Apple Aftermath: Senate Entertains A New Encryption Bill

If you recall, there was a recent standoff between Apple and the U. S. Government regarding unlocking an iPhone. Senators Richard Burr and Dianne Feinstein have a “discussion draft” of a bill that appears to require companies to allow the government to court order decryption.

Here at Hackaday, we aren’t lawyers, so maybe we aren’t the best source of legislative commentary. However, on the face of it, this seems a bit overreaching. The first part of the proposed bill is simple enough: any “covered entity” that receives a court order for information must provide it in intelligible form or provide the technical assistance necessary to get the information in intelligible form. The problem, of course, is what if you can’t? A covered entity, by the way, is anyone from a manufacturer, to a software developer, a communications service, or a provider of remote computing or storage.

There are dozens of services (backup comes to mind) where only you have the decryption keys and there is nothing reasonable the provider can do to get your data if you lose your keys. That’s actually a selling point for their service. You might not be anxious to backup your hard drive if you knew the vendor could browse your data when they wanted to do so.

The proposed bill has some other issues, too. One section states that nothing in the document is meant to require or prohibit a specific design or operating system. However, another clause requires that covered entities provide products and services that are capable of complying with the rule.

A broad reading of this is troubling. If this were law, entire systems that don’t allow the provider or vendor to decrypt your data could be illegal in the U. S. Whole classes of cybersecurity techniques could become illegal, too. For example, many cryptography systems use the property of forward secrecy by generating unrecorded session keys. For example, consider an SSH session. If someone learns your SSH key, they can listen in or interfere with your SSH sessions. However, they can’t take recordings of your previous sessions and decode them. The mechanism is a little different between SSHv1 (which you shouldn’t be using) and SSHv2. If you are interested in the gory details for SSHv2, have a look at section 9.3.7 of RFC 4251.

In all fairness, this isn’t a bill yet. It is a draft and given some of the definitions in section 4, perhaps they plan to expand it so that it makes more sense, or – at least – is more practical. If not, then it seems to be an indication that we need legislators that understand our increasingly technical world and have some understanding of how the new economy works. After all, we’ve seen this before, right? Many countries are all too happy to enact and enforce tight banking privacy laws to encourage deposits from people who want to hide their money. What makes you think that if the U. S. weakens the ability of domestic companies to make data private, that the business of concealing data won’t just move offshore, too?

If you were living under a rock and missed the whole Apple and FBI controversy, [Elliot] can catch you up. Or, you can see what [Brian] thought about Apple’s response to the FBI’s demand.

62 thoughts on “Apple Aftermath: Senate Entertains A New Encryption Bill

  1. Surely what this will do, if passed, is drive business overseas to countries where this bill doesn’t apply. It is very easy to backup to other jurisdictions if you have fast access to the Internet.

    1. They might make it illegal for US citizens in USA to use secure backup or encryption services outside US jurisdiction. And anyone who tries to do it will be treated as terrorist. Or make it completely illegal to use encryption unless for example NSA provides the software and public/private key pairs to the citizens, thus ensuring that any communication can be decrypted by government. So the future might be UPSA: United Police States of America. Freedom and privacy are overrated anyway…

      1. The big issue is how does your data get there? If you can’t use an encrypted link to put it offshore, then an encrypted offshore service is moot. And, let’s not forget, that the amount of backbone tapping the NSA and other organizations do, coupled with the fact that it’s pretty easy to see whats encrypted and what’s not, makes it easy to pick anyone out who’s trying to encrypt on the way out anyways. Even a simple HTTPS connection could become illegal.

        1. It could not become illegal, as that would cause certain services that have the obligation to protect client data in a position where they either have to not encrypt and break the law or encrypt and break the law… the lobbyists would eat the senate alive well before this went out…

          1. They could let companies use encryption as long as NSA has private keys of every user of such service. You know, for safety reasons and to fight with terrorists and criminals…

    2. I remember that “traffic crossing the border” was one reason to tap traffic. If it stays within the USA, it’s probably US-citizens. But if it crosses the border, you can’t know for sure, and you can tap it.

    3. Welcome to Europe, folks. Feel free to secede and return to the UK, or join the EU as your own state. Bonus offer: return to UK now, and you get to choose whether we remain part of the EU!

      1. or just move north! :) we have good beer, bacon and great wilderness! on top of that we would like to have more security conscious people in our humble country to help convince our politicians to stop following the American ones ;)

        ps: no we do not live in igloos and a big chunk of our population actually lives further south than the 49th parallel.

  2. Orr ween yourself off of the Apple/Google/Microsoft infrastructure now. I set up my own backup/sync server a year or so ago for a number of other reasons but it will also cover this scenario as my data is not in anyone else’s hands.

