微软、Facebook和谷歌联手抵制新加密法案

虽然新法案尚未实施，但几家大科技公司已经敲响警钟，因为新法案可能迫使企业按政府的要求破解智能手机等加密设备。

本周二，代表微软、谷歌、亚马逊、贝宝和Facebook等公司的四个团体起草了一封公开信，收信人是参议院情报委员会主席理查德•伯尔（北卡罗来纳州共和党参议员）和副主席黛安娜•范斯坦（加利福尼亚州民主党参议员）。两人上周公布的新议案草案引起了争议。科技行业团体表示，如果实施，新法案会导致“政府强制的安全漏洞”，本质上就是要求科技公司为政府开发破解软件。

就在新加密法案宣布前，苹果公司上个月刚刚跟联邦调查局进行了一次激烈对抗，双方争执的焦点是执法部门要求苹果解锁圣伯纳迪诺枪击案嫌疑人赛义德•瑞兹万•法鲁克使用的iPhone，而苹果坚决拒绝。后来FBI得到第三方的帮助，与苹果的论战遂被搁置一旁。但关于能否强迫科技公司帮助破解用户设备获取加密信息的争论并未停息。

苹果的最新透明度报告显示，去年在多数情况下确实都为执法部门提供了帮助。11%的情况下苹果拒绝了政府的要求，但在80%的情况下都提供了相应数据。科技公司指出，新法案的不同之处在于可以迫使软件工程师削弱安全系统，变得更容易破解，因为该法案规定在刑事案件中，如果科技公司拒不破解相关设备上的模糊加密数据，则可视为违法。

路透社报道，按照这项法案，在涉及死亡、重伤、毒品、对儿童犯罪以及外国情报部门活动的刑事案件中，企业有责任按法院的要求交出加密数据。

上周提出草案后，伯尔和范斯坦目前正在征询意见，随后将正式提交参议院审议。

以下是公开信的内容：

亲爱的伯尔主席和范斯坦副主席：

我们写这封信的目的是为了表达我们对加密相关政策的深切关注。政策的初衷很好，但行不通。如果新法案得以施行，我们亟需的防护手段会遭到削弱，无法再抵抗那些意图造成经济损失和人身伤害的人。我们相信，对美国乃至全世界的IT基础设施安全来说，避免出现因政府强制执行而出现的安全漏洞很关键。

我们的成员公司都是通过创新推动数字经济获得成功并保持增长，我们都认同用户的人身安全及其最私密信息的安全需要保护。为了同时服务两方面，我们会遵循两项基本原则。首先，司法程序要求时我们会立刻响应，对政府部门在数据方面的紧急要求也会迅速处理。其次，我们的系统和产品设计包含了许多基于网络和设备的特性，包括但不限于强大的加密功能。加密的目的是保证用户的数字安全不会受到罪犯以及政府的威胁。

任何强制性破解要求，比如你们在此项法案的征求意见稿中授权的行为，都会带来意料之外的结果。面对这样的要求，企业将被迫把政府获取数据放在其他考量因素之上，包括数字安全。由此产生的结果是，科技公司在设计产品和服务时可能被迫妥协，为用心不良之人提供可乘之机，我们一直在竭力阻止入侵者伤害顾客的利益，但妥协之后将无能为力。此项法案将迫使数字通信和存储服务供应商按照法院的要求确保政府以“清楚明白”的方式获得数据。这样的授权意味着企业和用户使用加密技术时，必须预留允许某些第三方获得数据的潜在渠道，但用心不良之人也可以利用这个渠道实施破解。

另一点要铭记的在于，此类技术性授权并未考虑当今技术已全球一体化的特征。举例来说，获取数据的要求绝不会仅限于美国执法部门，如果美国政府可以提出要求，其他国家也一定会效仿。此外，美国并未垄断这些安全措施。国会是通过了数据安全方面的法案限制数据使用，但只是限制，并没有阻止使用。这样做只会把用户推向美国之外的公司，削弱美国科技行业的全球竞争力，并导致越来越多的数据存储在其他国家。

我们坚决支持执法部门为确保侦破犯罪案件，掌握防范恐怖主义和保护公众所需的法律权力、资源以及相应的训练。然而，必须在协助执法部门和保护消费者的安全以及数字信息之间仔细权衡。我们已经准备好，也十分愿意就如何在两者之间取得平衡展开对话，但我们仍然担心，一旦把某个方面的安全置于其他所有领域之上，会对网络安全以及消费者的安全产生难以预料的负面影响。（财富中文网）

签名，

政府监控改革组织

计算机与通信行业协会

互联网基础设施联盟

娱乐软件协会

译者：Charlie

审校：夏林

It’s not up for adoption yet, but already major tech companies are sounding the alarm about a new bill that could pressure companies to bust into encrypted devices like smartphones when asked to do so by the government.

