Cybersecurity & Tech Surveillance & Privacy

What If Feinstein-Burr Passes?

Paul Rosenzweig
Monday, April 18, 2016, 9:19 AM

I want to engage in a thought experiment or, if you prefer, a wargame exercise. I want to look at what will likely happen in the days, weeks and months after Feinstein-Burr passes.

Published by The Lawfare Institute
in Cooperation With

I want to engage in a thought experiment or, if you prefer, a wargame exercise. I want to look at what will likely happen in the days, weeks and months after Feinstein-Burr passes.

Feinstein-Burr, of course, is the recently introduced bill that would require all remote computing service providers who use encryption to enable a method of decryption. It will apply, by its terms, to all devices and systems manufactured, sold, or used in the United States.

So, let’s assume the premise of the bill as a legitimate government objective – in other words, let’s not debate the wisdom of the choice, but rather accept as a reasonable objective the goal of preventing the domestic use of strong encryption by Americans or others present in the United States.

How well will that work?

Not very well at all, I think – and to make it work we’d have to engage in some pretty aggressive enforcement activities that, candidly, I think are politically suspect and practically beyond the realm of realistic possibility.

To begin with Feinstein-Burr would seem to apply only to domestically manufactured or marketed devices and systems (or, perhaps more broadly, to devices and systems manufactured anywhere in the world by those who have a corporate presence in the US).

But that is by no means the entire corpus of those who produce encryption products. Earlier this year the Berkman Center published a report written by Bruce Schneier (along with Kathleen Seidel and Saranya Vijayakumar), which found that there were 865 encryption products from 55 different countries on the market with 546 of those from outside the US. Of course, given the way the market is growing, I suspect the number is greater today. But taking that data as still reasonably accurate there are plenty of non-American encryption products available. And they would, of course, be lawfully used by people outside of the US, consistent with non-US law. We are not purporting to prevent Germans, for example, from using a German encryption product even if it doesn’t have an extraordinary access option – and if we did, our efforts would be derided (rightly) as nonsensical.

So what about Americans who wanted to purchase these products? Well, in a global market, at a first cut, they would be readily available. It is, for example, trivially easy to download the Telegram messenger app from the Google store. I am reasonably sure that Feinstein-Burr will be read to prohibit Google (an American company) from continuing to offer Telegram in the store … but that only means that you would have to download Telegram directly from their off-shore website (or any one of a 1000 mirror sites). Telegram is headquartered in Berlin and has, as far as I know, no American presence at all. So it is not subject to Feinstein-Burr and even if it were, it would not be subject to the compulsion of American courts since it lacks a US presence.

That’s the first counter-move in a post Feinstein-Burr world – our motivated encryptor simply downloads a non-American encryption program without the mandated Feinstein-Burr backdoor.

What next? How would the US respond to this prospect?

Well, in a recent forum the US Attorney for the Eastern District of Michigan, Barbara McQuade, offered this response: “I think it would be reasonable to ban the import of open-source encryption software." As a practical matter that is, of course, the most likely government response – since it can’t stop Telegram (and the 545 other foreign encryption products) from being created, the only way to stop them from being used in the United States is to ban their importation. That’s the next obvious counter-move by pro-Feinstein-Burr advocates in the chess game of encryption access.

It seems to me, however, that there are a number of objections to that plan – the most notable of which is that it probably violates the US Constitution. Granted, the precedent is a bit old, and comes from the Ninth Circuit, but nonetheless, there is a good basis for thinking that such a ban would violate the First Amendment. In Bernstein v. Department of Justice, the government tried to stop Bernstein from publishing his encryption algorithm. In that case they said it violated export law (rather than a hypothetical import law). But the 9th Circuit rejected that ban and ruled that software source code was speech protected by the First Amendment and any regulations preventing publication would be unconstitutional. Of course, the cases are different – the export case is about the right to publish and the import case is about the right to read what has been published outside the US – but the similarities are strong.

So … the governments counter to the counter-move has constitutional problems. But let’s put that aside – let’s assume for a minute that we find some answer to the constitutional objection. What next? How, exactly, would an import ban be implemented?

Poorly, I think, if at all. After all the encryption product is just code, streamed across the network. It doesn’t have a physical manifestation. Unlike, say, a knock-off Gucci bag that can be blockaded at the port of entry, there is no “port” where we can readily interdict the importation of code. And anyone outside the US publishing such code would not be covered by US regulations, so they couldn't be blocked from doing anything by a US court.

That leaves, as far as I can tell, two possibilities. The first is some form of virtual interdiction. In other words, to implement an "import" ban would require the operation a system akin to the Great Chinese Firewall – a filter that scanned the global internet and implemented a blocking protocol to prevent anyone from the US finding that code. Even if that sort of large-scale surveillance were to pass constitutional muster it strikes me as both technically and politically beyond contemplation. Are Americans going to allow the US government to monitor inbound content? And given the breadth of internet access in the US, could it really be done effectively? I think the answer to both questions is likely “no.”

And that leaves us with one other option – prohibition. If we can’t realistically stop the importation of encryption products, the only plausible implementation step left as a counter-move is to prohibit the possession of the non-conforming product. This might be done civilly (in the same rough manner as we prohibit the possession of devices and items that violate intellectual property laws) or it could be done criminally (as we do with drugs). So it seems to me that if we are serious about Feinstein-Burr and want to counter the determined encryptor we are going to have to move to a system of software regulation and prohibition – the ban can’t work any other way.

And what happens after that?

Well, I can see a number of possibilities as counter-counter-moves by the determined encryptor in our wargame. First, of course, our determined encryptor might just ignore the prohibition. It is unlikely that there will be random audits or such, so the crime of illegal encryption possession will, in the end, likely be an add-on charge to substantive offenses such as drug trafficking (or perhaps a substitute if the encryption prevents prosecution).

Second, of course, would be to move much data storage off-shore. Malicious actors would have other options for encrypted communication applications if they chose. By driving actors away from American products and systems we might have the perverse effect of driving internet traffic and technology companies offshore, depriving our analysts of valuable metadata information. In other words, for the truly malevolent actors we might actually hurt our investigative capabilities.

And we would likely see the same effect in communications, rather than storage. Encryptors would be diverted to other means of communication, like Sony PlayStation and Microsoft XBOX. Resource constraints make it unlikely that the government has the ability, however, to actively monitor the plethora of channels used by the hundreds of millions owners of each video game console.

So there you have it. To summarize it seems to me that:

  • Encryption technology is global;
  • To enforce Feinstein-Burr domestically we will either need to run a firewall to prohibit importation of non-conforming encryption technology OR prohibit (civilly or criminally) the illegal possession of such technology; and
  • Success (as unlikely as it is) in that endeavor would divert determined encryptors to other means of storage and communication which would be systematically less transparent to law enforcement than the current status quo.

[DISCLOSURE NOTE: As many readers know, I do consulting work for many tech companies, including providing advice on the encryption debate. Though I have no open engagements on the issue, it is the case that almost all of them have an interest in this issue and they are likely to oppose the Feinstein-Burr bill. The opinions expressed here, however, are my own.]

Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company and a Senior Advisor to The Chertoff Group. Mr. Rosenzweig formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Professorial Lecturer in Law at George Washington University, a Senior Fellow in the Tech, Law & Security program at American University, and a Board Member of the Journal of National Security Law and Policy.

Subscribe to Lawfare