    1. Running a similar system, but the average citizen wouldn’t have a clue as to how to do this. Its one of the reasons I sincerely believe a router/arm server hybrid would kill in the market. Easy remote access, encrypted backup, etc would be a sale to anyone who is privacy minded but not technically inclined. Add a few extras like torrent clients, vpn server, and Emby media server for a home “Netflix” experience for those with large DVD/backups (either way). And if you vase it on open source projects it would be especially hard to mandate backdoors/breaking the encryption. But then I guess the hardware manufacturer to get in trouble even if officially its a easy to install unofficial OS? Man I need to get to work on this. I’m going to go hunt down some solid SoC, anyone know of anything that would fit the bill for high bandwidth needs and a decent amount of processing power/RAM? (4GB+)

      1. It’s not quite combined, but it sounds like most consumer NAS systems around, combined with a router with UPnP. Synology NAS devices, for example, you run CloudStation, OpenVPN, Plex, Download Station and encrypt your shared drives.

      2. Xiaomi has a router that is really powerful and does backups, although I have been wondering about what it is sending home to China! And the interface is in mandarin, although the app is in english. 1TB backup driver and very well built hardware with plenty of power.

        Problem with home backup system is redundancy. A burglary or fire can cause the loss of all your photo backups in a few minutes. Most lay-people will still struggle with this.

        I agree that there is definitely a market for a decent router setup. With proper routing and multiple WAN + all the backup bells and whistles.

  3. >>>Technical assistance
    Well, IMO it means that people/companies also could be pushed to give their source code/SSL certificate private keys, for example. And who would stop FBI from fabricating a case if they absolutely need somebody’s code and certs to sign it?

    1. If (and i know this is a big if) the code is properly written it doesn’t matter if they see the source code. That’s the draw of ECC , forward secrecy, and modern encryption in general. The method is well known but the math is simply too expensive to solve without the keys. Even knowing how the keys are made doesn’t help you

        1. They flash a custom ROM that has decryption disabled. Which was what they wanted Apple to do in the first place.

          This isn’t beating the encryption so much as bypassing it entirely.

    1. As a business, we have already experienced the US industrial espionage infrastructure several times with our IP. They are worse than China businesses, because one can’t publicly call the hydra-heads hypocrites without risking a deformation case.

      To be honest, it is unsurprising Congress would try to outlaw Math designed to make the process more difficult.
      While they aren’t all necessarily ignorant, many have fascist ideals and irrational economic revenue model theories.

      I didn’t think America would surrender so readily to corporations seeking unfair market positions reaching beyond the Patriot Act’s treasure trove of Marketing data.

      If this passes, people will simply release new kinds of Steganography augmented encryption that is stronger than anything publicly available today. Notably, there are new types of distributed public key systems coming which can’t be associated with current traditional individual pairing standards, or be routed through Google’s new “special” IPv6 routers.

  4. Do it yourself. I wonder what the FBI/NSA/CIA does, if I refuse to provide my AES-256 keys to the data I encrypted and saved somewhere. They could torture me, but if I’m dead, just like that guy, who’s Iphone was decrypted, there’s nothing they can do :)

          1. Reminds me of the classic from Firesign Theatre;
            Chief: “Player, you have choice. You choose Death or Chi-Chi?”

            Player:”I choose death, chief.”
            Chief:”Oh, you wise, player. But first, a little chi-chi!”

    1. The right to privacy is an implied right. ITAR defines encryption as arms, so this bill should be invalid under the second amendment. Do you think we could get the NRA to take up encryption for the people? They certainly hate Dianne enough.

  5. This draft-bill trial-balloon was leaked days ago, and there has been almost ZERO coverage of it in the mainstream media! This bill is orders of magnitudes greater in terms of government over-reach compared to the Patriot Act. Do you remember the all the screaming and yelling in the media and press about over-reach in the Patriot Act? So where is the media this time? Where is the ACLU this time? Why is this bill being ignored?

  6. FWIW…

    Constitutional basis for right to privacy:

    https://en.wikipedia.org/wiki/Privacy_laws_of_the_United_States

    Federal:

    Although the word “privacy” is actually never used in the text of the United States Constitution, there are Constitutional limits to the government’s intrusion into individuals’ right to privacy. This is true even when pursuing a public purpose such as exercising police powers or passing legislation. The Constitution, however, only protects against state actors (a person who is acting on behalf of a governmental body). Invasions of privacy by individuals can only be remedied under previous court decisions.

    The Fourth Amendment to the Constitution of the United States ensures that “the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized”.

