Future of secure systems in the US

As a rule, I avoid writing publicly on political topics, but I’m making an exception.

In case you haven’t been following it, the senior Republican and the senior Democrat on the Senate Intelligence Committee recently announced a legislative proposal misleadingly called the Compliance with Court Orders Act of 2016.  The full text of the draft can be found here.  It would effectively ban devices and software in the United States that the manufacturer cannot retrieve data from.  Here is a good analysis of the breadth of the proposal and a good analysis of the bill itself.

While complying with court orders might sound great in theory, in practice this means these devices and software will be insecure by design.  While that’s probably reasonably obvious to most normal readers here, don’t just take my word for it, take Bruce Schneier‘s.

In my opinion, policy makers (and it’s not just in the United States) are suffering from a perception gap about security and how technically hard it is to get right.  It seems to me that they are convinced that technologists could just do security “right” while still allowing some level of extraordinary access for law enforcement if they only wanted to.  We’ve tried this before and the story never seems to end well.  This isn’t a complaint from wide eyed radicals that such extraordinary access is morally wrong or inappropriate.  It’s hard core technologists saying it can’t be done.

I don’t know how to get the message across.  Here’s President Obama, in my opinion, completely missing the point when he equates a desire for security with “fetishizing our phones above every other value.”  Here are some very smart people trying very hard to be reasonable about some mythical middle ground.  As Riana Pfefferkorn’s analysis that I linked in the first paragraph discusses, this middle ground doesn’t exist and all the arm waving in the world by policy makers won’t create it.

Coincidentally, this same week, the White House announced a new “Commission on Enhancing National Cybersecurity“.  Cybersecurity is certainly something we could use more of, unfortunately Congress seems to be heading off in the opposite direction and no one from the executive branch has spoken out against it.

Security and privacy are important to many people.  Given the personal and financial importance of data stored in computers (traditional or mobile), users don’t want criminals to get a hold of it.  Companies know this, which is why both Apple IOS and Google Android both encrypt their local file systems by default now.  If a bill anything like what’s been proposed becomes law, users that care about security are going to go elsewhere.  That may end up being non-US companies’ products or US companies may shift operations to localities more friendly to secure design.  Either way, the US tech sector loses.  A more accurate title would have been Technology Jobs Off-Shoring Act of 2016.

EDIT: Fixed a typo.

 

 

Advertisements

2 Responses to “Future of secure systems in the US”


    • 2 skitterman April 16, 2016 at 19:38

      Not quite. It doesn’t mandate a technical solution nor does it mandate key escrow, but the net effect isn’t so different. It’s a horrible bill that won’t do anything to solve the problem it purports to want to solve anyway.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s





%d bloggers like this: