A new shot was fired last week in the reignited crypto wars, when Sens. Dianne FeinsteinDianne Emiel FeinsteinSenate panel advances bill blocking tech giants from favoring own products Eight senators ask Biden to reverse course on Trump-era solar tariffs Lawmakers in both parties to launch new push on Violence Against Women Act MORE (D-Calif.) and Richard BurrRichard Mauze BurrPelosi says she's open to stock trading ban for Congress Momentum builds to prohibit lawmakers from trading stocks Public health expert: Biden administration needs to have agencies on the 'same page' about COVID MORE (R-N.C.) released a discussion draft of legislation that would require companies to decrypt their customer data upon receiving a court order. The battles in this ongoing war have become fiercer in recent weeks as the standoff between Apple and the FBI has played out in the courts and in the media, and both law enforcement and the tech community have further entrenched themselves in their opposing positions. Yet while critics have rightly pilloried the proposed Burr-Feinstein bill as being both impractical and imprudent, a fairly simple amendment would make it a viable proposal that could bring both sides of the crypto war closer to a much-needed detente and prevent a continued escalation of the fight.
Most of the encryption debate is about whether businesses should be able to design the best security controls they can conceive for their customers, even if it means that the government may be locked out. The tech sector argues that the government should not be in the business of telling them how to build secure products, while law enforcement argues that no company should sell products that let users encrypt data such that the government cannot gain access. Since it is impossible for both of these conditions to be true, the debate has stalled.
The proposed Burr-Feinstein legislation has received widespread ridicule because its attempt to square this circle is nonsensical: The bill simply states that both conditions are to be true. Without qualification, it requires companies to decrypt data for law enforcement while at the same time stating in the legislation that it is not imposing any design limitations on the private sector. Unfortunately, saying something, even if it is in congressional legislation, does not make it so. The only way companies would be able to comply with the proposed law would be to design their systems so their customers do not have the only copy of the key used to encrypt their data.
The problem here is not just one of incoherent legislation. As the Information Technology and Innovation Foundation has shown in a recent report, if companies were to be required to adopt this type of key escrow system, it would introduce many new vulnerabilities, which would make everyone less secure while doing little to actually protect Americans from criminals and terrorists.
Undoubtedly, the bill's sponsors have honest and honorable intentions. They say that the purpose of the legislation is to reinforce the idea that "no one is above the law." Indeed, it is quite reasonable to expect companies to obey the law and do what they can to help with lawful investigations. They also say they have no intention of allowing the government to tell the private sector how to design products. If both of these are indeed true, then here is where it may be possible to find a compromise.
A commonsense fix would be for the bill to only require companies to comply with lawful court orders when doing so is technically feasible. That is, if companies have the key, then they should decrypt the data, but if they do not have it, then they should not be expected to. While hard-liners on both sides might object — either because they do not believe companies should have to comply with any requests, or because they believe the government should ban certain forms of encryption — this would create a solid middle ground. It would uphold the goal of ensuring that nobody is above the law while also preserving the principle that the government will not hold back the private sector from improving security.
At the end of the day, we need to find a resolution to this debate, or the crypto wars will last indefinitely. Both law enforcement and the tech community have important contributions to make so that Americans will be safer and more secure, and they can do this better when they are working together. Amending this legislation would be a good place to start toward reconciliation.
Castro is vice president of the Information Technology and Innovation Foundation, a think tank focusing on the intersection of technological innovation and public policy. Follow him on Twitter @CastroTech.