    The First Amendment protects the right to free assembly, broadening privacy rights. The Ninth Amendment declares that the fact that a right is not explicitly mentioned in the Constitution does not mean that the government can infringe on that right. The Supreme Court recognized the Fourteenth Amendment as providing a substantive due process right to privacy. This was first recognized by several Supreme Court Justices in Griswold v. Connecticut, a 1965 decision protecting a married couple’s rights to contraception. It was recognized again in 1973 Roe v. Wade, which invoked the right to privacy to protect a woman’s right to an abortion, and in the 2003 with Lawrence v. Texas, which invoked the right to privacy regarding the sexual practices of same-sex couples.

  7. Senator Dianne Feinstein – Chairman of the Senate Intelligence Committee (January 3, 2009 – January 3, 2015)
    Senator Richard Burr – Chairman of the Senate Intelligence Committee (January 4, 2015 – present)

    The people proposing the removal of a pesky like privacy are not exactly unbiased.

    1. Senator Dianne Feinstei is 82 so I strongly suspect that she may not fully understand the ramifications of what is being asked for, and the long term detrimental effect it will ultimately have on the U.S. economy. Which is not necessarily a bad thing for the rest of the world.

      1. Feinstein almost certainly understands the ramifications of what she is proposing and if not her staff does. This woman is and has always been a champion of fascism and lobbies heavily to remove rights and powers from the people under a false banner of progressivism. Just look at her very long voting history to see this.

    2. Feinstein was a big supporter of the NSA spying on every average citizen.
      Then she threw a fit when it was revealed they also spied on the senators and representatives such as herself.
      Her only interest is in being one of the big people above the law and preventing the little people from removing her power.
      As someone from California, I deeply apologize to the rest of the states for the fact she remains in office.

  8. I sometimes think that the whole Internet is just a scheme intended from the very beginning to collect everyone’s data. After all it originated from DARPA. Every activist can be shoot down with some uncomfortable data, when the need arises. You disagree with the goverment policy? Let’s see, this is what you did on December 4th, 2007 …

  9. tim cook i hope you intend to become a second level criminal i.e risk a charge of aiding and abetting in terrorism to protect our rights.

    i also hope you boobytrap future devices so if anyone tries to extract the data whether by the ports or unsoldering chips the device erases the chips (sorry drive savers you are going to destroy the data you are trying to recover).

  10. IMHO, Apple should make a new version of IOS available ASAP. No screen locking, no encryption. Offer it with the note: “This is optional now, but will be required by law if this law is passed”.

  11. What does physical access to the devices matter when Snowden already revealed that all those companies had been conspiring with intelligence agencies to let them install hardware in their networks to track, monitor, record, and intercept the data that goes I’m and out of the devices without users knowledge or consent or without warrant?

    Seems trivial.

  12. There’s obviously much more afoot than what they are claiming. You’re a fool if you don’t think the NSA can already do what they are proposing to require in this bill. This is just another way to take freedoms away from the common man under the the guise of safety. The kicker? The government still can’t guarantee your safety any more after a bill like this is passed than before. Have a think about that.

  13. There are two things that need to be kept in mind here. The first is expectation of privacy. Once any information leaves your possession, you no longer have any expectation of privacy. anything can happen to said data. Your expectation of privacy becomes zero. It is analogous to having a conversation in a Walmart. While it may be considered rude to listen in, you are in a public venue. Think of the internet as the worlds largest Walmart. Once the data leaves your house, it is in the public area. The second is the thought that encrypting data makes it inherently private. It does not. It makes it harder for it to be read, that is all. Think of the English speaking person listening to the Spanish speaking couple in that Walmart. To him, the conversation is encrypted. If he learns to speak Spanish then we return to the state where they are speaking in a public venue and the information is no longer private.

    The point of all this is, you only have an expectation of privacy within the walls of your own house or within the confines of your own hardware. Once outside of those confines your right to privacy means jack shit.

    1. You do still have the right to expect privacy.

      This sort of noxious thinking shows just how successfully corporations have brainwashed western citizens.

      Once data leaves your house it is NOT in public – you are conflating the issues and terminology surrounding photography in public.

    2. but you fail to see that they are trying to make sure that the confines of your hardware do not exist to them. to explain in an analogy, this would be like requiring by law for lock makers to create a master key for all of their locks that could be requested by the government at any time. This has already been shown to be foolish, for example, TSA approved locks are useless because the master key has been reverse engineered. another analogy would be the domestic automotive manufacturers that used sets of keys for their cars rather than an individual key for each car (before immobilizer chips), i have seen people start up and drive away in a car that wasn’t theirs only to return minutes later to get in the right car!

