New bill stokes long-running encryption fight in Washington
Congress is gearing up for another run at passing encryption laws that proponents say will allow U.S. law enforcement to do its job and security experts say will make everyone’s communications less safe.
The big picture: As companies like Facebook and Apple encrypt more of their platforms by default, U.S. authorities fear the world is “going dark” on them. The consensus is stronger than ever among security experts, human rights advocates and the industry that weakening encryption hurts everyone.
Driving the news: Last week, Sens. Lindsey Graham (R-S.C.), Tom Cotton (R-Ark.) and Marsha Blackburn (R-Tenn.) introduced the Lawful Access to Encrypted Data Act, which would force makers of devices, platforms and apps to create backdoors so law enforcement can access communications and metadata on these platforms and crack devices open as well.
- “Tech companies’ increasing reliance on encryption has turned their platforms into a new, lawless playground of criminal activity,” said Cotton in a statement accompanying the bill’s announcement.
According to the proposed law, use of these access capabilities, for both criminal and national security investigations, would require a warrant. But mandating potential backdoors in popular messaging apps like WhatsApp would uniformly weaken these platforms' security, say experts.
- The bill is a “full-frontal nuclear assault on encryption in all its forms,” says Riana Pfefferkorn, associate director of surveillance and cybersecurity at the Stanford Center for Internet and Society.
Be smart: Data is either encrypted or it's not. The creation of a vulnerability for use by U.S. law enforcement provides opportunities for malign foreign states like Russia and China as well as cybercriminal groups.
The catch: Critics argue the bill would be unlikely to fulfill its stated objective — making it easier for U.S. law enforcement to access encrypted communications among criminals, terrorists and spies.
- Sophisticated malign actors like terrorists and child predators will move their communications onto bespoke encrypted platforms or burrow into the dark web.
- And technologically savvy, privacy-concerned Americans may be able to simply procure encrypted messaging platforms produced outside of the U.S. in places where strong encryption isn’t functionally outlawed.
- Lawful Access to Encrypted Data Act would also force device manufacturers to create backdoors, for instance on iPhones. These devices are used extensively all over the world, so the bill could expose device holders globally to potential surveillance — and much worse — by bad actors.
- “You are creating a world where criminals have better security than law-abiding citizens do,” says Pfefferkorn.
The intrigue: Pfefferkorn believes that the act's backers aim to make another bill that could weaken encryption, the EARN IT Act, appear more reasonable. Both should be rejected, she argues.
- The EARN IT Act aims to curb child exploitation online by tying changes to liability protections for tech platforms to government-mandated "best practices" that could involve back-door requirements.
- Wednesday morning, Graham introduced a substantial modification to the bill, and its provisions appear to be in flux.
The state of play: The debate over encryption has smoldered and flared periodically for decades, with government authorities — led, today, by Attorney General William Barr — insisting on their need for access and security experts warning that backdoors harm everyone.
- But this time around, the encryption push is not even uniformly supported within federal law enforcement circles.
- “It is time for governmental authorities — including law enforcement — to embrace encryption because it is one of the few mechanisms that the United States and its allies can use to more effectively protect themselves from existential cybersecurity threats, particularly from China,” wrote former FBI general counsel Jim Baker in an important essay in Lawfare earlier this year.
My thought bubble: Thus far, the “lawful access” debate has centered on how encryption affects law enforcement. But its impact on U.S. intelligence agencies has flown almost entirely under the radar.
- Spying is being transformed in the digital age. Governments still view human intelligence-gathering as essential, but ubiquitous interception, tracking and surveillance technologies have made it more complex than ever.
- Intelligence officers need to be able to communicate securely without harming sources. Asking those sources to use bespoke covert communications tools could endanger them.
- Consequently, America’s spies have turned to “hiding in plain sight,” integrating their espionage tradecraft into mundane digital life, where it’s less likely to be noticed by adversaries or endanger sources. This likely includes using strongly encrypted, commercially available apps and devices for communications. Compromising that tech would also compromise their intelligence work.
The bottom line: So far, the Department of Justice and domestic U.S. law enforcement agencies have dominated the “lawful access” debate. Intelligence agencies, loath to reveal sources and methods, have said nothing publicly.
- But this is one instance where greater transparency from the U.S. intelligence community may make us all — including America’s own spies — safer.