Dear Senator Burr,
This is an open letter, drafted to your office and co-published on the Internet at http://8minutesoffame.com/richard-burr-letter/ on this day, April 13, 2016.
As a constituent and someone that tends to support your overall stances on more issues than I disagree, I find myself in the position of not being able to remain silent on the issue of the “Compliance with Court Orders Act of 2016” your office is proposing for the 2nd session of the 114th Congress. I shall endeavor to make my points on the topic in as reasonable a manner as I possibly can.
Overall scope – to understand the scope of your document it has to be read backwards, which I find humorous in that most political writings are backwards in their effect if not their initial intent. This particular draft release however is more disturbing that most in that it appears to me that neither of the parties drafting this bill have any technical competence from which to glean a right or reason to be drafting such legislation.
In short, neither party seems to actually have any idea what they are talking about, so I find myself wondering why you would co-sponsor a bill about a subject that is obviously over your head in terms of technical understanding; with the possible exception that you have a staff of personnel upon which you rely that has completely misled you by their own inept understanding of the subject matter.
Let’s start at the beginning. What covered entities are affected by your proposed legislation, which I will for the sake of brevity henceforth refer to as the “bill?”
Covered entities are, as identified in Section 4, subsection (4):
- Any device manufacturer.
- Any software manufacturer.
- Any electronic communications service (which I assume to mean email, TCP, IP, UDP, HTTP, Text, SMS, MMS, or any broker thereof).
- A remote computing service (a term I can tell you have no idea what it means but for clarification I will advise you also includes companies like mine that offer remote support, remote control, remote services, and other computer and communications related services as part of our core business, even though we have only tangential-involvement at best to such data)
- Any person who provides a product or method to facilitate communications or the processing or storage of data.
You have basically laid out a list of entities that covers every single company that has anything to do with data, touching data, manipulating data, and I mean ANY kind of data, not just communications. Your blatant inclusion of persons that provide a product or method of storing data covers entities that are far outside the scope of a communications bill. In fact, that inclusion alone means access to all kinds of data in every form is within the scope of this bill.
Further reading in section (5) outlines the types of data to which your bill refers. Subsection (A) is fairly common, and seems to reference communications in its more normal form; to which we attribute conversations, text messages, emails, etc. Subsection (B) however once again delves into the grey space with terms such as “information stored remotely or on a device.” I’m choosing to ignore the “provided by a covered entity” only because it seems your original scope clearly defines a covered entity as almost every technology company and partner in the world. It would just be redundant to repeat it again.
Limitations of Scope
If it is the scope of your bill to cover devices such as mobile phones and tablets, which I assume it is considering it falls on the heels of the recent Apple/FBI issue, then you need to know your broad terms in subsection B seem to overreach. This states information “stored remotely or on a device” is within the scope.
Let me explain with relevant current examples that would occur today on a normal indivudual’s electronic device. Information that could normally be accessed from a phone, but not stored there, would include access to a person’s social media accounts, email accounts, dropbox, Soonr, OneDrive, and other accounts as well. Nevermind the vague possibilities. Let’s just use my personal cell phone, the one I’m carrying right now.
Using my personal phone alone, without access to any other information, under the provisions of your bill, would grant an agency the ability to search my cell phone, but would also allow access to my Facebook, text messages, work email, personal email, snapchat, whatsapp, twitter feeds, phone calls, banking information, photos, Voxer conversations, Instagram, the contents of my Xbox account, chrome browsing history, internet radio history, music history, to-do lists, work calendar, personal calendar, all contacts, gas and mileage logs, gps tracking history, gps locations of friends of the person using related apps, resting heart rate, sleep schedule, client list, access to client passwords, remote camera feeds, Lowe’s shopping history, Google wallet (banking) history, as well as my Amazon purchases.
The argument for access to a “phone” is no longer simply a request to see who a person is talking to, or how long. It is unfettered access to everything digital in the individual’s life. It is more invasive than any FBI-executed search warrant you could ever issue on someone’s home and for most people under the age of 40, contains one-button access to most everything they deal with on a day to day basis.
