Today, legislators from the House and Senate published the text of a new bill that would require smartphone manufacturers to decrypt data in response to law enforcement demands. Introduced by Senators Dianne Feinstein (D-CA) and Richard Burr (R-NC), the bill does not establish any new civil or criminal penalties for companies unable to comply, simply stating companies "must provide in a timely manner responsive, intelligible information or data, or appropriate technical assistance to obtain such information."
While the bill doesn't name any company specifically, it comes on the heels of Apple's high-profile court fight with the FBI, which saw the company resisting demands to break lockscreen security measures on a phone linked to the San Bernardino attack. Apple CEO Tim Cook told employees the government's request would "undermine the very freedoms and liberty our government is meant to protect."
If the bill becomes law, Apple and other companies will have a much harder time resisting similar legal demands. Essentially any hard encryption — that is, encryption that cannot be broken by the company providing it — would be in violation of the proposed measures, presenting a massive problem for a broad range of tech companies. Still, the bill may face an uphill political battle. President Obama has declined to support the bill, according to a Reuters report yesterday, and a similar anti-encryption measure failed to pass Congress in 2014 after the president withdrew his support.
So far, the reaction from security experts has been uniformly negative, with many concerned that the bill's language was so broad as to target ancillary forms of encryption covering web traffic or credit card data, far beyond its intended scope. "How secure can your encryption be," asked Johns Hopkins professor Matthew Green, "when any court in the land, including Indian tribes, can send you a piece of paper asking to undo it?"
Correction 2:44PM ET: A previous version of this piece stated that the bill had been introduced into Congress, which is incorrect. Rather, the text of the bill became available for the first time. The Verge regrets the error.