Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Encryption Security Democrats Government Privacy Republicans Software The Courts News Your Rights Online Technology

Burr-Feinstein Anti-Encryption Bill Is Officially Released (techcrunch.com) 314

An anonymous reader quotes a report from TechCrunch: Senators Richard Burr and Dianne Feinstein released the official version of their anti-encryption bill today after a draft appeared online last week. The bill, titled the Compliance with Court Orders Act 2016, would require tech firms to decrypt customers' data at a court's request. The bill is not expected to get anywhere in the Senate. President Obama has also indicated that he will not support the bill, Reuters reports. The bill requires legislation requires communications services to backdoor their encryption in order to provide "intelligible information or data, or appropriate technical assistance to obtain such information or data." Sen. Feinstein stated, "The bill we have drafted would simply provide that, if a court of law issues an order to render technical assistance or provide decrypted data, the company or individual would be required to do so. Today, terrorists and criminals are increasingly using encryption to foil law enforcement efforts, even in the face of a court order. We need strong encryption to protect personal data, but we also need to know when terrorists are plotting to kill Americans."
This discussion has been archived. No new comments can be posted.

Burr-Feinstein Anti-Encryption Bill Is Officially Released

Comments Filter:
  • Uh huh... (Score:5, Informative)

    by EmeraldBot ( 3513925 ) on Thursday April 14, 2016 @02:24AM (#51905943)

    In the US, just over 3,000 people have died of terrorist attacks. In 21 years. How many millions die from car crashes alone each year? Are we going to start improving our public transit? No, of course not, because that's not the sexy ratings our senators here want.

    The really sad part isthat these are people who voted in, they are not dictators or such. A majority of people are actually stupid enough to vote for such idiots, and it makes me wonder where our future is headed. Given the rather extreme views that have become fashionable over the last year, I don't think it's too far off we'll soon be looking at the level of control shown in Russia today. I sure hope it was worth losing our privacy, safety, and fundamental values to save us from those "evil terrorists", who haven't played a role in 99.999% of the population. Might I point out, that's not an exaggeration.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      In the US, just over 3,000 people have died of terrorist attacks. In 21 years. How many millions die from car crashes alone each year?

      Posting because that crashes number is so far off... in most years, somewhere in the neighborhood of 25,000 to 30,000 people die in car crashes in the U.S. Still a hell of a lot more than terrorists kill, and you have a good point. Many more Americans will be killed by mundane items in their daily lives, like, say, hamburgers, than ever will be by terrorists.

      • by Maritz ( 1829006 )
        Yes. The problem for politicians is that it's difficult to turn high numbers of road deaths into a power-grab. It's difficult to argue that people should bend over and let government look their asshole because roads are bad. Now terrrrism on the other hand...
    • The really sad part isthat these are people who voted in, they are not dictators or such. A majority of people are actually stupid enough to vote for such idiots, and it makes me wonder where our future is headed. Given the rather extreme views that have become fashionable over the last year, I don't think it's too far off we'll soon be looking at the level of control shown in Russia today. I sure hope it was worth losing our privacy, safety, and fundamental values to save us from those "evil terrorists", who haven't played a role in 99.999% of the population. Might I point out, that's not an exaggeration.

      It's not just stupid people. It's also people who don't understand the issues because they have never studied encryption or computer security. Smart people and policy-makers.

      • by Jason Levine ( 196982 ) on Thursday April 14, 2016 @08:21AM (#51907079) Homepage

        Then there are also the power-mad people. These people might understand how encryption works, but they don't care because they see something that isn't under their control. They can't tolerate this so they come up with a reason why having this not under their control is bad ("terrorism") and then hammer the American public and politicians with this reason. It doesn't matter if the reason isn't true (terrorists have been using clear text communication) or if their reason wouldn't be fixed by passing US laws (terrorists would use strong encryption that's already available). The thing that matters to them is getting this thing under their control - even by a little bit. Then, they can expand their control until all non-backdoored strong encryption is banned.

    • Re:Uh huh... (Score:5, Insightful)

      by skegg ( 666571 ) on Thursday April 14, 2016 @03:12AM (#51906051)

      Heck, we know more people die every year:

          - in backyard swimming pools
          - from bee stings
          - from peanut allergies

      than from terrorism.

      But of course, we also know this isn't about preventing terrorism.

