👤chlodwig🕑9y🔼389🗨️209

(Replying to PARENT post)

This is not just govt access. For a judge to be able to order your computer unlocked, means people at Microsoft, at Lenovo (or whoever you use), and at your ISP all have the keys to unlock your data even if you used an “encryption” feature. You have to trust every company, everywhere to never have a security incident involving the keys.

I posted my full thoughts after the first reading through this at https://rietta.com/blog/2016/04/08/feinstein-burr-encryption....

Specifically, any U.S. company would be required to maintain the ability, through unspecified means, to retrieve the plain-text from any data “made unintelligible by a feature, product, or service owned, controlled, created, or provided by the [company].” And the company would then be required to turn over such data in real-time “concurrently with its transmission” or “expeditiously, if stored by the [company] or on a device.”

It's chilling.

👤rietta🕑9y🔼0🗨️0

(Replying to PARENT post)

"A covered entity that receives a court order for information or data shall provide such information or data in an intelligible format; or provide such technical assistance as is necessary to obtain such information or data in an intelligible format or achieve the purpose of the court order."

Okay, so I get that the main section of the bill requires companies which provide encryption to decrypt data upon receiving a court order demanding access to it. If the company is capable of decrypting its customers' data, that's a scary thought.

But it's followed by two very conflicting subsections: (b) nothing in this act may be construed to require or prohibit any specific design or operating system to be adopted by any covered entity, but (c) a provider of remote computing services to the public shall ensure such products are capable of complying with a court order to decrypt.

It seems like this could be read as "you must build backdoors", but also as "we're not telling you how to architect your product." These two sections are completely at odds.

By the way, Scribd sucks. Have a downloadable PDF: https://josephhall.org/f0eabaa89b8ee38577bf7d0fd50ddf0d58ecd... (it's still just non-OCR'd images though :<)

👤etjossem🕑9y🔼0🗨️0

(Replying to PARENT post)

"We don't have the first notion how cryptography works," said the politician-senators in a joint statement, "but we're hoping the voters will see past the blatant trampling of civil liberties to think we're doing something to be tough on the trrrrists."

👤isomorphic🕑9y🔼0🗨️0

(Replying to PARENT post)

The funniest part is Feinstein is a California senator. Know who San Francisco's congressional rep is? Pelosi, another champion of freedom... Voting doesn't work, it's a waste of time, our corrupt illegitimate government will continue to violate every ethic and change every law which increases their power. Anyone who defends such monsters is no better than the monsters themselves. Again, the US government kills with impunity, tortures with impunity, commits war crimes like the recent hospital bombing, has the highest incarceration rate in the world... The list goes on and on and yet people plug their ears and bury their heads in the sand. We live in a police state, just accept the truth.

EDIT

The community can down vote but can't respond to the truth.

👤sdihehjnss🕑9y🔼0🗨️0

(Replying to PARENT post)

I just wrote my senators. I encourage you to do the same.

Talk here is fine, but it's more useful to let folks on the hill know what's up.

I think the bill is over-the-top bad; they are obviously going for a compromise of some kind. By appearing to reach a middle ground they can paint the pro-crypto camps as being uncooperative.

Of course, there's no middle ground with math.

👤kabdib🕑9y🔼0🗨️0

(Replying to PARENT post)

Maybe the right answer isn't fighting. Maybe the right answer is just getting a few friends together, creating a town, appointing someone judge, someone else prosecutor and someone else sheriff.

There was a report of someone speeding. Use the awesome government powers to subpoena cell phone connectivity, credit card transactions, or whatever to identify the speeder.

Police have auctions for seized stuff; presumably you could just auction that data off to recover the costs (and then some).

Then repeat, over and over.

If you're feeling really enthusiastic, start targeting aws's DOD stuff. [1]

[1] https://aws.amazon.com/compliance/dod/

👤jfoutz🕑9y🔼0🗨️0

(Replying to PARENT post)

Politicians aren't idiots. Neither are they Machiavellian schemers. They are just in a situation where supporting bills like this is all upside and no downside.

If this passes and five years later computer security is Swiss cheese, politicians know that most people will blame the computer companies and vendors, not the government.

If this fails due to tech company opposition, they will get to avoid any criticism for not preventing the next terrorist attack. Instead they will simply find one encrypted iPhone and blame Apple.

👤johngalt🕑9y🔼0🗨️0

(Replying to PARENT post)

Crypto == Math. Full stop.

All thoughts on civil liberties aside, it's sad that these officials don't even realize that what they're asking for is (or will hopefully shortly be) impossible for companies to do.

Then the real fighting will start. I'm sure Congress sees this proposal as a middle-ground between DOJ desires and freedom/privacy, but once it dawns on them that things like "no knowledge" encryption are really what it says on the tin, they will feel backed into a corner, with the only visible choices being something asinine like, criminalize encryption or ... give up?

Maybe that's something for this community to start thinking about, if we want to have a constructive say in this whole mess. Come up with a way to frame the "Give up" option in a better light, so Congress can point to it and tell the DOJ "look we did X for you", while still not outlawing encryption.

👤astockwell🕑9y🔼0🗨️0

(Replying to PARENT post)

If this passed, I would appreciate a determined stance to make the government's technology experience difficult. No more smartphones. Google and Bing refusing traffic to government IP blocks. No more Windows updates past whatever Microsoft has already agreed to by contract.

Obviously there's no financial incentive for any of this.

👤koenigdavidmj🕑9y🔼0🗨️0

(Replying to PARENT post)

No way this passes... it blatantly violates the First, Fourth, and Fifth Amendments.

How can we stop this...Vote! Vote the people that support this out of office.

...also... if they want to make everything insecure... hack the Congress members' bank accounts, private information, Ashley Madison accounts, every email and text they send, every phone call they make... every password they've used on any site ever. Make them wish they never made such a stupid law. Maybe then they will learn how important encryption is.

👤Cshelton🕑9y🔼0🗨️0

(Replying to PARENT post)

Ah yes, the good old "let's ban math" bill.

Not the first time: https://en.wikipedia.org/wiki/Indiana_Pi_Bill

👤ultramancool🕑9y🔼0🗨️0

(Replying to PARENT post)

Unless they backdoor in backdoors, it seems like this will just force companies to make sure there's no possible way for them to access the data.

If your company ever has any way to view the data, the government will find a way to force you to give it to them.

👤fooey🕑9y🔼0🗨️0

(Replying to PARENT post)

It is my sincerest hope that this bill goes into the filing cabinet with Dihydrogen Monoxide [0] and legislating the value of pi [1]. I appreciate the challenges that encryption creates for law enforcement, but it has nothing to do with placing people "above" the law; rather it is a simple truth that you cannot create a system that is both designed to be secure and circumvented by authorities (and no one else). It is asinine that we must continue to have this debate.

[0] http://www.nbcnews.com/id/4534017/ns/technology_and_science-...

[1] https://en.wikipedia.org/wiki/Indiana_Pi_Bill

👤cgearhart🕑9y🔼0🗨️0

(Replying to PARENT post)

"We’re still in the process of soliciting input from stakeholders and hope to have final language ready soon." Who are stakeholders in this context?

👤popctrl🕑9y🔼0🗨️0

(Replying to PARENT post)

Ah, demonstrating yet again how insane it is that we hand so much power to people who know so little about the domains they control (and worse, seem to do little to change their lack of understanding). Will bills like this spur people into action to change how the government operates? I suspect at the very least, this will pointlessly cost technology companies millions as they desperately try to counteract the bill.

What would we do if this passed? I suppose I would winnow and chaff the hell out of my data, sending literally 42 gigabytes of garbage bytes for every one-kilobyte file. That way, if somebody wants to decrypt it, they will at least have to sift through tons and tons of garbage to do so.

👤makecheck🕑9y🔼0🗨️0

(Replying to PARENT post)

The way I read the text (which is quickly and layman-y) I don't see anything that mandates back doors or encourages weak encryption. So to me it looks mostly fine or even just a formalization of the status quo?

It seems to say that if a company can read their customers' data in plain text, then that plaintext should also be provided to authorities upon request/warrant.

So the bottom line is: use strong crypto and build products with strong crypto and ensure only the end users hold the keys to the data. Then all the aid you can give authorities is "no can do" - and that's still acceptable? I'm kind of fine with that.

👤alkonaut🕑9y🔼0🗨️0
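The comment above describes the design where only the end users hold the keys, so the provider's honest answer to a decryption order is "no can do". The following is an added example of that architecture, not code from the thread or from any named product: the client seals data with AES-256-GCM using a key that exists only on the user's side (generated at random here; a real product would derive it from a passphrase or a hardware-backed secret, an assumption of this example), and the provider stores and returns opaque blobs. The `Client`, `Provider` and `ComplyWithOrder` names and the sample note are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Blob is all the provider ever stores: nonce plus ciphertext, never a key.
type Blob struct {
	Nonce      []byte
	Ciphertext []byte
}

// Client holds the only copy of the data key (assumption: random 32-byte key
// generated on the user's device for this example).
type Client struct {
	key []byte
}

func NewClient() (*Client, error) {
	key := make([]byte, 32) // AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Client{key: key}, nil
}

func (c *Client) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(c.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals the plaintext on the user's device, before it reaches the provider.
func (c *Client) Encrypt(plaintext []byte) (Blob, error) {
	g, err := c.aead()
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	return Blob{Nonce: nonce, Ciphertext: g.Seal(nil, nonce, plaintext, nil)}, nil
}

// Decrypt opens a blob; GCM authentication fails for any other key.
func (c *Client) Decrypt(b Blob) ([]byte, error) {
	g, err := c.aead()
	if err != nil {
		return nil, err
	}
	return g.Open(nil, b.Nonce, b.Ciphertext, nil)
}

// Provider models the "remote computing service": it stores and returns
// blobs by id and has no key material at all.
type Provider struct {
	store map[string]Blob
}

func NewProvider() *Provider { return &Provider{store: map[string]Blob{}} }

func (p *Provider) Put(id string, b Blob) { p.store[id] = b }

func (p *Provider) Get(id string) (Blob, bool) { b, ok := p.store[id]; return b, ok }

// ErrNoKey is the provider's only possible answer to a demand for plaintext.
var ErrNoKey = errors.New("provider holds ciphertext only; it has no key to produce plaintext")

// ComplyWithOrder returns what the provider actually has for the id (the
// ciphertext bytes) together with ErrNoKey, because nothing it holds is
// "intelligible".
func (p *Provider) ComplyWithOrder(id string) ([]byte, error) {
	b, ok := p.store[id]
	if !ok {
		return nil, errors.New("no such object")
	}
	return b.Ciphertext, ErrNoKey
}

func main() {
	c, _ := NewClient()
	p := NewProvider()
	blob, _ := c.Encrypt([]byte("constructed sample: user's private note"))
	p.Put("note-1", blob)

	ct, err := p.ComplyWithOrder("note-1")
	fmt.Printf("provider can hand over %d opaque bytes: %v\n", len(ct), err)

	stored, _ := p.Get("note-1")
	pt, _ := c.Decrypt(stored)
	fmt.Printf("user decrypts locally: %q\n", pt)
}
```

The design choice that matters is the absence of any key-handling code path on the provider side: there is no recovery key, no escrow copy and no admin override, so a breach of the provider, or an order served on it, yields ciphertext only. The flip side, which a product team has to accept, is that a user who loses the key loses the data.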

(Replying to PARENT post)

Do bills like this one pass? This reads like childish foot-stamping.

Anyway, if there's a product out there which doesn't provide this capability, no amount of bill passage is going to make that product work like some congressperson wants.

👤gnoway🕑9y🔼0🗨️0

(Replying to PARENT post)

As far as I am concerned, this bill is unconstitutional.

👤Esau🕑9y🔼0🗨️0

(Replying to PARENT post)

Could someone help decode this?

"covered entities must provide responsive, intelligible information or data, or appropriate technical assistance to a government pursuant to a court order."

I assume that this includes secret FISA orders, but what's with the language about "a government"? Could this be construed to include non-American governments? (i.e. Five Eyes?) Or is that a term of art?

👤ipsin🕑9y🔼0🗨️0

(Replying to PARENT post)

Doesn't the 13th amendment to the constitution outlaw slavery?

> Neither slavery nor involuntary servitude, except as a punishment for crime whereof the party shall have been duly convicted, shall exist within the United States, or any place subject to their jurisdiction.

If you've done anything illegal, they can't compel you to work?

Seems to make this whole thing sound unconstitutional.

👤donatj🕑9y🔼0🗨️0

(Replying to PARENT post)

YC staff: Since YC is a huge source of economy and technical innovation.. have you considered talking to the USG about security?

👤hellbanner🕑9y🔼0🗨️0

(Replying to PARENT post)

I can see from reading the comments that I remain in the minority in thinking that such a law will actually bring benefits in terms of security since it will promote FOSS approaches which, being based upon free speech, will be beyond the reach of this law, and which being open will in any case be more secure.

👤intrasight🕑9y🔼0🗨️0

(Replying to PARENT post)

If you're in California, here is a form to email Dianne Feinstein your thoughts on this bill. https://www.feinstein.senate.gov/public/index.cfm/e-mail-me

👤jakelarkin🕑9y🔼0🗨️0

(Replying to PARENT post)

Ignorance is everywhere, especially concerning computer security and especially among the representatives and senators in the US Congress.

We must combat ignorance by educating the ignorant, and that includes elected officials. Many here at HN have knowledge and high level of awareness of the importance of privacy and security, and I'm sure there are more than a few genuine experts tuning in. In any case most of us probably have salient information and experience to share, and it certainly needs to be shared.

If you are a US citizen by all means write to your Representative and Senators. Voters' opinions do matter, particularly in an election year.

This afternoon, I sent messages to all 3 members of my congressional delegation exclaiming how bad an idea the Burr-Feinstein bill happens to be. I urge you to do the same.

👤jrapdx3🕑9y🔼0🗨️0

(Replying to PARENT post)

If the goal is to stop terrorism and the illegal drug trade, this is the epitome of idiocy. End-to-end encryption isn't trivial to implement, but at the same time there are many open source projects that implement it already. If this becomes the norm, then professional criminals will simply adopt open source tools and 3rd party programs, as well as products offered by companies outside the US, to ensure their privacy. So this will weaken the security of all honest people and do basically nothing to achieve any of the goals set forth in this legislature. Of course, if the goal is to further control and subjugate the citizens of this country for the benefit of its corrupt government, then by all means, it's a brilliant piece of legislature.

👤x0054🕑9y🔼0🗨️0

(Replying to PARENT post)

Now that the Supremes have ruled that the feds can force you to buy a product (health insurance), it's not such a large step to force people to perform work on their behalf.

One of the major gripes of the American revolution was the forced quartering of soldiers in people's homes.

👤tomohawk🕑9y🔼0🗨️0

(Replying to PARENT post)

So this hands the entire security software market to overseas companies...?

👤api🕑9y🔼0🗨️0

(Replying to PARENT post)

How does this apply to open source? E.g., if two people used PGP, their email providers couldn't decrypt their communications. Would the PGP authors/maintainers get in trouble for being unable to help? Does this effectively make it illegal to create end-to-end encryption tools for users?

👤nathan_long🕑9y🔼0🗨️0

(Replying to PARENT post)

If this manages to become law, how would this impact open source crypto? Which company would hold the responsibility of compliance? The project sponsors, code repo hosts, or other?

👤andrewdb🕑9y🔼0🗨️0

(Replying to PARENT post)

"made unintelligible by a feature, product, or service owned, controlled, created, or provided by the [company]."

So no more hash functions, I guess; better store those passwords in clear text. Also, encryption is the key to any form of distributed system where you have misbehaving actors... you know, like the internet.

👤0x07c0🕑9y🔼0🗨️0

(Replying to PARENT post)

It's rather disheartening that Californians haven't managed to organise serious resistance to Feinstein.

👤dbcooper🕑9y🔼0🗨️0

(Replying to PARENT post)

This is why none of my business, and none of my personal data (outside browsing with PrivacyBadger enabled), goes to companies residing in the United States.

(written on an rk3288-based ARM laptop from China, over a VPN from Iceland)

👤anonbanker🕑9y🔼0🗨️0

(Replying to PARENT post)

I mean... you literally can't legislate crypto, can you?

Could someone explain what this would look like, in a practical sense? Would self-signed keys become illegal, and all PKI would have to have a "government" parent key of some kind?

👤Laaw🕑9y🔼0🗨️0

(Replying to PARENT post)

The plaintext version of the draft bill (cleaned up):

http://pastebin.com/raw/PrXTrc2N

👤etjossem🕑9y🔼0🗨️0

(Replying to PARENT post)

Does anyone know if foreign companies that operate within the United States would be subject to these laws?

If not, then perhaps a lot of big US tech companies will move offshore?

Thoughts?

👤anthony_james🕑9y🔼0🗨️0

(Replying to PARENT post)

So a publisher that publishes a textbook on crypto has to provide a back door to the government?

👤tonmoy🕑9y🔼0🗨️0

(Replying to PARENT post)

Well it was only a matter of time before we digressed back into a nation with legalized slavery.

👤mortdeus🕑9y🔼0🗨️0

(Replying to PARENT post)

No, absolutely not. I'm tired of this stupid conversation. The answer is always no.

👤lasermike026🕑9y🔼0🗨️0

(Replying to PARENT post)

Encryption which can be decrypted by a third party is not encryption but encoding.

👤dschiptsov🕑9y🔼0🗨️0

(Replying to PARENT post)

Reading through the bill, it's apparent that this is actually a pretty poor attempt at circumventing the rise of encryption. I have my suspicions as to why.

The bill mandates technical assistance, yes, but the obvious argument is that no amount of technical assistance can accomplish that which is impossible. If the data can't be accessed, it can't be accessed. Interpreting this as barring companies from implementing those features would require an unduly expansive reading of the text, to say nothing of issues with Sect. 3(b).

Sect. 3(c) seems to contradict that, but 18 USC § 2711 defines a "remote computing service" as "the provision to the public of computer storage or processing services by means of an electronic communications system" [0]. That would seem to include iCloud services, for instance, but not the iPhone itself. For reference, 18 USC Chapter 121 covers the storage of electronic communications and access to transactional records.

It's possible that this is part of a long game. Breaking the encryption debate down into smaller pieces lets them control the narrative a bit more and defuse some of the strongest arguments against backdoors and weakening encryption. They can point to this bill a few months down the road and say "look, nothing bad happened. The evil hackers those San Francisco techies were complaining about never stole your identity." It would make the opposition appear more reactionary, and give them more time to muddy the water further.

To the average person, the bill seems entirely reasonable. Who could object to companies giving assistance when they have to comply with a court order? In that sense, it's a perfect starting point.

But most likely, this is a trial balloon meant to help them refine their arguments and position before they get around to a concerted push. That seems likely given that the Senate Intelligence Committee doesn't really have jurisdiction over this issue [1][2]. If they can pass it, great for them. If not, they'll come back around for another go in a bit. They've got the time, and for various reasons, they've chosen this hill to fight upon.

If they want to stop these efforts before they eventually manage to stumble into a "success," the tech industry eventually has to gear up for a lobbying and PR war with a degree of cynicism that's unheard of in Silicon Valley. Eventually, simply reacting to the government's efforts isn't going to be enough.

Groups like the RIAA and MPAA, even when they've failed to actually implement their policy proposals, have had remarkable successes in manipulating Congress to go along with their plans. At least until they backfire. Like the NRA with the Second Amendment, encryption will have to be the primary focus. Everything else has to be secondary. Supporting backdoors and the weakening of encryption has to be transformed into a toxic issue for politicians. Hammer home the potential consequences to every retiree and everyone else who doesn't like the idea of their identity being stolen and their assets being spread amongst the criminal element.

With this debate, there's really no room for optimism or taking the "high road." There's no high road in sight, and success is the only metric that matters here.

0. https://www.law.cornell.edu/uscode/text/18/2711

1. https://www.eff.org/deeplinks/2016/04/burr-feinstein-proposa...

2. http://www.intelligence.senate.gov/about

👤Bluestrike2🕑9y🔼0🗨️0

(Replying to PARENT post)

The bill begins:

It is the sense of Congress that--

    no person or entity is above the law;
    economic growth, prosperity, security, stability, and liberty require
    adherence to the rule of law;

Confused here, I thought that the process between Apple and the FBI was taking place in the courts and not on some kind of aquatic platform in international waters.

👤sehugg🕑9y🔼0🗨️0

(Replying to PARENT post)

There's a real, reasonable fear at the heart of this legislation.

If encryption becomes widespread and providers/individuals start using it correctly, then it will greatly hinder law enforcement's ability to gather physical evidence for certain types of crimes.

At the end of the day this is just another situation where we have to weigh the positive of greater freedom against the negative of the impunity this freedom may provide to those breaking laws that we all support.

I don't know what the answer is, but acting like anyone who supports this legislation is just after more control is immature.

👤ted12🕑9y🔼0🗨️0