Representatives of the two major political parties in the US have united to reintroduce a bill in Congress aimed at preventing the government from mandating vulnerabilities in data security technologies.
If enacted, the bipartisan Secure Data Act 2018 would stop any government agency or court order from forcing a company to build backdoors into encrypted devices and communications.
The bill includes safeguards that uphold security for both developers and users, stating: “No agency may mandate or request that a manufacturer, developer or seller of covered products design or alter the security functions in its product or service to allow the surveillance of any user of such product or service, or to allow the physical search of such product, by any agency.”
Although previous versions of the bill have failed, Republican and Democratic supporters have reintroduced the bill just days after renewed calls by the law enforcement community to tackle the “problem” of encryption.
US intelligence and law enforcement agencies have requested, required and even sought court orders against individuals and companies to build a backdoor, weakening secure encryption in their product or service to assist electronic surveillance.
In a speech at the Association of State Criminal Investigative Agencies 2018 Spring Conference on 7 May, US attorney general Jeff Sessions said: “It is critical that we deal with the growing encryption or the ‘going dark’ problem.
“And the stakes are high. Last year, the FBI was unable to access investigation-related content on more than 7,700 devices – even though it had the legal authority to do so. Each of those devices was tied to a threat to the American people.
“This is a large number, but it is small compared to the number that your agencies are unable to access because of encryption.
“That is why we are working with stakeholders in the private sector, in law enforcement, and in Congress to find a solution to this problem. Ultimately, we may need Congress to take action on this issue.”
In the UK, former home secretary Amber Rudd went on a crusade against end-to-end encryption that began after the Westminster terror attack on 22 March 2017, but she appeared to back down after discussions with WhatsApp’s owner, Facebook, and Google, Twitter and Microsoft on the issue.
In an official statement after the meeting, no mention was made of restricting encryption or requiring tech firms to provide backdoors, and the government’s apparent U-turn on the issue was widely welcomed by the security industry.
However, concerns remain among technology firms about the lack of clarity around encryption and bulk data collection in the UK government’s controversial Investigatory Powers Act, which allows the government to demand “technical” changes to software and systems.
Meanwhile, the Electronic Frontier Foundation (EFF) said the new US bill “gets encryption right” and welcomed its reintroduction to Congress.
“This legislation reflects much of what the community of encryption researchers, scientists, developers, and advocates have explained for decades—there is no such thing as a secure backdoor,” the EFF said.
The EFF said the reintroduction of the bill comes just a week after the digital rights group convened a panel of true experts on Capitol Hill to explain why government-mandated backdoors face insurmountable technical challenges and will weaken computer security for all.
“Given that the DoJ [Department of Justice] and FBI continue to rely on flawed theoretical approaches to key escrow in pushing for ‘responsible encryption’, we are glad to see some Congress members are listening to the experts and taking this important step to protect anyone who uses an encrypted device or service,” the EFF said.
According to the EFF, the bill would protect companies that make encrypted mobile phones, tablets, desktop and laptop computers, as well as developers of popular software for sending end-to-end encrypted messages, including Signal and WhatsApp, from being forced to alter their products in a way that would weaken the encryption.
The bill also forbids the US government from seeking a court order that would mandate such alterations. The lone exception is for wiretapping standards required under the 1994 Communications for Law Enforcement Act, which itself specifically permits providers to offer end-to-end encryption of their services.
The EFF added: “The Secure Data Act is thus the polar opposite of the Burr-Feinstein proposal introduced in the wake of the confrontation between Apple and the FBI in the San Bernardino case, which would have allowed sweeping court orders to require technical assistance from companies like Apple.
“We have explained before that this type of mandate is unconstitutional, likely violating the First Amendment. And, as an internal DoJ report recently demonstrated, the FBI did not need Apple’s assistance in the San Bernardino case because it had the resources at its disposal to unlock the iPhone belonging to the shooter.
“Nevertheless, the bureau did not make its capabilities known to courts, Congress and the public. Legislation like the Secure Data Act would both prevent another such fight from playing out and also head off the risk of wrong-headed legislation like the Burr-Feinstein proposal.”
Privacy and security at risk
Democratic US representative Zoe Lofgren, one of the bill’s sponsors, said in a statement: “Encryption backdoors put the privacy and security of everyone using these compromised products at risk.
“It is troubling that law enforcement agencies appear to be more interested in compelling US companies to weaken their product security than using already available technological solutions to gain access to encrypted devices and services.
“Congress must act to protect the products available to Americans that keep their personal information safe from warrantless surveillance and hackers intent on breaching their data.”
Co-sponsor of the bill, Republican representative Thomas Massie said its reintroduction comes hard on the heels of a troubling DoJ report calling into question the FBI’s handling of Syed Rizwan Farook’s locked iPhone in the wake of the 2015 San Bernardino attack which suggested that FBI officials did not pursue available technical solutions to access Farook’s iPhone because the FBI preferred to obtain a precedent-setting court judgment compelling Apple to weaken its product encryption.
“It is well documented that encryption backdoors put the data security of every person and business using the products or services in question at risk,” said Massie. “For example, a software testing firm found serious backdoor vulnerabilities in wiretapping software for law enforcement made by Israeli software firm NICE Systems in 2013 that allowed hackers to completely compromise their system and listen to intercepted phone calls.
“Backdoors created for law enforcement and intelligence surveillance are vulnerabilities available for hackers to exploit.”