      • Heck, we know more people die every year:

        - in backyard swimming pools
        - from bee stings
        - from peanut allergies

        Thank you very much! Here is my revised plan on how to deal with Dianne Feinstein:

        1. Force feed her Reese's Peanut Butter Cups.
        2. Smack a live beehive on her head. (She might look better, with a B-52 hairdo).
        3. Throw her into the swimming pool! If she weighs the same as a duck . . . she's a witch! Otherwise . . . we'll finally be rid of her.

        Shame on you, California, for you dishing up this monstrosity upon the world!

    • Because while car crash deaths are still a real big killer, the IS has made MASSIVE strides in reducing them, and that has been done in no small part by legislation of new safety features. Deaths both in terms of absolute numbers and deaths per 100 million miles driven have been dropping consistently since around 1970.

      Not agreeing with this bullshit encryption bill, just that your example may not be showing what you want it to show.

      • by Minupla ( 62455 )

        at 32,675/yr in the US, I think it's still a pretty safe argumentative gambit to suggest that if we're going to be terrified, it should be of our fellow drivers rather then some IS.

        Min

    • Re:Uh huh... (Score:4, Insightful)

      by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Thursday April 14, 2016 @05:53AM (#51906433) Homepage Journal

      Are we going to start improving our public transit? No, of course not, because that's not the sexy ratings our senators here want.

      No? [wikipedia.org]

      I think Feinstein is an evil hypocrite, in so many words, but California is doing more to promote public transportation than most states.

    • I think more to the point is that 0 people have died in the US due to terrorists who where aided by encryption. No terrorists will ever use encryption because the benefit (easier communication) does not outweigh the cost (being arrested/killed before performing the act). If you are a terrorist or member of organized crime then you can never ever be 100% sure that NSA, FBI et al cannot spy on everything that you do and in that line of work you do need to be 100% sure.

      For example here in Sweden the major orga

    • Comment removed based on user account deletion
    • > A majority of people are actually stupid enough to vote for such idiots

      A majority of people don't vote.

      FTFY

  • by Anonymous Coward on Thursday April 14, 2016 @02:28AM (#51905949)

    All the time. Seriously, that's what terrorists do. Does anybody think it's a part-time thing or whatever? "Let's see Achmed... Tomorrow we'll go fishing, then we hit the beach and next week we'll plot to kill Americans. But it must be wednesday because I have bingo on monday and a garage sale on tuesday, and the rest of the week I have to fill in for Jamal who's having a jihad on non-recyclable grocery bags."

    • Sometimes they plot to kill other people as well... just sayin'.

    • The tobacco industry deliberately plotted to kill Amecicans in way larger proportion that the 9/11 Saudis. The food industry via sugar over intake also kills much more people than terrorists. The government kills much more Americans with unjustified wars.

      Actually anything threatening the top wealthy 1% is considered as much more dangerous than when threatening the 99% rest.

  • Can't have both (Score:5, Insightful)

    by Anonymous Coward on Thursday April 14, 2016 @02:36AM (#51905969)

    "We need strong encryption to protect personal data, but we also need to know when terrorists are plotting to kill Americans."

    Can't have both, buddy.

  • by He Who Has No Name ( 768306 ) on Thursday April 14, 2016 @02:42AM (#51905975)

    This is pretty much the nail in the coffin.

    If her prior activities that would make an Inspector General blanch weren't enough, this monstrosity is pretty much proof-positive of her loss of mental faculties.

    • by AmiMoJo ( 196126 )

      Maybe she's a traitor trying destroy America by wrecking it's economy. She is aiding terrorists in their efforts to destroy your way of life and prosperity.

  • by Artem S. Tashkinov ( 764309 ) on Thursday April 14, 2016 @02:43AM (#51905983) Homepage

    Terrorists and criminals are increasingly using encryption to foil law enforcement efforts, even in the face of a court order.

    Yeah, right.

    Oh, wait, the most recent terrorist attacks in Belgium were carried out using disposable one time cell phones without using encryption of any kind.

    Who are those politicians are trying to fool? Why the terrorists cannot create their own encrypted applications which do not save any data whatsoever? I mean we already have Telegram, Wire and many other apps with P2P encryption and timers which pretty much guarantee no party will ever be able to restore or decrypt the content of conversations.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      I'm not sure I trust either Telegram or Signal TBH.
      Signal I really want to trust, but they want my whole f'in contact book and AFAIK there is no way to just give my friends like an anon ref code or something. Feels creepy and unnessecary.

      Telegram OTOH is just crazy crappy. Has anyone ever actually tried to read the API docs for mtproto? It's a damned nightmare to parse it.

