New Republican bill latest in long line to force encryption backdoors

Here we go again. Senate Republicans push a new bill to mandate "lawful access" to encrypted devices and data. It won't end until law enforcement has better cyber forensics capabilities.


In what seems like Groundhog Day when it comes to encrypted communications, a group of Republican senators last week introduced the Lawful Access to Encrypted Data Act, which aims to end the use of so-called “warrant-proof” encrypted technology by terrorists and criminals. Senate Judiciary Committee Chairman Lindsey Graham (R-SC), Tom Cotton (R-AR) and Marsha Blackburn (R-TN) introduced this latest measure to find a way for law enforcement to gain access to devices and data that are protected by unbreakable encryption methods.

“The Lawful Access to Encrypted Data Act is a balanced solution that keeps in mind the constitutional rights afforded to all Americans while providing law enforcement the tools needed to protect the public from everyday violent crime and threats to our national security,” the Senators said in a statement.

Although the bill’s proponents don’t say so explicitly, the “lawful access” it seeks to establish mirrors a long string of potentially damaging efforts by the federal government to install backdoors into encrypted communications, according to critics. Virtually all cybersecurity and cryptography experts insist that any break in the encryption chain will break security and protection altogether, leaving criminals and adversarial nation-states with even more power to hack into users' devices and communications for nefarious purposes.

History of anti-encryption legislation

The efforts by lawmakers and federal law enforcement agencies to force Silicon Valley and the tech industry to build backdoors into encrypted devices and communications go back to 1993, when the Clinton Administration proposed creating a “Clipper Chip” so the NSA could intercept encrypted voice communications. Since then, a number of proposals to bypass or otherwise negate encryption have been introduced and failed.

The best known of these anti-encryption efforts is the legal fight waged by former FBI Director James Comey with Apple to force the Cupertino giant into helping the Bureau break into the iPhone of a mass shooter in San Bernardino. Most recently, a bipartisan bill, the EARN-IT Act, which is also backed by Senator Graham, has been widely condemned as a sneak attack on end-to-end encryption.

The Lawful Access to Encrypted Data Act comes after Attorney General William Barr coined a new euphemistic phrase for encryption backdoors, “lawful access,” and began promoting the idea of court-authorized access to the content of encrypted communications. It’s no surprise, then, that Barr is an enthusiastic backer of the bill.

Experts condemn encryption backdoor mandate

The initial reaction by academics, cryptographers, technologists, and human rights advocates to the latest bill was swift and harsh. “This bill is the encryption backdoor mandate we’ve been dreading was coming, but that nobody, during the past six years of the renewed Crypto Wars, had previously dared to introduce,” Riana Pfefferkorn, associate director of surveillance and cybersecurity at the Stanford Center for Internet and Society, wrote in her detailed analysis of the bill.

The Electronic Frontier Foundation (EFF) said, “If EARN-IT attempts to avoid acknowledging the elephant in the room, the Lawful Access to Encrypted Data Act puts it at the center of a three-ring circus. The new bill doesn’t bother with commissions or best practices. Instead, it would give the Justice Department the ability to require that manufacturers of encrypted devices and operating systems, communications providers, and many others must have the ability to decrypt data upon request. In other words, a backdoor.”

“I don’t know what to tell you that hasn’t been said a thousand times already. We’ve been here before,” Bruce Schneier, noted cryptographer and fellow at the Berkman Center for Internet & Society at Harvard Law School, tells CSO. “This is crypto-war version three? Five? I’m losing count.”

Calling the pursuit of encryption backdoors “myopic,” Schneier says, “You’re the police, and you want everyone to keep their hands where you can see them. Whether it’s a good idea in general, they don’t think about.”

Law enforcement needs better forensic tools

Still, the reason that encryption backdoors crop up over and over again is that we, as a society, do have a problem that needs to be solved. “We actually do need to solve the police’s problem,” Schneier says. “The police really do need better digital forensics tools and capabilities. We’re actually not solving the real police problem, which is why they keep whining about the phones. Why isn’t this solved yet?”

Anti-encryption laws could harm economy

Other countries, particularly the UK and Australia, have adopted laws that come close to mandating encryption backdoors. In the UK, the Investigatory Powers Act, also known as the Snooper’s Charter, gives authorities the ability to order the disclosure of encryption keys or force suspects to decrypt encrypted data.

Australia’s Assistance and Access Act of 2018 lays out a framework for mandatory industry assistance to law enforcement and intelligence agencies to help them access encrypted communications. Although neither country has been transparent about the impact of these laws, some advocates contend that they are damaging economic activity.

“If the US were to adopt either or both of Senator Graham's bills, we could expect to see the same harm to the US economy, the tech sector in particular, as users and paying customers lose all trust in products and software from US companies,” Stanford’s Pfefferkorn tells CSO. “Why would any foreign customers want to buy or use a service they know has been backdoored to enable US government snooping?”

On top of that there’s the irony that the US government would seek to build backdoors into technology products while decrying the same activity by China. “Of course, members of Congress and various federal agencies regularly make the same allegations of secret backdoors for state snooping at Huawei and other Chinese companies -- and seem utterly immune to the irony of making those accusations while also touting” anti-encryption bills, Pfefferkorn says.

To Schneier, one thing is true about the recent Republican bill: “For national security, we need this bill not to pass,” he says. But someday in the future, “before the end of the human species,” this constant fight over encryption will be resolved, Schneier believes.

Until then, we’ll have “the same battles again and again. The same arguments. The names change, but the organizations are all the same,” he says. “Embrace the suck.”

Copyright © 2020 IDG Communications, Inc.