Had you worded your bill to leave out “stored remotely” much of that aforementioned data would be off-limits. However, much of that data is on-demand, meaning it’s not actually stored there until you open the application to access it and the limited knowledge police law enforcement have on the subject would make it impossible for them to know the difference. For example, my client’s working data isn’t actually stored on my phone at all, but if you open an application to access it, any information necessary would be downloaded almost instantly, at which point it IS on my phone. However, it wasn’t on the phone before when the phone was in the agent’s hand, but is now that they have launched the application. The line between what is and is not accessible on a device is greyed in today’s technologically connected world and your bill demands access to all of it by simply saying “stored remotely” in one sentence.
Let’s move on to Section 4 (10). Your bill defines intelligible to mean information that hasn’t been encrypted, which I think we all agree is fine, but it also includes “information or data that has been encrypted, enciphered, encoded, modulated, or obfuscated” which your bill demands has to be reverse engineered or decrypted to provide authorities with the information in its original form.
Subsections (11) and (12) of section 4 go on to cover other clarifications not at the heart of my dispute, so I’ll forego addressing them.
Back to the heart of the matter
Now that we firmly understand the scope of the bill gives access to anything on a device, or anything that device has the access to, and it is a foregone conclusion that the scope would include every consumer in the United States and every company with any footprint whatsoever in the digital marketplace, what is the bill actually asking in terms of technical compliance?
The bill states that anything encrypted, encoded, obfuscated, or otherwise manipulated to provide security for the individual, company, or client that uses technology has to have a backdoor method provided by the manufacturers to render that data readable in its original form, which I’ll assume means some version of plain-text legible to whomever has the court order to access information on the device. While the bill itself doesn’t explicitly state a backdoor per-se, it states that covered entities have to have a way to comply with law enforcement’s demand to decrypt the information. Since neither yourself nor Senator Feinstein are employed in the technology sector I’ll forgive the ignorance and just state that it equates to the exact same thing; a backdoor, a way to undo what has been done to any data sent or stored through the company’s hardware or software.
The sheer scope of that demand is both technically impossible to implement and flies in the face of the idea of personal privacy.
As someone both read-up on the Constitution and employed within the technical community, I freely admit there is nothing in the US Constitution that addresses the privacy of an individual with respect to oversight from something like what you are proposing. I think we can all agree that the founding fathers never envisioned a world with instant communications and global access to data, much less telephones at all. With that in mind it is abundantly clear to me that the men that formed this great nation DID endeavor to protect its citizenry from all forms of tyranny, both foreign and domestic. I think we probably agree on that. Had they known about such forms of surveillance and the powers that come along with it, I believe they would have laid down stronger defenses against it. Alas they did not and we have to think for ourselves what is best for our people and for each other and strive to make those kinds of changes that better mankind, not changes that allow one government an advantage over its citizenry.
Living in a post-Snowden age with the broad overreach of our government fresh in everyone’s mind and examples of our own government delving into the lives of its citizenry in ways it had no legal approval to do, is it any surprise that citizens such as myself would be firmly against such broad powers being wielded by someone that has shown no remorse for mistreating its own citizenry in so many ways and so recently? As my Senator, I would have expected you to fall on that side of this argument, not side with Feinstein, a woman no one in their right mind has ever co-sponsored a bill with. While I am all for bi-partisan politics, the mere idea that the democratic front-runner for anti-gunners who has no idea how firearms work, would wholeheartedly agree with your office on this bill should have given you fair warning that it requires much deeper analysis before siding with her view on this issue. I can’t fathom many situations in which the Republican senator from NC and the democratic senator from California are going to be on the same side. This one should prove no different.
However, leaving Feinstein out of this argument; if we lived in an age when our government had shown compassion and a fairly successful history of protecting us from harm from outside harm, the opinion of the masses might be different. Sadly, we do not. We instead live in a time when the government more oft than not mistreats the powers it has while reaching greedily for more.
Leaving aside for the moment the fact that you’re proposing a bill that gives the school-yard bully just another tool for his arsenal, let’s take a moment to discuss the technical implications of your bill.
The truth about encryption
Encryption is only as good as its ability not to be decrypted. The Apple case itself has revealed that to be true, even if only in hindsight. If there is a way to decrypt a piece of information, that information simply will not remain forever in the hands of those who pledge to do good. The federal government of the United States itself has been the victim of hacking these recent years. Faced with the new cyber-threat of ransomware, which they have had zero success in slowing down or stopping, they have actually come out publicly and counseled victims and business to simply pay the ransom to hackers because they can’t find a way to stop it or combat the threat of ransom-ware once it has infected a company. It’s infecting business daily, costing the US millions in extortion fees, and yet you still want to weaken encryption further by making it so every personal communication device needs to be downgraded in a time when even the best encryption out there is incapable of stopping threats.
