While the FBI abandoned its court case against Apple, the dispute of course still rumbles on in Congress, with hearings today and a proposed bill to force U.S. tech companies to break encrypted devices on demand. But at least one legal expert thinks the Feinstein-Burr bill is deeply flawed, arguing that it is unconstitutional, unenforceable and would harm U.S. investigative capabilities.
And not just any legal expert: you can’t really ask for better credentials in this area than those of Paul Rosenzweig.
Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company [and] formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Distinguished Visiting Fellow at the Homeland Security Studies and Analysis Institute. He also serves as a Professorial Lecturer in Law at George Washington University [and] a Senior Editor of the Journal of National Security Law & Policy.
In a blog post on Lawfare, Rosenzweig sets out the three problems he sees with the Feinstein-Burr bill …
Rosenzweig begins by pointing out that the U.S. can only control what happens within its own borders. Even if manufacturing devices with unbreakable encryption were banned domestically, people would still be able to download end-to-end encrypted messaging and storage apps from other countries.
The government would, he says, have to make it illegal to import such software – and this could be legally problematic.
It probably violates the US Constitution. Granted, the precedent is a bit old, and comes from the Ninth Circuit, but nonetheless, there is a good basis for thinking that such a ban would violate the First Amendment. In Bernstein v. Department of Justice, the government tried to stop Bernstein from publishing his encryption algorithm. In that case they said it violated export law (rather than a hypothetical import law). But the 9th Circuit rejected that ban and ruled that software source code was speech protected by the First Amendment and any regulations preventing publication would be unconstitutional.
Even if courts ruled it legal, he observes, enforcement would be near-impossible. The only practical way to stop someone downloading particular apps from overseas servers would, he says, require truly draconian measures – and even then, they likely wouldn’t work.
To implement an “import” ban would require the operation of a system akin to the Great Chinese Firewall – a filter that scanned the global internet and implemented a blocking protocol to prevent anyone from the US finding that code. Even if that sort of large-scale surveillance were to pass constitutional muster it strikes me as both technically and politically beyond contemplation. Are Americans going to allow the US government to monitor inbound content? And given the breadth of internet access in the US, could it really be done effectively? I think the answer to both questions is likely “no.”
Finally, even if the bill were legal, and even if it were practical, he says it is likely to do more harm than good in terms of U.S. ability to detect and investigate genuine threats.
Malicious actors would have other options for encrypted communication applications if they chose. By driving actors away from American products and systems we might have the perverse effect of driving internet traffic and technology companies offshore, depriving our analysts of valuable metadata information. In other words, for the truly malevolent actors we might actually hurt our investigative capabilities.
A lot may depend on the outcome of the upcoming elections: the proposal reportedly does not have the support of the current White House administration, but it looks extremely unlikely that the bill would make it to a vote beforehand.
Someone could hack into an FBI server or computer and tamper with evidence.
It’s good to see someone with these credentials taking a very non-emotional and logical world-wide view of the absurdity of the Feinstein-Burr Bill. The basis of their bill is that the USA is the final arbiter of all things legal and that’s that! Well, the US does not have that ability or far-reaching effect on the world.
This was flawed legislation that was a reaction to the whole FBI vs. Apple dustoff.
Who even elected Feinstein? CA – please vote her out in the next cycle. She is almost as big an embarrassment as Sarah Palin. YMMV
I’m from CA and I 100% cannot tell you why this woman continues to be voted into office. Both her and Pelosi… I think people just go to the polls and think “well, the country isn’t burning, they must be ok” and check the box. Stupid.
Almost as big as an embarrassment? You’re not being honest with yourself on that one. Palin was admittedly irritating but looks like an Einstein standing next to Feinstein (and Pelosi for that matter).
Of course, this says nothing about the impact on U.S. manufacturers of security products.
Would any company outside the U.S. even consider a Cisco firewall/VPN product? No. Foreign sales would essentially go to zero. Huawei would be very appreciative.
The authors of this bill know all of these things.
This bill has no chance of being signed into law. The authors of the bill know this.
They will come back later with something a little less astringent and a sympathetic government will make a draconian law.
Even assume that they can put a firewall up that prevents the code from coming into the U.S. – will they prevent technology (physical media) that might have the code from crossing borders? Will the U.S. govt prevent a computer from travelling overseas and returning to the U.S.? Will they scan every USB device entering the U.S.? Will they prevent books being published that have the code written out in handwriting?
No. They will not and if they tried, they wouldn’t have 100% loyalty within their ranks to be absolutely perfect. Additionally, we’ve already got encryption. How they plan on doing anything but “try” to phase it out over the next decade is beyond me.
Not to mention using encrypted comms to transmit the encrypted software …
Are there any good articles out there on the existence or likelihood of what I would call “unconnected private networks”? I mean, what stops a terror cell from creating their own cell phone network of 6 towers in a city to communicate on that is never connected to the internet, etc?
Even in places like China, where they brutally censor the internet and the public's use of technology, there is a thriving black market for encryption and VPN access technology. And just as antibiotics lead to the creation of drug resistant superbugs, the average Chinese criminal now uses encryption technology far superior to what the government can block.
Makes you wonder why neither Feinstein nor Burr — both smart people under most circumstances — thought to talk to somebody like Rosenzweig WHILE writing the bill.
I was hoping there was sarcasm there but I think you are serious. Face it, neither one of them cares about the people they were elected to serve. All they care about is name recognition so their legacy can live on after they’re gone. Attaching their name to something like this will certainly do that.
https://youtu.be/O4tUx1W3zLc