used by one of the San Bernardino attackers. The FBI sought a court order to force Apple to help the agency unlock the device. In recent versions of the software underlying Apple’s phones, the company had put in place new security measures that better protect data stored on them by encrypting it by default and limiting the ability of people other than device owners to guess the passcode that scrambles the data.

Apple refused to help the FBI and fought the proposed order, saying that complying with it would undermine the security of all iPhones. The FBI eventually withdrew the case, saying it had found a way to glean the data off the device.

In the long-running debate over how to balance citizens’ privacy and security rights versus government security and law enforcement demands, Feinstein long ago showed herself to be on the side of surveillance and against civil liberties. She supported the reauthorization of Bush-era surveillance laws without amendments — despite reports and criticism that the authority was being abused — and attempted to thwart reform efforts that started in the wake of the revelations from former National Security Agency contractor Edward Snowden. Indeed, she was harshly critical of both Snowden, who she said was guilty of “treason,” and WikiLeaks, which released the documents leaked by Chelsea Manning.

About the only time Feinstein has stood up for privacy against surveillance was when the CIA hacked into and spied on the computers the Senate Intelligence Committee — then headed by Feinstein — was using to compile its report on the agency’s use of torture during the War on Terror.

Photo: Democratic Sen. Dianne Feinstein speaking with reporters in 2013. (AP Photo/J. Scott Applewhite)



  • billionaire-ess go home

  • Wild Bill Kinda

    It is technologically impossible to outlaw encryption.