Richard Burr’s Encryption (AKA Cuckoo) Bill, Working Thread

A version of Richard Burr and Dianne Feinstein’s ill-considered encryption bill has been released here. They’re calling it the “Compliance with Court Orders Act of 2016,” but I think I’ll refer to it as the Cuckoo bill. This will be a working thread.

(2) Note the bill starts by suggesting economic prosperity relies on breaking encryption. There are many reasons that’s not true, most obviously that it will put US products at a disadvantage in other countries.

(2) Note this only applies to “providers of communications services and products (including software).” Does it apply to financial companies? Because they’re encrypting data between themselves that should be accessible to law enforcement. Does it apply to car companies? IoT companies?

(2) Note they mention “judicial order” and “court order” here. It’s clear (and becomes clearer later) that this includes orders that aren’t warrants, so FISA orders. Which suggests they’re having a problem with encryption under FISA too.

(3) The Cuckoo Bill builds in compensation. That’s one way companies could fight this: to make sure it would take a lot to render data intelligible.

(4) I suspect this license language would expand to do scary things with other “licensing” products.

(4) Note that they’ve expanded the definition of metadata to include “switching, processing, and transmitting” data. I bet that has already been done in secret somewhere.

(5) The language on destination and switching suggests they’re trying to include location data in metadata.

(6) Note the “order or warrant” language.

(6) The covered entity might include banks and cars, though not obviously so.

(8) An odd use of “original form” in the definition of “decrypted.”

(9) Wow, they even want to require entities to have to provide decrypted data in motion.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

    • jerryy says:

      Keep in mind the discussions at the national news level have been dominated by the chorus of ‘omg, we are all going to die if this privacy stuff is not gotten rid of…’. Not many folks are really buying the claims, which is why the national news level folks have to keep coming up with louder versions of ‘omg, we are all going to die if …’.

      The general public does understand quite well, especially once someone with a technical background takes some time to let them know what secret crap folks like Burr and Feinstein are trying to pull.

      The public keeps stopping the crap when they know about it, ex. net neutrality, CISA, SOPA, etc., but those in law-making positions keep trying to sneak it in. Until people are elected that will finally stop trying to sneak crap like this into law, folks like Marcy have to keep bringing up the stuff.

  1. SpaceLifeForm says:

    Insane, just insane.

    Note that the proposed BS^W bill is self-contradictory. Of course, those contradictions will get removed during house-senate negotiations, and the remaining clueless congress-critters will vote Yea later after never reading again what they are voting on. Why bother to read what you are voting on? Time is short, they have their handlers^W campaign contributors to meet.

    See Patriot Act. That is what they learned in kindergarten.
    http://www.rense.com/general17/at.htm

  2. TomVet says:

    Talk about unintended consequences, I see a huge one that will surely come back to give them a large bite in the ass.

    On page 8, lines 10-14, there is this:

        10 (B) the information or data has been
        11 encrypted, enciphered, encoded, modulated, or
        12 obfuscated and then decrypted, deciphered, decoded, demodulated, or deobfuscated to its
        14 original form.

    This seems to indicate that not only encryption, but redaction also must be reversible. So when this law goes into effect and gov docs start coming out under FOIA with these new rules, someone is very quickly going to make a tool to do just that. Because of course this law applies to the government as well, right?

    Won’t that be fun? I’ll be able to hear the screaming from the Capitol all the way out here in Idaho.

  3. Synoia says:

    How to defeat Burr-Feinstein.

    1. Install PfSense or IPCop as your router SoHo control software, on both called and calling sides of the conversation. Both PfSense and IPCop can control outgoing connections, and provide activity logs of connections (port number and IP address).
    2. Buy a sim card based cell smart phone with wifi.
    3. Do not install the sim card (defeats stingray).
    4. Obtain phone software which uses the TOR network.
    5. Code a special TOR exit gateway to connect two phone IP connections together. This is the outbound call setup server.
    6. Obtain the IP address of the cell phone you want to call. This could be provided by a directory server, and an agent on all subscribing cell phones, that matches public key and IP address to a cell phone number.
    7. Use a calling phone TOR client, to be written, to call the IP address of the called cell phone, and encrypt the conversation with the public key of the called cell phone.
    8. Include in the calling and called phone client a second IP connection to carry copies of traffic to the local NSA listening post.
    9. Configure the SoHo router, for both calling and called parties, to block all outbound connections except TOR.
    10. Call away.

    The use of the cell phone is possibly breaking the law. The software provider and cell manufacturer are complying with the law.

    The message: People desiring total privacy can circumvent the law faster than the law can be written. The general public can be spied upon.

    Which raises a question: What is the real intent of this law? It enables spying on ordinary people, but not others being careful.

  4. Synoia says:

    “Wow, they even want to require entities to have to provide decrypted data in motion”

    Your encrypted information flows on one IP connection to your Bank, and the same information, unencrypted, flows to the NSA (or others)?

    That appears secure.
