FAQ: Will draft bill mandate access to encrypted information?

Is the Compliance with Court Orders Act draft bill the first step to mandating that tech companies allow access to their products' encrypted communications?

The Compliance with Court Orders Act of 2016 is a draft bill sponsored by Sens. Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.), who are the chairman and vice chairman of the Senate Intelligence Committee. Under the measure, which was made public on April 13, 2016, a company served with a court order requesting encrypted information would have to either deliver the information in an intelligible format or provide technical assistance to make the information intelligible. The measure's sponsors describe it as a way to prevent "warrant-proof encryption" and ensure that law enforcement can read encrypted communications when they have a warrant.

The senators drafted the decryption legislation in the wake of the government's high-profile battle with Apple over access to an iPhone following the Dec. 2, 2015, mass shooting in San Bernardino, Calif. A federal magistrate judge had ordered Apple to unlock an iPhone that had been taken as evidence in the mass shooting, and Apple resisted. The senators did not cite the Apple incident in announcing the draft legislation but instead referred to other instances of crime in which law enforcement sought to read encrypted communications that had been obtained as evidence.

This encrypted information FAQ is part of SearchCompliance's IT Compliance FAQ series.

What types of companies does the draft legislation apply to?

The Burr-Feinstein draft bill applies to software makers, device makers, electronic communication service providers, remote communication service providers, wire or electronic communication service providers or anyone who provides a product or method to "facilitate a communication" or to process or store data.

Related content
Compliance with Court Orders Act of 2016
Apple and FBI encryption battle likely to continue

Does the draft bill require companies to build "backdoors" into their products for law enforcement to access data?

According to the sponsors of the Compliance with Court Orders Act, the measure does not require "backdoors" in encrypted products because it does not specify any particular technology for accessing the data. A provision in the bill states that nothing "in this Act may be construed to authorize any government officer to require or prohibit any specific design or operating system to be adopted by a covered entity." Critics argue, however, that it would not be possible to comply with the measure without building some means of access into encrypted products. Decryption keys would have to be stored either by the company or by the end user, critics maintain.

Related content
Tim Cook says Apple won't create backdoor to unlock shooter's iPhone
Senate bill seeks "backdoor" access to devices with encrypted information

Who supports the Compliance with Court Orders Act?

Several law enforcement organizations and officers have been vocal in their support of the draft bill released by Sens. Burr and Feinstein. The FBI Agents Association, National District Attorneys Association (NDAA), International Association of Chiefs of Police (IACP), Major Cities Chiefs Police Association, and Major County Sheriffs' Association publicly expressed their approval of the measure. Several prominent individuals, including Cyrus R. Vance, Jr., the district attorney of New York County, and William J. Bratton, the New York City Police commissioner, also expressed their support.

The legislation is necessary to ensure that law enforcement can access lawfully obtained digital evidence that is becoming increasingly integral to investigations, according to the NDAA and the IACP. These organizations maintain that without this type of legislation, companies like Apple get to decide the balance between the security of customer data and the security of communities.

Related content
District attorneys, police chiefs support Burr-Feinstein encryption legislation
Senators drafting anti-encryption bill briefed by FBI

Who opposes the Compliance with Court Orders Act?

Numerous privacy rights organizations, civil liberties groups, academics and technology companies oppose the Burr-Feinstein measure. They maintain that the draft bill would require companies to weaken device security and threaten customers' privacy. They also warn that eliminating a court order recipient's ability to appeal the order would eliminate a basic due process right.

In comments submitted to the Senate Intelligence Committee, the Consumer Technology Association (formerly called the Consumer Electronics Association) warned that the access mandated by the draft bill could be exploited by terrorists. "If a special key is created for law enforcement, it wouldn't be used only by the good guys under limited circumstances," CTA wrote. "Rather, that key inevitably would be discovered by others, potentially giving countries such as China and Russia an entry point to our phones and the sensitive information stored on them."

A coalition of more than 30 organizations -- including the American Library Association, American-Arab Anti-Discrimination Committee, Center for Democracy & Technology, Committee to Protect Journalists and the Electronic Frontier Foundation -- called on President Obama to specifically oppose the draft legislation. The coalition maintains that the bill "would threaten the safety of billions of internet users, including journalists, activists, and ordinary people exercising their right to free expression, as well as critical infrastructure systems and government databases."

Related content
Electronic Frontier Foundation: Burr, Feinstein proposal is anti-security
Draft encryption bill called "ludicrous" and "dangerous"

What are the Compliance with Court Orders Act's prospects?

Since its public release, the Compliance with Court Orders Act has drawn criticism from a wide array of public advocacy organizations, industry associations, academics and civil liberties groups. It has not won the support of the White House or open endorsements by members of Congress other than its sponsors. In light of its highly controversial nature, the measure is unlikely to be formally introduced in its current form. Contentious legislation is particularly difficult to push forward in an election year, when only non-controversial and must-pass measures typically are able to get through.

The Compliance with Court Orders Act will likely be an ongoing battle on Capitol Hill as legislators try to balance privacy protection and law enforcement's access to encrypted communications. The issues raised in the draft bill are almost certain to re-emerge another day, in another form. It isn't uncommon for even less complicated legislation to take repeated efforts throughout multiple sessions of Congress to gain sufficient support.

Related content
President Obama backs away from proposal to grant law enforcement access to encrypted information
Despite Apple hype, support for encryption bill falters

This was last published in June 2016

3 comments


Ideal? No. Necessary? Yes, until we figure out a better solution.

With a properly executed search warrant, signed by a judge and all that, it's the only option available to fight industry stonewalling. I know it's an unpleasant thought to many, and I'm as concerned about my privacy as most everyone else here, but there are folks out there who are plotting to kill us. We need some way to hear their plans before they succeed.

What do you think of the Compliance with Court Orders Act requirement that tech companies grant law enforcement access to encrypted communications?

I agree that something needs to be done to access criminals' communications in the digital age, but we need to be careful when drafting the legislation: it is a slippery slope where many people's privacy could be threatened due to the criminal actions of a few. Also where do we draw the line between what encrypted communications can be accessed and what is off limits? Is it the severity of the crime? Who determines what types of crimes fall under this umbrella?
It's also important to remember that granting law enforcement access to these communications could also create more information risk -- especially if the "bad guys" figure out how to access the technologies through these newly-created back doors and exploit the information down the road.
