This post originally appeared in Re/code.
When the FBI backed off of its legal request to force Apple into breaking the encryption on an iPhone used by one of the San Bernardino shooters after figuring out that — contrary to its hyperbolic claims — it could access the contents of the phone without Apple’s help, many in the tech world hoped that it would break the government’s anti-encryption fever.
But instead of listening to the unequivocal consensus of the technologists, cryptographers and security experts who argue that weakening encryption or attempting to create some kind of magical back door for the government’s exclusive use only creates vulnerabilities that bad actors can and will exploit, two influential senators in Congress want to move forward with a bill that would essentially require all tech companies to do just that — create back doors into their encryption technologies or forgo encryption altogether.
It is hard to overstate how incredibly dangerous and foolish the Burr-Feinstein “Compliance with Court Orders Act of 2016” draft legislation is and even harder to believe it was coauthored by California’s senior senator, Dianne Feinstein, D-Calif., and Sen. Richard Burr, R-N.C.
The bill takes the FBI’s ill-advised request in the Apple case to its (il)logical conclusion; instead of forcing a single company to break its own security and hoping that the decrypted operating system never found its way into malicious hands, this bill would force every tech company in America to break its encryption systems and announce to the world that the insecure back doors were available to anyone who could find them.
The risks involved should be apparent to anyone with a basic understanding of how vulnerable we already are to hackers without the government forcing us to be less safe. Anyone who has received a new credit card because their account was compromised should know how common these types of hacks are. Financial institutions have some of the strongest incentives of any companies in the world to ensure that their services are secure, and yet they continue to get hacked again and again and again.
A bill requiring already cash-strapped startups to develop government-only back doors and then protect them from hackers is essentially a full-employment act for cyber criminals. Apple — the most highly capitalized company in the world — has said it would have to build “one or two secure facilities” to protect the decrypted OS the FBI was requesting, at a cost of between $25 million and $50 million.
If a small tech startup facing a similar decryption requirement could even keep its operations afloat after assigning 10 employees to work four weeks full-time building a decryption tool as per Apple’s estimate (hint: no startup could), it’s preposterous to think that it has the resources to build a CIA-level security facility. Even putting aside the security risks that this kind of mass decryption order creates, the economic drag that forced decryption would put on our startup sector is reason enough to oppose it (particularly considering both terrorists and upstanding citizens will just end up using secure products and services created in countries that still allow encryption).
Of course, the security risks this bill creates are real and imminent. Weakened digital security doesn’t just mean that there’s a possibility that more embarrassing private photos will end up on the Internet, or that your bank will have to send you new credit cards every now and again, or even that the government will become a Peeping Tom into your personal life. Weakened digital security can pose a real threat to physical safety: An NPR report found that 85 percent of domestic violence shelters reported working with victims “whose abusers tracked them using GPS”; hackers have shut down hospital facilities with DDoS attacks; and cyber criminals are beginning to target physical infrastructure.
Thankfully, early indications suggest that the bill will find little support if and when it gets formally released. Even if this bill gets laughed out of the Senate, it should alarm everyone that two U.S. senators so blatantly ignored technological reality and common sense in drafting this proposal. If our representatives cannot grasp how the digital world works, and totally ignore the admonitions of the many tech experts that warned of the damage anti-encryption proposals will cause to safety, security and economic welfare, it does not bode well for their capacity to support the startup community that is responsible for all new net job growth in this country.