The U.S. Congress has a draft of a bill that would require companies to fetch information from a device when requested by a court. A consequence of this is that many types of security technology would become illegal for any company subject to U.S. jurisdiction.

My question is, would this make open source software that uses encryption illegal?

  • In particular, could open source developers be sued?
  • Can a company that contributes to open source software be sued?
  • If a company distributes open source software, can they be sued (such as the owners of gnupg.org or github.com (note that difference between the two))?
  • If a phone maker puts open source encryption software in it, can they be sued?
  • If a user installs open source encryption software on a phone, can the phone maker be sued?
    • What if they downloaded it from a software center provided by the phone maker?

I am specifically talking about the types of encryption that could lead a company to be sued.

Note: I think I may be using the word "sue" incorrectly. Feel free to edit this question in order to make more sense legally.

Christopher King
  • Though the question is well-received here, if you don't get the kinds of in-depth analysis you're looking for here, you can flag the question to request that a mod move it to Open Source.SE where there's a more specific community of experts on this specific topic. – WBT Apr 09 '16 at 21:27
  • @WBT The trick was to scare the living semicolons out of /r/Programming. – Christopher King Apr 10 '16 at 03:06
  • @PyRulez Living semicolons could be a scary thing. Do a lot of programmers wind up having partial colonotomies? ;-) – WBT Apr 10 '16 at 04:13
  • Could you argue that once a piece of software is made open source it becomes 'of the world' and not subject to american jurisdiction? IANAL obviously, but a real world example is getting convicted because someone got stabbed by someone else using a knife you once threw away. – RichardAtHome Apr 09 '16 at 19:26
  • Seriously? No. If the law says "making X is illegal", publishing it or giving it away hardly changes the fact that you did make the illegal thing. – nobody Apr 09 '16 at 19:58
  • You could argue it. You would lose. – PJB Apr 09 '16 at 21:32
  • No, that 'of the world' argument definitely, under no circumstances, applies.

    Although on that note, jurisdiction is important: if you are an Australian software developer writing code in Australia and hosting it on an Australian server, then US law definitely does apply..

    In some extreme cases the United States government will use extremely immoral tactics to get their man (see the guys from 'the pirate bay'; the judge presiding over the case may or may not have been paid a lot of money by American lawyers to pretend that US law applies in Sweden).

    – Damian Nikodem Apr 10 '16 at 02:23
  • It would depend on the final wording of the bill, but I imagine so. Uploading a photo album that includes some child porn doesn't become legal if the illegal pictures were taken by a third party. – mire Apr 10 '16 at 13:22

3 Answers

19

Section 4, Definition 4 Covered Entity, emphasis added:

The term "covered entity" means a device manufacturer, a software manufacturer, an electronic communication service, a remote computing service, a provider of wire or electronic communication service, a provider of a remote computing service, or any person who provides a product or method to facilitate a communication or the processing or storage of data.

This definition seems extremely broad, and could be stretched to cover an answerer on Stack Overflow whose answer provided a method facilitating data processing, storage, or communication (which covers most software methods). So let's then look at what can be required of a covered entity:

Section 3(a)(1), Requirement:

... a covered entity that receives a court order from a government for information or data shall provide such information or data to such government in an intelligible format or provide technical assistance as is necessary to obtain such information or data in an intelligible format or to achieve the purpose of the court order.

Subsection 2 limits the scope so that a covered entity only has to provide data if the data was "made unintelligible by a feature, product, or service owned, controlled, created, or provided by the covered entity or by a third party on behalf of the covered entity."

However, courts cannot effectively require people to do the impossible; if a programmer wrote a method that was used in an encrypted communication service that does not mean the programmer, lacking the encryption key, will be forced to break what they believe to be unbreakable encryption.

The key here is in section 3(c), emphasis added:

A provider of remote computing service or electronic communication service to the public that distributes licenses for products, services, applications, or software of or by a covered entity shall ensure that any such products, services, applications, or software distributed by such person be capable of complying with subsection (a).

So if this bill were to become law, it would be the service provider who's responsible for making sure the government can get the intelligible information. The government could require e.g. the author of the encryption function, even if that person's not part of the service provider, to help break the encryption, but the responsibility for ensuring data accessibility lies with the service provider.

