A trio of Republican senators have introduced a bill that would force tech firms to engineer backdoors into their encryption techniques whenever a judge asks them to—essentially banning encryption that prevents hackers from stealing stored data and end-to-end encryption that prevents anyone but senders and recipients from accessing data. If passed, the bill would inevitably compromise the security of millions of users who are not under investigation at all.
The Lawful Access To Encrypted Data (LAED) Act’s sponsors are GOP Senators Lindsey Graham, Tom Cotton, and Marsha Blackburn, each of whom has authored bills or co-sponsored legislation that would be disastrous for the internet, such as Graham’s muddled, anti-encryption EARN IT Act. All three senators have also been hostile to tech companies that have cited the security and privacy of all users when refusing to enable wiretapping or backdoor decryption of their products. The LAED Act would authorize courts to issue search warrants that would compel “a device manufacturer, an operating system provider, a provider of remote computing service, or another person to furnish all information, facilities, and assistance necessary to access information stored on an electronic device or to access remotely stored electronic information, as authorized by the search warrant.”
Under the terms of the bill, tech firms with over 1 million users would have to proactively crack their own code to facilitate such search warrants. That includes “isolating the information authorized to be searched,” “decrypting or decoding information on the electronic device or remotely stored electronic information that is authorized to be searched” except where it is technically impossible due to the “independent actions of an unaffiliated entity,” and “providing technical support as necessary to ensure effective execution of the warrant for the electronic devices particularly described by the warrant.” Smaller firms could still be ordered to comply as well. This would all be done at the cost of the companies themselves.
For years, the Department of Justice and the FBI have been scaremongering about encryption, insisting that it hinders investigations into terrorism, child abuse, and organized crime. Many tech companies, including Apple and Facebook, have fought their demands, saying that building any type of backdoor into their encryption technology would create a massive vulnerability that could be exploited by anyone aware of it.
Whether or not the LAED Act has a serious chance of making it through the legislative process and being signed into law, privacy and cybersecurity experts and industry lobbyists are trashing it. As Ars Technica noted, this bill would have serious consequences not only for encrypted messaging services like Signal or social networks like Facebook, but also for massive cloud service providers like Amazon, Microsoft, and Google and for HTTPS and DNS over HTTPS providers like CloudFlare—who could in turn be targeted by cybercriminals and state-backed hackers. Terrorists and criminals could also easily sidestep the law by finding alternative software, while the bill simultaneously lowers the bar for governments to engage in mass surveillance.
“Politicians who don’t understand how technology works need to stop introducing legislation like this,” Evan Greer, deputy director of digital rights nonprofit Fight for the Future, told Gizmodo in an emailed statement. “It’s embarrassing at this point. Encryption protects our hospitals, airports, and the water treatment facilities our children drink from.”
“Security experts have warned over and over again that weakening encryption or installing back doors will make everyone less safe, not more safe,” Greer added. “Full stop. Lawmakers need to reject the Lawful Access to Encrypted Data act along with the EARN IT act. These bills would enable mass government surveillance while doing nothing to make children, or anyone else, any safer.”
Riana Pfefferkorn, the Associate Director of Surveillance and Cybersecurity at the Stanford Center for Internet and Society, wrote in a blog post that the sponsors’ claims that LAED Act authority would be used only in exceptional cases didn’t hold up to any degree of scrutiny.
“In truth, what this bill would require is a mandatory built-in mass backdoor for practically every device or service you use that has a computer in it or touches the Internet at any point,” Pfefferkorn wrote. “If it passes, this bill marks the end of strong encryption for stored data on devices; those would now be illegal to sell in America. And it is an outright ban on offering E2EE in the U.S.”
“It’s bananas given the current state of affairs to think that only criminals and terrorists use encryption, or that the billions of people that it protects every day are less important than acute crime that affects small numbers of people,” Internet Society technologist Joseph Lorenzo Hall told Motherboard.
“Encryption is critical to protecting privacy and security, and these government access mandates would critically weaken online safety,” Jason Oxman, the president and CEO of industry trade group the Information Technology Industry Council, told CNBC. “Government decrees to weaken encryption will compromise consumers’ security and trust and could expose their medical, work, and personal information to foreign governments or criminal actors.”
“Legislation to weaken security also runs counter to concerns lawmakers have raised about the need for companies to protect user data from hackers and other threats online, including in the lead up to the 2020 election,” Oxman told the network.