Solution providers and security experts say they are worried a new bill designed to give law enforcement "backdoor" access into encryption technologies will seriously hurt their businesses -- especially if they are called upon to open the backdoors themselves.
The bill, proposed Wednesday by Sens. Richard Burr, R-N.C., and Dianne Feinstein, D-Calif., under the name Compliance With Court Orders Act of 2016, says that "no person or entity is above the law," and therefore all data security solutions must comply with legal regulations and court orders, even if it means building in backdoor access.
The bill covers all "providers of communications services and products," which could include manufacturers of devices, software, remote computing services, wire or electronic communication services, or "any person who provides a product or method to facilitate a communication or the processing or storage of data."
[Related: Report: Optiv Security To Seek IPO In Coming Months]
For partners, the critical element is the bill's impact on license distributors, which it defines as "a provider of remote computing service or electronic communication service to the public that distributes licenses for products, services, applications, or software," will have to ensure that those distributed products meet the requirements for law enforcement access.
Jamie Murdock, chief information security officer at Binary Defense Systems, a Hudson, Ohio-based managed security service provider, said these types of requirements would be "challenging for our business," especially since the company offers its own endpoint detection product with secure communication capabilities.
"The implications to us could mean that we could have to allow access into this system, as well as the software that runs on thousands of individual endpoints," Murdock said. "This could mean our company may have to provide access to the monitoring that we do for our customers.
There are other caveats to this, such as only needing to do this if the data has been made 'unintelligible.' " While his company is bound to abiding by U.S. law and supports law enforcement efforts, Murdock said, his top priority is the security of his clients' environments.
This bill would harm client information security, he said. "As [a managed security service provider], security of our clients is our main focus -- that’s why we’re here and do what we do.
This is something we are adamant about," Murdock said. "My personal hopes are that this will not pass.
There have been many cases where an individual device, whether physical or application, needed to be accessed for an investigation. … There becomes an issue when the access must be 'baked in.' By doing this, you are asking for malicious actors to exploit this capability." In another development Thursday with a potential impact on industry privacy, Microsoft said it had filed a lawsuit against the U.S. Justice Department, arguing that customers using cloud services should be notified when the government wants to access their data. Microsoft said nearly half of the 5,624 federal demands for data in the past 18 months have said the company couldn't tell its customers about the request.
There are other caveats to this, such as only needing to do this if the data has been made 'unintelligible.' " While his company is bound to abiding by U.S. law and supports law enforcement efforts, Murdock said, his top priority is the security of his clients' environments.
This bill would harm client information security, he said. "As [a managed security service provider], security of our clients is our main focus -- that’s why we’re here and do what we do.
This is something we are adamant about," Murdock said. "My personal hopes are that this will not pass.
There have been many cases where an individual device, whether physical or application, needed to be accessed for an investigation. … There becomes an issue when the access must be 'baked in.' By doing this, you are asking for malicious actors to exploit this capability." In another development Thursday with a potential impact on industry privacy, Microsoft said it had filed a lawsuit against the U.S. Justice Department, arguing that customers using cloud services should be notified when the government wants to access their data. Microsoft said nearly half of the 5,624 federal demands for data in the past 18 months have said the company couldn't tell its customers about the request.
