by Nuno Menezes
In the wake of recent controversy over access to encrypted data, the Senate Select Committee on Intelligence, Chairman Richard Burr and the Vice Chairman Dianne Feinstein have released the Compliance with Court Orders Act of 2016. This compliance draft legislation is set to reinforce the obligation for all entities to comply with court orders designed to “protect Americans against criminals and terrorists.”
Covered entities include device manufacturers, software manufacturers, electronic communication services, remote communication services, providers of wire or electronic communication services, providers of remote communication services, or any person who provides a product or method to facilitate a communication or to process or store data.
The bill does not create any new collection authorities for the government to obtain communications; however, it does require that covered entities ensure that the government’s lawfully-obtained evidence is readable. In other words, it will require that entities like service providers and device manufacturers be able to access user data.
Chairman Burr declared:
I have long believed that data is too insecure, and feel strongly that consumers have a right to seek solutions that protect their information – which involves strong encryption, I do not believe, however, that those solutions should be above the law. I am hopeful that this draft will start a meaningful and inclusive debate on the role of encryption and its place within the rule of law. Based on initial feedback, I am confident that the discussion has begun. We remain eager to sit down and discuss a way forward with all who are willing to engage constructively on this critically important and challenging issue.
The bill maintains that “no one is above the law.” Court order recipients must comply with the rule of law and providers of communications services and products should protect United States persons’ privacy with strong data security while complying with court orders and other legal requirements.
The Vice Chairman Feinstein commented:
The bill we have drafted would simply provide that, if a court of law issues an order to render technical assistance or provide decrypted data, the company or individual would be required to do so. Today, terrorists and criminals are increasingly using encryption to foil law enforcement efforts, even in the face of a court order. We need strong encryption to protect personal data, but we also need to know when terrorists are plotting to kill Americans.
One provision of the draft that is sure to generate discussion seems to place the onus on certain communication service providers that distribute licenses for a covered entity’s products and services, since they must ensure that these products and services are capable of providing information or data in an intelligible format.
Covered entities will be also responsible for the information or data they have made unintelligible.
This draft also establishes that the government cannot require or prohibit any specific design or operating system for any covered entity to use in complying with a court order.
Burr and the Vice Feinstein will now solicit input from the public and key stakeholders before formally introducing the bill. The Compliance with Court Orders Act of 2016 and all the discussion draft from this legislation can be found here.