In the event of the Apple case, with regards to the phone, the example is even more evident. Apple couldn’t comply without rewriting code to break their own security. Meanwhile, some other hacking company the FBI has yet to disclose to the public had already come up with another way to access the device. It stands to reason that you should already know that no method the FBI purchased was itself a legitimate product that is legal to be sold in the US because it violates the security of another company’s product by design.
This is the same government that wants backdoor access to everything electronic its consumers possess. Does that not strike you as blindly arrogant, not to mention incredibly irresponsible? Merely forcing companies to create methods to decrypt data that is encrypted means there is absolutely zero security. If it can be reverse-engineered (which includes things like back doors) then it can be reverse engineered by ANYONE with enough time, finances, and desire to do so. There is no such thing as a backdoor that can only be given to the government of the United States, especially amongst all the many platforms your bill encompasses.
Companies across the world would be forced to weaken their encryption and stop efforts at increasing consumer privacy because the US government basically says “Wait, you can make it strong enough a 12-year-old can’t break into it, but you can’t make it SO good that we can’t get into it either.”
But what if you could?
Let’s say for a moment your bill did work and all US-based companies and manufacturers were magically forced to comply. What would happen? The outcome would be identical to the automotive industry and the industrial industries and we’ve seen how that turned out.
Companies that make products for sale to consumers would simply move their servers off shore. Dropbox would now operate out of some other country instead of the US. Facebook could simply move everything away from California, and I personally believe they would if threatened strongly enough.
Thanks to the global reach of the Internet, there is no way possible the government could enforce a ruling on non-US companies that would have the effect your bill desires. There are thousands of companies that operate outside the USA for simply this reason alone.
There are already many applications that are non-US that offer encryption already that would not be affected by this bill. Customers would just choose to use them instead. Companies such as TrueCrypt, based in the Czech republic were long a staple for those desiring free encryption. Since their demise, they have been replaced by Irdix, based out of France, and therefore not subject to the bill you are proposing.
Your bill would unduly burden technology companies here in the US, drive up sales for companies off-shore, and within one year the bill will have zero technological effect because no one would be using US products for technological needs.
Meanwhile, anyone that chose to remain within the US and comply might as well have a flashing neon sign over their product that says “Hackable.”
Technical hurdles, governmental overreach, and personal privacy aside, it is your job as our elected senator to work for the best interest of your constituents. Where was the poll on your website asking for guidance from your voters as to what you should propose? Where was our input, or the solicitation for input of those technically capable to advise you on such a matter when you have absolutely no idea what you’re talking about?
The argument you are undoubtedly using is that the government must be free to search out terrorists at every level and that companies shouldn’t be allowed to hamper them in that effort. By that metric, given today’s standard of technology, your next bill will require the wearing of GPS trackers by all citizens so the government can know where anyone is at any given moment. Maybe we should have kill-switches installed in all US based cars that allow anyone with a warrant to simply disable any vehicle from a satellite connection to reduce the risk of injury during pursuit by the authorities? If these sound far-fetched to you, then I’m glad, because they fall inline right beside the proposition your bill has introduced.
To the public’s knowledge (and I’ll admit there are likely instances that remain classified we are not privy to) there has never been a terrorist plot of any kind deterred by allowing the government or any other body, access to a person’s private store of data. Until such time as that has occurred, and occurred with a frequency that could be argued for the greater-good clause, this bill of yours should be laid aside and your fight should be FOR the people of this great nation and their justifiable right to privacy, not against it.
I hope, Senator Burr, that you will take my thoughts to heart and reconsider your stance on this issue. I also hope that you will take the time to read the article I mentioned at the beginning, where this same letter is co-published for my readers and where (I hope) they will add their thoughts and comments.
1) If you wish to comment to this in a format the Senator might read, please use the blog’s comment feature, NOT the Facebook comment feature. Blog comments are preserved with the article whereas Facebook’s commenting stream isn’t.
2) With respect to the seat of the elected official to which this is intended, I ask that you refrain from language that would offend readers of any age. Failure to do so will simply result in me deleting your comment before the Senator or his staff see it.
3) Any response from the Senator or his staff will be posted here verbatim. Whether or not I receive one I have no way of knowing at the time of publication.