      I don't trust any service that wants my phone number and list of contacts.

      • by NetNed ( 955141 )
        Mod up parent. Telegram has been proven to be junk. It's funny how often it is mentioned in news articles like it's somehow "rock solid"
    • Indeed and let's face it, if you where a terrorist would you ever be able to trust Telegram, Wire or other P2P solutions to 100%? The cost of being caught as a terrorist is quite high (life time in Guantanamo or killed by a drone) so the benefit of the solution (being able to communicate with your group) is simply not worth it.
    • You can create end-to-end encrypted apps in html5 and javascript. Provided phones don't have logs of everything the user does, whatever the manufacturers do will not achieve much.

    • Comment removed based on user account deletion
  • Woo! BFAEB! (Score:5, Funny)

    by wonkey_monkey ( 2592601 ) on Thursday April 14, 2016 @03:03AM (#51906019) Homepage

    Burr-Feinstein Anti-Encryption Bill

    I heard they're opening for Aerosmith next month.

  • by Anonymous Coward on Thursday April 14, 2016 @03:04AM (#51906023)

    The proposal itself may be awful, the likely consequences would be good. This could very well be the final push for many companies processing personal information to finally leave the US and settle in a country less hostile to privacy.

    • Leaving the US for a privacy Shangri La sounds appealing, but where is this place?

      By my estimations, it's a small number of European countries, most of which might face EU regulations which could end up being nearly as "bad" as the US for no real gain.

      Most other places don't have enough privacy protections (crooked, authoritarian governments) or if they do, are too small to resist the diplomatic pressure the US could bring to bear on their privacy practices. Further, they may be small enough that the Chine

    • by Hentes ( 2461350 )

      When TTIP and TTP get finished the number of those countries will drop sharply.

  • Comment removed based on user account deletion
  • by NReitzel ( 77941 ) on Thursday April 14, 2016 @05:10AM (#51906337) Homepage

    Senators Richard Burr and Dianne Feinstein are neither the oppressive arm of Government nor are they idiots.

    They are, however, profoundly ignorant of how things work in the real (non-Beltway) world. They are of the same ilk that cannot understand that email kept on a small private server (small target) with a staff that gives a damn is quite likely a lot more secure than on a "secured government server."

    They must be thinking, "the company will provide a back door and keep it secret." What a great concept. Unfortunately that idea belongs to a world where it took a whole government and a bevy of codebreakers to crack a simple substitution code - the Enigma codes. Today, a single hacker can put together thousands of cpu core resources to attack any system. If there exists a back door, if there is any way into an encrypted system, some 14 year old in Romania or Great Britian (or China!) will find it. Consider the fact that the FBI hired such to go after in iPad, and the thing was compromised in short order.

    And lest we think that this is a good thing, so that governments can go after terrorists, let me pose a question on a personal level: "How big is your bank account? Would you mind if you woke up some morning and found it empty?"

    There are thousands of terror targets and probably tens of thousands of would-be terrorists. There are quite literally billions of targets in the private sector. It won't make the even news for very long if Mr. Smith gets cleaned out, but to Mr. Smith it may seem pretty terrible.

    And there is a worse side: Let's say that the government requires back doors everywhere. Does that mean that terrorists are going to give up and throw up their hands figuratively? Hell, no. Any competent programmer can come up with an encryption scheme not known to the government, perhaps with vulnerabiilities which are also unknown to the government. The good guys (Us!) have opened our bank accounts to the script kiddies, and the bad guys will go right on using strong encryption. The government will be right back where they are now, having to hire a hacker to break that encryption.

    We will have given up the keys to our doors without putting a small dent in terrorism.

    Not a good choice, imo.

    • Senators Richard Burr and Dianne Feinstein are neither the oppressive arm of Government nor are they idiots.

      False. They are part of the oppressive arm of government. We would usually say "hand", though.

      They are, however, profoundly ignorant of how things work in the real (non-Beltway) world.

      No, no they are not. Feinstein in particular is simply a hypocrite, which she proves every time she opens her face.

      They are of the same ilk that cannot understand that email kept on a small private server (small target) with a staff that gives a damn is quite likely a lot more secure than on a "secured government server."

      If you're talking about Clinton, though, that's not what happened. What happened was that she had a small private server which she used to facilitate illegal, insecure communications; she had her staff go through the email and determine what was classified, which is itself a breach of the law for both

      • by Z00L00K ( 682162 )

        There is no oppressive arm of government, all governments becomes oppressive given time, it's in the bone and marrow of all of them.

