Feinstein-Burr

I’m not quite sure why I, a non-lawyer, find I must comment on an opinion on a legal matter authored by a lawyer, but I find I am so compelled. Paul Rosenzweig on Lawfare, commenting on the newly introduced Feinstein-Burr bill, suggests it’ll be unconstitutional and uses the following analogy:

It seems to me, however, that there are a number of objections to that plan – the most notable of which is that it probably violates the US Constitution. Granted, the precedent is a bit old, and comes from the Ninth Circuit, but nonetheless, there is a good basis for thinking that such a ban would violate the First Amendment. In Bernstein v. Department of Justice, the government tried to stop Bernstein from publishing his encryption algorithm. In that case they said it violated export law (rather than a hypothetical import law). But the 9th Circuit rejected that ban and ruled that software source code was speech protected by the First Amendment and any regulations preventing publication would be unconstitutional. Of course, the cases are different – the export case is about the right to publish and the import case is about the right to read what has been published outside the US – but the similarities are strong.

The government objected that Bernstein had violated ITAR regulations regarding export of weapons technology, as the Electronic Frontier Foundation explains here. A closer reading indicates some strong variances, despite Rosenzweig’s assertion, chief of which is the fact that Bernstein wished to publish the algorithm and supporting mathematical analysis, as well as lecture on his work. This is a far cry from the current concern of Feinstein-Burr, which is the actual use of a working product lacking any sort of backdoor or decryption approach. A better comparison would be to suggest that it is lawful to possess plans for a machine gun, while not lawful to possess a working machine gun.

OSS (Open Source Software) is, I believe, protected under the First Amendment, so assuming you’re technically competent, you could download foreign OSS encryption software, compile and use it. Then the onus is on the individual user. But not all software is OSS.

Which is not to say SCOTUS wouldn’t still invalidate this legislation, assuming it becomes law. I just don’t see this analogy as being particularly strong.

Overall, I actually agree with Rosenzweig that this legislation seems impractical. As he says,

To summarize it seems to me that:

  • Encryption technology is global;

  • To enforce Feinstein-Burr domestically we will either need to run a firewall to prohibit importation of non-conforming encryption technology OR prohibit (civilly or criminally) the illegal possession of such technology; and

  • Success (as unlikely as it is) in that endeavor would divert determined encryptors to other means of storage and communication which would be systematically less transparent to law enforcement than the current status quo.

And, of course, a backdoor usable by the government is a backdoor usable by a hacker.

It seems to me that the government needs to consider the encryption question in a strategic rather than tactical manner. NewScientist provided some brief coverage on that particular point in the UK back in January, which I covered here. To summarize, they recommended legislation requiring all databases that are online be encrypted; that encryption be completely legal, with no backdoors. While their particular points may work or not, the real idea here is to consider the big picture and the unintended (but not unforeseeable) consequences of laws that directly address the short-term problems we face; formulation of a strategic approach which may incorporate elements deemed to be counter-intuitive to agencies such as the FBI is certainly a notion I could entertain. But approaching these issues piecemeal may result in a lack of progress, or even steps backward.


About Hue White

Former BBS operator; software engineer; cat lackey.
