An anti-government protester holds up his iPhone with a sign "No Entry" during a demonstration near the Apple store on Fifth Avenue in New York on February 23, 2016. Apple is battling the US government over unlocking devices in at least 10 cases in addition to its high-profile dispute involving the iPhone of one of the San Bernardino attackers, court documents show. Apple has been locked in a legal and public relations battle with the US government in the California case, where the FBI is seeking technical assistance in hacking the iPhone of Syed Farook, a US citizen, who with his Pakistani wife Tashfeen Malik in December gunned down 14 people. (AFP / Jewel Samad / Getty Images)

While the FBI abandoned its court case against Apple, the dispute of course still rumbles on in Congress, with hearings today and a proposed bill to force U.S. tech companies to break encrypted devices on demand. But at least one legal expert thinks the Feinstein-Burr bill is deeply flawed, arguing that it is unconstitutional, unenforceable and would harm U.S. investigative capabilities.

And not just any legal expert: you can’t really ask for better credentials in this area than those of Paul Rosenzweig.

Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company [and] formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Distinguished Visiting Fellow at the Homeland Security Studies and Analysis Institute. He also serves as a Professorial Lecturer in Law at George Washington University [and] a Senior Editor of the Journal of National Security Law & Policy.

In a blog post on Lawfare, Rosenzweig sets out the three problems he sees with the Feinstein-Burr bill …

Rosenzweig begins by pointing out that the U.S. can only control what happens within its own borders. Even if manufacturing devices with unbreakable encryption were banned domestically, people would still be able to download end-to-end encrypted messaging and storage apps from other countries.

The government would, he says, have to make it illegal to import such software – and this could be legally problematic.

It probably violates the US Constitution.  Granted, the precedent is a bit old, and comes from the Ninth Circuit, but nonetheless, there is a good basis for thinking that such a ban would violate the First Amendment. In Bernstein v. Department of Justice, the government tried to stop Bernstein from publishing his encryption algorithm. In that case they said it violated export law (rather than a hypothetical import law). But the 9th Circuit rejected that ban and ruled that software source code was speech protected by the First Amendment and any regulations preventing publication would be unconstitutional.

Even if courts ruled it legal, he observes, enforcement would be near-impossible. Stopping someone from downloading particular apps from overseas servers would, he says, require truly draconian measures – and even then, they likely wouldn’t work.

To implement an “import” ban would require the operation of a system akin to the Great Chinese Firewall – a filter that scanned the global internet and implemented a blocking protocol to prevent anyone from the US finding that code. Even if that sort of large-scale surveillance were to pass constitutional muster it strikes me as both technically and politically beyond contemplation. Are Americans going to allow the US government to monitor inbound content? And given the breadth of internet access in the US, could it really be done effectively? I think the answer to both questions is likely “no.”

Finally, even if the bill were legal, and even if it were practical, he says it is likely to do more harm than good in terms of U.S. ability to detect and investigate genuine threats.

Malicious actors would have other options for encrypted communication applications if they chose. By driving actors away from American products and systems we might have the perverse effect of driving internet traffic and technology companies offshore, depriving our analysts of valuable metadata information.  In other words, for the truly malevolent actors we might actually hurt our investigative capabilities. 

A lot may depend on the outcome of the upcoming elections: the proposal reportedly does not have the support of the current White House administration, but it looks extremely unlikely that the bill would make it to a vote beforehand.

Photo:AFP/Jewel Samad/Getty Images via WCSH6

About the Author

Ben Lovejoy's favorite gear