On Tuesday four groups representing companies such as Microsoft MSFT -1.42% , Google GOOGL -0.21% , Amazon AMZN 0.81% , Paypal PYPL 2.14% , and Facebook FB 0.12% drafted an open letter to Senate intelligence committee chairs Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.), who released their new draft of the controversial bill last week. The tech groups say if adopted, the new law would create “government-mandated security vulnerabilities,” essentially requiring tech companies to build hackable software for the government.

The new encryption bill comes on the heels of Apple’s AAPL 0.17% big fight with the FBI last month over whether the company could be forced to help law enforcement crack into an encrypted iPhone used by San Bernardino shooter Syed Rizwan Farook. That fight was pushed aside when the FBI got help from a third party, but the debate over whether tech companies should be forced to help crack into other encrypted information on user devices wages on.

Apple’s latest transparency report suggests the company did help law enforcement in a majority of cases last year, objecting to 11% of law enforcement requests, while providing data in 80% of cases. But the difference with the new law, the companies say, is it could force software engineers to make security systems weaker and more hackable because it would make it illegal for companies to bow out of decoding unintelligible, encrypted data on devices in criminal cases.

Under the new bill, companies would be responsible for turning over encrypted data if demanded by court order in criminal cases that involve death, serious injury, drug offenses, child victims, or foreign intelligence operations, Reuters reported.

Burr and Feinstein are now soliciting input on the bill, introduced as a draft last week, before formally introducing it for adoption in the Senate.

Here’s the letter to the senators:

Dear Chairman Burr and Vice-Chairman Feinstein:

We write to express our deep concerns about well-intentioned but ultimately unworkable policies around encryption that would weaken the very defenses we need to protect us from people who want to cause economic and physical harm. We believe it is critical to the safety of the nation’s, and the world’s, information technology infrastructure for us all to avoid actions that will create government-mandated security vulnerabilities in our encryption systems.

As member companies whose innovations help to drive the success and growth of the digital economy, we understand the need to protect our users’ physical safety and the safety of their most private information. To serve both these interests, we adhere to two basic principles. First, we respond expeditiously to legal process and emergency requests for data from government agencies. Second, we design our systems and devices to include a variety of network- and device-based features, including but not limited to strong encryption. We do these things to protect users’ digital security in the face of threats from both criminals and governments.

Any mandatory decryption requirement, such as that included in the discussion draft of the bill that you authored, will to lead to unintended consequences. The effect of such a requirement will force companies to prioritize government access over other considerations, including digital security. As a result, when designing products or services, technology companies could be forced to make decisions that would create opportunities for exploitation by bad actors seeking to harm our customers and whom we all want to stop. The bill would force those providing digital communication and storage to ensure that digital data can be obtained in “intelligible” form by the government, pursuant to a court order. This mandate would mean that when a company or user has decided to use some encryption technologies, those technologies will have to be built to allow some third party to potentially have access. This access could, in turn, be exploited by bad actors.

It is also important to remember that such a technological mandate fails to account for the global nature of today’s technology. For example, no accessibility requirement can be limited to U.S. law enforcement; once it is required by the U.S., other governments will surely follow. In addition, the U.S. has no monopoly on these security measures. A law passed by Congress trying to restrict the use of data security measures will not prevent their use. It will only serve to push users to non-U.S. companies, in turn undermining the global competitiveness of the technology industry in the U.S. and resulting in more and more data being stored in other countries.

We support making sure that law enforcement has the legal authorities, resources, and training it needs to solve crime, prevent terrorism, and protect the public. However, those things must be carefully balanced to preserve our customers’ security and digital information. We are ready and willing to engage in dialogue about how to strike that balance, but remain concerned about efforts to prioritize one type of security over all others in a way that leads to unintended, negative consequences for the safety of our networks and our customers

Signed,

Reform Government Surveillance

Computer & Communications Industry Association

Internet Infrastructure Coalition (I2C)

The Entertainment Software Association