
Will Congress Make Security Illegal?

The draft Burr-Feinstein bill, technically called the "Compliance with Court Orders Act," makes strong security illegal.

Encryption 101

The basic tenet of strong security is that you have the key to your data and no one else does. If you have a storage unit or a safe, you must have the key or combination. If you are forced to allow someone else to have a key, then you are not in control and don't have top-level security.

If whoever makes your data storage or software available requires that they keep a key to get into your data, then the data does not have high-level security. It means a hacked site or a corrupt or corrupted employee can view and steal your information.

What the Burr-Feinstein Draft Bill Does

This proposed legislation makes security programs, password safes, and secure data storage illegal. It specifically says that you can't store, transmit or write software that does not have a back door for access by the software writers or storage facility.

So, for example, KeePass, LastPass, RoboForm and all other password safes would have to have a backdoor that would allow the company that makes it to get into your passwords. If that secret ever escaped their control, your passwords would be vulnerable. Thousands of law enforcement agencies will be asking for access to safes protected by that software. It will be impossible to keep the key safe.

Bruce Schneier did a survey of encryption products and found 865 of them from 55 different countries. Apparently all those companies and individuals must make backdoors for the American government. That includes the 546 foreign products. Of those 546 foreign products, 34% are open source, meaning that the source code is available for anyone to download and write themselves. So, if 1 million foreign people download the source code, America will make them all write backdoors if they make it available or use it.

SpiderOak backup would also be outlawed, as would every other solid cloud backup product. In other words, most of the 865 products currently in use.

The comparison to physical locks

Law enforcement often tries to compare the digital safe with a physical safe. They point out that if you have a locked room or safe, law enforcement can break into it. However, there is a difference between the digital world and the physical world. There is no sound or space in the digital world. If someone is going to knock my door down, he will make noise and must be physically present. If some bot is inside my computer, its owner could be anywhere in the world and it will make no sound. Furthermore, they could attack a million places simultaneously, or attack a site holding the data for millions of people.

What would make this seem reasonable to me

As soon as the government presents proof that they have a filter that can distinguish attackers who are good and have pure intent from the corrupt, I'll be happy to give them my digital keys. Until that filter is available, their demand for a backdoor is a very bad idea.

How others have responded

TechCrunch article (good summary and review):
"is the technological equivalent of requiring all pigs to fly."

Senator Ron Wyden

"This legislation would effectively outlaw Americans from protecting themselves. It would ban the strongest types of encryption and undermine the foundation of cybersecurity for millions of Americans. This flawed bill would leave Americans more vulnerable to stalkers, identity thieves, foreign hackers and criminals. And yet it will not make us safer from terrorists or other threats."

Representative Darrell Issa
Chairman of the House Judiciary Committee
"as flawed and technically-naive as a piece of legislation can get. Mandating that companies weaken our security to give government secret backdoor access into our devices would be a massive blow to Americans’ right to privacy and frankly would also be downright dangerous,"

What to do?

At a minimum, we should all email our representatives to stop this insanity. A link to the Electronic Frontier Foundation's email letter is here. They will look up your representatives from your email address and present the forms necessary for emailing and answering the one or two questions from each representative. They are sometimes different. No information is stored by EFF or the tools they use.

Date: April 2016

This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.