  14. Fire works with paper, EMPeeing on your data will always be possible. It will become that self destruction will be the norm for last level encryption defeat. A government mandated unerasable storage requirement will be the next move.

  15. What am i reading this is absurd, America Goes on Attack pisses off some sand people and America won’t buy from Russia all because of an altercation about 110 years ago, But america will force the UN and say blah blah then they steal from sand people they get butt mad go on Rampage 30+ years ago they infect the people with agents agents later turn on the US who then declares to the world they’re being of terror wrists, Plane is of explode big news American new outlets told to blame Russia BUK missle launcher Cold war lie inquiry finished Not of Russian design or made people be of kill watch of death all in a very specific region where certain resource pipelines are feeding into a nation America again claims Shenanigans gets ingored war winding down gotta do something suspicious blah blah need to convince the UN again to go pick on the sand people because we need OIL for AIR FARCE ONE.

  16. 1998. US Government passes the Digital Millennium Copyright Act, making it illegal to circumvent any electronic encryption.

    2016. US Government wants to pass a law prohibiting any electronic encryption from being *un-circumventable*.

    1. No. DMCA only applies to encryption that is used to protect copyright. And DMCA does not apply to governments (there is a specific exception for government) when they use that to legally obtain evidence (its included in the “Fair use”).

      A encryption on a phone or device, that only allows its authorized owner to access it, is not a encryption designed to protect copyright, even if the owner uses the protection as it, so even if a song artist uses the PIN code on his iPhone to protect against someone “stealing” his song files, the PIN code does not protect against copying or misuse of the song files, and thus does not fall into DMCA.

      Normally, a DRM system consist of 2 parts:
      A encryption. The sole function of the encryption is to prevent non-policy-abiding devices from reading the data.
      A usage policy. Devices or softwares that do understand the policy and enforces it, do posess the encryption key.

      A third part, software verification, is also considered part of a DRM system, where the DRM system verifies any software loaded on the device are genuine and signed by the device manufacturer, to prevent anyone from loading a modified software that do allow the usage of encryption keys, but do not abide to the usage policy.

      Thats why there is a possible that people that circumvents the software verification of routers, can fall afoul of DMCA due to the method in question is generally used to protect digital rights.

      And also, all DRM systems do have a way to “unlock” it from the manufacturer, so if a government stumbles upon for example a phone call recording protected with DRM, they can just ask the operator of the DRM system to put “usage rights = all” in the online policy for the specific file in question.

      ———————————————————————————

      And no, US Government don’t want to pass a law prohibiting encryption to be “un-circumventable”.
      What they want to do, is to make sure the manufacturer or provider of a service or device, should have the “master keys” to decrypt it. That does not mean the encryption is circumventable.

      A secure master keying scheme can be easily done, where there is a grand-master-key, that never leaves a special secure vault, eg a HSM in a permanently sealed vault, and any tampering clears this master key. Out of this grand-master-key, you create specific date keys, that is only valid for devices manufactured a specific date. Out of each date key, you create a device-specific public/private key.
      This can be easily done by using Elliptic curve math to generate chained keys.

      All this calculation can be done inside the secure vault.
      Thus, upon receiving a subpoena, the manufacturer can enter a serial number and get the device key. This can also be enforced so the serial number must be physically entered locally on a tamper-resistant keypad and this device is completely airgapped and offline. It could even contain a switch and capacitor, that disconnect the mains power just before doing any crypto, to completely prevent any power analysis.

      And of course, this HSM device could be such as so multiple persons, lets say even 4 different unrelated persons out of lets say 8, need to stand in front of the machine and auhenticate to it, to allow keys to be calculated.

      Then the manufacturer can give this device-specific key to the police, but the keys can never be abused or leak as they are locked in the HSM.

      The manufacturing plant have the grand-master-public-key and can thus generate chained public keys, so even if the plant is compromised, no secrets leak out.

  17. A MUCH harder solution is to vote the scumbags of ANY party out of office that support this. The tech quislings on the other hand, can be dealt with on a much more immediate ba$i$. In the long run if you hurt either one’s wallet hard enough, they might learn the lesson.

  18. Nice musings and all, but this game has gone on for decades before personal computing. It’s back to measure, counter-measure. If the government were to pass some kind of legislation requiring manufacturers to provide them master keys, today’s savvy user community will easily adjust with personal encryption schemes and custom software layers that would form another layer of the so-called onion skin.

    What I think is more troubling, if anything, is what is happening with the big box software companies and hardware manufacturers. I’m watching Microsoft and Intel and it seems there might be some upcoming hanky-panky between the microarchitecture and OS.

    Can you say built-in root-kit?

Leave a Reply to ejonesss Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.