Over the holiday weekend we’ve been receiving more information about the welcome demise of the Senate Bill sponsored by Senators Richard Burr and Dianne Feinstein, two leading senators on the Senate Intelligence Committee. The bill would have forced U.S. companies to decrypt any encrypted data they may have handled if ordered to do so by a U.S. court. The federal government had not supported the bill, and various agencies such as the CIA and NSA had remained decidedly lukewarm.
Libertarian writer Julian Sanchez recently described the draft bill as “the most insane thing I've ever seen seriously offered as a piece of legislation. It is ‘do magic’ in legalese.” Cindy Cohn of the Electronic Frontier Foundation wrote: “Forcing companies to undermine their products will stifle the very innovation that built the American tech industry. American innovators and companies will just lose out since foreign companies will still be offering these protections to their users.”
So why would the obligations the bill would have imposed not have worked in practice? Modern encryption is designed so that ciphertext can be turned back into plaintext only by someone who holds the key, and with device and end-to-end encryption that key is generated on, and held by, the user's own device. In other words, the keys are normally out of the manufacturer's control and entirely in the hands of the administrator of an encryption network, or of the end-users themselves. The only way for a company such as Apple to decrypt customer data on demand would be to keep a copy of every key ever used (key escrow), or to store keys on devices in a way the company could later retrieve, and any such copy can be reached by an attacker or an insider just as easily as by a court. As Zix CEO Dave Wagner has stated before, “it is like leaving the key in the lock of your home’s door.”
Consider also electronic commerce. The bill would have made it open season for orders compelling any company to hand over the private keys behind its SSL/TLS certificates, or to backdoor the encrypted containers it uses, compromising the security of every individual in the U.S. and abroad who relies on those companies' services. Even more disturbing, the bill made no distinction between encrypted data and data the user has destroyed or wiped. Securely deleting encrypted data normally means destroying its key, so to be able to reconstruct past or shredded data on a court's order, a company would have had to retain the keys for every piece of data it ever handled, indefinitely, and a store of retained keys is exactly the target an attacker goes after.
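To make the two points above concrete, here is an added example in Go (not code from the original post or from Zix) that models them with the standard library's AES-256-GCM: a user device that generates its own key, a vendor that stores only ciphertext, a court order the vendor can satisfy only if it has kept an escrowed copy of the key, and crypto-shredding, which is how "wiped" data is normally made unrecoverable. The type and function names (UserDevice, Vendor, EscrowKey, ComplyWithOrder) and the sample message are assumptions constructed for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// UserDevice holds an AES-256 key generated on the user's own device; the vendor never sees it.
type UserDevice struct{ key []byte }

// NewUserDevice draws a fresh 256-bit key from the OS CSPRNG on the device.
func NewUserDevice() (*UserDevice, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &UserDevice{key: key}, nil
}

// Shred is crypto-shredding: overwrite and drop the key; ciphertext held elsewhere becomes unrecoverable.
func (d *UserDevice) Shred() {
	copy(d.key, make([]byte, len(d.key)))
	d.key = nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects a nil (shredded) or wrong-size key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals with AES-256-GCM, nonce prepended; the GCM tag makes a wrong or missing key fail loudly.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt; it returns an error for a wrong key or tampered ciphertext.
func Decrypt(key, ciphertext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(ciphertext) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ciphertext[:n], ciphertext[n:], nil)
}

// Vendor stores users' ciphertext. escrow stays empty in the normal design; a decrypt-on-demand mandate fills it.
type Vendor struct{ stored, escrow map[string][]byte }

// EscrowKey is the "key left in the lock": the vendor retains its own copy of the user's key.
func (v *Vendor) EscrowKey(user string, key []byte) { v.escrow[user] = append([]byte(nil), key...) }

// ComplyWithOrder is what a court order would demand: the user's plaintext.
// Without an escrowed key the vendor holds only ciphertext and cannot comply.
func (v *Vendor) ComplyWithOrder(user string) ([]byte, error) {
	ct, ok := v.stored[user]
	if !ok {
		return nil, errors.New("no data stored for user")
	}
	key, ok := v.escrow[user]
	if !ok {
		return nil, errors.New("vendor holds ciphertext only; nothing to decrypt with")
	}
	return Decrypt(key, ct)
}

func main() {
	dev, _ := NewUserDevice()
	ct, _ := Encrypt(dev.key, []byte("constructed sample: quarterly numbers attached")) // constructed input
	v := &Vendor{stored: map[string][]byte{}, escrow: map[string][]byte{}}
	v.stored["alice"] = ct
	_, err := v.ComplyWithOrder("alice")
	fmt.Println("no escrow:", err) // vendor cannot comply
	v.EscrowKey("alice", dev.key)
	dev.Shred()
	_, err = Decrypt(dev.key, ct)
	fmt.Println("user after shredding:", err) // the user's own data is gone
	pt, _ := v.ComplyWithOrder("alice")
	fmt.Println("vendor after shredding:", string(pt)) // the escrowed copy still opens it
}
```

The escrow map is the whole problem in miniature: once it exists, the data the user believed shredded is still recoverable by whoever reaches that map, whether that is a court, an insider, or an attacker who has compromised the vendor.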
We at Zix protect business communications for our customers and their communities. Therefore we are pleased that the draft legislation has been withdrawn. Business leaders who wish to enroll in the Zix Encryption Network and join the Zix community that easily exchanges secure encrypted emails can learn more by clicking here.