The U.S. Congress has a draft for a bill that would require companies to fetch information from a device when requested by a court. A consequence of this is that many types of security technology become illegal for any company subject to U.S. jurisdiction.

My question is, would this make open source software that uses encryption illegal?

  • In particular, could open source developers be sued?
  • Can a company that contributes to open source software be sued?
  • If a company distributes open source software, can they be sued (such as the owners of gnupg.org or github.com (note the difference between the two))?
  • If a phone maker puts open source encryption software in it, can they be sued?
  • If a user installs open source encryption software on a phone, can the phone maker be sued?
    • What if they downloaded it from a software center provided by the phone maker?

I am specifically talking about the types of encryption that could lead a company to be sued.

Note: I think I may be using the word "sue" incorrectly. Feel free to edit this question in order to make more sense legally.

user
Christopher King

3 Answers

Section 4, Definition 4 Covered Entity, emphasis added:

The term "covered entity" means a device manufacturer, a software manufacturer, an electronic communication service, a remote computing service, a provider of wire or electronic communication service, a provider of a remote computing service, or any person who provides a product or method to facilitate a communication or the processing or storage of data.

This definition seems extremely broad, and could be stretched to cover an answerer on Stack Overflow whose answer provided a method facilitating data processing, storage, or communication (which covers most software methods). So let's then look at what can be required of a covered entity:

Section 3(a)(1), Requirement:

... a covered entity that receives a court order from a government for information or data shall provide such information or data to such government in an intelligible format or provide technical assistance as is necessary to obtain such information or data in an intelligible format or to achieve the purpose of the court order.

Subsection 2 limits the scope so that a covered entity only has to provide data if the data was "made unintelligible by a feature, product, or service owned, controlled, created, or provided by the covered entity or by a third party on behalf of the covered entity."

However, courts cannot effectively require people to do the impossible; if a programmer wrote a method that was used in an encrypted communication service that does not mean the programmer, lacking the encryption key, will be forced to break what they believe to be unbreakable encryption.

The key here is in section 3(c), emphasis added:

A provider of remote computing service or electronic communication service to the public that distributes licenses for products, services, applications, or software of or by a covered entity shall ensure that any such products, services, applications, or software distributed by such person be capable of complying with subsection (a).

So if this bill were to become law, it would be the service provider who's responsible for making sure the government can get the intelligible information. The government could require e.g. the author of the encryption function, even if that person's not part of the service provider, to help break the encryption, but the responsibility for ensuring data accessibility lies with the service provider.

The definition of service provider seems absent from at least what I can see of this bill, but it seems that a company selling a communications service to customers would very likely qualify, and a person/company who posted an answer on SO that was then picked up and integrated into something someone else distributed as part of a service, very likely would not.

WBT

There is good hope that this draft will never be turned into a law, if you read headlines like on theregister: "Read America's insane draft crypto- Understandable – it's more stupid than expected"

Creating the encryption is perfectly legal. You might be asked to help recover encrypted data. There is no mention of cost; I doubt that you could be asked to provide your services for free.

You are presumably an expert on creating encryption. You are presumably not at all an expert on cracking encryption. I would reasonably expect you to provide assistance by providing the complete source code for the encryption, which you had to do anyway, because the GPL requires you to do so. (Except with the GPL, you have the choice between providing the source or committing copyright infringement, and here you have the choice between providing the source and infringing on this proposed law.)

gnasher729

The argument can be made (and has already been made) that open source development is speech, and therefore protected by the first amendment.

Secondly, since encryption can be used for personal protection, the use of encryption software can be assimilated to the "bearing of arms", and is therefore protected by the second amendment. Any attempt at making encryption illegal would itself be unconstitutional.

Flavien