While the FBI abandoned its court case against Apple, the dispute of course still rumbles on in Congress, with hearings today and a proposed bill to force U.S. tech companies to break encrypted devices on demand. But at least one legal expert thinks the Feinstein-Burr bill is deeply flawed, arguing that it is unconstitutional, unenforceable and would harm U.S. investigative capabilities.
And not just any legal expert: you can’t really ask for better credentials in this area than those of Paul Rosenzweig.
In a blog post on Lawfare, Rosenzweig sets out the three problems he sees with the Feinstein-Burr bill …
Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company [and] formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Distinguished Visiting Fellow at the Homeland Security Studies and Analysis Institute. He also serves as a Professorial Lecturer in Law at George Washington University [and] a Senior Editor of the Journal of National Security Law & Policy.
Rosenzweig begins by pointing out that the U.S. can only control what happens within its own borders. Even if manufacturing devices with unbreakable encryption were banned domestically, people would still be able to download end-to-end encrypted messaging and storage apps from other countries.
The government would, he says, have to make it illegal to import such software – and this could be legally problematic.
It probably violates the US Constitution. Granted, the precedent is a bit old, and comes from the Ninth Circuit, but nonetheless, there is a good basis for thinking that such a ban would violate the First Amendment. In Bernstein v. Department of Justice, the government tried to stop Bernstein from publishing his encryption algorithm. In that case they said it violated export law (rather than a hypothetical import law). But the 9th Circuit rejected that ban and ruled that software source code was speech protected by the First Amendment and any regulations preventing publication would be unconstitutional.
Even if courts ruled it legal, he observes, enforcement would be near-impossible. The only practical way to stop someone downloading particular apps from overseas servers would, he says, require truly draconian measures – and even then, they likely wouldn’t work.
To implement an “import” ban would require the operation of a system akin to the Great Chinese Firewall – a filter that scanned the global internet and implemented a blocking protocol to prevent anyone from the US finding that code. Even if that sort of large-scale surveillance were to pass constitutional muster it strikes me as both technically and politically beyond contemplation. Are Americans going to allow the US government to monitor inbound content? And given the breadth of internet access in the US, could it really be done effectively? I think the answer to both questions is likely “no.”
Finally, even if the bill were legal, and even if it were practical, he says it is likely to do more harm than good in terms of U.S. ability to detect and investigate genuine threats.
Malicious actors would have other options for encrypted communication applications if they chose. By driving actors away from American products and systems we might have the perverse effect of driving internet traffic and technology companies offshore, depriving our analysts of valuable metadata information. In other words, for the truly malevolent actors we might actually hurt our investigative capabilities.
A lot may depend on the outcome of the upcoming elections: the proposal reportedly does not have the support of the current White House administration, but it looks extremely unlikely that the bill would make it to a vote beforehand.
Photo: AFP/Jewel Samad/Getty Images via WCSH6