THE COMPLIANCE WITH COURT ORDERS ACT: A SERIOUS THREAT?
On Thursday, April 7, 2016, a first draft of the United States Senate’s Compliance with Court Orders Act, an anti-security bill, was released.[1] The Senate members responsible for this bill are Senators Dianne Feinstein from California and Richard Burr from North Carolina. The bill's text opens innocently enough: “A bill to require the provision of data in an intelligible format to a government pursuant to a court order, and for other purposes.”[2] However, a complete reading of the bill reveals that it seriously impedes privacy rights. The bill requires companies to recover the plain-text from data “made unintelligible by a feature, product, or service owned, controlled, created, or provided by the [company]” and then to turn over that data in real-time “concurrently with its transmission” or “expeditiously, if stored by the [company] or on a device.”
In other words, any conversations or exchanges of any material or data must be accessible to the government, and any encryption would essentially be ineffective against the government by law. If this bill becomes law, then pursuant to a court order obtained by the government, the companies that implement encryption on our devices and accounts would need to decrypt that data and hand it over to Uncle Sam. Thus, companies will be legally precluded from implementing advanced encryption without having key backup systems to access the data at any time. That means that companies would be prevented from building truly secure software, as they would be required to provide technical assistance to the government for decryption purposes to provide “plain-text data.” Otherwise, non-compliance would mean penalties (not yet specified) for those companies, just as violating any other law would.
The above is essentially the effect of the bill in a nutshell, but what about the consequences for our country and us?
The Compliance with Court Orders Act poses a serious security threat to all of our “secured” data, not only from the government, but also from computer hackers and foreign cyber-spies. If access to these key backup systems falls into the wrong hands, all of our encrypted data protected by the particular company or organization whose key backup system was infiltrated would effectively be compromised, as the encryption would be rendered useless. Last summer, several of the world’s top cryptographers published a paper about the dangers of weakening encryption, and warned that backdoor methods created to give the government access to encrypted communications would inevitably be used by these hackers and spies.[3] This bill poses much more danger to our privacy rights than the government trying to unlock an iPhone. Further, all companies would essentially be exposed to much more liability due to an exponentially increased risk of data breaches as a result of creating these “backdoors” or backup key systems for decryption.
Kevin Bankston, the director of the New America Foundation’s Open Technology Institute, states: “I gotta say in my nearly 20 years of work in tech policy this is easily the most ludicrous, dangerous, technically illiterate proposal I’ve ever seen.”[4] Ultimately, this bill is the single largest threat to both our privacy rights under the Constitution and to cyber security in general.
Ara M. Baghdassarian is an associate attorney with Barnes Law, licensed to practice law in California.
The opinions expressed are those of the author and do not necessarily reflect the views of the firm, its clients, or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
[1] It is not yet clear whether the bill has been officially submitted within the Senate.
[2] https://www.scribd.com/doc/307378123/Burr-Encryption-Bill-Discussion-Draft
[3] http://www.wired.com/2016/04/senates-draft-encryption-bill-privacy-nightmare/
[4] http://www.wired.com/2016/04/senates-draft-encryption-bill-privacy-nightmare/