The definition of service provider seems absent from at least what I can see of this bill, but it seems that a company selling a communications service to customers would very likely qualify, and a person/company who posted an answer on SO that was then picked up and integrated into something someone else distributed as part of a service, very likely would not.

WBT
  • "However, courts cannot effectively require people to do the impossible" – but does this matter if the programmer is required to write a back door beforehand (essentially)? See Sec 3(c). – IronManMark20 Apr 09 '16 at 18:27
  • The service provider is the one who's responsible for making sure the back door is there. This legal requirement does not, by itself, guarantee that the service provider will comply. – WBT Apr 09 '16 at 18:30
  • We cannot prove that a message is unencrypted. A message may contain stenography or be opaque to the operators. This would also require them to identify and block stenographic data where possible.

    Suppose I were to provide a service which distributed random numbers (like random.org does) and stenographic payloads. The court might first issue a warrant to inspect my software to identify opaque messages being transmitted in this service. Then they might compel me under the act to either scramble (block) or reveal the stenography.

    – Karl the Pagan Apr 09 '16 at 18:40
  • @KarlthePagan Discussion about the government having to make the case data is "unintelligible" under this bill is here. – WBT Apr 09 '16 at 18:43
  • @KarlthePagan: Picky correction, but I think you're looking for steganography, not stenography. – Soren Bjornstad Apr 09 '16 at 19:22
  • If the service provider is responsible, what happens if it's a really generic service like AWS? It's possible for users of that service to put crypto on their servers, with no back doors, right? If those users are not themselves service providers (i.e. they are individuals running private servers, or something like that), how does the law apply? – Kevin Apr 10 '16 at 06:35
  • @Kevin I was going to ask that next. – Christopher King Apr 10 '16 at 11:58
  • @Kevin & PyRulez AWS would have to provide access through AWS-provided encryption. With any communication or remote computing service, there is the possibility the user might add additional layers of encryption or obfuscation. When they're layered, there may be multiple service providers responsible for making sure there are backdoors to access data through each layer. It gets more interesting when there is not a service provider associated with a given layer (but since the definition of service provider is a bit vague here, getting into that is farther into the realm of speculation). – WBT Apr 10 '16 at 14:21
  • Wait a second! In "shall provide such information or data to such government in an intelligible format or provide technical assistance as is necessary to obtain such information or data in an intelligible format or to achieve the purpose of the court order", according to this statement nobody is forced to provide anything by court order. You can always satisfy the clause by the second disjunct. And if your encryption is 100% foolproof, the only assistance you can give is to provide a brute-forcing program... – Bakuriu Apr 10 '16 at 15:05
  • @Bakuriu you may recall that in FBI vs. Apple, FBI was asking for even less than a brute-forcing program: just a circumvention around the feature that destroys data in response to a detected brute-force attack (a feature which itself makes denial-of-service goal attacks easier). The second part of that "or" actually seems more concerning because it's more of a blank check for what the orders can command. – WBT Apr 10 '16 at 17:49
  • @WBT But if I'm not mistaken in the Apple case it was a PIN that they had to brute force, not the password for decryption. In any case if you are encrypting you should make sure that the password is strong enough to resist an offline brute force attack. – Bakuriu Apr 10 '16 at 18:03
  • @Bakuriu Apparently Apple chose to balance password complexity with usability on the side of a shorter, easier-to-input password to make normal use cases relatively easy, with a data-self-destruct feature as a primary defense mechanism against offline attacks. That's getting a bit off-topic for this answer though (from "in any case if you are encrypting..."); relevant questions/answers might be found/started at Information Security.SE. – WBT Apr 10 '16 at 18:13
3

There is good hope that this draft will never be turned into a law, if you read headlines like this one on The Register: "Read America's insane draft crypto- Understandable – it's more stupid than expected"

Creating the encryption is perfectly legal. You might be asked to help recover encrypted data. There is no mention of cost; I doubt that you could be asked to provide your services for free.

