Senate Intel panel releases official encryption bill draft
A draft of the long-awaited Senate Intelligence Committee encryption bill officially arrived on Wednesday.
The measure, from Chairman Richard Burr (R-N.C.) and ranking member Dianne Feinstein (D-Calif.), would force companies to provide "technical assistance" to government investigators seeking locked data.
The move is a response to concerns that criminals are increasingly using encrypted technology to hide from authorities.
An initial discussion draft of the bill was first made public by The Hill last week.
While law enforcement has long pressed Congress for legislation that would give it greater access to encrypted data, the tech community and privacy advocates warn it would undermine security and endanger online privacy.
"I have long believed that data is too insecure, and feel strongly that consumers have a right to seek solutions that protect their information - which involves strong encryption," Burr said in a statement. "I do not believe, however, that those solutions should be above the law."
Little was different in Wednesday's draft from the version published by The Hill last Thursday.
The measure still states that a company must provide "information or data" to the government "in an intelligible format" when served with a court order.
If the company cannot meet this standard, it must offer "technical assistance as is necessary to obtain such information or data," according to the language.
The bill covers a wide array of companies and individuals that facilitate digital chatting, including device and software manufacturers, as well as providers of electronic communication services.
In a release, Burr and Feinstein noted the bill would not ban any types of encryption or operating systems.
"Terrorists and criminals are increasingly using encryption to foil law enforcement efforts, even in the face of a court order," Feinstein said in a statement. "We need strong encryption to protect personal data, but we also need to know when terrorists are plotting to kill Americans."
One significant addition since last week's leaked draft is a section specifying exactly when the government can seek a court order compelling companies to provide technical help.
The measure lists crimes resulting in death or "serious bodily harm," federal crimes against a minor, serious violent felonies and federal drug crimes. The measure would also apply to foreign intelligence, espionage and terrorism cases.
Notably, the bill also extends the power to state crimes that are equivalent to any of the federal crimes listed in the bill.
Local district attorneys have long been banging the drum for the type of authority the Burr-Feinstein bill would grant.
The bill does not include specific penalties for companies that refuse to help. Instead, the bill would leave it up to individual judges to decide how to penalize companies, Burr said earlier this week.
"If they don't honor the court order or appeal, that judge has full authority to exercise penalties, fines," the committee chairman told reporters.
"And that's where it should be, because every situation is going to be different, so you can't necessarily codify a certain route."
Such a situation was recently thrust into the spotlight when Apple rebuffed an FBI court order directing the firm to create software that would allow investigators to access data on an iPhone used by one of the San Bernardino shooters.
The measure is expected to face long odds in the Senate.
The tech community has already expressed serious reservations about the early leaked draft. Dean Garfield, CEO of the Information Technology Industry Council - which represents major tech players such as Apple, Facebook, Google and Microsoft - called the effort "misguided."
The White House sent mixed signals about the bill as it reviewed the language in recent weeks.
While officials insist no decision has been made yet on whether to support or oppose the measure, White House press secretary Josh Earnest on Tuesday cast doubt on Congress' ability to pass "constructive" legislation to address the encryption issue.
In addition to the outside pushback, the Burr-Feinstein bill has to compete with an alternative effort from Sen. Mark Warner (D-Va.).
Warner and House Homeland Security Chairman Michael McCaul (R-Texas) in February introduced legislation to establish a national commission that would explore how police can get at encrypted data without endangering Americans' privacy.
The McCaul-Warner commission would consist of 16 members, including tech industry executives, privacy advocates, cryptologists, law enforcement officials and members of the intelligence community.
Modeled after the 9/11 Commission, the group would have six months to create an interim report, and a year to deliver its full findings. Its scope would expand beyond encryption, exploring more broadly how authorities can maintain security with the proliferation of modern technology.
Privacy and civil liberties advocates have not embraced the Warner-McCaul commission, either, though. The American Civil Liberties Union dinged the proposal for its broad mandate, which it says could lead to overreach.
Burr has insisted that no commission is necessary since law enforcement has already made the problem abundantly clear - encryption is stymying legitimate investigations.
But Burr said he does hope that Wednesday's draft "will start a meaningful and inclusive debate on the role of encryption and its place within the rule of law."