FAQ: Will draft bill mandate access to encrypted information?

Is the Compliance with Court Orders Act draft bill the first step to mandating that tech companies allow access to their products' encrypted communications?

The Compliance with Court Orders Act of 2016 is a draft bill sponsored by Sens. Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.), who are the chairman and vice chairman of the Senate Intelligence Committee. Under the measure that was made public on April 13, 2016, if a company is served with a court order requesting encrypted information, it would either have to deliver the information in an intelligible format or provide technical assistance to make the information intelligible. The measure's sponsors describe it as a way to prevent "warrant-proof encryption" and ensure that law enforcement can read encrypted communications when they have a warrant.

The senators drafted the decryption legislation in the wake of the government's high-profile battle with Apple over access to an iPhone following the Dec. 2, 2015, mass shooting in San Bernardino, Calif. A federal magistrate judge had ordered Apple to unlock an iPhone that had been taken as evidence in the mass shooting, and Apple resisted. The senators did not cite the Apple incident in announcing the draft legislation but instead referred to other instances of crime in which law enforcement sought to read encrypted communications that had been obtained as evidence.

This encrypted information FAQ is part of SearchCompliance's IT Compliance FAQ series.

What types of companies does the draft legislation apply to?

The Burr-Feinstein draft bill applies to software makers, device makers, electronic communication service providers, remote communication service providers, wire or electronic communication service providers or anyone who provides a product or method to "facilitate a communication" or to process or store data.

Does the draft bill require companies to build "backdoors" into their products for law enforcement to access data?

According to the sponsors of the Compliance with Court Orders Act, the measure does not require "backdoors" in encrypted products because it does not specify any particular technology for accessing the data. A provision in the bill states that nothing "in this Act may be construed to authorize any government officer to require or prohibit any specific design or operating system to be adopted by a covered entity." Critics argue, however, that it would not be possible to comply with the measure without building some means of access into encrypted products. Decryption keys would have to be stored either by the company or by the end user, critics maintain.

Who supports the Compliance with Court Orders Act?

Several law enforcement organizations and officers have been vocal in their support of the draft bill released by Sens. Burr and Feinstein. The FBI Agents Association, National District Attorneys Association (NDAA), International Association of Chiefs of Police (IACP), Major Cities Chiefs Police Association, and Major County Sheriffs' Association publicly expressed their approval of the measure. Several prominent individuals, including Cyrus R. Vance, Jr., the district attorney of New York County, and William J. Bratton, the New York City Police commissioner, also expressed their support.

The legislation is necessary to ensure that law enforcement can access lawfully obtained digital evidence that is becoming increasingly integral to investigations, according to the NDAA and the IACP. These organizations maintain that without this type of legislation, companies like Apple get to decide the balance between the security of customer data and the security of communities.

Who opposes the Compliance with Court Orders Act?

Numerous privacy rights organizations, civil liberties groups, academics and technology companies oppose the Burr-Feinstein measure. They maintain that the draft bill would require companies to weaken device security and threaten customers' privacy. They also warn that eliminating a court order recipient's ability to appeal the order would eliminate a basic due process right.

In comments submitted to the Senate Intelligence Committee, the Consumer Technology Association (formerly called the Consumer Electronics Association) warned that the access mandated by the draft bill could be exploited by terrorists. "If a special key is created for law enforcement, it wouldn't be used only by the good guys under limited circumstances," CTA wrote. "Rather, that key inevitably would be discovered by others, potentially giving countries such as China and Russia an entry point to our phones and the sensitive information stored on them."

A coalition of more than 30 organizations -- including the American Library Association, American-Arab Anti-Discrimination Committee, Center for Democracy & Technology, Committee to Protect Journalists and the Electronic Frontier Foundation -- called on President Obama to specifically oppose the draft legislation. The coalition maintains that the bill "would threaten the safety of billions of internet users, including journalists, activists, and ordinary people exercising their right to free expression, as well as critical infrastructure systems and government databases."

What are the Compliance with Court Orders Act's prospects?

Since its public release, the Compliance with Court Orders Act has drawn criticism from a wide array of public advocacy organizations, industry associations, academics and civil liberties groups. It has not won the support of the White House or open endorsements by members of Congress other than its sponsors. In light of its highly controversial nature, the measure is unlikely to be formally introduced in its current form. Contentious legislation is particularly difficult to push forward in an election year, when only non-controversial and must-pass measures typically are able to get through.

The Compliance with Court Orders Act will likely be an ongoing battle on Capitol Hill as legislators try to balance privacy protection and law enforcement's access to encrypted communications. The issues raised in the draft bill are almost certain to re-emerge another day, in another form. It isn't uncommon for even less complicated legislation to take repeated efforts throughout multiple sessions of Congress to gain sufficient support.
