Right now, we rely on secure technologies like never before—to cope with the pandemic, to organize and march in the streets, and much more. Yet, now is the moment some members of the Senate Judiciary and Intelligence Committees have chosen to try to effectively outlaw encryption in those very technologies.
The new Lawful Access to Encrypted Data Act—introduced this week by Senators Graham, Blackburn, and Cotton—ignores expert consensus and public opinion, which is unfortunately par for the course. But the bill is actually even more out of touch with reality than many other recent anti-encryption bills. Since January, we’ve been fighting the EARN IT Act, a dangerous anti-speech and anti-security bill that would hand a government commission, led by the Attorney General, the power to determine “best practices” online. It’s easy to see how that bill would enable an attack on service providers who provide encrypted communications, because the commission would be headed by Attorney General William Barr, who’s made his opposition to encrypted communications crystal clear. The best that EARN IT’s sponsors can muster in defense is that the bill itself doesn’t use the word “encryption”—asking us to trust that the commission won’t touch encryption.
But if EARN IT attempts to avoid acknowledging the elephant in the room, the Lawful Access to Encrypted Data Act puts it at the center of a three-ring circus. The new bill doesn’t bother with commissions or best practices. Instead, it would give the Justice Department the ability to require that manufacturers of encrypted devices and operating systems, communications providers, and many others must have the ability to decrypt data upon request. In other words, a backdoor.
The bill is sweeping in scope. It gives the government the ability to demand these backdoors in connection with a wide range of surveillance orders in criminal and national security cases, including Section 215 of the Patriot Act, a surveillance law so controversial that Congress can’t agree whether it should be reauthorized.
Worse yet, the bill requires companies to figure out for themselves how to comply with a decryption directive. Their only grounds to resist is to show it would be “technically impossible.” While that might seem like a concession to the long-standing expert consensus that technologists simply can’t build a “lawful access” mechanism that only the government can use, the bill’s sponsors are nowhere near that reasonable. As a hearing led by Senator Graham last December demonstrated, many legislators and law enforcement officials believe that even though any backdoor could be exploited by bad actors and put hundreds of millions of ordinary users at risk, that doesn’t mean it’s “technically impossible.” In fact, even if decryption would be “impossible” because the system is designed to be secure against everyone except the user who holds the key —as with full-disk encryption schemes designed by Apple and Google—that’s likely not a defense. Instead, the government can require the system to be redesigned.
Not only does the bill disregard the security of users, it allows the government to support its need for a backdoor with one-sided secret evidence, any time it feels a public court proceeding would harm national security or “enforcement of criminal law.” As we’ve seen, the government already attempts to stretch the limit of surveillance laws in secret to undermine the security of communications products. This bill would make that the norm.
Finally, the bill makes almost no concession to the massive disruption it would have on how people use technology. Its limitations are almost laughable: any device that has more than a gigabyte of storage and sells more than a million units a year could have to build a government-required backdoor if it is subject to five warrants or other requests, as would any operating system or communication system with more than a million active users. Clearly the bill’s authors are attempting to target iPhones, Android phones, WhatsApp, and other popular technologies, but the bill would also sweep in many specialized operating systems as well as consumer devices like Fitbits, Rokus, and so on.
It would also establish a sort of X-Prize for “secure backdoors,” rewarding researchers who manage to find “solutions providing law enforcement access to encrypted data pursuant to legal process.” But it is not a lack of resources or proper monetary incentives that has failed to square that particular circle. Instead, it is simply the inability to design a system that reliably allows access by the “good guys” without catastrophically weakening the security of the system.
These concerns only scratch the surface of what’s wrong with this bill. As with EARN IT, we should take every opportunity to tell members of Congress to leave the secure technology we rely on alone.