The letter is addressed to the bill's sponsors, Senators Richard Burr and Dianne Feinstein, and warns of the legislation's "unintended consequences", calling its requirements of technology companies "well-intentioned but ultimately unworkable" (via The Verge).
Any mandatory decryption requirement, such as that included in the discussion draft of the bill that you authored, will lead to unintended consequences. The effect of such a requirement will force companies to prioritize government access over other considerations, including digital security. As a result, when designing products or services, technology companies could be forced to make decisions that would create opportunities for exploitation by bad actors seeking to harm our customers and whom we all want to stop. The bill would force those providing digital communication and storage to ensure that digital data can be obtained in "intelligible" form by the government, pursuant to a court order. This mandate would mean that when a company or user has decided to use some encryption technologies, those technologies will have to be built to allow some third party to potentially have access. This access could, in turn, be exploited by bad actors.
The letter is signed by Reform Government Surveillance, the Computer and Communications Industry Association, the Entertainment Software Association, and the Internet Infrastructure Coalition. Facebook, Netflix, eBay, and Dropbox are among other companies represented by the groups.
It is also important to remember that such a technological mandate fails to account for the global nature of today’s technology. For example, no accessibility requirement can be limited to U.S. law enforcement; once it is required by the U.S., other governments will surely follow. In addition, the U.S. has no monopoly on these security measures. A law passed by Congress trying to restrict the use of data security measures will not prevent their use. It will only serve to push users to non-U.S. companies, in turn undermining the global competitiveness of the technology industry in the U.S. and resulting in more and more data being stored in other countries.
We support making sure that law enforcement has the legal authorities, resources, and training it needs to solve crime, prevent terrorism, and protect the public. However, those things must be carefully balanced to preserve our customers’ security and digital information. We are ready and willing to engage in dialogue about how to strike that balance, but remain concerned about efforts to prioritize one type of security over all others in a way that leads to unintended, negative consequences for the safety of our networks and our customers.
The news follows heavy criticism of the bill from security experts after a draft titled "The Compliance with Court Orders Act 2016" was circulated earlier this month following Apple's standoff with the FBI over access to an iPhone used by one of the shooters in the San Bernardino terrorist attack. The draft states that all providers of communication services and products must respect the "rule of law" and comply with legal requirements and court orders to provide information stored either on devices or remotely.
Without detailing specific technical demands, the wording of the act itself makes end-to-end encryption impossible. Experts said it was "absurd", "dangerous", and "bad legislation in every way", amounting to a government-mandated back door.
The White House remains deeply divided on the issue and has so far decided not to offer public support for the legislation. Language in the draft bill is subject to changes based on input from stakeholders, although an official draft was released one week ago with few changes from the earlier version. Senators Burr and Feinstein have yet to respond to the letter.