The Dangers of the Burr Encryption Bill

The Burr Encryption Bill – Discussion Draft dropped last night, and proposes legislation to weaken encryption standards for all United States citizens and corporations. The bill itself is a hodgepodge of technical ineptitude combined with pockets of contradiction. I would cite the most dangerous parts of the bill, but the bill in its entirety is dangerous, not just for its intended uses but also for all of the uses that aren’t immediately apparent to the public.

The bill, in short, requires that anyone who develops features or methods to encrypt data must also decrypt the data under a court order. This applies not only to large companies like Apple, but could be used to punish developers of open source encryption tools, or even encryption experts who invent new methods of encryption. Its broad wording allows the government to hold virtually anyone responsible for what a user might do with encryption. A good parallel to this would be holding a vehicle manufacturer responsible for a customer that drives into a crowd. Only it’s much worse: The proposed legislation would allow the tire manufacturer, as well as the scientists who invented the tires, to be held liable as well.

While the bill claims that it in no way is designed to force companies to redesign their products, this is a subtle hypocrisy: the reality is that there is no possible way to comply with it without intentionally backdooring the encryption in every product that may be used in the United States. Encryption is a sophisticated math problem; a problem that can only be solved with knowledge of the keys calculated by the end-user. In other words, encryption is completely out of control of the manufacturer, and entirely in the hands of the end-user. The only way for a company like Apple to decrypt customer data is for them to secretly copy every key ever used to encrypt data, or to store the encryption keys on the device in a way that they can access them. It is quite literally storing the key inside the lock. This weaker form of encryption takes us all the way back to the days of iOS 6 or older, where virtually all of an iPhone’s data could be extracted from devices by Apple. All the while Apple could hack into their customer’s iPhones, a number of forensics tools, jail breaking tools, and other open source hacking tools were also doing it for criminals, teenagers, angry spouses, stalkers, and others.

Having “secure encryption” and “encryption that a third party can decrypt” are mutually exclusive. Both are technologically impossible. Burr, while trying to make this legislation sound like a “middle ground”, is in reality choosing the latter option: weaker encryption that isn’t really encryption at all.

Due to the backdooring of encryption that this legislation implies, American electronics will be dangerously unsafe compared to foreign versions of the same product. Diplomats, CEOs, scientists, researchers, politicians, and government employees are just a few of the people whose data will be targeted by foreign governments and hackers both while traveling, but also whenever they’re connected to a network. The encryption design will have had to be made so weak in order to allow for this government backdoor, that no court order will be needed – American owned devices will be vulnerable to many forms of attacks that are even less sophisticated than the data breaches our own government has fallen victim to.

The idea of a foreign actor or a nation state actor attacking an iPhone is by no means some far fetched conspiracy theory. Consider that it was allegedly an Israeli firm that figured out how to hack into Syed Farook’s iPhone 5c, and not an American firm. The only reason the FBI was likely able to acquire the tool was because they were the highest bidder. The technology to do this was developed outside the country, and can be sold to additional parties without the United States’ permission or knowledge. If our enemies were to offer millions for the same technology, such a company would be under no obligation to honor exclusivity with the United States government, and even if they were, they can certainly develop a similar technology all over again and sell it to the next bidder.

The technology to gain privileged access to an iPhone is something that has been developed repeatedly over the device’s nine year history, in spite of the billions of R&D dollars and bright engineers Apple has hired to secure the device. The only thing protecting your data today is the encryption tied to a complex, alphanumeric passcode on the device. That is the one last leg of security that Burr’s encryption bill is trying to do away with.

Aside from the iPhone, consider how this bill might be applied to electronic commerce. It is a carte blanche pass to order SSL encryption keys and backdoor encrypted containers from any company, compromising the security of every individual (both foreign and domestic) that has ever used the company’s services. This does not include strictly ephemeral conversations, monitored in real-time, but due to our government’s ongoing “recording of the Internet”, all past conversations could potentially (depending on the type of encryption used) also be forced.

Another important thing to note from this proposed legislation is that it makes no distinction between encrypted / obfuscated data and data that has been destroyed by the user. As far as the iPhone is concerned, deleted data is obfuscated data that has been forgotten about. The way the iPhone has been designed to destroy user data is to simply drop the encryption keys for individual files, or the keys for the entire disk when wiped. The wording of this bill is so broad that it forces a shredder manufacturer to assist with reconstructing documents destroyed by one of their products. The same is true of Apple’s wipe function, meaning that in order to comply, Apple would be forced to store the encryption keys for all of your past data, even if you wipe it, so that it can later be recovered under a court order.

The absurdity of this bill is beyond words. Due to the technical ineptitude of its authors, combined with a hunger for unconstitutional governmental powers, the end result is a very dangerous document that will weaken the security of America’s technology infrastructure. This will affect everything from the iPhone you hold in your pocket to how data is transmitted over the Internet, allowing the government to effectively break all electronic commerce and Internet security. This is bad legislation in every way, and it very subtly allows for unconstitutional government control of private industry. This bill should be seen for the unconstitutional power grab that it is, and never make it to a vote. The Burr-Feinstein bill, in short, punishes American companies for being “too secure”, and forces them to redesign their products to be vulnerable and inferior in security to their foreign competitors – putting everyone at risk.