This article is more than 1 year old
After huffing and puffing for years, US senators unveil law to blow the encryption house down with police backdoors
Lawmakers will attempt to bend the laws of mathematics to their will
A trio of Republican senators on Tuesday proposed legislation that requires service providers and device makers in America to help the Feds bypass encryption when presented with a court-issued warrant.
The law bill [PDF] is dubbed the Lawful Access to Encrypted Data Act, which uncharacteristically cannot be condensed into a pandering acronym. This latest legislative attempt to make encryption – math – insecure on-demand should not be confused with another bill up for consideration in the United States' Congress, the EARN-IT Act, which threatens service providers with liability for supporting private, aka encrypted, communications.
It's also not the Burr-Feinstein anti-encryption bill from 2016 but it's similar in purpose.
LAEDA is sponsored by US Senators Lindsey Graham (R-SC), Tom Cotton (R-AR), and Marsha Blackburn (R-TN). Graham is one of the sponsors of the EARN-IT Act. And Blackburn pioneered the Trump administration's rule changes that allowed ISPs to market people's online data.
Cotton also received attention recently for an unvetted New York Times op-ed that called for a military response to public protests over the police killing of George Floyd.
Pay to play fast and loose
The bill requires any corporate presented with a warrant – "device manufacturer, an operating system provider, a provider of remote computing service, or another person" – to help authorities "access information stored on an electronic device or to access remotely stored electronic information."
Low Barr: Don't give me that crap about security, just put the backdoors in the encryption, roars US Attorney GeneralREAD MORE
It doesn't specify how encryption should be dealt with, just that it should be undoable when inconvenient to authorities.
The terms "device manufacturer," "operating system provider," and "provider of remote computing service," apply only to firms with unit sales over one million annually or one million customers/subscribers. Any electronic devices included in the law must have 1GB of storage or more. The term "another person" is not qualified in the text.
The bill entitles those drafted for encryption-cracking duty to liability exemption and to compensation "for reasonable expenses directly incurred in complying with the order," but not more than $300.
Service providers that handle data in motion – over a network – are also expected to help authorities access encrypted data and to bear the cost of maintaining their mandated encryption-dissolving systems.
What's more, the bill calls for the creation of a competition, funded with no more than $50m in tax dollars, to pay out one or more prizes, awarded at the discretion of the US Attorney General, for anyone developing a system capable of undoing encryption and providing authorities with access to data. The competition winner can be awarded no more than $1m however.
"Tech companies’ increasing reliance on encryption has turned their platforms into a new, lawless playground of criminal activity," said Cotton in a statement.
"Criminals from child predators to terrorists are taking full advantage. This bill will ensure law enforcement can access encrypted material with a warrant based on probable cause and help put an end to the Wild West of crime on the Internet."
Logic kicks in
Encryption, it should be said, also prevents a fair amount of crime by keeping things like online bank accounts and web browsing reasonably secure. Mandating a backdoor, which mathematically anyone could find, might not be the wisest move.
In an effort to show that such legislation is needed, the Senators cite a case where encryption was bypassed without legally-compelled industry help. They point to the December 2019 terrorist attack at the Pensacola Naval Air Station in Pensacola, Florida, involving a member of the Royal Saudi Air Force.
The FBI, they said, recovered information from the attacker's phone without any help from Apple after spending four months and some amount of money described as "large sums of tax dollars." Apple denies the claim.
Privacy and civil liberties advocates predictably are aghast at the proposed legislation and are weary of having to fight the Clipper Chip battle from the 1990s over and over again.
"This is a full-frontal assault on encryption and on Americans' privacy and security, just when the shift to living much of our lives online from home means we can least afford it," said Riana Pfefferkorn, associate director of surveillance and cybersecurity at the Stanford Center for Internet and Society, in an email to The Register.
"The bill unambiguously contains the long-dreaded backdoor mandate for devices and online services alike, from cloud storage to email to apps, such as end-to-end encrypted messaging apps."
"This bill is simply blind to reality," said EFF senior staff attorney Andrew Crocker in an email to The Register.
"It is blind to the fact that as millions of us march in the streets and shelter in place, we've never been more dependent on secure communications and devices. It is blind to the expert consensus that there is no way to provide access to securely encrypted data without a backdoor, something that legislating a prize for a magical solution cannot change. And it is blind to public opinion."
"For decades, Americans have overwhelmingly rejected government attempts to require security flaws in technology, from the Clipper Chip, to the Apple San Bernardino case, up to Senator Graham's other misguided bill, the EARN IT Act, which would allow a government task force to outlaw end-to-end encryption," Crocker said. "We shouldn't spend one second more debating these fictions."
Asked about whether LAEDA, if approved, might be subject to a legal challenge under the First Amendment, Pfefferkorn said the bill would bring internet and computing devices under the CALEA [Communications Assistance for Law Enforcement Act] rules to which telcos are currently subject.
"While I am not aware of what First Amendment challenges may have been brought to CALEA when it was passed in the 1990s, I believe this up-front, design-for-decryptability mandate is a little different than the situation in the San Bernardino showdown, where Apple did bring First Amendment arguments," she said.
"With that said, to the degree that Apple would still be forced to create code it does not want to create, and cryptographically sign – i.e., vouch for – code it does not truly stand by, then yes, the arguments Apple raised in the San Bernardino case could putatively be raised here as well," she said. ®