You are presumably an expert on creating encryption. You are presumably not at all an expert on cracking encryption. I would reasonably expect you to provide assistance by providing the complete source code for the encryption, which you had to do anyway, because the GPL requires you to do so. (Except with the GPL, you have the choice between providing the source or committing copyright infringement, and here you have the choice between providing the source and infringing on this proposed law.)

gnasher729
  • Hope you're right! Still, "insane" laws have passed by Congress before... – Baard Kopperud Apr 10 '16 at 10:49
  • There is mention of cost and that reimbursement would be provided. – WBT Apr 10 '16 at 14:08
  • "You are presumably an expert on creating encryption. You are presumably not at all an expert on cracking encryption." You can't be an expert on creating cryptographic systems without knowing how they can be broken. – Rhymoid Apr 10 '16 at 18:33
  • Of course you can. Actually, if you create a cryptographic system and you know how it can be broken, your cryptographic system is rubbish and should never, ever be let loose on the public. – gnasher729 Apr 10 '16 at 21:07
  • @gnasher729 if a cryptographic system hasn't withstood humanity's strongest attacks on it, it's worthless. If you don't even know how to begin attacking it, it's probably worthless. If you don't know how to attack cryptographic systems, any attempt from you to make a cryptographic system will probably result in garbage that falls apart the moment someone seriously picks at it. – user253751 Apr 17 '23 at 11:21
0

The argument can be made (and has already been made) that open source development is speech, and therefore protected by the first amendment.

Secondly, since encryption can be used for personal protection, the use of encryption software can be assimilated to the "bearing of arms", and is therefore protected by the second amendment. Any attempt at making encryption illegal would itself be unconstitutional.

Flavien
  • So would you also be arguing that no law can place any restrictions whatsoever on gun ownership (even by terrorists, violent murderers, etc.) or speech (even defamatory, riot-inciting, etc.)? – WBT Apr 10 '16 at 02:02
  • (1) If you scream out the nuclear codes, the first amendment isn't going to protect you. If this bill becomes law, something similar may apply (hence the reason for this question). (2) Encryption hasn't been considered arms in the eyes of the law for a while, because this leads to many other unintended side effects (i.e. interstate or international movement of encryption algorithms becomes arms sales). – David says Reinstate Monica Apr 10 '16 at 02:16
  • @DavidGrinberg Strong cryptography does sometimes get formally classified as a munition and is covered by some arms control rules, especially for international movements. – WBT Apr 10 '16 at 04:31
  • @DavidGrinberg Also, the nuclear launch codes were 00000000 for many years during the Cold War. So there, I said it, even in bold, and I don't expect that'll be troublesome (mostly because the code isn't current). – WBT Apr 10 '16 at 04:38
  • @WBT I am not saying restrictions cannot be placed on the use of guns and encryption; I am saying outright outlawing them would be unconstitutional. – Flavien Apr 10 '16 at 10:35
  • @DavidGrinberg Screaming nuclear codes would fall under the exception to the first amendment for "speech owned by others". Source code doesn't fall under any established exception. – Flavien Apr 10 '16 at 10:41
  • The probability of the Supreme Court creating or recognizing a new category of unprotected speech is very, very low. In 2009, in United States v. Stevens, the Supreme Court explicitly rejected (8 to 1) the theory that new categories of speech could be excluded from First Amendment protection without a long history of restricting that type of speech. The test for whether a category of speech is outside 1A protection is whether it has been historically considered unprotected. Speech subject to First Amendment protection may not be restricted on the grounds that its social costs exceed its value. – David Schwartz Apr 10 '16 at 19:02
  • @WBT Encryption hasn't been subject to ITAR since the 1990s. It has some export restrictions under the Department of Commerce's Export Administration Regulations (EAR), but not under the (far more strict) International Traffic in Arms Regulations (ITAR) of the Department of State. Exporting ITAR stuff is a pain in the neck (literally, your neck will get stiff just from sitting there reading the regs and required paperwork - then DDTC will deny the license anyway). Exporting EAR stuff usually isn't so bad. – reirab Apr 10 '16 at 21:49
  • @WBT Some cryptography can be actually classified, but generally only if the IP is actually owned by the government (i.e. it was created by the government itself or under government contract.) In this case, it's not only illegal to export it, but to disseminate it to anyone who doesn't have both a security clearance and a need to know (just as with any other classified information.) – reirab Apr 10 '16 at 21:57