Compliance with Feinstein-Burr Encryption Bill Would Create Untenable Legal Paradox For U.S. Companies

WASHINGTON—The Information Technology and Innovation Foundation (ITIF) released the following statement from Vice President Daniel Castro in response to draft legislation announced today by Sen. Dianne Feinstein (D-CA) and Sen. Richard Burr (R-NC), the Compliance with Court Orders Act of 2016, which would require companies to decrypt their customers’ data upon receiving a court order:

This legislation places an unqualified demand on companies to decrypt their customers’ data upon receiving a court order from law enforcement. While companies should comply with lawful requests, it is simply not possible for a company to do so when the customer controls the only keys used to encrypt the data. For example, the popular messaging app WhatsApp, which provides end-to-end encryption on its platform, would not be able to comply with the legislation, unless it modified its system. Yet, the bill explicitly states that it is not authorizing the government to require or prohibit any specific design changes to software or hardware. In short, this bill sets up a legal paradox that would further muddy the waters about how and when the government can compel the private sector to assist in gaining access to private information.

As ITIF has argued in a recent report, the core policy of the U.S. government should be to improve cybersecurity, not weaken it. But insisting that the government always have a means to decrypt private data would limit innovation in cybersecurity. Going forward, it is important that we have a public debate about how the government should work in partnership with the private sector to address national security threats, prevent and investigate crime, and improve cybersecurity for all. Unfortunately, as drafted, this bill does not achieve these objectives.