        • There is no oppressive arm of government, all governments becomes oppressive given time, it's in the bone and marrow of all of them.

          I couldn't agree more, that's why something like bioregionalism is needed. Local government aligned upon natural boundaries which produce natural confluence of interest. Minimal government at all levels. Citizen involvement. You will never have no government, so the best thing you can do is make sure you get as little government as possible while still getting your needs met.

          Both wings belong to the same bird

    • by Kjella ( 173770 ) on Thursday April 14, 2016 @06:31AM (#51906569) Homepage

      And there is a worse side: Let's say that the government requires back doors everywhere. Does that mean that terrorists are going to give up and throw up their hands figuratively? Hell, no. Any competent programmer can come up with an encryption scheme not known to the government, perhaps with vulnerabiilities which are also unknown to the government.

      Please... the number of programmers that could come up with good cryptographic primitives is 0.1% or less. You're much better off just using AES for symmetric, RSA for asymmetric and DHE for key exchange with forward secrecy that tons of crypto analysists have spent years on and not come up with anything of significance. The flaws are usually all implementation and backdoors, not the building blocks themselves.

    • Comment removed based on user account deletion
    • It must be nice to live in your naive little lalaland where the government means well, but just doesn't get how the magic boxes work. And where a basement email server run by "a guy" is more secure than hardened, robust, and security designed industrial email systems. No, make no mistake, these are hardcore totalitarians and they know it. They have been installed to do a job, and that is destroy a society based on liberty and freedom. Thanks to people who think they "mean well", they're getting away with

    • They must be thinking, "the company will provide a back door and keep it secret." What a great concept. Unfortunately that idea belongs to a world where it took a whole government and a bevy of codebreakers to crack a simple substitution code - the Enigma codes.

      It's not about that. If you read the discussion draft of the proposed bill you will find the salient part is Sec. 2.4 which puts the onus of data decryption onto the service provider. There is nothing about how to implement it, just that if you encrypt it, it better be intelligible when we ask for it. There is a discussion about privacy of the individual, but it's secondary to access by the state. I uncertain if a judicial order is the same as a warrant for telecommunications intercepts however I still don

    • Senators Richard Burr and Dianne Feinstein are neither the oppressive arm of Government nor are they idiots.

      But then you spend the rest of your post describing how oppressive and idiotic their ideas are.

    • Have you seen a picture of Diane Feinstein? She was always a little scary looking, but now it's pretty obvious she's a scary-looking old biddy, who, as you say, doesn't understand what it is she's doing, or worse, does understand what she's doing, and will just try to ram it through, right down our throats, regardless. It's time she resigned, she's just thrashing around and doing damage to everyone around her now, like a sadly elderly person who insists on still driving their car even when it's clear they'r
  • And then the world wide tech sector would get a boost , and the US tech sector go bust.


    What ? I never said I carred for the US tech sector. I am seeing this from the perspective of somebody in another country tech sector withshing that US politician get what they want : give us all non US firm a lot of jobs.
  • by Chrontius ( 654879 ) on Thursday April 14, 2016 @05:29AM (#51906373)

    Today, terrorists and criminals are increasingly using encryption to foil law enforcement efforts, even in the face of a court order. We need strong encryption to protect personal data, but we also need to know when terrorists are plotting to kill Americans.”

    We do - but we cannot have both.

    Choose wisely.

  • i will have to cancel my credit cards and get new ones, and never buy anything online ever again,
  • by duke_cheetah2003 ( 862933 ) on Thursday April 14, 2016 @05:48AM (#51906423) Homepage

    You can't put the encryption genie back in the bottle. You look really dumb when you tell people you can.

    I seriously just laugh every time I see this kind of foolish uneducated thinking. Don't senators have technical advisers that tell them: IT CAN'T BE DONE.

    It's not even really a difficult concept to grasp, in my opinion.

    • Don't senators have technical advisers

      No. They have people that tell them what they want to hear and people who manage their statements so that it panders to just the right set of donors and not offend others.

    • You very much can. You just have to convince people that encrypted communications are a complex, high-cost investment provided by a large company, not something they can take personal responsibility for. Your Cellphone needs slipjack because you couldn't handle pre-encrypting your own e-mail; therefor you are helpless if the Government hacks Slipjack.

  • how many times has a politician said one thing and then did the exact opposite when it comes time to put it down on paper
  • Alternate name (Score:5, Insightful)

    by Dunbal ( 464142 ) * on Thursday April 14, 2016 @06:15AM (#51906513)
    An alternate name for the bill could be the Burr-Fenstein Fucking Waste of Public Time And Money act.
  • Wouldn't it just be simpler to pass a law requiring all terrorists to report what they are going to do 24 or 48 hours before they do it?

  • by mpercy ( 1085347 ) on Thursday April 14, 2016 @07:33AM (#51906837)

    Just adopt the George Costanza approach with her.

  • What morons wrote this?

    The government cannot require or prohibit any specific design or operating system for any covered entity to use in complying with a court order.

    I.e. nothing is out-of-bounds when complying? That seems to conflict with this:

    No one is above the law. Court order recipients must comply with the rule of law.

    But what if providing the data requires breaking existing laws? I'll be the first to admit I don't know legalese, but this sure is confusing.

  • and not Orwellian, like, say, the PATRIOT act.

  • Terrorists and criminals are increasingly using encryption to foil law enforcement efforts, even in the face of a court order.

    Given that the majority of terrorist leadership structure (technocal and non-technical) isn't domestic, and they are completely capable of writing their own encryption apps, and hosting the services outside the US,
    1. How does the bill reach those users and servers Answer: It doesn't
    2. How does the bill enhance/protect/maintain security of users. Answer: It doesn't
    3. How does the bill

  • On May 12, 2011, Feinstein cosponsored PIPA. [wikipedia.org]

    I think this person needs to lose an election.

  • I've learned that any bill with the word Feinstein attached to it will be based on ignorance and fear. How this idiot keeps getting re elected is beyond my comprehension.
  • Different government agencies use different price per human life saved methodologies. Most agencies, such as the car regulation, pollution, etc. regulate only if the cost is less than $10 million per life saved. The EPA sets it at 7.4 million. Some agencies won't even require safety regulations if the cost exceeds $2 million.

    Terrorism based agencies are a radical shift. When terrorism is involved, the idiots are willing to spend up to $180 million to save a single life. (https://www.schneier.com/blog/a

  • by KeithIrwin ( 243301 ) on Thursday April 14, 2016 @12:41PM (#51909111)

    Last night I figured out how to extort money out of big tech companies if the Feinstein-Burr bill becomes law. It requires that any company which has provided encryption technology render technical assistance in order to provide unencrypted versions of information in response to court orders.
    So, here's what you do:
    1) Choose a company which provides any existing encryption products which don't have backdoor and will host data for you in some form. Good choices might be Apple, Google, or Microsoft. For Microsoft you can use their BitLocker product to encrypt things. For Apple or Google, you can just use OpenSSL's command line to do the encrypting. There are likely some other companies that would work, but those are the first which come to mind.
    2) Find a co-conspirator who is willing to sue you.
    3) Create some key piece of information which is relevant to the potential court case.
    4) Choose an amount of money which is quite large, but is within the potential budget of the company.
    5) Do some calculations like this spread sheet does: https://docs.google.com//1hsvO2RBXWYxMMMCaDx5CASPy2l/edit (although I'm not sure these numbers are correct because I'm not sure they account for the efficiency of doing this with GPUs instead of CPUs) to figure out how long the key will have to be to be in order to cost the target amount of money. Assuming their figures are correct, then 86 bits would be the correct answer.
    6) Choose an encryption function which uses more bits than that. So let's go with 128-bit AES for this example.
    7) Encrypt the key piece of information with it.
    8) Make a second file which contains notes about what algorithm is used and contains all but your target number of bits of the key. So in this case, 128-86 yields 42, so we put the first 42 bits of the key in the file.
    9) On the storage provided by your target company, store the encrypted data and the unencrypted second file.
    10) Ensure that all other copies of the data and the key have been completely and utterly destroyed, but keep references to its existence.
    11) Proceed with the lawsuit and have your co-conspirator find out about the file in discovery.
    12) Have them obtain a court order requiring the target company render technical assistance. Now, to comply with the court order, they must spend approximately $10 million dollars to brute force the remaining bits of the key.
    13) Offer to have talks about settling the lawsuit, but only if the company is also involved in those talks.
    14) Hint that this could all go away for a much smaller amount, like only $100,000 especially if the target company were willing to pay.
    15) Once they pay up, drop the lawsuit thus vacating the court order.

If you aren't rich you should always look useful. -- Louis-Ferdinand Celine

Working...