Privacy and security advocates may be forced to battle it out on the U.S. Senate floor to stop a newly introduced bill that will help law enforcement get past encryption.
New backdoor bill in Congress hits encryption debate head on
The new bill is part of a critical debate in cybersecurity.
The question: Should encrypted communications be out of law enforcement's reach? Or can a judge grant what the bill calls 'lawful access' to investigators who want to peer into encrypted data and platforms?
Lawful access is even in the bill's name.
The bill is dubbed the Lawful Access to Encrypted Data Act of 2020, and the Department of Justice (DOJ) says it will "improve the ability of law enforcement agencies to access encrypted data, and for other purposes."
Center for Internet and Society: bill is worst case encryption assault
Leaders at the Center for Internet and Society, at Stanford University, call this a "full frontal nuclear assault on encryption in the United States."
Writes the CIS's Riana Pfefferkorn:
"The new bill applies to operating systems and apps and messaging and chat and social media platforms and email and cloud storage and videoconferencing and smartphones and laptops and desktops and your Xbox, and probably voting machines and IoT devices—basically any electronic device with just 1 GB of storage capacity.
It isn't just aimed at Apple, Google, Facebook, Signal, and the like, though it certainly applies to them; it goes well beyond, to include everyone from Box and Dropbox, to the full range of Microsoft's products, to OEM handset manufacturers.
This bill is the encryption backdoor mandate we've been dreading was coming, but that nobody, during the past six years of the renewed Crypto Wars, had previously dared to introduce. Well, these three senators finally went there."
Who introduced encryption bill and what is DOJ saying?
Senators Lindsey Graham, Tom Cotton, and Marsha Blackburn co-sponsored the bill. And U.S. Attorney General Bill Barr has already spoken out in support of it. He focused on the same argument he's made in the past, which is that encryption allows the worst of the worst to live beyond the law:
"While strong encryption provides enormous benefits to society and is undoubtedly necessary for the security and privacy of Americans, end-to-end encryption technology is being abused by child predators, terrorists, drug traffickers, and even hackers to perpetrate their crimes and avoid detection.
Warrant-proof encryption allows these criminals to operate with impunity. This is dangerous and unacceptable."
This kind of legislation also aligns with previous statements by the Five Eyes intelligence alliance, which represent a joint perspective on privacy from the U.S., the United Kingdom, Canada, Australia, and New Zealand.
SecureWorld covered the Five Eyes stance on the privacy and security debate back in 2018. Here are three statements from the alliance:
- "Privacy laws must prevent arbitrary or unlawful interference, but privacy is not absolute."
- "The increasing gap between the ability of law enforcement to lawfully access data and their ability to acquire and use the content of that data is a pressing international concern."
- "We are always willing to work with technology providers in order to meet our public safety responsibilities and ensure the ability of citizens to protect their sensitive data."
One of Barr's statements on this Senate bill parallels this perspective: "Data security and public safety are not mutually exclusive."
Encryption debate: a cybersecurity perspective
But will a bill like this, which requires a backdoor or "lawful access" to encryption, somehow create security vulnerabilities that hackers or other nation-states can exploit?
On one side, there is the U.S. government and AG Bill Barr:
"I am confident that our world-class technology companies can engineer secure products that protect user information and allow for lawful access."
On the other side are cybersecurity thought leaders like Bruce Schneier. At a SecureWorld conference, we asked Schneier about whether the government can have a backdoor through encryption while the rest of us can maintain both security and privacy. His answer is very direct:
"They have this weird definition of security which means security from everyone except them, which we as technologists can't actually build. And they are pushing for insecure protocols at the same time they're complaining about lack of security.
So yes, we need security. We need trust and that actually means the FBI and NSA are not going to be able to eavesdrop on those systems. And they have to either accept that or be happy with the insecurity. They can't get both."
Schneier also calls this time the "Golden Age of surveillance." This is what he hopes government officials will eventually understand:
"Encryption is vital for national security. That as long as our phones and computers are used and carried by our legislators, our CEOs, our nuclear power plant operators, putting back-doors in them is not just stupid, it's dangerous.
And yes, I get it that the FBI will have to do a little more work to solve crimes, but the security benefit is more than worth it."
If this bill moves forward, we won't be surprised if Schneier is one of the industry leaders called to testify.
SecureWorld will continue to follow this bill's progress.