Senate's New Anti-Encryption Bill Rankles Privacy Advocates
Privacy advocates are up in arms about a sweeping new bill introduced this week that would allow "lawful access" of encrypted devices and services with a warrant.
Privacy advocates are publicly denouncing a new anti-encryption bill introduced this week, the Lawful Access to Encrypted Data Act, that some claim is tantamount to an outright ban on providers who offer end-to-end encryption in their online services.
The goal of the legislation, introduced Tuesday by members of the Senate Judiciary and Intelligence Committee, Senators Lindsey Graham (R-SC), Tom Cotton (R-AR), and Marsha Blackburn (R-TN), is to foster national security and ferret out "terrorists and criminals" who use encrypted technology – but it could have back-breaking repercussions for data security and privacy.
The bill would allow law enforcement to access encrypted data via service providers and device manufacturers – essentially through a backdoor – as long as they have probable cause and a warrant.
The way the bill is worded suggests it wants providers to make data in motion and data at rest accessible for law enforcement. The bill would require that companies be "delivering all communications authorized to be intercepted securely, reliably, and concurrently with their transmission."
Specifically, device manufacturers, operating systems, and remote computing service providers would have to be able to isolate the information to be searched and assist by "decrypting or decoding information on the electronic device or remotely stored electronic information that is authorized to be searched, or otherwise providing such information in an intelligible format, unless the independent actions of an unaffiliated entity make it technically impossible to do so."
There's not a lot of room for error here. If enacted, the law would require companies like Apple to devise a way to unlock an iPhone and Facebook would have to find a way to decrypt communication on WhatsApp. One would assume that Zoom, which recently went back on its decision not to offer end-to-end encryption for all users, would have to comply as well. If these companies – the bill would apply to those who manufacture devices that have over one gigabyte in storage or a service that has over one million monthly active users – can’t provide access, they'll be commanded to build a decryption capability, either themselves or through a third-party contractor.
The actual law is 52 pages long (.PDF), but for those who've sat down to parse it, it’s clear it largely runs counter to the advice of experts and, perhaps blatantly, to the security of users.
As advocates at the Electronic Frontier Foundation and Stanford's Center for Internet and Society have pointed out, the bill paints a target on seemingly every tech company's back: Apple and its iPhones, Google and its Android devices, Facebook and WhatsApp, Signal, Box, Dropbox, video conferencing software, social media companies, even Microsoft's suite of products.
In the law's current iteration, companies themselves would have to figure out how to comply. The only way a technical assistance order couldn't be complied with? If the "independent actions of an unaffiliated entity make it technically impossible to do so," like if the information was encrypted by another person.
Incredibly, the bill also includes a section that would incentivize the creation of a lawful access solution that still maximizes privacy and security.
“It’s like passing a law mandating that everybody’s house has to be made out of super-fragile, highly transparent glass, so that the police can see what everybody is doing inside their homes and easily break down somebody’s wall if they see something they don’t like, and then creating a prize for the glazier whose glass doesn’t give the cops an owie when it shatters. The prize just doesn’t matter anymore once the mandate is in place,” Riana Pfefferkorn, the Associate Director of Surveillance and Cybersecurity at the Stanford Center for Internet and Society, wrote of the bill Wednesday.
This, of course, is by no means a new fight. The industry has long argued about the merits of encryption – the tug of war between the government, technologists, and privacy advocates has been especially fierce over the last four years.
It was reignited in 2016 with the “going dark” debacle, after the FBI asked Apple to unlock an iPhone used by the San Bernardino shooter, then again in a spat between Facebook executives and Attorney General William Barr last December, and again at the beginning of this year, when the FBI had difficulty getting into an iPhone belonging to a shooter in Pensacola.