Line by line, how the US anti-encryption bill will kill our privacy, security

In the wake of the FBI's failed fight against Apple, Senators Richard Burr (R-NC) and Dianne Feinstein (D-CA) have introduced a draft bill that would effectively ban strong crypto. The bill would require tech and communications companies to allow law enforcement with a court order to decrypt their customers' data. Last week a …

  1. cbars Silver badge

    Amazing

    How doublethink actually became a thing!

    Keep your customers' secrets or else.

    Give us your customers' secrets or else.

    1. Sir Runcible Spoon

      Re: Amazing

      I think the US should put this bill forward for a vote immediately.

      That way, anyone who votes in its favour will have shown themselves to be unfit for office - right down to the point where they shouldn't be allowed to make the tea.

      Sack anyone who votes for it and ban them from ever having any more authority than over their own bladders.

      1. ecofeco Silver badge

        Re: Amazing

        That way, anyone who votes in its favour will have shown themselves to be unfit for office - right down to the point where they shouldn't be allowed to make the tea.

        Except in Murica, that's usually a guaranteed re-election.

      2. MachDiamond Silver badge

        Re: Amazing

        With elections coming up this year, this bill should be voted on as soon as possible. Once it's known which corporate shills have voted to pass it, the US voters will know whom to vote against (assuming that their votes are actually counted).

      3. Tom -1

        Re: Amazing

        "ban them from ever having any more authority than over their own bladders"

        That's very wrong. Give them that much authority and they'll piss all over us!

  2. Anonymous Coward
    Anonymous Coward

    The more I read about this, the more I want some pitchforks and torches

    Ropes, lampposts, congress: Some assembly required.

    1. Anonymous Coward
      Anonymous Coward

      Mr AC, I agree.

      But most people will not read about this.

      I know not where you live, but I hail from the UK where our beloved Daily Mail, Mirror, Independent, Guardian, Times et al regularly write shit instead of following a story.

      I do despair for the future...

    2. Voland's right hand Silver badge

      You do not need to

      You need wallets. And election season.

      Feinstein represents silly valley if memory serves me right. If she continues down this road her chances of being re-elected are highly correlated with Lucifer working for the Mountain View county council as a snow plough driver.

      1. Vern not Winston Smith
        Big Brother

        Re: You do not need to

        Feinstein, while a Democrat, has always sided with law enforcement since her time as Mayor of San Francisco. The article notes this is not the first bill she has "written" in support of the NSA and FBI. I am speculating here, but it won't be her last.

        FYI: The senator has been in her current office going on 24+ years. Nobody has the money to take her seat. The last election, she didn't even campaign.

        1. ckm5

          Re: You do not need to

          Plenty of people in California (as a senator, she represents all of California, not just SV) have the money to take on Feinstein. The question is will she push someone, anyone, over the edge.

      2. martinusher Silver badge

        Re: You do not need to

        She's one of the senators from California so she's elected by the whole state. She's not up for reelection this year, it's Boxer's turn (and she's retiring).

        We do have to get ignorant legislators out of government but it's an uphill struggle against the hordes, there are so many of them. What Feinstein hasn't figured out is why DES got changed out for AES. It wasn't just that DES got old and tired, it was because the Cold Warriors wanted to exercise so much control over technology that critical technology like encryption standards had to originate "anywhere but in the USA".

        I've personally witnessed just how much damage these people have done to our technology industries over many decades. Since the industry has grown rapidly it's easy to overlook the losses but as things flatten out you will notice how many of our key technologies have been hollowed out by overzealous and underinformed legislators.

      3. MachDiamond Silver badge

        Re: You do not need to

        I'm surprised that Feinstein's advanced oldtimers disease hasn't been leaked to the media. She's never been very bright when it comes to technology, economics or morals.

      4. rusty94114

        Re: You do not need to

        The Californians who have repeatedly elected Feinstein to the Senate are generally unaware that she is one of the most totalitarian-minded members of Congress. She is a ringleader of the War on Drugs, and an opponent of internet privacy. When she was Mayor of San Francisco in the 1980s she vetoed legislation that would have extended to gay city employees in domestic partnerships the health insurance benefits that were available to heterosexual employees.

        Hopefully this latest totalitarian move will finish Feinstein's political career.

    3. hplasm
      Happy

      Digital pitchfork...

      1. Encrypt nasty PC virus.

      2. Punch a Fed.

      3. Get PC confiscated and decrypted.

      4. BZZZZZKKKTT!!!

      5. Profit!

  3. Ropewash
    Facepalm

    These articles...

    They angry up the blood every time I read them.

    Not from the U.S. but in a country that tends to follow soon after on crap like this.

    I'll repeat the only point I have on the issue,

    The government can lead by example here and make sure they are running the same busted "security" on all their data so the people can have backdoor access to it for freedom of information requests.

    They want to protect the people from the terrorists? They can start by protecting them from their own government.

    1. Palpy

      Re: The government [of USA] can lead by example...

      ...and they have! The OPM hacks dropped the US government's pants to the tune of personnel records on 22 million employees, including security classifications.

      Now if that isn't busted security, I don't know what is.

      Maybe it's like penis envy -- Feinstein, Burr, et al are insanely jealous of people smart enough to do good encryption.

      Or perhaps it's simpler: Feinstein, Burr, et al are insane.

      Leave it at that.

      1. h4rm0ny

        Re: The government [of USA] can lead by example...

        >>"Or perhaps it's simpler: Feinstein, Burr, et al are insane."

        Simpler than that. Their interests just don't align with the public's. Nor have a farmer's interests ever truly aligned with the chickens'. They might both want to keep the fox out, but the farmer still wants to keep the chickens in.

        1. Sir Runcible Spoon
          Thumb Up

          Re: The government [of USA] can lead by example...

          Nice analogy there Harmony, and not a car in sight ;)

        2. allthecoolshortnamesweretaken

          Re: The government [of USA] can lead by example...

          Why did the chicken use weak encryption?

          Okay, somebody please come up with a clever punchline. K THX.

          1. BebopWeBop

            Re: The government [of USA] can lead by example...

            Because Alice asked him to?

          2. Sir Runcible Spoon
            Coat

            Re: The government [of USA] can lead by example...

            "Why did the chicken use weak encryption?"

            Because it wanted someone to use its back door?

          3. G Olson

            Re: The government [of USA] can lead by example...

            "Why did the chicken use weak encryption?"

            Because he didn't have a strong enough shell for his embryonic development environment.

          4. channel extended

            Re: The government [of USA] can lead by example...

            Because the rooster had crossed the road?

          5. Number6

            Re: The government [of USA] can lead by example...

            Why did the chicken use weak encryption?

            Because it wanted the information to get to the other side?

          6. Mpeler
            Coat

            Re: The government [of USA] can lead by example...

            Because it wanted people to see poultry in motion...

    2. This post has been deleted by its author

  4. The Nazz

    Stuff your fancy encryption.

    Can i just have the lead photo as a screensaver? That should keep the buggers away.

    1. This post has been deleted by its author

  5. Anonymous Coward
    Anonymous Coward

    I can't decide if this is well-meaning but just astoundingly ignorant; or if it's a genuinely evil attempt to further fuck over people's liberty in a (going to be unsuccessful) power grab.

    It does highlight a frequently-occurring flaw in the American psyche, though, and that is forgetting that there's a 'rest of the world' out there. Because there is, this cannot possibly work.

    If this bill went through, the immediate cost would be in -at minimum- billions and the cost over time would be truly colossal. Nobody in their right mind would use a bank that automatically rendered them more liable to scams; or encryption software that is deliberately flawed.

    In the unlikely event of this bill passing, my new hobby is to send one-time-pad encrypted email attachments with dodgy names*** to US Senators.

    ***CP_vol_7.zip (With the CP standing for Cat Pictures, or possibly Chinchillas, but don't tell anyone because it's not as funny if the reveal isn't in the highest court you can find with extensive press coverage).

    1. Duncan Macdonald
      Mushroom

      Evil one time pad

      If you want to send an encrypted message - and still have plausible deniability - do the following.

      1) Encrypt the message with a one time pad (simple XOR encryption - still unbreakable if each byte of the message is encoded by a unique byte of the pad and the pad is never reused)

      2) Create an innocuous message of the same length

      3) Create a fake "one time pad" as the XOR of the innocuous message and the encrypted message from (1)

      If forced to decrypt the message - provide the fake "one time pad" generated in stage 3 which converts the encrypted message into the innocuous message from stage 2.

      1. Anonymous Coward
        Anonymous Coward

        Re: Evil one time pad

        That is quite deliciously evil; but wouldn't that make your "evil message" (now being used as the one-time-pad and containing structured data) easier to decrypt?

        1. Sir Runcible Spoon

          Re: Evil one time pad

          "but wouldn't that make your "evil message" (now being used as the one-time-pad and containing structured data) easier to decrypt?"

          I don't see why it should. If I've understood correctly the fake pad is just to convert something you know (the encrypted message) into something else you know (the fake unencrypted message).

          The original pad will decrypt the original encrypted message to the real one. All the fakery stuff only relates to the faked message so should reveal nothing about the real pad or message.

          1. Anonymous Coward
            Anonymous Coward

            Re: Evil one time pad

            I'm not an expert, so was asking for information. (I was completely wrong about the evil message being the one-time pad, as that function is served by the new one-time pad that you have whipped up for yourself...my mistake...not enough coffee).

            Your encrypted message contains both the decoy message and the evil message. My question is that if you decode the decoy message, does not that give some clues (either by changes at conversion time or by what's left) that might make it more vulnerable to finding out that there's another message in there? Or worse - to decoding it? The evil message is structured so might it not be possible to detect that something is there?

            1. Sir Runcible Spoon

              Re: Evil one time pad

              Ah, I think I see your disconnect here.

              In reality, the encrypted message does not 'contain' the decoy message as such. You are creating a fake translation matrix that you apply to your encrypted message to make it look like the decoy message when it's processed.

              Does that help?

              Actually, thinking about it, couldn't this process be used to fake evidence if someone refuses to reveal their passwords? It might be limited to creating incriminating evidence rather than magically conjuring up actual useful data (which is still hidden by the encryption) - but who is going to argue that the prosecution has 'incorrectly' decrypted the file? The only way to prove that their information was fake would be to produce the *real* key, and hence reveal the real data.

              Oh dear.

              1. Anonymous Coward
                Anonymous Coward

                Re: Evil one time pad

                Thanks, I think it will help after I've looked some more stuff up. Clearly I'm hard-of-thinking today.

                The new one-time pad by the prosecution would have to have a different hash than your original (OK, second) decoy pad, wouldn't it? You might be able to prove that the files have been interfered with. Mind you, if someone's clever enough to think of tampering with one-time pads; it's feasible that they'll have the knowhow (if possibly not the opportunity) to interfere with the forensic report of the original storage medium.

                So actually this technique is not only for deniability; but can also be used as a protection measure; as it takes you from being completely stuffed to a word-against-word situation...and if you whip out your decoy pad and it decrypts to an innocuous message then you'll end up looking more credible to a jury, I think.

                1. Tony Haines

                  Re: Evil one time pad

                  Here's an attempt to clear up any remaining confusion:

                  A one time pad is random data (at least) as long as the original message.

                  If we look at the original suggestion, step 3 could be put off until the demand arrives. One could, without knowing the original, decrypt the message to anything. Therefore it doesn't affect the security of the original message.

                  ...

                  I've thought about this before, in a rather similar context. In the UK, could this approach be used to fend off a RIPA section 49 notice?

                  I think it's worded that you're required to make the information intelligible, which this approach does, assuming a carefully chosen plaintext. Might be handy when they're demanding you decrypt a file you don't actually have a key for.

            2. John Robson Silver badge

              Re: Evil one time pad

              "My question is that if you decode the decoy message, does not that give some clues (either by changes at conversion time or by what's left) that might make it more vulnerable to finding out that there's another message in there? Or worse - to decoding it? "

              Any OTP encrypted message contains ALL messages of the same length (or shorter) - you just need the appropriate OTP to get to it.

              All that the "innocuous OTP" proves is that someone has combined the 'crypt data' with 'innocuous message' to get an 'innocuous OTP'.

              If you find the 'evil OTP' then you reveal the 'evil message' - but you need to demonstrate that that OTP was used on this message - since you now have two apparently valid OTP instances, and only one is genuine.
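Duncan Macdonald's three-step recipe above and John Robson's remark that an OTP ciphertext "contains" every message of the same length are two statements of the same fact: with XOR, pad = ciphertext XOR plaintext, so a pad can be manufactured for any plaintext you like. The following is an added example, not code from any poster; the helper names and the sample messages are constructed for illustration. It runs the recipe end to end, checks that the real pad and the forged pad differ only by the XOR of the two plaintexts (so the forged pad reveals nothing about the real pad without the real message), and also shows the one way the scheme does fall apart, which Gigabob mentions further down: reusing a pad cancels it out and leaks m1 XOR m2.

```python
import secrets


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """XOR data with a pad of at least the same length.

    Encryption and decryption are the same operation, which is exactly what
    makes the fake-pad trick possible: XOR with the ciphertext recovers a pad.
    """
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, pad))


def forge_pad(ciphertext: bytes, decoy: bytes, filler: bytes = b" ") -> bytes:
    """Step 3 of the recipe: fake_pad = ciphertext XOR decoy.

    A decoy shorter than the ciphertext is right-padded with the filler byte
    (a longer one cannot fit). Nothing here needs the real pad or real message.
    """
    if len(decoy) > len(ciphertext):
        raise ValueError("decoy must not be longer than the ciphertext")
    decoy = decoy.ljust(len(ciphertext), filler)
    return otp_xor(ciphertext, decoy)


def deniable_exchange(real: bytes, decoy: bytes) -> dict:
    """Run all three steps and return every artefact so the claims can be checked."""
    pad = secrets.token_bytes(len(real))       # step 1: genuine random pad, used once
    ciphertext = otp_xor(real, pad)            # step 1: c = m XOR pad
    fake_pad = forge_pad(ciphertext, decoy)    # steps 2 and 3: innocuous text, forged pad
    return {
        "ciphertext": ciphertext,
        "real_pad": pad,
        "fake_pad": fake_pad,
        "with_real_pad": otp_xor(ciphertext, pad),
        "with_fake_pad": otp_xor(ciphertext, fake_pad),
        # real_pad XOR fake_pad == real XOR decoy: the forged pad is the real pad
        # shifted by the plaintext difference, so without the real message it is
        # just another uniformly random string.
        "pad_difference": otp_xor(pad, fake_pad),
    }


def pad_reuse_leak(m1: bytes, m2: bytes, pad: bytes) -> bytes:
    """The failure mode that actually breaks an OTP: the same pad used twice.

    c1 XOR c2 == m1 XOR m2; the pad cancels and an observer is left with the
    relationship between the two plaintexts, which is how Venona was worked.
    """
    c1 = otp_xor(m1, pad)
    c2 = otp_xor(m2, pad)
    return otp_xor(c1, c2)


if __name__ == "__main__":
    # Constructed sample messages; both are 28 bytes long.
    result = deniable_exchange(b"meet at the old mill at dawn",
                               b"buy milk, eggs, and a lemon!")
    print("real pad  ->", result["with_real_pad"])
    print("fake pad  ->", result["with_fake_pad"])
    print("reuse leak ->", pad_reuse_leak(b"abcde", b"abcdf", bytes(range(5))))
```

The forged pad passes any test a genuine pad would pass: it is the same length, it is uniformly random (the real pad is, and XORing a fixed string into a uniform string leaves it uniform), and it turns the ciphertext into readable text. That is why, as the thread concludes, possession of a pad that decrypts a message proves only that someone combined that message with that plaintext, never which pad was used at encryption time. Note too that the reuse leak does not depend on the decoy trick at all; it is the one property of one-time pads that does need operational discipline.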

        2. Gigabob

          Re: Evil one time pad

          No - the trick is the "one-time" pad is held at the sender and receiver's position and for each message a layer of the pad is removed - thus each message encoding schema is random and observed bits from a transmission cannot be used as a guide on a subsequent message. This betters the scheme for Enigma - which transmitted a large volume of messages each day - and you had to decrypt during the day to be able to read something at night. This requires discipline to avoid reuse of the pad.

          The only way to crack this unbreakable system, first documented by Frank Miller in 1882 for telegraph systems, is if the one-time pads are not truly random or if someone re-uses a prior pad as in the Venona case. This is why pseudo-random number generators are not usable for securing systems.

      2. Anonymous Coward
        Anonymous Coward

        Re: Evil one time pad

        You would have done well on the old (now defunct?) PGP.Security Usenet threads. They were all about one time pads, extra long password schemes and so on, fun reading.

        1. Anonymous Coward
          Anonymous Coward

          Re: Evil one time pad

          "Any OTP encrypted message contains ALL messages of the same length (or shorter)"

          That did it. Got a neighbour who's doing renovations; which does not sit well with being nocturnal.

          Actually, this technique does handily solve my main problem with the UK version of encryption legislation...decrypt it or go to prison. In my work, I end up with a vast stack of other people's passwords; so I could end up in the position of not decrypting (and fulfilling my responsibilities as a data controller) and going to prison; or decrypting and making myself liable for all sorts of shit under various Data Protection Acts, in various countries.

          ...so I could decrypt and leave the passwords scrambled; which would also have a handy built-in canary for law enforcement misusing the data.

    2. hplasm
      Joke

      " (With the CP standing for Cat Pictures, or possibly Chinchillas,"

      Chia Pets?

      Phwoarr!

    3. Jeffrey Nonken

      Actually I don't think it's well-meant, and I also think it's made in ignorance. I think it's an intentional power grab by people who have no effing clue what they're doing. There is no either/or here.

    4. John 104

      @moiety

      It isn't well-meaning. Feinstein has repeatedly introduced or voted for rights-reducing legislation for her entire career. If she had her way, she'd burn the constitution and impose martial law on all of us. She is poison to the US and I wish she would just go away.

    5. Anonymous Coward
      Anonymous Coward

      ***CP_vol_7.zip (With the CP standing for Congress representatives caught in Porn pictures but don't tell anyone because it's not as funny if the reveal isn't in the highest court you can find with extensive press coverage).

      1. This post has been deleted by its author

  6. a_yank_lurker

    Good Sense?

    "Good sense might prevail in the Land of the FreeTM, but don't bet on it." With America's Native Criminal Class (Mark Twain) which is best at subtracting from the sum total of human knowledge (Czar Reed of Maine) I figure the final bill will be much worse than the current drafts.

    1. JEDIDIAH
      Devil

      Re: Good Sense?

      The problem with this bill is that it will impact commerce. Tech isn't just about the tech companies anymore but everyone else who will be impacted by that tech. It's like that bit from the last DrWho special where he plugged Hyroflax into all of the big banks.

      Nothing gets protected like money.

      This dimwit is threatening the security of money. Never mind the midgets of Silicon Valley.

  7. Anonymous Coward
    Anonymous Coward

    I don't see how this would be a problem for Apple

    They are going to make it so it is impossible to get at the data under any circumstances. Obviously I haven't read the full text, but what I have seen doesn't seem to require that they perform the impossible. So if presented with an iPhone 5c they might be forced to create a hacked OS to help the FBI break in, but if presented with an iPhone running iOS 10 that includes the changes that make it impossible for Apple to help, the FBI will get the court order and Apple will say "what you are asking is impossible".

    If the government could compel impossible things they should just have a court order that compels Apple to hand over a list of every active terrorist in the world and where they are located. That would save a lot of hassle trying to decrypt phones and doing police work if you assume you can force someone to pull a rabbit out of a hat.

    1. Mark 85
      Facepalm

      Re: I don't see how this would be a problem for Apple

      Ah.. the list of impossible things that some CongressCritters think can be done.... This is right up there at the top. What's next.. ordering an FTL drive? Ordering NASA to find "heaven"?

      Good on Wyden and I hope enough in Congress listen to him as seems to be one of the few who have a grasp of the problem. As for the two bozos.... a pox on them. Better yet, may all their files and emails along with anyone who voted for them be exposed because... ya' know, weak encryption.

      I swear it's a race to the bottom between the US and just about everyone else. I'm wondering if May will try to top this or maybe France?

    2. P. Lee

      Re: I don't see how this would be a problem for Apple

      The problem is the passcodes. Proper security requires high-entropy but no-one is going to do that every time they want to unlock their phone. Hence the ability to brute-force it is wanted.

      The other option is to have a high-entropy passcode just for software upgrades which don't destroy the on-chip data, but a rarely used password is going to be forgotten or shortened.

      Realistically, if a terrorist is going out to die, he's now going to destroy his phone first, regardless of what any phone manufacturer does.

      But this was never about terrorism, was it? This is about the State asserting its right to Total Information Awareness. That's mostly to protect against another Snowden, in my opinion. We can't have the serfs knowing what's really going on.

      1. Anonymous Coward
        Anonymous Coward

        @P. Lee - passcodes

        Passcodes - i.e. 4-digit PINs - are definitely a problem, but you do not have to use them. iOS supports using passwords. You don't need too much entropy before brute force becomes utterly unwieldy - this isn't like password cracking where you can try a rainbow attack using a dictionary of billions of pre-encrypted passwords.

        If your password was a single lowercase dictionary word you'd be vulnerable, but if you simply added a couple of digits or punctuation marks to it, you'd have enough entropy to be safe as the solution space would be too large for a dictionary attack to be practical given the limitations of being able to enter them (even if you bypassed the delays for wrong passwords and the ten try limit)

      2. MachDiamond Silver badge

        Re: I don't see how this would be a problem for Apple

        If the data on the terrorist's phone was encrypted, there wouldn't be anything that Apple could have done to help the FBI. Damn media outlets don't understand the difference between an encrypted file and a password protected device.

        If a "terrorist" wanted to keep data secure, they'd use a third party encryption program if Apple's built in encryption was compromised or thought to be.

    3. veti Silver badge

      Re: I don't see how this would be a problem for Apple

      And when a court orders them to "render appropriate assistance to decrypt the device", they can send them complete and detailed documentation describing exactly how it was made.

      Sounds reasonable.

    4. tom dial Silver badge

      Re: I don't see how this would be a problem for Apple

      On its face, the draft law requires in Section 3a that a company that provides a device or encryption system "shall" perform certain actions under specified circumstances. How they provide for that (Section 3b) is up to them; the government cannot require a specific implementation (similar to the fact that they did not require a specific implementation in the recent California case). The imperative "shall" does not, on its face, allow for a "covered entity" such as Apple, for example, to evade this by implementing a security system in their product that they cannot, in fact, circumvent; the law, if enacted, will impose a requirement

      The draft does not provide any information about the consequences for a "covered entity" that either will not or cannot comply. I can imagine a fine, possibly quite large, for covered entities that refuse and possibly injunctions shutting down sales of non-compliant products which the covered entity has designed so that it cannot bypass the product security. That would be a sad outcome indeed.

      The proposed law still is pretty rough, and does not cover things, such as fraud, money laundering, and other financial crimes that seem fairly obvious. There seems no very good reason, for example, to single out any particular type of crime for this treatment; it ought to be enough for a US or District Attorney to be able to convince a judge to issue a search warrant based on probable cause. (I expect that other types of court order, if included in an enacted version, would be thrown out on the basis of Riley v California, which found a warrant necessary for search of a cell phone, even incident to an arrest).

      1. Anonymous Coward
        Anonymous Coward

        Re: I don't see how this would be a problem for Apple

        Apple would not be "refusing" to comply, they would be unable to comply. It would be no different than the FBI trying to get Apple to break into a phone that had been damaged by fire, and Apple telling them "it has been destroyed too badly".

        The law says the covered entity 'shall' provide certain things, but does not specify that they must design their products to be capable of providing those things. That's a whole different law, and Apple will already be at that point before this law can ever pass - congress would never pass something so controversial during an election year, and by the time there is a lame duck session in November Apple will have already changed iOS 10 so they cannot comply.

        1. tom dial Silver badge

          Re: I don't see how this would be a problem for Apple

          The question might well be whether Apple would be able to sell such equipment in the US. The draft law appears to require that they bypass, or help the government to bypass, security that they provide or have provided on their behalf by another party, given a constitutionally valid warrant or other court order, and maybe a lawful court order for assistance under the proposed act, to do so. One obvious solution to the "cannot bypass" claim would be a "cannot sell" injunction applicable to such equipment in the US.

          I am not arguing that this would be good policy, or would not cause great uproar and discontent. However, it is not obviously inconsistent with anything in the Constitution. Moreover, if implemented subject to the same controls that Apple applies to iOS, it would not, in fact, pose any threat that does not now exist to users against whom the government does not obtain authority to breach privacy.

          The draft act has numerous problems, but "cannot bypass my built in security" may not be the most serious of them.

    5. SImon Hobson Silver badge

      Re: I don't see how this would be a problem for Apple

      > They are going to make it so it is impossible to get at the data under any circumstances. ... if presented with an iPhone running iOS 10 that includes the changes that make it impossible for Apple to help, the FBI will get the court order and Apple will say "what you are asking is impossible".

      And that's where this law kicks in, such a phone would be illegal - it would be illegal for Apple to make it (or import it), illegal to sell it, and if Apple ever turned round and said "impossible" then that's a complete admission that they broke this new law banning unbreakable crypto.

      In fact, their current models would be illegal under this law - and that's the problem.

      "Anything" with crypto where TPTB can't be given the decrypted data on demand is basically illegal. So Apple must water down their protection to render it insecure - and so must anyone else making or importing anything in the US.

      As pointed out, this would render the USA "out of bounds" for pretty much anything technology related. The current "discussions" regarding Privacy Shield would be moot - it would be illegal to provide proper security of any data held in the US even if the government completely backed down and accepted the principle of privacy.

      What would happen is that a good chunk of US technology business would be very quickly offshored. There'd be (sticking with Apple for a moment) a "US iPhone" and a "rest of world" iPhone - the RoW version would have security, the US one wouldn't, and the security software would have to be developed outside of the US. A bit like certain encryption tools had to be developed outside the US to avoid their "encryption is a weapon of mass destruction" laws.

      Apple, Microsoft, IBM, Cisco, Juniper, and a long long list of US tech companies would very soon be deciding that the rest of the world was a more important market than the domestic US one !

      1. Charles 9

        Re: I don't see how this would be a problem for Apple

        "In fact, their current models would be illegal under this law - and that's the problem."

        Then the problem lies with Congress. The Constitution specifically forbids retroactive laws (Article I, Section 9). If an item exists legally, it cannot be made illegal after the fact.

        1. tom dial Silver badge

          Re: I don't see how this would be a problem for Apple

          The prohibition of ex post facto laws probably would be effective exactly until they (for whatever value of "they") offer a new model or an update to the software or firmware of an existing model.

      2. Anonymous Coward
        Anonymous Coward

        Show me where

        I have seen nothing in the text of the proposed law that makes it illegal to make, sell or import any sort of device based on government access. Only that tech companies have to help the government access them, but it is silent on what happens if the tech company is UNABLE to help.

      3. tom dial Silver badge

        Re: I don't see how this would be a problem for Apple

        There are a few other countries where law enforcement officials would be happy to be able to access data stored on smartphones (France, Belgium, and the UK come to mind rather quickly). It seems possible that these companies find few large markets in which to sell equipment that is immune to government authorized search.

        Upvoted anyhow for clarity of analysis, although the bill, if enacted, is certain to differ from what we see now in draft.

  8. stizzleswick
    FAIL

    Unwanted consequences

    I wonder whether these congresspeople ever think their ideas through to the end. If they insist on weakened encryption, this encryption will not only be broken by law enforcement, but by criminals ranging from individual to corporate.

    Which would put a stop to most high-value technological development.

    Think about it. Boeing and Airbus would know exactly what the other company is developing. The 787 came out before the A350 in part because of industrial espionage by Boeing; with no secure encryption available, this kind of thing would not be a single occurrence but a constant one. So both companies would stop doing any high-risk development out of fear that they invest the billions into R&D only for the other company to file the patents first. You may replace "Airbus" and "Boeing" with the names of any other high-tech duopoly you like, there are quite a few. Think space booster development and defense contractors.

    The same goes for scientific progress. In the higher academic circles, he who publishes first gets the Nobel Prize, not necessarily he who did the actual work. So work would get slowed significantly, because top-notch scientists would be unable to use electronic media for communication for their work any longer, lest another team grab the laurels of years of work they didn't do themselves. It has happened before, many times, just so far through negligence, leaving papers lying around, and not by default decreed by law.

    Those are only the two most obvious considerations, but I somehow doubt the congresspeople (and the many other legislators the world over demanding encryption be banned outright!) ever thought things through even this far.

    1. Richard 12 Silver badge

      Re: Unwanted consequences

      Airbus would be fine - they're European!

      Boeing would be utterly screwed.

      1. h4rm0ny

        Re: Unwanted consequences

        US Intelligence has previously been known to pass on Airbus's confidential information on big deals to Boeing. This is known in the EU. So turnabout is fair play, I guess. Even if it's self-inflicted on the US part.

    2. Doctor Syntax Silver badge

      Re: Unwanted consequences

      "I wonder whether these congresspeople ever think their ideas through to the end. If they insist on weakened encryption, this encryption will not only be broken by law enforcement, but by criminals ranging from individual to corporate."

      That's not a problem in the minds of the bill's authors. The vendor just has to provide encryption that criminals can't break but they, the vendors, can. How they do that is the vendors' problem: "Nothing in this Act may be construed to authorize any government officer to require or prohibit any specific design ... to be adopted by any covered entity."

    3. allthecoolshortnamesweretaken

      Re: Unwanted consequences

      It's almost like they want to wipe out the US high tech sector...

      ... but life and some exposure to politics on the local level has taught me that human stupidity knows no bounds. It's either that, or they are North Korean sleeper agents. In any case, at least it would lower the rents in the SF area.

    4. Jeffrey Nonken

      Re: Unwanted consequences

      "I wonder whether these congresspeople ever think their ideas through to the end. If they insist on weakened encryption, this encryption will not only be broken by law enforcement, but by criminals ranging from individual to corporate."

      No. They think the keys will be safe in the hands of law enforcement, won't be abused, and won't be cracked independently by hackers or other governments.

      After all, they're the good guys, right?

      They really are that incredibly stupid and ignorant.

      1. tom dial Silver badge

        Re: Unwanted consequences

        The proposed act, like the court order in the Farook iPhone case, does not require that the government have any keys at all, or even be able to use whatever a vendor devises to comply with the act. It requires that the vendor decrypt or assist the government to do so.

    5. John 104

      Re: Unwanted consequences

      @stizzleswick

      They do think these things through. Most anti-crime legislation in the US these days is geared toward non-criminals. Criminalizing constitutionally held rights all in the name of safety. Criminals don't give a rat's ass about the law, that's why they are criminals... The senators know this. The goal is to remove the power of the populace to protect themselves from, and hold accountable, the very elected officials that are supposed to be working for the people, not for themselves. Sadly, it is probably horribly and irreversibly corrupted. As a US citizen it sickens me to no end.

    6. Richard Roe
      Facepalm

      Re: Unwanted consequences

      Weak encryption is no encryption. Will anyone buy anything online again? Will the banks bear all the losses as thieves access bank accounts?

  9. Anonymous Coward
    Anonymous Coward

    ORLY?

    > "No entity or individual is above the law," said Feinstein

    So obviously, the architects of the 2008 financial meltdown are mostly behind bars? The people responsible for fabricating evidence of WMDs in Iraq, and taking half of the western world to war; they had their comeuppance didn't they? And when the CIA realised they'd accidentally provided self-incriminating documents to a Senate Committee, then hacked the senate computers to remove said evidence, they were brought swift justice after Dianne Feinstein herself brought it to light?

    1. bombastic bob Silver badge

      Re: ORLY?

      Feinstein's contact page uses HTTPS, I cynically point out...

      https://www.feinstein.senate.gov/public/index.cfm/e-mail-me

      1. Ken Hagan Gold badge

        Re: ORLY?

        Interestingly, the use of encryption in https is not to hide anything, merely to prove that it really is you.

        I'm sure it is well understood in these forums that a back-door would not only blow open secrets, it would make it impossible to trust anything. However, I see no wording in this bill about making it possible to impersonate others (perhaps, for the purposes of emptying their bank accounts).

        Perhaps the best response to this bill is "Please publish your online banking details.". The idiots will wonder what you are talking about and deny that it is relevant, but if it becomes the stock response to all such requests, perhaps the more curious idiots (like, the ones voting in November) might make further enquiries and enlighten themselves.

        1. Doctor Syntax Silver badge

          Re: ORLY?

          'Perhaps the best response to this bill is "Please publish your online banking details.". The idiots will wonder what you are talking about and deny that it is relevant'

          And they'd be right. Because apart from being able to decrypt on demand for law officers the vendor would be required to protect the data from everyone else. The fact that these requirements are mutually impossible is beside the point as far as the authors are concerned.

        2. Sir Runcible Spoon

          Re: ORLY?

          "Interestingly, the use of encryption in https is not to hide anything, merely to prove that it really is you"

          Wait, what?

          I agree that there are two uses for encryption keys and that one of those is to digitally sign data to prove it was written by you, but I'm not sure you understand https as it isn't implemented like that.

          The certificate exchange and verification process is to create an encryption key for the data flow between you and the web server. Anyone else looking at that data stream wouldn't know what it contained unless they had the key.

          Unless I've totally misunderstood your point :/
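The handshake Sir Runcible Spoon describes, shown as an added example that is not part of the original thread and is not TLS itself: each side keeps a private exponent, exchanges only a public value, and both derive the same traffic keys, while an onlooker holding every byte that crossed the wire cannot. It uses finite-field Diffie-Hellman over the RFC 3526 group 14 prime, HKDF from RFC 5869, and an encrypt-then-MAC record layer with HMAC-SHA256 as the PRF, all from the Python standard library; the record construction and the "traffic keys" label are illustrative choices, not TLS's, and real TLS additionally signs the handshake with the server's certificate key (the authentication Ken Hagan is pointing at), which is omitted here. The HTTP request is a constructed sample.

```python
"""Added example (not the page's code, not TLS): the key agreement an HTTPS
handshake performs. Finite-field Diffie-Hellman over RFC 3526 group 14
(2048-bit MODP, g = 2), HKDF (RFC 5869) and an encrypt-then-MAC record
layer, all from the standard library. Real TLS uses ECDHE plus an AEAD and
signs the handshake with the certificate key; that step is omitted here."""
import hashlib
import hmac
import secrets

G = 2
P = int(  # RFC 3526 group 14 prime, transcribed from the RFC text
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)


def hkdf_sha256(ikm, salt, info, length):
    """HKDF (RFC 5869): extract a PRK, then expand it to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, ctr = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([ctr]), hashlib.sha256).digest()
        okm += block
        ctr += 1
    return okm[:length]


def keystream(enc_key, seq, length):
    """HMAC-SHA256 in counter mode over (record seq, block ctr). The record
    sequence number is the nonce and must never repeat under one key."""
    out, ctr = b"", 0
    while len(out) < length:
        msg = seq.to_bytes(8, "big") + ctr.to_bytes(4, "big")
        out += hmac.new(enc_key, msg, hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def seal(enc_key, mac_key, seq, plaintext):
    """Encrypt-then-MAC: XOR with the keystream, then tag (seq || ciphertext)."""
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, seq, len(plaintext))))
    return ct + hmac.new(mac_key, seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()


def open_record(enc_key, mac_key, seq, record):
    """Check the tag in constant time before decrypting anything."""
    ct, tag = record[:-32], record[-32:]
    expected = hmac.new(mac_key, seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad record MAC: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, seq, len(ct))))


def can_open(enc_key, mac_key, record):
    """True if these keys accept the record, False if the MAC rejects it."""
    try:
        open_record(enc_key, mac_key, 0, record)
        return True
    except ValueError:
        return False


class Endpoint:
    """One side of the handshake (browser or web server)."""

    def __init__(self):
        self.priv = secrets.randbits(256)  # ephemeral secret, never sent
        self.pub = pow(G, self.priv, P)    # the value that crosses the wire

    def derive_keys(self, peer_pub, transcript):
        if not 1 < peer_pub < P - 1:  # 0, 1 and p-1 force a trivial shared secret
            raise ValueError("degenerate peer public value")
        shared = pow(peer_pub, self.priv, P).to_bytes(256, "big")
        # Salting with the transcript binds the keys to the public values actually
        # seen; a value altered in flight yields mismatched keys, as in TLS.
        okm = hkdf_sha256(shared, hashlib.sha256(transcript).digest(), b"traffic keys", 64)
        self.enc_key, self.mac_key = okm[:32], okm[32:]
        return okm


def demo():
    """Run the exchange; report what each observer can do with one record."""
    client, server = Endpoint(), Endpoint()
    # Constructed transcript: exactly the bytes an eavesdropper gets to see.
    transcript = client.pub.to_bytes(256, "big") + server.pub.to_bytes(256, "big")
    keys_match = (client.derive_keys(server.pub, transcript)
                  == server.derive_keys(client.pub, transcript))
    record = seal(client.enc_key, client.mac_key, 0, b"GET /account HTTP/1.1")  # sample
    decrypted = open_record(server.enc_key, server.mac_key, 0, record)
    # Passive eavesdropper: holds P, G, both public values and the record but no
    # private exponent; keys derived from the public data alone open nothing.
    guess = hkdf_sha256(transcript, b"", b"traffic keys", 64)
    # Active tamperer: flips one ciphertext bit; the MAC check rejects the record.
    flipped = bytes([record[0] ^ 0x01]) + record[1:]
    return {
        "keys_match": keys_match,
        "decrypted": decrypted,
        "eavesdropper_can_read": can_open(guess[:32], guess[32:], record),
        "tamper_detected": not can_open(server.enc_key, server.mac_key, flipped),
    }


if __name__ == "__main__":
    print(demo())
```

The transcript salt is the detail worth noticing: it is what makes the exchange useless to an active attacker who swaps in their own public value, because the two endpoints then derive different keys and every record fails its MAC. Without the certificate signature TLS adds on top, nothing here tells the browser which server it agreed a key with, which is precisely the impersonation problem the earlier comment raises.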

  10. dan1980

    Let's blow past all the ethical reasons why this is ridiculous and even past the reasons why weakening encryption is dangerous.

    Instead, let's just focus on the practical, logistical implications for the existing technology companies who would be covered by this.

    There are thousands of pieces of existing software, currently running on all manner of hardware, that would need to become compliant with this legislation. All that software would need to be re-written and re-deployed.

    That's not quick and it's not free. So, while companies may be compensated (by the tax payer) for the effort required to hand over the data for each request, who pays for them to re-write their software? To delay product launches? Arranging for updating of existing devices? User communication? Support?

    And that's before we talk about interoperability and communication between heterogeneous systems - something that's sort of important in the modern, connected world.

    How can you have software from different vendors across different hardware communicating without standards? And what standards can exist when each vendor is charged with coming up with their own solution?

    So yes, the privacy and security issues are HUGE but even at the simplest level, this legislation is insane.

  11. MotionCompensation

    In the Land of the Free..

    ... you can have a gun, but you're not allowed to keep secrets.

    1. tom dial Silver badge

      Re: In the Land of the Free..

      You are allowed now to keep whatever secrets you wish by default. The government (either federal or state) can get authorization from a judge to access those secrets by obtaining a warrant based on "probable cause, supported by Oath or affirmation." That is included in the Constitution's fourth amendment. The proposed law may be unworkable and it may be bad policy, but nothing in it affects legal rights of citizens or of non-citizens legally present in the US.

    2. Eponymous Cowherd
      Facepalm

      Re: In the Land of the Free..

      It's more absurd than that. The politicotards don't get the fact that encryption is just maths, and it's piss easy to roll your own.

      So they want to try to ban (or, at least, render ineffective) something that anyone can make for themselves. An act that will also have little effect on the safety of American (or any other) citizens.

      Yet fail to do anything to control guns, which most people are incapable of making themselves and which kill over 10,000 Americans every year.

      1. Anonymous Coward
        Anonymous Coward

        Re: In the Land of the Free..

        You are aware that the guns are incapable of firing themselves?

        I just want to be sure you grasp that basic fact...

        1. gazthejourno (Written by Reg staff)

          Re: Re: In the Land of the Free..

          Ridiculous. Everyone knows guns themselves murder millions daily while their terrified owners cower in fear, meekly bombing up fresh magazines lest their property turn against them.

        2. Eponymous Cowherd
          FAIL

          Re: In the Land of the Free..

          "You are aware that encryption algorithms are incapable of finding terrorist material themselves, eh?"

          You are aware that encryption algorithms are incapable of finding terrorist material themselves, eh?

        3. Charles 9

          Re: In the Land of the Free..

          "You are aware that the guns are incapable of firing themselves?"

          So why does the term "spontaneous discharge" exist, then?

  12. Queasy Rider

    You have all been bamboozled.

    This bill will never become law and they know it. It is really meant to force every rich tech company to open their wallets, not their encryption. This bill will have tech running so scared that they will pour mountains of cash through their lobbyists into congress critters' pockets. Congress, on its part, will equivocate, right up to the final vote, squeezing every last penny they can out of the Googles, Microsofts, Facebooks, etc. of America, before finally, at the last moment, allowing themselves to be convinced that this is a bad bill, then claiming they felt that all along. Everybody will then breathe a deep sigh of relief, and Congress will stash all that windfall cash.

    1. Anonymous Coward
      Anonymous Coward

      Re: You have all been bamboozled.

      I agree. We're at the point where tech companies are globalised. They don't need government anymore and they choose where to pay tax and how much. Tech companies also command more respect, authority and credibility amongst the population as compared to government institutions and politicians. The recent support for Apple (vs FBI) is evidence of that.

      The old way of politics where the Military & Industrial complex pours money into lobbyists and politicians is over.

      The ban on encryption is a last ditch attempt at showing tech companies who's boss.(or who wants to stay boss).

      In recent years technology has had a bigger(positive) impact on my life than politics. It is almost as if politicians are intentionally boring people to death, so they can get on unhindered, with whatever it is they do.

      I find the efforts of Elon Musk more inspirational than any politician in the last few decades.

    2. allthecoolshortnamesweretaken

      Re: You have all been bamboozled.

      So, basically it's a protection racket?

  13. Brent Beach

    This bill ensures that there can never be a safe harbour for EU data on any US server.

    When this bill passes, the US ceases to be a part of the internet - no one will allow any of their data to ever reside in the US. I suspect many US citizens will insist their data go offshore as well.

    We will have Data Havens popping up in small countries around the world - they will allow strong encryption and deny all access to the data. Data Havens will soon have a value beyond that of Tax Havens. Small islands will have to install nuclear reactors to power the server farms.

    This may also mean owning an enigma machine will be illegal.

    Science fiction writers are going to have a field day with this.

    1. James 51

      Science fiction writers are going to have a field day with this.

      FTFY.

    2. allthecoolshortnamesweretaken

      Data havens

      They will also have to build up a nuclear deterrent. Just in case.

      EDIT

      OMG, I could see a business opportunity in this. For North Korea.

  14. Allan George Dyer
    Devil

    How to get a supercomputer, paid for by the USA Gov...

    "shall be compensated for such costs as are reasonably necessary"

    I see an opportunity...

    1. Build popular app with strong encryption

    2. Wait for USA Gov. to demand decryption

    3. Ask for $$$ to buy f**ing big supercomputer...

    4. "No, we don't have an answer yet, call again in 10 billion years..."

    "and which have been directly incurred"

    Damn, past tense, it's like they were anticipating this...

    1. John Robson Silver badge

      Re: How to get a supercomputer, paid for by the USA Gov...

      Buy it online, submit invoice to US Gov.

      If they don't pay inside the DLR time limit then return supercomputer to supplier...

  15. Oengus

    Business opportunity

    "No man's life, liberty, or property are safe while the legislature is in session." Mark Twain

    Never were truer words spoken. Particularly in this case. I think we should setup legislation in a country that guarantees the availability of strong encryption and ensures that there are no backdoors. If we can couple that with low company taxes I am sure that a lot of high tech companies will want to setup there.

    1. Nigel 11

      Re: Business opportunity

      Elon Musk was mentioned earlier.

      I doubt it was his plan, but who is better-placed to set up a data-haven outside all existing legislatures? On Mars, maybe?

      1. John H Woods

        Re: Business opportunity

        "On Mars, maybe?"

        Don't fancy your latency ...

  16. bombastic bob Silver badge

    I fired off a Nasty-Gram to Feinstein

    I fired off a Nasty-Gram to my senator, Feinstein. I avoided profanity. It wasn't easy.

    https://www.feinstein.senate.gov/public/index.cfm/e-mail-me

    that's where ANYONE can send a Nasty-Gram. It helps if you live in Cali-fornicate-you, but ANYONE can say whatever they want.

    It also helps if you give REAL contact information.

    I'm sure there's a SIMILAR contact form for the other senator, the 'Establishment' RINO.

    stoopid gummint.

    1. Pascal Monett Silver badge

      Re: I fired off a Nasty-Gram to Feinstein

      Kudos to you for doing the one thing that is really necessary in this case : showing your politician that his aides and yes-men are out of touch with his political base.

      Because nothing sends a politician scurrying the other way like the perspective of losing votes. Remember Minister Hacker ? "You're not asking me to make a courageous decision, are you ?"

      Make sure that hack knows the decision is courageous.

      1. Nigel 11

        Re: I fired off a Nasty-Gram to Feinstein

        Shouldn't we be firing off nicely supportive missives, encouraging him in his efforts to bankrupt the USA within the decade and to make the EU the best place in the world for businesses old and new?

        1. Jeffrey Nonken

          Re: I fired off a Nasty-Gram to Feinstein

          Her. Dianne. https://en.m.wikipedia.org/wiki/Dianne_Feinstein

          Not that I expect everybody in the world to know our politicians. The US citizenry are notorious in our own ignorance of global politics. Or culture. Or language. Or geography. I... May be slightly less parochial than most, but I'm guilty of it as well.

  17. Anonymous Coward
    Anonymous Coward

    Para 12(C)(i) is a good one

    Providing technical assistance by delivering such information or data - concurrently with its transmission would require the OS used to encrypt a communication to provide a live feed, if requested.

    Telemetry, telemetry, telemetry - now we know what Windows 10 is for.

    1. Dan 55 Silver badge
      Black Helicopters

      Re: Para 12(C)(i) is a good one

      Windows 10 allows MS to log in if you don't lower the diagnostic data level from full.

      MS are practically complying with this bill already. Almost uncanny.

      1. Anonymous Coward
        Anonymous Coward

        Re: Para 12(C)(i) is a good one

        Uncanny, yes. Microsoft seem to have had a good idea of where the wind was blowing. Or are they blowing themselves?

        Doesn't say much for Windows 10, mind, if its best chance of taking over from Windows 7 lies in it already being compliant with a nut-job bit of lawmaking.

  18. Anonymous Coward
    Anonymous Coward

    As much as I think this is stupid and damaging I think I can see where this is going. They will probably enforce the local storage of keys and the unlocking of devices on the manufacturer that way the encryption is intact until you have physical or remote access to said device.

    Having said that, the stupid part is that they really think they could force someone like Tencent to adhere to these rules, and if they don't then how exactly would they stop people using foreign software? The only thing this will achieve is the severe hobbling of the US tech industry. Who in their right mind would use a cloud service that the US government could access at will?

    1. Pascal Monett Silver badge

      Name me a US-based cloud service that the US government cannot access "at will".

      Just one.

      Those National Security letters don't take all that long to print, you know.

      1. Anonymous Coward
        Anonymous Coward

        That's true but it isn't currently explicitly disclosed so it gives the US a modicum of deniability.

      2. energystar
        Childcatcher

        Don't be so chauvinist...

        Just name a Civilian Cloud anywhere in the World not accessed by some government.

  19. Bloodbeastterror

    The Wire

    Anyone who has seen this will recognise the recent UK newspaper articles which said that the terrorist scum didn't rely on encryption, they used burner phones. How exactly will this bill help with that...?

    I'll allow that these two are not evil (though this is exactly the way that the 1984 brigade are creepingly gaining control over the populace) but that leaves me only with the alternative - they're stupid and/or ill-informed.

    1. Pascal Monett Silver badge
      Trollface

      Heretic !

      How dare you bring reality to the debate ! You informed anarchist, you !

      This is not about particular occurrences, this is about furthering the domination of Government over The People by using handwaving, strawman arguments and religiously chanting the magic password (ie terrism).

      You're ruining everything they're fighting for !

  20. tony2heads

    2 thoughts

    - What ever happened to "Live free or Die" and ”He who would trade liberty for some temporary security, deserves neither liberty nor security” from the founding fathers of the USA

    - Sen. Feinstein is beginning to look like Davros emperor of the Daleks

    1. Sir Runcible Spoon

      Re: 2 thoughts

      Get real, Davros was a genius.

    2. Teiwaz

      Re: 2 thoughts

      "- Sen. Feinstein is beginning to look like Davros emperor of the Daleks"

      Beginning? (cover picture doesn't show the 'travelling machine')

      (between her and Theresa the Sea Devil it's quite the Doctor Who nemesis line-up)

      1. TimeMaster T

        Re: 2 thoughts

        That is a very rude thing to say. Davros is much better looking.

    3. Anonymous Coward
      Anonymous Coward

      Re: 2 thoughts

      "Live free or Die"

      I think Rincewind put it best. Once you're dead, it's over. At least when you're alive you can change things.

      "He who would trade liberty for some temporary security, deserves neither liberty nor security"

      They've been found to be mutually exclusive and polarizing. You can EITHER have liberty (in anarchy) OR security (in autocracy); problem is, there's no happy medium between them because anything in between is unstable, naturally tending to drift toward one end or the other. So third options are ephemeral at best.

  21. Craig 31

    "All providers of communications services and products (including software) should protect the privacy of United States persons through implementation of appropriate data security and still respect the rule of law and comply with all legal requirements and court orders."

    And for the none americans living in America?

    1. Doctor Syntax Silver badge

      "And for the none americans living in America?"

      That's OK, they're probably illegal immigrants.

      1. Sir Runcible Spoon
        Headmaster

        "And for the none americans living in America?"

        There aren't any.

  22. Anonymous Coward
    Anonymous Coward

    Low hanging fruit...

    Law enforcement should focus on non encrypted crime first. The Panama Papers have shown that tax evaders and money launderers have been doing just fine for the past 40+ years without encryption and most countries have done nothing about it.

    Would be great if we saw law enforcement holding these people accountable, instead of wasting energy on this "war on encryption" media campaign.

    1. Charles 9

      Re: Low hanging fruit...

      HOW when it's the people ABOVE law enforcement in the midst of it. These are the kind of people who live above the law if not outside it. Try to snare them and they'll bribe whoever they need and sneak off to some place where they can't be extradited.

  23. long-in-tooth

    long-in-tooth

    I have an ENIGMA Machine and a single-use set of settings.

    A short message with surrounding babble apparently would take 1,000 years to crack.

    ADNH HTAS HYDL TJGJ EMNH

    My password is 'incorrect'

    1. Sir Runcible Spoon
      Joke

      Re: long-in-tooth

      If your password is 'incorrect', maybe it is 'expired'.

    2. energystar
      Windows

      Re: long-in-tooth

      MS Office License? Enigma was serious engineering. How big would that machine be on silicon? 'Grain of rice'? Why the 'millions' lines of code? There's a lot of ignorance to profit here. Doesn't it, Security Industry?

    3. energystar
      Flame

      Re: long-in-tooth

      Just surround your blog posts with noise text. And you'll be guilty. Of contributing to Climate Warming.

      1. energystar
        Facepalm

        Re: long-in-tooth

        Releasing your post up here for World view has generated a large amount of heat.

  24. John Robson Silver badge

    Reasonable costs...

    Well, I'll need a few dollars to research quantum computing, build working hardware, then I can start to crack the encryption to help you...

    No I can't tell you if 'few' means a billion or 100 trillion...

  25. Rich 11 Silver badge

    This law would only apply to US companies or overseas firms with offices here

    If TTIP comes in before Burr-Feinstein, does that mean that an EU company offering end-to-end encryption services in the US could sue the US government for compensation by severely restricting the service it can offer? How is 'office' defined? A shell company constituted in Delaware, or would a rented mailbox in DC do?

    A covered entity that receives a court order from a government as described in paragraph (1) and furnishes technical assistance under subparagraph (B) of such paragraph pursuant to such order shall be compensated for such costs as are reasonably necessary and which have been directly incurred in providing such technical assistance or such data in an intelligible format.

    So maybe the Feds eventually approach the company with a court order and say they need one of its customers' messages in an intelligible form. If the Feds want the plaintext some time before the heat death of the Universe, the company rents a truly huge amount of compute power and sets it to brute-force cracking. How long would it take before the government budget for such recompense is drained?

    1. Charles 9

      "So maybe the Feds eventually approach the company with a court order and say they need one of its customers' messages in an intelligible form. If the Feds want the plaintext some time before the heat death of the Universe, the company rents a truly huge amount of compute power and sets it to brute-force cracking. How long would it take before the government budget for such recompense is drained?"

      Probably not much at all if they're keeping a Black Project working quantum computer under the datacenter in Utah.

  26. kryptonaut
    Facepalm

    The Law

    "No entity or individual is above the law," said Feinstein.

    ...except for the laws of mathematics, we in the government are definitely above those laws.

    1. energystar
      Big Brother

      Not the mathematics...

      But the mathematicians. Yeah! talking to you.

  27. Doctor Syntax Silver badge

    "This is an odd one, since that is entirely the bill's purpose."

    No it's not odd. It's a protection against being posed the obvious problem they can't answer: "OK, if you're so clever, tell us how to do this.".

  28. Anonymous Coward
    Anonymous Coward

    Serve the suspect with a warrant

    Serve the suspect with a court order requiring they unlock their stuff. Why exactly should the police be able to reach-around the judicial protections? Why should they be able to go to the device makers instead of the usual court ordered searches directed at the suspect?

    It's called "Compliance with Court Orders Act", it's actually "Compliance with any potential FUTURE court order act".

    Because they have to backdoor everyones hardware *today* to allow for any future court or police requests for that data *tomorrow*.

    Do they have probable cause to suspect *everyone* today for crimes they might commit tomorrow?

    No.

    On the contrary, they have a privacy right today, and a presumption of innocence (certainly of crimes they haven't yet been accused of), so why is their hardware backdoored and spied on if they're innocent? Feinstein?

  29. Andy 97

    This is a nonsense.

    If the Congress people actually think this will have any influence on genuinely bad people and how they communicate with others - they are completely diluted.

    "Did IQs drop sharply while I was away?"

    1. Sir Runcible Spoon
      Joke

      " they are completely diluted."

      To what degree? 10%? 5%?

  30. Doctor Syntax Silver badge

    There are a couple of likely outcomes.

    One is that the mutual incompatibility of the requirements would become its downfall in court. A company builds the encryption its customers require. Some investigator attempts to invoke the decryption requirement. The company goes to court with any number of expert witnesses to state that the requirements of the law are mutually impossible. Based on that, they argue that they've complied with one and must then be excused from complying with the other. There'd be scope for pouring on a certain amount of ridicule such as comparing the bill with attempting to outlaw gravity.

    The other is that the US loses its IT industry.

    1. admiraljkb
      Coat

      Your #2 is actually #1, but regardless, it's a crappy law. I'll get my coat, as the US will be too tech-hostile to stay in if anything like the proposed law passes....

  31. Nameless Faceless Computer User

    Couple of things

    Bills like this are introduced in a vacuum of what the people actually want.

    The news media will not cover it because they're too busy following what Donald Trump said yesterday.

    If and when people actually hear the news, they won't understand it. The bill will have a cute title like, The American People Protection Act Against Terrorism or some other meaningless "sounds good" nomenclature.

    1. Nigel 11

      Re: Couple of things

      I'm actually almost hoping that this bill passes.

      The initial result will be no noticeable change.

      The long-term result will be the exit of all high-tech industries from the USA, to the ruination of that country and the benefit of anywhere else that does not blindly follow the USA over the cliff.

      Sadly that's more likely to be a Pacific atoll state than the UK!

      1. Anonymous Coward
        Anonymous Coward

        Re: Couple of things

        Sadly that's more likely to be a Pacific atoll state than the UK!

        I unfortunately agree BUT I would recommend something with a higher height above sea level than an atoll.

        If they really want an atoll I'm sure China will build one for them.

  32. Aodhhan
    Meh

    1- Right to privacy isn't absolute.

    2- The government has the responsibility of keeping the general public safe

    3- There are ways to allow bypassing encryption and still keeping things relatively secure... or do you really think you currently need to 'approve' updates to your operating system?

    4- It's more likely you and the general public will benefit from a bypass than have it used against you... unless you're a criminal.

    For instance... it's more likely you will have your identity stolen, credit debt increased, bank account wiped out, etc... and the only evidence linking the criminal to these acts against you are on an encrypted hard drive.

    If law enforcement cannot get access to it, the criminal will never be charged and your money, credit rating, etc. will be lost forever. Which also means any decent paying job requiring a background investigation will be out of reach because of a poor credit rating and all the other electronic mayhem the criminal did.

    What about a possible POS breach where criminals got access to your credit card numbers among other things. Investigators can't investigate what happened because the banks and commercial store involved refuse to allow access to their encrypted information.

    ...I wonder, will you be in favor of a law enforcement bypass then? Of course you would. Just imagine your whole world turned upside down, and tomorrow you have no car, no place to live and no money. With your electronic reputation in the dumps, you also have no future or prospects for employment, loans, etc.

    Good luck with that.

    1. Anonymous Coward
      Anonymous Coward

      "For instance... it's more likely you will have your identity stolen, credit debt increased, bank account wiped out, etc... and the only evidence linking the criminal to these acts against you are on an encrypted hard drive."

      More than likely such a savvy criminal will live outside US jurisdiction, meaning he's out of reach anyway. Even if he could be apprehended, he'd likely have no evidence at all because at the hint that the door's being busted in, he activated a self-destruct mechanism whereby the volume key on the drive is wiped or physically melted with thermite. Either way, the evidence goes up in smoke and the law has no case and no way to create one. All his data is now just useless random data that NO one can decrypt, not even him.

      "What about a possible POS breach where criminals got access to your credit card numbers, among other things? Investigators can't investigate what happened because the banks and commercial store involved refuse to allow access to their encrypted information."

      Again, nine times out of ten, the crook is operating from another country: likely one that's antagonistic to the West like Russia or China and maybe even with their tacit consent and covert support. Three words: you can't win.

      About the only way you can avoid this is to liquidate all your assets and go live by yourself in the Alaskan wilderness or somewhere in complete isolation. Otherwise, you just have to live with the risk and realize that when it comes, it's "Game Over, Better Luck Next Life," and there's no way around it. Either live with it or drive yourself crazy trying to flatten the sphere.

    2. Doctor Syntax Silver badge

      "For instance... it's more likely you will have your identity stolen, credit debt increased, bank account wiped out, etc."

      How do you think this might happen? And how (you're going to have to think harder than you've ever thought before) do you think this might be prevented?

  33. bacdef

    No entity or individual is above the law

    IANAL.

    One question that pops up in my mind upon reading this is: could an individual or an entity potentially sue the US government or one of its agencies and through this proposed law compel it to hand over its encryption keys and data?

    1. Charles 9

      Re: No entity or individual is above the law

      The Constitution generally gives the federal government sovereign immunity. In other words, you can only sue if they ALLOW themselves to be sued.

      1. Doctor Syntax Silver badge

        Re: No entity or individual is above the law

        "The Constitution generally gives the federal government sovereign immunity. In other words, you can only sue if they ALLOW themselves to be sued."

        In other words, they're above the law.

        1. Charles 9

          Re: No entity or individual is above the law

          No, they have sovereign immunity because they ARE the law. Without them, the law wouldn't exist. It's part of the deal with sovereignty: being self-determining, they establish and enforce the rules.

  34. ma1010
    WTF?

    Next Month Feinstein introduces

    A bill to make both pi and e equal to 3.0. This will be known as the "Making Scientific Calculations Simpler Act." Every bit as well-thought out as her encryption bill (or any of her many other Great Ideas), this will foster scientific innovation by making math much simpler for scientists and others. It will catapult the USA into a real leadership position in the scientific world.

    Future projects include assisting work on conquering space by getting Congress to repeal the law of gravity.

    1. MachDiamond Silver badge

      Re: Next Month Feinstein introduces

      From what I've heard, if pi is equal to 3, the postal system can be sped up to the point where we get letters before the sender has posted them. Could be a win-win as long as nobody messes with the sorting machine. Perpetual energy and all that.

  35. MT Field

    Inept leaders and bad legislation

    That's end-of-empire, folks.

  36. energystar

    At least Dianne and Richard are actually working...

    Most of the bunch are just grabbing their actual catch and yelling at each other. CONGRATULATIONS to Dianne and Richard. Also it is quite clear that Industry doesn't want to acknowledge what the Senate is clearly asking. Also it is quite clear that the only Actor? being kidded into not acting is the Consumer.

    No tech barrier. Come on, there are intelligent People around here. Theoretic formalism for this kind of problem was established since the time of Mainframes.

    IT People here are not being kidded with this pseudo-theoretical limit. But silence allows the Consumer to be kidded.

    In fact, IT People here should be fighting the fight for a breathing space of true personal encrypted privacy, within some of the memory space(s).

    Security should be concerned with communications only, and leave our private wanders and ramblings to ourselves.

    Personal_address-space > Comm-Provider_address-space > Law-Enforcement_address-space. With a line of Formal Request Back to the Individual. The better this scheme -or any other- works, the less the Intelligence Community has to meddle in everybody's business.

    1. energystar

      If well Reality of the Industry forbids it...

      The Intelligence Community should NOT meddle with the Personal_address-space, on ethical reasoning. Much less other Actors.

    2. energystar

      Dreams..

      Whoever thinks that actual Civilian Private Communications Do Exist.

      1. energystar
        Pint

        Whichever exist...

        Are 'Skunk-Works' classified. Cheers!

    3. energystar
      IT Angle

      Remembering a transcendent Royal Edict.

      English King? No man should lack guarantors.

      On empowering clients|users, the bestowing Entity becomes guarantor.

      Government is not asking the weakening of anything.

      Government Is asking those -no questions asked- empowering Companies to effect guaranties on their protégées, when Lawfully requested so.

      Again, this is not a Tech Issue. As simple as dividing that so-called One Pass by two. And declaring themselves 'Me in the Middle'.

  37. ecofeco Silver badge

    Privacy is some kinda damn socialist plot!

    You have problem with Corporate Communist Capitalism©®™, comrade?

  38. Old Handle

    OK, I'm inclined to think it's just stupid, not evil

    It seems to me the only change to make this a reasonable (not necessarily good, but reasonable) law is to insert "if possible" at the end of the requirement for companies to turn over data. Since it does contain the provision that no particular design can be required or prohibited, in practice all it really means is "If you leave the door open, let us use it". As currently written, all a company would have to do to "comply" with this law, while still offering strong end-to-end encryption, is say "Alright, 'appropriate technical assistance' coming right up. We're going to build the world's biggest supercomputer farm to crack this key for you... but you're paying, right?"

    1. Vic

      Re: OK, I'm inclined to think it's just stupid, not evil

      It seems to me the only change to make this a reasonable (not necessarily good, but reasonable) law is to insert "if possible" at the end of the requirement for companies to turn over data.

      Nope.

      The change required to make it reasonable involves a pint of diesel and a blowtorch...

      Vic.

      1. Charles 9

        Re: OK, I'm inclined to think it's just stupid, not evil

        Petrol, not diesel. Diesel actually doesn't set light with a torch. It combusts under different conditions (mostly pressure-related) which is why you don't need a spark to ignite it.

        1. Vic

          Re: OK, I'm inclined to think it's just stupid, not evil

          Petrol, not diesel

          Diesel, not petrol.

          Diesel actually doesn't set light with a torch

          This video disagrees with you. That's the first one I found - having done similar myself, I knew there was bound to be one.

          Petrol has a tendency to conflagrate and burn your face off. Diesel, with its much higher ignition temperature and lower volatility, is somewhat safer in such situations.

          Vic.

  39. paulc
    FAIL

    completely clueless..

    n/t...

  40. DiViDeD

    Who'da Thunk It?

    "Today, terrorists and criminals are increasingly using encryption to foil law enforcement efforts, even in the face of a court order"

    Those terrorists & criminals, eh? No respect for the law.

  41. dewaele

    Awesome article

    Unfortunately, most Americans have become fat, lazy, and obsessed with Kim K's ass. It is sad to see what the popular zombies have become. Look at the jokes running for president. Scammer, criminal, and idiots. The US wants to control the population and look how they love to pump our local water supplies with sodium fluoride which is known to cause problems with neural development...

    1. Charles 9

      Re: Awesome article

      "which is known to cause problems with neural development..."

      Really? Can you cite reputable peer-reviewed medical journals from multiple countries to support your claim?

      1. Dodgy Geezer Silver badge

        Re: Awesome article

        New Godwin's Law. Let's call it 'Charles' law'?

        Anyone requiring cites from 'Reputable' (ie, ones that I agree with) 'Peer-Reviewed' (in other words, old chum's networks) journals from 'multiple countries' (so that I can claim that you haven't cited enough) is:

        1 - wrong

        2 - unable to admit this

        3 - frantically trying to force the original poster to do his own checking work for him

        4 - never going to agree with any cite that's given, making the whole exercise pointless...

        1. Charles 9

          Re: Awesome article

          Then I propose Godwin's Law for Godwin's Law.

          1. If you don't believe there's such a useful thing as "reputation," then you don't trust anyone. By definition, you're paranoid.

          2. If you don't trust peer review (which includes rivals who would love to shoot down the competition), then you don't trust anyone. By definition, you're paranoid.

          3. If you don't place your stock in other countries and their laws which will differ from country and country and may indeed see each other as rivals or even enemies, you believe there is a global conspiracy. Meaning you don't trust anyone. By definition, you're paranoid.

          If you aren't willing to back up the claims you make, you're either making a baseless claim or you don't think backing up the claim is possible because the moment you make it everyone will oppose you because of you. And if you're that paranoid, why haven't you abandoned the Internet at this point, gone to the mountains, and hidden in your lead bunker waiting for Judgment Day?

          1. anniemouse

            Re: Awesome article

            The real paranoid one is the one who distrusts human beings as a species so they put everyone in the virtual animal cage in case they need to monitor protesters, political organisations, or just have some fun when they get bored.

  42. Anonymous Coward
    Anonymous Coward

    mass exodus from USA

    All security related companies be it hardware or software will HAVE to relocate all offices out of the USA.

    The USA will lose out on billions of tax revenue and will be NO safer for it; in fact they will be less safe, as local security will be backdoored and bad apples WILL get in (as well as the Govt; decide yourself which is worse).

  43. allthecoolshortnamesweretaken
    1. anniemouse

      Re: Because terrorists!

      FEINSTEIN is actually acting in a treasonous manner. BURR is actually acting in a treasonous manner. Together they are threatening the privacy of all Americans, killing American ingenuity and creativity, and generally acting like imbeciles who don't know they have their heads up their own ____.

      And... these "predatory third world control freaks" are killing American business while shipping jobs overseas. In the spirit of SANDERS & TRUMP, firing the entire legislative body save for very few, will put America on the path to being Great again.

  44. Led boot
    Paris Hilton

    Second amendment right...

    Cryptography was on the United States Munitions List as late as 1992, with all of the export restrictions that came along with it. United States citizens have "...the right to bear arms...", so I would have thought that American citizens have the right to any type of encryption they can afford?!

    Paris because; once you've made a tool of yourself as publicly as these two senators have, it's difficult to be taken seriously...

    1. energystar
      Mushroom

      Re: Second amendment right...

      "the right to bear arms.." Not to use them...the less to commit crime.

    2. anniemouse

      Re: Second amendment right...

      lol! First we get life in prison for shipping strong encryption overseas (as if the people outside the U.S. are so stupid as to not conceive their own). Now these primo azzajoles want to give us life in prison for using strong encryption.

      WOW. Privacy rules as long as you don't mind getting permission to schedule your high level business meetings from the likes of imbeciles like Feinstein (the censor master) and Burr (I hear the guy is a 100% complete eejit).

  45. Alan W. Rateliff, II
    Joke

    Chicken Littles

    For God's sake, you bunch of pinko Commies... it's BI-PARTISAN, two of our brightest political minds in fact, so it MUST be a grand idea!

    Er, honestly, I'm not certain this is funny at all...

  46. admiraljkb

    I don't see how this and HIPAA can be resolved against each other

    On one hand health care providers are told to keep patient data secure, and then if the encryption to do that is banned, they'll start to get sued for not being properly HIPAA compliant. If encryption is backed off on JUST mobile devices, then Doctors will have to go back to paper instead of tablets...

    Not to mention the fact that putting our encryption LOWER than the rest of the planet makes every bit of our infrastructure vulnerable to terrorist cyberattack or state sponsored cyberattack. Might as well revert all our power and water plants back to full manual control and pull all the computers out... How stupid are US politicians? (yeah, bunch of clueless OLD lawyers, nvm)

    1. MachDiamond Silver badge

      Re: I don't see how this and HIPAA can be resolved against each other

      It's already known that US spy agencies have plied their trade snooping on the oversight committees that are meant to keep them on a leash. I wonder if the SENATOR has stopped to think that giving the keys to the henhouse to the foxes might be a really bad idea. The US black agencies are already completely out of control. More and more, police departments in the US are out of control and are gearing up with surplus military equipment. I live in a small town that has a Humvee and an APC at the police department. At the very least, it looks bad.

  47. TimeMaster T
    WTF?

    Off topic ...

    Has anyone else noticed that the more insane a politician, judge or military leader is the more square their face is?

    Feinstein, Trump, Putin, Gingrich, Cruz, Rubio, Scalia, Patton, MacArthur, Kim Jong, etc. all have really square faces.

  48. JoeKrozac

    Diane Frankenstein

    That foul cunt looks like the mother of Emperor Palpatine, and the Emperor definitely had more class.

  49. zen1

    Feinstein...

    One of this country's biggest hypocrites. She can go fornicate herself and then rot in a very warm place that probably won't be cooling off any time soon.

  50. martinusher Silver badge

    Time to retire

    I think it's the other one -- Senator Boxer -- that's retiring this year, so we're stuck with Feinstein for another couple of years. Both need to be pensioned off (they'll probably find a good berth in a lobbying company or similar). Boxer's replacement may well be Kamala Harris who, if her track record is anything to go by, is just Feinstein Jr. Time for some fresh blood (and preferably not Republican fresh blood; with one or two notable exceptions they're total nutcases).

  51. MachDiamond Silver badge

    Beyond consumer devices.

    This draft is so broadly worded that it may apply to things such as ATMs, credit card and POS terminals. A judge may even interpret the law to include modern cars. Let's all imagine the evil money we could make by disabling or causing cars to crash on a major interchange during rush hour if large sums of money aren't deposited to a certain overseas bank account. The beauty is that once the back door is found for the cars, we could run the ransom routine all over the world many times before the car models that have been compromised could be updated. Even that wouldn't help since the method to break into the vehicles would be known and the next hack gets easier since we'd know what to look for and where.

    Compromising security is wrong on a fundamental level. If the US mandates it, Britain, France and the rest of the EU will shortly follow (or the US will impose sanctions just like they do with the reporting of US citizens that have bank accounts with overseas banks. If they don't report the accounts, they get taxed on US transactions.) At least China and North Korea will love it. It will make espionage much easier for them.

    1. Anonymous Coward
      Anonymous Coward

      Re: Beyond consumer devices.

      You are forgetting an even scarier outcome...

      After the unlovely events you describe come to pass, a cowered and whipped populace will soon be eager for even more restrictive legislation. Instead of a golden age through technology (where the benefits can be shared and used by all), the existing kleptocracy will simply use it to keep everyone beaten down as they grab more and more power.

      Lovely legacy to leave for our children... isn't it?

      Why these fear mongers continue to be allowed oxygen is beyond me.

      1. Charles 9

        Re: Beyond consumer devices.

        Simple. They've hogged ALL the oxygen, leaving you with a sadistic choice. Either you let them live so you can leech off the oxygen they possess...or you asphyxiate...

  52. davidnrobyn

    Translation

    "No entity or individual is above the law," said Feinstein.

    Translation: None of you citizen mundanes is above the law, and don't you forget it! WE decide what's legal, and for whom.

  53. anniemouse

    don't you love the hypocrisy of this bulldookie? nobody is above the law?

    yeah, except the thieving, conniving, predatory persons in the ruling group that illegally steal our privacy and sell it to who knows who - and then allow Wall Street thieves to crash the economy and pay what? pay a small percent of their take!

    oh the hypocrisy... The law for decades threatened Americans with treasonous punishment for shipping encryption overseas. Now the dummies like censormaster Feinstein (BDS UCB) who also want to limit freedom of expression and speech, want to punish us for using strong encryption - you know, like the kind they actually have overseas.

    i love the part that says "All providers of communications services and products (including software) should protect the privacy of United States persons through implementation of appropriate data security and still respect the rule of law and comply with all legal requirements and court orders."

    THIS IS NOTHING SHORT OF A TRAP AND A SHAM OF A TRAP AT THAT.

  54. Chris Hunt

    Hmmm

    "Good sense may prevail in the Land of the Free"

    Citation needed.

  55. Anonymous Coward
    Anonymous Coward

    We need to get type-writers, personal cipher-systems for communication with business partners, pigeon mail, and get rid of computers. Then, we should start a new era of technical advancement – from zero.

    1. Charles 9

      They'll just innovate hidden letter-impression readers in the rollers and breed falcons and hawks, and breed Nineteen Eighty-Four levels of paranoia in your neighbor.

  56. Dodgy Geezer Silver badge

    I can't see the problem...

    The Bill requires "appropriate technical assistance" to be given.

    Great.

    Send a mathematician around to explain why the encryption is believed to be unbreakable. That's 'technical assistance'...

  57. Dodgy Geezer Silver badge

    Don't Worry!

    As soon as the US Film Industry and Walt Disney get to hear that their DVD encryption might be weakened, the US Intelligence sector will back down.

    Because no one annoys The Mouse.... https://www.youtube.com/watch?v=O03M6Tm7sWI

  58. Dave 15

    I am visiting Auntie with a cake

    Could mean just that, or perhaps that I am taking a bomb to bomb the Queen.

    There was similar with WW2, giving the information about D-Day to the French... all that is needed is for both sides to know what you really mean. Terrorists are not as thick as the rule makers, but the rule makers have big egos and never admit how stupid they are.

    1. Charles 9

      Re: I am visiting Auntie with a cake

      But then you have the issue of First Contact. How do you pass the code to the other side without it being intercepted? Indeed, how can Alice know Bob is really Bob and not Mallory or in this case Gene if they've never met before and there's always the chance Trent's been doubled? Not to mention custom codes like this tend to have a limited vocabulary, much like good stego. You can only convey so much information, and it's hard to "wing it" and convey an arbitrary change of plans without giving yourself away.
